U.S. Department of Energy
Office of Scientific and Technical Information

Identifying Adversarial Cyber-Activity in Operational Technology Environments Using Bayesian Networks

Journal Article · IEEE Transactions on Information Forensics and Security

Abstract—Critical infrastructure and other operational technology (OT) environments face increasing cybersecurity risks from adversarial behavior. This paper describes the development of a risk model using a Bayesian network to enhance the comprehension of observable cyber events caused by malicious activity in OT environments. The core of the Bayesian network is a process model that describes the stages of adversary behavior. The remainder of the model is based on the MITRE ATT&CK® for Industrial Control Systems (ICS) taxonomy, which includes tactics and techniques that may be used by the adversary. The observables provide evidence for adversary behavior through the intermediary technique and tactic nodes. One challenge in constructing this model is a lack of open-source data from cyber-attacks on OT systems. This paper discusses learning from limited data, the elicitation of expert opinion to construct the conditional probability tables when data is scarce, and the refinement of the most difficult conditional probability tables using several forms of sensitivity analysis. Finally, the Bayesian network is demonstrated using two historical case studies: the DarkSide ransomware attack on the Colonial Pipeline and the destructive cyberattack targeting the ThyssenKrupp blast furnace.

Index Terms—Cybersecurity, industrial control systems, operational technology

Research Organization:
Idaho National Laboratory (INL), Idaho Falls, ID (United States)
Sponsoring Organization:
USDOE Office of Nuclear Energy (NE); USDOE Office of Cybersecurity, Energy Security, and Emergency Response (CESER)
Grant/Contract Number:
AC07-05ID14517
OSTI ID:
3011940
Report Number(s):
INL/JOU-24-77873
Journal Information:
IEEE Transactions on Information Forensics and Security, Vol. 20
Country of Publication:
United States
Language:
English