Abstract

ABSTRACT Organisations operating IoT-enabled industrial control systems (ICSs) are concerned about growing cybersecurity risks and impacts to their systems. Cyber-attacks on ICSs demonstrate that technology alone is neither a problem nor a solution to the growing cybersecurity issues affecting these systems. As socio-technical systems, ICSs encompass the functions and interactions of social and technological system elements to enable and/or sustain industrial processes. Thus, a more effective cybersecurity risk management process needs to consider human and technology factors, especially for high-value industrial process targets. Combining critical reviews and gap analysis of existing vulnerability assessment methods with conceptual modelling, a Vulnerability Analysis Critical Impact Point Process (VACIP) methodology is proposed which considers both human and technological vulnerabilities within a cyber-physical system environment to inform an improved insight about attack criticality and impacts. VACIP is validated using a simulated industrial mini testbed; showing that it can enable practicable support for security vulnerability discovery, impact criticality analysis, weak link identification, and prioritised controls. Its novelty is demonstrated in its combination of technology and human vulnerability evaluations in the minimisation of system security exposures. It provides a useful guide for adopting effective cybersecurity risk assessment and exposure reduction strategies.

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call

Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.