Professional Documents
Culture Documents
Abstract
Critical infrastructures are essential for national security, economy, and public safety. As an important part of security
protection, response strategy making provides useful countermeasures to reduce the impacts of cyberattacks. However,
there have been few researches in this domain that investigate the cyberattack propagation within a station and the inci-
dent spreading process in the critical infrastructure network simultaneously, let along analyzing the relationships between
security strategy making for a station and scheduling strategy for the critical infrastructure network. To tackle this prob-
lem, a hierarchical colored Petri net–based cyberattacks response strategy making approach for critical infrastructures is
presented. In this approach, the relationships among cyberattacks, security measures, devices, functions, and station
capacity are analyzed and described in a hierarchical way, and the system loss is calculated with the input of abnormal
station capacities. Then, based on the above model, the security strategy making for a station and the scheduling strategy
making for the critical infrastructure network are investigated in depth. Finally, the effectiveness of the proposed
approach is demonstrated on a simulated water supply system.
Keywords
Critical infrastructures, hierarchical colored Petri net, cyberattack response, cybersecurity protection, system-of-
systems
Creative Commons CC BY: This article is distributed under the terms of the Creative Commons Attribution 4.0 License
(https://creativecommons.org/licenses/by/4.0/) which permits any use, reproduction and distribution of the work
without further permission provided the original work is attributed as specified on the SAGE and Open Access pages
(https://us.sagepub.com/en-us/nam/open-access-at-sage).
2 International Journal of Distributed Sensor Networks
CIs on runtime, are of significance.6 Specifically, once The rest of this article is organized as follows: sec-
the cyberattacks are detected by intrusion detection sys- tion ‘‘Background and preliminary’’ discusses the char-
tem (IDS), an appropriate response strategy should be acteristic of the cyberattacks response in CIs and puts
made and executed to prevent the cyberattacks propa- forward the architecture of the proposed approach.
gation. In addition, the cyberattack can propagate from Section ‘‘System modeling with HCPN’’ gives the defi-
cyber space to physical space, and the incidents due to nition and description of HCPN and then uses HCPN
cyberattacks may propagate in CIs network with the to model the attack propagation in CIs. The generation
interdependence among stations.7 Thus, an appropriate of the attack response is analyzed in section ‘‘Optimal
response strategy can prevent the propagation process response strategy making.’’ Section ‘‘Simulation and
and mitigate the impacts of cyberattacks. result analysis’’ verifies the effectiveness of proposed
Many researches on response strategy making have approach, and the conclusions and remarks are pro-
been done in the past decades. Yan et al.8 proposed a vided in section ‘‘Conclusion.’’
response strategy based on the phasor measurement
unit (PMU) attack graph which analyzed the attack
paths in smart grid. Qin et al.9 established a multi- Background and preliminary
model based on Bayesian Network for dynamic
decision-making in industrial control systems (ICSs). Analysis of response strategy making in CIs
Zonouz and Haghani10 analyzed the grid situation and As a typical system-of-systems,14 a CI usually consists
sorted the candidate incidents, which provided valuable of a control center and several types of stations, such
information to security strategy makers. Wang et al.11 as generation, transmission, customer. The characteris-
defined the condition risk and the cost in smart grid tics of CIs are described as follows:15 (1) each station is
and provided the decision-making approach with these independent and useful in its own right, which can be
definitions. Yan and Haimes12 calculated the protec- divided into a cyber space and a physical space; (2) all
tion strategy cost–benefit in each subsystem and used stations are distributed geographically and form a com-
linear programming model to obtain the optimal sys- plex network; (3) the control center manages all sta-
tem strategy. Li et al.13 provided a multi-objective opti- tions cooperatively to achieve an intended purpose.
