Damage prediction system, damage prediction method, or damage prediction program

The damage prediction system enhances cyberattack damage prediction by using business and plant models to simulate attacks, improving accuracy and addressing system integrity, overcoming limitations of existing systems.

JP7881504B2Active Publication Date: 2026-06-29HITACHI LTD

Patent Information

Authority / Receiving Office
JP · JP
Patent Type
Patents
Current Assignee / Owner
HITACHI LTD
Filing Date
2023-03-23
Publication Date
2026-06-29

Smart Images

  • Figure 0007881504000001
    Figure 0007881504000001
  • Figure 0007881504000002
    Figure 0007881504000002
  • Figure 0007881504000003
    Figure 0007881504000003
Patent Text Reader

Abstract

To provide a damage prediction system for predicting damage assuming a cyber attack on a business system that controls a plant system for producing an object.SOLUTION: Business model state information 312 includes business damage information indicating the presence or absence of damage caused by a cyber attack to data related to business for each processing object. Plant model state information 317 includes plant damage information indicating the presence or absence of damage caused by the cyber attack to the object for each work object. An updating part 302 updates the business model state information 312 and the plant model state information 317 in time series based on the cyber attack information, business model information 311, and plant model information 316. A calculation part 303 calculates the damage caused by the cyber attack based on the business model state information 312 or the plant model state information 317.SELECTED DRAWING: Figure 3
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] The present disclosure relates to a damage prediction system, a damage prediction method, or a damage prediction program for predicting damage caused by cyberattacks.

Background Art

[0002] In order to cope with cyberattacks, it is beneficial to predict (estimate) the damage caused by cyberattacks. Patent Document 1 discloses an estimation device that estimates the impact (damage) on business caused by cyberattacks, targeting a system in which a plurality of devices (servers or PCs) exist and these devices are interconnected by a network. When estimating the risk (damage) caused by cyberattacks, the estimation device also considers the transition of cyberattacks between devices (servers or PCs). When a user inputs information on an observed event (which is understood to be related to a cyberattack) to the estimation device, the estimation device presents to the user the impact (damage) on business caused by the cyberattack in terms of money. Here, the estimation device can separately present to the user the impact on business caused by cyberattacks in each case where countermeasures can be taken against cyberattacks and where no countermeasures are taken. FIG. 12 of Patent Document 1 shows that parameters used for calculating the impact (damage) on business are preset for each server or service. Examples of the preset parameters include the number of personal information items, the amount of personal information compensation, the number of confidential information items, the amount of confidential information compensation, litigation costs, the daily sales of services, and the impact on stock prices.

Prior Art Documents

Non-Patent Documents

[0003]

Patent Document 1

Summary of the Invention

Problems to be Solved by the Invention

[0004] The prior art disclosed in Patent Document 1 is insufficient in its consideration of the target of predicting damage from cyberattacks. Furthermore, the prior art disclosed in Patent Document 1 has a high degree of arbitrariness in the prediction results when predicting damage from cyberattacks, making it difficult to guarantee the accuracy of the prediction results. Specifically, the prior art disclosed in Patent Document 1 does not assume a plant system that produces or generates some kind of object, or a business system (or control system; hereinafter the same) that controls the plant system, as the target for predicting damage from cyberattacks. Originally, within a plant system, there is coordination between operations performed in the process of producing or generating some kind of object, and within a business system that controls the plant system, there may also be coordination between processes (or between devices or machines) within the system. Furthermore, there can be various cases for the inter-system correspondence between the plant system and the business system. However, the prior art disclosed in Patent Document 1 does not predict damage from cyberattacks by taking into consideration the above-mentioned aspects within the plant system, the aspects within the business system, and the inter-system correspondence between the plant system and the business system. Furthermore, the prior art disclosed in Patent Document 1 uses a large number of artificially defined parameters when predicting damage from cyberattacks. When predicting damage from cyberattacks, relying heavily on artificially defined parameters makes the prediction results prone to being arbitrary, and it is difficult to guarantee the accuracy of the prediction results.

[0005] Furthermore, most prior technologies for predicting damage from cyberattacks focus on the extent to which a system can continue to operate after a cyberattack (the extent to which availability is maintained). On the other hand, when predicting damage from cyberattacks, few focus on the extent to which the system's state and what the system should provide (e.g., objects) remain normal (the extent to which integrity is maintained), even if the system continues to operate to some extent after a cyberattack (while maintaining availability).

[0006] Based on the above, one of the purposes of this disclosure is to predict the damage caused by a cyberattack, assuming that there is a cyberattack on a business system that controls a plant system that produces or generates some kind of object. Furthermore, one of the purposes of this disclosure is to reduce the arbitrariness of prediction results and improve the accuracy of prediction results when making predictions regarding cyberattacks. Furthermore, one of the objectives of this disclosure is to enable predictions that focus on the state of a system under cyberattack and the degree to which the system's expected output (e.g., objects) remains normal (the degree to which integrity is maintained) when making predictions regarding cyberattacks. [Means for solving the problem]

[0007] To achieve at least one of the above objectives, the features that this disclosure may have include, for example, the following: The damage prediction system predicts the damage caused by a cyberattack to one or more business systems and one or more plant systems, based on a business model corresponding to the business system and a plant model corresponding to the plant system. Each of the plant systems is controlled by one or more of the business systems. The damage prediction system comprises a storage unit, an update unit, and a calculation unit. The storage unit stores information about the business model, including business model status information, and information about the plant model, including plant model status information. The business model status information includes, for each processing target, business location information indicating the location of the processing target within the business model, and business damage information indicating whether the data related to the business corresponding to the processing target has been damaged by the cyberattack. The plant model status information includes, for each work target, plant location information indicating the location of the work target within the plant model, and plant damage information indicating whether the objects produced in conjunction with the work target have been damaged by the cyberattack. The update unit updates the business model status information and the plant model status information in chronological order based on information about the cyberattack scenario, information about the business model, and information about the plant model. The calculation unit calculates the damage to the business system or the plant system caused by the cyberattack, based on the business model status information or the plant model status information. [Effects of the Invention]

[0008] The effects and benefits corresponding to the features that this disclosure may possess are, for example, as follows: The damage prediction system described in this disclosure predicts damage from cyberattacks using a business model corresponding to an operational system and a plant model corresponding to a plant system. Therefore, it can predict damage from cyberattacks assuming that there is a cyberattack on an operational system that controls a plant system that produces or generates objects. The damage prediction system described in this disclosure predicts damage caused by cyberattacks based on business model status information or plant model status information, thereby reducing the arbitrariness of the prediction results and improving the accuracy of the prediction results. The damage prediction system in this disclosure predicts damage caused by cyberattacks using business damage information for each processing target in the business model, or plant damage information for each work target in the plant model. Since the business damage information and plant damage information can include information on integrity, when making predictions about cyberattacks, it is possible to realize predictions that focus on the state of the system that has been cyberattacked and the degree to which what the system should provide (e.g., objects) is normal (the degree to which integrity is maintained).

[0009] Damage prediction methods and programs that achieve the same processing or operation as the damage prediction system described above can also achieve the same effects and benefits as the damage prediction system itself. Furthermore, in the form of a program, costs can often be reduced. In a program, it is also easier to make design changes related to processing or operation. Any other features that this disclosure may possess, and the effects corresponding to such features, are disclosed in this specification, claims, or drawings. [Brief explanation of the drawing]

[0010] [Figure 1] The functional configuration (modeling and simulation) of the embodiments of this disclosure is shown. [Figure 2] The functional configuration (intra-model configuration and inter-model relationships) of the embodiments of this disclosure is shown. [Figure 3] The functional configuration of the embodiment of this disclosure (internal configuration of the damage prediction system) is shown. [Figure 4] This document shows a computer architecture that implements the embodiments of this disclosure. [Figure 5] A flowchart of the process in the first embodiment is shown. [Figure 6] This section provides information about the system model. [Figure 7] Shows information about the attack scenario. [Figure 8] Shows the attack scenario selection screen. [Figure 9] Shows information about the business model. [Figure 10] Shows information about the plant model. [Figure 11] Shows business model status information and business time-series data. [Figure 12] Shows plant model status information and plant time-series data. [Figure 13] Shows production volume time-series data. [Figure 14] Shows an example display of business time-series data. [Figure 15] Shows the first example display of production volume time-series data. [Figure 16] Shows the second example display of production volume time-series data. [Figure 17] Shows the third example display of production volume time-series data. [Figure 18] Shows information about the damage amount conversion table. [Figure 19] Shows the first example display of the damage amount. [Figure 20] Shows the second example display of the damage amount. [Figure 21] Shows the flowchart of the processing of the second embodiment. [Figure 22] Shows the screen for specifying important performance evaluation indicators (damage amount or target production volume). [Figure 23] Shows an example display of a dangerous attack scenario.

Mode for Carrying Out the Invention

[0011] Hereinafter, embodiments of the present disclosure will be described in detail with reference to the drawings. The following description and drawings are examples for explaining the present disclosure, and for the sake of clarity of explanation, appropriate omissions and simplifications have been made. The present disclosure can be implemented in various other forms. Unless otherwise particularly limited, each component may be singular or plural. The positions, sizes, shapes, and extents of the components shown in the drawings may not represent their actual positions, sizes, shapes, and extents in order to facilitate understanding of the invention. Therefore, this disclosure is not necessarily limited to the positions, sizes, shapes, and extents disclosed in the drawings. The use of the same reference number in multiple drawings indicates that they are the same. Each of the systems, devices, or parts of this disclosure may be a single, integrated piece of hardware, or it may be divided into multiple parts that work together to perform their respective functions. Several systems, devices, or parts may be integrated in hardware. Each of the systems, devices, or parts of this disclosure may be implemented by having a computer execute software (programs) (as shown in Figure 4). Some of the functions of the system, device, or part may be implemented in hardware (e.g., hardwired logic or FPGA), and the remaining functions may be implemented by executing software (programs). Alternatively, all of the functions of each of the systems, devices, or parts may be implemented in hardware. The term "program" in this disclosure is included in the general concept of software, where software and hardware resources work together to construct a specific information processing device or method of operation suited to a particular purpose. In other words, the program in this disclosure is not limited to any particular type or form of program. Furthermore, the program may initially be recorded in a compressed format. In this disclosure, processes may be explained using flowcharts or similar methods. Some or all of the steps of the processes shown in the flowcharts or similar methods can also be implemented in hardware.

