A novel probabilistically timed dynamic model for physical security attack scenarios on critical infrastructures

• Developed probabilistically timed model for simulating physical security attacks.
• Used visual flowcharting methodology to construct the security attack algorithm.
• Applied model to a hypothetical scenario involving attack on a chemical facility.
• Proposed model can benefit security drills to uncover exploitable vulnerabilities.
• Proposed modeling framework can be extended to simulating cyber security attacks.

This study proposes a novel probabilistically timed dynamic model for physical security attack scenarios on critical infrastructures (CIs). The model simulates attacker's attempts to compromise exploitable vulnerabilities in targeted CIs. Attacker's times to successfully compromise physical barriers, intrusion detection systems, and standby safety systems are modeled as random variables represented by user-defined probability distributions. The model assumes a highly skilled attacker, tracks his cumulative time to compromise targeted assets relative to an estimated mission time, and calculates mission success probability under imperfect information. The model uses Monte Carlo sampling technique to propagate uncertainties of input parameters to calculate statistics of mission success probability. Model's utility is demonstrated by a postulated case study in which an attacker attempts to launch undetected and unmitigated fire in 1-out-of-4 protected areas within a chemical process plant. Destroying one of these protected areas represents attacker's mission success in disrupting plant operation in addition to causing property damage. Visual flowcharting and dynamic attack tree logic are used to describe systematic execution of the attack. Simulation results show 64.4% mission success probability with 4.7% standard deviation. Benefits of proposed model include its use in security training to quantify probabilistic outcomes of “what if” scenarios, uncover exploitable vulnerabilities, and implement defensive strategies to improve CI's resilience under attack. The modeling framework can be extended to cyber security applications.