"How Long is a Piece of String": Defining Key Phases and Observed Challenges within ICS Risk Assessment

The number and severity of cyber security attacks on Industrial Control Systems worldwide have increased in recent years. At the same time, significant effort is going into improving defensive capabilities. While comprehensive reviews of ICS risk assessment methods exist, little detail is currently available on how those methods are actually applied by security practitioners. This paper summarises the approaches adopted by practitioners, outlining the key phases they apply to risk assessment, the extent to which existing predefined methodologies are used, and the challenges faced throughout the overall process.
