A Methodology to Measure the "Cost" of CPS Attacks: Not all CPS Networks are Created Equal
Published in 2024 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW) on .
Abstract
Cyber-Physical Systems (CPS) are connected computer systems used to monitor and control physical processes using digital control programs. Cyberattacks targeting CPS can cause physical impact with potentially devastating consequences. While some past attacks required expert CPS knowledge (e.g., Stuxnet), other attacks could be implemented by anyone, solely with pure IT knowledge. Understanding what causes these differences is essential in effectively defending CPS, however, as of now, there is no way of qualifying let alone quantifying them. In this paper, we first define a notion of (non-monetary) attack 'cost' focusing on the required CPS-specific attacker knowledge. We then identify several context factors that may influence this cost and, finally, provide a methodology to analyze the relation between attack cost and CPS-context using past cyberattacks. To validate the methodology in a reproducible way, we apply it to publicly reported CPS incidents with physical impact. Though this constitutes only a small set of attacks, our methodology is able to find correlations between context factors and the attack cost, as well as significant differences in context factors between CPS domains.
Additional Info
- This paper has artifacts.