Security Analysis on Cyber-physical System Using Attack Tree

Cyber-Physical System (CPS) is a system of system which integrates physical system with cyber capability in order to improve the physical performance. It is being widely used in areas closely related to national economy and people's livelihood, therefore CPS security problems have drawn a global attention and an appropriate risk assessment for CPS is in urgent need. Existing risk assessment for CPS always focuses on the reliability assessment, using Probability Risk Assessment (PRA). In this way, the assessment of physical part and cyber part is isolated as PRA is difficult to quantify the risks from the cyber world. Methodologies should be developed to assess the both parts as a whole system, considering this integrated system has a high coupling between the physical layer and cyber layer. In this paper, a risk assessment idea for CPS with the use of attack tree is proposed. Firstly, it presents a detailed description about the threat and vulnerability attributes of each leaf in an attack tree and tells how to assign value to its threat and vulnerability vector. Then this paper focuses on calculating the threat and vulnerability vector of an attack path with the use of the leaf vector values. Finally, damage is taken into account and an idea to calculate the risk value of the whole attack path is given.