A Vulnerability Assessment Approach for Transportation Networks Subjected to Cyber–Physical Attacks

Transportation networks are fundamental to the efficient and safe functioning of modern societies. In the past, physical and cyber space were treated as isolated environments, resulting in transportation network being considered vulnerable only to threats from the physical space (e.g., natural hazards). The integration of Internet of Things-based wireless sensor networks into the sensing layer of critical transportation infrastructure has resulted in transportation networks becoming susceptible to cyber–physical attacks due to the inherent vulnerabilities of IoT devices. However, current vulnerability assessment methods lack details related to the integration of the cyber and physical space in transportation networks. In this paper, we propose a new vulnerability assessment approach for transportation networks subjected to cyber–physical attacks at the sensing layer. The novelty of the approach used relies on the combination of the physical and cyber space, using a Bayesian network attack graph that enables the probabilistic modelling of vulnerability states in both spaces. A new probability indicator is proposed to enable the assignment of probability scores to vulnerability states, considering different attacker profile characteristics and control barriers. A probability-based ranking table is developed that details the most vulnerable nodes of the graph. The vulnerability of the transportation network is measured as a drop in network efficiency after the removal of the highest probability-based ranked nodes. We demonstrate the application of the approach by studying the vulnerability of a transportation network case study to a cyber–physical attack at the sensing layer. Monte Carlo simulations and sensitivity analysis are performed as methods to evaluate the results. The results indicate that the vulnerability of the transportation network depends to a large extent on the successful exploitation of vulnerabilities, both in the cyber and physical space. Additionally, we demonstrate the usefulness of the proposed approach by comparing the results with other currently available methods. The approach is of interest to stakeholders who are attempting to incorporate the cyber domain into the vulnerability assessment procedures of their system.