Affiliations: [a]
Evaluation Center of Civil Aviation University of China, China
| [b] School of Computer Science and Technology, Civil Aviation University of China, China
| [c] Aeronautical Engineering Institute, Civil Aviation University of China, China
| [d] Department of Computer Science and Technology, Civil Aviation University of China, China
Correspondence:
[*]
Corresponding author. He Sui, Aeronautical Engineering Institute, Civil Aviation University of China, China. E-mail: hsui@cauc.edu.cn.
Abstract: Cybersecurity risk assessment is an important means of effective response to network attacks on industrial control systems. However, cybersecurity risk assessment process is susceptible to subjective and objective effects. To solve this problem, this paper introduced cybersecurity risk assessment method based on fuzzy theory of Attack-Defense Tree model and probability cybersecurity risk assessment technology, and applied it to airport automatic fuel supply control system. Firstly, an Attack-Defense Tree model was established based on the potential cybersecurity threat of the system and deployed security equipment. Secondly, the interval probability of the attack path was calculated using the triangular fuzzy quantification of the interval probabilities of the attack leaf nodes and defensive leaf nodes. Next, the interval probability of the final path was defuzzified. Finally, the occurrence probability of each final attack path was obtained and a reference for the deployment of security equipment was provided. The main contributions of this paper are as follows: (1) considering the distribution of equipment in industrial control system, a new cybersecurity risk evaluation model of industrial control system is proposed. (2) The experimental results of this article are compared with other assessment technologies, and the trend is similar to that of other evaluation methods, which proves that the method was introduced in this paper is scientific. However, this method reduces the subjective impact of experts on cybersecurity risk assessment, and the assessment results are more objective and reasonable. (3) Applying this model to the airport oil supply automatic control system can comprehensively evaluate risk, solve the practical problems faced by the airport, and also provide an important basis for the cybersecurity protection scheme of the energy industry.
Keywords: Cybersecurity risk assessment, fuzzy set theory, attack-defense tree
