CyRA: A Real-Time Risk-Based Security Assessment Framework for Cyber Attacks Prevention in Industrial Control Systems

Insufficient authentication and authorization of interconnected components are major risks in the Industrial Control System (ICS). To address this, we introduce CyRA, a realtime risk-based security assessment framework that consists of a Nested-ICS security architecture, secure registration protocol, and risk-based multi-factor authentication protocol by which every component is authenticated and authorized to ensure secure communications and prevent cyber attacks in the ICS. Our proposed framework applies Zero-Knowledge Proof of Knowledge (ZKPK) to perform risk-based multi-factor authentication and authorization using a digitally signed identity that encodes secrets provided by the component. Our approach is based on Threat Modeling (TM), Vulnerability Identification (VI), and Consequence Analysis (CA) to provide adequate and efficient authentication and authorization in the ICS. The resilience of our framework is evaluated against recent well-known cyber attacks. Specifically, we conduct a risk-based security assessment for a Safety Instrumentation System (SIS) communication protocol, known as TriStation. The results show that our framework enhances the security of the protocol in dealing with real-time uncertainty of threats, vulnerabilities, and consequences from a new cyber-attack, known as TRITON malware.