[0012] 1. Functional configuration of the embodiments of this disclosure In the following, the first and second embodiments of this disclosure will be described. Of these, the functional configuration will be described collectively in "1. Functional Configuration of the Embodiments of this Disclosure". The system configuration will be described collectively in "2. System Configuration of the System According to the Embodiments of this Disclosure". The processing will be described separately for each embodiment. Finally, modifications will be mentioned.

[0013] Figure 1 shows the modeling and simulation aspects of the functional configuration of the embodiment of this disclosure. In Figure 1, the damage prediction system 100 of this disclosure predicts damage to a hypothetical real system 110 caused by a cyberattack. The hypothetical real system 110 may be an existing real system or a system that does not yet exist. The hypothetical real system 110 has one or more business systems (each business system is referred to as business system X, business system Y, business system Z, etc.) and one or more plant systems (each plant system is referred to as plant system A, plant system B, etc.). Each plant system performs one or more operations to produce or generate objects. Different plant systems may produce or generate different types of objects, or they may produce or generate the same type of objects. Each business system performs one or more operations to control the plant systems. Here, each plant system is controlled by one or more business systems. (Alternatively, each plant system may be said to depend on one or more business systems.) Also, each business system may control one or more plant models. In the example in Figure 1, plant system A is controlled by business system X and business system Y. In the example in Figure 1, plant system B is controlled by business systems X and Z. Within the plant system, the concept of a work object is associated with each object produced or generated. An object or work object will sequentially undergo one or more operations within the plant system. Within the business systems, the concept of a processing object is associated with each piece of business-related data. Business-related data may include commands or parameters for controlling any of the operations performed within the plant system. Business-related data or processing objects are transmitted and received between one or more devices within the business systems (e.g., general IT terminals, servers, or controllers). Here, each operation within the plant system may be controlled by any device within any of the business systems (e.g., a server or controller) (however, any operation within any of the plant systems may not be controlled by any device in any of the business systems).In the case of the control relationships described above, the device that receives the data relating to the business will perform controls on the work that are influenced by the data relating to the business, and therefore the data relating to the business will affect the work within the plant system controlled by the device. In the embodiments of this disclosure, assuming that there is a cyberattack based on an attack scenario against each of the devices in the business system, the damage prediction system 100 predicts the damage caused by the cyberattack.

[0014] To predict damage caused by cyberattacks, the damage prediction system 100 simulates a modeled system 120. The modeled system 120 has one or more business models (each business model is referred to as business model X, business model Y, business model Z, etc.) and one or more plant models (each plant model is referred to as plant model A, plant model B, etc.). Business models correspond to business systems and represent the configuration, processing, state, or input / output of those business systems. Plant models correspond to plant systems and represent the configuration, processing, state, or input / output of those plant systems. The concept of a processing target in a business model corresponds to the concept of a processing target in a business system. However, business damage information is linked to the processing targets in business models. Business damage information indicates whether or not the corresponding processing targets have been damaged by a cyberattack during the process in which the damage prediction system 100 simulates the modeled system 120. The concept of a work target in a plant model corresponds to the concept of a work target in a plant system. However, plant damage information is linked to the work targets in plant models. The plant damage information indicates the result of the determination of whether or not the corresponding work target was damaged by a cyberattack during the process in which the damage prediction system 100 simulates the modeled system 120.

[0015] Figure 2 shows the internal model configuration and inter-model relationships among the functional configurations of the embodiments of this disclosure. Figure 2 shows an example that is consistent with the example in Figure 1. Specifically, it shows the configuration in which plant model A is controlled by business model X and business model Y, and the configuration in which plant model B is controlled by business model X and business model Z, as shown in Figure 1. Regarding the notation of processing target and work target in Figure 2, for example, "processing target PX" and "work target PA" in Figure 1 are abbreviated as "PX" and "PA" in Figure 2.

[0016] In the example in Figure 2, each business model contains one or more devices (e.g., general IT terminals, servers, or controllers). The devices within the business models are merely hypothetical devices assumed in the simulation. In the example in Figure 2, business model X contains one general IT terminal X0, one server X1, and two controllers X2 and X3. Business model Y contains one general IT terminal Y0, one server Y1, and one controller Y2. Business model Z contains one general IT terminal Z0, one server Z1, and one controller Z2. The processing targets are sequentially transmitted between the devices within the business models according to the configured processing order. In the example in Figure 2, the processing order shown by the white arrows is set for each of the business models X, Y, and Z. For example, in business model X, the processing order is set to be general IT terminal X0, server X1, controller X2, and controller X3. The number of various devices included in the business models and the paths through which the processing targets are transmitted between devices are not limited to the example in Figure 2. Each processing target within a business model is associated with business location information (abbreviated as "business location" in Figure 2), which indicates the location of the processing target within the business model, and business damage information (abbreviated as "business damage" in Figure 2), which indicates whether or not the processing target has been affected by a cyberattack (as explained in Figure 1). For example, the initial state of the business damage information for each processing target may be "completeness is true".

[0017] In the example in Figure 2, each plant model has one or more tasks, and there are positions between tasks where the work object stops. The tasks within the plant models are merely tasks assumed in the simulation and are not the actual work robots, etc., that would perform those tasks in the assumed real system 110. In the example in Figure 2, plant model A has four tasks A1, A2, A3, and A4, and five positions set between tasks (including the position before task A1 and the position after task A4). Plant model B has four tasks B1, B2, B3, and B4, and five positions set between tasks (including the position before task B1 and the position after task B4). The work object is sequentially moved between positions within the plant models according to the set work sequence. In the example in Figure 2, a work sequence is set for both plant models A and B, indicated by white arrows. For example, in plant model A, the work sequence is set to be task A1, task A2, task A3, and task A4. The number of various tasks and locations included in the plant model, as well as the paths through which the work objects are transmitted between tasks, are not limited to the example in Figure 2. Each work object within the plant model is associated with plant location information (abbreviated as "plant location" in Figure 2), which indicates the location of the work object within the plant model, and plant damage information (abbreviated as "plant damage" in Figure 2), which indicates whether or not the work object has been damaged by a cyberattack (as explained in Figure 1). For example, the initial state of the plant damage information for each work object may be "completeness is true".

[0018] In the example in Figure 2, in plant model A, task A1 (performed by a robot, etc.) is controlled by server X1, task A2 (performed by a robot, etc.) is controlled by controller Y2, task A3 (performed by a robot, etc.) is controlled by controller X2, and task A4 (performed by a robot, etc.) is controlled by controller X3. In plant model B, tasks B1 (performed by a robot, etc.) and B2 (performed by a robot, etc.) are controlled by controller X2, task B3 (performed by a robot, etc.) is controlled by server Z1, and task B4 (performed by a robot, etc.) is controlled by controller Z2. Note that the correspondence between tasks in the plant model and devices in the business model is not limited to the example in Figure 2. Furthermore, it is possible that any task in the plant model may not be controlled by any device in any of the business models. The control relationships from the devices in the control model described above to the operations (robots, etc.) in the plant model may be described in the inter-model control relationship information 448 below.

[0019] A cyberattack based on an attack scenario can target devices within a business model. If the damage prediction system 100 determines in a simulation that a device in a certain business model has entered an abnormal state due to a cyberattack, the business damage information of the processed items handled while that device is in an abnormal state may be treated as "false integrity" information. Once the business damage information of a processed item has entered a "false integrity" state, it may be treated so that it remains unchanged even if the processed items are subsequently transmitted to any other device. If a device in a certain business model is determined to be in an abnormal state due to a cyberattack, the plant damage information of the target of work handled by the work (such as a robot) controlled by the device may be treated as "false integrity" information while the device is in an abnormal state. Once the plant damage information of a target of work has become "false integrity" information, it may be treated so that it does not change, even if the target of work is subsequently transmitted to any work or location.

[0020] Figure 3 shows the internal configuration of the damage prediction system, which is one of the functional configurations of the embodiment of this disclosure. The damage prediction system 100 takes an attack scenario 304 as input, simulates a modeled system 120 having a business model and a plant model, and calculates the damage 305 to the modeled system 120 caused by a cyberattack based on the attack scenario 304. The damage prediction system 100 has a storage unit 301, an update unit 302, and a calculation unit 303. The storage unit 301 has information related to the business model 311 (abbreviated as "business model information 311" in the drawings) and information related to the plant model 316 (abbreviated as "plant model information 316" in the drawings). The information related to the business model 311 has business model status information 312. The information related to the plant model has plant model status information 317. For each processing target, the business model status information 312 has, for example, business location information as shown in the explanation of Figure 2, and business damage information as shown in the explanations of Figures 1 and 2. For each work target, the plant model status information 317 has, for example, plant location information as shown in Figure 2, and plant damage information as shown in the explanations of Figures 1 and 2. The update unit 302 updates the business model status information 312 and the plant model status information 317 in chronological order based on the attack scenario 304, the information related to the business model 311, and the information related to the plant model 316. The calculation unit 303 calculates the damage to the business system or plant system caused by a cyberattack based on the attack scenario 304, based on the business model status information 312 or the plant model status information 317. The business model information 311 may include other business model information 313. The other business model information 313 may include processing sequence information 314 that shows the processing order in the explanation of Figure 2 and the data transmission path related to the business. The plant model information 316 may include other plant model information 318. The other plant model information 318 may include work sequence information 319 that shows the work order in the explanation of Figure 2.

