论文信息 - Ideal Based Cyber Security Technical Metrics for Control Systems

Ideal Based Cyber Security Technical Metrics for Control Systems

Much of the world's critical infrastructure is at risk from attack through electronic networks connected to control systems. Security metrics are important because they provide the basis for management decisions that affect the protection of the infrastructure. A cyber security technical metric is the security relevant output from an explicit mathematical model that makes use of objective measurements of a technical object. A specific set of technical security metrics are proposed for use by the operators of control systems. Our proposed metrics are based on seven security ideals associated with seven corresponding abstract dimensions of security. We have defined at least one metric for each of the seven ideals. Each metric is a measure of how nearly the associated ideal has been achieved. These seven ideals provide a useful structure for further metrics development. A case study shows how the proposed metrics can be applied to an operational control system.

Miles A. McQueen | Wayne F. Boyer

[1] Peter G. Neumann,et al. Computer-related risks , 1994 .

[2] Marianne Swanson,et al. Security metrics guide for information technology systems , 2003 .

[3] Marianne Swanson,et al. SP 800-14. Generally Accepted Principles and Practices for Securing Information Technology Systems , 1996 .

[4] Matt Bishop,et al. Computer Security: Art and Science , 2002 .

[5] Richard P. Lippmann,et al. An Overview of Issues in Testing Intrusion Detection Systems , 2003 .

[6] S. Radack. The Common Vulnerability Scoring System (CVSS) , 2007 .

[7] Rita C. Summers. Secure Computing: Threats and Safeguards , 1996 .

[8] E. Rapaport. An Overview of Issues , 1982, Circulation.

[9] Miles A. McQueen,et al. Quantitative Cyber Risk Reduction Estimation Methodology for a Small SCADA Control System , 2006, Proceedings of the 39th Annual Hawaii International Conference on System Sciences (HICSS'06).

[10] Joan Hash,et al. Guide for Developing Performance Metrics for Information Security , 2006 .

[11] Xinming Ou,et al. A scalable approach to attack graph generation , 2006, CCS '06.

[12] Miles A. McQueen,et al. Time-to-Compromise Model for Cyber Risk Reduction Estimation , 2006, Quality of Protection.

[13] Marianne M. Swanson,et al. Recommended Security Controls for Federal Information Systems , 2005 .