Journal of Cyber Security and Risk Auditing

ISSN: 3079-5354 (Online)

Model-Based Systems Engineering Cybersecurity Risk Assessment for Industrial Control Systems Leveraging NIST Risk Management Framework Methodology

by 

Alexander Gampel ;

Timothy Eveleigh

PDF logoPDF

Published: 2025

Abstract

The realm of cybersecurity is perpetually evolving. Organizations must adapt to changing threat environments to protect their assets. Implementing the NIST Risk Management Framework (RMF) has become vital for the protection and security of industrial control and automation systems powered by SCADA technology. However, cybersecurity professionals face challenges in implementing the RMF, leading to systems operating without proper authorization resulting in non-compliance with standards and regulations. Current RMF-based business practices are inadequate, exposing organizations to cyber threats that compromise consumer personal data and essential infrastructure information. To address these challenges, this research proposes a Model-Based Systems Engineering (MBSE) approach to implementing cybersecurity controls and assessing risk through the RMF process. The study stresses the importance of adopting a modeling approach to streamline the RMF process. MBSE can effectively eliminate erroneous structures, simplifying the acquisition of an Authorization-to-Operate (ATO). Focusing on the practical application of MBSE in industrial control and automation systems can improve the security and safety of operations. This research concludes that MBSE can address the implementation challenges of the NIST RMF process while improving the security of industrial control and automation systems. The research suggests MBSE to be a more effective strategy for implementing cybersecurity controls and risk assessment through the RMF process. The study suggests that the MBSE approach can apply to other domains beyond industrial control and automation systems.

Keywords

Authorization-To-Operate (ATO)Industrial Control Systems, (ICS)Model-Based System’s Engineering (MBSE)Risk Management Framework (RMF).

Model-Based Systems Engineering Cybersecurity Risk Assessment for Industrial Control Systems Leveraging NIST Risk Management Framework Methodology is licensed under CC BY 4.0CCBY

