Autonomous mitigation of cyber risks in the Cyber-Physical Systems

Cited by: 47
Authors
Kholidy, Hisham A. [1 ]
Affiliation
[1] State Univ New York SUNY Polytech Inst, Coll Engn, Dept Networks & Comp Secur NCS, Utica, NY 13502 USA
Source
FUTURE GENERATION COMPUTER SYSTEMS-THE INTERNATIONAL JOURNAL OF ESCIENCE | 2021 / Vol. 115
Keywords
Cyberattacks; CPS security; Risk mitigation; Self-protection; Autonomous intrusion response;
DOI
10.1016/j.future.2020.09.002
Chinese Library Classification (CLC)
TP301 [Theory and methods];
Discipline code
081202 ;
Abstract
Attacks on Cyber-Physical Systems (CPS), and the vulnerabilities that enable them, are increasing, and the consequences of such attacks can be catastrophic. A CPS needs to be self-resilient to cyber-attacks through a precise, autonomous and timely risk mitigation model that can analyze and assess the risk to the CPS and apply a proper response strategy against ongoing attacks. There is a limited amount of work on self-protection against cyber risks in CPS. This paper contributes toward the need for advanced security approaches that respond to attacks across the CPS autonomously, with or without a system administrator in the loop for troubleshooting, depending on the criticality of the CPS asset to be protected, once an alert about a possible intrusion has been raised. To this end, the paper augments our existing security framework with an Autonomous Response Controller (ARC). ARC uses our quantitative Hierarchical Risk Correlation Tree (HRCT), which models the paths an attacker can traverse to reach certain goals and measures the financial risk that CPS assets face from cyber-attacks. ARC also uses a Competitive Markov Decision Process (CMDP) to model the reciprocal security interaction between the protection system and the attacker/adversary as a multi-step, sequential, two-player stochastic game in which each player tries to maximize his or her benefit. The experimental results show that the accuracy of ARC outperforms the traditional Static Intrusion Response System (S-IRS) by 43.61%. To test and validate ARC experimentally on real-time, large-scale data, we ran the Aurora attack to open the generator breaker in our testbed, creating a cascading failure and voltage collapse. ARC was able to recover the CPS and provide a timely response in less than 6 s. We compared the output of ARC against the current state of the art, the Suricata intrusion response system: ARC was able to mitigate the single-line-to-ground (SLG) attacks and recover the CPS to its normal state 122 s before Suricata did. (c) 2020 Elsevier B.V. All rights reserved.
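The CMDP described in the abstract, as an added worked example that is not the paper's ARC code: a two-player zero-sum stochastic game on a constructed three-step attack path toward the generator breaker, solved by Shapley value iteration with an exact 2x2 matrix-game solver. Every state, action, transition probability, the isolation cost and the breaker loss are assumptions made for this example; `breaker_loss` simply stands in for the per-asset financial risk figure that an HRCT-style analysis would supply. Solving the same game for a high-value and a low-value asset shows the criticality-dependent response the abstract refers to: isolating a segment is worth its production cost only when the terminal loss is large, otherwise the equilibrium response is to keep monitoring.

```python
"""Autonomous intrusion response as a two-player zero-sum stochastic game.

Added illustration of the CMDP idea, not the ARC/HRCT/CMDP implementation
from the paper. The attack path (foothold -> control -> breaker_open), the
two defender and two attacker actions, every probability, the isolation cost
and the dollar losses are constructed for this example.
"""
from typing import Dict, List, Tuple

GAMMA = 0.95              # discount per decision step (assumed)
ISOLATE_COST = 20_000.0   # production lost by isolating a segment (assumed)

DEFENDER = ("monitor", "isolate")
ATTACKER = ("advance", "wait")
NEXT = {"foothold": "control", "control": "breaker_open"}   # attack path
DECISION_STATES = ("control", "foothold")                   # non-terminal


def transitions(state: str, d: str, a: str) -> Dict[str, float]:
    """P(next | state, defender action, attacker action); constructed numbers."""
    nxt = NEXT[state]
    if d == "monitor":
        return {nxt: 0.8, state: 0.2} if a == "advance" else {state: 1.0}
    if a == "advance":                      # isolation blocks most attempts
        return {nxt: 0.1, "clean": 0.9}
    return {state: 0.5, "clean": 0.5}       # a dormant implant may survive it


def solve_2x2(m: List[List[float]]) -> Tuple[float, float, float]:
    """Exact solution of a 2x2 zero-sum game; rows = defender (minimises
    expected loss), columns = attacker (maximises it).
    Returns (game value, P[defender plays row 0], P[attacker plays col 0])."""
    (a, b), (c, d) = m
    row_max = (max(a, b), max(c, d))
    col_min = (min(a, c), min(b, d))
    minmax, maxmin = min(row_max), max(col_min)
    if minmax <= maxmin + 1e-9:             # saddle point: pure strategies
        p_row0 = 1.0 if row_max[0] <= row_max[1] else 0.0
        q_col0 = 1.0 if col_min[0] >= col_min[1] else 0.0
        return minmax, p_row0, q_col0
    den = a + d - b - c                     # non-zero when no saddle exists
    return (a * d - b * c) / den, (d - c) / den, (d - b) / den


def solve_game(breaker_loss: float, tol: float = 1e-6):
    """Shapley value iteration: V(s) is the value of the stage game whose
    entries are immediate cost + GAMMA * expected V(next). breaker_loss
    stands in for the asset's financial risk figure (an HRCT-style output)."""
    V = {"clean": 0.0, "breaker_open": breaker_loss,
         "foothold": 0.0, "control": 0.0}
    policy: Dict[str, Dict[str, float]] = {}
    while True:
        delta = 0.0
        for s in DECISION_STATES:
            m = []
            for d in DEFENDER:
                cost = ISOLATE_COST if d == "isolate" else 0.0
                m.append([cost + GAMMA * sum(p * V[s2] for s2, p in
                                             transitions(s, d, a).items())
                          for a in ATTACKER])
            v, p_mon, q_adv = solve_2x2(m)
            delta = max(delta, abs(v - V[s]))
            V[s] = v
            policy[s] = {"monitor": p_mon, "isolate": 1.0 - p_mon,
                         "attacker_advance": q_adv}
        if delta < tol:
            return V, policy


def recommend(breaker_loss: float) -> Dict[str, str]:
    """Defender action with the highest equilibrium probability per state."""
    _, policy = solve_game(breaker_loss)
    return {s: max(DEFENDER, key=lambda d: policy[s][d]) for s in DECISION_STATES}


if __name__ == "__main__":
    for loss in (400_000.0, 15_000.0):
        V, policy = solve_game(loss)
        print(f"breaker loss ${loss:,.0f}: V(control)=${V['control']:,.0f}, "
              f"response at control -> {recommend(loss)['control']}")
```

With the constructed numbers the high-value case ($400,000 loss) yields a pure equilibrium at `control` (isolate, expected loss $58,000) and a mixed one at `foothold`, while the low-value case ($15,000) makes isolation a net loss and the defender keeps monitoring. The closed-form solver is exact only for 2x2 stage games; with more response or attack actions per state the stage game needs a linear-programming solver, but the value iteration loop is unchanged.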
Pages: 171-187
Page count: 17