Abstract
•Flexible model to represent complex dependencies in multi-protected ICS environments.•Novel security metric and algorithms to identify critical cyber-physical components.•META4ICS, an open source tool to analyse real ICS models.•Extensive experimental evaluation on performance and scalability aspects.•A thorough case study conducted on a realistic Water Transport Network (WTN).
[Display omitted]
In recent years, Industrial Control Systems (ICS) have become increasingly exposed to a wide range of cyber-physical attacks, having massive destructive consequences. Security metrics are therefore essential to assess and improve their security posture. In this paper, we present a novel ICS security metric based on AND/OR graphs and hypergraphs which is able to efficiently identify the set of critical ICS components and security measures that should be compromised, with minimum cost (effort) for an attacker, in order to disrupt the operation of vital ICS assets. Our tool, META4ICS (pronounced as metaphorics), leverages state-of-the-art methods from the field of logical satisfiability optimisation and MAX-SAT techniques in order to achieve efficient computation times. In addition, we present a case study where we have used our system to analyse the security posture of a realistic Water Transport Network (WTN).