SEAG: A novel dynamic security risk assessment method for industrial control systems with consideration of social engineering

Abstract

The development of information and communication technology and its wide application in industrial control systems (ICSs) has brought a growing number of security risks to ICSs. Quantifying and dynamically assessing the security risks of ICSs is of great significance to protect ICSs from cyber attacks. Current risk assessment methods, however, do not take into account social engineering (SE) attacks and the potential cyber-to-physical risks associated with cyber attacks. To address these issues, we propose a novel method for the dynamic security risk assessment of ICSs, called SEAG. Specifically, the scheme first extends and modifies three metrics in the common vulnerability scoring system to four metrics for objectively calculating the exploit probability of SE. Then, we construct the attack graph by relying on the knowledge graph that integrates three kinds of knowledge including SE knowledge, common vulnerability knowledge, and control system knowledge. In addition, we combine real time attack data that causes system performance loss with the industrial protocol function code attack detected by the intrusion detection system to accurately quantify the potential cyber-to-physical risks associated with cyber attacks. This method allows us to dynamically assess the security risks of ICSs in real time. Finally, the method is verified by one simulation testbed, which shows the effectiveness and accuracy of the proposed method for dynamic quantitative evaluating security risks of ICSs.