Cyber-physical component ranking for risk sensitivity analysis using betweenness centrality

This article proposes a model for critical component ranking in power system risk analysis using a proposed cyber-physical betweenness centrality (CPBC) index. Risk assessment, as part of the contingency analysis, is a critical activity that can identify and evaluate component outages that lead to system vulnerability, aiding operators to improve resilience. A power system cyber-physical risk assessment model is proposed that calculates and offers an efficient protection strategy to the system operator based on component vulnerability to adversaries and the impact of compromised assets on the system operation. We present the CPBC index, which traverses generated attack graphs to rank components according to their importance in reducing adversary impact on the power system. The CPBC extends betweenness centrality and integrates into the analysis the services and security cost of communications between system components, as well as the likelihood of component exploitation as an adversary medium to the target relays. The proposed model recommends actions, taking into account the interconnections between cyber and physical components as well as cyber-induced Common Vulnerabilities and Exposures scores associated with these connections, thus protecting critical components. The proposed model is implemented on the Cyber-Physical Situational Awareness 8-substation and extended IEEE 300-bus cyber-physical power system models, and results are presented on the impacts of the proposed component ranking model on the security-aware operation of the power system.


| INTRODUCTION
The electric power grid is critical to national security in modern societies and thus should be resilient to adversaries. Increased cyber attack risks come with modern configurations that integrate advancements in communication and control with advancements in devices, thereby introducing novel opportunities for cyber-threats [1][2][3]. These cyber-threats can lead to data breaches, asset damage and power outages by exploiting control assets in the physical grid. For instance, the 2015 Ukrainian attack exploited a phishing email to ultimately enable the adversary to gain control of system circuit breakers, causing 6 hours of power outages for thousands of customers [4]. Similarly, the Stuxnet attack exploited network printer vulnerabilities to stealthily penetrate the control configuration system and tamper with the control logic of the nuclear process [5]. To be prepared for these anomalies, the system operator usually performs contingency analysis as a risk monitoring tool to provide situational awareness of the power grid [6].
The electric power grid is a complex system comprising interdependent networks of control devices, Internet hosts, sensors, data acquisition, communication services and more. These interdependent networks can be broadly grouped into cyber and physical layers, where anomalies in one layer can have repercussions in the other layers [7]. As interactions between cyber and physical layers increase, the potential paths which a system adversary can exploit to reach critical devices also increases, making comprehensive monitoring more intractable for the system operator; this can have the unintended consequence of the grid becoming a 'honey pot' for cyber attacks [8]. Hence in the case of an adversary attack, cyber-physical risk analysis as a fundamental power system monitoring tool would allow the operator to gain knowledge of the expected system performance and thus, can aid in preparing the system operators for possible scenarios by ranking equipment according to access, vulnerability, and impact.
This article investigates the effect of component vulnerability on the impact (exploitable paths) of the adversary on the power system. More specifically, we develop here a cyber-physical operation model, CRSA, that ranks cyber and physical components in the order of importance towards minimising the impact of the adversary on the power system. In the proposed cyber-physical model, from a physical perspective, we introduce the cyber-physical betweenness centrality (CPBC) index that effectively ranks power system components based on cyber network configuration, whereas from a cyber perspective, control network vulnerabilities are also integrated according to the underlying power system topology. The main contributions of this article are as follows.
• We propose a component ranking and risk sensitivity analysis model (CRSA), which integrates the cyber-physical network topology and standard industry level vulnerabilities to model attack and defense from adversary and system operator perspectives simultaneously.
• We propose a cyber-physical component-ranking metric, the CPBC, which aids this security-oriented risk awareness by ranking system assets according to their security tiers. We compare our proposed CPBC index with the existing BC index to further illustrate the improvements attainable by the proposed risk sensitivity analysis model.
• We develop an algorithm to protect critical components to demonstrate the efficiency of the proposed model, while the model scalability is also illustrated using the Cyber-physical Situational Awareness (CyPSA) 8 substation and IEEE 300-bus test systems, respectively.
The rest of this article proceeds as follows. Section 2 provides a literature review of different methods and models developed for vulnerability analysis of the electric power grid. In Section 3, we discuss the modelling and formulation of system vulnerability including generation of adversary attack graphs. Sections 4, 5 and 6 discuss core facets on the proposed CRSA which are the component ranking assessment, the development of the CPBC index, and the risk analysis process. The simulation results are presented in Section 7, and conclusions are drawn in Section 8.

| LITERATURE REVIEW
Different methods have been proposed to analyse power system risk to adversarial attacks. Researchers in [9,10] initially presented the concept of cyber-physical contingency analysis to identify high-risk elements using techniques based on Markov Decision Processes as well as reachability analysis of the attack paths [11] and quantifying physical impact in power systems. Graph theory-based analysis can be utilised to improve this cyber-physical contingency analysis by analysing the system as a weighted graph, where priority can be assigned to edges/vertices with the most connection paths passing through [12]. A graph can represent topology, where the vertices are assets/components such as Internet hosts and relays, while the edges are the communication links between the vertices. Example usages include betweenness centrality (BC) measures [13], which generally seek the relative importance of a vertex or an edge in a graph.
Using the graph theory approach, [14] estimates the impact of the cyber layer on the physical system through cost-effect analysis. Furthermore, [15] proposes probabilistic capturing of data packets for cyber traffic monitoring in software defined networks using the concept of betweenness centrality. In [16], principal component analysis and dictionary learning graph decomposition methods are proposed based on graph multi-centrality features which can reflect structural perturbations in graph symmetry and edge weight and direction, and hence, they can be utilised to detect attacks on the network. These measures can also be adapted to power system networks, using graph topology to detect anomalies in electric power grids [17]. In [18], centrality and electrical characteristics are utilised to identify critical vertices. In [12], parallel BC is applied to power grid contingency selection, validated using a model of the western US power grid to help operators identify and mitigate potential widespread cascading failures in real time.
With these topological methods, a variety of metrics have also been developed in order to identify the most critical components in an electric grid [19][20][21][22]. In [23], effective graph resistance is utilised as a metric to assess the robustness of power grids against cascading failure, identifying the best pair of connectivity vertices towards optimising the metric. In [24], systematic investigation of topological and electrical characteristics is performed for power grid networks based on real and synthetic grid data, while in [25], the authors rank the importance of the grid vertices and lines based on centrality measures and other characteristics.
In most of these studies, physical/electrical characteristics are investigated, while cyber vulnerabilities are not integrated. However, researchers have been extending test systems to include cyber characteristics that emulate real systems, featuring communication networks and cyber-physical interconnections that are salient in control of power systems [9,26,27]. For example, some intelligent electronic devices, such as relays could be reached via TCP/UDP ports from secured control room computers utilising firewall rules to limit access of vendors, customers, or corporate offices in and out of the control perimeter, as illustrated in Figure 1. These communication networks could potentially be penetrated through external connections, internal Internet hosts, virus penetration, and more. Specifically, although the OT (operational technology) network is isolated from the IT (information technology) network with the use of firewalls and DMZs, a collection of vulnerable web and remote access services can still be exploited to plant malware or worms to bridge this isolation [28]. Hence, the main role of the proposed CRSA approach is to assess the component importance towards reducing the security impact (adversary-accessible paths) of adversary intrusion to overall system vulnerability. In particular, we are motivated by the nature of attacks such as the Ukrainian and the Stuxnet, which compromise control assets to create adversarial havoc. Therefore, in this work, we focus on the adversarial process from the operators' host computers (e.g. via phishing emails) to the control network (relays). Thus, as illustrated in Figure 3, the relays form the boundary devices of the cyber-physical network in this article.
Rather than ranking discovered vulnerability by severity [29], the CRSA considers that the operator wants to rank the system components by importance towards reducing the total system vulnerability. Furthermore, CRSA integrates the likelihood and cost of adversary exploitation [30] into cyber-physical risk analysis.
As shown in Figure 2, CRSA utilises the system connectivity, topology information, and user defined adversary and target component lists to generate attack graphs. Given the attack graphs, component ranking follows with the CPBC index consisting of detailed vulnerability scores (cost) of network communication links and the BC of components (vertices), thus demonstrating the relative ease of compromising a communication link and the ease of reaching target assets from unique vertices. The proposed model makes use of information flow, such as services and processes among system components, where the information flow and connectivity of the network are traced at a time when the system is in normal operation. Points of adversary intrusion are then modelled as hosts through which target relays may be reached after a series of vulnerability exploitation.
In other words, using the generated attack graph, potential points of intrusion and potential targets, the CRSA model evaluates the importance of components to the system state based on component services, the security cost of communications between system components, and the likelihood of component exploitation as an adversary medium to the target relays. Based on the results of the proposed approach, ranked components are in turn protected to demonstrate the ability of protecting these components to reduce the overall system vulnerability.

| CYBER VULNERABILITY MODELING
It is vastly improbable that an adversary will have access to all the information required to carry out an attack on the power system. However, as with all high impact low probability events, the event probability is 0 until the event occurs and then the probability is 1. Hence, in our model we expect that the adversary will inevitably gain system access while the system operator takes contingency measures to minimise adversary impact. We assume that the adversary will prioritise easily accessible paths which pose high vulnerability impact on the system (i.e., access to more targets). Therefore, the adversary has access to the power grid topology information [13] and can carry out an attack based on component vulnerability and graph theory [31]. In this section, we explain how the system information is used to determine the state of the cyber-physical network. We begin by discussing how attack graphs are modelled and generated and continue with discussing the evaluation of inter-component vulnerability.

| Attack graph generation
The goal of the attack graph is to provide details about the cyber-physical power network through dependencies among the system components. The attack graph informs the current state of the system as well as the potential paths an adversary could take to reach target components, given the possible points of intrusion as adapted from Algorithms 2 and 3 of our previous work [32], and is generated from the system connectivity and topology information as follows.

| The connectivity matrix
The attack graph is generated using the system connectivity matrix (CM) with a pre-defined list of attack vertices and target assets. To aid realistic analysis, this article incorporates the interconnections between the physical (electrical) and cyber networks of synthetic power system models, such as the CyPSA 8-substation model [26], which capture normal communications and operational services, for example, remote or secured shell access, between components of the unattacked system, and develops a CM. Given the system CM, the security state of the system is evaluated by assigning security scores (cyber costs [CC]) to the communication links between connected components.

| Cyber topology and host connectivity generation
Here, we obtain the system topology and host connectivity. Specifically, Nmap is used to generate a network mapping report which is spawned from control network hosts and provides host service details. The report is parsed using the NP-View application [34]. Based on the firewall's interface and object group configuration, NP-View generates the cyber topology as a topology dictionary JSON file having two primary features, namely Device and Network. The feature Device has a list of all the devices such as hosts, relays, gateways with their IP addresses and unique IDs, while the Network feature lists the collection of the model's networks, since there are different networks for the control center, Internet, vendor access and peer utility. These attributes are stored in these dictionaries for accessing unique devices and networks. The connectivity file is generated based on the access control list configured in each firewall [32]. Thus, NP-View parses the Nmap report as well as the firewall rules to generate host connectivity, which along with the physical power grid topology from PowerWorld, is used to model the cyber-physical power system.

| System vulnerability
Given generated attack graphs, the security state of the system can be evaluated. The goal of this section is to explain the system security state. In this work, the adversary gains access to the network and can reach the target relays through Internet hosts. As shown in Figure 2, the attack graph is generated from an input of IPs of the target components, and the adversary list. We assume that an adversary penetrates a utility communication network, and will take a relative path of least resistance to find relays to operate breakers. Once the network is compromised, Ethernet-connected relays may be discovered using port scanning tools such as Nmap. In our model, discovered relays can be identified using the relay IPs.
Furthermore, connectivity characterisation is stored in three elements: (1) a source object; (2) a sink object; and (3) their security CC. Source and sink are vertices and may have more than one communication link (connectivity edge). For instance, an attack source vertex may leverage knowledge of required username and password to remotely access another sink vertex with hard-coded SSH credentials by exploiting the vulnerability CVE-xxxx-xxxx with a score; hence the path between the two vertices will be weighted on the CCs, which are computed based on the Common Vulnerability Scoring System (CVSS) scores obtained from the National Vulnerability Database (NVD). The vulnerability between vertices can also be depicted by the CIA triad criteria for critical components where vulnerability is modelled, given the information flow between compromised components and those yet to be compromised. Confidentiality and Integrity compromise of an object is captured if a communication link exists with a compromised object which could be in the forward or reverse direction, respectively. Availability is captured, given that a communication link exists and the unavailability of an object is delineated where there is no information flow. For instance, if a critical component frequently communicates with another through an ftp service, the component once compromised would possibly cause loss of integrity in that ftp service while the confidentiality of the component being written to is also in jeopardy. The component or service availability is threatened if an attack path is in situ.
Thus, in this work, vulnerability exploitation through paths is available to the adversary to assume relay control. Given these exploitable paths, the component ranking algorithm seeks to identify relatively easy access paths that the adversary can take to get to target assets. Once the paths are ascertained, the vertices most common in these paths have high graph centrality and, with consideration of their associated vulnerability types and scores, these vertices are noted as relatively critical for the adversary mission. The critical vertices (important components) are then sent to the system operator to be protected, as a collection of attacks can be prevented by patching system vulnerabilities. For instance, a distributed denial of service (DDoS) attack can be avoided if vulnerable services or software are patched, uninstalled or filtered. Similarly, a Man-in-The-Middle (MiTM) attack targeting false command or data injection can be avoided if an intruder is prevented from planting malware or creating botnets. In this work, we assume that once the critical component is protected, the service it provides is deterministically secure and available, that is, it becomes 100% secure.

| Dynamic attack graphs for unknown vulnerabilities
Current algorithms to generate attack graphs are based on the CVSS scores of known vulnerabilities. For zero-day attacks or for attack sources whose vulnerabilities are not available in the NVD database, we are exploring dynamic attack graph generation methods such as dynamic Bayesian network (DBN) [35], based on IDS alerts. Hence, probabilistic graphical models such as Bayesian networks (directed) or Markov random fields (undirected) are used to make inference and compute scores or posterior probabilities based on an alert, starting with a prior dummy probability at every node in the attack graph.

| COMPONENT RANKING ASSESSMENT
In this section, we formulate the component ranking model that integrates cyber topology and vulnerabilities into power system risk sensitivity analysis. Mathematically, the ranking model is formulated given the cyber-physical attack graph $G$. Specifically, the cyber-physical network is a set of components that connect (communicate/control) to one another and hence can be mathematically represented as a graph [36]. The graph vertices represent the system components such as hosts, routers, and relays. The edges represent links between the vertices, for example, service (ssh, tcp) running between two vertices. In particular, if data flows from object $v_i$ to $v_j$, then object $v_j$ becomes dependent on $v_i$ and the dependency is represented by the network edge $e_{ij} = v_i \to v_j$. To capture this, we represent $G$ as a pair of vertex and edge sets $(V, E)$, with vertices $V = \{v_1, v_2, v_3, \ldots, v_n\}$ and edges $E = \{e_1, e_2, e_3, \ldots, e_m\}$ with individual weights $CC(e) \to \mathbb{R}^+$.

| Cyber-physical interdependencies
The nature of historical attacks, that is, compromises of operator computers to access system control devices, as cited in the introduction, motivates our focus on adversarial analysis between hosts and physical control devices. Hence, it is important to highlight the cyber-physical interdependencies considered in this article:
• From one cyber vertex to another, for example, host-host, host-router link. This interdependency is the data flow or service between cyber vertices.
• From a cyber vertex to a physical vertex (relays) used to send information/commands (control) to the relay.
Given these interdependency types, as illustrated in Figure 3, the physical components are mostly boundary vertices in the network. Figure 3 presents the sample graph where the green vertices are the electrical relay vertices and the pink vertices are the cyber vertices, for example, host vertices, Internet vertices and routers. Similarly, the green edges represent electrical/ physical connections, the red edges, ICT/cyber links, and the blue edges represent the interdependency (communication/ control) of cyber to electrical vertices. Hence, the goal is to discover the most critical vertices in the system that, if the adversary compromises, will cause higher overall system vulnerability which is measured by the number of attack paths accessible to the adversary. Towards this end, we obtain possible attack scenarios through attack graphs which are analysed for component importance.

| Vertex betweenness centrality
Towards risk assessment, vertex BC assigns ranking coefficients to vertices in a graph through which important components can be identified as those represented by vertices with high coefficient values [37]. It gives insight into the influence of a vertex over the data flow between other vertices. Given the graph $G(V, E)$, the betweenness of a vertex $v$ is the count of the shortest paths between pairs of other vertices that run through $v$ as below: Equation (1) relies on the use of the shortest path distance between the vertices which is computed using the Dijkstra shortest path algorithm, where $\sigma_{st}$ is the number of shortest paths from a source vertex $s$ to a target vertex $t$, $\sigma_{st}(v)$ is the total number from the mentioned paths that pass through vertex $v$, and $n$ is the number of vertices. Hence, the vertices that occur on many shortest paths have relatively higher betweenness [25]. Different studies on cyber-physical vulnerability analysis using graph-theoretic algorithms including BC have been proposed towards contingency analysis [38]. However, utilising just the BC index for critical asset ranking in cyber-physical systems only takes into consideration the centrality positioning of a component in the network graph towards component importance, and hence less accurate results are often obtained. For instance, the BC index may consider a network switch as a critical asset because of its high centrality in the network, even if there are other more critical components with less centrality but with higher potential to cause increased system failure, for example, cascade failures.
To enhance the accuracy in component ranking, we propose the CPBC for ranking system components towards risk assessment in the cyber-physical network. Specifically, the proposed index incorporates the impending likelihood of components being compromised, directly or indirectly, in the attack graph as discussed in Section 2. For instance, a vertex A, for example, an Internet host, is affected directly by an adversary if he/she can successfully access that vertex via, for example, malicious emails. Alternatively, vertex B, for example, a router, is indirectly compromised if it gets accessed by the adversary through A. In addition, the CPBC index incorporates security vulnerability scores (CC) calculated as follows, using the lowest cost vulnerability to reach a particular vertex even though the attack graph retains all vulnerability IDs.
We obtain the vulnerability scores $V_e$ from the NVD where the cost metric associated with realising an attack edge is obtained from the CVSS with a script that extracts the exploitability sub-score using the access complexity and authentication scores. In this work, the CC represents the severity (operator-side) / vulnerability (adversary-side) of compromising a service between two vertices.
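As an added illustration (not the authors' script), the sketch below derives a CC per communication link from CVSS vector strings and keeps every vulnerability ID while exposing the lowest-cost one per link. Assumptions: CVSS v2 is used because Access Complexity and Authentication are v2 base metrics, the v2 sub-score formula also takes Access Vector, the findings and `CVE-PLACEHOLDER-*` IDs are constructed, and "lowest cost" is read literally as the smallest score.

```python
# Added example: CVSS v2 exploitability sub-score as the cyber cost (CC)
# of a communication link. Metric weights are those of the CVSS v2 spec.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}    # Access Vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}     # Access Complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}    # Authentication


def exploitability(vector):
    """Return the v2 exploitability sub-score, 20 * AV * AC * Au, to 1 decimal."""
    metrics = {}
    for part in vector.strip().split("/"):
        key, sep, value = part.partition(":")
        if not sep or key in metrics:
            raise ValueError(f"malformed CVSS v2 vector: {vector!r}")
        metrics[key] = value
    try:
        score = 20 * AV[metrics["AV"]] * AC[metrics["AC"]] * AU[metrics["Au"]]
    except KeyError as exc:
        raise ValueError(f"missing or unknown metric {exc} in {vector!r}") from None
    return round(score, 1)


# Constructed findings: (source, sink, service, placeholder ID, v2 vector).
FINDINGS = [
    ("hmi-host", "relay-7", "ssh", "CVE-PLACEHOLDER-A", "AV:N/AC:L/Au:S/C:C/I:C/A:C"),
    ("hmi-host", "relay-7", "ftp", "CVE-PLACEHOLDER-B", "AV:N/AC:M/Au:N/C:P/I:P/A:N"),
    ("eng-ws", "hmi-host", "rdp", "CVE-PLACEHOLDER-C", "AV:N/AC:L/Au:N/C:P/I:P/A:P"),
    ("eng-ws", "relay-7", "telnet", "CVE-PLACEHOLDER-D", "AV:A/AC:H/Au:M/C:P/I:N/A:N"),
]


def connectivity(findings):
    """Map (source, sink) to all its (CC, vuln ID, service) entries, lowest CC first."""
    links = {}
    for src, dst, service, vuln_id, vector in findings:
        links.setdefault((src, dst), []).append(
            (exploitability(vector), vuln_id, service))
    for vulns in links.values():
        vulns.sort()
    return links


def edge_costs(findings):
    """One CC per link: the lowest-cost vulnerability, as the text describes."""
    return {link: vulns[0][0] for link, vulns in connectivity(findings).items()}


if __name__ == "__main__":
    for (src, dst), vulns in connectivity(FINDINGS).items():
        print(f"{src} -> {dst}: CC={vulns[0][0]} all={[v[1] for v in vulns]}")
```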

| CYBER-PHYSICAL BETWEENNESS CENTRALITY INDEX
In this section, we present the proposed cyber-physical security index that the CRSA uses to rank components, given possible attacks against the cyber-physical power system. The objective of the CPBC index is to rank the cyber-physical power system components in order of importance to the power system operator. This importance stems from the impact the adversary will have on the entire system through the compromise of a component given cyber-originated intrusions that target the introduction of malicious commands to the physical power system control components through several host computers to cause a physical-layer security event.
The CPBC utilises the computed shortest paths containing the vertices as in the BC index, the count, and vulnerability magnitude of communication links, to calculate a unified cyber-physical ranking index for the entire network. In particular, the CPBC index integrates the fact that the important vertices have a greater chance to lie on multiple vulnerability-weighted shortest paths to the target relays, as illustrated in line 10 of Algorithm 1, while the vertices with fewer services and lower CC will have relatively less importance. For instance, as illustrated in Figure 4, the adversary at the red source vertices (with CC = 1) will pass through v1 and v2 to get to their targets t1 and t2. As we observe, v1 provides about double the number of access paths from which the adversary can take the least cost path to t1. In addition, the cost of services associated with v1 is higher than v2 (29 > 17.9), hence it will cost more to the system operator if v1 is compromised. Thus, v1 will rank higher than v2, assuming they have the same centrality in the graph.
In Algorithm 1, the relative importance of a vertex due to its position in the network is obtained by defining the Internet and the relay vertices as inputs. Then, the shortest paths from possible adversary sources (Internet) to targets (relay) are calculated. When these paths are obtained, the number of times a vertex occurs in these paths, $\sigma_{st}(v)$, can be determined. For the BC index, this suffices for calculations as in Equation (1), while the obtained $\sigma_{st}(v)$ is a function of the proposed CPBC index, adequately capturing critical vertices: where $\sigma_{st}(v)$ is the number of shortest paths from source vertex, $s$, to target vertex, $t$, that pass through the vertex, $v$, with edges weighted on the communication link CCs, and $e_v$ is the set of all edges to/from $v$, with cardinality of $\varepsilon$ which is proportional to the vertex density in the network. The reciprocal of the CC is utilised to weigh the vertices in the cyber-physical graph, so that computation is consistent with the cyber vulnerability concept discussed. Also worth mentioning is that this index allows for risk analysis where the adversary can compromise a vertex without having access to compromise all the services being provided by that vertex since CC is summed for each compromised $e_v$. For instance, for the ranking of v2 in Figure 4, the service represented by the edge with CC of 5 could be compromised with an expected higher probability than that of CC 9.9; the CPBC index is formulated in such a way that this information can be incorporated if so desired. In this case, if granular analysis of the compromised vertex services is required, the CPBC index can be utilised effectively. Another important advantage of this setup is that it allows for the grouping of vertices in security tiers with similar importance, and hence impact, on the overall system vulnerability. This will be further illustrated in the results section.

| MODEL EVALUATION: RISK SENSITIVITY ANALYSIS
Risk sensitivity analysis proceeds with the prioritised protection of ranked components while the impact of protection towards reducing the system's vulnerability is measured. The objective is to give the system operator enough information about which combination of components to protect so that the number of possible adversary-accessible paths remains tractable in case of an attack.

Algorithm 2 Protecting Important vertices

    function Generate_Attack_Graph, H(G, L, sel_t)
        create empty attackGraph; H
        Get CC(e) (vuln_list) of x ranked vertices
        for vertex in x do
            v_list = Get(vuln_list - y% of vuln_list)
            new_path = get_path(G, v_list)
            for adversary a in L do
                d, p = dijkstra_shortest_path(a, G)
                for target t in d do
                    if t in L then
                        path = G(t)    ▹ get the path from G
                        Add path to attackGraph, H
                    end if
                end for
            end for
        end for
        return new_attackGraph, H
    end function

As illustrated in Algorithm 2, the protection of the critical vertices follows with the removal of y% of the unique vertex's associated edges in the attack graph G. This generates a new attack graph, H, which is a subgraph of G, with number of attack paths less than or equal to G. In particular, if a vertex is critical, its protection should reduce the number of attack paths P accessible to the adversary. For instance, in Figure 4, assuming the same graph centrality for v1 and v2, protecting v1 with eight immediate communication links will generally reduce attacker access paths in the network more than protecting the latter.
The formulation of the protection algorithm is as follows. Let $e_1$ be the set of edges with links to a unique vertex $v1$ in the attack graph $G$, and $e_{v1_c}$ be the set of edges with links to critical vertex $v1_c$ in the attack graph $H$. Then, the list of edges $e_{v1_c}$, associated with critical vertex $v1_c$, is defined as unique row entries with all but y% of the edges of the original set $e_1$, where $e_{v1_c} \in e_1 \in E$. Hence, within a row $e_*$ (e.g., $e_1$, $e_2$, …) of $E$, the set of edges $e_{y*}$, from vertex $v_*$ (e.g., $v1$, $v2$, …), not in $e_{v*_c}$ is defined as: This means that $e_{v1_c}$ is a subset of $e_1$, where y% of the edges in $e_1$ are removed. Hence for a vertex, $v1$, Analysis for the new generated attack graph advances by calculating the impact of increased protection of important components on overall system attack paths as follows: Hence, Equation (6) measures the improvement, that is, reduction in paths accessible to the adversary, that increased protection of critical vertices provides the system operator. This implies that protection of more critical vertices should relatively provide a higher improvement in the overall system vulnerability with a reduced number of attack paths accessible to the adversary.
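The rank-then-protect loop described above, as an added sketch that is not the authors' implementation: it counts $\sigma_{st}(v)$ on CC-weighted least-cost adversary-to-relay paths, protects each ranked vertex in turn with y = 100%, and reports the percentage decrease in attack paths. Assumptions: the graph and CC values are constructed; because the CPBC equation is not reproduced on this page, ranking uses $\sigma_{st}(v)$ with the summed CC of a vertex's services as a tie-break (the Figure 4 argument); attack paths are counted as simple adversary-to-relay paths over distinct links.

```python
import heapq
from collections import defaultdict

# Constructed toy attack graph: (source, sink, CC). v1 exposes two services
# towards t1, so that link appears twice with different costs.
EDGES = [
    ("a1", "v1", 1.0), ("a2", "v1", 1.0), ("a1", "v2", 1.0), ("a2", "v2", 1.0),
    ("v1", "t1", 5.0), ("v1", "t1", 9.9), ("v1", "r", 2.0), ("r", "t1", 4.0),
    ("v2", "t2", 5.0),
]
ADVERSARIES = ["a1", "a2"]   # points of intrusion
TARGETS = ["t1", "t2"]       # target relays (boundary vertices)
EPS = 1e-9


def lowest_cost_links(edges):
    """Collapse parallel services to the lowest-CC one per directed link."""
    adj = defaultdict(dict)
    for u, v, cc in edges:
        adj[u][v] = min(cc, adj[u].get(v, cc))
    return adj


def least_cost_paths(adj, src, dst):
    """All least-cost src->dst paths: Dijkstra keeping every tied predecessor."""
    dist, preds, heap = {src: 0.0}, defaultdict(list), [(0.0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u] + EPS:
            continue                      # stale queue entry
        for v, cc in adj.get(u, {}).items():
            nd, old = d + cc, dist.get(v, float("inf"))
            if nd < old - EPS:
                dist[v], preds[v] = nd, [u]
                heapq.heappush(heap, (nd, v))
            elif abs(nd - old) <= EPS:
                preds[v].append(u)
    if dst not in dist:
        return []

    def unwind(v):
        if v == src:
            return [[src]]
        return [p + [v] for u in preds[v] for p in unwind(u)]
    return unwind(dst)


def sigma(adj, adversaries, targets):
    """sigma[v]: number of least-cost adversary->target paths through v."""
    counts = defaultdict(int)
    for s in adversaries:
        for t in targets:
            for path in least_cost_paths(adj, s, t):
                for v in path[1:-1]:
                    counts[v] += 1
    return counts


def incident_cc(edges, v):
    """Summed CC of every service edge to/from v (parallel services included)."""
    return sum(cc for u, w, cc in edges if v in (u, w))


def rank(edges, adversaries, targets):
    """Stand-in ranking (assumption): sigma first, summed service CC second."""
    counts = sigma(lowest_cost_links(edges), adversaries, targets)
    ends = set(adversaries) | set(targets)
    verts = {x for u, w, _ in edges for x in (u, w)} - ends
    return sorted(verts, key=lambda v: (-counts[v], -incident_cc(edges, v), v))


def count_attack_paths(edges, adversaries, targets):
    """Number of simple adversary->target paths; a path ends at the first relay."""
    adj = lowest_cost_links(edges)

    def walk(u, seen):
        total = 0
        for v in adj.get(u, {}):
            if v in seen:
                continue
            total += 1 if v in targets else walk(v, seen | {v})
        return total
    return sum(walk(s, {s}) for s in adversaries)


def protect(edges, vertex):
    """Algorithm 2 with y = 100%: remove every edge to/from the vertex."""
    return [e for e in edges if vertex not in e[:2]]


def sensitivity(edges, adversaries, targets):
    """Per ranked vertex: (vertex, paths left in H, % decrease from G)."""
    base = count_attack_paths(edges, adversaries, targets)
    rows = []
    for v in rank(edges, adversaries, targets):
        left = count_attack_paths(protect(edges, v), adversaries, targets)
        rows.append((v, left, round(100.0 * (base - left) / base, 2)))
    return rows


if __name__ == "__main__":
    for row in sensitivity(EDGES, ADVERSARIES, TARGETS):
        print(row)
```

Here v1 and v2 have the same $\sigma_{st}(v)$, so a plain betweenness count cannot separate them, yet protecting v1 removes twice as many attack paths as protecting v2.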

| SIMULATION AND NUMERICAL RESULTS
The goal of this section is to demonstrate how the CPBC index can aid system operators and administrators in calculating the component ranks using realistic case studies. The proposed CRSA model is implemented on an 8-substation test case [26], as shown in Figure 5, [26,32] and are publicly available for download [33]. To illustrate the effectiveness of the proposed model, we consider the improvements offered by using the CPBC index in the risk sensitivity analysis compared with the BC index. The results are computed using a computer with an i7 1.80 GHz processor and 16 GB of RAM.

| Cyber-physical component ranking
We implemented the proposed cyber-physical ranking model on the test cases with results as illustrated in Tables 1 and 2.
The tables show the calculated and normalised values for the indices, that is, the CPBC and the BC index. The first column in the table shows the rank of the vertices until such a rank where the decrease in overall system vulnerability is negligible for the test system. The second and fifth columns furnish the calculated and normalised values for the BC and the CPBC indices, respectively. The third and sixth columns furnish the unique identification (ID) for the vertices as ranked by the BC and the CPBC, respectively, while the fourth and seventh columns present the component type. For instance, Host PC with ID 1896, ranked 1 (most critical) by both the BC and the CPBC in Table 1, when protected, drastically reduces the adversary security impact on the system by 12.95% as observed from Table 3.

| Cyber-physical risk sensitivity analysis
Here, we evaluate the proposed model to assess the impact of the ranked components on decreasing the overall system  Tables 1 and 2, the vertices are in turn protected as in Algorithm 2, by reducing the vulnerabilities associated with that vertex by 100%, hence deterministically patching the vulnerabilities. We choose 100% for the purpose of this evaluation to eliminate bias that can occur in the results due to randomly choosing different vulnerability types to be removed. This leads to a new system attack graph with total adversary-accessible attack paths less than or equal to that of the original attack graph. Tables 3 and 4 furnish the decrease in attack paths that the protection of each of the power system components provides. The second column represents the total number of attack paths present in H. The third column furnishes the total percentage decrease in the attack paths present in H, from the number of attack paths present in the original attack graph G, before component protection. In Figure 6, the accuracy of the CRSA model is observed in the decreasing slope of percentage adversary-accessible attack paths as the component ranks progress from 1 to 15 and 1 to 5, for the 8 substation and 300 bus test cases, respectively. This sustained reduction, as opposed to the random decrease in ranking attained by using the BC index, is preferable since [component_importance ∝ percentage_decrease_in_attack_paths]. Hence the decrease in attack paths is attained by protecting a component of Rank 1 > Rank 2 > Rank 3 > …, as illustrated in Figure 6. Thus, reduction in system vulnerability is expected to be higher with the protection of highly ranked components. Furthermore, we observe that the proposed CPBC ranking, as shown in Tables 1 and 2, calculates the same rank for the vertices with an equal decrease in the number of attack paths accessible to the adversary.
This is due to the comprehensiveness of the CPBC index with the incorporation of criticality (communication link vulnerability costs and cardinality) with vertex betweenness, in the proposed CPBC index. Hence, this additional component grouping functionality, not provided by the traditional BC index, aids in simplifying and reducing the computational burden during cyber-physical risk analysis as illustrated in Tables 3 and 4, where the set of components with equal importance is provided to the system operator.

FIGURE 6. 8 Substation and 300 bus test cases: Visualising the decrease in attack paths illustrated in Tables 1 and 2. BC, betweenness centrality; CPBC, cyber-physical betweenness centrality

| Complexity and computational efficiency
From Algorithm 1, we can compute the time complexity of the component ranking algorithm to be of the order of $O(I \times R \times \mathrm{Avg}_{PL} \times N)$, where $I$ is the number of Internet vertices, $R$ is the number of relay vertices, $\mathrm{Avg}_{PL}$ is the average shortest path length, which will depend on the graph density, and $N$ is the total number of vertices. With approximation, we can consider the time complexity of the BC algorithm to be $O(N^4)$. The number of Internet and relay vertices, as shown in Table 5, also influences the computation time, as the CPBC index traverses the attack graph starting from Internet hosts and terminating in the relay vertices, hence adding to the time complexity of the CPBC ranking. Note that the time for the attack graph generation, an input to the proposed ranking model, increases with larger connected networks (9 min for the IEEE 300 test case) as detailed in our previous work [32], while in this article, we focus on the time complexity of the proposed ranking model.

| Vertex density analysis
Vertex density is the relationship between the number of edges associated with a vertex and the total number of possible edges in the attack graph [40]. Hence, the vertex density holds information on the importance of a vertex [41]. Here, we show the improvements attained by the proposed CPBC index as opposed to the traditional BC index using their correlations with vertex density, as shown in Figure 7. We observe approximately linear relationships, with a higher correlation between vertex densities and the CPBC index than between vertex densities and the traditional BC index.

| CONCLUSION
This article proposed a model for critically ranking system components, which integrates cyber-layer industry-standard security vulnerabilities into the risk sensitivity analysis of the cyber-physical power system. The proposed model includes three main stages, where the first stage leverages the subjective adversary vertices and the targeted components to generate an attack graph which estimates the potential adversary attack paths, using the system connectivity and topology. The second stage integrates criticality and target reachability of components, via a proposed CPBC index, to determine the component importance which is passed on to the system operator to analyse the system risk. By prioritising protection of the critical components, the system operator analyses the impact of protection on the overall system vulnerability. The proposed model is implemented on a test 8 substation cyber-physical power system, in addition to the cyber-physical IEEE 300-bus test system, and compared with the BC index to illustrate the advantages of the proposed CPBC index. The simulation results demonstrate that using the proposed index promises improved determination of the important system components. Future work may include expanding the proposed model to a dynamic risk assessment, which would account for changes in the cyber-physical power system with time.
FIGURE 7. Vertex density analysis: Comparing the correlation of using in the ranking model, the betweenness centrality versus the proposed cyber-physical betweenness centrality index with the node density of the 8 substation and IEEE 300 bus test cases