[0021] Since the damage prediction system 100 in this disclosure has the functional configuration described above, it can provide the effects shown in the [Effects of the Invention] section above. Furthermore, since the damage prediction system 100 represents the business model using processing sequence information 314, it can appropriately determine which of the one or more processes performed on a processing target each individual processing target is located in. In other words, the damage prediction system 100 can appropriately simulate the processing of the business system that the business model is modeling. Similarly, since the damage prediction system 100 represents the plant model using work sequence information 319, it can appropriately determine which of the one or more tasks performed on the work target each individual work target is located within. In other words, the damage prediction system 100 can appropriately simulate the tasks of the plant system that the plant model represents.

[0022] 2. System configuration of the system according to the embodiment of this disclosure Figure 4 shows the system configuration (architecture) for realizing the embodiment of this disclosure. To realize the damage prediction system 100, some or all of the following may be interconnected by an interconnection section (e.g., a bus, a crossbar switch) 410: an information processing device (e.g., a CPU) 401, a storage device (e.g., a memory) 402, a non-volatile recording medium (e.g., a non-volatile memory, a non-volatile disk device) 403, an external recording medium drive (e.g., a disk drive) 404, a display or output device (e.g., a display, a printer; a device that displays or outputs setting screens or result screens in a format visible to the user, etc.) 406, an input device (e.g., a mouse, a keyboard, an imaging device, a sensor) 407, a communication device (e.g., a wired communication device, a wireless communication device; a network interface device that controls communication with other systems, devices, or servers according to a predetermined protocol) 408, and an external input / output port 409. The non-volatile recording medium 403 may record the damage prediction program 430 and various other information. The damage prediction program 430 may include an attack setting unit program 431 (abbreviated as "attack setting unit P431" in the drawing), an update unit program 432 (abbreviated as "update unit P432" in the drawing), a calculation unit program 433 (abbreviated as "calculation unit P433" in the drawing), a display control unit program 434 (abbreviated as "display control unit P434" in the drawing), a generation unit program 435 (abbreviated as "generation unit P435" in the drawing), a threshold setting unit program 436 (abbreviated as "threshold setting unit P436" in the drawing), and a specific unit program 437 (abbreviated as "specific unit P437" in the drawing). Furthermore, the various information stored in the non-volatile recording medium 403 may include information about the system model 441 (abbreviated as "system model information 441" in the diagram), information about attack scenarios 442 (abbreviated as "attack scenario information 442" in the diagram), information about the business model 311, information about the plant model 316, inter-model control relationship information 448 (abbreviated as "inter-model relationship information 448" in the diagram), business time-series data 443, plant time-series data 444, production volume time-series data 445, damage cost conversion table information 446 (abbreviated as "damage cost conversion table 446" in the diagram), information about key performance indicators 447 (abbreviated as "key performance indicators 447" in the diagram), and other various information 449. Alternatively, some or all of the above-mentioned programs or various types of information may be acquired (accessed) from outside Figure 4. The external storage media drive 404 can connect to an external storage media (for example, a portable recording disc (DVD, etc.), an IC card, or an SD card) 405. Alternatively, the damage prediction program 430 and various other information may be transferred from this external storage media 405 to the non-volatile storage media 403 or the storage device 402 and stored therein. Furthermore, the damage prediction program 430 and various other information may be provided via the communication device 408, the external input / output port 409, or the input device 407, and stored in the non-volatile recording medium 403 or the storage device 402. In order for the architecture in Figure 4 to function as the damage prediction system 100, or as a part of the damage prediction system 100 (performing one or a series of processes (steps)), the damage prediction program 430 may first be loaded into the storage device 402 (for example, from the non-volatile recording medium 403). The loaded program is shown as 420 in Figure 4. Then, the information processing device 401 may execute the program 420 on the storage device 402 (using various information present in the non-volatile recording medium 403, etc., as needed). The execution of program 420 realizes the function of each part of the damage prediction system 100 (performing one or a series of processes (steps)). At this time, various buffers 423 temporarily formed in the storage device 402 may also be used as appropriate.

[0023] 3. Processing of the embodiments of the present disclosure The first and second embodiments of this disclosure will be described in order below. In the flowchart diagrams illustrating the processing of the first embodiment of this disclosure and the second embodiment described below, rectangular boxes represent processing steps, and diamond-shaped boxes represent conditional branching steps. In the flowchart diagrams, "step" is abbreviated as "S". In the flowchart diagrams, boxes with a fold in the lower right corner of a rectangle represent data (information) handled in the processing. Furthermore, the information processing device 401 implements the attack setting unit program 431, the update unit program 432, the calculation unit program 433, the display control unit program 434, the generation unit program 435, the threshold setting unit program 436, and the identification unit program 437, respectively, thereby realizing the attack setting unit, update unit, calculation unit, display control unit, generation unit, threshold setting unit, and identification unit. Each step in the flowchart is executed by any of these functional units. As described above, some or all of the steps may be implemented in hardware without relying on program execution. Furthermore, the forms of information, pull-down menus, and icons shown in the diagrams described below are examples only and are not limited to these.

[0024] 3-1. Processing of the first embodiment of this disclosure In the first embodiment of this disclosure, a user of the damage prediction system 100 selects one or more attack scenarios for a cyberattack for which damage prediction is to be made, and the damage prediction system 100 performs simulations related to the business model and plant model, and displays or outputs time-series data obtained from the simulation. Figure 5 shows a flowchart 500 of the process in the first embodiment. Each step shown in flowchart 500 may constitute a damage prediction method.

[0025] 3-1-1. Attack Scenario Generation Process In step 501 of Figure 5, the generation unit generates information 442 regarding the attack scenario based on information 441 regarding the system model. The information 441 regarding the system model is information regarding at least the specifications of the business system (and the business model that models the business system) among the specifications of the assumed real system 110 (and the modeled system 120 that models this assumed real system 110). For example, the information 441 regarding the system model may include any of the following: hardware information, software information, vulnerability information, physical configuration information, logical configuration information, or information regarding the time required from the occurrence of a cyberattack until recovery. Figure 6 shows some examples of information 441 regarding the system model. Figure 6 shows a table that holds information on the time required to recover from a cyberattack (recovery time) and vulnerability information for at least the business systems (and business models) within the assumed real system 110 (and the modeled system 120), for each type of device that the system or model has. For example, Figure 6 shows that for "general IT terminal," "server," and "controller," the recovery times are "60 minutes," "15 minutes," and "30 minutes," respectively, and the vulnerability information is "CVE XXX," "CVE YYY," and "CVE ZZZ," respectively. CVE stands for Common Vulnerability Identifier. XXX, YYY, and ZZZ represent the CVE identification numbers. Each CVE identification number is assigned to a corresponding type of vulnerability. The information 441 regarding the system model may include, in addition to the information shown in Figure 6, information such as the number of devices of each type possessed by the business system (and business model), and information on inter-device connectivity (including hardware connectivity or logical connectivity of the network). Furthermore, if there is a type of common information that can be included in both the information 441 regarding the system model and the information 311 regarding the business model, then either the information 441 regarding the system model or the information 311 regarding the business model may possess such common information.

[0026] In step 501 of Figure 5, the generation unit uses the information 441 regarding the system model described above to define the device within the business model that will be targeted by the cyberattack (attack target) and the attack path, which is the inter-device path that the cyberattack will take to reach the targeted device. The set of attack target and attack path defined by the generation unit constitutes an attack scenario. The generation unit may also define a simple attack scenario that includes only the attack target. The generation unit generates a list of attack scenarios and stores it as information 442 regarding attack scenarios. Figure 7 shows information related to attack scenarios. Figure 7 shows a table containing the attack scenario ID (scenario ID), information about the target of the attack, and information about the attack path for each attack scenario generated by the generation unit. For example, in the attack scenario with attack scenario ID 1 in Figure 7, the target of the attack is "server χ" and the attack path is "an inter-device path in the order of general IT terminal α, general IT terminal β, and server χ".

[0027] As described above, the damage prediction system 100 uses information about the system model for realizing the business system to generate attack scenarios for cyberattacks against the business model that models the business system. Furthermore, these attack scenarios include the target devices and attack paths within the business model. Therefore, the damage prediction system 100 can prepare attack scenarios that are relevant to the actual business system, resulting in highly accurate damage prediction results.

[0028] 3-1-2. Attack Scenario Selection Process In step 502 of Figure 5, the attack setting unit selects an attack scenario for damage prediction from the list of attack scenarios contained in the information on attack scenarios 442, and sets (specifies) the attack occurrence time (event occurrence time) of the cyberattack for which damage prediction is to be made. For example, the attack setting unit may control the display of a screen (attack scenario selection screen) to accept input for the above selection or specification from the user of the damage prediction system 100. Figure 8 shows the attack scenario selection screen. In the attack scenario selection screen of Figure 8, a list of attack scenarios (attack scenario ID, target, and attack path) from the attack scenario information 442 is displayed in a table format. On the attack scenario selection screen, there is a scenario selection checkbox 801 for each attack scenario. Users of the damage prediction system 100 click the scenario selection checkbox 801 for one or more attack scenarios for which they want to perform damage prediction. Users of the damage prediction system 100 enter the attack time (event occurrence time) of the cyberattack for which damage prediction is to be performed into the time input field 802 on the attack scenario selection screen in Figure 8. The time entered into the time input field 802 may be the time when the cyberattack begins against the first device in the attack path (for example, in the case of attack scenario ID 1 in Figure 8, general IT terminal α). Users of the damage prediction system 100 check the scenario selection checkbox 801 and enter the time in the time input field 802, and then click the execute icon 803. In response to the click of the execute icon 803, the attack setting unit accepts input to select the attack scenario for damage prediction and input to set the attack occurrence time (event occurrence time).