mization-based decision-making approach which The attackers generally acquire the following goals
considered the security benefit, system benefit, and step by step: (1) compromising the station management
state benefit in ICSs. These approaches focus on the authority by launching cyberattacks,16 (2) reducing the
attack propagation or the attacker–defender game pro- station capacity using the compromised authority, (3)
cess, contributing to CIs attack response making. But propagating the station incident in the CI network due
there exist several special factors in CIs cybersecurity to interdependences,17 and (4) causing negative impact
protection, for example, attacks to CIs cannot only on society.18,19 On the contrary, the CI defenders need
propagate from cyber space to physical space, but can to perform the following operations: (1) making secu-
also spread from station to stations through the CI net- rity strategy to prevent the authority compromise and
work. In addition, security strategy making for the sta- capacity reduction within the station, (2) making sche-
tion and scheduling strategy making for CIs need to be duling strategy to prevent the incident propagating in
cooperated with each other. Therefore, the existing the CI network, and (3) making policy to mitigate the
works cannot be applied to CIs protection directly due negative impact on society. According to the above dis-
to the neglect of the characteristics mentioned above. cussion, the station operation and CI states are chan-
Motivated by the above analysis, a hierarchical ged with attacks propagating. Hence, an appropriate
colored Petri net (HCPN)–based cyberattacks response model for describing the changing process is important
strategy making approach for CIs is proposed in this arti- for cyberattacks response.
cle. In this approach, an HCPN modeling method which
decouples a complex system into different layers and
describes the relationship among these layers by colored Demand analysis of system modeling
Petri is proposed. It can be used to model the operation
of a CI in a graphic way. Based on this method, the A Petri net (PN) is a graphical and mathematic model-
cyber-physical interaction within a station and material ing tool to describe the structure and behaviors of sys-
dependence among stations are modeled, which are used tems in a visual means. Specifically, the places with its
to analyze the consequences due to cyberattacks and own token can represent the properties of system com-
response strategy. Also, a response strategy making ponents, and the transition between different places
approach is introduced to analyze the security strategy describes the dynamic process of the component states
making for station and scheduling strategy making for changing. These characteristics make PNs suitable for
system and then generates the optimize response strategy modeling the system operation process, such as ICS,
based on the above two types of strategies. telecommunication, and transportation.20,21
Zhu et al. 3
Architecture of response strategy making approach Figure 2. HCPN derived from a ‘‘goal–function–device’’
framework.
The architecture of response strategy making approach
is shown in Figure 1, where the inputs are the attack
evidences and the current system states, and the output that the cyberattacks response strategy for CIs is con-
is the optimal response strategy for the stations which structed by the appropriate strategy for each station.
has suffered cyberattacks.
The approach consists of three main steps: (1) gener-
ating the candidate response strategies for the station System modeling with HCPN
which has suffered cyberattacks, then obtaining each
strategy properties, such as theirs benefit and mapped
Description of HCPN
station capacities; (2) making the optimal scheduling HCPN adopts the ‘‘Hierarchical’’ knowledge25 to
strategy for the CI, which uses the candidate security decouple a complex system into several related objects,
strategies of the stations and then distributes the control such as goals, functions, and devices and then utilizes
tasks to all stations; (3) selecting the optimal security CPN to describe the state changing of each object and
strategy for the stations, which considers both the con- the relationships among them. As shown in Figure 2,
trol task and the candidate response strategies. Note each object can be viewed as a ‘‘part of’’ another object
4 International Journal of Distributed Sensor Networks
Goal Station goal Station capacity can reach the managers expectation
Function Cyber function Role in station management (i.e. monitoring, control, data storage)
Physical function A process in charge of special material handling
Device Cyber device The components (i.e. HMI, engineer station, router, PLC)
Behavior Atomic attack (i.e. buffer overflow, data tampering, privilege escalation)
Security measure (i.e. turn on firewall, shutdown device, disconnect, use standby)
Goal Pg c1 clg Each colored token represents a special station capacity value
Function Pf fc0 , c1 g c0 means the function is normal; c1 means the function failed
Cyber device Pd fc0 , c1 g c0 means the device is normal; c1 means the device is compromised
Atomic attack Pa fc0 , c1 g c0 means the attack is not launched; c1 means the attack is launched
Security measure Ps fc0 , c1 g c0 and c1 mean the measure is not activated and activated, respectively
situated at a higher level, and the states changing of Input l: it consists of a distribution of colored
this object contribute to the property of higher object; tokens of the places at the start time.
on this basis, the above objects characteristics are mod- Output O: it consists of a distribution of colored
eled by CPN. The definition and description of these tokens of the places at the end time.
objects are introduced in the following.
