Minimising cybersecurity risk exposures in industrial control system environments: a techno-human vulnerability analysis approach

Ani, Uchenna Daniel; Watson, Jeremy; He, Hongmei; Radanliev, Petar; Epiphaniou, Gregory




Abstract

Organisations operating IoT-enabled industrial control systems (ICSs) are concerned about growing cybersecurity risks and impacts to their systems. Cyber-attacks on ICSs demonstrate that technology alone is neither a problem nor a solution to the growing cybersecurity issues affecting these systems. As socio-technical systems, ICSs encompass the functions and interactions of social and technological system elements to enable and/or sustain industrial processes. Thus, a more effective cybersecurity risk management process needs to consider human and technology factors, especially for high-value industrial process targets. Combining critical reviews and gap analysis of existing vulnerability assessment methods with conceptual modelling, a Vulnerability Analysis Critical Impact Point Process (VACIP) methodology is proposed which considers both human and technological vulnerabilities within a cyber-physical system environment to inform an improved insight about attack criticality and impacts. VACIP is validated using a simulated industrial mini testbed, showing that it can enable practicable support for security vulnerability discovery, impact criticality analysis, weak link identification, and prioritised controls. Its novelty is demonstrated in its combination of technology and human vulnerability evaluations in the minimisation of system security exposures. It provides a useful guide for adopting effective cybersecurity risk assessment and exposure reduction strategies.

Citation

Ani, U. D., Watson, J., He, H., Radanliev, P., & Epiphaniou, G. (in press). Minimising cybersecurity risk exposures in industrial control system environments: a techno-human vulnerability analysis approach. Journal of Cyber Security Technology, 1-40. https://doi.org/10.1080/23742917.2024.2421589

Journal Article Type: Article
Acceptance Date: Oct 2, 2024
Online Publication Date: Nov 10, 2024
Deposit Date: Dec 5, 2024
Journal: Journal of Cyber Security Technology
Print ISSN: 2374-2917
Electronic ISSN: 2374-2925
Publisher: Taylor and Francis Group
Peer Reviewed: Peer Reviewed
Pages: 1-40
DOI: https://doi.org/10.1080/23742917.2024.2421589
Keywords: security vulnerability analysis, security risk analysis, security risk impact analysis, risk management, socio-technical security
Public URL: https://keele-repository.worktribe.com/output/984803