A Dynamic Decision-Making Approach for Intrusion Response in Industrial Control Systems

Industrial control systems (ICSs) are facing more and more cybersecurity issues, leading to increasingly severe risks in critical infrastructure. To mitigate risks, developing an appropriate security strategy is of paramount importance. However, existing efforts on decision making in ICSs inherit some limitations, such as the lack of consideration of the strategy for securing both cyber and physical domains and a tradeoff between security and system requirements. To overcome these limitations, a decision-making approach is presented in this paper for intrusion response in ICSs. Aiming to determine the optimal security strategy against attacks promptly, it tries to secure the most “dangerous” attack paths and respond to functional failures. In this approach, measures that cover both cyber and physical domains are designed with in-depth analysis of attack propagation. They ensure the completeness of candidate security strategy space. A number of Pareto optimal solutions are determined from the strategy space through multiobjective optimization. The objective is to maximize the objective vector composed of security benefit, system benefit, and state benefit. Then, these solutions are prioritized by using a distance-based evaluation method, which pursues the optimal protection ability by making the objective vector of the selected strategy closest to the ideal one. The effectiveness of the proposed approach is demonstrated with a case study on a simulated process control system.