Open Access

A Socio-Technical Approach to Mitigating Cybersecurity Risks in Industrial Control Systems: The Vulnerability Analysis Critical Impact Point (VACIP) Methodology

Department of Information Systems, African Institute of Science and Technology, Accra, Ghana

Abstract

Background: Industrial Control Systems (ICSs) face increasingly sophisticated cybersecurity threats. While much research focuses on technological vulnerabilities, this study argues that a complete risk assessment must also integrate human factors, which are often the weakest link. This paper introduces a novel approach that combines both technical and human elements to provide a more holistic view of cybersecurity risk.

Methods: We propose the Vulnerability Analysis Critical Impact Point (VACIP) methodology, a socio-technical framework designed to identify, analyze, and prioritize cybersecurity risks in ICS environments. The methodology integrates technical vulnerability scanning with an evaluation of human factors, including security awareness, training, and policy adherence. A testbed representing a typical industrial network was used to validate the VACIP methodology, simulating various attack vectors and human-related security weaknesses. Data from this validation was used to quantify the effectiveness of the approach in identifying critical impact points.

Results: The testbed validation successfully demonstrated that the VACIP methodology can effectively pinpoint weak links arising from both technological flaws and human vulnerabilities. The results show that by applying the VACIP framework, we can not only quantify the most critical points of impact but also significantly reduce the overall risk posture through targeted, socio-technical mitigation strategies. Our findings indicate that human-related risks, such as poor security governance and employee error, contribute as much to the overall risk as purely technical vulnerabilities.

Conclusions: This study concludes that a comprehensive cybersecurity risk reduction strategy for ICS environments must adopt a socio-technical perspective. The VACIP methodology provides a practical and effective framework for doing so, moving beyond traditional, technology-centric approaches. By prioritizing a blend of technical and human-focused controls, operators can achieve a more realistic and proactive security posture, ultimately safeguarding critical industrial infrastructure.