[0029] The damage prediction system 100 accepts input to select an attack scenario to predict damage from a list of attack scenarios, making it easy to perform initial setup for damage prediction simulations. Furthermore, the damage prediction system 100 accepts input to set the attack occurrence time (event occurrence time), allowing time-related factors to be incorporated into the damage prediction simulation.

[0030] 3-1-3. State update process within the simulation process using the model After the initialization of various state information in step 503 of Figure 5, in steps 504 and 505, the update unit updates the business model state information 312 (and business time-series data 443) and the plant model state information 317 (and plant time-series data 444) in chronological order, while referring to the business model information 311 and the plant model information 316 (and inter-model control relationship information 448). In Figure 5, the business model status information 312 is extracted from the information contained in the business model information 311, and the plant model status information 317 is extracted from the information contained in the plant model information 316, and these are displayed separately.

[0031] Figure 9 shows information 311 about the business model. However, Figure 9 does not show the format in which the information 311 about the business model is recorded, but rather shows the Petri net representation of the business model that is represented by the information 311 about the business model. The example in Figure 9 is business model Y shown in Figures 1 and 2. In the Petri net representation in Figure 9, the business model Y is represented by a directed arc 901, two types of nodes connected by the directed arc 901 (place 902 and transition 903), and tokens (business tokens) 904 that move across the directed arc 901. Furthermore, the state transitions of the business model Y are represented by the movement of business tokens 904 between places 902 when transition 903 is triggered. The vertical orientation of Figure 9 shows how the business tokens 904 sequentially transition over time. Each of the devices included in the business model Y—the general IT terminal Y0, server Y1, and controller Y2—is associated with a separate place 902. In addition, each of the processing targets is associated with a separate business token 904. Here, we assume a scenario in business model Y where data related to the business (associated with the processing target) is sent and received from general IT terminal Y0 to server Y1 every 20 minutes, and data related to the business (associated with the processing target) is sent and received from server Y1 to controller Y2 every 5 minutes. In accordance with this assumed scenario, the Petri net representation of business model Y includes a transition that passes the business token through a directed arc between the place corresponding to general IT terminal Y0 and the place corresponding to server Y1 every 20 minutes. Additionally, a transition that passes the business token through a directed arc between the place corresponding to server Y1 and the place corresponding to controller Y2 every 5 minutes. Each business token 904 is associated with either "true integrity" or "false integrity" information as business damage information. In the process of a business token 904 moving across the directed arc 901, once the business damage information associated with a business token 904 becomes "false integrity," it may remain "false integrity" thereafter. In the example in Figure 9, a case is assumed in which server Y1 is in an abnormal state due to a cyberattack. In Figure 9, in this case, when a business token 904 is located in the place corresponding to server Y1, the business damage information associated with that business token 904 becomes "false integrity," and thereafter, the business damage information associated with that business token 904 remains "false integrity."

[0032] Figure 10 shows information 316 about the plant model. However, Figure 10 does not show the format in which the information 316 about the plant model is recorded, but rather the Petri net representation of the plant model that is represented by the information 316 about the plant model. An example in Figure 10 is the beginning portion of plant model A shown in Figures 1 and 2 (the portion related to the first two operations A1 and A2). In the Petri net representation in Figure 10, plant model A is represented by a directed arc 1001, two types of nodes connected by the directed arc 1001 (places 1002 and transitions 1003), and tokens (plant tokens) 1004 that move along the directed arc 1001. Furthermore, the firing of transitions 1003 causes plant tokens 1004 to move between places 1002, representing the state transitions of plant model A. The vertical orientation of Figure 10 shows the state at each time point, illustrating how plant tokens 1004 sequentially transition over time. Individual transitions 1003 are associated with each of the tasks included in the initial part of plant model A: task A1 (performing the robot, etc.) and task A2 (performing the robot, etc.). Places 902 are associated with the positions between tasks (positions where plant tokens 1004 temporarily stop). Additionally, individual plant tokens 1004 are associated with each of the work targets. Here, we assume a scenario where, at the beginning of Plant Model A, it takes 2 minutes from start to finish for task A1 (associated with the work target) and 4 minutes from start to finish for task A2 (associated with the work target). In accordance with this assumed scenario, the Petri net representation at the beginning of Plant Model A is set to take 2 minutes for the transition corresponding to task A1 and 4 minutes for the transition corresponding to task A2. Each plant token 1004 is associated with either "true integrity" or "false integrity" information as plant damage information. During the process of a plant token 1004 transitioning on the directed arc 1001, once the plant damage information associated with a plant token 1004 becomes "false integrity," it may remain in that state thereafter. In the example in Figure 10, a case is assumed in which the robot (or other device performing) task A2, which is controlled by the business model Y, is in an abnormal state due to damage to the business model Y caused by a cyberattack. In Figure 10, in this case, when a plant token 1004 passes through the transition corresponding to task A2, the plant damage information associated with that plant token 1004 becomes "false integrity," and thereafter, the plant damage information associated with that plant token 1004 remains in that state.

[0033] As shown in Figures 9 and 10, by representing the business model and plant model using Petri nets, the damage prediction system 100 can naturally represent the situation shown in Figures 1 and 2, where multiple business-related data (processing targets) exist simultaneously within the business system (and business model), and multiple objects (work targets) exist simultaneously within the plant system (and plant model). Therefore, the damage prediction system 100 can easily implement model-based simulations and is expected to obtain highly accurate simulation results.

[0034] Figure 11 shows the business model state information 312 and the business time series data 443. Note that Figure 11 directly shows the business model state information 312. The business time series data 443 can be realized by individually maintaining information similar to that shown in Figure 11 for each time (and attack scenario pair) in which the business model state information is recorded. For example, to realize 60 minutes of business time series data 443 at one-minute intervals, one set of information equivalent to Figure 11 would need to be recorded every minute, for a total of 60 sets (61 sets if the initial state is included). The business model state information 312 in Figure 11 includes business time information 1101 (abbreviated as "business time 1101" in Figure 11), processing target state information 1102, and device state information 1103 (and attack scenario ID (scenario ID)). The business time information 1101 indicates the time information on the business model corresponding to the processing target state information 1102 and device state information 1103. The processing target status information 1102 includes, for each processing target, the name of the business model in which the processing target is included, the name of the processing target, business location information, and business damage information. The business location information for a processing target indicates the location of the processing target within the business model. For example, the business location information for a processing target indicates which device (e.g., general IT terminal, server, or controller) within the business model the processing target is located on. The business damage information for a processing target indicates whether the data related to the business corresponding to the processing target has been damaged by a cyberattack. For example, the business damage information indicates either a "true integrity" state or a "false integrity" state. The device status information 1103 may include, for each device included in each business model, the business model name, device name (here, not just the type of device, but a device name that can identify the individual device), device status, and scheduled recovery time. The device status indicates whether or not the device has been damaged by a cyberattack, etc. For example, the device status is either "normal" or "abnormal". Alternatively, there may be other states as the device status besides "normal" and "abnormal". The scheduled recovery time for a device indicates the time when the device is expected to recover (for example, the time when it is expected to return to "normal") when the device is in a state where it has been damaged by a cyberattack, etc. (for example, "abnormal"). For example, in the table shown in Figure 6, the recovery time corresponding to the type of device may be referenced, and the time after the recovery time from the time when the device began to be damaged by a cyberattack, etc. may be used as the scheduled recovery time for the device in Figure 11.

[0035] Figure 12 shows the plant model state information 317 and the plant time series data 444. Figure 12 directly shows the plant model state information 317. The plant time series data 444 can be realized by individually maintaining information similar to the information shown in Figure 12 for each time (and attack scenario pair) in which the plant model state information is recorded. For example, in order to realize 60 minutes of plant time series data 444 at one-minute intervals, one set of information equivalent to Figure 12 should be recorded every minute, for a total of 60 sets (61 sets if the initial state is included) to be recorded. The plant model state information 317 in Figure 12 includes plant time information 1201 (abbreviated as "plant time 1201" in Figure 12), target state information 1202, and work state information 1203 (and attack scenario ID (scenario ID)). The plant time information 1201 indicates the time information on the plant model corresponding to the target state information 1202 and work state information 1203. The work target status information 1202 may include, for each work target, the name of the plant model containing the work target, the name of the work target, plant location information, and plant damage information. The plant location information for a work target indicates the location of the work target within the plant model. For example, the plant location information for a work target indicates between which operations (before the first operation, or after the last operation) the work target is located within the plant model. The plant damage information for a work target indicates whether the objects produced or generated in connection with the work target have been damaged by a cyberattack. For example, the plant damage information indicates either a "true integrity state" or a "false integrity state". The work status information 1203 includes the plant model name, work name, and work status for each work (or robot, etc., that performs it) included in each plant model. The work status for a work indicates whether or not the work (or robot, etc., that performs it) has been damaged by a cyberattack or the like. For example, the work status is either "normal" or "abnormal". Alternatively, there may be other states as work status besides "normal" and "abnormal". The work status information 1203 may also include information indicating the cause of the abnormal state of the work. For example, if work A2 (or the robot, etc., that performs it) in plant model A shown in Figures 1 and 2 is in an abnormal state, the work status information 1203 may record that the integrity of the business-related data (or the corresponding processing target) transmitted and received from server Y1 to controller Y2 is false because server Y1 of business model Y is in an abnormal state due to a cyberattack, and as a result, controller Y2 is abnormally controlling work A2 (or the robot, etc.).

