DOI: 10.1145/3605758.3623500 (ACM conference proceedings, CCS)
research-article
Open Access

Water Risk-Proofed: Risk Assessment in Water Desalination

Published: 26 November 2023

ABSTRACT

Desalination plants, heavily reliant on Industrial Control Systems (ICS), have emerged as increasingly vital resources in the wake of escalating global water scarcity. This raises an urgent need to prioritize their security, calling for the implementation of robust risk assessment measures. Recognizing these pressing issues, this paper proposes a risk assessment approach for ICS within water desalination facilities. The strategy integrates the capabilities of Bayesian Networks (BNs) and Dynamic Programming (DP). It evolves BNs into Multilevel Bayesian Networks (MBNs), an innovative form that adeptly navigates the intricacies of system complexity, facilitates efficient inference, and dynamically adapts risk profiles. The proposed methodology considers the perspective of potential attackers, which is critical for a comprehensive risk assessment and a robust defense strategy. The DP aspect enhances this approach by dissecting complex problems and identifying optimal attack paths. The work demonstrates the comprehensive risk assessment by executing multiple attacks on a water desalination plant with various strategies. It takes into account the probabilistic interdependence relationships within the system. Additionally, the paper formulates a mathematical risk assessment using system models and graphical representation, yielding realistic results.