References

  1. Ayub, A., et al. (2023). How are industrial control systems insecure by design? A deeper insight into real-world programmable logic controllers (Vol. 21). Los Alamitos: IEEE.
  2. Aleksandraviciene, A., & Morkevicius, A. (2021). MagicGrid book of knowledge. Kaunas: Vitae Litera.
  3. Amaghionyeodiwe, L. A. (2017). Risk Management Framework (RMF) and the implementation challenges. Proceedings of the Northeast Business & Economics Association.
  4. Jillepalli, A. A., Sheldon, F. T., de Leon, D. C., Haney, M., & Abercrombie, R. K. (2017). Security management of cyber-physical control systems using NIST SP 800-82r2. In 2017 13th International Wireless Communications and Mobile Computing Conference (IWCMC) (p. 186). IEEE.
  5. Al-Maari, A. A., Abdulnabi, M., Nathan, Y., Ali, A., Ali, U., & Khan, M. (2025). Optimized Credit Card Fraud Detection Leveraging Ensemble Machine Learning Methods. Engineering, Technology & Applied Science Research, 15(3), 22287-22294.
  6. Ayub, N., Sarwar, N., Ali, A., Khan, H., Din, I., Alqahtani, A. M., ... & Ali, A. (2025). Forecasting Multi-Level Deep Learning Autoencoder Architecture (MDLAA) for Parametric Prediction based on Convolutional Neural Networks. Engineering, Technology & Applied Science Research, 15(2), 21279-21283.
  7. Chan, A. (2023, April 28). Can AI be used for risk assessments? ISACA. https://www.isaca.org/resources/news-and-trends/industry-news/2023/can-ai-be-used-for-risk-assessments
  8. Cherdantseva, Y., et al. (2016). A review of cyber security risk assessment methods for SCADA systems. Computers & Security, 56, 1–27.
  9. Ali, A., Almaiah, M. A., Hajjej, F., Pasha, M. F., Fang, O. H., Khan, R., ... & Zakarya, M. (2022). An industrial IoT-based blockchain-enabled secure searchable encryption approach for healthcare systems using neural network. Sensors, 22(2), 572.
  10. Cybersecurity and Infrastructure Security Agency (CISA). (2024, February 29). Threat actors exploit multiple vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways — CISA. https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060b
  11. Chockalingam, S., Pieters, W., Teixeira, A., & Gelder, P. H. A. J. M. (2017). Bayesian network models in cyber security: A systematic review. In Cyber Security and Critical Infrastructure Protection (pp. 105–124). Springer. https://doi.org/10.1007/978-3-319-70290-2_7
  12. Vavra, C. (2022, March 4). Consequence-driven ICS risk management. Control Engineering. https://www.controleng.com/articles/consequencedriven-ics-risk-management/
  13. Eckhart, M., et al. (2023). QualSec: An automated quality-driven approach for security risk identification in cyber-physical production systems. IEEE Transactions on Industrial Informatics, 19(4), 5870–5881.
  14. Almaiah, M. A., Hajjej, F., Ali, A., Pasha, M. F., & Almomani, O. (2022). A novel hybrid trustworthy decentralized authentication and data preservation model for digital healthcare IoT based CPS. Sensors, 22(4), 1448.
  15. Almaiah, M. A., Ali, A., Hajjej, F., Pasha, M. F., & Alohali, M. A. (2022). A lightweight hybrid deep learning privacy preserving model for FC-based industrial internet of medical things. Sensors, 22(6), 2112.
  16. Holm, H., Sommestad, T., Ekstedt, M., & Nordström, L. (2013). CySeMoL: A tool for cyber security analysis of enterprises. In 22nd International Conference and Exhibition on Electricity Distribution (CIRED 2013) (pp. 1–4). https://doi.org/10.1049/cp.2013.1077
  17. Holmes, A. (2021). Exploring the challenges of the Risk Management Framework implementation for cybersecurity professionals. ProQuest Dissertations Publishing.
  18. INCOSE. (2015). Systems engineering handbook: A guide for system life cycle processes and activities.
  19. ] Jiang, Y., Jeusfeld, M. A., Mosaad, M., & Oo, N. (2024). Enterprise architecture modeling for cybersecurity analysis in critical infrastructures — A systematic literature review. International Journal of Critical Infrastructure Protection, 46.
  20. Lapon, J., et al. (n.d.). A SysML extension for security analysis of industrial control systems. Electronic Workshops in Computing. BCS, The Chartered Institute for IT.
  21. Kalogiannidis, S., Kalfas, D., Papaevangelou, O., Giannarakis, G., & Chatzitheodoridis, F. (2024). The role of artificial intelligence technology in predictive risk assessment for business continuity: A case study of Greece. Risks, 12(2), 19. https://doi.org/10.3390/risks12020019