‘‘Goal’’ represents the purpose of system, that is, In general, P represents the goal, functions, and
what the operators want the system to reach. devices in a system, C denotes their property; T indi-
‘‘Function’’ is a role played in the achievement of a cates the relationships between these objects; l and O
goal, which is realized by related devices. ‘‘Device’’ are the input and output
denotes the component that constructs the system.26 A
five-tuple hP, C, T, l, Oi is defined to describe the Modeling cyberattacks propagation within a station
HCPN:
As mentioned in section ‘‘Background and prelimi-
nary,’’ the cyberattacks to a station can propagate from
Places set P: each object, such as goal, function,
cyber space to physical space, whose goal is to reduce
and device, can be represented by a place Pi .
the station capacity. In order to describe the process,
Color set C: each place has a token at a certain
HCPN is used to build the cyberattacks propagation
time, and the color of this token denotes the state
model. Referring to the ‘‘goal–function–device’’ frame-
of the corresponding object, such as function
work, a station can be decoupled into many types of
failed or normal.
objects, as shown in Table 1. In addition, a type of
Transition set T: a transition represents the rela-
object called ‘‘behavior’’ which indicates the attacks
tionship of a place with others. In addition, each
and security measures is added into this table.
transition has a pre-condition and a post-condi-
Based on Table 1, cyberattacks propagation within a
tion. A transition Ti is defined in equation (1)
station can be modeled by an HCPN
def
Pref(P1 , c1 ), . . . , (Pm , cm )g ) Postf(Pk , ck )g ð1Þ N sta = hPsta , Csta , Tsta , lsta , Osta i ð2Þ
where the place set Psta includes five types of places,
and the color set Csta in different types of places has a
where ci represents a colored token, Pi is the ith different number of values, as shown in Table 2.
place in P. Equation (1) represents when the pre- The transition Tista 2 Tsta means the relationship
condition is satisfied, the color of the token in Pk between the property of the objects mentioned in Table
is changed to ck . 1, and these transitions can be divided into two types:
Zhu et al. 5
(1) the transition shown in equation (1), where the ci Algorithm 1. AP = GetAttackPath(E, Ms , Nsta ).
only has two values, i 2 f1, . . . , m, kg; (2) the transition
shown in equation (1), the ci in pre-condition has two Input: Attacks E, security strategy Ms, HCPN Nsta
Output: Attack path AP
values, and the ck has multi-value, 1 ł i ł m. Appendix 1. Ma E n* refer to Table 2*n
1 provides how to obtain these two types of transitions. 2. AP fMa , Ms g
The input lsta is given by defenders who allocate the 3. Renew Pa and Ps n* refer to equation (4)*n
special colored token to the corresponding places. The 4. for each Pid 2 Pd do
output Osta is inferred by lsta and N sta . 5. Renew Pid n* Based on transition mechanism *n
6. end for
7. for each Pif 2 Pf do
Optimal response strategy making 8: Renew Pif n* Based on transition mechanism *n
9: Renew Mfi n*equation (4)*n
Generation of candidate security strategies for 10: end for
11: Renew Pg n* Based on transition mechanism *n
stations 12: Renew Mg n* refer to equation (4)*n
Cyberattacks are always launched to compromise the 13: AP AP [ fMd , Mf , Mg g
devices, disable the functions, and reduce the station 14: return AP
capacity. In order to secure the operation safety, the
security strategy is made to protect the devices, which Based on the above definition, the candidate security
maps to certain station capacity value. Considering the strategies Ccnd can be represented by the vector M s and
interaction between station and control center, candi- is shown in equation (6)
date security strategies for the station are generated in
this subsection. Ccnd = fM1s, apt , . . . , Mlgs, apt g ð6Þ
A security strategy maps to certain station capacity,
but certain station capacity may be caused by several where Mis, apt = fH(s1 ), . . . , H(sm )g, m is the number of
security strategies. The candidate security strategies Ccnd the security measures in this station, and H(sk ) indicates
for a station consist of lg security strategies and are rep- the measure sk is activated or not and its value is equal
resented by equation (3) to 0 or 1.
A security strategy z is represented by the vector M s ,
Ccnd = fzapt apt
1 , . . . , zlg g ð3Þ and its impact on station is described by attack path
AP = fM a , M s , M d , M f , M g g. Algorithm 1 shows how
where zapt
i is an acceptable security strategy which satis- to get the attack path.
fies certain conditions, such as it makes the station CB(M s ) is used to calculate the net benefit of security
capacity to locate on certain value gi and gains expected strategy M s , which is shown in equation (7)
benefit.
