Defenders have to enforce defense strategies by taking decisions on allocation of resources to protect the integrity and survivability of cyber-physical systems (CPSs) from intentional and malicious cyber attacks. In this work, we propose an adversarial risk analysis approach to provide a novel one-sided prescriptive support strategy for the defender to optimize the defensive resource allocation, based on a subjective expected utility model, in which the decisions of the adversaries are uncertain. This increases confidence in cyber security through robustness of CPS protection actions against uncertain malicious threats compared with prescriptions provided by a classical defend-attack game-theoretical approach. We present the approach and the results of its application to a nuclear CPS, specifically the digital instrumentation and control system of the advanced lead-cooled fast reactor European demonstrator.
Keywords: Adversarial risk analysis (ARA); cyber security; cyber-physical system; defend-attack model; defense strategy; game theory; nuclear power plant; optimization.
© 2019 Society for Risk Analysis.