  22. Stouffer, K., Pease, M., Tang, C., Zimmerman, T., Pillitteri, V., & Lightman, S. (2022). Guide to operational technology (OT) security (NIST SP 800-82r3). National Institute of Standards and Technology. http://dx.doi.org/10.6028/NIST.SP.800-82r3
  23. Langner, R. (2011). Stuxnet: Dissecting a cyberwarfare weapon (Vol. 9). Los Alamitos: IEEE.
  24. Landau, S. (2008). Security and privacy landscape in emerging technologies (Vol. 6). Los Alamitos: IEEE.
  25. Model-based security engineering for cyber-physical systems: A systematic mapping study. (2017). Information and Software Technology, 83, 116–135. https://doi.org/10.1016/j.infsof.2016.11.004
  26. National Institute of Standards and Technology. (2018). Risk management framework for information systems and organizations (SP 800-37r2). https://doi.org/10.6028/nist.sp.800-37r2
  27. Ross, R. (n.d.). NIST special publication 800-53: Security and privacy controls for information systems and organizations. National Institute of Standards and Technology.
  28. Papamichael, M., Dimopoulos, C., Boustras, G., & Vryonides, M. (n.d.). Performing risk assessment for critical infrastructure protection: A study of human decision-making and practitioners’ transnationalism considerations. International Journal of Critical Infrastructure Protection.
  29. Roberts, P. (2023, February 14). Cyberattacks on industrial control systems jumped in 2022. The Security Ledger with Paul F. Roberts. https://securityledger.com/2023/02/cyberattacks-on-industrial-control-systems-jumped-in2022
  30. Ramos, A. L., Ferreira, J. V., & Barceló, J. (2012). Model-based systems engineering: An emerging approach for modern systems. IEEE Transactions on Systems, Man, and Cybernetics – Part C: Applications and Reviews, 42, 101–111.
  31. Romero-Faz, D., & Camarero-Orive, A. (2017). Risk assessment of critical infrastructures – New parameters for commercial ports. International Journal of Critical Infrastructure Protection, 18, 50–57. https://doi.org/10.1016/j.ijcip.2015.06.009
  32. Ross, R. (2018). Risk management framework for information systems and organizations: A system life cycle approach for security and privacy (Special Publication [NIST SP]). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-37r2
  33. Setola, R. (2024). It is the time, are you sufficiently resilient? International Journal of Critical Infrastructure Protection, 46, Article 100710. https://doi.org/10.1016/S1874-5482(24)00051-9
  34. Shaked, A. (2023). A model-based methodology to support systems security design and assessment. Journal of Industrial Information Integration, 33, 100465. https://doi.org/10.1016/j.jii.2023.100465
  35. Smart electrical grids more vulnerable to cyber attacks. (2017, August 16). ECN. https://www.proquest.com/trade-journals/smart-electricalgrids-more-vulnerable-cyber/docview/1929257720/se-2
  36. Stockman, M., Dwivedi, D., Gentz, R., & Peisert, S. (2019). Detecting control system misbehavior by fingerprinting programmable logic controller functionality. International Journal of Critical Infrastructure Protection, 26, 100306.
  37. Upadhyay, D., Ghosh, S., Ohno, H., Zaman, M., & Sampalli, S. (n.d.). Securing industrial control systems: Developing a SCADA/IoT test bench and evaluating lightweight cipher performance on hardware simulator. International Journal of Critical Infrastructure Protection.
  38. Vasan, D., Alqahtani, E. J. S., Hammoudeh, M., & Ahmed, A. F. (2024). An AutoML-based security defender for industrial control systems. International Journal of Critical Infrastructure Protection, 47, 100718. https://doi.org/10.1016/j.ijcip.2024.100718
  39. Weilkiens, T. (2016). Systems engineering with SysML/UML: Modeling, analysis, design.
  40. Knowles, W., Prince, D., Hutchison, D., Pagna Disso, J. F., & Jones, K. (2015). A survey of cybersecurity management in industrial control systems. International Journal of Critical Infrastructure Protection, 9(C), 52–80.
  41. Wilson, B., Arena, M. V., Mayer, L. A., Heitzenrater, C., Mastbaum, J., & Connolly, K. J. (2022). A methodology for quantifying the value of cybersecurity investments in the Navy. RAND Corporation. https://www.rand.org/pubs/researchreports/RRA13.html
  42. Roudier, Y., & Apvrille, L. (2015). SysML-Sec: A model-driven approach for designing safe and secure systems. In 2015 3rd International Conference on Model-Driven Engineering and Software Development (MODELSWARD) (pp. 655–664).
  43. Yousaf, A., Amro, A., Kwa, P. T. H., Li, M., & Zhou, J. (2024). Cyber risk assessment of cyber-enabled autonomous cargo vessel. International Journal of Critical Infrastructure Protection, 46, 100695. https://doi.org/10.1016/j.ijcip.2024.100695