[0036] Returning to the explanation of Figure 5, in step 503 of Figure 5, the update unit sets one of the one or more attack scenarios selected in step 502 as the target of the simulation. Before starting the simulation based on the set attack scenario, the update unit initializes the business model state information 312 and the plant model state information 317. As part of this initialization, the update unit may, for example, define the arrangement of processing targets in the business model (business location information) and the arrangement of work targets in the plant model (plant location information) at the attack occurrence time (event occurrence time) set in step 502, set the business damage information for all processing targets to "completeness true state", set the plant damage information for all work targets to "completeness true state", and set all devices in the business model to "normal state". If there are multiple business models or plant models to be analyzed for damage prediction, the process in step 503 is performed for each respective business model and plant model. The same applies to steps 504, 505, and 506.

[0037] In steps 504 and 505 (update steps) of Figure 5, the update unit updates the business model status information 312 and plant model status information 317 in chronological order based on information about one attack scenario selected in step 502 and set in step 503, information about the business model 311 (including the business model status information 312 before the update), and information about the plant model 316 (including the plant model status information 317 before the update) (and inter-model control relationship information 448). For example, each time steps 504 and 505 are executed, the update unit may advance the business time information 1101 and plant time information 1201 by a predetermined time interval (e.g., 1 minute) and update the business model status information 312 and plant model status information 317 so that they correspond to the various status information of the time indicated by the advanced business time information 1101 and plant time information 1201. Although Figure 5 shows step 505 following step 504, the update unit may execute each step in this order, in the reverse order, or simultaneously. When the update unit updates the business model state information 312 to correspond to the updated business time information 1101, it may add to the business time series data 443 a set of information similar to that contained in the business model state information 312 corresponding to the updated business time information 1101. Similarly, when the update unit updates the plant model state information 317 to correspond to the updated plant time information 1201, it may add to the plant time series data 444 a set of information similar to that contained in the plant model state information 317 corresponding to the updated plant time information 1201. In other words, the business model state information 312 and the plant model state information 317 hold various state information for a single time (the most advanced time in the simulation process at that point), while the business time series data 443 and the plant time series data 444 hold various state information for each of the time units included in the time group handled up to that point in the simulation process.

[0038] By updating various status information at predetermined time intervals in each model, the damage prediction system 100 becomes easier to implement simulations that update various status information in a time-series manner, and it also becomes easier to grasp the values ​​of various status information for each time value.

[0039] 3-1-4. Production volume calculation process among simulation processes using the model In step 506 (calculation step) of Figure 5, the calculation unit calculates the damage to the business system or plant system caused by a cyberattack represented by one attack scenario selected in step 502 and set in step 503, based on the business model state information 312 or the plant model state information 317. The calculation unit can also use business time-series data 443 instead of business model state information 312, and plant time-series data 444 instead of plant model state information 317. In the example in Figure 5, the calculation unit calculates the normal object production volume and the abnormal object production volume based on the plant model state information 317 (or plant time-series data 444). The normal object production volume and abnormal object production volume in a given plant model represent the total amount of objects corresponding to the work target group for which the last work was completed in that plant model, specifically the work target group for which the plant damage information at the time the last work was completed is "integrity is true" and the work target group for which the plant damage information at the time the last work was completed is "integrity is false". For example, the calculation unit may, in the work target status information 1202 within the plant model status information 317 (or plant time series data 444), count the number of work targets whose plant damage information is in the "completeness true state" for a group of work targets whose plant position information indicates that the last work in the plant model has been completed, and use this as the normal object production quantity, and count the number of work targets whose plant damage information is in the "completeness false state" for this group of work targets, and use this as the abnormal object production quantity. Alternatively, if the quantity of objects is set for each work target, the calculation unit may calculate the sum of the quantities of those objects in the "completeness true state" and "completeness false state" and use these as the normal object production quantity and the abnormal object production quantity, respectively. The calculation unit appends the updated plant time information 1201 from step 505, along with the normal object production volume and abnormal object production volume calculated in step 506, to the production volume time series data 445. Figure 13 shows production time series data 445 for one attack scenario. The table in Figure 13 records the production volume object production volume and abnormal object production volume for each combination of plant time information 1201 and plant model name. The table in Figure 13 may include information on the attack scenario ID (scenario ID). The damage prediction system 100 may have the table in Figure 13 for each attack scenario as production time series data.

[0040] The damage prediction system 100 calculates normal object production volume or abnormal object production volume based on plant model state information 317 (or plant time series data 444), thereby reducing the arbitrariness of prediction results in simulations of damage prediction due to cyberattacks and improving the accuracy of prediction results.

[0041] When a series of processes shown in steps 504, 505, and 506 of Figure 5 are performed corresponding to one value of the plant time information 1201 (business time information 1101), in step 507, the update unit determines whether the value of the plant time information 1201 (business time information 1101) in the simulation has reached the end time for the attack scenario set up at that time. If the end time has not been reached, the update unit transitions control to step 504 (and step 505) to continue the simulation for the next value of the plant time information 1201 (business time information 1101). If the end time has been reached, the simulation for the attack scenario set up at that time is complete, and the update unit transitions control to step 508. In step 508 of Figure 5, the update unit determines whether the damage prediction simulation has been completed for all attack scenarios selected in step 502. If there are any attack scenarios for which the damage prediction simulation has not been performed, in step 509, the update unit sets one of the remaining attack scenarios as the target for damage prediction simulation and then transitions control to step 503. If the damage prediction simulation has been completed for all attack scenarios selected in step 502, the update unit transitions control to the display or output step indicated in step 510, 511, or 512. The number of steps to be executed from among steps 510, 511, or 512 may be determined as appropriate.

[0042] 3-1-5. Display or output of operational time-series data (plant time-series data) In step 510 of Figure 5, the display control unit may control the display or output, based on the business time-series data 443, the information indicated by the business time-series data 443 for each combination of attack scenario and business model, in a time-series manner. The information to be displayed or output may be information indicating whether the data related to each business to be processed has been damaged by a cyberattack, that is, business damage information (for example, information on integrity). Alternatively, in step 510 of Figure 5, the display control unit may control the display or output, based on the plant time-series data 444, the information indicated by the plant time-series data 444 in a time-series manner for each combination of attack scenario and plant model. The information to be displayed or output may be information indicating whether or not the objects produced or generated in connection with each work target have been damaged by a cyberattack, i.e., plant damage information (for example, information regarding integrity). The following shows an example of how to display the business time series data 443, but the plant time series data 444 can be handled in the same way as shown below. Figure 14 shows an example of displaying business time-series data. In Figure 14, the user of the damage prediction system 100 first selects an attack scenario using the scenario selection pull-down menu 1401 on the screen, and then selects a business model using the business model selection pull-down menu 1402. The display control unit may use the business time-series data 443 to control the system to display information on the integrity of the business damage information corresponding to the most recently received processing target (business token, business-related data) in the time series of the business time information 1101, on the screen shown in Figure 14. Alternatively, the display control unit may control the system to output something equivalent to the content of Figure 14. The example in Figure 14 shows the following situation: (1) When the value of business time information 1101 is t1, a device that is not at the end of the processing order in the business model is subjected to a cyberattack. From time t1 onwards (up to time t3), the business damage information of the target of processing via that device becomes information with "false integrity". (2) When the value of the business time information 1101 is t2, the processing target with a "false completeness state" is first transmitted to the last device in the processing sequence in the business model. Reflecting this, the completeness display in Figure 14 becomes "false". (3) When the value of the business time information 1101 is t3, the device that was subjected to the cyberattack is restored. From time t3 onward, the business damage information of the target of processing via the device becomes "completeness true" information. (4) When the value of the business time information 1101 is t4, the processing target with "integrity in a true state" is transmitted to the last device in the processing order in the business model only after the cyberattacked device has recovered. Reflecting this, the integrity display in Figure 14 returns to "true".

[0043] The damage prediction system 100 generates business time-series data 4443 or plant time-series data 444 through damage prediction simulations, and can display or output information in a time-series format whether or not damage has been caused by a cyberattack based on this time-series data. Therefore, users of the damage prediction system 100 can easily grasp the changes over time in the state of the business model or plant model (for example, the state related to integrity).

[0044] 3-1-6. Display or output of production volume time series data In step 511 of Figure 5, the display control unit controls the system to display or output production time series data 445 for each combination of attack scenario and plant model. For example, the display control unit may control the system to display or output normal object production and abnormal object production in a time series manner. Alternatively, only one of the normal object production or abnormal object production may be displayed or output. Figure 15 shows a first example of displaying production volume time series data. In Figure 15, the user of the damage prediction system 100 first selects an attack scenario using the scenario selection pull-down menu 1501 and a plant model using the plant model selection pull-down menu 1502 on the screen. The display control unit may use the production volume time series data 445 to control the screen of the first example of display shown in Figure 15 to display the normal object production volume and abnormal object production volume observed at the position (place) after the last operation in the work sequence in the plant model controlled by the business system that is subjected to the cyberattack indicated by the attack scenario, on the time series of the plant time information 1201. Alternatively, the display control unit may control the output to be the same as the content in Figure 15. In the example in Figure 15, the normal object production volume is represented using a solid line graph, and the abnormal object production volume is displayed using a dashed line graph. The example shown in Figure 15 illustrates the normal and abnormal object production volumes in a plant model controlled by a business model, assuming that the business model has been subjected to a cyberattack, as shown in the example in Figure 14. More specifically, the example in Figure 15 assumes a case where a device at the end of the processing sequence in the business model controls a task (such as a robot) that is not at the end of the work sequence in the plant model. This assumption corresponds, for example, to the case in Figure 2 where controller Y2 of business model Y controls task A2 of plant model A. Furthermore, in the plant model, it is assumed that Δt is the time lag between the point in time when a task (such as a robot) that directly receives control from the business model enters an abnormal state (or returns to a normal state) and the point in time when the target of that task, which was started after that point, reaches a position (place) after the last task in the work sequence in the plant model. (Note that in the example in Figure 15, for simplicity, the time lag between a change in the state of a device in the business model and a change in the state of a task (such as a robot performing a task) in the plant model that receives direct control from that device is treated as zero. However, in the example in Figure 15, for simplicity, it is assumed that the state of a task does not change during the course of a single task on a single work target.) Here, Δt is assumed to be the time lag from the point when task A2 of plant model A, which receives direct control from business model Y in Figure 2, enters an abnormal state (or returns to a normal state) until the work target, for which task A2 was started, reaches the position (place) after task A4. Note that a wide range of examples of such business models and plant models can be assumed, such as manufacturing plants, power plants, water treatment plants, and chemical plants. Assuming the above time lag Δt, the examples of business model Y and plant model A in Figures 1 and 2, the example in Figure 14, and the setting that business time information 1101 and plant time information 1201 have the same value, Figure 15 shows the following situation. (2') At time t2, controller Y2 receives the first object to be processed that is in a "false completeness state," causing the robot or other device performing task A2 controlled by controller Y2 to enter an abnormal state. The first object to be processed that starts task A2 after time t2 (the object in a "false completeness state") reaches the position (place) after task A4 at time t2+Δt. (4') At time t4, controller Y2 receives the first object to be processed whose "completeness is true" state, and the robot or other device performing task A2 controlled by controller Y2 returns to a normal state. The first object to be processed (an object whose "completeness is true" state) whose task A2 started after time t4 reaches the position (place) after task A4 at time t4+Δt.

