Risk assessment method for cybersecurity of cyber-physical systems based on inter-dependency of vulnerabilities

As cyber physical systems are used more extensively and thoroughly, cyber-attacks have become one of the utmost threats to the cybersecurity of cyber physical systems (CPS). It is possible that an adversary can damage a physical component with cyber-attacks (eg. The Stuxnet). Although many research has been done on risk assessment method, limited work has been published to quantify cybersecurity risk of CPS. This paper suggests a method to quantify the cybersecurity risk of CPS caused by cyber-attacks in terms of numeric value. To help quantitatively measure the risk, we present two indices, the successful-attack-probability index and the attack-impact index, based on vulnerability dependency graph. Furthermore, the successful-attack-probability index is calculated considering the interdependent relationship between vulnerabilities and the calculation of attack-impact index takes the impact on the physical domain resulting from cyber-attacks into account. Numerical example shows that the potential risk of system and the optimal attack target can be obtained. The proposed method can be extended to security investment analysis as well.