A security strategy z for a station consists of the CBðM s Þ = BftCalðM s Þ CostCalðM s Þ ð7Þ
security measures which are activated, and it can be
represented by a vector M s , where M s (i) = 1 means the where the description of all the elements in equation (7)
ith security measure is activated. Based on Table 2, is listed as follows:
four vectors M a , M s , M d , and M f are used to map the
colored token in Pa , Ps , Pd , and Pf , respectively, and 1. Benefit of executing security strategy Bft(M s ):
their elements are defined by equation (4) APE and APE, M are the attack paths which are
obtained from GetAttackPath(E, [, N sta ) and
( GetAttackPath(E, M s , N sta ), respectively. Then
j 0, the colored token is Pji , c0
M ðiÞ = j ð4Þ the benefit of the security strategy is calculated
1, the colored token is Pi , c1 by equation (8)
where M j (i) is the value of the ith element in M j ,
BftCalðM s Þ =
j 2 fa, s, d, f g. In addition, we define the variable M g to X X
MEi (j) ME,
i i ð8Þ
represent the colored token in station goal place, which M (j) 3 mj
is shown in equation (5) i2fd, f , gg 1 ł j ł l(i)
8 where MEi (j) is the jth element in MEi and MEi is vector
<1
> the colored token is (Pg , c1 ) i
g . .. in APE . Similarly, ME, M (j) is the element in APE, M .
M = .. . ð5Þ i
>
: Besides, mj is the asset value of the specific object
g
lg the colored token is (P , clg ) (device, function, and goal) which is given by experts,
6 International Journal of Distributed Sensor Networks
Algorithm 2. Get a acceptable security strategy. CroMut(G) means that the (ns + 1)th(ns + nc)th indi-
viduals in G are crossed and mutated. AddInd(G, na)
Input: HCPN Nsta , attack evidence E generates na individuals in a random way.
Output: Acceptable security strategy Ms,i apt
The candidate security strategies for station are con-
1: Iterations tmax , population G0
2: G0 ;, G ;, Mcnd ; structed by Mis, apt (1 ł i ł lg), and it can be obtained by
3: G0 Rand(Ms ) executing Algorithm 2 for lg times.
4: for t 1 to tmax do
5: for each G0, k 2 G0 do
6: Mgk GetAttackPath(E, G0, k , Nsta ) Construction of optimal scheduling strategy for CIs
7: end for
8: G Rank(G0 , Mg ) Assume that there exists n stations in a CI network, and
9: if t = tmax | CB(G(1)) ø R then the ith station is named as stai , the candidate station
10: G0 G capacities of stai have lg elements and are defined by
11: break;
equation (10)
12: end if
13: Gn Gn [ Select(G, ns)
14: Gn Gn [ CroMut(G, nc) gi (t) = fgi, 1 , . . . , gi, lg g ð10Þ
15: Gn Gn [ AddInd(G, na)
16: G0 Gn where gi (t) represents the reception capacity of material
17: end for at time t, gi, j is a special value which is decided by the
18: Ms,i apt G0 (1) operation of stai , and it maps to Mig = j.
19: return Ms,i apt Because of the internal dependence and topology
characteristic of CIs network,28 the changing of a sta-
tion capacity may impact on other stations. Hence, the
scheduling strategy which consists of all station capac-
and l(i) is the number of elements in MEi or ME,
i
M,
i 2 fd, f , gg. ity setting can manage the CI network states.29 In order
to quantify the effect of scheduling strategy, we calcu-
late the system loss when the scheduling strategy is exe-
2. Cost of executing security strategy CostCal(M s ):
the execution of security strategy consumes cuted. The system loss L(t) at time t is obtained by
resources, such as hardware configuration, com- equation (11)
puting resource, communication resource, and
L(t) = LossCalðS(t), d(t)Þ ð11Þ
so on.27 Thus, the consumed resources of M s are
quantified as follows where S(t) denotes the scheduling strategy which is
X defined by S(t) = fg1 (t), . . . , gn (t)g; di (t) is the overload
CostCalðM s Þ = s
ME, M ðiÞ 3 ui ð9Þ of stai at time t. Obviously, Si (t) is a specific value which
1 ł i ł ls is decided by the value of gi (t). The inference of equa-
where the value ui is the cost of executing the ith secu- tion (11) is elaborated in Appendix 1.
rity measure and is provided by security experts; ls is If stai has suffered cyberattacks, and the jth element
the number of elements in ME, s in candidate security strategies leads the stai capacity to
M.
