IEEE Access (Jan 2023)

Quantitative Evaluation Method for Industrial Control System Vulnerability Based on Improved Expert Elicitation and Fuzzy Set Method

  • Wenli Shang,
  • Tianyu Gong,
  • Jing Hou,
  • Jiayue Lu,
  • Zhong Cao

DOI
https://doi.org/10.1109/ACCESS.2023.3314629
Journal volume & issue
Vol. 11
pp. 101007 – 101019

Abstract

To address the problems of scientific rigor and reliability in quantitative vulnerability assessment methods based on the attack tree model, we propose an improved expert decision method based on the attack tree model. It improves the reliability of expert decision aggregation and solves the problem of insufficient evaluation data for the quantitative vulnerability evaluation method. First, building on the expert decision aggregation method, we propose the concept of deviation degree and introduce the maximum deviation degree method as a new way to screen the experts' fuzzy evaluations. The deviation degree is then taken as one of the influencing factors in aggregating the fuzzy evaluations, and the experts' fuzzy evaluations are aggregated to solve the problem of insufficient evaluation data. Finally, the improved expert decision aggregation method is combined with the quantitative vulnerability evaluation method based on the attack tree model to quantify the leaf nodes, security events, and attack sequence events. Using the ship industry control system as an illustration, we analyze and evaluate the feasibility and scientific validity of the proposed method. This analysis effectively enhances the reliability of the summary of the experts' fuzzy evaluations, solves the problem of insufficient evaluation data, and provides an important basis for the information security protection of the industrial control system.

Keywords