Abstract

Identifying, analyzing, and evaluating cybersecurity risks are essential to devise effective decision-making strategies to secure critical manufacturing against potential cyberattacks. However, a manufacturing-specific quantitative approach is lacking to effectively model threat events and evaluate the unique cybersecurity risks in discrete manufacturing systems. In response, this paper introduces the first taxonomy-driven graph-theoretic model and framework to formally represent this unique cybersecurity threat landscape and identify vulnerable manufacturing assets requiring prioritized control. First, the proposed framework characterizes threat actors’ techniques, tactics, and procedures using taxonomical classifications of manufacturing-specific threat attributes and integrates these attributes into cybersecurity risk modeling. This facilitates the systematic generation of comprehensive and generalizable cyber-physical attack graphs for discrete manufacturing systems. Second, using the attack graph formalism, the proposed framework enables concurrent modeling and analysis of a wide variety of cybersecurity threats comprising varying attack vectors, locations, vulnerabilities, and consequences. The risk model captures the cascading attack impact of varying attack methods through different cyber and physical entities in manufacturing systems, leading to specific consequences. Then, the constructed cyber-physical attack graphs are analyzed to comprehend threat propagation through the discrete manufacturing value chain and identify potential attack paths. Third, a quantitative risk assessment approach is presented to evaluate the cybersecurity risk associated with potential attack paths. It also identifies the attack path with the maximum likelihood of success, pointing out critical manufacturing assets requiring prioritized control. Finally, the proposed risk modeling and assessment framework is demonstrated using an illustrative example.
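To make the last analysis step concrete, here is an added example (not code from the paper) that finds the attack path with the maximum likelihood of success in a small attack graph and shows how hardening one asset changes it. The asset names and per-step success probabilities are constructed. Treating the steps as independent and running Dijkstra's algorithm on negative log-probabilities are assumptions of this sketch, not the paper's stated method.

```python
import heapq
import math

# Constructed attack graph: each edge carries an assumed probability that the
# attack step from one entity to the next succeeds.
ATTACK_GRAPH = {
    "external_attacker": {"engineering_workstation": 0.6, "vendor_remote_access": 0.3},
    "engineering_workstation": {"cam_software": 0.7, "file_server": 0.5},
    "vendor_remote_access": {"machine_controller": 0.8},
    "cam_software": {"gcode_file": 0.9},
    "file_server": {"gcode_file": 0.6},
    "gcode_file": {"machine_controller": 0.7},
    "machine_controller": {"defective_part": 0.9},
    "defective_part": {},
}

def most_likely_attack_path(graph, source, target):
    """Return (success probability, path) for the most likely attack path.

    Maximising a product of probabilities is the same as minimising the sum
    of -log(p); those weights are non-negative, so Dijkstra applies.
    """
    best, prev, queue = {source: 0.0}, {}, [(0.0, source)]
    while queue:
        cost, node = heapq.heappop(queue)
        if node == target:
            break
        if cost > best.get(node, math.inf):
            continue  # stale queue entry
        for nxt, p in graph.get(node, {}).items():
            if not 0.0 < p <= 1.0:
                continue  # a step that cannot succeed is not an edge
            new_cost = cost - math.log(p)
            if new_cost < best.get(nxt, math.inf):
                best[nxt], prev[nxt] = new_cost, node
                heapq.heappush(queue, (new_cost, nxt))
    if target not in best:
        return 0.0, []  # consequence unreachable from this entry point
    path = [target]
    while path[-1] != source:
        path.append(prev[path[-1]])
    return math.exp(-best[target]), path[::-1]

def harden(graph, asset):
    """Model a control that removes an asset from every attack path."""
    return {n: {m: p for m, p in edges.items() if m != asset}
            for n, edges in graph.items() if n != asset}
```

In this constructed graph the five-step path through the CAM software is slightly more likely to succeed than the three-step vendor-access path, so the shortest path is not automatically the priority; hardening `cam_software` shifts the most likely path to the vendor route.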
