Predictive and Diagnostic Inference for Power Systems Cybersecurity: Analysis of the Industroyer Cyber-Kill Chain
Davide Savarro; Elvio Gilberto Amparore; Davide Cerotti; Giuliana Franceschinis
2026-01-01
Abstract
This paper proposes an extension of an existing security assessment methodology for Cyber-Physical Power Systems, applying it to model the Industroyer cyber-kill chain. Our approach represents both the attack progression (the sequence of successfully executed MITRE ATT&CK techniques) and the physical power system conditions, expressed through metrics such as bus voltages and line loads. To achieve this, we leverage a Dynamic Bayesian Network (DBN) constructed in two parts: the part modeling the cyber-attack progression is derived from an Attack Graph, while the other is derived from the structure of the physical components in order to evaluate the impact on the power grid. The DBN parameters of the first part are derived from Time-to-Completion estimates, while those of the second part are obtained through trace-based learning of the power grid's simulated behavior. Our results show that this approach enables both predictive analysis, to forecast how the attack will propagate, and diagnostic inference, to identify the attack steps responsible for grid instability. The code and models used in this work are available here: https://github.com/Dosclic98/serics-qcps2-wp3-models-results.


