**3. Risk assessment of IACS cybersecurity**

Let us consider the task of assessing IACS risk using the example of an automated system for collecting, storing, and processing the telemetric information (TMI) of an aviation equipment manufacturer. Current information on the state parameters of on-board aviation systems is continuously collected by the ground technical maintenance services during the entire period of operation of these systems. Detailed analysis of this information makes it possible to take the right management decisions on the further operation and modification of on-board aviation systems. Therefore, the task of ensuring the integrity of this telemetric information under the possible impact of external and internal threats takes on particular significance.

The generalized structure of the studied territorially distributed automated information system (AIS), providing the collection, storage, and processing of TMI, is presented in **Figure 1**.

The following subsystems (zones) are identified as parts of the AIS; each one groups elements that share the functions performed and the security requirements for their implementation:

1. The subsystem for collecting and storing the primary data at the service stations (Zone 1), which includes:

Element 1—the client part of the SCADA system Web-base;

Element 2—the server part of the SCADA system Web-base;

Element 3—OPC UA client;

Element 4—the temporary storage for accommodating the operative telemetry data accumulated at the object;

Element 5—the server part of the accumulated data transmission to the storage of the aviation equipment manufacturer;

2. The core of the corporate information network (CIN) of the enterprise-manufacturer (Zone 2), where:

Element 6—the client part for providing access to the server of the service station transferring the accumulated operational data of TMI to the enterprise-manufacturer's storage;


*Cybersecurity Risk Analysis of Industrial Automation Systems on the Basis of Cognitive…*

*DOI: http://dx.doi.org/10.5772/intechopen.89215*


Element 8—the workstations of administrator and service personnel of the CIN core of the enterprise-manufacturer;

3. TMI storage subsystem with fault tolerance functions (Zone 3), where:

Element 7—the node of access to TMI data storage at the enterprise-manufacturer;

4. TMI data processing subsystem with the use of a hierarchy of mathematical models of aviation equipment (Zone 4);

5. Subsystem of support and implementation of business processes of the enterprise-manufacturer (Zone 5).

The corresponding subsystems (security zones) are interconnected (see **Figure 1**) with the aid of telecommunication channels (conduits).

*Digital Forensic Science*

### **Figure 1.**

*The generalized structure of territorially distributed automated information system for the collection, storage, and processing of TMI. The corresponding subsystems (security zones) are interconnected with the aid of telecommunication channels (conduits).*

Using FGCM as a tool for cognitive modeling, let us turn to the task of analyzing the risks associated with ensuring the TMI integrity in AIS considered above, taking into account the impact of possible external and internal threats to the system. The original (integrated) FGCM for assessing the risks of AIS, serving in this case as the AIS cognitive model of initial approximation (zero decomposition level), is presented in **Figure 2**.

The following notation is used in **Figure 2**: the superscript ("\*") denotes that the concept $C_p^*$ belongs to the integrated FGCM, and the subscript ($p$) denotes the number of the concept (**Table 1**).

The presence of the grey connection weights $\otimes\tilde{W}_{ij}$ indicates an uncertainty in the assessment of the mutual influence of main risk factors. The state variables of concepts $\otimes X^*_{T_1}$, $\otimes X^*_{T_2}$, $\otimes X_i$ $(i = 1, 2, \ldots, 5)$, $\otimes X^*_R$ represent the probabilities of occurrence of the enumerated events corresponding to the concepts $C^*_{T_1}$, $C^*_{T_2}$, $C^*_1$, …, $C^*_5$, $C^*_R$. Let us note that in this case we mean so-called subjective probabilities, reflecting the expert's point of view on the possibility of an event occurrence [13]. Taking into account that each of these events is a complex event consisting of a chain of consecutive elementary events, it is reasonable to decompose the FGCM of AIS shown in **Figure 2** into a set of FGCMs for separate concepts (AIS security zones containing the target objects of attacks on TMI).

### **Figure 2.**

*Integrated FGCM for AIS risk assessment. $\otimes\tilde{W}_{ij}$—the grey connection weights indicate an uncertainty in the assessment of the mutual influence of main risk factors and $C^*$—concepts.*

### **Table 1.**

*List of the concepts of the integrated FGCM.*

| Concept | Concept name |
|---|---|
| $C^*_{T_1}$ | Internal threat to TMI integrity (e.g., due to failures or erroneous actions of staff) |
| $C^*_{T_2}$ | External threat to TMI integrity (e.g., due to attempts of unauthorized access from outside to information) |
| $C^*_1$ | Modification of TMI data in Zone 1 |
| $C^*_2$ | Modification of TMI data in Zone 2 |
| $C^*_3$ | Modification of TMI data in Zone 3 |
| $C^*_5$ | Modification of TMI data in Zone 5 |
| $C^*_R$ | Potential damage caused by violation of TMI integrity in AIS |

The first decomposition level of the original (integrated) FGCM is presented in **Figure 3**.

The following designations of the concepts are used in **Figure 3**: the superscript ($q$) of $C^q_p$ indicates that the concept belongs to the concept $C_q$ of the integrated FGCM, and the subscript ($p$) is the number of the concept in the FGCM of the first level of decomposition (**Table 2**).

**Figure 4** shows the further decomposition level (the second level) for the concept $C^*_1$, which makes the impact of the threats on the considered target concept clearer.

In the scheme, the following designations of the concepts of the second-level FGCM decomposition are used: the superscript ($q$) of the concept $C^{q,p}_r$ is the number of the concept of the original FGCM (the parent concept of the zero decomposition level) whose decomposition includes this element, the superscript index $p$ is the number of the parent concept of the first level of decomposition, and the subscript ($r$) is the number of the concept of the current level (**Table 3**).

The further decomposition of the third level leads to the detailed FGCM, which takes into account the influence of individual vulnerabilities on the potential violation of TMI integrity in the intermediate information processing elements.

### **Figure 3.**

*The first level of FGCM decomposition to assess the AIS risks.*

As for the concept $C^{1,1}_1$, which characterizes the possibility of running the client part of the Web-based SCADA system in the browser (Zone 1), the corresponding decomposition can be represented as the FGCM in **Figure 5**.

Here, the numbers 1–5 denote the following concepts:

1. the exploitation of the vulnerability of OS authorization system;

2. the exploitation of the vulnerability of SCADA Web client;

3. the exploitation of the vulnerability of OS browser for launching the client part of SCADA;

4. the exploitation of the vulnerability of access to OS memory;

5. the exploitation of the vulnerability of OPC UA client authorization system.

Similarly, it is possible to decompose the other concepts of original FGCM for the second decomposition level of Zone 1 presented in **Figure 4** (**Figures 6**–**9**, **Tables 4–6**). The corresponding FGCM, revealing the content of the concept $C^{1,1}_2$ (Zone 2), is shown in **Figure 6**.


### **Table 2.**

*List of the first level decomposition concepts of the FGCM.*

| Concept | Concept name | Parent concept |
|---|---|---|
| $T_1^1$ $T_1^8$ | Internal threats to the integrity of TMI (concept $T_1^*$ decomposition on the block diagram of AIS, **Figure 1**, i.e., the points of potential realization of the threat to TMI integrity by the internal subject of the system) | $T_1^*$ |
| $T_2^1$, $T_2^2$ | External threats to TMI integrity (concept $T_2^*$ decomposition) | $T_2^*$ |
| $C_1^1$ | Access to TMI in the client-server SCADA Web-base before adding to the database of TMI operational storage | $C_1^*$ (Zone 1) |
| $C_2^1$ | Access to the database of operative TMI data storage | |
| $C_3^1$ | Access to the network equipment | |
| $C_4^1$ | Access to the module of Web server sending TMI data in the long-term storage of the enterprise-manufacturer | |
| $C_5^2$ | Access to the network infrastructure | $C_2^*$ (Zone 2) |
| $C_6^2$ | Access to the Web client module that implements receiving TMI at the enterprise-manufacturer from remote service stations | |
| $C_8^2$ | Unauthorized access to workstation (node 8 in **Figure 1**) of the core of CIN of the enterprise-manufacturer | |
| $C_{10}^2$ | Access to the server of equipment status reports generated for users of Zone 4 | |
| $C_7^3$ | Access to TMI in the long-term storage | $C_3^*$ (Zone 3) |
| $C_9^5$ | Access to computing cluster management server of Zone 5 | $C_5^*$ (Zone 5) |
| *IST*<sup>5</sup> | TMI integrity control model | |

### **Figure 4.**

*The second level of FGCM decomposition for assessing AIS risk in Zone 1.*

Consider the numerical example of risk assessment for the concept $C^{1,1}_1$ (**Figure 5**).

Let us assume that while choosing the grey values of FGCM weights, it is necessary to focus on a certain fuzzy scale, which determines the strength of the connections between different concepts (see, e.g., **Table 7**).

Let us further assume that the expert estimated the values of FGCM connections weights in **Figure 5** as follows (**Table 8**).

### **Table 3.**

*List of second-level decomposition concepts for Zone 1.*

| Concept | Concept name | Parent concept |
|---|---|---|
| $C_1^{1,1}$ | Access to HMI client SCADA | $C_1^1$ |
| $C_2^{1,1}$ | Access to operative TMI data on the client-server part of the SCADA before entering in the operative storage | |
| $C_3^{1,2}$ | Access to the client to interact with the OPC UA server | $C_2^1$ |
| $C_4^{1,2}$ | Access to the database of operative TMI storage data | |

### **Figure 5.**

*The third level of FGCM decomposition—the concept $C^{1,1}_1$.*

### **Figure 6.**

*Decomposition of the concept $C^{1,1}_2$ of FGCM for AIS risk assessment (Zone 1).*

### **Figure 7.**

*Decomposition of the concepts $C^{1,3}_6$ and $C^{1,4}_5$ of the second level of FGCM decomposition.*

Let us take a bipolar sigmoid (5) here as an activation function $f(\cdot)$ for the concepts 1–5. Checking condition (7) for the data presented in **Table 2** shows that

$$\left(\sum_{i,j=1}^{5} \overline{W}_{ij}^{2}\right)^{\frac{1}{2}} = \sqrt{2.76} = 1.66 < 2, \tag{8}$$

i.e., the steady-states of FGCM will be stable.

### **Figure 8.**

*Decomposition of the concepts $C^{1,2}_3$ and $C^{1,2}_4$ of FGCM for AIS risk assessment.*

### **Figure 9.**

*FGCM concepts states for risk assessment of Zone 1 (the change in the state of concepts over time and the final states of the target concepts of the FGCM, software window form).*

### **Table 4.**

*List of the concepts of the third decomposition level for AIS risks assessment of Zone 1.*

| Concept | Concept name | Parent concept |
|---|---|---|
| 6 | Exploitation of the vulnerability of authorization system of the primary OS user | $C_2^{1,1}$ |
| 7 | Exploitation of the vulnerability of access to operating system memory | |
| 8 | Exploitation of the vulnerability of Java virtual machine | |
| 9 | Exploitation of the vulnerability of system software of application server for running the SCADA server Web application | |
| 10 | The target concept of access to operative TMI data, which can be modified before adding to the database on the nodes of SCADA client-server type | |

Using the "Cognitive Map Constructor" tool, which is described in more detail in the next section of this chapter, we will estimate the change in the upper and lower boundaries of the state variable $X_5$ over time $k = 1, 2, 3, \ldots$ (**Tables 9** and **10**). The state of the input concept $C_{T_1}$ is defined here as $\otimes X_{T_1}(k) = [0.8; 1]$ for all $k = 0, 1, 2, \ldots$; the initial conditions for other state variables $\otimes X_1(0) \div \otimes X_5(0)$ are assumed to be zero, i.e., equal to $[0; 0]$.

### **Table 5.**

*List of the concepts of the third decomposition level of Zone 1.*

| Concept | Concept name | Parent concept |
|---|---|---|
| 11 | Exploitation of the vulnerability of authorization system of the client part of OPC Client UA software | $C_3^{1,2}$ |
| 12 | Exploitation of the vulnerability of authorization system of the main OS user | |
| 13 | Exploitation of the vulnerability of OS memory access | |
| 14 | Exploitation of the vulnerability of authorization system of the main OS user | $C_4^{1,2}$ |
| 15 | Exploitation of the vulnerability of OS memory access | |
| 16 | Exploitation of the vulnerability of authorization system of the main DBMS user | |
| 17 | Exploitation of the vulnerability of DBMS memory access | |
| 18 | The target concept of unauthorized modification of TMI operative data stored in the database | |

### **Table 6.**

*List of the concepts of the third level of FGCM decomposition of Zone 1.*

| Concept | Concept name | Parent concept |
|---|---|---|
| 19 | Exploitation of the vulnerability of authorization system of the main OS user | $C_5^{1,4}$ |
| 20 | Exploitation of the vulnerability of system software implementing work of Apache Web application server, MySQL DBMS, PHP runtime frameworks to support interactive Web pages | |
| 21 | Exploitation of the vulnerability of OS memory access | |
| 22 | Exploitation of the vulnerability of Java Virtual Machine Memory Access | |
| 23 | Exploitation of the vulnerability of Application Server Software | |
| 24 | The target concept of unauthorized launching of the module for access to the database of operative storage of TMI at service stations | |
| 25 | Exploitation of the vulnerability of authorization system of the main OS user | $C_6^{1,3}$ |
| 26 | Exploitation of the vulnerability of access to operating system memory | |

### **Table 7.**

*Evaluation of the strength of communication between concepts.*

| Linguistic meaning of connection strength | Numeric range |
|---|---|
| Does not affect | 0 |
| Very weak | (0; 0.15] |
| Weak | (0.15; 0.35] |
| Average | (0.35; 0.6] |
| Strong | (0.6; 0.85] |
| Very strong | (0.85; 1] |
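The calculation set up above can be reproduced in a few lines. The following Python sketch is an added example, not code from the chapter or from the "Cognitive Map Constructor" tool: it checks a condition of the form (8) on the upper weight bounds and iterates grey (interval) concept states under a bipolar sigmoid until they settle. The map topology and weights are constructed from the Table 7 ranges (they are not the chapter's Table 8 values), and the update rule $X_i(k+1) = f\left(\sum_j W_{ji} X_j(k)\right)$ and the sigmoid form $f(x) = (1 - e^{-x})/(1 + e^{-x})$ are assumptions.

```python
import math

# Constructed grey weights (lower, upper) for a six-concept map: the input
# threat "T1" and concepts 1..5. The values are picked from the Table 7
# ranges for illustration only; they are NOT the chapter's Table 8.
WEIGHTS = {
    ("T1", 1): (0.60, 0.85),  # strong
    ("T1", 2): (0.35, 0.60),  # average
    (1, 4): (0.35, 0.60),     # average
    (2, 3): (0.35, 0.60),     # average
    (3, 4): (0.15, 0.35),     # weak
    (1, 5): (0.15, 0.35),     # weak
    (4, 5): (0.60, 0.85),     # strong
}
CONCEPTS = ["T1", 1, 2, 3, 4, 5]
INPUTS = {"T1": (0.8, 1.0)}   # clamped input state [0.8; 1], as in the text


def bipolar_sigmoid(x):
    """Assumed form of activation (5): maps the reals to (-1, 1), increasing."""
    return (1.0 - math.exp(-x)) / (1.0 + math.exp(-x))


def grey_mul(a, b):
    """Interval product: min and max over the four endpoint products."""
    products = (a[0] * b[0], a[0] * b[1], a[1] * b[0], a[1] * b[1])
    return (min(products), max(products))


def grey_add(a, b):
    """Interval sum: endpoints add component-wise."""
    return (a[0] + b[0], a[1] + b[1])


def upper_weight_norm(weights):
    """Left-hand side of a condition like (8): sqrt of the sum of squared upper bounds."""
    return math.sqrt(sum(hi * hi for _, hi in weights.values()))


def is_stable(weights, bound=2.0):
    """Stability check in the form used by (8): the norm must stay below the bound."""
    return upper_weight_norm(weights) < bound


def step(state, weights, inputs):
    """One synchronous update of every concept (assumed rule, no self-memory term)."""
    nxt = {}
    for concept in state:
        if concept in inputs:            # input concepts stay clamped
            nxt[concept] = inputs[concept]
            continue
        total = (0.0, 0.0)
        for (src, dst), w in weights.items():
            if dst == concept:
                total = grey_add(total, grey_mul(w, state[src]))
        # f is increasing, so applying it to both endpoints keeps a valid interval
        nxt[concept] = (bipolar_sigmoid(total[0]), bipolar_sigmoid(total[1]))
    return nxt


def run(weights=WEIGHTS, inputs=INPUTS, concepts=CONCEPTS, tol=1e-9, max_steps=200):
    """Iterate from zero initial states until no bound moves by more than tol."""
    state = {c: inputs.get(c, (0.0, 0.0)) for c in concepts}
    for k in range(1, max_steps + 1):
        nxt = step(state, weights, inputs)
        delta = max(abs(nxt[c][i] - state[c][i]) for c in concepts for i in (0, 1))
        state = nxt
        if delta < tol:
            return state, k
    raise RuntimeError("no steady state reached within max_steps")


if __name__ == "__main__":
    print("norm of upper weights:", round(upper_weight_norm(WEIGHTS), 3))
    print("stable:", is_stable(WEIGHTS))
    final_state, steps = run()
    for concept in CONCEPTS:
        lo, hi = final_state[concept]
        print(concept, "[%.2f; %.2f]" % (lo, hi))
    print("steps:", steps)
```
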

As a result, the steady-state value of the grey state vector $\otimes X$ for FGCM presented in **Figure 6**, i.e., for the concept $C^{1,1}_1$ decomposition, is found as

$$\otimes X = \{[0.8; 1],\ [0.43; 0.58],\ [0.28; 0.55],\ [0.20; 0.40],\ [0.06; 0.16],\ [0.24; 0.53]\},$$

and the final value for the target concept state is determined by the grey number $\otimes X_5 \in [0.24; 0.53]$.

Consider the state of the target concept $C_R$ (**Figure 2**)—the damage caused by the potential violation of TMI integrity in the AIS—after clarifying all weights by the level of decomposition of the original FGCM. Let us assume that the active threat is the internal threat of violation of the integrity of TMI, the value of which is determined by a grey number $\otimes X^*_{T_1} \in [0.6; 0.95]$.

### **Table 8.**

*The values of communications FGCM weights.*

### **Table 9.**

*Upper boundaries of concept state estimates.*

### **Table 10.**

*Lower boundaries of concept state estimates.*

The risk estimate for violation of the integrity of TMI information is defined as $\otimes X^*_{R^A} \in [0.19; 0.28]$.

To reduce the potential damage from the violation of TMI integrity, a monitoring system, deployed as a protected container in Zone 5, is used. In **Figure 3**, this information protection tool is designated as a TMI integrity monitoring model concept *IST*<sup>5</sup>. The protected container ensures the continuous operation of the TMI integrity monitoring system, which implements online and offline analysis of operational data and data collected in the repository (Zone 3).

The concept of TMI integrity monitoring system as a whole has some peculiarities:

• Simulated parameters of the aviation engine operation and TMI can be presented in the form of multidimensional technological time series;

• Monitoring the TMI integrity is based on the analysis of the consistency of the behavior of parameters obtained by using the model of complex technical object, and taken from the on-board aircraft systems;

• The output of the monitoring system is an estimate of the conditional probability of data integrity violation events.

The risk estimate for violation of TMI information integrity after applying the tool based on the integrity monitoring model is $\otimes X^*_{R^A} \in [0.07; 0.15]$.

Due to the significant amount of computation when working with FGCM containing a large number of concepts, it was necessary to develop a software tool to automate cognitive modeling with use of FGCM. The change in the state of concepts over time and the final states of the target concepts of the FGCM, calculated in the developed software tool, are presented in **Figure 9**.

**4. Automation of risk analysis and management on the base of cognitive modeling technology**

To improve the efficiency of risk analysis and management with the use of FGCM, the special software tool "Cognitive Map Constructor" was developed. This software allows us to build and edit FGCM, use them to carry out the security risk analysis, and justify the choice of the necessary countermeasures from the given user-specified set. As a result, a diagram of risk assessment is built under various scenarios of countermeasures' implementation and threats' realization.

Besides supporting FGCM with connection weights set in the form of upper and lower boundaries, the software allows the use of linguistic terms of fuzzy logic, as well as setting the weights in the form of "white" crisp numbers. The software has an interface implemented in HTML using CSS, which allows displaying the FGCM and all the necessary accompanying information on the concepts and connections, and it is able to work on any graphical operating system that has a current Web browser.

There are five kinds of concepts which are used in FGCM: threats, information assets, intermediate concepts, targets, and countermeasures, which can be marked by different colors for convenience and clarity.