s, apt locate at a specific value gi, j at time t, the optimal sche-
Mi in equation (6) needs to meet the following
conditions: (1) CM(Mis, apt , E) = gi represents that duling strategy making for the network is setting the
Mis, apt maps to station capacity gi when the station stai capacities of the other stations, whose goal is to make
has suffered the attack E; (2) CB(Mis, apt ) ø R is satisfied; the system loss at the minimum value. Therefore, the
it means Mis, apt needs to gain enough net benefit. optimal scheduling strategy is defined as follows
Algorithm 2 describes how to generate the acceptable
security strategy Mis, apt , which combines the HCPN Sjopt (t) = fg1opt (t), . . . , gi1
opt
(t), gi, j , giopt opt
+ 1 (t), . . . , gn (t)g
and genetic algorithm. ð12Þ
In Algorithm 2, the population G0 has n individuals,
G0, k is the kth individual in G0 and is used to store a where gkopt (t) equals to a specific element which is
security strategy. Rand(M s ) represents generating n vec- selected from equation (10), 1 ł k ł n and k 6¼ i. In
tors by assigning all the elements in M s with 0 or 1 ran- order to obtain Sjopt (t), Algorithm 3 is provided.
domly and then each vector is a security strategy and In Algorithm 3, (1) G(t) Construct() means con-
represented by an individual. Rank(G0 , M g ) means all structing the scheduling strategies set G. Specifically,
the individuals in G0 are ranked; specifically, the indi- select an element from gk (t) randomly, which forms a
viduals, which map to M g = i, are ranked in descending scheduling strategy with gi, j , where 1 ł k ł n and k 6¼ i.
order according to the net benefit. Select(G, ns) means (2) u is the number of element in G, if the capacity of
that selecting the 1thnsth individuals in G. each station has lg values, then u is equal to lgn1 .
Zhu et al. 7
ES DS Router4 PM4
Intranet
Router5
Control center PM3 Router3 PLC9 PLC10
ETH3
PLC7 PLC8
PM1 Router1 Router2 T3
PM2 T5,T6
ETH2 V5 V6
Station 4
V7 V8
PLC1 PLC2 PLC3 PLC4 PLC5 PLC6 T4
P1 T1
Station 3 T7
R1 V1 V2
P2 L1 Station 5
P3 L2
V3 V4 T8
T2
Station 1 Station 2
ES: Engineer Station DS: Database Server Station 6
R: Reservoir P: Pump T: Water Tower PM: Process Management
ETH: Ethernet V: Valve L: Liquid level sensor PLC: Programmable Logic Controller
Table 8. Optimal scheduling strategies. Table 9. The optimal strategy for system.
Time (h) Candidate sta3 capacity System Scenario Time Response strategy
sta2 capacity setting cost (USD)
sta2 sta3
4 g2 = v2ept (t) g3 = v3ept (t) 0
I 4 fs2, 1 g g3 = v3ept (t)
6 g2 = v2ept (t) g3 = v3ept (t) 0
6 fs2, 1 , s2, 2 g g3 = v3ept (t)
8 g2 = v2ept (t) g3 = v3ept (t) 0
8 fs2, 1 , s2, 2 , s2, 4 g g3 = v3ept (t)
g2 = 0:73v2ept (t) g3 = 0:53v3ept (t) 5:33104
11 fs2, 1 , s2, 2 , s2, 4 , s2, 6 g g3 = v3ept (t)
11 g2 = v2ept (t) g3 = v3ept (t) 0
13 fs2, 1 , s2, 2 , s2, 4 , s2, 5 , s2, 6 g g3 = v3ept (t)
g2 = 0:73v2ept (t) g3 = 0:53v3ept (t) 3:43104
II 4 fs2, 1 g g3 = v3ept (t)
g2 = 0:33v2ept (t) g3 = v3ept (t) 2:63104
6 fs2, 1 , s2, 2 g g3 = v3ept (t)
g2 = 0 g3 = 0 4:83104
13 g2 = v2ept (t) g3 = v3ept (t) 0 8 fs2, 1 , s2, 2 , s2, 4 g g3 = v3ept (t)
g2 = 0:73v2ept (t) g3 = 0:53v3ept (t) 2:43104
11 fs2, 1 , s2, 2 , s2, 4 g g3 = v3ept (t)
g2 = 0:33v2ept (t) g3 = v3ept (t) 1:13104
13 fs2, 1 , s2, 2 , s2, 4 , s2, 5 g g3 = v3ept (t)
g2 = 0 g3 = 0 3:43104
III 4 fs2, 1 g g3 = v3ept (t)
6 fs2, 1 , s2, 2 g g3 = v3ept (t)
8 fs2, 1 , s2, 2 , s2, 4 g g3 = v3ept (t)
11 fs2, 1 , s2, 2 , s2, 6 g g3 = 0:53v3ept (t)
13 fs2, 1 , s2, 2 , s2, 5 , s2, 6 g g3 = 0:53v3ept (t)
line 3 in those three sub-figures indicates the impact of
sta2 output, sta3 capacity setting shown in Table 9, and
the time delay between sta2 and sta3 simultaneously.
