{"title":"CIL: Cyber security index level of cyber-physical systems: A robust stochastic game approach using MITRE ATT&CK framework","authors":"Zahra Azimi, Ahmad Afshar","doi":"10.1016/j.sysconle.2025.106207","DOIUrl":null,"url":null,"abstract":"<div><div>This paper addresses the challenge of cyber security assessment in interdependent cyber-physical systems (CPS) under model uncertainty and partial observability by developing a Hybrid Zero-Sum Multi-Stage Robust Stochastic-Bayesian (HZMRS) game model. In the cyber layer, HZMRS models attack infiltration dynamics by incorporating tactics and techniques from the ICS MITRE ATT&CK framework, thereby systematically enhancing the modeling of adversarial progression. For the power network as the physical layer, HZMRS employs the Transient Energy Function (TEF) approach, instead of linear approximations and small-signal stability criteria, to effectively capture the severe transient disturbances triggered by DoS attacks. To solve the HZMRS game, we propose a Robust Accelerated Value Iteration (RAVI) algorithm that ensures robust performance against worst-case transition probabilities and employs prioritized sweeping to accelerate convergence. We also provide a proof of convergence for this algorithm. Unlike classic algorithms, RAVI is designed to handle model uncertainties arising from zero-day vulnerabilities and incomplete information about attacker capabilities. Based on the outcome of the HZMRS, we introduce a novel metric called <em>Cyber Security Index Level</em> (<span><math><mrow><mi>C</mi><mi>I</mi><mi>L</mi></mrow></math></span>), which quantifies the probability of successful physical layer intrusion after breaching the cyber layer. The proposed model is validated through simulations conducted on the IEEE 9-bus power network, considering an attack scenario adapted from the BlackEnergy v3 malware. 
Comparative results show that RAVI achieves successful convergence under uncertainty, and the derived security metrics offer improved reliability and practical relevance for real-world CPS applications.</div></div>","PeriodicalId":49450,"journal":{"name":"Systems & Control Letters","volume":"204 ","pages":"Article 106207"},"PeriodicalIF":2.1000,"publicationDate":"2025-07-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Systems & Control Letters","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167691125001896","RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"AUTOMATION & CONTROL SYSTEMS","Score":null,"Total":0}
Citations: 0
Abstract
This paper addresses the challenge of cyber security assessment in interdependent cyber-physical systems (CPS) under model uncertainty and partial observability by developing a Hybrid Zero-Sum Multi-Stage Robust Stochastic-Bayesian (HZMRS) game model. In the cyber layer, HZMRS models attack infiltration dynamics by incorporating tactics and techniques from the ICS MITRE ATT&CK framework, thereby systematically enhancing the modeling of adversarial progression. For the power network as the physical layer, HZMRS employs the Transient Energy Function (TEF) approach, instead of linear approximations and small-signal stability criteria, to effectively capture the severe transient disturbances triggered by DoS attacks. To solve the HZMRS game, we propose a Robust Accelerated Value Iteration (RAVI) algorithm that ensures robust performance against worst-case transition probabilities and employs prioritized sweeping to accelerate convergence. We also provide a proof of convergence for this algorithm. Unlike classic algorithms, RAVI is designed to handle model uncertainties arising from zero-day vulnerabilities and incomplete information about attacker capabilities. Based on the outcome of the HZMRS, we introduce a novel metric called Cyber Security Index Level (CIL), which quantifies the probability of successful physical layer intrusion after breaching the cyber layer. The proposed model is validated through simulations conducted on the IEEE 9-bus power network, considering an attack scenario adapted from the BlackEnergy v3 malware. Comparative results show that RAVI achieves successful convergence under uncertainty, and the derived security metrics offer improved reliability and practical relevance for real-world CPS applications.
About the journal:
Founded in 1981 by two of the pre-eminent control theorists, Roger Brockett and Jan Willems, Systems & Control Letters is one of the leading journals in the field of control theory. The aim of the journal is to allow dissemination of relatively concise but highly original contributions whose high initial quality enables a relatively rapid review process. All aspects of the fields of systems and control are covered, especially mathematically-oriented and theoretical papers that have a clear relevance to engineering, physical and biological sciences, and even economics. Application-oriented papers with sophisticated and rigorous mathematical elements are also welcome.