Critical Attacks Set Identification in Attack Graphs for Computer and SCADA/ICS Networks

Supervisory control and data acquisition/industrial control systems (SCADA/ICSs) networks are becoming more vulnerable to attacks that exploit the interdependence of security weaknesses at the atomic level to compromise system-level security. Attack graphs are an effective approach to depict these complex attack scenarios, assisting security administrators in determining how to best safeguard their systems. However, due to time and financial constraints, it is frequently not possible to address all atomic-level flaws at the same time. In this article, we propose a method for automatically detecting a minimal set of critical attacks that, when defended against, render the system secure. Finding a minimal label cut is typically an NP-complete problem. However, we propose a linear complexity approximation that uses the attack graph's strongly connected components (SCCs) to create a simplified version of the graph in the form of a tree over the SCCs. Then, we perform an iterative backward search over this tree to find a set of backward-reachable SCCs, as well as their outward edges and labels, in order to find a cut of the tree with the fewest labels, which is a critical attack set. We put our proposed method to the test on real-world case studies, such as IT and SCADA networks for a cyber-physical system for water treatment, and outperformed previous state-of-the-art algorithms in terms of approximation accuracy and/or computational speed. Our solution provides security administrators with a practical and efficient method for prioritizing efforts to address vulnerabilities in SCADA/ICS networks.