How Should Enterprises Quantify and Analyze (Multi-Party) APT Cyber-Risk in their Industrial IoT Network?
Author(s)
Pal, Ranjan; Yin, Xinlong; Sequeira, Rohan; Zeijlemaker, Sander; Kotala, Vineeth
Publisher Policy
Article is made available in accordance with the publisher's policy and may be subject to US copyright law. Please refer to the publisher's site for terms of use.
Abstract
Industrial Internet of Things (IIoT) networks (e.g., a smart grid industrial control system) are increasingly on the rise, especially in smart cities around the globe. They contribute to meeting the day-to-day needs (e.g., power, water, manufacturing, transportation) of civilian society, alongside making societal businesses more efficient, productive, and profitable. However, it is also well known that IoT devices often operate on poorly configured security settings. This increases the chances of occurrence of (nation-sponsored) stealthy spread-based APT malware attacks in IIoT networks that might go undetected over a considerable period of time. Such attacks usually generate a negative first-party QoS impact upon a network that spans (aggregates) space (the entire IIoT network or a sub-network) and time (duration of business disruption) and is popularly captured by businesses through a statistical cyber-loss distribution. In this paper, we propose, for spread-based APT malware cyber-attacks, the first rigorous and computationally efficient network theory framework (that extends beyond IIoT networks to general sensor networks) to (a) evaluate this distribution, (b) accurately approximate its computationally intractable statistical moments under arbitrary tail-shapes, and (c) tightly bound the accuracy of empirical tail risk obtained using the Conditional Value at Risk (CVaR) metric. Clearly, accurate estimates of the latter quantities for a parameterized family of malware-based APT cyber-attacks act as a necessary condition for cyber-risk managers (e.g., cyber-insurers) to effectively design and deploy stand-alone risk coverage policies for such attacks on IIoT networks. These quantities will also help the C-suite of business organizations allocate appropriate investments in time and money on securing 'central' adversary targets (e.g., processes, humans, hardware) within the organization to reduce first-party tail risks and improve cyber-resilience. We validate the effectiveness of our theory using trace-driven Monte Carlo simulations based upon test-bed experiments conducted in the FIT IoT-Lab.
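As an added illustration, and not the paper's own framework (its network-theory method for evaluating the loss distribution and bounding CVaR accuracy is not reproduced here), the following Python builds a toy spread process on a small constructed IIoT topology, draws a first-party loss distribution by Monte Carlo, and computes the quantities the abstract names: the first two statistical moments and the empirical Value at Risk / Conditional Value at Risk of the loss sample. The 12-node ring topology, the per-step infection probability, the number of spread steps and the per-node loss figure are all assumptions chosen for the example.

```python
import math
import random

# Constructed toy IIoT topology (example only, not from the paper): 12 nodes on a
# ring with two cross-links, so a few 'central' nodes carry most of the spread.
# Edges are undirected.
N_NODES = 12
EDGES = [(i, (i + 1) % N_NODES) for i in range(N_NODES)] + [(0, 6), (3, 9)]
LOSS_PER_NODE = 10_000.0  # assumed first-party loss per compromised node


def simulate_spread_loss(rng, n_nodes=N_NODES, edges=EDGES,
                         p_infect=0.3, steps=5, loss_per_node=LOSS_PER_NODE):
    """One Monte Carlo run of a stealthy spread: start from one random node and,
    for a fixed number of steps, let every infected node compromise each
    uninfected neighbour with probability p_infect. Nodes compromised in a
    step only start spreading in the next step. Returns the aggregate
    first-party loss over the whole network for this run."""
    infected = {rng.randrange(n_nodes)}
    for _ in range(steps):
        newly = set()
        for u, v in edges:
            if u in infected and v not in infected and rng.random() < p_infect:
                newly.add(v)
            elif v in infected and u not in infected and rng.random() < p_infect:
                newly.add(u)
        infected |= newly
    return len(infected) * loss_per_node


def loss_distribution(n_runs=2000, seed=7, **kwargs):
    """Empirical cyber-loss distribution: a sorted list of per-run losses."""
    rng = random.Random(seed)
    return sorted(simulate_spread_loss(rng, **kwargs) for _ in range(n_runs))


def moments(losses):
    """Sample mean and (unbiased) sample variance, the first two moments."""
    n = len(losses)
    mean = sum(losses) / n
    variance = sum((x - mean) ** 2 for x in losses) / (n - 1)
    return mean, variance


def var_cvar(losses, alpha=0.95):
    """Empirical Value at Risk and Conditional Value at Risk at level alpha.
    VaR is the alpha-quantile of the loss sample; CVaR is the mean of the
    losses at or above that quantile, i.e. the expected loss in the worst
    (1 - alpha) fraction of runs. CVaR is never below VaR."""
    if not 0 < alpha < 1:
        raise ValueError("alpha must lie strictly between 0 and 1")
    s = sorted(losses)
    idx = math.ceil(alpha * len(s)) - 1   # >= 0 because alpha * n > 0
    value_at_risk = s[idx]
    tail = s[idx:]
    return value_at_risk, sum(tail) / len(tail)


def tail_risk_report(n_runs=2000, alpha=0.95, seed=7):
    """Moments and tail-risk metrics of the simulated loss distribution."""
    losses = loss_distribution(n_runs=n_runs, seed=seed)
    mean, variance = moments(losses)
    value_at_risk, cvar = var_cvar(losses, alpha)
    return {"mean": mean, "variance": variance, "var": value_at_risk,
            "cvar": cvar, "max": losses[-1]}


if __name__ == "__main__":
    for name, value in tail_risk_report().items():
        print(f"{name:>8}: {value:,.2f}")
```

The gap between CVaR and VaR at the chosen level is the part of the tail that a single quantile hides; a risk manager sizing a coverage policy, or a C-suite deciding where hardening investment goes, cares about that gap, and the accuracy of its empirical estimate is exactly what the abstract's item (c) sets out to bound.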
Department
Sloan School of Management
Journal
ACM Transactions on Management Information Systems
Publisher
ACM
Citation
Pal, Ranjan, Yin, Xinlong, Sequeira, Rohan, Zeijlemaker, Sander and Kotala, Vineeth. "How Should Enterprises Quantify and Analyze (Multi-Party) APT Cyber-Risk in their Industrial IoT Network?." ACM Transactions on Management Information Systems.
Version: Final published version