IDEAS home Printed from https://ideas.repec.org/a/eee/reensy/v220y2022ics0951832021007444.html
   My bibliography  Save this article

Hybrid ontology for safety, security, and dependability risk assessments and Security Threat Analysis (STA) method for industrial control systems

Author

Listed:
  • Alanen, Jarmo
  • Linnosmaa, Joonas
  • Malm, Timo
  • Papakonstantinou, Nikolaos
  • Ahonen, Toni
  • Heikkilä, Eetu
  • Tiusanen, Risto

Abstract

This paper introduces a model-based methodology for hybrid reliability, availability, maintainability, safety, and security (RAMSS) risk assessment management, which extends our previous work of model-based, data-driven, support for engineering mission-critical systems. It represents a hybrid risk assessment ontology, which harmonises basic concepts between dependability, safety and security based on well-known industrial standards. Based on the proposed ontology, we create a cybersecurity risk analysis method, called Security Threat Analysis (STA), for industrial control systems and successfully demonstrate the method. For the demonstration, we introduce a data model for creating a tool-supported data repository for STA, then implement this repository with a commercial-off-the-shelf tool. We use the repository to carry out an exemplary STA of a nuclear fuel pool cooling control system, assessing a cybersecurity-related hazard. The demonstration suggests that the hybrid RAMSS risk assessment ontology and the related STA data model are ready to be tested in industrial use, offering a structured data repository to support assessment and traceability between the created artefacts.

Suggested Citation

  • Alanen, Jarmo & Linnosmaa, Joonas & Malm, Timo & Papakonstantinou, Nikolaos & Ahonen, Toni & Heikkilä, Eetu & Tiusanen, Risto, 2022. "Hybrid ontology for safety, security, and dependability risk assessments and Security Threat Analysis (STA) method for industrial control systems," Reliability Engineering and System Safety, Elsevier, vol. 220(C).
  • Handle: RePEc:eee:reensy:v:220:y:2022:i:c:s0951832021007444
    DOI: 10.1016/j.ress.2021.108270
    as

    Download full text from publisher

    File URL: http://www.sciencedirect.com/science/article/pii/S0951832021007444
    Download Restriction: Full text for ScienceDirect subscribers only

    File URL: https://libkey.io/10.1016/j.ress.2021.108270?utm_source=ideas
    LibKey link: if access is restricted and if your library uses this service, LibKey will redirect you to where you can use your library subscription to access this item
    ---><---

    As the access to this document is restricted, you may want to search for a different version of it.

