Optimization of the penetration testing process in automated process control systems using machine learning algorithms
https://doi.org/10.21821/2309-5180-2024-16-3-456-466
Abstract
The paper studies the widespread implementation of automated information management systems in industry, energy and transport. It notes that their growing complexity inevitably gives rise to various kinds of vulnerabilities, which allow attackers to penetrate automated control systems, take control of them, and disrupt the normal operation of the technological processes they control. It emphasizes that over the past decade successful cyber attacks have been recorded in the energy sector (including nuclear), in maritime shipping, in port transshipment complexes, and in other systems. A preventive approach to securing automated control systems is to identify and exploit existing vulnerabilities by simulating possible cyber attacks. Automating a process as labor-intensive as penetration testing reduces the time, financial costs and other resources it requires. The main methods for identifying vulnerabilities, including the use of artificial intelligence, are reviewed. The presented approach to optimizing penetration testing in automated process control systems uses machine learning algorithms, with preference given to reinforcement learning based on the Deep Q-learning algorithm. The paper proposes integrating network scanning, attack graph construction and neural network training to identify vulnerabilities and risks in network infrastructures effectively. The attack graph is built from the MITRE ATT&CK knowledge base using the GBVA Framework, and the Deep Q-learning algorithm is used to select optimal actions during testing.
About the Authors
A. P. Nyrkov
Russian Federation
Nyrkov, Anatoliy P. — Dr. of Technical Sciences, professor
5/7 Dvinskaya Str., St. Petersburg, 198035
E. S. Yumasheva
Russian Federation
Yumasheva, Elena S. — Postgraduate
5/7 Dvinskaya Str., St. Petersburg, 198035
A. V. Kirikov
Russian Federation
Kirikov, Anton V. — Postgraduate
5/7 Dvinskaya Str., St. Petersburg, 198035
Review
For citations:
Nyrkov A.P., Yumasheva E.S., Kirikov A.V. Optimization of the penetration testing process in automated process control systems using machine learning algorithms. Vestnik Gosudarstvennogo universiteta morskogo i rechnogo flota imeni admirala S. O. Makarova. 2024;16(3):456-466. (In Russ.) https://doi.org/10.21821/2309-5180-2024-16-3-456-466