Note that Figure 6 only focuses on the consequence of hour 8 is larger than that at hour 11 or 13 which indi-
the cyberattacks which occur at hour 13. cates that the cyberattacks to sta2 have more serious
Figure 7 shows the net benefit of sta2 (gray bar asso- impact on system at hour 8. The net benefit of system
ciated with the left Y axes) and the net benefit of the CI in the second and the third sub-figures is smaller than
(white bar associated with the right Y axes) when the that in the first sub-figure due to the cost constraint in
response strategies in different scenarios are executed. sta2 .
The net benefit of sta2 is calculated by equation (7) In order to evaluate the real-time performance of
which considers the asset of devices, function, and goal our approach, the simulation for response strategy
in sta2 ; additionally, the net benefit of the CI is calcu- making at hour 13 is performed for 1000 times, where
lated by equation (24) which considers the property of the simulation ran on a computer with Inter Core i3 at
all stations. In the first sub-figure, the net benefit of 3.90 GHz and 8 GB RAM. The execution time distri-
sta2 increases because more and more security measures bution of the simulation is shown in Figure 8. The exe-
have been activated, which are shown in Tables 5 and cution time of our approach consists of three main
9. The net benefit of the CI is equal to 0 at hours 4 and parts: the time spent on Algorithm 2, Algorithm 3, and
6 because the cyberattacks have not yet impacted on the system loss calculation. The complexity of
the capacity of sta2 . Besides, the net benefit of the CI at Algorithm 2 is equal to O(G 3 N 2 ), which is based on
Zhu et al. 11
5
3
4
3 2
2 1
1
0
0 Line 1 Line 1
-1
Line 2 -1 Line 2
Line 3 Line 3
-2 -2
11 12 13 14 15 16 11.5 12.5 13.5 14.5 15.5 16.5
5
3
4
3 2
2 1
1
0
0 Line 1 Line 1
-1 Line 2 -1 Line 2
Line 3 Line 3
-2 -2
11 12 13 14 15 16 11.5 12.5 13.5 14.5 15.5 16.5
5
3
4
3 2
2 1
1
0
0 Line 1 Line 1
-1
Line 2 -1 Line 2
Line 3 Line 3
-2 -2
11 12 13 14 15 16 11.5 12.5 13.5 14.5 15.5 16.5
Figure 6. Outputs of sta2 and sta3 after executing response strategy at hour 13.
the generation number G and the population size N; proposed, which analyzes the relationships among
the complexity of Algorithm 3 is equal to O(K M ), which cyberattacks, security measures, devices, functions, and
is based on the station capacity size K and the station station capacity in a graphical way and then investi-
number M; the complexity of system loss calculation is gates the interaction between response strategy making
small and can be ignored. for station and the scheduling strategy making for CI
The above simulations verify that our approach has network. The simulation verifies our approach can
the ability to making response strategy for CIs. In addi- make an appropriate response strategy for cyberattacks
tion, this approach employs different perspectives, which in real time.
makes it difficult to compare our approach with others. However, this approach needs to prepare the com-
Therefore, we compare the approaches mentioned in plete knowledge of all the cyberattacks and security
section ‘‘Introduction’’ with ours from different aspects. measures before building the HCPN model and does
Table 10 provides the approaches comparison. not consider the probability attribute of the transition
in HCPN. In our future work, the probabilities of
attack paths in cyberattacks propagation are investi-
Conclusion gated, where the propagation process is analyzed with
In this article, an HCPN-based cyberattacks the input of incomplete knowledge of cyberattacks and
response strategy making approach for CIs is systems.