    References listed on IDEAS

    as
    1. Pakonen, Antti & Buzhinsky, I & Björkman, K, 2021. "Model checking reveals design issues leading to spurious actuation of nuclear instrumentation and control systems," Reliability Engineering and System Safety, Elsevier, vol. 205(C).
    2. SICARD, Franck & ZAMAI, Éric & FLAUS, Jean-Marie, 2019. "An approach based on behavioral models and critical states distance notion for improving cybersecurity of industrial control systems," Reliability Engineering and System Safety, Elsevier, vol. 188(C), pages 584-603.
    3. Carreras Guzman, Nelson H. & Zhang, Jin & Xie, Jing & Glomsrud, Jon Arne, 2021. "A Comparative Study of STPA-Extension and the UFoI-E Method for Safety and Security Co-analysis," Reliability Engineering and System Safety, Elsevier, vol. 211(C).
    4. Henriques de Gusmão, Ana Paula & Mendonça Silva, Maisa & Poleto, Thiago & Camara e Silva, Lúcio & Cabral Seixas Costa, Ana Paula, 2018. "Cybersecurity risk analysis model using fault tree analysis and fuzzy decision theory," International Journal of Information Management, Elsevier, vol. 43(C), pages 248-260.
    5. Antoine B. Rauzy & Cecilia Haskins, 2019. "Foundations for model‐based systems engineering and model‐based safety assessment," Systems Engineering, John Wiley & Sons, vol. 22(2), pages 146-155, March.
    6. Viet Loan Dao Thi & Xianfang Wu & Rachel L. Belote & Ursula Andreo & Constantin N. Takacs & Joseph P. Fernandez & Luis Andre Vale-Silva & Sarah Prallet & Charlotte C. Decker & Rebecca M. Fu & Bingqian, 2020. "Stem cell-derived polarized hepatocytes," Nature Communications, Nature, vol. 11(1), pages 1-13, December.
    7. Almut Herzog & Nahid Shahmehri & Claudiu Duma, 2007. "An Ontology of Information Security," International Journal of Information Security and Privacy (IJISP), IGI Global, vol. 1(4), pages 1-23, October.
    8. Martin, H. & Ma, Z. & Schmittner, Ch. & Winkler, B. & Krammer, M. & Schneider, D. & Amorim, T. & Macher, G. & Kreiner, Ch., 2020. "Combined automotive safety and security pattern engineering approach," Reliability Engineering and System Safety, Elsevier, vol. 198(C).
    9. Zio, E., 2018. "The future of risk assessment," Reliability Engineering and System Safety, Elsevier, vol. 177(C), pages 176-190.
    10. Zhao, Yunfei & Huang, Linan & Smidts, Carol & Zhu, Quanyan, 2020. "Finite-horizon semi-Markov game for time-sensitive attack response and probabilistic risk assessment in nuclear power plants," Reliability Engineering and System Safety, Elsevier, vol. 201(C).
    11. Piètre-Cambacédès, L. & Bouissou, M., 2013. "Cross-fertilization between safety and security engineering," Reliability Engineering and System Safety, Elsevier, vol. 110(C), pages 110-126.
    12. Modarres, Mohammad & Zhou, Taotao & Massoud, Mahmoud, 2017. "Advances in multi-unit nuclear power plant probabilistic risk assessment," Reliability Engineering and System Safety, Elsevier, vol. 157(C), pages 87-100.
    13. Zhou, Taotao & Modarres, Mohammad & Droguett, Enrique López, 2021. "Multi-unit nuclear power plant probabilistic risk assessment: A comprehensive survey," Reliability Engineering and System Safety, Elsevier, vol. 213(C).
    14. DeJesus Segarra, Jonathan & Bensi, Michelle & Modarres, Mohammad, 2021. "A Bayesian Network Approach for Modeling Dependent Seismic Failures in a Nuclear Power Plant Probabilistic Risk Assessment," Reliability Engineering and System Safety, Elsevier, vol. 213(C).
    15. Kim, Junyung & Shah, Asad Ullah Amin & Kang, Hyun Gook, 2020. "Dynamic risk assessment with bayesian network and clustering analysis," Reliability Engineering and System Safety, Elsevier, vol. 201(C).
    16. Aven, Terje, 2007. "A unified framework for risk and vulnerability analysis covering both safety and security," Reliability Engineering and System Safety, Elsevier, vol. 92(6), pages 745-754.
    17. Kriaa, Siwar & Pietre-Cambacedes, Ludovic & Bouissou, Marc & Halgand, Yoran, 2015. "A survey of approaches combining safety and security for industrial control systems," Reliability Engineering and System Safety, Elsevier, vol. 139(C), pages 156-178.
    18. Ruiz, Alejandra & Juez, Garazi & Espinoza, Huáscar & de la Vara, Jose Luis & Larrucea, Xabier, 2017. "Reuse of safety certification artefacts across standards and domains: A systematic approach," Reliability Engineering and System Safety, Elsevier, vol. 158(C), pages 153-171.
    Full references (including those not matched with items on IDEAS)

    Citations

    Citations are extracted by the CitEc Project, subscribe to its RSS feed for this item.
    as


    Cited by:

    1. Wang, Bin & Zio, Enrico & Chen, Xiuhan & Zhu, Hanhua & Guo, Yunhua & Fan, Shidong, 2024. "Reliability improvement of the dredging perception system: A sensor fault-tolerant strategy," Reliability Engineering and System Safety, Elsevier, vol. 247(C).
    2. Xia, Liqiao & Liang, Yongshi & Leng, Jiewu & Zheng, Pai, 2023. "Maintenance planning recommendation of complex industrial equipment based on knowledge graph and graph neural network," Reliability Engineering and System Safety, Elsevier, vol. 232(C).

