Table 3. Qualitative CPS risk assessment.

Column groups as in the original layout: Attack (Type, Impact); System/Data Exposure (Protected, Unprotected); Evaluation (Risk Level, Security Measures); Risk Mitigation (Countermeasures); Targeted Security Goals (Confidentiality, Integrity, Availability, Authentication). Exposure levels L/M/H correspond to Low/Moderate/High as used in the Impact column.

| Attack Type | Impact | Exposure (Protected) | Exposure (Unprotected) | Risk Level | Security Measures | Countermeasures | Confidentiality | Integrity | Availability | Authentication |
|---|---|---|---|---|---|---|---|---|---|---|
| Malware | High | L/M/H | H | Ma/Cr | D, P, C & R | IDS, Firewalls, Anti-Malware, Anti-Virus | X | | | |
| Spyware | Moderate | M | H | Ma/Mi | D, P & R | Anti-Spyware, Defence in Depth | X | X | X | |
| Ransomware | High | M/H | H | Ma/Cr | D, R & C | Honeypot, Verified Backup/Update, Lessons Learnt | | | | |
| Botnets | High | M/L | H | Ma | D, C & P | IDS, Anti-Malware | X | | | |
| DoS/DDoS | High | H | H | Ma/Mi | D, P & R | Backups, Secondary Devices, IDS, Leverage to Clouds | X | X | X | |
| Eavesdrop | Low | L | H | Mi | D & P | HTTPS/SSH Encryption, Personal Firewalls, VPNs [238] | X | X | X | |
| Side-Channel | Moderate | M/L | H | Ma | D, P & R | Ultra-Low Power Processors, Faraday Cage, Obfuscating Timing/Power Information [239] | X | X | X | |
| Zero-Day | High | H | H | Cr | D, C & R | Real-Time Threat Intelligence, Rapid Incident Response Teams, Constant Updates | | | | |
| Malicious Data Injection | Moderate | L | H | Ma | D, P & C | Hybrid IDS, ML, BYOD Policy [240] | X | X | | |
| Social Engineering | Low | L | M/H | Mi | D & P | Employee Training & Awareness | X | X | | |
| Phishing | Moderate | L | H | Ma | D & P | IDS, Anti-Phishing Software/Training | X | X | | |
| Password Cracking | Moderate | L | M | Ma | P & C | Password Policy, Periodic Password Changing | X | | | |
| Replay | Low | L | M | Mi | D & P | Timestamp, Filtering, Random Session Keying | X | X | X | |
| XSS | High | L | H | Cr | D & P | Validate & Sanitize User Input | X | | | |
| SQLi | Moderate | L | H | Ma/Mi | D, C & P | Least Privilege, Strong Code, Whitelisting | X | | | |
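The Replay row lists "Timestamp, Filtering, Random Session Keying" as countermeasures without showing how the three fit together. The following Python is an added example written for this page, not code from the paper: a receiver-side check for a CPS command channel that rejects a message if its integrity tag fails, if its timestamp falls outside an acceptance window, or if its random nonce has already been seen within that window, with the tag keyed by a per-session key derived from a long-term key. All names (`ReplayGuard`, `derive_session_key`, the 30-second window, the constructed command payload) are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

WINDOW_SECONDS = 30  # assumed acceptance window; tune to clock skew of the deployment


def derive_session_key(long_term_key: bytes, session_id: bytes) -> bytes:
    """Random session keying: a fresh per-session key, so a message captured in one
    session cannot be replayed into another even inside the timestamp window."""
    return hmac.new(long_term_key, b"session|" + session_id, hashlib.sha256).digest()


class ReplayGuard:
    """Timestamp + nonce filter shared by sender (seal) and receiver (accept).
    `now` is injectable so the check can be exercised with a controlled clock."""

    def __init__(self, session_key: bytes, window: int = WINDOW_SECONDS, now=time.time):
        self.key = session_key
        self.window = window
        self.now = now
        self.seen = {}  # nonce -> timestamp of first acceptance (bounded by the window)

    def _tag(self, ts: int, nonce: bytes, payload: bytes) -> bytes:
        # Bind timestamp, nonce and payload under the session key.
        msg = str(ts).encode() + b"|" + nonce + b"|" + payload
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def seal(self, payload: bytes):
        """Sender side: attach current time, a random nonce and the tag."""
        ts = int(self.now())
        nonce = os.urandom(16)
        return (ts, nonce, payload, self._tag(ts, nonce, payload))

    def accept(self, message):
        """Receiver side: returns (accepted, reason)."""
        ts, nonce, payload, tag = message
        # 1. Integrity/authenticity first, so forged timestamps cannot poison the cache.
        if not hmac.compare_digest(tag, self._tag(ts, nonce, payload)):
            return (False, "bad-tag")
        now = self.now()
        # 2. Timestamp filtering: anything outside the window is stale (or from the future).
        if abs(now - ts) > self.window:
            return (False, "stale")
        # 3. Purge nonces older than the window so the cache stays bounded,
        #    then reject any nonce already accepted inside the window.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if nonce in self.seen:
            return (False, "replay")
        self.seen[nonce] = ts
        return (True, "ok")


def demo(window: int = WINDOW_SECONDS):
    """Walk through the four outcomes on a constructed command with a fake clock."""
    clock = [1_000.0]
    long_term = b"constructed-long-term-key"  # placeholder, not a real key
    guard_a = ReplayGuard(derive_session_key(long_term, b"session-A"), window, lambda: clock[0])
    guard_b = ReplayGuard(derive_session_key(long_term, b"session-B"), window, lambda: clock[0])

    msg = guard_a.seal(b"OPEN_VALVE 3")  # constructed CPS command
    results = {
        "first": guard_a.accept(msg),
        "replayed": guard_a.accept(msg),
        "other_session": guard_b.accept(msg),
        "tampered": guard_a.accept((msg[0], msg[1], b"OPEN_VALVE 4", msg[3])),
    }
    clock[0] += window + 1
    results["late"] = guard_a.accept(msg)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14s} -> {outcome}")
```

Checking the tag before consulting the clock or the nonce cache matters: otherwise an unauthenticated party could fill the cache or probe the window with forged messages. The purge keeps the cache proportional to the number of genuine messages per window rather than growing without bound.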