A Vulnerability Risk Assessment Method for Industrial Control System

Abstract

Aiming at how to accurately assess the vulnerability risk of industrial control system, this paper proposes an algorithm for vulnerability risk assessment of industrial control system. This method firstly establishes the attack-defense game model of industrial control system and gives the expression of the attacker’s maximum return expectation. The loss degree of the industrial control system after being attacked is calculated according to the three security attributes of the industrial control system. The vulnerability value is calculated by using the attacker’s maximum return expectation and system loss degree. Then the expression of comprehensive connectivity between vulnerabilities is given according to vulnerability correlation graph and risk matrix. The own risk and associated risk of vulnerability are calculated by using vulnerability value and comprehensive connectivity between vulnerabilities, the vulnerability comprehensive risk is assessed finally. The example analysis shows that the method combined with the security attributes of industrial control system, not only considers the influence of mutual restriction factors of information security attack and defense sides, but also reflects the correlation between vulnerabilities. The method is feasible and effective, the results are objective and accurate. The method is used to evaluate the key vulnerability of industrial control system, it has the advantages of safety assessment and defense.