Cybersecurity Risk Assessment of Industrial Control Systems Based on Order-α Divergence Measures Under an Interval-Valued Intuitionistic Fuzzy Environment

Abstract

With the increasing deployment of network technologies in industrial control systems (ICSs), cybersecurity has become a challenge in ICSs. Cybersecurity risk assessment (CRA) plays an important role in cybersecurity protection of ICSs. However, the weights of risk indices are constants in traditional CRA methods, and they do not fully consider the requirements of risk identification. In this paper, we define a novel order- <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">$\alpha $ </tex-math></inline-formula> divergence measure for interval-valued intuitionistic fuzzy numbers (IVIFNs) and further develop a novel CRA approach for ICSs based on the proposed divergence measure under an interval-valued intuitionistic fuzzy environment to contribute to the research gap. First, an order- <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">$\alpha $ </tex-math></inline-formula> divergence measure for IVIFNs is defined considering flexibility and robustness of divergence measures with the parameter. Next, a variable weight-based CRA approach for ICSs is developed. In this approach, IVIFNs are adopted to describe evaluation values of risk indices. The weights of risk indices are variable weight vectors and they are determined by the relative divergence closeness. Integration approaches of each node and each attack path in attack-defense trees (ADTs) are proposed based on the operations of IVIFNs, and risk scores of each attack path are calculated by using the score function. Finally, we apply the proposed method to the CRA of a civil aviation fuel supply automatic control system and verify its effectiveness and advantages by comparing it with other methods. This method can dynamically adjust the weights of risk indices considering the relationship between each risk index and the highest risk, and therefore, it can more effectively recognize the highest risk of ICSs than the traditional CRA method. In addition, it can also match the risk attitude of decision-makers by adjusting the parameter <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">$\alpha $ </tex-math></inline-formula> .