
IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS, VOL. 14, NO. 6, JUNE 2018, p. 2497

A Fuzzy Probability Bayesian Network Approach for Dynamic Cybersecurity Risk Assessment in Industrial Control Systems

Qi Zhang, Chunjie Zhou, Yu-Chu Tian, Member, IEEE, Naixue Xiong, Senior Member, IEEE, Yuanqing Qin, and Bowen Hu

Abstract—With the increasing deployment of data network technologies in industrial control systems (ICSs), cybersecurity becomes a challenging problem in ICSs. Dynamic cybersecurity risk assessment plays a vital role in ICS cybersecurity protection. However, it is difficult to build a risk propagation model for ICSs due to the lack of sufficient historical data. In this paper, a fuzzy probability Bayesian network (FPBN) approach is presented for dynamic risk assessment. First, an FPBN is established for analysis and prediction of the propagation of cybersecurity risks. To overcome the difficulty of limited historical data, the crisp probabilities used in standard Bayesian networks are replaced in our approach by fuzzy probabilities. Then, an approximate dynamic inference algorithm is developed for dynamic assessment of ICS cybersecurity risk. It is embedded with a noise evidence filter in order to reduce the impact from noise evidence caused by system faults. Experiments are conducted on a simplified chemical reactor control system to demonstrate the effectiveness of the presented approach.

Index Terms—Bayesian network (BN), cybersecurity, fuzzy probability, industrial control systems (ICSs), risk assessment.

I. INTRODUCTION

Industrial control systems (ICSs) are implemented worldwide in critical infrastructures [1]. They are integrated with computation, communication, and control theories [2], [3]. With the increasing deployment of data networks in ICSs, cybersecurity becomes a challenging ICS problem [4]–[8]. The number of cyberattacks on ICSs increases year by year [9]. This demands systematic research on cybersecurity risk analysis and cybersecurity protection for ICSs.

Cyberattacks on ICSs may lead to damage to, and losses of, physical infrastructure systems [10]. Cybersecurity risk of ICSs includes casualties, environment pollution, and asset losses. Cybersecurity protection in ICSs aims to minimize cybersecurity risk through implementing security strategies. Thus, risk-based dynamic cybersecurity protection is widely accepted in ICSs [11]. It generally consists of a number of components, e.g., intrusion detection, dynamic risk assessment, risk-based decision-making, and security strategy enforcement. A dynamic risk assessment system calculates ICS cybersecurity risk dynamically through analysis of real-time ICS data [12]. The risk value derived from the risk assessment provides important information for security decision-making. Thus, dynamic risk assessment plays an important role in cybersecurity protection of ICSs.

But the calculation of ICS cybersecurity risk is difficult. One of the difficulties is the limited cyberattack data within a large amount of real-time data, such as sensing data and control commands. How to mine such data to predict the action of cyberattacks is a challenge. Even more challenging is the existence of various processes from launching a malicious attack to causing losses. Example processes are network penetration, privilege escalation, system anomaly, and hazardous incidents. This demands a synthetic model with attack knowledge and system knowledge for analysis of the propagation of cybersecurity risk.

Efforts have been made on modeling of cybersecurity risk. An example is the Bayesian attack graph method employed in risk assessment for prediction of potential malicious attacks [13]. The method calculates the probability of attacks by supervising the actions of attackers. Another example is the bow-tie model for assessment of industrial accidental risk [14]. But both methods require a large amount of prior knowledge about attacks in

Manuscript received June 25, 2017; revised September 9, 2017 and October 11, 2017; accepted October 23, 2017. Date of publication November 1, 2017; date of current version June 1, 2018. The work of C. Zhou was supported in part by National Science Foundation of China under Grant 61433006 and Grant 61272204. The work of Y.-C. Tian was supported in part by an ATN-DAAD (Australian Technology Network of Universities—German Academic Exchange Service Joint Research Co-operation Scheme) Grant in 2015–2016, and in part by Australian Research Council Discovery Projects under Grant DP160102571 and Grant DP170103305. Paper no. TII-17-1351. (Corresponding author: Chunjie Zhou.)
Q. Zhang, C. Zhou, Y. Qin, and B. Hu are with the School of Automation, Huazhong University of Science & Technology, Wuhan 430074, China (e-mail: qiqi@hust.edu.cn; cjiezhou@hust.edu.cn; qinyuanqing@hust.edu.cn; hubowen@hust.edu.cn).
Y.-C. Tian is with the School of Electrical Engineering and Computer Science, Queensland University of Technology, Brisbane, QLD 4001, Australia (e-mail: y.tian@qut.edu.au).
N. Xiong is with the Department of Mathematics and Computer Science, Northeastern State University, Tahlequah, OK 74464 USA (e-mail: xiong31@nsuok.edu).
Color versions of one or more of the figures in this paper are available online at http://ieeexplore.ieee.org.
Digital Object Identifier 10.1109/TII.2017.2768998

1551-3203 © 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

Authorized licensed use limited to: KIT Library. Downloaded on April 29,2023 at 16:22:51 UTC from IEEE Xplore. Restrictions apply.
their cybersecurity risk propagation models. They do not work in the presence of limited cyberattack data.

However, acquiring sufficient knowledge of cyberattacks from limited historical data is challenging. It is reported that 290 ICS cybersecurity incidents happened in 2016 [9]. This number is far less than that of cybersecurity incidents in IT systems. Thus, it is difficult to obtain accurate prior knowledge about risk propagation in ICSs. This also makes it difficult to establish a cybersecurity risk propagation model.

To address this issue, an FPBN approach is presented in this paper for dynamic risk assessment in ICSs. It consists of an FPBN model and a fuzzy approximate dynamic inference algorithm. The model is designed for analysis and prediction of cybersecurity risk. It uses fuzzy probabilities to replace the crisp probabilities required in a standard Bayesian network (BN) model. The inference algorithm is for dynamic assessment of ICS cybersecurity risk. It is integrated with a confidence-index-based noise evidence filter for elimination of noise evidence, thus improving the convergence of the algorithm.

This paper is organized as follows. Section II gives some background and preliminaries. Section III presents the architecture of our approach for dynamic assessment of cybersecurity risk in ICSs. This is followed by FPBN modeling in Section IV for cybersecurity risk propagation. In Section V, a fuzzy probability Bayesian inference algorithm is designed for dynamic risk assessment. Experiments are conducted in Section VI to demonstrate our approach. Finally, Section VII concludes the paper.

II. BACKGROUND AND PRELIMINARIES

A. Cybersecurity Risk Propagation in ICSs

As an ICS is a cyberphysical system [15], the process of cybersecurity risk propagation in ICSs is different from that in general network systems. Most ICS attacks aim to vandalize ICS assets, which include humans, environment, and equipment. To achieve a destructive purpose, attacks generally exhibit some or all of the following five characteristics:
1) infiltrating the field network;
2) elevating the attacker's privilege;
3) launching attacks to invalidate system functions;
4) causing hazardous incidents;
5) leading to casualties, environment pollution, and other damages.

Modeling of cybersecurity risk propagation is critical for dynamic cybersecurity risk assessment in ICSs. Various models have been proposed for this purpose in recent years. Examples are BN, Petri net, fault tree, attack graph, and attack tree. However, most of these models are developed for cybersecurity analysis in general IT systems or for system safety analysis in ICSs. They do not cover all the above-mentioned five characteristics of ICS attacks.

To predict the propagation of cybersecurity risk for ICSs, a multilevel BN is proposed in the literature [16]. It is equipped with domain knowledge about attacks, system functions, hazardous incidents, and system assets. Therefore, a multilevel BN can be used to describe the whole cybersecurity risk propagation. It is effective for dynamic assessment of cybersecurity risks in ICSs.

B. Brief Review of BN

A BN is a probabilistic graphical model to describe a set of random variables and their conditional dependencies via a directed acyclic graph [17]. It is widely used in probabilistic estimation [18], fault diagnosis [19], system prediction [20], and pattern recognition [21]. A BN is defined as

$$ B \overset{\text{def}}{=} \langle x, g_{x \to x}, p \rangle \quad (1) $$

where
1) $x = (x_1, x_2, \ldots, x_{(x)})$ is a set of $(x)$ nodes in total.
2) $g_{x \to x}$ is an $(x) \times (x)$ incidence matrix that describes the relationship between the nodes; with rows and columns both indexed by $x_1, x_2, \ldots, x_{(x)}$, it is expressed as

$$ g_{x \to x} = \begin{pmatrix} g_{1,1} & g_{1,2} & \cdots & g_{1,(x)} \\ g_{2,1} & g_{2,2} & \cdots & g_{2,(x)} \\ \vdots & \vdots & \ddots & \vdots \\ g_{(x),1} & g_{(x),2} & \cdots & g_{(x),(x)} \end{pmatrix}. \quad (2) $$

The definition of incidence matrix element $g_{i,j}$ is

$$ g_{i,j} = \begin{cases} 1, & \text{node } x_i \text{ is the parent of node } x_j \\ 0, & \text{otherwise.} \end{cases} \quad (3) $$

3) $p = (p_1, p_2, \ldots, p_{(x)})$ is a set of conditional probability tables, where $p_i$ is the conditional probability table of node $x_i$.

Common methods for exact inference in BN are: variable elimination [22], clique tree propagation [23], and recursive conditioning and AND/OR search [24]. The complexity of these methods increases exponentially with the tree width of the network. The most commonly used approximate inference algorithms are importance sampling [25], stochastic Markov chain Monte Carlo simulation [26], minibucket elimination [27], and loopy belief propagation [28].

The set $p$ is generally obtained from statistics and analysis of big historical data [23], [29]. But for ICSs, the amount of historical data about cyberattacks is too small to be used for estimation of the conditional probability table. In this paper, a fuzzy conditional probability table is employed, which is easy to obtain from a group of experts.

III. ARCHITECTURE OF OUR FUZZY APPROACH FOR DYNAMIC CYBERSECURITY RISK ASSESSMENT

The architecture of our FPBN approach for dynamic cybersecurity risk assessment in ICSs is shown in Fig. 1.

Fig. 1. Architecture of our FPBN approach for dynamic cybersecurity risk assessment in ICSs.

In the architecture of our approach, there are two types of input data: attack evidence and anomaly evidence. The attack evidence data come from the intrusion detection system, while the anomaly evidence data come from the anomaly detection system. Cyberattacks and system faults can both generate anomaly evidence. System faults can lead to errors in risk assessment. Therefore, to ensure that there is no noise evidence caused by system faults, the attack evidence and the anomaly evidence should be filtered first.

The FPBN is designed with multidomain knowledge about attacks, system functions, hazardous incidents, and system assets. In our FPBN, crisp conditional probabilities, which are difficult to obtain, are replaced by fuzzy conditional probabilities. When the FPBN inference engine receives evidence, it calculates posterior probabilities that assets are damaged with the FPBN. Then, it assesses the dynamic cybersecurity risk with the losses of assets. The symbol "×" means that the cybersecurity risk value is equal to the product of asset losses and the corresponding probabilities. Detailed system modeling and risk assessment will be developed in the next two sections.

IV. FUZZY PROBABILITY BN

A. Modeling of FPBN

As an extension to BN, a multilevel BN is an effective tool for risk assessment of ICSs [12]. It is defined as

$$ B \overset{\text{def}}{=} \langle x, g_{x \to x}, p, v \rangle \quad (4) $$

where
1) $x = (x_1, x_2, \ldots, x_{(x)})$ is a set of nodes; $x_i$ represents an ICS event with three states T (true), F (false) and U (unknown):

$$ x_i = \begin{cases} T, & \text{event of node } x_i \text{ happens} \\ F, & \text{event of node } x_i \text{ does not happen} \\ U, & \text{unknown.} \end{cases} \quad (5) $$

There are four types of nodes in the BN $B$: attack node $a$, function node $f$, incident node $e$, and asset node $z$. The event of an attack node means that an attacker launches an attack $a$. The event of a function node indicates that the system function $f$ fails. The event of an incident node implies that a hazardous incident $e$ happens. The event of an asset node marks damage to the asset $z$.
2) $g_{x \to x}$ is an $(x) \times (x)$ incidence matrix. It describes the relationship between the nodes.
3) $p = (p_1, p_2, \ldots, p_{(x)})$ is a set of conditional probability tables.
4) $v = (v_1, v_2, \ldots, v_{(x)})$ is a set of losses; $v_i$ is the loss of node $x_i$. If $x_i$ is an asset node, the loss $v_i$ is the value of that asset; otherwise $v_i = 0$. There are three types of assets in ICSs: humans, environment, and properties. The quantification of these assets is introduced in the literature [12].

As mentioned earlier, the crisp conditional probability table is difficult to estimate from limited historical data. To deal with this problem, this paper introduces an FPBN as follows:

$$ \tilde{B} \overset{\text{def}}{=} \langle x, g_{x \to x}, \tilde{p}, v \rangle \quad (6) $$

where $\tilde{p} = (\tilde{p}_1, \tilde{p}_2, \ldots, \tilde{p}_{(x)})$ is a set of conditional probability tables, and $\tilde{p}_i$ is the fuzzy conditional probability table of node $x_i$.

Our modeling of an FPBN is similar to that of a traditional BN. However, we estimate the fuzzy conditional probability table differently. Our method consists of three steps as described below.

Step 1: Establish a group of linguistic probabilities. Linguistic probabilities are words to describe the probabilities, such as "certain," "more probable," "less probable," and "impossible" [30], [31]. Each linguistic probability corresponds to a fuzzy number in $[0, 1]$. Fig. 2 shows fuzzy numbers of some linguistic probabilities.

Fig. 2. Some fuzzy numbers of linguistic probabilities.

Step 2: Build an expert team. The experts are chosen from the cybersecurity or control engineering field. They define the meanings of the nodes and the fuzzy probabilities in the FPBN. With consideration of time, resources and cost, a team of not less than 10 is suggested.

Step 3: Obtain the conditional probability from a constrained optimization. Assume that there are $(p)$ linguistic probabilities $\tilde{p}_1, \tilde{p}_2, \ldots, \tilde{p}_{(p)}$, and an expert team. If $\kappa_i$ experts select linguistic probability $\tilde{p}_i$ to describe the conditional probability $\tilde{p}(u)$, then $\tilde{p}(u)$ can be calculated by

$$ \tilde{p}(u) = \sup \min\big(\tilde{p}_1(u_1), \tilde{p}_2(u_2), \ldots, \tilde{p}_{(p)}(u_{(p)})\big) \quad \text{s.t.} \ \sum_{i=1}^{(p)} \kappa_i u_i = \sum_{i=1}^{(p)} \kappa_i u, \ \sum_{i=1}^{(p)} u_i = 1 \quad (7) $$

where $\sup(\cdot)$ refers to the least upper bound of a partially ordered set. In (7), the fuzzy probability $\tilde{p}_i(u_i)$ is expressed as a function of $u_i$. When $u$ is fixed, $\tilde{p}(u)$ can be obtained from an optimization problem subject to $\sum_{i=1}^{(p)} \kappa_i u_i = \sum_{i=1}^{(p)} \kappa_i u$ and $\sum_{i=1}^{(p)} u_i = 1$. When $u \in [0, 1]$ changes, the solution $\tilde{p}(u)$ of this optimization varies.

B. Inference of FPBN

Let $x$ denote a node in FPBN $\tilde{B}$. Its parent node set is ${}^*x = \{ {}^*x_1, {}^*x_2, \ldots, {}^*x_m \}$. Its child node set is $x^* = \{ x^*_1, x^*_2, \ldots, x^*_n \}$. At the $(t+1)$th iteration, the message that $x$ passes to its parent

node ${}^*x_i$ is

$$ \begin{pmatrix} \lambda_x^{(t+1)}({}^*x_i = F) \\ \lambda_x^{(t+1)}({}^*x_i = T) \end{pmatrix} = \beta \begin{pmatrix} \sum_{x} \lambda_x(x) \prod_{j} \lambda^{(t)}_{x^*_j}(x) \sum_{{}^*\bar{x}_i} p(x \mid {}^*\bar{x}_i, {}^*x_i = F) \prod_{k \ne i} \pi^{(t)}_x({}^*x_k) \\[1.5ex] \sum_{x} \lambda_x(x) \prod_{j} \lambda^{(t)}_{x^*_j}(x) \sum_{{}^*\bar{x}_i} p(x \mid {}^*\bar{x}_i, {}^*x_i = T) \prod_{k \ne i} \pi^{(t)}_x({}^*x_k) \end{pmatrix} \quad (8) $$

where ${}^*\bar{x}_i = {}^*x \setminus \{ {}^*x_i \}$, and the operator "$\setminus$" refers to set subtraction. The message that $x$ sends to its child node $x^*_j$ is

$$ \begin{pmatrix} \pi^{(t+1)}_{x^*_j}(x = F) \\ \pi^{(t+1)}_{x^*_j}(x = T) \end{pmatrix} = \beta \begin{pmatrix} \lambda_x(x = F) \prod_{k \ne j} \lambda^{(t)}_{x^*_k}(x = F) \sum_{{}^*x} p(x = F \mid {}^*x) \prod_{k} \pi^{(t)}_x({}^*x_k) \\[1.5ex] \lambda_x(x = T) \prod_{k \ne j} \lambda^{(t)}_{x^*_k}(x = T) \sum_{{}^*x} p(x = T \mid {}^*x) \prod_{k} \pi^{(t)}_x({}^*x_k) \end{pmatrix}. \quad (9) $$

Equations (8) and (9) are derived from the literature [28]. The symbol "$\sum_{{}^*x}$" is a summation operator over all possible states of ${}^*x$. For example,

$$ \sum_{x_1 x_2} p(x_1) p(x_2) = p(x_1 = F) p(x_2 = F) + p(x_1 = F) p(x_2 = T) + p(x_1 = T) p(x_2 = F) + p(x_1 = T) p(x_2 = T). $$

In (8) and (9), $\beta$ is a normalization operator. For two fuzzy probabilities $\tilde{p}_1$ and $\tilde{p}_2$, $\beta(\tilde{p}_1, \tilde{p}_2)$ is defined as

$$ \beta \begin{pmatrix} \tilde{p}_1 \\ \tilde{p}_2 \end{pmatrix} = \begin{pmatrix} \bigcup_{\alpha \in [0,1]} \alpha \left[ \dfrac{\tilde{L}_1^{-1}(\alpha)}{\tilde{L}_1^{-1}(\alpha) + \tilde{R}_2^{-1}(\alpha)}, \ \dfrac{\tilde{R}_1^{-1}(\alpha)}{\tilde{R}_1^{-1}(\alpha) + \tilde{L}_2^{-1}(\alpha)} \right] \\[3ex] \bigcup_{\alpha \in [0,1]} \alpha \left[ \dfrac{\tilde{L}_2^{-1}(\alpha)}{\tilde{L}_2^{-1}(\alpha) + \tilde{R}_1^{-1}(\alpha)}, \ \dfrac{\tilde{R}_2^{-1}(\alpha)}{\tilde{R}_2^{-1}(\alpha) + \tilde{L}_1^{-1}(\alpha)} \right] \end{pmatrix} \quad (10) $$

where $\alpha = \tilde{L}(u)$ is a monotonically increasing function with inverse function $\tilde{L}^{-1}$, and $\alpha = \tilde{R}(u)$ is a monotonically decreasing function with inverse function $\tilde{R}^{-1}$. They form the membership function of the fuzzy probability $\tilde{p}$, which is

$$ \tilde{p}(u) = \begin{cases} \tilde{L}(u), & u \in [0, \underline{u}) \\ 1, & u \in [\underline{u}, \bar{u}] \\ \tilde{R}(u), & u \in (\bar{u}, 1]. \end{cases} \quad (11) $$

In (10), the $\alpha$-cut form is another way of expressing a fuzzy probability. For example,

$$ \bigcup_{\alpha \in [0,1]} \alpha \left[ \frac{3\alpha + 2}{10}, \ \frac{8 - 3\alpha}{10} \right] = \begin{cases} \dfrac{10u - 2}{3}, & 0.2 < u \le 0.5 \\[1.5ex] \dfrac{8 - 10u}{3}, & 0.5 < u \le 0.8 \\[1.5ex] 0, & \text{otherwise.} \end{cases} $$

The relationship between these two kinds of expression methods is shown in Fig. 3.

Fig. 3. Relationship between two expression methods.

In (8) and (9), the function $\lambda_x(\cdot)$ is the message that the node $x$ sends to itself. It is expressed as

$$ \lambda_x(x = F) = \begin{cases} 0, & \text{when } x \in E \text{ and its observed value is } T \\ 1, & \text{otherwise} \end{cases} \quad (12) $$

$$ \lambda_x(x = T) = \begin{cases} 0, & \text{when } x \in E \text{ and its observed value is } F \\ 1, & \text{otherwise} \end{cases} \quad (13) $$

where $E$ is the evidence set of the ICS, i.e., the set of nodes whose state has been observed:

$$ E \overset{\text{def}}{=} \{ x \mid x \in x, \ x \ne U \}. \quad (14) $$

$E$ can be obtained by analyzing the results of the intrusion detection system and the anomaly detection system.

After the $t$th iteration, the fuzzy belief of node $x$ becomes

$$ \begin{pmatrix} \mathrm{Bel}^{(t)}(x = F) \\ \mathrm{Bel}^{(t)}(x = T) \end{pmatrix} = \begin{pmatrix} \lambda^{(t)}(x = F) \cdot \pi^{(t)}(x = F) \\ \lambda^{(t)}(x = T) \cdot \pi^{(t)}(x = T) \end{pmatrix} \quad (15) $$

where

$$ \begin{pmatrix} \lambda^{(t)}(x = F) \\ \lambda^{(t)}(x = T) \end{pmatrix} = \begin{pmatrix} \lambda_x(x = F) \prod_{j} \lambda^{(t)}_{x^*_j}(x = F) \\ \lambda_x(x = T) \prod_{j} \lambda^{(t)}_{x^*_j}(x = T) \end{pmatrix} \quad (16) $$

and

$$ \begin{pmatrix} \pi^{(t)}(x = F) \\ \pi^{(t)}(x = T) \end{pmatrix} = \begin{pmatrix} \sum_{{}^*x} P(x = F \mid {}^*x) \prod_{k} \pi^{(t)}_x({}^*x_k) \\ \sum_{{}^*x} P(x = T \mid {}^*x) \prod_{k} \pi^{(t)}_x({}^*x_k) \end{pmatrix}. \quad (17) $$
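As an added example (Python, not the authors' C++ implementation) of the fuzzy-number machinery used above: the expert-vote aggregation of Step 3, eq. (7), checked against its α-cut shortcut; the normalization β of (10) at one α-level; and the membership distance between two fuzzy beliefs on which the termination test of Section IV-B relies. Only the triangle (0.2, 0.5, 0.8) comes from the page's α-cut example; LESS_PROBABLE, MORE_PROBABLE and the 6/4 expert split are constructed, and the sup-min search applies only the weighted-mean constraint of (7).

```python
"""Fuzzy probabilities as triangular numbers and alpha-cuts: expert-vote
aggregation (eq. 7), the normalisation beta of (10) and the membership
distance used by the termination test. Added example; apart from the
triangle (0.2, 0.5, 0.8), all linguistic numbers and votes are constructed."""
import itertools

# Triangular fuzzy number (a, b, c): membership climbs from 0 at a to 1 at b
# and falls back to 0 at c. The paper's alpha-cut example
# [(3alpha+2)/10, (8-3alpha)/10] is exactly the triangle (0.2, 0.5, 0.8).
PROBABLE = (0.2, 0.5, 0.8)
LESS_PROBABLE = (0.0, 0.2, 0.4)   # constructed linguistic probability
MORE_PROBABLE = (0.6, 0.8, 1.0)   # constructed linguistic probability


def membership(fz, u):
    """p~(u): membership grade of u in the triangular number fz = (a, b, c)."""
    a, b, c = fz
    if a <= u <= b:
        return 1.0 if a == b else (u - a) / (b - a)
    if b < u <= c:
        return (c - u) / (c - b)
    return 0.0


def alpha_cut(fz, alpha):
    """[L~^-1(alpha), R~^-1(alpha)]: the u-interval whose membership is >= alpha."""
    a, b, c = fz
    return (a + alpha * (b - a), c - alpha * (c - b))


def aggregate(votes):
    """Step 3 by the extension principle: if kappa_i experts choose p~_i, the
    constraint sum kappa_i u_i = sum kappa_i u makes p~ the kappa-weighted
    mean of the p~_i. Its alpha-cuts are the weighted means of their cuts, so
    for triangles the result is the weighted mean of each vertex (a, b, c)."""
    total = sum(k for _, k in votes)
    return tuple(sum(k * fz[s] for fz, k in votes) / total for s in range(3))


def sup_min(votes, u, steps=200):
    """Eq. (7) evaluated literally at one u: the sup, over (u_1, ..., u_n) with
    sum kappa_i u_i = sum kappa_i u, of min_i p~_i(u_i). A grid search fixes
    all but the last u_i; the constraint then determines the last one. The
    second constraint printed under (7), sum u_i = 1, is not applied here."""
    total = sum(k for _, k in votes)
    grid = [i / steps for i in range(steps + 1)]
    *free, (last_fz, last_k) = votes
    best = 0.0
    for choice in itertools.product(grid, repeat=len(free)):
        fixed = sum(k * ui for (_, k), ui in zip(free, choice))
        u_last = (total * u - fixed) / last_k
        if not 0.0 <= u_last <= 1.0:
            continue
        grades = [membership(fz, ui) for (fz, _), ui in zip(free, choice)]
        grades.append(membership(last_fz, u_last))
        best = max(best, min(grades))
    return best


def beta_cut(p1, p2, alpha):
    """One alpha-level of the normalisation operator beta in (10): the lower
    end of p~_1/(p~_1 + p~_2) pairs p~_1's left end with p~_2's right end, the
    upper end the reverse, and symmetrically for p~_2. A zero denominator is
    mapped to 0 (an assumption of this example, not from the paper)."""
    def ratio(num, den):
        return num / den if den else 0.0
    l1, r1 = alpha_cut(p1, alpha)
    l2, r2 = alpha_cut(p2, alpha)
    first = (ratio(l1, l1 + r2), ratio(r1, r1 + l2))
    second = (ratio(l2, l2 + r1), ratio(r2, r2 + l1))
    return first, second


def distance(p1, p2, steps=1000):
    """Integral over [0, 1] of |p~_1(u) - p~_2(u)| (midpoint rule), the
    distance between two fuzzy beliefs that the termination test compares."""
    h = 1.0 / steps
    return h * sum(abs(membership(p1, (i + 0.5) * h) - membership(p2, (i + 0.5) * h))
                   for i in range(steps))


if __name__ == "__main__":
    votes = [(PROBABLE, 6), (MORE_PROBABLE, 4)]   # 10 experts, as Step 2 suggests
    agg = aggregate(votes)                          # (0.36, 0.62, 0.88)
    print("aggregated fuzzy CPT entry:", agg)
    for u in (0.36, 0.49, 0.62, 0.75):             # brute-force (7) vs alpha-cut shortcut
        print(u, round(sup_min(votes, u), 3), round(membership(agg, u), 3))
    print("beta(agg, LESS_PROBABLE) at alpha=1:", beta_cut(agg, LESS_PROBABLE, 1.0))
    print("distance(agg, PROBABLE):", round(distance(agg, PROBABLE), 4))
```

The brute-force sup-min and the α-cut shortcut agree at every sampled u, which is the justification for building fuzzy conditional probability tables from α-cuts rather than solving (7) per entry.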
The iteration will terminate when it reaches the pre-specified iteration limit $t_{\max}$, i.e.,

$$ t \ge t_{\max} \quad (18) $$

or achieves the pre-defined accuracy threshold $D_{\min}$, i.e.,

$$ \forall x \in B, \ \left| \mathrm{Bel}^{(t)}(x = T) - \mathrm{Bel}^{(t-1)}(x = T) \right| \le D_{\min}. \quad (19) $$

It is worth mentioning that, for the BN with fuzzy probabilities, the beliefs $\mathrm{Bel}^{(t)}(x = T)$ and $\mathrm{Bel}^{(t-1)}(x = T)$ are fuzzy numbers. The distance between $\mathrm{Bel}^{(t)}(x = T)$ and $\mathrm{Bel}^{(t-1)}(x = T)$ can be calculated by [32], [33]

$$ \left| \mathrm{Bel}^{(t)}(x = T) - \mathrm{Bel}^{(t-1)}(x = T) \right| = \int_0^1 \left| \mathrm{Bel}^{(t)}(x = T)(u) - \mathrm{Bel}^{(t-1)}(x = T)(u) \right| du. \quad (20) $$

When the iteration terminates, $\mathrm{Bel}^{(t)}(x)$ is considered to be an approximation of the posterior fuzzy probability of node $x$ under the evidence set $E$, i.e.,

$$ \tilde{p}(x = T \mid E) \approx \mathrm{Bel}^{(t)}(x = T). \quad (21) $$

For tree-structured FPBNs, this iteration process can be used to efficiently perform exact marginalization in a finite number of iterations. However, for loopy FPBNs, the sequence of messages defined by (8) and (9) is not guaranteed to converge to a fixed point after some iterations [34]. Therefore, (18) is used as a time-out termination condition.

V. DYNAMIC RISK ASSESSMENT

Cybersecurity risk of an ICS is calculated from the evidence set $E$. A successful detection of an intrusion or anomaly leads to a change in the evidence set $E$. Therefore, dynamic risk assessment is required for cybersecurity protection.

As mentioned earlier, noise evidence caused by system faults will lead to incorrect cybersecurity risk assessment. Therefore, the first step of risk assessment is to filter out the noise evidence from the evidence set $E$.

For evidence set $E$ and FPBN $\tilde{B} = \langle x, g_{x \to x}, \tilde{p}, v \rangle$, a confidence index $C(x = T)$ is proposed in this paper to describe the confidence degree of node $x \in x$. It refers to a function node or incident node. The confidence index $C(x = T)$ is defined as

$$ C(x = T) = \max_{\check{a} \in \check{\mathbf{a}}} \left( \prod_{a_i \in \check{a}, \ a_i = T} \eta_i \right) \quad (22) $$

where $\check{a}$ is an attack path of node $x$, $\check{\mathbf{a}}$ is the attack path set of node $x$, $a_i$ is an attack node, and $\eta_i$ is the false negative rate of the intrusion detection system for attack $a_i$. Algorithm 1 shows how to get the attack path set $\check{\mathbf{a}}$ of node $x$.

If the value of the confidence index of evidence $x = T$ is smaller than the threshold $C_{\min}$, this evidence is considered to be caused by system faults, and thus should be removed from the evidence set $E$. After noise evidence is filtered out from $E$, the evidence set becomes $E'$. $E'$ is sent to the FPBN inference engine. The probabilities of all nodes in the FPBN are calculated accordingly. Then, the cybersecurity risk is assessed from

$$ \tilde{R} = \sum_{i=1}^{(x)} \tilde{p}(x_i \mid E') \cdot v_i \quad (23) $$

where $x_i$ is a node in the BN of the ICS, $\tilde{p}(x_i \mid E')$ is the probability that the event of node $x_i$ happens under the observed evidence set $E'$, and $v_i$ is the loss of the node $x_i$.

VI. SIMULATION EXPERIMENTS

This section conducts simulation studies to demonstrate the approach presented in this paper. The simulated control system is for control of a chemical reactor. Chemical reactors are widely used in process industries. Their safe operation is significant. Hazardous incidents of chemical reactors, such as explosion and toxic substance leaks, may cause casualties and environmental pollution, and thus must be avoided.

A. Experiment Setup

Fig. 4 shows a continuous stirred-tank reactor and its control system. The control system consists of supervisory control in an Ethernet network environment and power line carrier (PLC) control in two CANBUS subnets. The Ethernet network interconnects the control system with the enterprise network via a commercial gateway. In this network, there are two hosts: a data server (DS) and an engineer station (ES). The DS is used for collecting the real-time control data and providing data service for the enterprise network. The ES is employed to program and configure the six PLCs.

The six PLCs are separated into two CANBUS subnets. PLC1 is the controller of feeding valves V1 and V2. PLC2 is used for collecting data from pressure, liquid level, and temperature sensors. PLC3 and PLC4 control the impeller and heater, respectively. The relief valve V4 is controlled by PLC5. PLC6 is responsible for control of discharging valve V3.

An FPBN of this chemical reactor control system is shown in Fig. 5. This BN model and our fuzzy probability Bayesian inference engine are implemented in the C++ language in Microsoft Visual Studio 2015.

Four case studies are carried out as follows:
1) the effectiveness of our risk assessment approach;
2) the effectiveness of our noise filter;
3) the execution time performance of our approach; and


4) the scalability of our approach with respect to the problem size characterized by the number of nodes.

Fig. 4. Networked control of continuous stirred-tank reactor.

TABLE I
EVIDENCE EVENTS

Start Time   End Time   Evidence Description
49           81         Attacker launches network scanning attack a1
90           142        Attacker launches vulnerability scanning attack a2
163          204        Attacker launches DoS attack a6 on DS
195          205        Attacker launches spoofing attack a8 on ES
238          260        Attacker reconfigures PLC6
268          367        Flow control function f3 of V3 fails
279          388        Temperature control function f11 fails
312          402        Temperature anomaly incident e3 occurs
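Before the case studies, the noise filter of Section V exercised in Python on a constructed fragment of an FPBN (an added example, not the authors' C++ engine): attack paths are enumerated from a parent map in place of Algorithm 1, the confidence index of (22) is computed, evidence below C_min is dropped, and the risk of (23) is summed over α-cuts of constructed posteriors. The node labels echo Table I, but the edges, η values, evidence set and posteriors are all assumptions; the product in (22) is taken here over the attacks on a path that the IDS did not report, a reading of the subscript stated as this example's own.

```python
"""Confidence-index noise filter of Section V, eq. (22), followed by the risk
sum of eq. (23). Added example; the DAG, false-negative rates, evidence and
posteriors below are constructed and are not the paper's Fig. 5 model."""

# Constructed FPBN fragment as a parent map (attack nodes "a*", function
# nodes "f*", incident nodes "e*"). Labels echo Table I; the edges are ours.
PARENTS = {
    "a1": [],              # network scanning
    "a2": ["a1"],          # vulnerability scanning follows network scanning
    "a6": ["a2"],          # DoS on the data server
    "a8": ["a2"],          # spoofing on the engineer station
    "f3": ["a8"],          # flow control of V3 fails
    "f11": ["a6", "a8"],   # temperature control fails
    "f10": ["a6"],         # a function reachable only through a6
    "e3": ["f11"],         # temperature anomaly incident
}
# Constructed IDS false-negative rates eta_i, one per attack node.
ETA = {"a1": 0.05, "a2": 0.10, "a6": 0.20, "a8": 0.30}


def is_attack(node):
    return node.startswith("a")


def attack_paths(node, parents=PARENTS):
    """Stand-in for Algorithm 1: the chain of attack nodes on every ancestor
    path from a root attack node down to `node` (the graph must be acyclic)."""
    own = (node,) if is_attack(node) else ()
    if not parents[node]:
        return [own]
    chains = set()
    for parent in parents[node]:
        for chain in attack_paths(parent, parents):
            chains.add(chain + own)
    return sorted(chains)


def confidence(node, evidence, eta=ETA, parents=PARENTS):
    """Eq. (22): max over attack paths of a product of eta_i. This example
    multiplies eta_i only for attacks on the path that the IDS did not report
    (absent from evidence as T); a reported attack contributes a factor 1. A
    node with no attack ancestor gets 0 (assumption: no attack explains it)."""
    best = 0.0
    for chain in attack_paths(node, parents):
        if not chain:
            continue
        prod = 1.0
        for attack in chain:
            if evidence.get(attack) != "T":
                prod *= eta[attack]
        best = max(best, prod)
    return best


def filter_evidence(evidence, c_min, eta=ETA, parents=PARENTS):
    """Split E into E' (kept) and the noise removed: a function or incident
    observed as T is dropped when its confidence index is below C_min.
    Attack evidence and F observations pass through unchanged."""
    kept, noise = {}, {}
    for node, state in evidence.items():
        if is_attack(node) or state != "T":
            kept[node] = state
        elif confidence(node, evidence, eta, parents) >= c_min:
            kept[node] = state
        else:
            noise[node] = state
    return kept, noise


def risk_cut(posteriors, losses, alpha):
    """Alpha-cut of eq. (23), sum_i p~(x_i|E') * v_i, with triangular
    posteriors (a, b, c) standing in for the inference engine's output.
    Only asset nodes carry a nonzero loss v_i, so only they are listed."""
    lo = sum((a + alpha * (b - a)) * losses[n] for n, (a, b, c) in posteriors.items())
    hi = sum((c - alpha * (c - b)) * losses[n] for n, (a, b, c) in posteriors.items())
    return lo, hi


if __name__ == "__main__":
    # Constructed evidence set E: two attacks reported, three failures seen.
    E = {"a1": "T", "a2": "T", "f3": "T", "f11": "T", "f10": "T"}
    kept, noise = filter_evidence(E, c_min=0.25)
    print("E' =", kept, " noise =", noise)   # f10 dropped: C = 0.2 < 0.25
    # Constructed posteriors for two asset nodes after inference on E'.
    posteriors = {"z_reactor": (0.1, 0.3, 0.5), "z_personnel": (0.0, 0.05, 0.2)}
    losses = {"z_reactor": 2.0e6, "z_personnel": 5.0e6}
    print("risk core (USD):", risk_cut(posteriors, losses, 1.0))
    print("risk support (USD):", risk_cut(posteriors, losses, 0.0))
```

Raising C_min to 0.35 in this fragment discards every function failure, which is the sensitivity side of the tradeoff Case Study 2 discusses.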

B. Case Study 1: Effectiveness of Our Risk Assessment

Fig. 5. FPBN for the reactor control system.

To demonstrate the ability of our approach in dynamic risk assessment, multistep attacks on the control system are simulated. From 49 to 81 min, the attacker scans the Ethernet network. From 90 to 142 min, the attacker scans the vulnerabilities of the devices in the Ethernet. From 163 to 204 min, the attacker launches a DoS attack on the DS. The full list of attacks and system faults is shown in Table I.

Fig. 6 shows the curve of dynamic cybersecurity risk from the 1st minute to the 498th minute. The y-coordinate is the value of risk, which is a fuzzy number with unit of U.S. dollar. The color is used to describe the degree of confidence. Blue indicates that the degree of confidence is 0, while red means that the degree of


confidence is 1. The curve in black is the most likely risk, whose degree of confidence is equal to 1.

Fig. 6. Curve of dynamic cybersecurity risk.

Fig. 7. Key values of dynamic cybersecurity risk.

It is seen from Fig. 6 that the cybersecurity risk increases as the attacker gradually launches those attacks. When an attack is suspended or the invalid function is recovered, the cybersecurity risk decreases. The key values of cybersecurity risk are shown in Fig. 7.

C. Case Study 2: Effectiveness of Our Noise Filter

Noise evidence will lead to an increase in the number of iterations of the inference algorithm if no noise filter is employed. In the BN shown in Fig. 8, the nodes in red are observed pieces of evidence. If each of the other nodes is taken as a new piece of evidence, we judge whether the new evidence is noise evidence. If yes, the node is drawn in black; otherwise it is drawn in green. The parameter $\tau$ at each piece of evidence is the number of iterations of the inference algorithm if no noise filter is applied. Our simulation shows that the numbers of iterations in the presence of noise evidence are mostly larger than those in the absence of noise evidence.

Fig. 8. Number of iterations when the noise filter is not used.

To demonstrate the effectiveness of our noise filtering, the scenario shown in Fig. 9 is simulated. In Fig. 9, $E$ is the evidence sequence shown in Table I. $E'$ is the evidence sequence $E$ together with added noise evidence. The symbol $E''$ denotes the evidence sequence derived from $E'$ by the noise filter. The noise invalidation of functions caused by system faults is designed as follows. From the 45th minute to the 56th minute, the system function f10 fails. From the 340th minute to the 361st minute, the system function f6 fails.

Fig. 9. Simulation of our noise filter.

Other simulation settings are as follows. The maximum number of iterations is $t_{\max} = 100$. The accuracy is $D_{\min} = 1 \times 10^{-4}$. The inference process is repeated 5000 times. For each inference of the BN, a stochastic evidence set is generated and sent to the fuzzy probability Bayesian inference engine. All simulations are conducted on a computer with an Intel Pentium processor G3220 (3M Cache, 3.00GHz) and 4GB DDR3 memory.

In our simulation, the fuzzy probability Bayesian inference engine receives evidence sequences $E$, $E'$ and $E''$. Then, it generates three risk curves $\tilde{R}$, $\tilde{R}'$, and $\tilde{R}''$ with these evidence sequences $E$, $E'$, and $E''$, respectively. After that, two Hamming distances $D(\tilde{R}', \tilde{R})$ and $D(\tilde{R}'', \tilde{R})$ are recorded as shown in Fig. 10.

Fig. 10. Curves of Hamming distances.

By filtering out noise, the noise filter helps improve the convergence of the fuzzy probability Bayesian inference algorithm. This is due to the noise-induced increase in the number of iterations of the inference algorithm if the noise is not filtered out. To demonstrate this claim, 5000 attack scenarios are generated stochastically according to the BN shown in Fig. 5. Then, stochastic noise is added to each evidence sequence. These 5000 evidence sequences without noise and 5000 evidence sequences with noise are sent to the fuzzy probability Bayesian inference engine. Simulation results show that in the presence of noise, the number of nonconvergent runs is 493 if the noise is not filtered out. In comparison, in the absence of noise, the number of nonconvergent runs is reduced to 269, indicating a 45% drop.

The effectiveness of our noise filter is shown in the plot of Hamming distances in Fig. 10. It is seen from Fig. 10 that $D(\tilde{R}', \tilde{R})$ has two disturbances: one from the 45th minute to the 56th minute, and the other from the 340th minute to the 361st minute. The maximum distance between $\tilde{R}'$ and $\tilde{R}$ is $1.660 \times 10^6$. This means that if the noise filter is not applied, the value of the cybersecurity risk will be disturbed by the noise caused by system faults. It is also observed that the curve of the Hamming distance $D(\tilde{R}'', \tilde{R})$ is always 0. This confirms that with the noise filter, the risk error caused by noise evidence events is eliminated.

It is worth mentioning that a noise filter should be used with caution as it may filter out useful information. Assume that an attacker utilizes a zero-day vulnerability to launch a new attack, and the attack is missed by the intrusion detection system. The result is that the anomaly evidence caused by this attack may be filtered out by the noise filter. Being too sensitive may cause some false actions, while being too robust may reduce its functionality as a noise filter. Therefore, a tradeoff is required between the sensitivity and robustness to noise by adjusting the parameter $C_{\min}$.

D. Case Study 3: Execution Time of Our Approach

Fig. 11. Distribution of execution times from 5000 runs.

To demonstrate the execution time performance of our approach, all execution times of the 5000 simulation runs are recorded. Their distribution is shown in the histogram plot in Fig. 11. A quantitative analysis is carried out for Fig. 11. It shows that the minimum, maximum, and average execution times are 0.242, 3.074, and 0.648 s, respectively. The execution time performance is acceptable to a wide range of industrial process control systems. It can be well controlled by two parameters: the maximum number $t_{\max}$ of iterations, and the accuracy threshold $D_{\min}$.

E. Case Study 4: Scalability of Our Approach

To show the scalability of our approach, simulations are carried out to measure possible lower and upper bounds of the execution time performance under different problem sizes, which are characterized by the number of nodes. For this purpose, 25 FPBNs are simulated. The minimum and maximum problem sizes are 10 and 490, respectively. For each FPBN, the risk assessment is repeated for 200 runs. Fig. 12 shows the measured upper and lower bounds together with the best fitting line of average execution time performance.

In Fig. 12, the best fitting line has the form $t = 0.0080201 \times (m) + 0.01467$ with the correlation coefficient $r = 0.99968$. This means that the average execution time increases linearly

Authorized licensed use limited to: KIT Library. Downloaded on April 29,2023 at 16:22:51 UTC from IEEE Xplore. Restrictions apply.
ZHANG et al.: FPBN APPROACH FOR DYNAMIC CYBERSECURITY RISK ASSESSMENT IN ICSs 2505

This indicates good scalability of our risk assessment approach. For 490 nodes, the maximum execution time of the FPBN is 4.90 s in our simulation environment.

Fig. 12. Execution time performance of our approach under different problem sizes, each with 200 runs.

F. Comparison of Various Approaches

Requirements for cybersecurity risk assessment change from one system to another, or from one scenario to another. Therefore, a variety of risk assessment approaches have been developed for different scenarios or applications. A direct comparison of these approaches on a particular scenario would be unfair. Instead, a comparison of the differences among these approaches gives some insight into their functionality and features. Table II provides such a comparison of our approach and existing approaches. It is seen from Table II that our approach has more of the listed features than any of the existing approaches from the literature; the one feature it lacks is the handling of unknown attacks, which is addressed in [12].

TABLE II
COMPARISON OF OUR APPROACH AND EXISTING APPROACHES

                                     | Our approach | Approaches from the literature
                                     | OA           | [12] | [35] | [36] | [37] | [13] | [14] | [38]
Is it designed for ICSs?             | ✓            | ✓    | ✗    | ✓    | ✗    | ✗    | ✓    | ✗
Is it dynamic risk assessment?       | ✓            | ✓    | ✓    | ✓    | ✗    | ✓    | ✓    | ✓
Does it support fuzzy probability?   | ✓            | ✗    | ✓    | ✗    | ✗    | ✗    | ✗    | ✗
Is it quantitative risk assessment?  | ✓            | ✓    | ✓    | ✓    | ✓    | ✓    | ✓    | ✓
Can it filter noises?                | ✓            | ✗    | ✗    | ✗    | ✗    | ✗    | ✗    | ✗
Can it address unknown attacks?      | ✗            | ✓    | ✗    | ✗    | ✗    | ✗    | ✗    | ✗

OA: our approach. ✓ = yes, ✗ = no.

VII. CONCLUSION

Dynamic assessment of cybersecurity risks plays a vital role in cybersecurity protection of ICSs. Due to the lack of historical data in ICSs, building a risk propagation model is difficult for risk assessment. To address this issue, an FPBN approach has been presented in this paper for dynamic assessment of cybersecurity risks in ICSs. It starts with establishment of an FPBN. To overcome the difficulty of limited historical data, fuzzy probabilities have been used in our approach to replace the crisp probabilities used in standard BNs. Then, an approximate dynamic inference algorithm has been designed for dynamic assessment of cybersecurity risks based on the established FPBN. It has been integrated with a noise evidence filter for removal of noise evidence caused by system faults. To demonstrate the effectiveness of our presented approach, experiments have been conducted on a simulation platform of a simplified chemical reactor. Our simulations of 5000 runs for each scenario have shown a computation time of about 3 s for risk evaluation, indicating satisfaction of soft real-time control requirements of ICSs.

ACKNOWLEDGMENT

The authors would like to thank the anonymous referees for their critical comments and suggestions, which are invaluable for improvement of the quality of this paper.

REFERENCES

[1] Y. Zhou, Z. Mo, Q. Xiao, S. Chen, and Y. Yin, "Privacy-preserving transportation traffic measurement in intelligent cyber-physical road systems," IEEE Trans. Veh. Technol., vol. 65, no. 5, pp. 3749–3759, May 2016.
[2] P. Nuzzo, A. L. Sangiovanni-Vincentelli, D. Bresolin, L. Geretti, and T. Villa, "A platform-based design methodology with contracts and related tools for the design of cyber-physical systems," Proc. IEEE, vol. 103, no. 11, pp. 2104–2132, Nov. 2015.
[3] S. Jeschke, C. Brecher, T. Meisen, D. Özdemir, and T. Eschert, Industrial Internet of Things and Cyber Manufacturing Systems. Cham, Switzerland: Springer, 2017, pp. 3–19.
[4] H. Wang, N. Lau, and R. Gerdes, "Application of work domain analysis for cybersecurity," in Proc. Int. Conf. Human Aspects Inf. Security, Privacy, Trust. New York, NY, USA: Springer, 2017, pp. 384–395.
[5] B. Miller and D. Rowe, "A survey of SCADA and critical infrastructure incidents," in Proc. 1st Annu. Conf. Res. Inf. Technol. New York, NY, USA: ACM, 2012, pp. 51–56.
[6] L. J. Trautman and P. C. Ormerod, "Industrial cyber vulnerabilities: Lessons from Stuxnet and the Internet of Things," Univ. Miami Law Review, forthcoming, Jun. 7, 2017. [Online]. Available: https://ssrn.com/abstract=2982629
[7] E. Nakashima, G. Miller, and J. Tate, "US, Israel developed Flame computer virus to slow Iranian nuclear efforts, officials say," The Washington Post, Jun. 19, 2012. [Online]. Available: https://www.washingtonpost.com/world/national-security/us-israel-developed-computer-virus-to-slow-iranian-nuclear-efforts-officials-say/2012/06/19/gJQA6xBPoV_story.html?utm_term=.26d4f9575892
[8] P. Paganini, "Israeli road control system hacked, caused traffic jam on Haifa highway," The Hacker News, 2013. [Online]. Available: https://thehackernews.com/2013/10/israeli-road-control-system-hacked.html
[9] "ICS-CERT year in review," Industrial Control Systems Cyber Emergency Response Team, 2016. [Online]. Available: https://ics-cert.us-cert.gov/sites/default/files/Annual_Reports/Year_in_Review_FY2016_Final_S508C.pdf
[10] H. Song, G. Fink, and S. Jeschke, Security and Privacy in Cyber-Physical Systems: Foundations, Principles and Applications. Hoboken, NJ, USA: Wiley, 2017.
[11] M. Ni, J. D. McCalley, V. Vittal, and T. Tayyib, "Online risk-based security assessment," IEEE Trans. Power Syst., vol. 18, no. 1, pp. 258–265, Feb. 2003.
[12] Q. Zhang, C. Zhou, N. Xiong, Y. Qin, X. Li, and S. Huang, "Multimodel-based incident prediction and risk assessment in dynamic cybersecurity protection for industrial control systems," IEEE Trans. Syst., Man, Cybern., Syst., vol. 46, no. 10, pp. 1429–1444, Oct. 2016.
[13] N. Poolsappasit, R. Dewri, and I. Ray, "Dynamic security risk management using Bayesian attack graphs," IEEE Trans. Dependable Secure Comput., vol. 9, no. 1, pp. 61–74, Jan. 2012.
[14] R. Gowland, "The accidental risk assessment methodology for industries (ARAMIS)/layer of protection analysis (LOPA) methodology: A step forward towards convergent practices in risk assessment?" J. Hazardous Mater., vol. 130, no. 3, pp. 307–310, 2006.
[15] R. Baheti and H. Gill, "Cyber-physical systems," Impact Control Technol., vol. 12, pp. 161–166, 2011.
[16] Y. Zhang, G. Tao, and M. Chen, "Relative degrees and adaptive feedback linearization control of T-S fuzzy systems," IEEE Trans. Fuzzy Syst., vol. 23, no. 6, pp. 2215–2230, Dec. 2015.
[17] N. Friedman, D. Geiger, and M. Goldszmidt, "Bayesian network classifiers," Mach. Learn., vol. 29, no. 2/3, pp. 131–163, 1997.


[18] A. Mehmood, A. Khanan, A. H. H. M. Mohamed, and H. Song, "ANTSC: An intelligent naive Bayesian probabilistic estimation practice for traffic flow to form stable clustering in VANET," IEEE Access, 2017.
[19] B. Cai, L. Huang, and M. Xie, "Bayesian networks in fault diagnosis," IEEE Trans. Ind. Informat., vol. 13, no. 5, pp. 2227–2240, Oct. 2017.
[20] C. Queiroz, A. Mahmood, and Z. Tari, "A probabilistic model to predict the survivability of SCADA systems," IEEE Trans. Ind. Informat., vol. 9, no. 4, pp. 1975–1985, Nov. 2013.
[21] M. Kafai and B. Bhanu, "Dynamic Bayesian networks for vehicle classification in video," IEEE Trans. Ind. Informat., vol. 8, no. 1, pp. 100–109, Feb. 2012.
[22] F. G. Cozman et al., "Generalizing variable elimination in Bayesian networks," in Proc. Workshop Probabilistic Reason. Bayesian Networks SBIA/Iberamia, 2000, pp. 21–26.
[23] S. L. Lauritzen and D. J. Spiegelhalter, "Local computations with probabilities on graphical structures and their application to expert systems," J. Roy. Stat. Soc. Ser. B (Methodological), pp. 157–224, 1988.
[24] A. Darwiche, "Recursive conditioning," Artif. Intell., vol. 126, no. 1/2, pp. 5–41, 2001.
[25] A. Salmerón, A. Cano, and S. Moral, "Importance sampling in Bayesian networks using probability trees," Comput. Statist. Data Anal., vol. 34, no. 4, pp. 387–413, 2000.
[26] D. Gamerman and H. F. Lopes, Markov Chain Monte Carlo: Stochastic Simulation for Bayesian Inference. Boca Raton, FL, USA: CRC Press, 2006.
[27] R. Mateescu, K. Kask, and R. Dechter, "Partition-based anytime approximation for belief updating," ICS, University of California, Irvine, CA, USA, Tech. Rep., 2001. [Online]. Available: http://www.mathcs.emory.edu/~whalen/Papers/BNs/DistributedBNs/CausalDecomposition/Partition-based%20Anytime%20Approximation%20for%20Belief%20Updating.pdf
[28] K. P. Murphy, Y. Weiss, and M. I. Jordan, "Loopy belief propagation for approximate inference: An empirical study," in Proc. 15th Conf. Uncertainty Artif. Intell. San Mateo, CA, USA: Morgan Kaufmann, 1999, pp. 467–475.
[29] R. N. Aslin, J. R. Saffran, and E. L. Newport, "Computation of conditional probability statistics by 8-month-old infants," Psychol. Sci., vol. 9, no. 4, pp. 321–324, 1998.
[30] J. Halliwell and Q. Shen, "Linguistic probabilities: Theory and application," Soft Comput.—A Fusion Found., Methodologies Appl., vol. 13, no. 2, pp. 169–183, 2009.
[31] J. L. Halliwell, "Linguistic probability theory," Ph.D. dissertation, School Informat., Univ. of Edinburgh, Edinburgh, U.K., 2008.
[32] R. Zwick, E. Carlstein, and D. V. Budescu, "Measures of similarity among fuzzy concepts: A comparative analysis," Int. J. Approx. Reason., vol. 1, no. 2, pp. 221–242, 1987.
[33] P. Grzegorzewski, "Distances between intuitionistic fuzzy sets and/or interval-valued fuzzy sets based on the Hausdorff metric," Fuzzy Sets Syst., vol. 148, no. 2, pp. 319–328, 2004.
[34] A. T. Ihler, J. W. Fisher, III, and A. S. Willsky, "Loopy belief propagation: Convergence and effects of message errors," J. Mach. Learn. Res., vol. 6, pp. 905–936, 2005.
[35] J. Ren, I. Jenkinson, J. Wang, D. Xu, and J. Yang, "An offshore risk analysis method using fuzzy Bayesian network," J. Offshore Mech. Arctic Eng., vol. 131, no. 4, 2009, Art. no. 041101.
[36] A. A. Cárdenas, S. Amin, Z.-S. Lin, Y.-L. Huang, C.-Y. Huang, and S. Sastry, "Attacks against process control systems: Risk assessment, detection, and response," in Proc. 6th ACM Symp. Inf., Comput. Commun. Security. New York, NY, USA: ACM, 2011, pp. 355–366.
[37] C. Alberts, A. Dorofee, J. Stevens, and C. Woody, "Introduction to the OCTAVE approach," CERT Coordination Center, Aug. 2003. [Online]. Available: http://www.dtic.mil/get-tr-doc/pdf?AD=ADA634134
[38] K. Wrona and G. Hallingstad, "Real-time automated risk assessment in protected core networking," Telecommun. Syst., vol. 45, no. 2, pp. 205–214, 2010.

Qi Zhang received the M.S. and Ph.D. degrees in automation in 2012 and 2017 from the Huazhong University of Science and Technology, Wuhan, China, where he is currently working toward the Ph.D. degree in control science and control engineering with the School of Automation. His research interests include risk assessment and decision-making for industrial control systems.

Chunjie Zhou received the M.S. and Ph.D. degrees in control theory and control engineering from Huazhong University of Science and Technology, Wuhan, China, in 1991 and 2001, respectively. He is currently a Professor in the School of Automation, Huazhong University of Science and Technology. His research interests include safety and security control of industrial control systems, theory and application of networked control systems, and artificial intelligence.

Yu-Chu Tian (M'00) received the Ph.D. degree in computer and software engineering in 2009 from the University of Sydney, Sydney, NSW, Australia, and the Ph.D. degree in industrial automation in 1993 from Zhejiang University, Hangzhou, China. Over the years, he has worked at Zhejiang University; Hong Kong University of Technology, Hong Kong, China; Curtin University of Technology, Perth, WA; and the University of Maryland at College Park, MD, USA. Since 2002, he has been with Queensland University of Technology, Brisbane, QLD, Australia, as a Professor of Computer Science. He has authored or coauthored a monograph and more than 200 refereed papers, and is the holder of a patent. His research interests include big data computing, cloud computing, real-time computing, computer networks, and control theory and engineering. Dr. Tian is the Editor-in-Chief of Springer's book series Handbook of Real-Time Computing, and an Associate Editor for a few international journals.

Naixue Xiong (M'08–SM'12) received the B.E. degree in computer science from the Hubei University of Technology, Wuhan, China, in 2001, the M.E. degree in computer science from Central China Normal University, Wuhan, China, in 2004, and the Ph.D. degrees in software engineering from Wuhan University, Wuhan, China, in 2007, and in dependable networks from Japan Advanced Institute of Science and Technology, Nomi, Japan, in 2008. He is currently a Full Professor in the Department of Business and Computer Science, Southwestern Oklahoma State University, Weatherford, OK, USA. His research interests include cloud computing, security and dependability, parallel and distributed computing, networks, and optimization theory. Dr. Xiong is an Editor-in-Chief, an Associate Editor or an Editor Member, and a Guest Editor for more than ten international journals, including an Associate Editor for the IEEE TRANSACTIONS ON SYSTEMS, MAN, & CYBERNETICS: SYSTEMS, and an Editor-in-Chief for the Journal of Parallel & Cloud Computing, Sensor Journal, Wireless Networks, and Mobile Networks and Application.

Yuanqing Qin received the M.S. and Ph.D. degrees in control theory and control engineering from Huazhong University of Science and Technology, Wuhan, China, in 2003 and 2007, respectively. He is currently a Lecturer in the Department of Control Science and Engineering, Huazhong University of Science & Technology. His research interests include networked control systems, artificial intelligence, and machine vision.

Bowen Hu received the B.S. degree in automation from Central South University, Changsha, China, in 2015. He is currently working toward the Ph.D. degree in control science and control engineering at the School of Automation, Huazhong University of Science and Technology, Wuhan, China. His main research interests include industrial control system and smart grid information security.
