Abstract
Because cyber-physical systems (CPS) combine physical processes with the cyber domain, a well-designed risk management process is required to safeguard the communication medium and to address their growing security issues. The risk assessment approaches available in conventional cybersecurity cannot be applied directly to CPS, since the two domains differ in many respects. This chapter explores, reviews, and analyzes existing risk assessment approaches and presents the frameworks recommended for CPS risk management. It then proposes a reference-style framework for enhancing cybersecurity so as to achieve complete resilience of the CPS architecture.
Copyright information
© 2018 Springer International Publishing AG
Cite this chapter
Ali, S., Al Balushi, T., Nadir, Z., Hussain, O.K. (2018). Risk Management for CPS Security. In: Cyber Security for Cyber Physical Systems. Studies in Computational Intelligence, vol 768. Springer, Cham. https://doi.org/10.1007/978-3-319-75880-0_2
DOI: https://doi.org/10.1007/978-3-319-75880-0_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-75879-4
Online ISBN: 978-3-319-75880-0