Game-theoretic approach to cybersecurity risk assessment and protective strategy optimization in process industry production systems

Abstract

In the realm of process plants, the imperative to avert accidental incidents is compounded by the escalating specter of deliberate attacks, predominantly in the form of cyber intrusions. These cyber threats, with their attendant physical risks, are notoriously elusive to quantify, thereby impeding the plants’ ability to adapt swiftly to evolving risk profiles. This paper introduces a game-theoretic framework that translates cyber-assaults on industrial processes into process deviations induced by anomalous control actions, enabling the quantification of risk and the assessment of the cyberattacks’ impact on operational processes. Risk quantification serves as the foundation for the payoffs of both the attackers and the defenders, and it is used to address the probability and severity of incidents through static games characterized by incomplete information. Subsequently, complete information static game theory is employed to calculate the payoffs for both the attacker and the defender. This approach encompasses a spectrum of potential attacks and defenses, yielding optimal economic strategies for the defender across various temporal junctures. Furthermore, a risk tolerance model is integrated to refine the payoff calculation, offering a blueprint for the defender to execute enhanced defensive strategies. The efficacy of the proposed methodology in managing the physical risks emanating from cyberattacks is substantiated through a case study, which scrutinizes a steam stripper and its control system within a catalytic cracking unit.