Extended Dependency Modeling Technique for Cyber Risk Identification in ICS

Complex systems such as Industrial Control Systems (ICS) are designed as a collection of functionally dependent and highly connected units with multiple stakeholders. Identifying the risk of such complex systems requires an overall view of the entire system. Dependency modelling (DM) is a highly participative methodology that identifies the goals and objectives of a system and the required dependants to satisfy these goals. Researchers have proved DM to be suitable for identifying and quantifying impact and uncertainty in complex environments. However, there exist limitations in the current expressions of DM that hinder its complete adaptation for risk identification in a complex environment such as ICS. This research investigates how the capability of DM could be extended to address the identified limitations and proposes additional variables to address phenomena that are unique to ICS environments. The proposed extension is built into a system-driven ICS dependency modeller, and we present an illustrative example using a scenario of a generic ICS environment. We reflect that the proposed technique supports an improvement in the initial user data input in the identification of areas of risk at the enterprise, business process, and technology levels.

Automated summary

Identifying risks in complex systems like Industrial Control Systems (ICS) requires a holistic understanding of the entire system. Dependency modelling (DM) is a participative methodology that helps identify system goals and dependencies. However, there are limitations in the current expressions of DM that hinder its adaptation for risk identification in ICS environments. This research explores how DM can be extended to address these limitations and proposes additional variables specific to ICS environments. The proposed extension improves risk identification at the enterprise, business process, and technology levels.