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Georgios Kavallieratos & Sokratis Katsikas & Vasileios Gkioulos, 2020. "Cybersecurity and Safety Co-Engineering of Cyberphysical Systems—A Comprehensive Survey," Future Internet, MDPI, vol. 12(4), pages 1-17, April.
    2. DeJesus Segarra, Jonathan & Bensi, Michelle & Modarres, Mohammad, 2023. "Multi-unit seismic probabilistic risk assessment: A Bayesian network perspective," Reliability Engineering and System Safety, Elsevier, vol. 234(C).
    3. Yoon, Jae Young & Kim, Dong-San, 2022. "Estimating the adverse effects of inter-unit radioactive release on operator actions at a multi-unit site," Reliability Engineering and System Safety, Elsevier, vol. 228(C).
    4. Kim, Yongjin & Jang, Seunghyun & Jae, Moosung, 2022. "Evaluation of inter-unit dependency effect on site core damage frequency: Internal and seismic event," Reliability Engineering and System Safety, Elsevier, vol. 227(C).
    5. Kim, Hee Eun & Son, Han Seong & Kim, Jonghyun & Kang, Hyun Gook, 2017. "Systematic development of scenarios caused by cyber-attack-induced human errors in nuclear power plants," Reliability Engineering and System Safety, Elsevier, vol. 167(C), pages 290-301.
    6. Zio, E., 2018. "The future of risk assessment," Reliability Engineering and System Safety, Elsevier, vol. 177(C), pages 176-190.
    7. Chelouati, Mohammed & Boussif, Abderraouf & Beugin, Julie & El Koursi, El-Miloudi, 2023. "Graphical safety assurance case using Goal Structuring Notation (GSN) — challenges, opportunities and a framework for autonomous trains," Reliability Engineering and System Safety, Elsevier, vol. 230(C).
    8. Carreras Guzman, Nelson H. & Zhang, Jin & Xie, Jing & Glomsrud, Jon Arne, 2021. "A Comparative Study of STPA-Extension and the UFoI-E Method for Safety and Security Co-analysis," Reliability Engineering and System Safety, Elsevier, vol. 211(C).
    9. Kriaa, Siwar & Pietre-Cambacedes, Ludovic & Bouissou, Marc & Halgand, Yoran, 2015. "A survey of approaches combining safety and security for industrial control systems," Reliability Engineering and System Safety, Elsevier, vol. 139(C), pages 156-178.
    10. Casson Moreno, Valeria & Marroni, Giulia & Landucci, Gabriele, 2022. "Probabilistic assessment aimed at the evaluation of escalating scenarios in process facilities combining safety and security barriers," Reliability Engineering and System Safety, Elsevier, vol. 228(C).
    11. Øystein Amundrud & Terje Aven & Roger Flage, 2017. "How the definition of security risk can be made compatible with safety definitions," Journal of Risk and Reliability, , vol. 231(3), pages 286-294, June.
    12. Wei Wang & Francesco Di Maio & Enrico Zio, 2019. "Adversarial Risk Analysis to Allocate Optimal Defense Resources for Protecting Cyber–Physical Systems from Cyber Attacks," Risk Analysis, John Wiley & Sons, vol. 39(12), pages 2766-2785, December.
    13. Wanxin Feng & Ming Wang & Zhixin Xu & Yu Yu, 2023. "The Method of Calculating the Frequency of the Initiating Event in a Dual-Unit Site with the Example of LOOP Events," Energies, MDPI, vol. 16(2), pages 1-8, January.
    14. Wang, Wei & Cammi, Antonio & Di Maio, Francesco & Lorenzi, Stefano & Zio, Enrico, 2018. "A Monte Carlo-based exploration framework for identifying components vulnerable to cyber threats in nuclear power plants," Reliability Engineering and System Safety, Elsevier, vol. 175(C), pages 24-37.
    15. Jang, Seunghyun & Kim, Yongjin & Jae, Moosung, 2021. "A site risk assessment for internal events: A case study," Reliability Engineering and System Safety, Elsevier, vol. 215(C).
    16. Chatterjee, Samrat & Thekdi, Shital, 2020. "An iterative learning and inference approach to managing dynamic cyber vulnerabilities of complex systems," Reliability Engineering and System Safety, Elsevier, vol. 193(C).
    17. Al-Douri, Ahmad & Levine, Camille S. & Groth, Katrina M., 2023. "Identifying human failure events (HFEs) for external hazard probabilistic risk assessment," Reliability Engineering and System Safety, Elsevier, vol. 235(C).
    18. Argenti, Francesca & Landucci, Gabriele & Reniers, Genserik & Cozzani, Valerio, 2018. "Vulnerability assessment of chemical facilities to intentional attacks based on Bayesian Network," Reliability Engineering and System Safety, Elsevier, vol. 169(C), pages 515-530.
    19. SICARD, Franck & ZAMAI, Éric & FLAUS, Jean-Marie, 2019. "An approach based on behavioral models and critical states distance notion for improving cybersecurity of industrial control systems," Reliability Engineering and System Safety, Elsevier, vol. 188(C), pages 584-603.
    20. Zheng, Xiaoyu & Tamaki, Hitoshi & Sugiyama, Tomoyuki & Maruyama, Yu, 2022. "Dynamic probabilistic risk assessment of nuclear power plants using multi-fidelity simulations," Reliability Engineering and System Safety, Elsevier, vol. 223(C).

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:eee:reensy:v:220:y:2022:i:c:s0951832021007444. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a bibliographic reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: Catherine Liu (email available below). General contact details of provider: https://www.journals.elsevier.com/reliability-engineering-and-system-safety .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.