[0045] The damage prediction system 100 displays or outputs the normal object production volume and the abnormal object production volume in a time-series manner, making it easy for users of the damage prediction system 100 to grasp the changes over time and the total amount of damage caused by cyberattacks.

[0046] Figure 16 shows a second example of displaying production volume time series data. In the example shown in Figure 16, the relationship between the control of the business model and the plant model, and the assumption of the time lag Δt, are the same as in the example shown in Figure 15. However, in the example shown in Figure 16, lots are set for the objects produced or generated in the plant model. Lot setting here refers to setting a lot for each certain quantity of objects, and all objects in a lot are treated as normal objects only when all objects in that lot are normal (or when no abnormal objects are found in that lot), and all objects in a lot are treated as abnormal objects if abnormal objects exist in (or are found in) that lot. Such lot setting can be done, for example, in the production of various products in manufacturing industries or in the production of chemical products in chemical plants. In the example shown in Figure 16, the production volume shown from the position of zero to the position of 1603 on the vertical axis, and the production volume shown from the position of 1603 to the position of 1604, represent the production volume of objects included in one lot. Under the lot settings and time lag Δt described above, the example of business model Y and plant model A already shown, and the example in Figure 14, shows the following situation in the example in Figure 16. (2'') The first work object (a work object in a "false state of completeness") for which work A2 started at time t2 or later reaches the position (place) after work A4 at time t2+Δt. Based on this, all objects in the lot containing the object corresponding to that work object, which is the lot from position 1603 to position 1604 at time t2+Δt in Figure 16, are treated as abnormal objects. To illustrate this treatment, in Figure 16, at time t2+Δt, the normal object production quantity is temporarily reduced to position 1603. The abnormal object production quantity is then increased by the same amount as this reduction. (4'') The first work object (a work object in the "completeness true state") for which work A2 started at time t4 or later reaches the position (place) after work A4 at time t4+Δt. In this case, the amount of objects corresponding to that work object is not necessarily added directly to the normal object production volume. This is because the lot containing the objects corresponding to that work object may contain abnormal objects corresponding to work objects that previously reached the position (place) after work A4. For example, the normal object production volume will gradually increase again once work objects in the "completeness true state" corresponding to normal objects in a new lot begin to reach the position (place) after work A4.

[0047] Since the damage prediction system 100 can set lots for objects produced or generated by the plant system (and plant model), it is suitable for simulating damage prediction from cyberattacks against plant systems (and plant models) that are suitable for determining the normality and abnormality of objects at the lot granularity.

[0048] Figure 17 shows a third example of the time-series display of production volume data. Unlike the examples shown in Figures 15 and 16, in the example shown in Figure 17, the display control unit controls the system to display or output a list of normal object production volumes and abnormal object production volumes for each plant model at the time when the simulation of the cyberattack shown in the attack scenario is completed. In Figure 17, first, a user of the damage prediction system 100 selects an attack scenario using the scenario selection pull-down menu 1701 on the screen. The display control unit reads the record corresponding to the plant time information 1201 at the time the simulation of the cyberattack indicated by the attack scenario is completed from the production volume time series data 445 table, and controls the system to display or output a list of normal object production volume and abnormal object production volume for each plant model. In the example shown in Figure 17, the normal object production volume and abnormal object production volume are represented by a bar graph.

[0049] 3-1-7. Display or output of the amount of damage. In step 512 of Figure 5, the calculation unit may convert the production volume of abnormal objects into the damage amount of abnormal objects using the production volume time series data 445 and the information 446 from the damage amount conversion table. The display control unit may be controlled to display or output the damage amount of abnormal objects. Figure 18 shows information 446 from the damage cost conversion table. The damage cost conversion table contains information on the damage cost per unit quantity of abnormal objects produced or generated in each plant model. Figure 19 shows a first example of the display of damage amounts. In Figure 19, first, the user of the damage prediction system 100 selects an attack scenario using the scenario selection pull-down menu 1901 on the screen. The calculation unit reads the record corresponding to the plant time information 1201 at the time the simulation of the cyberattack indicated by the selected attack scenario is completed from the production volume time series data 445, and converts the abnormal object production volume into abnormal object damage amounts for each plant model. The display control unit controls the system to display or output a list of abnormal object damage amounts for each plant model. In the example in Figure 19, the abnormal object damage amounts are represented by a bar graph. Figure 20 shows a second example of how damage amounts are displayed. In the example in Figure 20, the calculation unit reads records from the production volume time series data 445 that correspond to the plant time information 1201 at the time the simulation of the cyberattack shown in each attack scenario is completed, and converts the abnormal object production volume into abnormal object damage amounts for each combination of attack scenario and plant model. For each attack scenario, the calculation unit calculates the sum of abnormal object damage amounts for the plant models that were the target of the damage prediction due to the cyberattack shown in that attack scenario. The display control unit controls the display to show or output a list of the sum of abnormal object damage amounts for each attack scenario. In the example in Figure 20, the sum of abnormal object damage amounts for each attack scenario is represented by a bar graph.

[0050] The damage prediction system 100 displays or outputs the damage caused by cyberattacks in monetary terms, making it easier for users of the damage prediction system 100 to understand the economic impact of cyberattacks.

[0051] 3-2. Processing of the second embodiment of this disclosure The processing of a second embodiment of this disclosure will now be described. In the second embodiment, information 447 regarding key performance indicators is set when performing damage prediction simulations, and attack scenarios of note (e.g., high-risk attack scenarios) are identified based on the simulation results for each attack scenario and the information 447 regarding key performance indicators. Furthermore, the second embodiment displays or outputs the simulation results in a recognizable manner for the identified attack scenarios. Figure 21 shows a flowchart 2100 of the process in the second embodiment. Each step shown in flowchart 2100 may constitute a damage prediction method. In Figure 21, steps or information similar to those in flowchart 500 of the process in the first embodiment shown in Figure 5 are given the same reference numerals as in Figure 5, and their explanations are generally omitted.

[0052] 3-2-1. Designation process for key performance indicators (e.g., damage amount or target production volume) In step 502 of Figure 21 and in Figure 8, the attack setting unit selects an attack scenario for damage prediction and specifies the time of the cyberattack (event occurrence time). Then, in step 2101, the threshold setting unit controls the system to accept inputs related to key performance indicators 447 (for example, inputs indicating target production volume or inputs indicating acceptable damage amount). Figure 22 shows a screen for specifying the amount of damage or the target production volume. In the example in Figure 22, the threshold setting unit controls the display of a table on the screen, with a row for each plant model subject to damage prediction. Each row in the table may include a plant specification checkbox 2202, a plant model name, a production volume input field 2203, and an individual amount input field 2204. The threshold setting unit also controls the display of a total amount input field 2201 and an execution icon 2205 on the screen. In the screen shown in Figure 22, the user of the damage prediction system 100 makes inputs to set information 447 related to key performance indicators. The information 447 related to key performance indicators may, for example, serve as criteria for identifying noteworthy attack scenarios (e.g., high-risk attack scenarios) among one or more attack scenarios for which damage prediction is performed. In the example shown in Figure 22, one of the following three methods may be used to set the information 447 regarding key performance indicators. Alternatively, several methods may be used in combination. Alternatively, key performance indicators may be set using other methods. (1) Users of the damage prediction system 100 enter the allowable total damage amount in the total amount input field 2201 and click the execute icon 2205. The allowable total damage amount is the upper limit of the allowable sum of the damage amounts to abnormal objects in all plant models subject to damage prediction due to a cyberattack shown in one attack scenario. (2) Users of the damage prediction system 100 check the plant designation checkbox 2202 for the plant model for which they want to set the allowable individual damage amount, and enter the allowable individual damage amount in the individual amount input field 2204. After that, the user clicks the execute icon 2205. The allowable individual damage amount is the upper limit of the amount of damage to abnormal objects in a specific plant model that is the target of damage prediction, as a result of a cyberattack shown in one attack scenario. (3) Users of the damage prediction system 100 check the plant designation checkbox 2202 corresponding to the plant model for which individual target production quantities are set, and enter the acceptable target production quantity in the production quantity input field 2203. After that, the user clicks the execute icon 2205. The individual target production quantity is the lower limit of the acceptable normal object production quantity for a specific plant model that is the target of damage prediction due to a cyberattack shown in one attack scenario.