12 International Journal of Distributed Sensor Networks
Approach Yan et al.8 Qin et al.9 Zonouz and Wang et al.11 Yan and Li et al.13 This study
Haghani10 Haimes12
Cyber domain = = = =
Physical domain = = = = = =
Station characteristic = = = =
Topology characteristic = = =
Attack propagation = = = = = =
System impact = = = = = = =
350
Declaration of conflicting interests
300 The author(s) declared no potential conflicts of interest with
respect to the research, authorship, and/or publication of this
Number of simulations
250 article.
200
Funding
150 The author(s) disclosed receipt of the following financial sup-
port for the research, authorship, and/or publication of this
100 article: This work was supported by the National Science
Foundation of China (NSFC) under grant numbers
50 61433006, 61873103, and 61272204.
0
2.25 2.31 2.37 2.43 2.49
Execution time (s) ORCID iD
Yuanqing Qin https://orcid.org/0000-0003-3600-5594
Figure 8. Execution time of response strategy making at hour 13.
Zhu et al. 13
1 1 P2 P3 p1
AND OR
p5
2 3 2 3 P1 p2
Logical relations in tree Transition in Petri Net p4
Figure 9. Relationship between tree and Petri net.
p3
Figure 10. Station physical space structure.
Table 13. Description of station properties. oj (t) = kj (t) 3 gj (t) + mj (t) 3 (gj (t) + rj (t)) ð20Þ
Symbol Description where the kj (t) and mj (t) are defined as follows
gi (t) Station capacity 8
oi (t) Material output < kj (t) = 1, mj (t) = 0, j 2 UpNei(stai )rj ø 0
li (t) Material input kj (t) = 0, m (t) = 1, j 2 UpNei(stai )rj \0 ð21Þ
: k (t) = 0, mj (t) = 0, else
ri (t) Material overload j j
di, j Proportion of output from stai to staj
Based on equation (21), equation (17) can be repre-
sented as follows
Then it means the station capacity is changed from P
n
g ept (t) to 0:82 3 g ept (t) when p2 is failed. According to ri (t + 1) = (kj (t) 3 gj (t) + mj (t) 3 (gj (t) + rj (t)))
j=1
the mapping relationships between material process 3 dj, i gi (t)
and Petri net, we can get a concrete description of the P n
transition which is described by f(Pf1 , c0 ), (Pf2 , c1 ), = (kj (t) + mj (t)) 3 dj, i 3 gj (t) gi (t)
j=1
(Pf3 , c0 ), (Pf4 , c0 ), (Pf5 , c0 )g ) f(Pg , c2 )g, where (Pf2 , c1 ) P
n
+ mj (t) 3 rj (t)
means the function p2 is failed; (Pg , c2 ) represents the j=1
station capacity is mapped to 0:82 3 gept (t). = Ai (t) 3 r(t) + Bi (t) 3 g(t)
ð22Þ
Appendix 2
where r(t) = ½r1 (t), . . . , rn (t)T , g(t) = ½g1 (t), . . . , gn (t)T .
In order to analyze the relationship between stations Therefore, we can get the estimation equation of all the
capacities and system loss, several properties of station station states, as shown in equation (23)
are listed in Table 13.
Then there exist several equations about the proper- r(t + 1) = A(t)r(t) + B(t)g(t) ð23Þ
ties in Table 13
Therefore, the cyberattack on a station may cause
ri ðt + 1Þ = lðt + 1Þ gi ðtÞ ð17Þ the overload of other stations in CI network. Thus, we
calculate the system loss based on the overloads. As
where li (t) is the input of stai
shown in equation (24)
X
li ðt + 1Þ = oj (t) 3 dj, i ð18Þ n X
X m
j2UpNei(stai ) L(t) = jri (t0 + j)j 3 Dt 3 t i ð24Þ
i=1 j=0
The UpNei(stai ) represents the stations which is the
upstream neighbor of stai . Then the output of stai is where ri (t0 + j) is the overload of the ith station at time
obtained by the following equation t0 + j, t0 is the start time of cyberattacks, t0 + m is the
time when the station state is normal, Dt is the period
gj (t), rj (t) ø 0 between t0 + j and t0 + (j + 1), and ti is the economic
oj (t) = ð19Þ
gj (t) + rj (t), rj (t)\0 loss of per unit overload of the ith station.
Then equation (19) can be described as follows