Process Safety and Environmental Protection 102 (2016) 473–484
A novel probabilistically timed dynamic model for physical security attack scenarios on critical infrastructures
Y.F. Khalil
Physical Sciences Department, United Technologies Research Center (UTRC), 411 Silver Lane, East Hartford, CT, USA
Article info
Article history:
Received 14 February 2016
Received in revised form 25 April 2016
Accepted 1 May 2016
Available online 6 May 2016
Keywords:
Physical security
Critical infrastructures
High-value assets
Probabilistic models
Time to compromise
Mission time
Abstract
This study proposes a novel probabilistically timed dynamic model for physical security attack scenarios on critical infrastructures (CIs). The model simulates an attacker's attempts to compromise exploitable vulnerabilities in targeted CIs. The attacker's times to successfully compromise physical barriers, intrusion detection systems, and standby safety systems are modeled as random variables represented by user-defined probability distributions. The model assumes a highly skilled attacker, tracks his cumulative time to compromise targeted assets relative to an estimated mission time, and calculates mission success probability under imperfect information. The model uses the Monte Carlo sampling technique to propagate uncertainties of input parameters and calculate statistics of the mission success probability. The model's utility is demonstrated by a postulated case study in which an attacker attempts to launch an undetected and unmitigated fire in 1-out-of-4 protected areas within a chemical process plant. Destroying one of these protected areas represents the attacker's mission success in disrupting plant operation in addition to causing property damage. Visual flowcharting and dynamic attack tree logic are used to describe the systematic execution of the attack. Simulation results show a 64.4% mission success probability with a 4.7% standard deviation. Benefits of the proposed model include its use in security training to quantify probabilistic outcomes of "what if" scenarios, uncover exploitable vulnerabilities, and implement defensive strategies to improve a CI's resilience under attack. The modeling framework can be extended to cyber security applications.
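The two-level Monte Carlo scheme the abstract describes (random times to compromise each protective layer, a cumulative clock checked against the mission time, and an outer loop that propagates uncertainty in the input parameters to give statistics of the success probability) can be sketched as follows. This is an added illustration, not the paper's code or case-study data: the stage names, MTTSC ranges, mission time and the exponential stage-time distribution are all constructed assumptions.

```python
import random
import statistics

# Constructed stage parameters (assumption, not the paper's case-study values):
# stages the attacker must compromise in sequence, each with an uncertain mean
# time to successfully compromise (MTTSC) given as a [low, high] range in
# minutes. Uncertainty in MTTSC is propagated by the outer Monte Carlo loop.
STAGES = {
    "physical barrier": (8.0, 14.0),
    "intrusion detection system": (4.0, 9.0),
    "standby fire suppression": (10.0, 20.0),
}
MISSION_TIME = 30.0  # minutes; constructed window of opportunity (MT)


def sample_time_to_compromise(mttsc, rng):
    """One random draw of a stage's time to compromise. An exponential with
    the given mean stands in for the paper's user-defined distribution."""
    return rng.expovariate(1.0 / mttsc)


def mission_success_probability(stage_means, mission_time, trials, rng=None):
    """Inner loop: fraction of simulated attacks whose cumulative time to
    compromise every stage fits within the mission time."""
    rng = rng or random.Random(0)
    successes = 0
    for _ in range(trials):
        elapsed = 0.0
        for mean in stage_means.values():
            elapsed += sample_time_to_compromise(mean, rng)
            if elapsed > mission_time:
                break  # window of opportunity closed: attack fails
        else:
            successes += 1  # all stages compromised within MT
    return successes / trials


def propagate_uncertainty(stages, mission_time, outer=200, inner=2000, seed=1):
    """Outer loop: sample each stage's MTTSC from its range, compute the
    success probability for that parameter set, and return mean and std."""
    rng = random.Random(seed)
    estimates = []
    for _ in range(outer):
        means = {name: rng.uniform(lo, hi) for name, (lo, hi) in stages.items()}
        estimates.append(mission_success_probability(means, mission_time, inner, rng))
    return statistics.mean(estimates), statistics.stdev(estimates)


if __name__ == "__main__":
    mean_p, std_p = propagate_uncertainty(STAGES, MISSION_TIME)
    print(f"mission success probability: {mean_p:.3f} (std {std_p:.3f})")
```

Doubling a stage's MTTSC range (for example by adding a delay barrier) and re-running shows how a defensive change lowers the estimated success probability, which is the "what if" use the abstract points to.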
© 2016 The Institution of Chemical Engineers. Published by Elsevier B.V. All rights reserved.
Abbreviations: BE, basic event; CB, circuit breaker; CI, critical infrastructure; CPS, cyber-physical systems; CS, cutsets (in fault tree analysis); DAT, dynamic attack tree; DiD, defense in depth; ET, event tree; ETA, event tree analysis; FL, flammable liquid; FSS, fire suppression system; FT, fault tree; FTA, fault tree analysis; FW, firewater; FWP, firewater pump; HVAC, heating, ventilation, and air conditioning; IDS, intrusion detection system; MCS, Monte Carlo sampling technique; MOV, motor-operated valve; MS, mission success, which from the attacker's viewpoint denotes achieving his malicious intent within a predetermined mission time; MTTSC, mean time to successfully compromise an exploitable vulnerability; MT, mission time, the window of opportunity available to the attacker to accomplish a malevolent goal; MV, manual valve; PAN, priority AND gate (used in dynamic fault trees); QRA, quantitative risk assessment; SDAS, smoke detection and alarm system; T-1, flammable liquid storage tank; T-2, firewater storage tank.
E-mail address: khalilyf@utrc.utc.com
http://dx.doi.org/10.1016/j.psep.2016.05.001