Information Security Risk Assessment Method for Ship Control System Based on Fuzzy Sets and Attack Trees

Abstract EN

Information security risk assessment for industrial control system is usually influenced by uncertain factors.

For effectively dealing with problem that the uncertainty and quantification difficulties are caused by subjective and objective factors in the assessment process, an information security risk assessment method based on attack tree model with fuzzy set theory and probability risk assessment technology is proposed, which is applied in a risk scenario of ship control system.

Firstly, potential risks of the control system are analyzed and the attack tree model is established.

Then triangular fuzzy numbers and expert knowledge are used to determine the factors that influence the probability of a leaf node and the leaf nodes are quantified to obtain the interval probability.

Finally, the fuzzy arithmetic is used to determine the interval probability of the root node and the attack path.

After defuzzification, the potential risks of the system and the probability of occurrence of each attack path are obtained.

Compared with other methods, the proposed method can greatly reduce the impact of subjectivity on the risk assessment of industrial control systems and get more stable, reliable, and scientific evaluation results.