
Research Article

International Journal of Distributed Sensor Networks
2020, Vol. 16(1)
© The Author(s) 2020
DOI: 10.1177/1550147719889808
journals.sagepub.com/home/dsn

A hierarchical colored Petri net–based cyberattacks response strategy making approach for critical infrastructures

Qianxiang Zhu, Yuanqing Qin, Yue Zhao and Zhou Chunjie

Abstract
Critical infrastructures are essential for national security, economy, and public safety. As an important part of security protection, response strategy making provides useful countermeasures to reduce the impacts of cyberattacks. However, there has been little research in this domain that investigates the cyberattack propagation within a station and the incident spreading process in the critical infrastructure network simultaneously, let alone analyzes the relationships between security strategy making for a station and scheduling strategy for the critical infrastructure network. To tackle this problem, a hierarchical colored Petri net–based cyberattacks response strategy making approach for critical infrastructures is presented. In this approach, the relationships among cyberattacks, security measures, devices, functions, and station capacity are analyzed and described in a hierarchical way, and the system loss is calculated with the input of abnormal station capacities. Then, based on the above model, the security strategy making for a station and the scheduling strategy making for the critical infrastructure network are investigated in depth. Finally, the effectiveness of the proposed approach is demonstrated on a simulated water supply system.

Keywords
Critical infrastructures, hierarchical colored Petri net, cyberattack response, cybersecurity protection, system-of-systems

Date received: 4 December 2018; accepted: 3 October 2019

Handling Editor: Michele Amoretti

Key Laboratory of Image Processing and Intelligent Control, Ministry of Education, School of Artificial Intelligence and Automation, Huazhong University of Science and Technology, Wuhan, China

Corresponding author:
Yuanqing Qin, Key Laboratory of Image Processing and Intelligent Control, Ministry of Education, School of Artificial Intelligence and Automation, Huazhong University of Science and Technology, Wuhan 430074, China.
Email: qinyuanqing@hust.edu.cn

Creative Commons CC BY: This article is distributed under the terms of the Creative Commons Attribution 4.0 License (https://creativecommons.org/licenses/by/4.0/) which permits any use, reproduction and distribution of the work without further permission provided the original work is attributed as specified on the SAGE and Open Access pages (https://us.sagepub.com/en-us/nam/open-access-at-sage).

Introduction

Critical infrastructures (CIs) are viewed as the foundation of crucial economic and social function, whose secure and reliable operation provides essential, continual goods or services to meet the country's demand [1]. Nowadays, the wide adoption of developed information and communication technologies (ICT) improves the CIs' operation efficiency, but it also makes CIs more vulnerable to cyber threats. In 2003, the worm virus “Slammer” invaded the “Davies–Besse” nuclear plant and disabled the safety monitoring system in Ohio, USA [2]. Several relevant departments believed the blackout accident that occurred in northeast America and Canada in 2009 was caused by foreign cyberattacks [3]. In 2015, hackers attacked the Ukrainian grid and caused a large-scale grid blackout [4]. Therefore, cybersecurity protection for CIs is important and essential.

CIs require high availability, which means the unexpected shutdown of these systems is not allowed [5]. Thus, detecting the cyberattacks and responding timely, which can improve the intrusion tolerance ability of

CIs on runtime, are of significance [6]. Specifically, once the cyberattacks are detected by an intrusion detection system (IDS), an appropriate response strategy should be made and executed to prevent the cyberattacks' propagation. In addition, the cyberattack can propagate from cyber space to physical space, and the incidents due to cyberattacks may propagate in the CI network through the interdependence among stations [7]. Thus, an appropriate response strategy can prevent the propagation process and mitigate the impacts of cyberattacks.

Much research on response strategy making has been done in the past decades. Yan et al. [8] proposed a response strategy based on the phasor measurement unit (PMU) attack graph which analyzed the attack paths in smart grid. Qin et al. [9] established a multi-model based on Bayesian Network for dynamic decision-making in industrial control systems (ICSs). Zonouz and Haghani [10] analyzed the grid situation and sorted the candidate incidents, which provided valuable information to security strategy makers. Wang et al. [11] defined the condition risk and the cost in smart grid and provided the decision-making approach with these definitions. Yan and Haimes [12] calculated the protection strategy cost–benefit in each subsystem and used a linear programming model to obtain the optimal system strategy. Li et al. [13] provided a multi-objective optimization-based decision-making approach which considered the security benefit, system benefit, and state benefit in ICSs. These approaches focus on the attack propagation or the attacker–defender game process, contributing to CIs attack response making. But there exist several special factors in CIs cybersecurity protection; for example, attacks on CIs can not only propagate from cyber space to physical space, but can also spread from station to station through the CI network. In addition, security strategy making for the station and scheduling strategy making for CIs need to cooperate with each other. Therefore, the existing works cannot be applied to CIs protection directly because they neglect the characteristics mentioned above.

Motivated by the above analysis, a hierarchical colored Petri net (HCPN)–based cyberattacks response strategy making approach for CIs is proposed in this article. In this approach, an HCPN modeling method which decouples a complex system into different layers and describes the relationship among these layers by colored Petri nets is proposed. It can be used to model the operation of a CI in a graphic way. Based on this method, the cyber-physical interaction within a station and the material dependence among stations are modeled, which are used to analyze the consequences due to cyberattacks and response strategy. Also, a response strategy making approach is introduced to analyze the security strategy making for a station and the scheduling strategy making for the system, and then generates the optimal response strategy based on the above two types of strategies.

The rest of this article is organized as follows: section “Background and preliminary” discusses the characteristics of the cyberattacks response in CIs and puts forward the architecture of the proposed approach. Section “System modeling with HCPN” gives the definition and description of HCPN and then uses HCPN to model the attack propagation in CIs. The generation of the attack response is analyzed in section “Optimal response strategy making.” Section “Simulation and result analysis” verifies the effectiveness of the proposed approach, and the conclusions and remarks are provided in section “Conclusion.”

Background and preliminary

Analysis of response strategy making in CIs

As a typical system-of-systems [14], a CI usually consists of a control center and several types of stations, such as generation, transmission, and customer. The characteristics of CIs are described as follows [15]: (1) each station is independent and useful in its own right, and can be divided into a cyber space and a physical space; (2) all stations are distributed geographically and form a complex network; (3) the control center manages all stations cooperatively to achieve an intended purpose.

The attackers generally pursue the following goals step by step: (1) compromising the station management authority by launching cyberattacks [16], (2) reducing the station capacity using the compromised authority, (3) propagating the station incident in the CI network due to interdependences [17], and (4) causing negative impact on society [18, 19]. On the contrary, the CI defenders need to perform the following operations: (1) making a security strategy to prevent the authority compromise and capacity reduction within the station, (2) making a scheduling strategy to prevent the incident from propagating in the CI network, and (3) making policy to mitigate the negative impact on society. According to the above discussion, the station operation and CI states change as attacks propagate. Hence, an appropriate model for describing the changing process is important for cyberattacks response.

Demand analysis of system modeling

A Petri net (PN) is a graphical and mathematical modeling tool to describe the structure and behaviors of systems in a visual way. Specifically, a place with its own token can represent the properties of a system component, and the transition between different places describes the dynamic process of the component states changing. These characteristics make PNs suitable for modeling the system operation process, such as ICS, telecommunication, and transportation [20, 21].

[Figure 1: flowchart. Inputs: attack evidences; current system states. Station security strategy making: attack paths analysis, security strategy identification, benefit calculation for security strategy, HCPN model for station, candidate security strategies set generation, optimal security strategy selection. System scheduling strategy making: candidate scheduling strategies set generation, loss calculation for scheduling strategy, optimal scheduling strategy selection. Output: optimal response strategy.]

Figure 1. Architecture of cyberattack response approach for CIs.

PN also contributes to response strategy making for CIs: the places and transitions in PN describe the behaviors of the attackers in the IT system [22], and then the defenders can prevent the propagating process by making an appropriate security strategy [23]. However, the station capacity, which changes with the attack propagation, is multi-variable and cannot be described by the token property in PN. In addition, a station is a complex system that is decoupled into different types of objects, such as device, function, and goal, which makes it difficult for PN to describe the interaction among these objects. To solve this problem, colored Petri net (CPN) [24] is combined with “hierarchical” knowledge in ontology to describe the attack behavior, defender behavior, device states, function states, and station capacity, which helps to analyze the incident spreading in the CI network and response strategy making for CIs.

Architecture of response strategy making approach

The architecture of the response strategy making approach is shown in Figure 1, where the inputs are the attack evidences and the current system states, and the output is the optimal response strategy for the stations which have suffered cyberattacks.

The approach consists of three main steps: (1) generating the candidate response strategies for the station which has suffered cyberattacks, then obtaining each strategy's properties, such as their benefit and mapped station capacities; (2) making the optimal scheduling strategy for the CI, which uses the candidate security strategies of the stations and then distributes the control tasks to all stations; (3) selecting the optimal security strategy for the stations, which considers both the control task and the candidate response strategies. Note that the cyberattacks response strategy for CIs is constructed by the appropriate strategy for each station.

[Figure 2: a “goal–functions–devices” tree with the goal G at the top, shown beside the corresponding hierarchical colored Petri net. Legend: goal, function, device, place, transition, relationship.]

Figure 2. HCPN derived from a “goal–function–device” framework.

System modeling with HCPN

Description of HCPN

HCPN adopts the “Hierarchical” knowledge [25] to decouple a complex system into several related objects, such as goals, functions, and devices, and then utilizes CPN to describe the state changing of each object and the relationships among them. As shown in Figure 2, each object can be viewed as a “part of” another object

Table 1. “Goal–function–device–behavior” for station.

| Object | Name | Description |
|---|---|---|
| Goal | Station goal | Station capacity can reach the managers expectation |
| Function | Cyber function | Role in station management (i.e. monitoring, control, data storage) |
| Function | Physical function | A process in charge of special material handling |
| Device | Cyber device | The components (i.e. HMI, engineer station, router, PLC) |
| Behavior | Atomic attack | (i.e. buffer overflow, data tampering, privilege escalation) |
| Behavior | Security measure | (i.e. turn on firewall, shutdown device, disconnect, use standby) |

HMI: human–machine interface; PLC: programmable logic controller.

Table 2. Description of places properties in HCPN.

| Object | Place | Color set | Description |
|---|---|---|---|
| Goal | $P^g$ | $\{c_1, \ldots, c_{lg}\}$ | Each colored token represents a special station capacity value |
| Function | $P^f$ | $\{c_0, c_1\}$ | $c_0$ means the function is normal; $c_1$ means the function failed |
| Cyber device | $P^d$ | $\{c_0, c_1\}$ | $c_0$ means the device is normal; $c_1$ means the device is compromised |
| Atomic attack | $P^a$ | $\{c_0, c_1\}$ | $c_0$ means the attack is not launched; $c_1$ means the attack is launched |
| Security measure | $P^s$ | $\{c_0, c_1\}$ | $c_0$ and $c_1$ mean the measure is not activated and activated, respectively |

HCPN: hierarchical colored Petri net.

situated at a higher level, and the state changes of this object contribute to the property of the higher object; on this basis, the above objects' characteristics are modeled by CPN. The definition and description of these objects are introduced in the following.

“Goal” represents the purpose of the system, that is, what the operators want the system to reach. “Function” is a role played in the achievement of a goal, which is realized by related devices. “Device” denotes the component that constructs the system [26]. A five-tuple $\langle P, C, T, l, O \rangle$ is defined to describe the HCPN:

- Places set $P$: each object, such as goal, function, and device, can be represented by a place $P_i$.
- Color set $C$: each place has a token at a certain time, and the color of this token denotes the state of the corresponding object, such as function failed or normal.
- Transition set $T$: a transition represents the relationship of a place with others. In addition, each transition has a pre-condition and a post-condition. A transition $T_i$ is defined in equation (1)

$$T_i \overset{\mathrm{def}}{=} \mathrm{Pre}\{(P_1, c_1), \ldots, (P_m, c_m)\} \Rightarrow \mathrm{Post}\{(P_k, c_k)\} \qquad (1)$$

  where $c_i$ represents a colored token and $P_i$ is the $i$th place in $P$. Equation (1) states that when the pre-condition is satisfied, the color of the token in $P_k$ is changed to $c_k$.
- Input $l$: it consists of a distribution of colored tokens of the places at the start time.
- Output $O$: it consists of a distribution of colored tokens of the places at the end time.

In general, $P$ represents the goal, functions, and devices in a system; $C$ denotes their property; $T$ indicates the relationships between these objects; $l$ and $O$ are the input and output.

Modeling cyberattacks propagation within a station

As mentioned in section “Background and preliminary,” the cyberattacks on a station can propagate from cyber space to physical space, with the goal of reducing the station capacity. In order to describe the process, HCPN is used to build the cyberattacks propagation model. Referring to the “goal–function–device” framework, a station can be decoupled into many types of objects, as shown in Table 1. In addition, a type of object called “behavior,” which indicates the attacks and security measures, is added into this table.

Based on Table 1, cyberattacks propagation within a station can be modeled by an HCPN

$$N^{sta} = \langle P^{sta}, C^{sta}, T^{sta}, l^{sta}, O^{sta} \rangle \qquad (2)$$

where the place set $P^{sta}$ includes five types of places, and the color set $C^{sta}$ in different types of places has a different number of values, as shown in Table 2.

The transition $T_i^{sta} \in T^{sta}$ means the relationship between the property of the objects mentioned in Table 1, and these transitions can be divided into two types:

(1) the transition shown in equation (1), where the $c_i$ only has two values, $i \in \{1, \ldots, m, k\}$; (2) the transition shown in equation (1), where the $c_i$ in the pre-condition has two values and the $c_k$ has multiple values, $1 \le i \le m$. Appendix 1 provides how to obtain these two types of transitions.

The input $l^{sta}$ is given by defenders who allocate the special colored token to the corresponding places. The output $O^{sta}$ is inferred from $l^{sta}$ and $N^{sta}$.

Optimal response strategy making

Generation of candidate security strategies for stations

Cyberattacks are always launched to compromise the devices, disable the functions, and reduce the station capacity. In order to secure the operation safety, the security strategy is made to protect the devices, which maps to a certain station capacity value. Considering the interaction between station and control center, candidate security strategies for the station are generated in this subsection.

A security strategy maps to a certain station capacity, but a certain station capacity may be caused by several security strategies. The candidate security strategies $C_{cnd}$ for a station consist of $lg$ security strategies and are represented by equation (3)

$$C_{cnd} = \{z_1^{apt}, \ldots, z_{lg}^{apt}\} \qquad (3)$$

where $z_i^{apt}$ is an acceptable security strategy which satisfies certain conditions, such as making the station capacity locate on a certain value $g_i$ and gaining the expected benefit.

A security strategy $z$ for a station consists of the security measures which are activated, and it can be represented by a vector $M^s$, where $M^s(i) = 1$ means the $i$th security measure is activated. Based on Table 2, four vectors $M^a$, $M^s$, $M^d$, and $M^f$ are used to map the colored token in $P^a$, $P^s$, $P^d$, and $P^f$, respectively, and their elements are defined by equation (4)

$$M^j(i) = \begin{cases} 0, & \text{the colored token is } (P_i^j, c_0) \\ 1, & \text{the colored token is } (P_i^j, c_1) \end{cases} \qquad (4)$$

where $M^j(i)$ is the value of the $i$th element in $M^j$, $j \in \{a, s, d, f\}$. In addition, we define the variable $M^g$ to represent the colored token in the station goal place, which is shown in equation (5)

$$M^g = \begin{cases} 1, & \text{the colored token is } (P^g, c_1) \\ \;\vdots & \\ lg, & \text{the colored token is } (P^g, c_{lg}) \end{cases} \qquad (5)$$

Algorithm 1. AP = GetAttackPath($E$, $M^s$, $N^{sta}$).

    Input: Attacks E, security strategy M^s, HCPN N^sta
    Output: Attack path AP
    M^a ← E                          /* refer to Table 2 */
    AP ← {M^a, M^s}
    Renew P^a and P^s                /* refer to equation (4) */
    for each P_i^d ∈ P^d do
        Renew P_i^d                  /* Based on transition mechanism */
    end for
    for each P_i^f ∈ P^f do
        Renew P_i^f                  /* Based on transition mechanism */
        Renew M_i^f                  /* equation (4) */
    end for
    Renew P^g                        /* Based on transition mechanism */
    Renew M^g                        /* refer to equation (4) */
    AP ← AP ∪ {M^d, M^f, M^g}
    return AP

Based on the above definition, the candidate security strategies $C_{cnd}$ can be represented by the vector $M^s$, as shown in equation (6)

$$C_{cnd} = \{M_1^{s,apt}, \ldots, M_{lg}^{s,apt}\} \qquad (6)$$

where $M_i^{s,apt} = \{H(s_1), \ldots, H(s_m)\}$, $m$ is the number of the security measures in this station, and $H(s_k)$ indicates whether the measure $s_k$ is activated or not; its value is equal to 0 or 1.

A security strategy $z$ is represented by the vector $M^s$, and its impact on the station is described by the attack path $AP = \{M^a, M^s, M^d, M^f, M^g\}$. Algorithm 1 shows how to get the attack path.

$CB(M^s)$ is used to calculate the net benefit of security strategy $M^s$, which is shown in equation (7)

$$CB(M^s) = \mathrm{BftCal}(M^s) - \mathrm{CostCal}(M^s) \qquad (7)$$

where the description of all the elements in equation (7) is listed as follows:

1. Benefit of executing security strategy Bft($M^s$): $AP_E$ and $AP_{E,M}$ are the attack paths which are obtained from GetAttackPath($E$, $\emptyset$, $N^{sta}$) and GetAttackPath($E$, $M^s$, $N^{sta}$), respectively. Then the benefit of the security strategy is calculated by equation (8)

$$\mathrm{BftCal}(M^s) = \sum_{i \in \{d, f, g\}} \sum_{1 \le j \le l(i)} \left( M_E^i(j) - M_{E,M}^i(j) \right) \times m_j \qquad (8)$$

where $M_E^i(j)$ is the $j$th element in $M_E^i$ and $M_E^i$ is vector $i$ in $AP_E$. Similarly, $M_{E,M}^i(j)$ is the element in $AP_{E,M}$. Besides, $m_j$ is the asset value of the specific object (device, function, and goal) which is given by experts,

and $l(i)$ is the number of elements in $M_E^i$ or $M_{E,M}^i$, $i \in \{d, f, g\}$.

2. Cost of executing security strategy CostCal($M^s$): the execution of a security strategy consumes resources, such as hardware configuration, computing resource, communication resource, and so on [27]. Thus, the consumed resources of $M^s$ are quantified as follows

$$\mathrm{CostCal}(M^s) = \sum_{1 \le i \le ls} M_{E,M}^s(i) \times u_i \qquad (9)$$

where the value $u_i$ is the cost of executing the $i$th security measure and is provided by security experts; $ls$ is the number of elements in $M_{E,M}^s$.

$M_i^{s,apt}$ in equation (6) needs to meet the following conditions: (1) $CM(M_i^{s,apt}, E) = g_i$, which represents that $M_i^{s,apt}$ maps to station capacity $g_i$ when the station $sta_i$ has suffered the attack $E$; (2) $CB(M_i^{s,apt}) \ge R$ is satisfied, which means $M_i^{s,apt}$ needs to gain enough net benefit. Algorithm 2 describes how to generate the acceptable security strategy $M_i^{s,apt}$, which combines the HCPN and a genetic algorithm.

Algorithm 2. Get an acceptable security strategy.

    Input: HCPN N^sta, attack evidence E
    Output: Acceptable security strategy M_i^{s,apt}
    Iterations t_max, population G_0
    G_0 ← ∅, G ← ∅, M_cnd ← ∅
    G_0 ← Rand(M^s)
    for t ← 1 to t_max do
        for each G_{0,k} ∈ G_0 do
            M_k^g ← GetAttackPath(E, G_{0,k}, N^sta)
        end for
        G ← Rank(G_0, M^g)
        if t = t_max | CB(G(1)) ≥ R then
            G_0 ← G
            break;
        end if
        G_n ← G_n ∪ Select(G, ns)
        G_n ← G_n ∪ CroMut(G, nc)
        G_n ← G_n ∪ AddInd(G, na)
        G_0 ← G_n
    end for
    M_i^{s,apt} ← G_0(1)
    return M_i^{s,apt}

In Algorithm 2, the population $G_0$ has $n$ individuals, and $G_{0,k}$ is the $k$th individual in $G_0$ and is used to store a security strategy. Rand($M^s$) represents generating $n$ vectors by assigning all the elements in $M^s$ with 0 or 1 randomly; each vector is a security strategy and is represented by an individual. Rank($G_0$, $M^g$) means all the individuals in $G_0$ are ranked; specifically, the individuals which map to $M^g = i$ are ranked in descending order according to the net benefit. Select($G$, $ns$) means selecting the 1st to $ns$th individuals in $G$. CroMut($G$) means that the $(ns + 1)$th to $(ns + nc)$th individuals in $G$ are crossed and mutated. AddInd($G$, $na$) generates $na$ individuals in a random way.

The candidate security strategies for a station are constructed by $M_i^{s,apt}$ ($1 \le i \le lg$), and they can be obtained by executing Algorithm 2 $lg$ times.

Construction of optimal scheduling strategy for CIs

Assume that there exist $n$ stations in a CI network, and the $i$th station is named $sta_i$; the candidate station capacities of $sta_i$ have $lg$ elements and are defined by equation (10)

$$g_i(t) = \{g_{i,1}, \ldots, g_{i,lg}\} \qquad (10)$$

where $g_i(t)$ represents the reception capacity of material at time $t$, and $g_{i,j}$ is a special value which is decided by the operation of $sta_i$ and maps to $M_i^g = j$.

Because of the internal dependence and topology characteristic of the CIs network [28], the changing of a station capacity may impact other stations. Hence, the scheduling strategy, which consists of all station capacity settings, can manage the CI network states [29]. In order to quantify the effect of a scheduling strategy, we calculate the system loss when the scheduling strategy is executed. The system loss $L(t)$ at time $t$ is obtained by equation (11)

$$L(t) = \mathrm{LossCal}(S(t), d(t)) \qquad (11)$$

where $S(t)$ denotes the scheduling strategy, which is defined by $S(t) = \{g_1(t), \ldots, g_n(t)\}$; $d_i(t)$ is the overload of $sta_i$ at time $t$. Obviously, $S_i(t)$ is a specific value which is decided by the value of $g_i(t)$. The inference of equation (11) is elaborated in Appendix 1.

If $sta_i$ has suffered cyberattacks, and the $j$th element in the candidate security strategies leads the $sta_i$ capacity to locate at a specific value $g_{i,j}$ at time $t$, the optimal scheduling strategy making for the network is setting the capacities of the other stations, with the goal of making the system loss reach the minimum value. Therefore, the optimal scheduling strategy is defined as follows

$$S_j^{opt}(t) = \{g_1^{opt}(t), \ldots, g_{i-1}^{opt}(t), g_{i,j}, g_{i+1}^{opt}(t), \ldots, g_n^{opt}(t)\} \qquad (12)$$

where $g_k^{opt}(t)$ equals a specific element which is selected from equation (10), $1 \le k \le n$ and $k \ne i$. In order to obtain $S_j^{opt}(t)$, Algorithm 3 is provided.

In Algorithm 3, (1) $G(t) \leftarrow$ Construct() means constructing the scheduling strategies set $G$. Specifically, select an element from $g_k(t)$ randomly, which forms a scheduling strategy with $g_{i,j}$, where $1 \le k \le n$ and $k \ne i$. (2) $u$ is the number of elements in $G$; if the capacity of each station has $lg$ values, then $u$ is equal to $lg^{n-1}$.

[Figure 3: network diagram of the control center (ES, DS, routers, intranet) and Stations 1 to 6 with their process management units, PLCs, Ethernet segments, reservoir, pumps, valves, liquid level sensors, and water towers.]

ES: Engineer Station; DS: Database Server; R: Reservoir; P: Pump; T: Water Tower; PM: Process Management; ETH: Ethernet; V: Valve; L: Liquid level sensor; PLC: Programmable Logic Controller.

Figure 3. The structure of a water supply system.

Algorithm 3. Get the optimal scheduling strategy.

    Input: Station capacity g_{i,j}(t), LossCal(), states d(t)
    Output: Scheduling strategy S_j^opt(t)
    G(t) ← Construct(g_1(t), ..., g_{i,j}, ..., g_n(t))
    S_j^opt(t) ← G_1(t)
    L_1 ← LossCal(G_1(t), d(t))
    for i ← 2 to u do
        L_i ← LossCal(G_i(t), d(t))
        if L_i ≤ L_{i−1} then
            S_j^opt(t) ← G_i(t)
        end if
    end for
    return S_j^opt(t)

Algorithm 3 can generate the optimal scheduling strategy when a station has suffered cyberattacks, and it can also be used to make the optimal scheduling strategy when two or more stations have suffered cyberattacks simultaneously.

Making the optimal response strategy for CIs

The candidate security strategies set $M_i^{cnd}$ for $sta_i$ has $lg$ elements, and the $j$th element is one-to-one mapped to the station capacity value $g_{i,j}$. In addition, $g_{i,j}$ is related to an optimal scheduling strategy $S_j^{opt}(t)$, $1 \le j \le lg$. Then the optimal response strategy is obtained by the following steps:

1. Renewing the station capacities set $g_i(t)$: several security strategies may not be suitable for $sta_i$ because of resource constraints, which reduces the number of values of candidate station capacity.
2. Selecting the appropriate station capacity $g_i^{opt}(t)$: the value $g_{i,j}$ in $g_i(t)$ is mapped to an optimal scheduling $S_j^{opt}(t)$, and the system loss of $S_j^{opt}(t)$ can be calculated from Appendix 2; then select the minimum value from the set of system losses. Therefore, we get the optimal station capacity $g_i^{opt}(t)$.
3. Obtaining the appropriate security strategy for $sta_i$: each element in the candidate security strategies set $M^{cnd}$ is one-to-one mapped to a fixed station capacity value; compare $g_i^{opt}(t)$ with all the station capacities and find the corresponding security strategy from $M^{cnd}$; at last, obtain the combination of security measures through equation (4) and Table 2.

Simulation and result analysis

Simulation platform and modeling process

Simulations are conducted on a simple water supply system which consists of six stations and a control center. As shown in Figure 3, the stations ($sta_1$–$sta_5$) form a network which is managed by the control center. In $sta_2$, tower T1 is in charge of seven-tenths of the workload, programmable logic controller (PLC)4 controls the valves V1 and V2 to manage the operation of T1, PLC5 collects the liquid levels of T1 and T2 through the sensors, PLC6 controls the valves V3 and V4 to manage the operation of T2, and all the PLCs are controlled by the process management (PM2). Similarly, the control structures of other stations are shown in Figure 3.

The attackers scan the device vulnerabilities in $sta_2$ and then launch an authentication bypass attack to

acquire the authority of PM2; based on these operations, the attackers can control the physical process of $sta_2$ by impacting the PLCs which manage the water flow directly. In order to model the above cyberattacks propagation, we decouple $sta_2$ into goal, functions, and devices; besides, we also give the attack behaviors and the security measures; all of these objects are listed in Table 3.

Table 3. Goal–function–device in $sta_2$.

| Type | Symbol | Description |
|---|---|---|
| Function | $f_{2,1}$ | Monitoring the T1 states |
| Function | $f_{2,2}$ | Monitoring the T2 states |
| Function | $f_{2,3}$ | Controlling the T1 operation |
| Function | $f_{2,4}$ | Controlling the T2 operation |
| Function | $f_{2,5}$ | Transmitting water based on T1 |
| Function | $f_{2,6}$ | Transmitting water based on T2 |
| Device | $d_{2,1}$ | Communication devices |
| Device | $d_{2,2}$ | Production management |
| Device | $d_{2,3}$ | PLC4 |
| Device | $d_{2,4}$ | PLC5 |
| Device | $d_{2,5}$ | PLC6 |
| Device | $d_{2,6}$ | Valve 1 |
| Device | $d_{2,7}$ | Valve 2 |
| Device | $d_{2,8}$ | Valve 3 |
| Device | $d_{2,9}$ | Valve 4 |
| Device | $d_{2,10}$ | Liquid level sensor 1 in T1 |
| Device | $d_{2,11}$ | Liquid level sensor 2 in T2 |
| Attack | $a_{2,1}$ | Device vulnerability scanning on ETH2 |
| Attack | $a_{2,2}$ | Authentication bypass attack on PM2 |
| Attack | $a_{2,3}$ | Integrity attack on PLC4 |
| Attack | $a_{2,4}$ | Integrity attack on PLC5 |
| Attack | $a_{2,5}$ | Integrity attack on PLC6 |
| Attack | $a_{2,6}$ | Control logic changing attack on PLC4 |
| Attack | $a_{2,7}$ | Control logic changing attack on PLC5 |
| Attack | $a_{2,8}$ | Control logic changing attack on PLC6 |
| Measure | $s_{2,1}$ | Install patches onto devices |
| Measure | $s_{2,2}$ | Limit the password attempts of PM2 |
| Measure | $s_{2,3}$ | Close the PM2 |
| Measure | $s_{2,4}$ | Encryption between PM2 and PLC4 |
| Measure | $s_{2,5}$ | Encryption between PM2 and PLC5 |
| Measure | $s_{2,6}$ | Encryption between PM2 and PLC6 |

PLC: programmable logic controller; PM: process management.

The relationships between these objects can be modeled by a tree structure, and the modeling process is discussed in the “goal–function–devices” framework [26]. The tree structure is shown in Figure 4, where the attack and security measure are activated to change device states.

[Figure 4: tree diagram linking the goal of $sta_2$ to functions $f_{2,1}$ to $f_{2,6}$, the devices beneath them, and the attacks and security measures acting on each device.]

Figure 4. Relationships between “goal–function–device–behavior.”

Each object in Table 3 can be mapped to a certain place, and the states of these objects can be represented by the colored token in places. Table 4 provides the definition of the colored token in each place, where $v_2^{ept}(t)$ represents the expected reception capacity of $sta_2$ at time $t$, which is decided by the station managers.

The places and their properties are provided in Table 4, and the transitions between these places can be obtained from Appendix 1; hence, the attack propagation model for $sta_2$ is built based on HCPN and is shown in Figure 5.

Result analysis

In order to verify the effectiveness of our approach, several simulations are carried out to analyze the security strategy making process when $sta_2$ has suffered cyberattacks. As shown in Table 5, the security measures, which are executed to prevent specific attacks, have their own properties, such as implementation cost and benefit.

As discussed in section “System modeling with HCPN,” the response strategies making process is divided into three sub-processes. The first is generating the candidate strategies for the station which has suffered cyberattacks. Table 6 shows the attack evidence $E$ on $sta_2$, where the rows show the times and the atomic attacks that happened.

Then the response strategy for $sta_2$ at each time can be expressed by the combination of security measures, which is shown in equation (13)

$$R_i = \{H(s_{2,1}), \ldots, H(s_{2,6})\} \qquad (13)$$

$H(s_{2,i}) = T$ or $H(s_{2,i}) = F$ represents whether the security measure $s_{2,i}$ is executed or not, which can map to $M_i^s = 1$ or $M_i^s = 0$. From Algorithm 2, the individual in the genetic algorithm is represented by $M^s$, and then we get the acceptable security strategy for each station capacity value. As shown in Table 7, $M^g$ is the capacity value of
$sta_2$, and the net benefit of each strategy is calculated based on Table 5. Note that the cyberattack or security strategy has no impact on station capacity at some time, such as at hours 4 and 6.

Table 7 provides the candidate security strategies for $sta_2$ at different times. Assume that the capacity of $sta_1$, $sta_4$, and $sta_5$ is not changed, and the $sta_3$ has three values ($v_3^{ept}(t)$, $0.5 \times v_3^{ept}(t)$, 0), then the scheduling strategy is equivalent to the combination of the capacity setting value of $sta_2$ and $sta_3$. Table 8 shows the optimal scheduling strategy which is mapped to the candidate capacity of $sta_2$ at different times.

Table 4. Description of colored token in STA2.

Token | Object state | Token | Object state
$(p_i^a, c_0)$ | $a_i$ does not happen | $(p_i^f, c_0)$ | $f_i$ is normal
$(p_i^a, c_1)$ | $a_i$ happens | $(p_i^f, c_1)$ | $f_i$ is failed
$(p_i^s, c_0)$ | $s_i$ is not activated | $(p_2^g, c_0)$ | $g_2 = v_2^{ept}(t)$
$(p_i^s, c_1)$ | $s_i$ is activated | $(p_2^g, c_1)$ | $g_2 = 0.7 \times v_2^{ept}(t)$
$(p_i^d, c_0)$ | $d_i$ is normal | $(p_2^g, c_2)$ | $g_2 = 0.3 \times v_2^{ept}(t)$
$(p_i^d, c_1)$ | $d_i$ is compromised | $(p_2^g, c_3)$ | $g_2 = 0$

Table 5. Properties of security measures.

Security measure | Prevented attack | Implementation cost (USD) | Benefit (USD)
$s_{2,1}$ | $a_{2,1}$ | 150 | 500
$s_{2,2}$ | $a_{2,2}$ | 80 | 400
$s_{2,3}$ | $a_{2,2}$ | 300 | 400
$s_{2,4}$ | $a_{2,3}$, $a_{2,6}$ | 200 | 600
$s_{2,5}$ | $a_{2,4}$, $a_{2,7}$ | 200 | 400
$s_{2,6}$ | $a_{2,5}$, $a_{2,8}$ | 100 | 800

Figure 5. The attack propagation model for sta2. Places in the model:

Place | Description
$P_{2,1}^a$ | Vulnerability scanning happens or not
$P_{2,2}^a$ | Authentication bypass happens or not
$P_{2,3}^a$ | Integrity attack on PLC4 happens or not
$P_{2,4}^a$ | Integrity attack on PLC5 happens or not
$P_{2,5}^a$ | Integrity attack on PLC6 happens or not
$P_{2,6}^a$ | Control logic changing on PLC4 happens or not
$P_{2,7}^a$ | Control logic changing on PLC5 happens or not
$P_{2,8}^a$ | Control logic changing on PLC6 happens or not
$P_{2,1}^s$ | Updating devices is adopted or not
$P_{2,2}^s$ | Password attempts of PM2 is limited or not
$P_{2,3}^s$ | PM2 is closed or not
$P_{2,4}^s$ | Message (PLC4-PM2) is encrypted or not
$P_{2,5}^s$ | Message (PLC5-PM2) is encrypted or not
$P_{2,6}^s$ | Message (PLC6-PM2) is encrypted or not
$P_{2,1}^d$ | Device vulnerabilities is obtained or not
$P_{2,2}^d$ | WS2 is compromised or not
$P_{2,3}^d$ | PLC4 is compromised or not
$P_{2,4}^d$ | PLC5 is compromised or not
$P_{2,5}^d$ | PLC6 is compromised or not
$P_{2,6}^d$ | V1 is closed or not
$P_{2,7}^d$ | V2 is closed or not
$P_{2,8}^d$ | V3 is closed or not
$P_{2,9}^d$ | V4 is closed or not
$P_{2,10}^d$ | L1 works or not
$P_{2,11}^d$ | L2 works or not
$P_{2,1}^f$ | Monitoring function for T1 is failed or not
$P_{2,2}^f$ | Monitoring function for T2 is failed or not
$P_{2,3}^f$ | Controlling function for T1 is failed or not
$P_{2,4}^f$ | Controlling function for T2 is failed or not
$P_{2,5}^f$ | Transmission based on T1 is failed or not
$P_{2,6}^f$ | Transmission based on T2 is failed or not
$P_2^g$ | Capacity value of station 2
The optimal response strategy making for cyberattacks depends on the cost constraint of $sta_2$. Based on Table 8, several scenarios are introduced for making the optimal response strategy: (1) the implementation cost of strategy is not constrained, (2) the implementation cost of strategy is constrained, such as the cost constraint is 500 USD at hour 11 and 700 USD at hour 13, (3) the implementation cost of strategy is constrained, such as the cost constraint is 400 USD at hour 11 and 600 USD at hour 13. The optimal response strategy is shown in Table 9.

Figure 6 shows the water output of $sta_2$ and $sta_3$ when they are under different scenarios, where lines 1–3 in each sub-figure represent the output of $sta_2$ or $sta_3$ when $sta_2$ is running normally, has suffered cyberattacks, and is protected by security strategy, as shown in Table 9. Specifically, in the three sub-figures in the first column, line 1 is the same because they indicate the same states of $sta_2$. Line 2 in the above sub-figures reaches the minimum value at hour 13 because the operation of T1 and T2 is disturbed. Line 3 shows the consequence due to the security strategy for $sta_2$; as shown in Table 9, the security strategy $H(S^{opt})$ in different scenarios is different, which leads the PLCs and functions to reach different states, and then impacts the output of $sta_2$. In the three sub-figures of the second column, the output of $sta_3$ is related with the output of $sta_2$ due to the material interdependence between $sta_2$ and $sta_3$; line 3 in those three sub-figures indicates the impact of $sta_2$ output, $sta_3$ capacity setting shown in Table 9, and the time delay between $sta_2$ and $sta_3$ simultaneously.

Table 6. Description of attack evidences.

Time | Attack | Description
4 | $H(a_{2,1}) = T$ | Vulnerability scanning attack happens
6 | $H(a_{2,2}) = T$ | Authentication bypass attack on PM2
8 | $H(a_{2,3}) = T$ | Integrity attack on PLC4 happens
11 | $H(a_{2,5}) = T$ | Integrity attack on PLC6 happens
13 | $H(a_{2,7}) = T$ | Control logic changing attack on PLC5

PLC: programmable logic controller; PM: process management.

Table 7. Candidate security strategy for STA2.

Time | Response strategy | Capacity | Cost (USD) | Net benefit (USD)
4 | $M^s = [1, 0, 0, 0, 0, 0]$ | $M^g = 0$ | 150 | $0.35 \times 10^3$
6 | $M^s = [1, 1, 0, 0, 0, 0]$ | $M^g = 0$ | 230 | $0.67 \times 10^3$
8 | $M^s = [1, 1, 0, 1, 0, 0]$ | $M^g = 0$ | 430 | $1.07 \times 10^3$
8 | $M^s = \emptyset$ | $M^g = 1$ | 0 | 0
11 | $M^s = [1, 1, 0, 1, 0, 1]$ | $M^g = 0$ | 530 | $1.17 \times 10^3$
11 | $M^s = [1, 1, 0, 0, 0, 1]$ | $M^g = 1$ | 330 | $1.37 \times 10^3$
11 | $M^s = [1, 1, 0, 1, 0, 0]$ | $M^g = 2$ | 430 | $1.07 \times 10^3$
11 | $M^s = \emptyset$ | $M^g = 3$ | 0 | 0
13 | $M^s = [1, 1, 0, 1, 1, 1]$ | $M^g = 0$ | 730 | $1.97 \times 10^3$
13 | $M^s = [1, 1, 0, 0, 1, 1]$ | $M^g = 1$ | 530 | $1.57 \times 10^3$
13 | $M^s = [1, 1, 0, 1, 1, 0]$ | $M^g = 2$ | 630 | $1.27 \times 10^3$
13 | $M^s = \emptyset$ | $M^g = 3$ | 0 | 0

Table 8. Optimal scheduling strategies.

Time (h) | Candidate sta2 capacity | sta3 capacity setting | System cost (USD)
4 | $g_2 = v_2^{ept}(t)$ | $g_3 = v_3^{ept}(t)$ | 0
6 | $g_2 = v_2^{ept}(t)$ | $g_3 = v_3^{ept}(t)$ | 0
8 | $g_2 = v_2^{ept}(t)$ | $g_3 = v_3^{ept}(t)$ | 0
8 | $g_2 = 0.7 \times v_2^{ept}(t)$ | $g_3 = 0.5 \times v_3^{ept}(t)$ | $5.3 \times 10^4$
11 | $g_2 = v_2^{ept}(t)$ | $g_3 = v_3^{ept}(t)$ | 0
11 | $g_2 = 0.7 \times v_2^{ept}(t)$ | $g_3 = 0.5 \times v_3^{ept}(t)$ | $3.4 \times 10^4$
11 | $g_2 = 0.3 \times v_2^{ept}(t)$ | $g_3 = v_3^{ept}(t)$ | $2.6 \times 10^4$
11 | $g_2 = 0$ | $g_3 = 0$ | $4.8 \times 10^4$
13 | $g_2 = v_2^{ept}(t)$ | $g_3 = v_3^{ept}(t)$ | 0
13 | $g_2 = 0.7 \times v_2^{ept}(t)$ | $g_3 = 0.5 \times v_3^{ept}(t)$ | $2.4 \times 10^4$
13 | $g_2 = 0.3 \times v_2^{ept}(t)$ | $g_3 = v_3^{ept}(t)$ | $1.1 \times 10^4$
13 | $g_2 = 0$ | $g_3 = 0$ | $3.4 \times 10^4$

Table 9. The optimal strategy for system.

Scenario | Time | Response strategy for sta2 | Response strategy for sta3
I | 4 | $\{s_{2,1}\}$ | $g_3 = v_3^{ept}(t)$
I | 6 | $\{s_{2,1}, s_{2,2}\}$ | $g_3 = v_3^{ept}(t)$
I | 8 | $\{s_{2,1}, s_{2,2}, s_{2,4}\}$ | $g_3 = v_3^{ept}(t)$
I | 11 | $\{s_{2,1}, s_{2,2}, s_{2,4}, s_{2,6}\}$ | $g_3 = v_3^{ept}(t)$
I | 13 | $\{s_{2,1}, s_{2,2}, s_{2,4}, s_{2,5}, s_{2,6}\}$ | $g_3 = v_3^{ept}(t)$
II | 4 | $\{s_{2,1}\}$ | $g_3 = v_3^{ept}(t)$
II | 6 | $\{s_{2,1}, s_{2,2}\}$ | $g_3 = v_3^{ept}(t)$
II | 8 | $\{s_{2,1}, s_{2,2}, s_{2,4}\}$ | $g_3 = v_3^{ept}(t)$
II | 11 | $\{s_{2,1}, s_{2,2}, s_{2,4}\}$ | $g_3 = v_3^{ept}(t)$
II | 13 | $\{s_{2,1}, s_{2,2}, s_{2,4}, s_{2,5}\}$ | $g_3 = v_3^{ept}(t)$
III | 4 | $\{s_{2,1}\}$ | $g_3 = v_3^{ept}(t)$
III | 6 | $\{s_{2,1}, s_{2,2}\}$ | $g_3 = v_3^{ept}(t)$
III | 8 | $\{s_{2,1}, s_{2,2}, s_{2,4}\}$ | $g_3 = v_3^{ept}(t)$
III | 11 | $\{s_{2,1}, s_{2,2}, s_{2,6}\}$ | $g_3 = 0.5 \times v_3^{ept}(t)$
III | 13 | $\{s_{2,1}, s_{2,2}, s_{2,5}, s_{2,6}\}$ | $g_3 = 0.5 \times v_3^{ept}(t)$
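The three cost-constraint scenarios can be replayed from the published numbers. The following is an added example, not code from the article: the data are transcribed from Tables 5, 7 and 8, and the selection rule (among candidates whose implementation cost fits the budget, take the one with the lowest system cost) is an assumption that happens to reproduce Table 9; the function names are hypothetical.

```python
"""Replay the cost-constrained strategy choice for sta2 (added example)."""

COST = [150, 80, 300, 200, 200, 100]  # Table 5: cost (USD) of s2,1 ... s2,6

# Table 7: hour -> {M^g: M^s}. [] is the empty strategy (no measure executed).
CANDIDATES = {
    4:  {0: [1, 0, 0, 0, 0, 0]},
    6:  {0: [1, 1, 0, 0, 0, 0]},
    8:  {0: [1, 1, 0, 1, 0, 0], 1: []},
    11: {0: [1, 1, 0, 1, 0, 1], 1: [1, 1, 0, 0, 0, 1],
         2: [1, 1, 0, 1, 0, 0], 3: []},
    13: {0: [1, 1, 0, 1, 1, 1], 1: [1, 1, 0, 0, 1, 1],
         2: [1, 1, 0, 1, 1, 0], 3: []},
}

# Table 8: hour -> {M^g: (sta3 capacity as a fraction of v3^ept, system cost USD)}.
SCHEDULE = {
    4:  {0: (1.0, 0)},
    6:  {0: (1.0, 0)},
    8:  {0: (1.0, 0), 1: (0.5, 5.3e4)},
    11: {0: (1.0, 0), 1: (0.5, 3.4e4), 2: (1.0, 2.6e4), 3: (0.0, 4.8e4)},
    13: {0: (1.0, 0), 1: (0.5, 2.4e4), 2: (1.0, 1.1e4), 3: (0.0, 3.4e4)},
}

# Cost constraints (USD) per hour; an hour that is not listed is unconstrained.
SCENARIOS = {"I": {}, "II": {11: 500, 13: 700}, "III": {11: 400, 13: 600}}


def strategy_cost(ms):
    """Implementation cost of a bit vector M^s, priced from Table 5."""
    return sum(price for bit, price in zip(ms, COST) if bit)


def choose(hour, budget=None):
    """Assumed rule: the affordable candidate with the lowest system cost wins."""
    feasible = []
    for mg, ms in CANDIDATES[hour].items():
        cost = strategy_cost(ms)
        if budget is None or cost <= budget:
            sta3, system_cost = SCHEDULE[hour][mg]
            feasible.append((system_cost, cost, mg, ms, sta3))
    if not feasible:
        raise ValueError(f"no candidate fits {budget} USD at hour {hour}")
    system_cost, cost, mg, ms, sta3 = min(feasible, key=lambda c: c[:3])
    measures = [f"s2,{i + 1}" for i, bit in enumerate(ms) if bit]
    return {"measures": measures, "Mg": mg, "sta3": sta3,
            "cost": cost, "system_cost": system_cost}


def plan(scenario):
    """Strategy for every hour with attack evidence under one scenario."""
    budgets = SCENARIOS[scenario]
    return {hour: choose(hour, budgets.get(hour)) for hour in CANDIDATES}


if __name__ == "__main__":
    for name in SCENARIOS:
        for hour, pick in plan(name).items():
            print(name, hour, pick["measures"], pick["sta3"], pick["cost"])
```

Tightening the budget at hour 11 from 500 to 400 USD drops $s_{2,4}$ in favor of the cheaper $s_{2,6}$, which is why scenario III also has to halve the $sta_3$ capacity setting.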
Note that Figure 6 only focuses on the consequence of the cyberattacks which occur at hour 13.

Figure 6. Outputs of sta2 and sta3 after executing response strategy at hour 13.

Figure 7 shows the net benefit of $sta_2$ (gray bar associated with the left Y axes) and the net benefit of the CI (white bar associated with the right Y axes) when the response strategies in different scenarios are executed. The net benefit of $sta_2$ is calculated by equation (7) which considers the asset of devices, function, and goal in $sta_2$; additionally, the net benefit of the CI is calculated by equation (24) which considers the property of all stations. In the first sub-figure, the net benefit of $sta_2$ increases because more and more security measures have been activated, which are shown in Tables 5 and 9. The net benefit of the CI is equal to 0 at hours 4 and 6 because the cyberattacks have not yet impacted the capacity of $sta_2$. Besides, the net benefit of the CI at hour 8 is larger than that at hour 11 or 13, which indicates that the cyberattacks to $sta_2$ have a more serious impact on the system at hour 8. The net benefit of the system in the second and the third sub-figures is smaller than that in the first sub-figure due to the cost constraint in $sta_2$.

In order to evaluate the real-time performance of our approach, the simulation for response strategy making at hour 13 is performed 1000 times, where the simulation ran on a computer with an Intel Core i3 at 3.90 GHz and 8 GB RAM. The execution time distribution of the simulation is shown in Figure 8. The execution time of our approach consists of three main parts: the time spent on Algorithm 2, Algorithm 3, and the system loss calculation. The complexity of Algorithm 2 is equal to $O(G \times N^2)$, which is based on the generation number $G$ and the population size $N$; the complexity of Algorithm 3 is equal to $O(K^M)$, which is based on the station capacity size $K$ and the station number $M$; the complexity of system loss calculation is small and can be ignored.

The above simulations verify that our approach has the ability to make response strategies for CIs. In addition, this approach employs different perspectives, which makes it difficult to compare our approach with others. Therefore, we compare the approaches mentioned in section "Introduction" with ours from different aspects. Table 10 provides the approaches comparison.

Conclusion

In this article, an HCPN-based cyberattacks response strategy making approach for CIs is proposed, which analyzes the relationships among cyberattacks, security measures, devices, functions, and station capacity in a graphical way and then investigates the interaction between response strategy making for a station and the scheduling strategy making for the CI network. The simulation verifies that our approach can make an appropriate response strategy for cyberattacks in real time.

However, this approach needs to prepare the complete knowledge of all the cyberattacks and security measures before building the HCPN model and does not consider the probability attribute of the transition in HCPN. In our future work, the probabilities of attack paths in cyberattacks propagation are investigated, where the propagation process is analyzed with the input of incomplete knowledge of cyberattacks and systems.
Figure 7. Net benefit of sta2 and system under different scenarios. (Both Y axes: net benefit (dollars).)

Table 10. Comparison of the response making approaches.

Approach | Yan et al.8 | Qin et al.9 | Zonouz and Haghani10 | Wang et al.11 | Yan and Haimes12 | Li et al.13 | This study
Cyber domain = = = =
Physical domain = = = = = =
Station characteristic = = = =
Topology characteristic = = =
Attack propagation = = = = = =
System impact = = = = = = =

Figure 8. Execution time of response strategy making at hour 13. (X axis: execution time (s); Y axis: number of simulations.)

Declaration of conflicting interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding
The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This work was supported by the National Science Foundation of China (NSFC) under grant numbers 61433006, 61873103, and 61272204.

ORCID iD
Yuanqing Qin https://orcid.org/0000-0003-3600-5594
References

1. National Institute of Standards and Technology (NIST). Framework for improving critical infrastructure cybersecurity, 2014, https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
2. Cherdantseva Y, Burnap P, Blyth A, et al. A review of cyber security risk assessment methods for SCADA systems. Comput Secur 2016; 56: 1–27.
3. Gorman S. Electricity grid in U.S. penetrated by spies. The Wall Street Journal, 2009, p.8.
4. Piggin R. Cyber security trends: what should keep CEOs awake at night. Int J Crit Infrastruct Protect 2016; 13(C): 36–38.
5. Lewis TG. Critical infrastructure protection in homeland security: defending a networked nation. Hoboken, NJ: John Wiley & Sons, 2014.
6. Shameli-Sendi A and Dagenais M. ARITO: cyber-attack response system using accurate risk impact tolerance. Int J Inform Secur 2014; 13(4): 367–390.
7. Banerjee A, Venkatasubramanian KK, Mukherjee T, et al. Ensuring safety, security, and sustainability of mission-critical cyber–physical systems. Proc IEEE 2012; 100(1): 283–299.
8. Yan J, Govindarasu M, Liu C-C, et al. Risk assessment framework for power control systems with PMU-based intrusion response system. J Mod Power Syst Clean Ener 2015; 3(3): 321–331.
9. Qin Y, Zhang Q, Zhou C, et al. A risk-based dynamic decision-making approach for cybersecurity protection in industrial control systems. IEEE Trans Syst Man Cybernet Syst 2018; 1–8. DOI: 10.1109/TSMC.2018.2861715.
10. Zonouz S and Haghani P. Cyber-physical security metric inference in smart grid critical infrastructures based on system administrators’ responsive behavior. Comput Secur 2013; 39: 190–200.
11. Wang X, Xie S, Wang X, et al. Decision-making model based on conditional risks and conditional costs in power system probabilistic planning. IEEE Trans Power Syst 2013; 28(4): 4080–4088.
12. Yan Z and Haimes YY. Risk-based multiobjective resource allocation in hierarchical systems with multiple decisionmakers. Part I: theory and methodology. Syst Eng 2011; 14(1): 1–16.
13. Li X, Zhou C, Tian Y, et al. A dynamic decision-making approach for intrusion response in industrial control systems. IEEE Trans Indus Inform 2019; 15: 2544–2554.
14. Thacker S, Pant R and Hall JW. System-of-systems formulation and disruption analysis for multi-scale critical national infrastructures. Reliab Eng Syst Saf 2017; 167: 30–41.
15. Sage AP and Cuppan CD. On the systems engineering and management of systems of systems and federations of systems. Inform Knowled Syst Manage 2001; 2(4): 325–345.
16. Zhang Q, Zhou C, Xiong N, et al. Multimodel-based incident prediction and risk assessment in dynamic cybersecurity protection for industrial control systems. IEEE Trans Syst Man Cybernet Syst 2016; 46(10): 1429–1444.
17. Rinaldi SM, Peerenboom JP and Kelly TK. Identifying, understanding, and analyzing critical infrastructure interdependencies. IEEE Control Syst Mag 2001; 21(6): 11–25.
18. Papa S, Casper W and Moore T. Securing wastewater facilities from accidental and intentional harm: a cost-benefit analysis. Int J Crit Infrastruct Protect 2013; 6(2): 96–106.
19. Restrepo CE, Simonoff JS and Zimmerman R. Causes, cost consequences, and risk implications of accidents in US hazardous liquid pipeline infrastructure. Int J Crit Infrastruct Protect 2009; 2(1): 38–50.
20. Sayda AF and Taylor JH. An implementation plan for integrated control and asset management of petroleum production facilities. In: Proceedings of the 2006 IEEE conference on computer-aided control system design, 2006 IEEE international conference on control applications, 2006 IEEE international symposium on intelligent control, Munich, 4–6 October 2006, pp.1212–1219. New York: IEEE.
21. Herrero-Perez D and Martinez-Barbera H. Modeling distributed transportation systems composed of flexible automated guided vehicles in flexible manufacturing systems. IEEE Trans Indus Inform 2010; 6(2): 166–180.
22. Jasiul B, Szpyrka M and Śliwa J. Detection and modeling of cyber attacks with Petri nets. Entropy 2014; 16(12): 6602–6623.
23. Beccuti M, Chiaradonna S and Giandomenico FD. Quantification of dependencies between electrical and information infrastructures. Int J Crit Infrastruct Protect 2012; 5(1): 14–27.
24. Peterson et al JL. A note on colored Petri nets. Inf Process Lett 1980; 11(1): 40–43.
25. Modarres M and Cheon SW. Function-centered modeling of engineering systems using the goal tree–success tree technique and functional primitives. Reliab Eng Syst Saf 1999; 64(2): 181–200.
26. Larsson JE. Diagnosis based on explicit means-end models. Artif Intell 1996; 80(1): 29–93.
27. Celli G, Pilo F, Pisano G, et al. Cost–benefit analysis for energy storage exploitation in distribution systems. CIRED 2017; 2017(1): 2197–2200.
28. Wang S, Hong L, Ouyang M, et al. Vulnerability analysis of interdependent infrastructure systems under edge attack strategies. Saf Sci 2013; 51(1): 328–337.
29. Ten C, Manimaran G and Liu C. Cybersecurity for critical infrastructures: attack and defense modeling. IEEE Trans Syst Man Cybernet Pt A Syst Hum 2010; 40(4): 853–865.
30. de Gusmão APH, Silva MM, Poleto T, et al. Cybersecurity risk analysis model using fault tree analysis and fuzzy decision theory. Int J Inform Manage 2018; 43: 248–260.

Appendix 1

Two types of transitions in HCPN model are analyzed and obtained in this appendix.

1. Transition among the places of attacks, security measures, devices, and functions: the token in
each above place has only two colors; thus, the element in $(P_i, c_i)$ in the pre-condition or post-condition represents that the object has two states. Besides, the relationship among these objects can be modeled as a tree,30 which can be divided into two types, "AND" and "OR," as shown in Figure 9. In general, this type of transition is used to describe the relationships in the tree whose node has two values.

Figure 9. Relationship between tree and Petri net. (Panels: logical relations in tree; transition in Petri net.)

In Figure 9, the "AND" and "OR" in the tree whose nodes are the objects can be described by the transitions in Petri net. Then, the detailed transitions are shown in Table 11.

Table 11. Description of transitions.

Logical | Transition
AND | $\{(P_2, c_0), (P_3, c_0)\} \Rightarrow (P_1, c_0)$
AND | $\{(P_2, c_0), (P_3, c_1)\} \Rightarrow (P_1, c_0)$
AND | $\{(P_2, c_1), (P_3, c_0)\} \Rightarrow (P_1, c_0)$
AND | $\{(P_2, c_1), (P_3, c_1)\} \Rightarrow (P_1, c_1)$
OR | $\{(P_2, c_0), (P_3, c_0)\} \Rightarrow (P_1, c_0)$
OR | $\{(P_2, c_0), (P_3, c_1)\} \Rightarrow (P_1, c_1)$
OR | $\{(P_2, c_1), (P_3, c_0)\} \Rightarrow (P_1, c_1)$
OR | $\{(P_2, c_1), (P_3, c_1)\} \Rightarrow (P_1, c_1)$

2. Transition between the places of function and station goal: the function in this paragraph represents the physical process which plays a special material handling role, such as transmission, store, conversation, balance in station physical space, and all these functions support the station goal.

Definition 1. Assume a station consists of $n$ processes $p = \{p_1, \ldots, p_n\}$, the normal station capacity is $g^{ept}$, and the station capacity changes from $g^{ept}$ to $(1 - a) \times g^{ept}$ when the process $p_i$ is failed. Based on this assumption, equation (14) is used to define the importance of $p_i$

$$I(p_i \mid p) = a \qquad (14)$$

Referring to the material flow mechanism, there exists a lemma about the structure of station physical space. If $p_1$ and $p_2$ are serial structure, then $I(p_1 \mid \{p_1, p_2\}) = 1$; if $p_1$ and $p_2$ are parallel structure, and $I(p_1 \mid \{p_1, p_2\}) = a$, $I(p_2 \mid \{p_1, p_2\}) = b$, then $a + b = 1$.

Based on the above contents, the transition between physical process and station goal can be calculated. A simple example is provided to explain the calculation process. As shown in Figure 10, the station consists of five material processes $p^f = \{p_1^f, p_2^f, p_3^f, p_4^f, p_5^f\}$, each process is mapped to a function place $P_i^f$, and the station capacity is mapped to the goal place; then the transitions between them are listed as follows

$$Pre\{(P_2^f, c_{i(1)}), \ldots, (P_5^f, c_{i(5)})\} \Rightarrow Post\{(P^g, c_j)\} \qquad (15)$$

where the token in $P_i^f$ has only two colors, and the token in $P^g$ is based on the station structure.

Figure 10. Station physical space structure.

In Figure 10, the importance of function in serial structure and parallel structure is given by experts and is shown in Table 12.

Table 12. Importance of different processes.

Structure | Importance value
Serial structure | $I(p_5 \mid \{p_1, p_2, p_3, p_4, p_5\}) = 1$
Serial structure | $I(\{p_1, p_2, p_3, p_4\} \mid \{p_1, p_2, p_3, p_4, p_5\}) = 1$
Serial structure | $I(p_4 \mid \{p_2, p_3, p_4\}) = 1$
Serial structure | $I(\{p_2, p_3\} \mid \{p_2, p_3, p_4\}) = 1$
Parallel structure | $I(p_1 \mid \{p_1, p_2, p_3, p_4\}) = 0.4$
Parallel structure | $I(\{p_2, p_3, p_4\} \mid \{p_1, p_2, p_3, p_4\}) = 0.6$
Parallel structure | $I(p_2 \mid \{p_2, p_3\}) = 0.3$
Parallel structure | $I(p_3 \mid \{p_2, p_3\}) = 0.7$

With the above analysis, the importance of $p_2$ is obtained by the following equations

$$\begin{aligned}
I(p_2 \mid sta) &= I(p_2 \mid \{p_1, p_2, p_3, p_4, p_5\}) \\
&= I(p_2 \mid \{p_2, p_3\}) \times I(\{p_2, p_3\} \mid \{p_2, p_3, p_4\}) \\
&\quad \times I(\{p_2, p_3, p_4\} \mid \{p_1, p_2, p_3, p_4\}) \\
&\quad \times I(\{p_1, p_2, p_3, p_4\} \mid \{p_1, p_2, p_3, p_4, p_5\}) \\
&= 0.3 \times 1 \times 0.6 \times 1 \\
&= 0.18
\end{aligned} \qquad (16)$$
Then it means the station capacity is changed from $g^{ept}(t)$ to $0.82 \times g^{ept}(t)$ when $p_2$ is failed. According to the mapping relationships between material process and Petri net, we can get a concrete description of the transition which is described by $\{(P_1^f, c_0), (P_2^f, c_1), (P_3^f, c_0), (P_4^f, c_0), (P_5^f, c_0)\} \Rightarrow \{(P^g, c_2)\}$, where $(P_2^f, c_1)$ means the function $p_2$ is failed; $(P^g, c_2)$ represents the station capacity is mapped to $0.82 \times g^{ept}(t)$.

Appendix 2

In order to analyze the relationship between stations capacities and system loss, several properties of station are listed in Table 13.

Table 13. Description of station properties.

Symbol | Description
$g_i(t)$ | Station capacity
$o_i(t)$ | Material output
$l_i(t)$ | Material input
$r_i(t)$ | Material overload
$d_{i,j}$ | Proportion of output from $sta_i$ to $sta_j$

Then there exist several equations about the properties in Table 13

$$r_i(t+1) = l_i(t+1) - g_i(t) \qquad (17)$$

where $l_i(t)$ is the input of $sta_i$

$$l_i(t+1) = \sum_{j \in UpNei(sta_i)} o_j(t) \times d_{j,i} \qquad (18)$$

The $UpNei(sta_i)$ represents the stations which is the upstream neighbor of $sta_i$. Then the output of $sta_i$ is obtained by the following equation

$$o_j(t) = \begin{cases} g_j(t), & r_j(t) \geq 0 \\ g_j(t) + r_j(t), & r_j(t) < 0 \end{cases} \qquad (19)$$

Then equation (19) can be described as follows

$$o_j(t) = k_j(t) \times g_j(t) + m_j(t) \times (g_j(t) + r_j(t)) \qquad (20)$$

where the $k_j(t)$ and $m_j(t)$ are defined as follows

$$\begin{cases} k_j(t) = 1,\ m_j(t) = 0, & j \in UpNei(sta_i),\ r_j \geq 0 \\ k_j(t) = 0,\ m_j(t) = 1, & j \in UpNei(sta_i),\ r_j < 0 \\ k_j(t) = 0,\ m_j(t) = 0, & \text{else} \end{cases} \qquad (21)$$

Based on equation (21), equation (17) can be represented as follows

$$\begin{aligned}
r_i(t+1) &= \sum_{j=1}^{n} \big(k_j(t) \times g_j(t) + m_j(t) \times (g_j(t) + r_j(t))\big) \times d_{j,i} - g_i(t) \\
&= \sum_{j=1}^{n} (k_j(t) + m_j(t)) \times d_{j,i} \times g_j(t) - g_i(t) + \sum_{j=1}^{n} m_j(t) \times r_j(t) \\
&= A_i(t) \times r(t) + B_i(t) \times g(t)
\end{aligned} \qquad (22)$$

where $r(t) = [r_1(t), \ldots, r_n(t)]^T$, $g(t) = [g_1(t), \ldots, g_n(t)]^T$. Therefore, we can get the estimation equation of all the station states, as shown in equation (23)

$$r(t+1) = A(t) r(t) + B(t) g(t) \qquad (23)$$

Therefore, the cyberattack on a station may cause the overload of other stations in CI network. Thus, we calculate the system loss based on the overloads, as shown in equation (24)

$$L(t) = \sum_{i=1}^{n} \sum_{j=0}^{m} |r_i(t_0 + j)| \times \Delta t \times t_i \qquad (24)$$

where $r_i(t_0 + j)$ is the overload of the $i$th station at time $t_0 + j$, $t_0$ is the start time of cyberattacks, $t_0 + m$ is the time when the station state is normal, $\Delta t$ is the period between $t_0 + j$ and $t_0 + (j + 1)$, and $t_i$ is the economic loss of per unit overload of the $i$th station.
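Equations (17) to (19) and the loss in equation (24) can be stepped through numerically to see how one degraded station produces overloads elsewhere and how a capacity setting on the downstream stations changes the loss. This is an added example, not code from the article: the four-station layout, capacities, unit losses and the `external` inflow term for the source station are constructed assumptions; only the 0.7 capacity factor is taken from Table 4.

```python
"""Overload propagation (equations 17-19) and system loss (equation 24)."""


def step(r, g, d, external):
    """One time step: overloads r(t) and capacities g(t) give r(t + 1)."""
    n = len(g)
    # Equation (19): an underloaded station (r_j < 0) passes on only what it got.
    o = [g[j] if r[j] >= 0 else g[j] + r[j] for j in range(n)]
    # Equation (18): input is the upstream output weighted by d[j][i].
    # Assumption: `external` feeds source stations, which have no upstream neighbor.
    l = [external[i] + sum(o[j] * d[j][i] for j in range(n)) for i in range(n)]
    # Equation (17): overload is input minus capacity.
    return [l[i] - g[i] for i in range(n)]


def simulate(capacities, d, external):
    """capacities[t] is the vector g(t); returns [r(t0), r(t0 + 1), ...]."""
    history = [[0.0] * len(d)]  # the network is balanced when the attack starts
    for g in capacities:
        history.append(step(history[-1], g, d, external))
    return history


def system_loss(history, unit_loss, dt=1.0):
    """Equation (24): sum of |r_i| * dt * per-unit loss over stations and time."""
    return sum(abs(r_i) * dt * unit_loss[i]
               for r in history for i, r_i in enumerate(r))


# Constructed network: A feeds B, and B splits evenly between C and D.
D = [[0, 1.0, 0, 0],
     [0, 0, 0.5, 0.5],
     [0, 0, 0, 0],
     [0, 0, 0, 0]]
EXTERNAL = [10.0, 0, 0, 0]
UNIT_LOSS = [100.0] * 4                  # USD per unit of overload per hour
NORMAL = [10.0, 10.0, 5.0, 5.0]
ATTACKED = [10.0, 7.0, 5.0, 5.0]         # B drops to 0.7 of its expected capacity
RESCHEDULED = [10.0, 7.0, 3.5, 3.5]      # C and D are set to what B can deliver


def compare():
    """Loss for two hours of degraded capacity, without and with rescheduling."""
    no_scheduling = simulate([ATTACKED, ATTACKED, NORMAL], D, EXTERNAL)
    with_scheduling = simulate([RESCHEDULED, RESCHEDULED, NORMAL], D, EXTERNAL)
    return (system_loss(no_scheduling, UNIT_LOSS),
            system_loss(with_scheduling, UNIT_LOSS))


if __name__ == "__main__":
    print(compare())
```

In this constructed case the overload at B stays at 3 units either way, but lowering the capacity settings of C and D removes their underload terms from equation (24), halving the loss.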
