Hybrid knowledge-based decision support system for intrusion response in industrial cyber-physical systems / Simone Guarino; Luca Faramondi; Gabriele Oliva; Ernesto Del Prete; Francesco Flammini; Roberto Setola. - In: FUTURE GENERATION COMPUTER SYSTEMS. - ISSN 0167-739X. - ELETTRONICO. - 179:(2026), pp. 0-0. [10.1016/j.future.2025.108306]
Hybrid knowledge-based decision support system for intrusion response in industrial cyber-physical systems
Francesco Flammini; Roberto Setola
2026
Abstract
As Industrial Cyber-Physical Systems (ICPS) become increasingly interconnected, they are exposed to a growing array of hybrid threats that target both digital and physical assets. A central challenge lies in identifying and implementing effective security countermeasures that mitigate such threats without disrupting critical operations. In this context, Decision Support Systems (DSS) offer a promising avenue for enhancing incident response. This can be done by assisting security operators in selecting optimal mitigation strategies. However, existing DSS solutions often face significant limitations, including poor scalability, high computational demands, and dependence on simulated attack scenarios that may not reflect real-world conditions. To overcome these challenges, we propose a novel hybrid knowledge-based DSS for intrusion response in ICPSs. Our approach integrates expert-driven evaluations with dynamic risk assessment to ensure both scalability and computational efficiency. Risk is continuously assessed using multiple Bayesian Networks. Moreover, expert knowledge is incorporated through an adapted Analytic Hierarchy Process (AHP) framework, capable of handling incomplete information, to evaluate the effectiveness and operational impact of available countermeasures. A cyber-physical detection module further enhances the system by providing detected events along with their associated detection probabilities. The optimal response strategy is selected by solving a bi-objective optimization problem. In particular, the problem amounts to minimizing both residual risk and the potential negative impact on ICPS functionality. The proposed DSS is validated through a proof-of-concept implementation based on a real-world laboratory case study. This demonstrates its practical applicability and robustness in complex industrial environments.

Documents in FLORE are protected by copyright and all rights are reserved, unless otherwise indicated.