[0053] 3-2-2. Identifying dangerous attack scenarios The damage prediction system 100 receives inputs regarding key performance indicators 447 (for example, inputs indicating target production volume or inputs indicating acceptable damage amount) in steps 2101 of Figure 21 and Figure 22, and after executing the simulations shown in steps 503 to 509, it performs step 2102 of Figure 21. In step 2102, the identification unit may identify a noteworthy attack scenario (for example, a high-risk attack scenario) from among one or more attack scenarios for which damage prediction is performed, based on the information regarding key performance indicators 447 and the damage prediction results for each attack scenario. If information 447 regarding key performance indicators is set as shown in the example in Figure 22, the specific unit may identify noteworthy attack scenarios (for example, high-risk attack scenarios) for each of the cases (1), (2), and (3) shown in the explanation of Figure 22 using the following methods. Alternatively, several methods may be used in combination. Alternatively, other methods may be used. (1) If, for a given attack scenario, the sum of the damage amounts of abnormal objects in all plant models for which damage predictions have been made exceeds (or is equal to or equal to) the allowable total damage amount, the identification unit may identify that attack scenario as a noteworthy attack scenario (a high-risk attack scenario). (2) If, with respect to a certain attack scenario, the amount of damage from abnormal objects in any one of the plant models exceeds (or is equal to or equal to) the permissible individual damage amount for that plant model, the identification unit may identify that attack scenario as a noteworthy attack scenario (a high-risk attack scenario). (3) If, with respect to a certain attack scenario, the normal object production volume in any one of the plant models is below (or less than or equal to) the individual target production volume for that plant model, the Identifier may identify that attack scenario as a noteworthy attack scenario (a high-risk attack scenario).

[0054] 3-2-3. Display or Output of Dangerous Attack Scenarios In step 2103 of Figure 21, the display control unit controls the system to display or output the simulation results to the user of the damage prediction system 100 in a manner that allows recognition of the notable attack scenarios (e.g., high-risk attack scenarios) identified in step 2102. Figure 23 shows an example of a dangerous attack scenario. The example shown in Figure 23 follows case (1) in the explanation of Figures 21 and 22 (a case where the allowable total damage amount is set). In the example shown in Figure 23, the display control unit may be controlled to display or output a table having a row for each attack scenario for which damage prediction was performed. Each row in the table contains information on the dangerous scenario display 2301, the attack scenario ID, the target of the attack, the attack path, and the total damage amount. Of these, the attack scenario ID, the target of the attack, and the attack path may be information on the attack scenario for which damage prediction simulation was performed, from the information contained in the attack scenario information 442 in Figure 7. The total damage amount shows the sum of the damage amounts of abnormal objects in all plant models for which damage prediction was performed for the attack scenario corresponding to that row. The dangerous scenario display 2301 indicates whether the identification unit has identified the attack scenario corresponding to that row as a noteworthy attack scenario (a high-risk attack scenario). In the example in Figure 23, a star is displayed if such identification has been made. Instead of displaying a star, the row related to the attack scenario identified by the identification unit may be highlighted. In the example shown in Figure 23, when a user of the damage prediction system 100 clicks the sort icon 2302, the display control unit may control the display to sort and display the rows of the table in descending or ascending order of total damage amount.

[0055] The damage prediction system 100 accepts inputs related to key performance indicators (for example, inputs indicating target production volume or inputs indicating acceptable damage amounts), performs simulations to predict the damage from cyberattacks, and identifies attack scenarios that meet predetermined conditions using the key performance indicators (target production volume, acceptable damage amounts) and the simulation results for each attack scenario. The damage prediction system 100 displays or outputs the simulation results of the identified attack scenarios in a recognizable manner. Therefore, users of the damage prediction system 100 can easily grasp the attack scenarios that deserve attention (for example, attack scenarios with a high degree of risk). Users of the damage prediction system 100 can also take measures to counter cyberattacks on business systems and plant systems, for example, by prioritizing attacks against high-risk attack scenarios.

[0056] 4. Variations This disclosure is not limited to the embodiments described above and includes various modifications. The above is a detailed explanation to facilitate understanding of this disclosure, and this disclosure is not necessarily limited to having all the configurations and processes described. Furthermore, some of the configurations and processes of the embodiments can be replaced with configurations and processes of other conceivable embodiments. In addition, configurations and processes of other conceivable embodiments can be added to the configurations and processes of the embodiments. For example, the following variations are possible.

[0057] (A) Probability setting to change "completeness to false state" (1. Related) In the above embodiment, the damage prediction system 100 treated the business damage information handled by a certain device, as well as the plant damage information handled by a robot or other work unit controlled by the device, as "false completeness" information while the device was in an abnormal state. However, the damage prediction system 100 may adjust the probability of a "false integrity state" depending on the severity of the cyberattack. For example, depending on the type of cyberattack, the damage prediction system 100 may set the probability that the business damage information of the processed targets handled by a certain device while it is in an abnormal state will be in a "false integrity state" within a range greater than 0% and less than 100%, and while the device is in an abnormal state, the probability that the plant damage information of the target targets handled by the work (such as a robot performing the work) controlled by the device will be in a "false integrity state" within a range greater than 0% and less than 100%. This modified version allows for damage prediction that also takes into account the severity of the cyberattack.

[0058] (B) Attack occurrence time (event occurrence time) and attack scenario (3-1-2. related) In the above embodiment, the time entered in the time input field 802 on the attack scenario selection screen in Figure 8 was the time when the cyberattack was initiated against the first device in the attack path. Alternatively, the time entered in the time input field 802 may be the time when the cyberattack on the target of the attack scenario (for example, server χ in attack scenario ID 1 of Figure 8) begins, or the time when damage from the cyberattack occurs on the target. In this case, the attack scenario may include only the target and not the attack path. This modified version allows for damage prediction simulations that pinpoint the time at which a cyberattack is carried out against the target (the last device in the attack path) in an attack scenario.

[0059] (C) Model representation methods (3-1-3. Related) In the examples shown in Figures 9 and 10 above, a Petri net representation was used. However, the damage prediction system 100 may use other representation formats as long as the model can be represented. For example, the damage prediction system 100 may use a finite state machine (finite automaton) method to represent the business model or the plant model. Alternatively, the damage prediction system 100 may use different representation formats for the business model and the plant model. This modified version can use model representation formats that are not limited to Petri net representations, and therefore can handle various types of business systems and plant systems as targets for damage prediction simulations.

[0060] (D) Display or output of time-series data for operations (plants) (Related to 3-1-5.) In the example shown in Figure 14 above, the display control unit controls the device to display or output information regarding the integrity of the business damage information corresponding to the processing target (business token, business-related data) observed at the last device in the processing sequence of the business model. However, the objects that the display control unit of the damage prediction system 100 controls to display or output are not limited to these. For example, the display control unit may be controlled to display or output information regarding the integrity of business damage information corresponding to a processing target (business token, business-related data) observed in a device other than the last in the processing order in the business model. Alternatively, the display control unit may be controlled to display or output the device status corresponding to the device in the business model, which is recorded in the device status information 1103. The display control unit may perform the same actions as described above for the plant time-series data 444. For example, the display control unit may control the display or output information regarding the integrity indicated by the plant damage information corresponding to the work target (plant token, object) observed at a position (place) after the last work in the work sequence in the plant model. Alternatively, the display control unit may control the display or output information regarding the integrity indicated by the plant damage information corresponding to the work target (plant token, object) observed at a position (place) after a work other than the last in the work sequence in the plant model. Furthermore, the display control unit may control the display or output the work status corresponding to the work (robot, etc., performing the work) in the plant model, which is recorded in the work status information 1203. This modification allows for the display or output of operational time-series data or plant time-series data, focusing on various perspectives.

[0061] (E) Display or output of production volume time series data (Related to 3-1-6.) In the example shown in Figure 17 above, the display control unit is configured to display or output a list of normal object production and abnormal object production (for each plant model) at the point when the simulation of the cyberattack shown in the attack scenario is completed. However, it is not limited to this. For example, the display control unit may be controlled to display or output a list of normal object production quantities and abnormal object production quantities (for each plant model) corresponding to any value of the plant time information 1201. This modified version clearly presents the changes over time in normal and abnormal object production for each plant model to users of the damage prediction system 100.

[0062] (F) Calculation of the amount of damage (Related to 3-1-7.) In the example shown in Figure 18 above, the amount of damage per unit quantity of abnormal objects was set for each plant model. However, this is not the only possible variation. For example, the following variations are possible: (1) When similar types of objects are produced or generated in different plant models, the damage cost conversion table may retain information on the amount of damage per unit quantity of abnormal objects for each type of object. (2) The damage cost conversion table may be a correspondence table between the amount of abnormal objects produced and the amount of damage caused by abnormal objects. (3) The damage prediction system 100 may calculate the amount of damage without using a damage amount conversion table by having information of a calculation formula for converting the amount of abnormal object production to the amount of damage caused by abnormal objects within the program code of the calculation unit program 433. Such modifications allow for the use of a damage calculation method suitable for the relationship between the amount of abnormal objects produced and the amount of damage caused by those abnormal objects.

[0063] (G) Display or output of the amount of damage (3-1-7. related) In the example shown in Figure 19 above, the calculation unit and display control unit calculate the amount of damage to abnormal objects at the time the simulation of the cyberattack indicated by the attack scenario is completed, and control the unit to display or output a list of the amount of damage to abnormal objects (for each plant model). However, it is not limited to this. The calculation unit and display control unit may, for example, calculate the amount of damage to abnormal objects corresponding to any value in the plant time information 1201 and control the unit to display or output a list of the amount of damage to abnormal objects (for each plant model). This modified version clearly presents to users of the damage prediction system 100 the changes in the amount of damage caused by abnormal objects over time for each plant model.

