Cyber Risk Propagation and Optimal Selection of Cybersecurity Controls for Complex Cyberphysical Systems

The increasingly witnessed integration of information technology with operational technology leads to the formation of Cyber-Physical Systems (CPSs) that intertwine physical and cyber components and connect to each other to form systems-of-systems. This interconnection enables the offering of functionality beyond the combined offering of each individual component, but at the same time increases the cyber risk of the overall system, as such risk propagates between and aggregates at component systems. The complexity of the resulting systems-of-systems in many cases leads to difficulty in analyzing cyber risk. Additionally, the selection of cybersecurity controls that will effectively and efficiently treat the cyber risk is commonly performed manually, or at best with limited automated decision support. In this work, we propose a method for analyzing risk propagation and aggregation in complex CPSs utilizing the results of risk assessments of their individual constituents. Additionally, we propose a method employing evolutionary programming for automating the selection of an optimal set of cybersecurity controls out of a list of available controls, that will minimize the residual risk and the cost associated with the implementation of these measures. We illustrate the workings of the proposed methods by applying them to the navigational systems of two variants of the Cyber-Enabled Ship (C-ES), namely the autonomous ship and the remotely controlled ship. The results are sets of cybersecurity controls applied to those components of the overall system that have been identified in previous studies as the most vulnerable ones; such controls minimize the residual risk, while also minimizing the cost of implementation.