Abstract

Timely identification of critical security flaws in a cyber-physical system makes it possible to identify risks and potential threats. To this end, threat models are created to better understand the potential vulnerabilities that must be considered to ensure system reliability. Selecting the optimal solution for assessing the criticality of functional vulnerabilities in cyber-physical system components is a complex process, since all vulnerabilities must be identified, classified, and quantified according to a unified approach as part of the cybersecurity process. An effective tool for analyzing cyber-physical systems is the Bayesian attack graph. Each path in the graph represents a sequence of attacks that an attacker can use to achieve a specific goal, such as gaining access to sensitive data or controlling a system. This paper proposes a quantitative method for assessing the vulnerability criticality of cyber-physical system components based on the PROMETHEE II multi-criteria decision-making method. It allows the system's most vulnerable components to be ranked and identified. The proposed approach is evaluated using a threat model and three scenarios of cyberattacks on a cyber-physical system. Comparison with the TOPSIS, VIKOR, and ELECTRE methods proves the effectiveness of the proposed approach. The proposed approach can help technical specialists make more reasoned decisions when ranking critical vulnerabilities of cyber-physical system components to provide security measures and prevent cyberattacks.
