COMPUTERS & SECURITY, cilt.128, 2023 (SCI-Expanded)
In this paper, we propose a generic vulnerability and risk assessment method for IIoT-enabled critical sys-tems. We focus on reducing risk factors and vulnerable structures in order to provide security issues for the IIoT and enabled complex systems. In addition to the existing risk assessment and related methods, we represent the IIoT-enabled network topology as a directed graph, and we develop an attack tree-based approach using graph theory. We assume that each device is a potential critical node due to the existing vulnerabilities, which are defined in the National Vulnerability Database (NVD), and we establish directed relations between nodes, considering cyber and physical interactions. We improve existing attack path-identifying methods using the Depth First Search (DFS) algorithm to find all the paths from the source to the target nodes. In the generated topology, each node has the pre-assigned Common Vulnerability Scoring System (CVSS) scores acting as a weight. We also implement the Floyd-Warshall algorithm to identify path risk levels. Finally, we assess the identified vulnerable paths from varying source and target pairs via path and node-reducing procedures, considering risk thresholds. We perform our simulation on a custom Python simulator, considering the transportation and supply sectors. We compare our results with the previous ones. Simulation results show that our proposed methods and procedures outperform existing risk assessment and filtering methods in terms of running time and attack path identification and filtering. (c) 2023 Elsevier Ltd. All rights reserved.