Abstract

Internet of Things (IoT) increase the interconnectivity and interoperability of systems in various critical sectors, such as industrial control, healthcare and smart transportation systems. At the same time, as IoT technologies enable systems to interact both in cyber and physical ways, they also act as enablers of complex attack paths against critical systems. In this paper we propose a novel risk-based methodology for identifying and assessing IoT-enabled attack paths against critical cyber-physical systems. While the majority of existing approaches focus on cyber system connectivity only, the proposed methodology models both cyber and physical interactions. In comparison to existing cyber physical approaches that grow exponentially, our approach is significantly more efficient, by utilizing an attack tree topology; the critical system is set as the root (target) of an attack tree that is recursively build, based on the identified cyber-physical system interactions. Our methodology uses well-known building blocks such Common Vulnerabilities and Exposures (CVE), Common Vulnerability Scoring System (CVSS) and threat modeling. Furthermore,we significantly reduce false positives by prioritizing the identified attack paths in a risk manner, which, in turn, can assist decision makers in effectively mitigating multi-hop attack paths. To validate our methodology, we developed a proof-of-concept implementation and tested it using a realistic scenario from the healthcare sector. Our results show that the proposed methodology can efficiently identify and assess hidden and/or underestimated cyber physical attack paths.

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call

Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.