[0064] (H) Display or output of dangerous attack scenarios (3-2-3. Related) In the example shown in Figure 23 above, the output control unit controls the display of the dangerous scenario 2301 (or highlighting) for information regarding attack scenarios identified as noteworthy attack scenarios (high-risk attack scenarios). Alternatively, the display control unit may be controlled to display or output only information about attack scenarios identified as noteworthy attack scenarios (high-risk attack scenarios). In other words, the display control unit may be controlled not to display or output information about other attack scenarios (for example, low-risk attack scenarios). This modified version effectively shows users of the damage prediction system 100 noteworthy attack scenarios (high-risk attack scenarios) when the display or output in the manner shown in Figure 23 becomes cumbersome due to a large number of attack scenarios for which damage predictions have been made.

[0065] (I) Plant System (Plant Model) The objects produced or generated by the plant system in this disclosure may be not only tangible materials but also software. The work in the plant system or plant model may be not only material work but also software processing. This modification can broaden the scope of application of the damage prediction system 100.

[0066] 5. Others The technical matters shown in each of the embodiments and modifications of the embodiments described above can be combined as appropriate, as long as no technical inconsistencies arise.

Claims

1. It is a damage prediction system, The damage prediction system predicts damage caused by cyberattacks against one or more business systems and one or more plant systems based on a business model corresponding to the business system and a plant model corresponding to the plant system. Each of the aforementioned plant systems is controlled by one or more of the aforementioned business systems, The damage prediction system comprises a storage unit, an update unit, and a calculation unit. The memory unit stores information about the business model, including business model state information, and information about the plant model, including plant model state information. The aforementioned business model status information includes, for each processing target, business location information indicating the location of the processing target within the business model, and business damage information indicating whether or not the data related to the business corresponding to the processing target has been damaged by the cyberattack. The aforementioned plant model status information includes, for each work object, plant location information indicating the location of the work object within the plant model, and plant damage information indicating whether or not the objects produced in conjunction with the work object have been damaged by the cyberattack. The update unit updates the business model status information and the plant model status information in chronological order based on information regarding the cyber attack scenario, information regarding the business model, and information regarding the plant model. The damage prediction system comprises a calculation unit that calculates the damage to the business system or the plant system caused by the cyberattack based on the business model status information or the plant model status information.

2. A damage prediction system according to claim 1, The information relating to the aforementioned business model represents the order of processing to be performed on the processing target and includes processing order information indicating the data transmission path related to the business, The information relating to the plant model includes work sequence information representing the sequence of operations to be performed on the work object, The business location information for each processing target indicates the location of that processing target within the business model represented by the processing sequence information. A damage prediction system in which the plant location information for each work target indicates the location of the work target within the plant model represented by the work sequence information.

3. A damage prediction system according to claim 1, The update unit updates the business model status information and the plant model status information in chronological order, and performs such updates at predetermined time intervals in the business model and the plant model, in this damage prediction system.

4. A damage prediction system according to claim 1, The update unit stores the business location information and business damage information for each processing target in the storage unit as business time-series data. The damage prediction system includes a display control unit, The display control unit controls the system to display or output, in a time-series manner, whether the data relating to the business corresponding to each of the processing targets has been damaged by the cyberattack, based on the business time-series data of the attack scenario and the business model.

5. A damage prediction system according to claim 1, The update unit stores the plant location information and plant damage information for each work target in the storage unit as plant time-series data. The damage prediction system includes a display control unit, The display control unit controls the system to display or output, in a time-series manner, whether the objects produced in conjunction with each of the work targets have been damaged by the cyberattack, based on the plant time-series data, for each combination of the attack scenario and the plant model.

6. A damage prediction system according to claim 1, The memory unit stores information relating to the system model corresponding to the business system, The information relating to the aforementioned system model includes at least one of the following: hardware information, software information, vulnerability information, physical configuration information, logical configuration information, or information relating to the time required to recover from a cyberattack. The damage prediction system includes a generation unit, The generation unit generates a list of attack scenarios based on the information regarding the system model and stores the information regarding the attack scenarios in the storage unit. A damage prediction system in which each of the aforementioned attack scenarios includes a target device within the business system and an attack path to reach the target device.

7. A damage prediction system according to claim 1, The aforementioned damage prediction system includes an attack setting unit, The damage prediction system is configured such that the attack setting unit is controlled to accept an input for selecting an attack scenario from a list of attack scenarios to predict damage from, and an input for setting the assumed time of attack occurrence when performing damage prediction.

8. A damage prediction system according to claim 1, The information regarding the aforementioned business model and the information regarding the aforementioned plant model are based on models represented by Petri nets. The aforementioned Petri net has two types of nodes, places and transitions, connected by directed arcs, and the firing of the transitions causes tokens to move between the places, thereby representing the state transitions of the model. The aforementioned business location information indicates the location of the business token, which is the token, when the business model is represented by the Petri net. The aforementioned plant location information indicates the position of the plant token, which is the token, when the plant model is represented by the Petri net. The aforementioned business token is associated with data related to the aforementioned business and information on damages caused by the aforementioned business. A damage prediction system in which the aforementioned plant token is associated with the aforementioned object and the aforementioned plant damage information.

9. A damage prediction system according to claim 1, The damage prediction system comprises a calculation unit that calculates, based on the plant model status information, either the normal object production volume, which is the production volume of objects that have not been damaged by the cyberattack, or the abnormal object production volume, which is the production volume of objects that have been damaged by the cyberattack.

10. A damage prediction system according to claim 9, The calculation unit stores information on the production volume of normal objects and the production volume of abnormal objects in the storage unit as production volume time series data. The damage prediction system includes a display control unit, The damage prediction system includes a display control unit that controls the display control unit to display or output the normal object production volume or the abnormal object production volume in a time-series manner for each combination of the attack scenario and the plant model, based on the production volume time-series data.

11. A damage prediction system according to claim 9, The information relating to the plant model includes information relating to the setting of lots of the objects to be produced, Damage prediction system, wherein the calculation unit calculates the abnormal object production volume by considering all objects included in the lot to which the object corresponding to the work target belongs, and the work target corresponding to all objects included in the lot, as having been damaged by the cyberattack, when the plant damage information corresponding to a certain work target indicates that it has been damaged by the cyberattack.

12. A damage prediction system according to claim 9, The memory unit stores information for a damage cost conversion table used to convert the amount of abnormal objects produced into the amount of damage caused by the objects that were damaged by the cyberattack. The calculation unit converts the amount of abnormal object production into the amount of damage caused by the abnormal object, using the information in the damage amount conversion table. The damage prediction system includes a display control unit. The aforementioned display control unit controls the display or output of the amount of damage caused by the abnormal object, in a damage prediction system.

13. A damage prediction system according to claim 9, The damage prediction system comprises a threshold setting unit, a specification unit, and a display control unit. The threshold setting unit is for controlling the acceptance of an input indicating the target production volume or an input indicating the acceptable amount of damage. The target production volume is the permissible lower limit of the normal object production volume for each plant model used to predict damage from the cyberattack. The aforementioned permissible damage amount is either the permissible upper limit of the sum of the damage amounts for all the plant models that predict damage from the cyberattack, or the permissible upper limit of the damage amount set for each of the plant models that predict damage from the cyberattack. The identification unit identifies the attack scenario that satisfies predetermined conditions based on the information input by the control of the threshold setting unit and the normal object production amount or abnormal object production amount calculated by the calculation unit. The predetermined conditions are that the normal object production volume of the plant model predicting the damage caused by the cyberattack shown in the attack scenario is less than or equal to the target production volume, or that the calculated damage amount for the plant model predicting the damage caused by the cyberattack shown in the attack scenario is greater than or equal to the allowable damage amount. The damage prediction system includes a display control unit that controls the display or output in a manner that allows recognition of which of the attack scenarios identified by the identification unit is the actual attack scenario.

14. A method for predicting damage performed by a computer, The aforementioned damage prediction method predicts damage caused by cyberattacks against one or more business systems and one or more plant systems based on a business model corresponding to the business system and a plant model corresponding to the plant system. Each of the aforementioned plant systems is controlled by one or more of the aforementioned business systems, The aforementioned damage prediction method comprises an update step and a calculation step, The update step is to update the business model status information included in the business model information and the plant model status information included in the plant model information in chronological order, based on the information regarding the attack scenario of the cyber attack, the information regarding the business model, and the information regarding the plant model. The calculation step is a step of calculating the damage to the business system or the plant system caused by the cyber attack, based on the business model status information or the plant model status information. The aforementioned business model status information includes, for each processing target, business location information indicating the location of the processing target within the business model, and business damage information indicating whether or not the data related to the business corresponding to the processing target has been damaged by the cyberattack. The damage prediction method includes, for each work target, plant location information indicating the location of the work target within the plant model, and plant damage information indicating whether or not the objects produced in conjunction with the work target have been damaged by the cyberattack.

15. It is a damage prediction program, The damage prediction program is executed to predict the damage caused by cyberattacks to one or more business systems and one or more plant systems, based on the business model corresponding to the business systems and the plant model corresponding to the plant systems. Each of the aforementioned plant systems is controlled by one or more of the aforementioned business systems, The aforementioned damage prediction program is designed to cause a computer to perform an update step and a calculation step. The update step is to update the business model status information included in the business model information and the plant model status information included in the plant model information in chronological order, based on the information regarding the attack scenario of the cyber attack, the information regarding the business model, and the information regarding the plant model. The calculation step is a step of calculating the damage to the business system or the plant system caused by the cyber attack, based on the business model status information or the plant model status information. The aforementioned business model status information includes, for each processing target, business location information indicating the location of the processing target within the business model, and business damage information indicating whether or not the data related to the business corresponding to the processing target has been damaged by the cyberattack. The plant model status information includes, for each work target, plant location information indicating the location of the work target within the plant model, and plant damage information indicating whether or not the objects produced in conjunction with the work target have been damaged by the cyberattack, in a damage prediction program.