
AI-based Identification of Most Critical Cyberattacks in Industrial Systems

Bruno Paes Leao, Jagannadh Vempati, Siddharth Bhela, Tobias Ahlgrim, Daniel Arnold

TL;DR

The paper tackles the challenge of identifying the most disruptive cyberattacks on industrial systems by tying attack progression directly to operational performance through a KPI $y$. It introduces an augmented simulation model (ASM), i.e. a simulation model of the industrial process extended with a cybersecurity information layer (CIL), together with a Monte Carlo Tree Search-based sequential decision-making optimizer (SDMO) that searches for attack paths minimizing $y$ under an attack budget. Key contributions include (i) KPI-driven critical-attack identification, (ii) integration of system models with cyber network information, and (iii) empirical validation on a realistic power distribution grid using PyCIGAR/OpenDSS, showing that the framework can reveal realistic entry points and attack sequences that significantly disrupt operations. The approach provides a principled basis for prioritizing defenses and testing cybersecurity solutions in OT environments, though it faces computational challenges that motivate future work on parallelization, surrogate modeling, and richer integration with standard risk frameworks like MITRE ATT&CK and CVSS. Assessment in terms of $y$ is central to translating cyber threats into actionable operational risk in industrial settings.

Abstract

Modern industrial systems face a growing threat from sophisticated cyberattacks that can cause significant operational disruptions. This work presents a novel methodology for identification of the most critical cyberattacks that may disrupt the operation of such a system. Application of the proposed framework can enable the design and development of advanced cybersecurity solutions for a wide range of industrial applications. Attacks are assessed taking into direct consideration how they impact the system operation as measured by a defined Key Performance Indicator (KPI). A simulation model (SM) of the industrial process is employed for calculation of the KPI based on operating conditions. Such an SM is augmented with a layer of information describing the communication network topology, connected devices, and potential actions an adversary can take based on each device or network link. Each possible action is associated with an abstract measure of effort, which is interpreted as a cost. It is assumed that the adversary has a corresponding budget that constrains the selection of the sequence of actions defining the progression of the attack. A dynamical system comprising a set of states associated with the cyberattack (cyber-states) and transition logic for updating their values is also proposed. The resulting augmented simulation model (ASM) is then employed in an artificial intelligence-based sequential decision-making optimization to yield the most critical cyberattack scenarios as measured by their impact on the defined KPI. The methodology is successfully tested based on an electrical power distribution system use case.
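To make the abstract's formulation concrete, the following added example (not code from the paper or its authors) builds a constructed toy ASM: a two-section feeder whose section switches are commanded by RTUs, a cyber-state given by the set of compromised devices, actions with abstract costs and preconditions, and a KPI $y$ equal to the fraction of load still served. The budget-constrained search is an exhaustive stand-in for the paper's MCTS-based SDMO; all device names, loads and costs are assumptions chosen for illustration.

```python
from typing import FrozenSet, List, Optional, Tuple

# Constructed toy system model (SM): load per feeder section, in kW.
SECTION_LOAD_KW = {"sec1": 600.0, "sec2": 400.0}
# Constructed cybersecurity information layer (CIL):
# action name -> (device that must already be compromised, device gained, cost).
# Costs are abstract effort units, as in the paper's budget formulation.
ACTIONS = {
    "enter_hmi":    (None,   "hmi",  3),
    "hmi_to_rtu1":  ("hmi",  "rtu1", 2),
    "hmi_to_rtu2":  ("hmi",  "rtu2", 2),
    "rtu1_to_rtu2": ("rtu1", "rtu2", 1),  # cheap lateral link between RTUs
}
# Physical control: which section switch each RTU can open (assumption).
CONTROLS = {"rtu1": "sec1", "rtu2": "sec2"}

def kpi(cyber_state: FrozenSet[str]) -> float:
    """KPI y: fraction of feeder load served. A compromised RTU is assumed
    to have opened its section switch, shedding that section's load."""
    lost = sum(SECTION_LOAD_KW[CONTROLS[d]] for d in cyber_state if d in CONTROLS)
    return 1.0 - lost / sum(SECTION_LOAD_KW.values())

def step(cyber_state: FrozenSet[str], action: str) -> Optional[FrozenSet[str]]:
    """Cyber-state transition logic: apply the action if its precondition
    holds and it gains something new; otherwise the action is not available."""
    need, gain, _ = ACTIONS[action]
    if (need is not None and need not in cyber_state) or gain in cyber_state:
        return None
    return cyber_state | {gain}

def most_critical_attack(budget: int) -> Tuple[List[str], float, int]:
    """Exhaustive budget-constrained search over action sequences (stand-in for
    the MCTS-based SDMO). Returns (sequence, resulting KPI, cost spent),
    preferring the lowest KPI and, on ties, the cheapest sequence."""
    best: Tuple[List[str], float, int] = ([], kpi(frozenset()), 0)

    def dfs(state: FrozenSet[str], spent: int, path: List[str]) -> None:
        nonlocal best
        if (kpi(state), spent) < (best[1], best[2]):
            best = (list(path), kpi(state), spent)
        for name, (_, _, cost) in ACTIONS.items():
            nxt = step(state, name)
            if nxt is not None and spent + cost <= budget:
                dfs(nxt, spent + cost, path + [name])

    dfs(frozenset(), 0, [])
    return best

if __name__ == "__main__":
    for b in (3, 5, 6):  # sequences found show which link most deserves hardening
        print(b, most_critical_attack(b))
```

For a defender, the output ranks the links that matter: raising the cost of the RTU-to-RTU lateral link removes the cheapest full-outage path in this toy model.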

Paper Structure (26 sections, 38 equations, 4 figures, 7 tables)

This paper contains 26 sections, 38 equations, 4 figures, 7 tables.

Figures (4)

  • Figure 1: High-level structure of the proposed solution with three main components: simulation model of the industrial system (SM), cybersecurity information layer (CIL) and sequential decision-making optimization (SDMO). SM and CIL combined form the augmented SM (ASM). Solid arrows indicate information exchanged once for each evaluated attack scenario, while the dashed arrow indicates information exchanged multiple times for each evaluated attack scenario. Definitions of the symbols presented in the figure are given in the section on the augmented simulation model.
  • Figure 2: Diagram representing the interconnection among devices. Solid lines indicate network (physical) links and dashed lines correspond to logical links.
  • Figure 3: Shown here is the standard IEEE $123$-bus feeder model (for a single feeder) connected to the substation bus $150$. The $246$-bus network was built by mirroring the standard IEEE $123$-bus feeder and adding it to the existing substation, i.e., the power network consisted of one substation with two $123$-bus feeder models, henceforth referred to as Feeder $1$ and Feeder $2$. Boxes in the figure show the locations of normally open switches between the same buses ($135$, $152$, and $300$) in Feeders $1$ and $2$.
  • Figure 4: System architecture pattern employed for definition of the communication network.