This may be the author's version of a work that was submitted/accepted for publication in the following source:

Li, Xuan, Zhou, Chunjie, Tian, Glen, Xiong, Naixue, & Qin, Yuanqing (2018) Asset-based dynamic impact assessment of cyberattacks for risk analysis in industrial control systems. IEEE Transactions on Industrial Informatics, 14(2), pp. 608-618.

This file was downloaded from: https://eprints.qut.edu.au/110345/

© Consult author(s) regarding copyright matters

This work is covered by copyright. Unless the document is being made available under a Creative Commons Licence, you must assume that re-use is limited to personal use and that permission from the copyright owner must be obtained for all other uses. If the document is available under a Creative Commons License (or other specified license) then refer to the Licence for details of permitted re-use. It is a condition of access that users recognise and abide by the legal requirements associated with these rights. If you believe that this work infringes copyright please provide details by email to [email protected]

Notice: Please note that this document may not be the Version of Record (i.e. published version) of the work. Author manuscript versions (as Submitted for peer review or as Accepted for publication after peer review) can be identified by an absence of publisher branding and/or typeset appearance. If there is any doubt, please refer to the published source.

https://doi.org/10.1109/TII.2017.2740571




IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS, VOL. XX, NO. XX, XX XX 1

Asset-based Dynamic Impact Assessment of Cyberattacks for Risk Analysis in Industrial Control Systems

Abstract—With the evolution of information, communications and technologies, modern industrial control systems (ICSs) face more and more cybersecurity issues. This leads to increasingly severe risks in critical infrastructure and assets. Therefore, risk analysis becomes a significant yet not well investigated topic for prevention of cyberattack risks in ICSs. To tackle this problem, a dynamic impact assessment approach is presented in this paper for risk analysis in ICSs. The approach predicts the trend of impact of cybersecurity dynamically from full recognition of asset knowledge. More specifically, an asset is abstracted with properties of construction, function, performance, location and business. From the function and performance properties of the asset, object-oriented asset models incorporating the mechanism of common cyberattacks are established at both component and system levels. Characterizing the evolution of behaviours for a single asset and for the system, the models are used to analyze the impact propagation of cyberattacks. Then, from various possible impact consequences, the overall impact is quantified based on the location and business properties of the asset. A special application of the approach is to rank critical system parameters and prioritize key assets according to impact assessment. The effectiveness of the presented approach is demonstrated through simulation studies for a chemical control system.

Index Terms—Asset, cybersecurity, impact assessment, industrial control systems, risk analysis.

I. INTRODUCTION

In recent years, cybersecurity of industrial control systems (ICSs) has become increasingly important. This is mainly due to the widespread adoption of computer networks in ICSs with interconnection with the Internet. Significant cyberattack incidents during the last few years include the "Stuxnet" incident in Iran in 2010 [1] and the Ukrainian power grid attack in 2015 [2]. Cyberattacks on ICSs pose significant risks to industrial production, safety of human lives, and protection of the environment and critical infrastructure. They may have severe effects on a nation's economy [3]. In this context, security protection for ICSs has become extremely significant.

Impact assessment of cyberattacks is a vital part of risk analysis, which is a major pillar for evaluating the security resilience of ICSs to cyberattacks in general risk-based security protection [4], [5]. In general, the impact of cyberattacks derives from damage to various assets. The standard IEC 62443-1-1 [6] defines an asset as a physical or logical object owned by or under the custodial duties of an organization, having either a perceived or actual value to the organization, such as intellectual property, field device, product, human, etc. It also presents a general reference model for understanding significant relationships among assets in five different levels including enterprise systems, operations management, supervisory control, local or basic control and process. Different from the scenario in general information technology systems, the impact of cyberattacks on ICSs in the cyber world may propagate to the physical world [7]. This paper analyzes the impacts at the last three levels, i.e., supervisory control, local or basic control, and process.

ICSs are composed of a number of related assets that execute cooperatively. Cyberattacks on ICSs generally target either the assets themselves or their interactions in order to compromise system behaviours. Once an ICS is attacked, the impact of the attacks could propagate from one asset to another, or even propagate in cycles. The attacked system may move gradually from the expected state to unsafe states, which may lead to various possible consequences, such as production damage, equipment damage, environmental pollution, and/or human casualties. Thus, to reason deductively about the trend of the impact of cyberattacks, it is essential to fully recognize the attributes of assets and explore the mechanism of impact propagation. Efforts have been made to investigate the impact of cyberattacks [8]–[11]. While these efforts developed some insights into the impact of cybersecurity, they lack several essential aspects, e.g., recognition of the inherent attributes of assets, impact propagation analysis, and prediction of the dynamic change of the impact over time.

To tackle this problem, a dynamic impact assessment approach is presented in this paper for risk analysis in ICSs. In the approach, an asset is abstracted with properties of construction, function, performance, location and business, which guide the establishment of dynamic and object-oriented asset models and the quantification of the impact of cyberattacks. More specifically, a component-level asset model is established based on Petri nets to characterize the internal behaviours and interface features of system equipment. Then, a system-level asset model is constructed by integrating the component-level asset models with consideration of the interactions of assets. After that, common cyberattacks are modeled and integrated into the asset model, so as to reason deductively about the impact propagation of cyberattacks. From various possible impact consequences, the loss analysis and quantification for possible hazard-affected bodies are implemented to predict the trend of impact. A special application of the approach is to rank critical system parameters and prioritize key assets. The effectiveness of the presented approach is demonstrated through simulation studies for a chemical control system.

The rest of this paper is organized as follows. Section II introduces general knowledge of assets and Petri nets. Section III presents the architecture of dynamic impact assessment. Incorporating the mechanism of common cyberattacks, asset models are established in Section IV. Then, Section V calculates the dynamic impact of cyberattacks. Simulation studies are conducted in Section VI. Finally, Section VII concludes the paper.

Xuan Li, Chunjie Zhou, Yu-Chu Tian, Naixue Xiong, Yuanqing Qin. Online published on 17 August 2017. DOI: 10.1109/TII.2017.2740571

II. BACKGROUND

A. General Knowledge of Assets in ICSs

An ICS is a collection of assets. Through an ontology-based system modelling approach, the systems can be described with some fundamental attributes, e.g., goal, function, behaviour and structure, which basically represent certain aspects of an asset [12], [13]. Under a certain scenario, various properties of assets and relationships among assets are explicit. In general, an asset instance can be represented by a collection of the following basic properties [14].

• Construction: reflection of the mechanical information or constructional properties, such as dimensions.
• Function: reflection of the functional aspects. It is achieved by the coordination of coupled behaviours of an asset.
• Performance: reflection of the characteristics of the functional aspects, such as the upper pressure limit of a reactor.
• Location: indicating the position of an asset, such as relative location or absolute location.
• Business: reflection of the commercial properties of an asset, such as price, cost of maintenance or replacement.

An asset is represented by at least one but not necessarily all of these basic properties. The knowledge can be obtained from manufacturers, engineers, and other sources of information. Interactions of the basic properties of assets in an organized way attain certain pre-defined objectives of ICSs, and contribute to analyzing the evolution of systems under cyberattacks.

B. A Brief Review of Petri Nets

Petri nets (PNs) are a graphical and mathematical modelling tool to set up state equations, algebraic equations, and other mathematical models governing the behaviour of systems [15]. In the past half century, Petri nets have been enriched and developed significantly to form different classes of PNs, such as Hybrid Petri nets, Timed Petri nets, and Coloured Petri nets. They have been widely applied in many industrial systems, such as manufacturing, chemical engineering, communications and transportation [16], [17].

Petri nets have the capability to model and analyze dynamic and concurrent activities. They provide a clear means to describe system dynamics in a visual representation [18], [19]. These characteristics make them suitable for risk analysis [20]–[22]. In this paper, hybrid PNs [23] are adopted to model system dynamics under cyberattacks. The use of hybrid PNs for simulating the behaviours of assets and the evolution of systems greatly contributes to in-depth observation and analysis of the impact propagation mechanism of cyberattacks. This allows an adequate assessment of the impact of cyberattacks.

III. ARCHITECTURE OF DYNAMIC IMPACT ASSESSMENT

The architecture of the designed asset-based dynamic impact assessment of cyberattacks for risk analysis is shown in Fig. 1. The approach takes as input information on attacks, such as attack type, time and action (1/0: an attack is launched/stopped), derived from an intrusion detection system. Its output is the overall impact caused by the attacks.

Fig. 1. Architecture of dynamic impact assessment. (Blocks in the figure: a Knowledge Base holding Asset Knowledge, Attack Knowledge and Hazardous Incident Knowledge; an Asset Model comprising the Component-level Asset Model and the System-level Asset Model; and the Dynamic Impact Assessment of Cyberattack, comprising Impact Propagation Analysis and Quantitation of Impact, which takes the Cyberattack as input and produces the Total Impact.)

Our dynamic impact assessment consists of two phases: 1) impact propagation analysis, and 2) quantification of impact. During the first phase, the information on the detected cyberattacks is injected into the asset model. This is followed by investigations into the evolution of system behaviours under attack. During the second phase, combining the identified abnormal behaviours and multi-domain knowledge, the possible hazard incidents and the corresponding hazard-affected bodies are analyzed and quantified. The results are used to predict the trend of impact.

IV. ASSET-BASED HIERARCHICAL SYSTEM MODELLING

A typical ICS can be sketched with a proliferation of HMIs and control loops including controllers, actuators, controlled processes and sensors [4]. These assets can be classified into a hierarchy of five different levels as shown in Table I.

TABLE I
THE HIERARCHY OF ASSETS

Level   Asset
1       Supervisory device (i.e., HMI)
2       Controller (i.e., PLC, embedded controller)
3       Actuator (i.e., valve, motor)
4       Process unit (i.e., reactor, tank)
5       Sensor (i.e., liquid sensor, pressure sensor)

A. Object-oriented Modelling of Component-level Assets

In terms of the assets in Table I, each asset has its own behaviours and attributes. An asset interacts with another via its inputs and outputs. Thus, the component-level asset model consists of two parts: external structure and internal structure. The external structure comprises a set of ports (used to receive and send messages), which form the interface of the model. The internal structure characterizes the features of the internal behaviours of an asset. The evolution of these behaviours is generally specified in a recipe. Treating each asset as a single-server queue, behaviours in an asset are executed sequentially. To model the behaviours, the hybrid Petri net [23] is adopted to summarize the structures of an asset. A general paradigm of the component-level asset model is shown in Fig. 2-(1). The inputs and outputs of an asset are described with places, and the evolution of internal behaviours is modelled with firing speed functions. The discrete places guarantee that behaviours, modelled by continuous places and their associated transitions, are executed sequentially. The number of tokens in each continuous place denotes the qualitative value of the corresponding parameter.


Fig. 2. Component-level asset model.

1) L-1: Supervisory device

Supervisory devices are usually used to modify control settings and also to monitor the state of a process. A general model of a supervisory device is depicted in Fig. 2-(2). The configuration behaviours can be characterized with two elementary actions: configuration of parameters and confirmation of sending a command. For instance, operators set a parameter to be modified into the place sp1. After validity verification, such as the maximum and minimum tests, the parameter is stored in the buffer place sp3 waiting to be sent. Once the configuration is completed, a command of confirmation signals is issued via mc. The supervisory device reads the received process parameters from the input buffer places mvi and displays them in mpi, so as to monitor the states of the system.

2) L-2: Controller

A controller is reconfigured by supervisory devices irregularly. It periodically collects sensor signals and implements control laws under the current configuration to compute control commands. The behaviours with the capability of controlling complex processes in the controller vary with the requirements of applications. In industry, a very classical and widespread control law, namely the incremental Proportional Integral Derivative (PID) algorithm, is usually adopted; it is described by Equation (1).

$$\Delta u = K_P \cdot (e_k - e_{k-1}) + K_I \cdot e_k + K_D \cdot (e_k - 2 \cdot e_{k-1} + e_{k-2}), \quad (1)$$

where $K_P$, $K_I$, $K_D$ are the proportional gain, integral time constant and derivative time constant, respectively; $e_k$ is the static error at $k$. Fig. 2-(3) shows the PN model of the controller with the incremental PID algorithm. The discrete places mc1 ∼ mc5 coordinate the behaviours for calculating the control command. The input places sp and yp receive the setpoint from the supervisory device and the measurement from the sensor, respectively. sp1 buffers the setpoint from sp and compares it with yp to derive the static error $e_k$. Then, the incremental PID algorithm is implemented and the result is stored in ∆u. For the weighted arcs attached to the place ∆u, their weights are defined as mathematical functions corresponding to the deviation places $e_k$, $e_{k-1}$ and $e_{k-2}$. Finally, ∆u is accumulated into the output place up, so as to give the new control command.

3) L-3: Actuator

An actuator is a component of a machine responsible for moving or controlling a mechanism or system for the completion of control actions in ICSs. The type of action is determined by the control command derived from the corresponding controller. From the computer modelling perspective, the behaviours of an actuator can be simplified. The actuator interprets the control command and then sends the interpreted information to process units. Fig. 2-(4) shows the PN model of an actuator. The buffer place up receives the control command from the input place upI and passes it to the output place upO after proper processing. It also stores the control command, i.e., it keeps its current state until any new command arrives.

4) L-4: Process unit

In ICSs, due to different requirements, there are many different physical processes held by different process units. In general, the input-output relationships of a general physical process can be described by a group of differential and/or difference equations based on laws of physics, chemistry, etc. A different process means different instances of such equations. Thus, there is no unified description for modelling their internal structures, and only a general coarse-grained asset model is presented in Fig. 2-(5) for a process unit. The input place ui and output place yi represent signals from the actuator and to the sensor, respectively. The equations model the physical process, in which $u = [u_1, u_2, \cdots, u_n]$, $y = [y_1, y_2, \cdots, y_m]$ and $k$ is a discrete instant of time. The vector $x$ represents state variables, such as pressure and liquid level. The evolution of these variables characterizes the behaviours of a physical process. For instance, the PN model of linear time-invariant (LTI) systems can be established through their state-space model [23].

For some physical processes, accurate mathematical models are difficult to establish. In this case, a relatively simple technique, the black-box modelling technique, can be adopted. It fits some universal input-output functions with a fixed number of parameters to represent the true process dynamics. The technique can be used to extract the model from historical process data [24]. This contributes to the establishment of asset models for this type of process unit.

5) L-5: Sensor

The state of controlled processes can be measured by sensors. Fig. 2-(6) shows the model of a sensor, which is similar to that of an actuator. The measurement signal received by the input buffer place ypI from the process unit is passed to the buffer place yp. Then, it is uploaded to controllers via the output place ypO periodically.

B. Construction of System-level Asset Model

In each component-level asset model, input ports are used to enter input parameters and output ports show results. Relations between input ports and output ports can be used to synchronize component-level asset models when they are synthesized. Interaction among assets is achieved by message passing. A change in an upstream device is always associated with a change in the behaviours of a downstream device. Two adjacent component-level asset models can be connected according to Fig. 3.

Fig. 3. Construction of system-level asset model.

According to the interactive relationships among assets, the system-level asset model can be formed. Control loops of an ICS operate continuously, which means the system-level asset model has closed-loop structures and is updated constantly. The token flows of places stand for the evolution of the system.

Before modelling attacks in the asset model, it must be ensured that the established model is a representation of the actual system. Therefore, whether the model behaves consistently with the behaviours of the actual system needs to be checked. More specifically, models are investigated and debugged by means of a Petri net simulator (e.g., a CPN (Coloured Petri Nets) simulator) in a similar way as a programmer tests and debugs a program [25]. The simulator provides a way to "walk through" a model, investigating different scenarios in detail and checking whether the model behaves as expected. If the model does not behave as expected, a closer investigation can be made to see where discrepancies appear, and then the discrepancies can be corrected.

C. Modelling Attacks in Asset Model

Cyberattacks on ICSs generally aim to either compromise assets or disrupt communication channels. They can be broadly classified into deception attacks and denial-of-service (DoS) attacks from the perspective of the effects of cyberattacks [26], [27]. To formally model attacks, several notations are used. The term $T_a = (t_s, t_e]$ denotes the duration of an attack from the start time $t_s$ to the end time $t_e$. The terms $v_i(t)$ and $V_i = [v_i^{\min}, v_i^{\max}]$ uniformly denote system variables, such as sensor measurements, manipulated variables, etc., and their reasonable ranges, respectively.

1) Deception attacks

A deception attack results in loss of integrity. The message received at a destination, which may come from adversaries or compromised sources, probably has an offset from the expected value. Thus, a general mathematical description of deception attacks is presented as Equation (2).

$$v_i(t) = \begin{cases} v_i(t) & \text{if } t \notin T_a, \\ a_i(t) & \text{if } t \in T_a,\ a_i(t) \in V_i, \end{cases} \quad (2)$$

where $a_i(t)$ is the attack signal and is assumed to lie within $V_i$ (a signal outside this range can be easily detected).

Rational attackers would adopt the Max or Min attacks, which are generally the most effective [26], [27]. It means that the attack signal $a_i(t) = v_i^{\max}$ or $v_i^{\min}$ during $T_a$. To model a deception attack, additional places and transitions, marked with thick lines, are incorporated into the asset model. Fig. 4 presents an example to illustrate the modelling method, where the place EN is the place that enables the deception attack, and the value of the place A represents the attack signal. The attack is launched by inserting a token in the place EN at $t_s$. Then, through setting an appropriate weighting function w, the value of the buffer place yp is forced to be overwritten with the value of the place A. When the attack is stopped at $t_e$, the token in the EN place is removed, and the update of the buffer place from the place ypI becomes effective again afterwards. This leads the sensor output to the value that the attackers specified, instead of the expected one, during $T_a$. Deception attacks on other assets are similar to those on the sensor, and thus will not be further discussed.

Fig. 4. Deception attack model of sensor.

2) DoS attacks

This type of attack leads to loss of availability: it jams communication channels among devices and makes signals unable to reach their destinations. A conservative response strategy at destinations uses the last signal received as the current command. Thus, a general mathematical description of DoS attacks is given as Equation (3).

$$v_i(t) = \begin{cases} v_i(t) & \text{if } t \notin T_a, \\ v_i(t_s) & \text{if } t \in T_a. \end{cases} \quad (3)$$

To characterize the effects of DoS attacks, additional places and transitions, marked with thick lines, are incorporated into the asset model. Fig. 5 shows a DoS attack model. The attack is launched by inserting a token in the place EN at $t_s$. Then, the token flow from the place O2 of an upstream device to the place I2 of a downstream device is disabled, which makes the value of the place I2 remain at the last value received during $T_a$. When the attack is stopped at $t_e$, the token in the EN place is removed and the value of the place I2 of the downstream device can be updated from the place O2 of the upstream device afterwards.

Fig. 5. DoS attack model in ICSs.

In the asset models, the additional elements like the places and transitions marked with thick lines in Fig. 4 and Fig. 5 are instantiated more than once to introduce multiple attacks and, also, any combinations of possible attacks. When cyberattacks are detected, the corresponding elements will be configured at the right time and, thus, the evolution of system behaviours under cyberattacks can be reasoned about through simulating the PN-based asset model.

V. DYNAMIC IMPACT ASSESSMENT OF CYBERATTACKS

A. Impact Propagation Analysis of Cyberattack

Cyberattacks can induce abnormal behaviours. The evolution of behaviours can be predicted through simulating the asset model with the detected attacks. Interactions among assets result in impact propagation from upstream devices to downstream devices. Closed-loop structures in the asset model make the impact propagate in cycles along the loops. For example, for a deception attack on a sensor, if the controller receives a false sensor signal, it may generate a wrong control command according to the specified control laws. Further, the downstream actuator will regulate the physical process improperly, and make its state offset from the expected state. This will lead to deviations of sensor readings from their expected signals. In turn, the unexpected sensor measurements will continuously guide the regulation of system behaviours in the next period. In other words, the evolution of behaviours under cyberattacks can be monitored to identify abnormal behaviours, and to check whether and when a system deviates from its expected states or even enters unsafe states.

During the process of impact propagation, the production rate probably deviates from its setpoint, yielding unexpected product. Even worse, the system may run away and hazards may occur. For a specified control system, possible hazardous incidents and the corresponding runaway criteria can be identified offline in advance. Many research efforts focus on runaway criteria of hazard incidents. For example, there are empirical runaway criteria for explosions, in which the runaway limit is viewed as the boundary in the parameter space and the runaway conditions are related to the presence of an inflection point in the corresponding curves [28]. With the evolution of critical parameters, runaway conditions should be checked. Once a runaway criterion is satisfied, hazardous incidents would happen and further bring harm to various assets. In summary, with the impact propagation analysis of cyberattacks, a variety of consequences like unexpected product, device damage, human injuries, environmental pollution, etc., can be determined.

B. Quantification of Impact

Assume that the production rate is $pr(t)$ under normal circumstances, obtained offline, while under cyberattacks it is predicted to be $pr'(t)$ by the asset model. Thus, as time goes on, the production loss, denoted by $PL(t)$, is accumulated; it can be calculated by Equation (4), where $V_p$, indicated by the business property of asset knowledge, is the unit price of the product.

$$PL(t) = \int_{t_s}^{t} \left(pr(t) - pr'(t)\right) \cdot V_p \, dt. \quad (4)$$

With the evolution of the system, once a runaway criterion is satisfied, a hazard incident, such as an explosion, will happen, which probably terminates production processes and leads to a sudden increase in system losses. For each type of hazard incident, combining asset knowledge, the loss analysis and calculation for the hazard-affected bodies can be made offline. In detail, according to the different types of accidents, through selecting an appropriate damage model (explosion model, fire model, etc.) and damage criteria (thermal strength criteria, etc.) [29], [30], the influence range can be divided into several damage zones with different severities. Combining the location and business properties in asset knowledge, the extent of each damage zone, measured by the cost for recovering the hazard-affected bodies in the zone, can be calculated. For a device, the cost can be repair cost or replacement cost. For a person, it probably includes medical expenses, loss of future earnings, etc. For simplicity, assume that there are $M$ assets in a plant, and that the influence range of an accident is divided into $N$ zones, such as the zone of certain destruction, the zone of minor destruction and the safety zone. The unit recovering cost of an asset $i$ in zone $j$ is denoted by $rc_{ij}$. The location mapping relationship between an asset and a zone is indicated by the matrix $X$, in which $x_{ij} \in X$. Thus, the loss of an incident, denoted by $BL$, can be calculated by Equation (5).

$$BL = \sum_{i=1}^{M} \sum_{j=1}^{N} rc_{ij} \cdot x_{ij}, \quad (5)$$

where

$$x_{ij} = \begin{cases} 1 & \text{if the asset } i \text{ is located in zone } j, \\ 0 & \text{otherwise.} \end{cases}$$

In addition, the economic cost $EL$ for treating environmental pollution caused by cyberattacks can be quantified by three parts: penalty, compensation and pollution treatment cost. The cost can be evaluated by analyzing records of similar cases.


Fig. 6. Typical asset models of the simulation: (1) asset model of PC; (2) asset model of process unit; (3) system-level asset model. (The figure marks the DoS attack points ADoS1 to ADoS9 and the deception attack point AMax6 = AMin6.)

TABLE II
ATTACKS IN THE CHEMICAL CONTROL SYSTEM

Goal    Description                   Type
y4      FT measurement                AMax1, AMin1, ADoS1
y5      PT measurement                AMax2, AMin2, ADoS2
y7      IA measurement                AMax3, AMin3, ADoS3
u1      Manipulated variable of V1    AMax4, AMin4, ADoS4
u2      Manipulated variable of V2    AMax5, AMin5, ADoS5
u3      Manipulated variable of V3    AMax6, AMin6, ADoS6
PRsp    Specified product rate        AMax7, AMin7, ADoS7
Psp     Specified pressure            AMax8, AMin8, ADoS8
yA3sp   Specified fraction of A       AMax9, AMin9, ADoS9

In summary, the overall impact of cyberattacks, denoted by TL(t), is made up of PL(t), BL and EL. It can be calculated by Equation (6).

TL(t) = PL(t) + (BL + EL) \cdot u(t_r) \quad \text{for } t \le t_r, \quad (6)

where u(t) is the unit step function and t_r denotes the time at which the system runs away. That is to say, the loss from cyberattacks accumulates gradually until the occurrence of a hazardous incident at t_r. It is worth noting that considering the situation t > t_r is meaningless in general, because a hazardous incident occurs at t_r, which terminates the production process or even ruins the factory. For cases in which attackers launch relatively innocuous attacks that are not enough to lead to hazardous incidents, t_r does not exist. In addition, there are probably other kinds of losses, such as unexpected operating cost, which can be assessed by similar methods.

C. Impact Analysis of Multiple Cyberattacks

Attackers may conduct individual attacks or combinations of individual attacks against control systems. The impact of combined attacks is not the sum of the impacts of the individual attacks, because the impact propagation analysis is conducted on the basis of the current system state, which can be either a normal state or a state of being attacked. Whenever an individual attack is launched or a launched attack is stopped, the evolution of behaviours may deviate from the previously predicted trend, and the time at which the system runs away changes too. Thus, with each adjustment of the attacks, the impact should be predicted again from the current state.

VI. SIMULATION: A CHEMICAL CONTROL SYSTEM

Simulations are conducted with the simplified Tennessee Eastman chemical process control system, which has been widely used in cybersecurity research [31], [32]. The structure of the system is shown in Fig. 7. Reactants A and C react, with trace amounts of an inert B, to generate product D. The regulatory control objective is to maintain a specified product rate PRsp of 100 kmol/h with a pressure Psp of 2700 kPa and a fraction yA3sp of 47 mol% of A in the purge. The pressure must be kept below the limit of 3000 kPa; otherwise, the reactor will explode. More details can be found in [33].

Possible attacks are summarized in Table II. Under cyberattacks, three types of undesirable consequences can occur, as listed in Table III. According to the behaviours of the chemical system introduced in detail in [33], the corresponding asset models can be established. Due to the page limit, several typical asset models, established with the PN simulation tool CPN tools [25], [34], are given in Fig. 6, in which the meanings of the relevant variables are those of Section IV. Although the tool does not support some of the basic elements used in Section IV, it can model their behaviours with specified structures. The established models are debugged by means of the CPN simulator [25] according to Section IV-B. Thereby, discrepancies in behaviour between the model and the chemical system are identified and corrected, ensuring that the model is a true representation of the control system. Fig. 6 includes the PC model, the process unit (reactor) model and the system-level asset model. In Fig. 6, the additional elements marked with thick lines simulate the related attacks in Table II, and the symbols of the corresponding attacks are attached in red.

In the system-level asset model, each substitution transition represents the model of the corresponding device in Fig. 7. It encapsulates the internal behaviour of the device. For example, the substitution transition PC is the encapsulation of the behaviours of the pressure controller (PC), whose model is shown in Fig. 6-(1). It is worth mentioning that not every device in Fig. 7 is associated with a substitution transition in Fig. 6-(3). For instance, the gateways G1 and G2 and the server HDS are responsible for data forwarding and data storage, respectively. They do not directly perform sensing, control or actuation, so it is not necessary to build their models.

From the business properties of the assets, the price of the product, the replacement costs of devices, the cost of casualties, the cost of environmental pollution, etc. can be evaluated. For the sake of simplicity, assume that the unit price Vp of the product and the explosion loss (BL + EL) are quantified to be 100 $/kmol and 250 000 $, respectively. The attacks on PRsp, Psp and yA3sp only modify the setpoints within reasonable ranges, which do not lead the system into an unsafe state. Thus, the attacks aimed at y4, y5, y7, u1, u2 and u3 are simulated under the condition that the system is running at the steady state defined by the regulatory control objective.

[Fig. 7 diagram not reproduced: the reactor with its Feed 1 (A+C+B), Feed 2, Product and Purge streams, the valves V1, V2 and V3, the transmitters FT and PT, the analyzer IA, the controllers MFC, AFC, PC and CC, and the gateways G1 and G2 connecting a CAN bus and an Ethernet on which the HMI and HDS reside.]

Legend: G1: Gateway of Ethernet; G2: Gateway of CAN bus; HMI: Human machine interface; HDS: Historical data server; MFC: Master flow controller; AFC: Auxiliary flow controller; PC: Pressure controller; CC: Composition controller; FT: Flow transmitter; PT: Pressure transmitter; IA: Ingredient analyzer; V1: Valve of feed 1; V2: Valve of feed 2; V3: Valve of purge; CAN: Controller Area Network.

Fig. 7. Control structure of the chemical control system.

TABLE III
POSSIBLE UNDESIRABLE CONSEQUENCES OF THE CHEMICAL SYSTEM

Types                      Cost calculation
Production loss            PL(t) = \int_{t_s}^{t} (pr(t) - pr'(t)) \cdot V_p \, dt
Additional operating cost  UC(t) = \int_{t_s}^{t} (oc'(t) - oc(t)) \, dt
Reactor explosion          HL \cdot u(t_r)

Note: "oc(t), oc'(t)" - instantaneous operating costs under the expected and attacked states; "HL" - explosion cost, equal to (BL + EL).
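As an added worked example (not code from the paper or its authors), the following Python evaluates the loss terms of Eqs. (5) and (6) together with the Table III cost calculations on constructed time series, using the Section VI parameters Vp = 100 $/kmol, BL + EL = 250 000 $ and the 3000 kPa pressure limit as the runaway criterion. The hourly traces, the three-asset plant and its recovery costs are invented for illustration and are not the paper's simulation output; reading u(t_r) in Eq. (6) as a unit step that switches on at t_r is an assumption about the paper's notation.

```python
"""Added example (not the paper's code): Eq. (5) hazard loss, Table III cost
terms and Eq. (6) total loss, evaluated on constructed hourly traces with the
Section VI parameters (Vp = 100 $/kmol, BL + EL = 250 000 $, limit 3000 kPa)."""
from typing import List, Optional, Sequence


def hazard_loss(rc: Sequence[Sequence[float]], x: Sequence[Sequence[int]]) -> float:
    """Eq. (5): BL = sum_i sum_j rc_ij * x_ij.

    rc[i][j] is the unit recovering cost of asset i if it lies in damage zone j;
    x[i][j] is 1 when asset i is located in zone j, else 0 (one zone per asset).
    """
    total = 0.0
    for i, row in enumerate(x):
        if sum(row) != 1:
            raise ValueError(f"asset {i} must be located in exactly one zone")
        total += sum(rc[i][j] * row[j] for j in range(len(row)))
    return total


def cumulative_integral(times: Sequence[float], values: Sequence[float]) -> List[float]:
    """Trapezoidal cumulative integral of values(t), starting at times[0] (= t_s)."""
    acc = [0.0]
    for k in range(1, len(times)):
        dt = times[k] - times[k - 1]
        acc.append(acc[-1] + 0.5 * (values[k] + values[k - 1]) * dt)
    return acc


def production_loss(times, pr_expected, pr_attacked, vp: float) -> List[float]:
    """Table III: PL(t) = int_{t_s}^{t} (pr(t) - pr'(t)) * Vp dt."""
    diff = [(a - b) * vp for a, b in zip(pr_expected, pr_attacked)]
    return cumulative_integral(times, diff)


def operating_cost(times, oc_expected, oc_attacked) -> List[float]:
    """Table III: UC(t) = int_{t_s}^{t} (oc'(t) - oc(t)) dt."""
    diff = [b - a for a, b in zip(oc_expected, oc_attacked)]
    return cumulative_integral(times, diff)


def runaway_time(times, pressure, limit: float = 3000.0) -> Optional[float]:
    """t_r: first sample at which the reactor pressure reaches the explosion limit;
    None when the attack never drives the system into the unsafe region."""
    for t, p in zip(times, pressure):
        if p >= limit:
            return t
    return None


def total_loss(times, pl: Sequence[float], hl: float, tr: Optional[float]) -> List[float]:
    """Eq. (6): TL(t) = PL(t) + HL * u(t - t_r) for t <= t_r. The loss accumulates
    until the hazard at t_r, where the explosion cost HL = BL + EL is added;
    samples after t_r are not assessed because production has ended there."""
    out = []
    for t, loss in zip(times, pl):
        if tr is not None and t > tr:
            break
        step = 1.0 if (tr is not None and t >= tr) else 0.0
        out.append(loss + hl * step)
    return out


def assess(times, pr_expected, pr_attacked, pressure,
           vp: float = 100.0, hl: float = 250_000.0, limit: float = 3000.0):
    """Dynamic impact of one attack: returns (t_r, TL(t) for t <= t_r)."""
    tr = runaway_time(times, pressure, limit)
    pl = production_loss(times, pr_expected, pr_attacked, vp)
    return tr, total_loss(times, pl, hl, tr)


# Constructed scenario (not simulation output from the paper): hourly samples over
# 50 h; the product rate falls from the 100 kmol/h setpoint to 90 kmol/h at t_s = 0
# and the pressure climbs from 2700 kPa by 30 kPa/h, reaching 3000 kPa at t = 10 h.
TIMES = [float(h) for h in range(51)]
PR_EXPECTED = [100.0] * 51
PR_ATTACKED = [90.0] * 51
PRESSURE = [2700.0 + 30.0 * h for h in range(51)]

# Constructed Eq. (5) data: three assets, two damage zones plus the safety zone.
RC = [[50_000.0, 10_000.0, 0.0],   # reactor
      [20_000.0, 5_000.0, 0.0],    # pressure transmitter
      [8_000.0, 2_000.0, 0.0]]     # HMI
X = [[1, 0, 0], [0, 1, 0], [0, 0, 1]]   # reactor in zone 1, PT in zone 2, HMI safe

if __name__ == "__main__":
    t_r, tl = assess(TIMES, PR_EXPECTED, PR_ATTACKED, PRESSURE)
    print(f"t_r = {t_r} h, TL(t_r) = {tl[-1]:.0f} $")   # t_r = 10.0 h, TL = 260000 $
    print(f"BL = {hazard_loss(RC, X):.0f} $")             # BL = 55000 $
```

The assessment stops at t_r on purpose: after the hazard the production loss integral has no meaning, which is the point made under Eq. (6); when no sample reaches the limit, `runaway_time` returns None and the loss is simply the accumulated PL(t) over the whole horizon.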

A. Priority analysis of system parameters and assets

Simulations are run from t = 0 to t = 50 h with each attack starting at ts = 0. Fig. 8 shows the impact under each attack. It indicates that some attacks, such as A^Min_3, can lead to a severe consequence such as an explosion. Some attacks, such as A^Max_1, lead to a gradual increase in losses. Some other attacks, such as A^DoS_6, have almost no impact on the system. The overall impact varies with the specific attack. Table IV presents the composition of the impact caused by each attack.

TABLE IV
COMPOSITION OF IMPACT UNDER EACH ATTACK

        A1              A2              A3
        Max  Min  DoS   Max  Min  DoS   Max  Min  DoS
PL      +    –    ◦     +    –    ◦     +    +    ◦
UC      –    +    ◦     –    –    ◦     +    +    ◦
HL      ×    ×    ×     ×    16.4 ×     ×    13.4 ×

        A4              A5              A6
        Max  Min  DoS   Max  Min  DoS   Max  Min  DoS
PL      –    +    ◦     +    +    ◦     +    +    ◦
UC      +    –    ◦     +    +    ◦     +    –    ◦
HL      0.3  ×    ×     13.4 ×    ×     ×    ×    ×

Note: "+ / –" - the attack leads to a decrease / an increase in production, or an increase / a decrease in operating cost, compared with the expected state; "◦" - the attack has no effect on production or operating cost; "×" - the attack does not cause a reactor explosion; "number" - time (hours) until the reactor explodes after the attack is initiated.

Attacks on y5, y7, u1 and u2 can cause great impact and even bring the system into an unsafe state. The response time left to operators for the attack on u1 is far less than that for the attacks on the other three parameters. It can be inferred that the parameters y5, y7, u1 and u2 are more critical than y4 and u3, and that more care should be taken with u1 than with any other parameter. The control loops formed by the assets IA-CC-V2 and PT-AFC-MFC-V1, respectively, should be protected with high priority.

Fig. 8. Impact under each attack starting from ts = 0. [Figure not reproduced: impact ($, 0 to 3·10^5) versus time (0 to 50 h) for the attacks A^Max_1, A^Min_1, A^DoS_1, ..., A^Max_6, A^Min_6, A^DoS_6.]

B. Dynamic Impact Assessment Study

In this part, two attack scenarios covering multiple attacks are designed, with the simulation running from t = 0 to t = 75 h. Table V presents the information of the scenarios. Under the two scenarios, the dynamic curves of pressure and impact are shown in Fig. 9.

TABLE V
THE DESIGNED ATTACK SCENARIOS

Scenario  Attack    Time  Action  Description
S1        A^Min_5   5     1       Attack A^Min_5 is launched at t = 5 h
          A^Max_1   30    1       Attack A^Max_1 is launched at t = 30 h
          A^Min_5   40    0       Attack A^Min_5 is stopped at t = 40 h
          A^Max_1   50    0       Attack A^Max_1 is stopped at t = 50 h
S2        A^Min_1   15    1       Attack A^Min_1 is launched at t = 15 h
          A^DoS_2   19.5  1       Attack A^DoS_2 is launched at t = 19.5 h

Fig. 9. Pressure and impact under the two scenarios. [Figure not reproduced.]

The results demonstrate the ability to predict the impact of cyberattacks and the time at which the system runs away, dynamically. It can be inferred from scenario 2 that a combination of single attacks that do not cause explosions on their own may lead to an explosion. The impact of cyberattacks varies with the combination of attacks. Multiple attacks launched on the system probably lead to more serious consequences than single attacks.
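The re-prediction rule of Section V.C (predict again from the current state whenever an attack is launched or stopped), applied to the Table V schedules, as an added example that is not the paper's code. The process dynamics are a deliberately crude stand-in for the paper's CPN model: each active attack contributes a constructed, invented pressure drift rate, so the predicted runaway times are illustrative only and are not those of Fig. 9. The attack names are those of Table V; the 3000 kPa limit, the 2700 kPa setpoint and the 75 h horizon are from Section VI.

```python
"""Added example (not the paper's code): re-predicting the runaway time t_r from
the current system state each time the attack set changes (Section V.C), driven
by Table V-style schedules. The process model is a constructed toy, not the
paper's CPN model: each active attack adds a fixed pressure drift."""
from typing import Dict, List, Optional, Set, Tuple

LIMIT_KPA = 3000.0      # explosion limit of the reactor (Section VI)
NOMINAL_KPA = 2700.0    # pressure setpoint Psp (Section VI)
HORIZON_H = 75.0        # simulation horizon of Section VI-B

# Constructed drift (kPa/h) of the reactor pressure while each attack is active.
# The values are invented for this toy and are not results from the paper.
DRIFT: Dict[str, float] = {"AMin1": 2.5, "ADoS2": 5.0, "AMin5": 1.0, "AMax1": -1.5}

# (time in h, attack name, action: 1 = launch, 0 = stop), the Table V columns
Event = Tuple[float, str, int]


def drift_rate(active: Set[str]) -> float:
    """Net pressure drift for the currently active attack set (0 when none)."""
    return sum(DRIFT[a] for a in active)


def predict_runaway(t_now: float, p_now: float, active: Set[str],
                    horizon: float = HORIZON_H) -> Optional[float]:
    """Predict t_r from the *current* state, assuming the active attacks stay as
    they are. None means no runaway is foreseen inside the prediction horizon."""
    if p_now >= LIMIT_KPA:
        return t_now
    rate = drift_rate(active)
    if rate <= 0:
        return None
    t_r = t_now + (LIMIT_KPA - p_now) / rate
    return t_r if t_r <= horizon else None


def run_scenario(events: List[Event], p0: float = NOMINAL_KPA,
                 horizon: float = HORIZON_H) -> List[Tuple[float, Optional[float]]]:
    """Walk a scenario: advance the toy process to each action, apply it, and
    re-predict t_r from the state reached. Returns (time of re-prediction,
    predicted t_r) pairs; if the hazard occurs before the next action, the walk
    stops at the hazard."""
    active: Set[str] = set()
    t, p = 0.0, p0
    log: List[Tuple[float, Optional[float]]] = []
    for t_ev, attack, action in sorted(events):
        rate = drift_rate(active)
        if rate > 0 and p + rate * (t_ev - t) >= LIMIT_KPA:
            t_r = t + (LIMIT_KPA - p) / rate   # runaway before the schedule changes
            log.append((t_r, t_r))
            return log
        # the regulator holds the pressure at its setpoint when attacks push it down
        p = max(NOMINAL_KPA, p + rate * (t_ev - t))
        t = t_ev
        if action == 1:
            active.add(attack)
        else:
            active.discard(attack)
        log.append((t, predict_runaway(t, p, active, horizon)))
    return log


# The Table V schedules; with the constructed dynamics the outcomes are illustrative only.
S1: List[Event] = [(5.0, "AMin5", 1), (30.0, "AMax1", 1), (40.0, "AMin5", 0), (50.0, "AMax1", 0)]
S2: List[Event] = [(15.0, "AMin1", 1), (19.5, "ADoS2", 1)]

if __name__ == "__main__":
    for name, scenario in (("S1", S1), ("S2", S2)):
        for t_at, t_r in run_scenario(scenario):
            print(f"{name}: at t = {t_at:5.1f} h predicted t_r = {t_r}")
```

With these constructed rates, S2 shows the effect the text draws from scenario 2: A^Min_1 alone predicts no runaway within the horizon, but once A^DoS_2 is added the prediction, recomputed from the pressure reached at t = 19.5 h, moves inside the horizon. The same prediction made from the initial state instead of the current one would be wrong, which is why the approach re-runs the propagation analysis at every adjustment of the attack set.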

C. Time Capacity Study

This part discusses the time capacity of the designed approach. First, the real-time performance is evaluated by performing the simulation 3000 times on a computer with an Intel Core i3 (3M Cache, 3.70 GHz) and 4 GB DDR3 memory. Fig. 10 shows the execution time distribution under these conditions. The average, maximum and minimum execution times of the impact assessment are 3.56 s, 3.64 s and 3.55 s, respectively.

Fig. 10. Distribution of execution time with TP = 72 hours.

The execution time of the approach depends on the length of the predicted time TP and the system size NT, indicated by the total number of transitions in the asset model. The overall time complexity is on the order of O(TP ∗ NT). To demonstrate the complexity, the simulation for each pair ⟨TP, NT⟩, where TP ∈ {12, 24, · · · , 96} and NT ∈ {300, 600, · · · , 2400}, is conducted 3000 times, and the average execution time of each pair is calculated. The relationship between the execution time and ⟨TP, NT⟩ is shown in Fig. 11. The front and left views also present the corresponding fitting lines, whose correlation coefficients r are all greater than 0.99 and whose standard errors e are all less than 0.2. This means that the execution time scales linearly with both TP and NT.

D. Comparative Study

There are a variety of solutions for impact assessment. Table VI presents some characteristics of the proposed approach compared with existing methods. It can be inferred that existing methods either are not designed for ICSs or cannot deeply explore the relationship between the impact and cyberattacks on ICSs and adequately assess the impact. Our approach is designed from the inherent characteristics of system assets to analyze how cyberattacks impact ICSs. This enables the impact to be assessed accurately and key assets/system parameters to be ranked, and thus contributes to the optimization of security protection. Furthermore, our approach has a time complexity of O(TP ∗ NT), where TP and NT represent how far ahead the impact of cyberattacks is predicted and the size of the system, respectively.


[Fig. 11 not reproduced: three panels. 3D view: execution time (s, 0 to 15) versus TP (24 to 96) and NT (300 to 2100). Front view: execution time versus TP (24, 48, 72, 96) for NT = 300, 600, 900, 1200, 1500, 1800, 2100, 2400, with fitting-line quantities (r, e) in legend order of (1.000, 0.009), (1.000, 0.024), (1.000, 0.031), (0.999, 0.125), (1.000, 0.031), (1.000, 0.073), (1.000, 0.052), (0.999, 0.180). Left view: execution time versus NT (300, 900, 1500, 2100) for TP = 12, 24, 36, 48, 60, 72, 84, 96, with fitting-line quantities (r, e) in legend order of (0.999, 0.024), (0.999, 0.059), (0.998, 0.109), (0.999, 0.085), (1.000, 0.037), (1.000, 0.057), (0.999, 0.169), (0.999, 0.177).]

Fig. 11. Time complexity of the designed approach: 3D, front and left views.

TABLE VI
COMPARISON OF THE PROPOSED AND OTHER EXISTING IMPACT ASSESSMENT SOLUTIONS

(OA: our approach; [number]: literature)

                                   OA  [8]  [9]  [10] [11] [35] [36] [37]
Is designed for ICSs?              √   √    √    √    √    ×    ×    √
Is dynamic?                        √   √    √    √    √    √    √    ×
Is quantitative?                   √   ×    √    ×    √    ×    ×    ×
Can analyze impact propagation?    √   √    ×    √    ×    ×    √    ×
Can predict the trend of impact?   √   ×    √    ×    ×    ×    ×    ×
Can rank key assets?               √   √    ×    √    ×    ×    ×    √

VII. CONCLUSION

Impact assessment of cyberattacks is significant and essential for the risk analysis of modern ICSs. A dynamic impact assessment approach has been presented in this paper to address this issue. It can predict the trend of the impact of cyberattacks dynamically from full recognition of asset knowledge. More specifically, an asset is abstracted with properties of construction, function, performance, location and business. From the function and performance properties, object-oriented asset models incorporating the mechanisms of common cyberattacks are established at both the component and system levels. Characterizing the evolution of the behaviours of single assets and of the system, the models are used to analyze the impact propagation of cyberattacks. Then, from the various possible impact consequences, the total impact is quantified based on the location and business properties. The simulation results have demonstrated the effectiveness of the proposed approach. Future work will cover the probability prediction of cyberattacks, which is the other aspect of risk analysis.

REFERENCES

[1] T. M. Chen, "Stuxnet, the real start of cyber warfare? [Editor's note]," IEEE Network, vol. 24, no. 6, pp. 2–3, Nov. 2010.

[2] R. Piggin, "Cyber security trends: What should keep CEOs awake at night," International Journal of Critical Infrastructure Protection, vol. 13, pp. 36–38, 2016.

[3] S. McLaughlin, C. Konstantinou, X. Wang, L. Davi, A.-R. Sadeghi, M. Maniatakos, and R. Karri, "The cybersecurity landscape in industrial control systems," Proceedings of the IEEE, vol. 104, no. 5, pp. 1039–1057, 2016.

[4] K. Stouffer, J. Falco, and K. Scarfone, "Guide to industrial control systems (ICS) security," NIST Special Publication, vol. 800, no. 82, pp. 16–16, 2011.

[5] National Institute of Standards and Technology (NIST), "Framework for improving critical infrastructure cybersecurity," 2014.

[6] International Electrotechnical Commission (IEC), "62443-1-1: 2009, Industrial communication networks - Network and system security - Part 1-1: Terminology, concepts and models," 2009.

[7] T. Vollmer and M. Manic, "Cyber-physical system security with deceptive virtual hosts for industrial control networks," IEEE Transactions on Industrial Informatics, vol. 10, no. 2, pp. 1337–1347, 2014.

[8] B. Genge, I. Kiss, and P. Haller, "A system dynamics approach for assessing the impact of cyber attacks on critical infrastructures," International Journal of Critical Infrastructure Protection, vol. 10, pp. 3–17, 2015.

[9] R. Liu, C. Vellaithurai, S. S. Biswas, T. T. Gamage, and A. K. Srivastava, "Analyzing the cyber-physical impact of cyber events on the power grid," IEEE Transactions on Smart Grid, vol. 6, no. 5, pp. 2444–2453, 2015.

[10] H. Orojloo and M. A. Azgomi, "A method for evaluating the consequence propagation of security attacks in cyber–physical systems," Future Generation Computer Systems, vol. 67, pp. 57–71, 2017.

[11] D. Kundur, X. Feng, S. Liu, T. Zourntos, and K. L. Butler-Purry, "Towards a framework for cyber attack impact analysis of the electric smart grid," in 2010 First IEEE International Conference on Smart Grid Communications (SmartGridComm). IEEE, 2010, pp. 244–249.

[12] M. Modarres and S. W. Cheon, "Function-centered modeling of engineering systems using the goal tree-success tree technique and functional primitives," Reliability Engineering & System Safety, vol. 64, no. 2, pp. 181–200, 1999.

[13] C. Guo, S. Gong, L. Tan, and B. Guo, "Extended GTST-MLD for aerospace system safety analysis," Risk Analysis, vol. 32, no. 6, pp. 1060–1071, 2012.

[14] International Electrotechnical Commission (IEC), "Industrial-process measurement, control and automation - Reference model for representation of production facilities (digital factory)," TR 62794, Tech. Rep., 2012.

[15] T. Murata, "Petri nets: Properties, analysis and applications," Proceedings of the IEEE, vol. 77, no. 4, pp. 541–580, Apr. 1989.

[16] H. Hu and M. Zhou, "A Petri net-based discrete-event control of automated manufacturing systems with assembly operations," IEEE Transactions on Control Systems Technology, vol. 23, no. 2, pp. 513–524, 2015.

[17] M. Jamro, D. Rzonca, and W. Rzsa, "Testing communication tasks in distributed control systems with SysML and timed colored Petri nets model," Computers in Industry, vol. 71, pp. 77–87, 2015.

[18] G. F. List and M. Mashayekhi, "A modular colored stochastic Petri net for modeling and analysis of signalized intersections," IEEE Transactions on Intelligent Transportation Systems, vol. 17, no. 3, pp. 701–713, Mar. 2016.

[19] A. Polic and K. Jezernik, "Closed-loop matrix based model of discrete event systems for machine logic control design," IEEE Transactions on Industrial Informatics, vol. 1, no. 1, pp. 39–46, Feb. 2005.

[20] M. Vileiniskis and R. Remenyte-Prescott, "Quantitative risk prognostics framework based on Petri net and bow-tie models," Reliability Engineering & System Safety, 2017.

[21] R. Mitchell and I. R. Chen, "Modeling and analysis of attacks and counter defense mechanisms for cyber physical systems," IEEE Transactions on Reliability, vol. 65, no. 1, pp. 350–358, Mar. 2016.

[22] T. M. Chen, J. C. Sanchez-Aarnoutse, and J. Buford, "Petri net modeling of cyber-physical attacks on smart grid," IEEE Transactions on Smart Grid, vol. 2, no. 4, pp. 741–749, Dec. 2011.

[23] R. Drath, Description of Hybrid Systems by Modified Petri Nets. Berlin, Heidelberg: Springer Berlin Heidelberg, 2002, pp. 15–36.

[24] M. Glavan, D. Gradisar, S. Strmcnik, and G. Music, "Production modelling for holistic production control," Simulation Modelling Practice and Theory, vol. 30, pp. 1–20, 2013.

[25] K. Jensen and L. M. Kristensen, Coloured Petri Nets: Modelling and Validation of Concurrent Systems. Springer Science & Business Media, 2009.

[26] S. Amin, "On cyber security for networked control systems," 2011.

[27] Y.-L. Huang, A. A. Cardenas, S. Amin, Z.-S. Lin, H.-Y. Tsai, and S. Sastry, "Understanding the physical and economic consequences of attacks on control systems," International Journal of Critical Infrastructure Protection, vol. 2, no. 3, pp. 73–83, 2009.

[28] J. Adler and J. Enig, "The critical conditions in thermal explosion theory with reactant consumption," Combustion and Flame, vol. 8, no. 2, pp. 97–103, 1964.


[29] H. Si, H. Ji, and X. Zeng, "Quantitative risk assessment model of hazardous chemicals leakage and application," Safety Science, vol. 50, no. 7, pp. 1452–1461, 2012.

[30] T. Li and R. Lindstedt, "Thermal radiation induced ignition of multipoint turbulent explosions," Process Safety and Environmental Protection, vol. 107, pp. 108–121, 2017.

[31] R. Candell, T. Zimmerman, and K. Stouffer, "An industrial control system cybersecurity performance testbed," National Institute of Standards and Technology, NISTIR 8089, 2015.

[32] C. Zhou, S. Huang, N. Xiong, S.-H. Yang, H. Li, Y. Qin, and X. Li, "Design and analysis of multimodel-based anomaly intrusion detection systems in industrial process automation," IEEE Transactions on Systems, Man, and Cybernetics: Systems, vol. 45, no. 10, pp. 1345–1360, 2015.

[33] N. L. Ricker, "Model predictive control of a continuous, nonlinear, two-phase reactor," Journal of Process Control, vol. 3, no. 2, pp. 109–123, 1993.

[34] R. Amoah, S. Camtepe, and E. Foo, "Securing DNP3 broadcast communications in SCADA systems," IEEE Transactions on Industrial Informatics, vol. 12, no. 4, pp. 1474–1485, 2016.

[35] A. Motzek and R. Moller, "Context- and bias-free probabilistic mission impact assessment," Computers & Security, vol. 65, pp. 166–186, 2017.

[36] I. Kotenko and A. Chechulin, "A cyber attack modeling and impact assessment framework," in 2013 5th International Conference on Cyber Conflict (CYCON 2013), June 2013, pp. 1–24.

[37] N. Liu, J. Zhang, and X. Wu, "Asset analysis of risk assessment for IEC 61850-based power control systems - Part I: Methodology," IEEE Transactions on Power Delivery, vol. 26, no. 2, pp. 869–875, 2011.