Securing wastewater facilities from accidental and intentional harm: A cost-benefit analysis

Abstract It has been widely reported that industrial control systems underpinning critical infrastructures ranging from power plants to oil refineries are vulnerable to cyber attacks. A slew of countermeasures have been proposed to secure these systems, but their adoption has been disappointingly slow according to many experts. Operators have been reluctant to spend large sums of money to protect against threats that have only rarely materialized as attacks. But many security countermeasures are dual-use, in that they help protect against service failures caused by hackers and by accidents. In many critical infrastructure sectors, accidents caused by equipment failures and nature occur regularly, and investments for detecting and possibly preventing accidents and attacks could be more easily justified than investments for detecting and preventing attacks alone. This paper presents a cost-benefit analysis for adopting security countermeasures that reduce the incidence of sewer overflows in wastewater facilities. The paper estimates the expected annual losses at wastewater facilities due to large overflows exceeding 10,000 gallons using publicly-available data on overflows, cleanup costs, property damage and regulatory fines. Also, it estimates the costs of adopting security countermeasures in wastewater facilities in eight large U.S. cities. The results of the analysis indicate that, in many cases, even a modest 20% reduction in large overflows can render the adoption of countermeasures cost-effective.

[1]  Vinay M. Igure,et al.  Security issues in SCADA networks , 2006, Comput. Secur..

[2]  G. Stigler The Economics of Information , 1961, Journal of Political Economy.

[3]  Tyler Moore,et al.  Measuring the Cost of Cybercrime , 2012, WEIS.

[4]  Rainer Böhme,et al.  Economic Security Metrics , 2005, Dependability Metrics.

[5]  Ulf Lindqvist,et al.  Using Model-based Intrusion Detection for SCADA Networks , 2006 .

[6]  Andrew K. Wright,et al.  Low-Latency Cryptographic Protection for SCADA Communications , 2004, ACNS.

[7]  John Mueller,et al.  Terrorism Risks and Cost‐Benefit Analysis of Aviation Security , 2013, Risk analysis : an official publication of the Society for Risk Analysis.

[8]  Tyler Moore,et al.  The Economics of Information Security , 2006, Science.

[9]  Francesco Parisi-Presicce,et al.  DNPSec: Distributed Network Protocol Version 3 (DNP3) Security Framework , 2007 .

[10]  Paul Marks Reaching critical point , 2011 .

[11]  임계영,et al.  Distributed Network Protocol Version 3.0을 이용한 필드버스 시스템 구현 , 2004 .

[12]  Manfred Kochen,et al.  On the economics of information , 1972, J. Am. Soc. Inf. Sci..

[13]  Wei Gao,et al.  On SCADA control system command and response injection and intrusion detection , 2010, 2010 eCrime Researchers Summit.

[14]  S. Papa,et al.  A transfer function based intrusion detection system for SCADA systems , 2012, 2012 IEEE Conference on Technologies for Homeland Security (HST).

[15]  Milos Manic,et al.  Neural Network based Intrusion Detection System for critical infrastructures , 2009, 2009 International Joint Conference on Neural Networks.

[16]  Suku Nair,et al.  Placement of trust anchors in embedded computer systems , 2011, 2011 IEEE International Symposium on Hardware-Oriented Security and Trust.

[17]  M. Milvich,et al.  Idaho National Laboratory Supervisory Control and Data Acquisition Intrusion Detection System (SCADA IDS) , 2008, 2008 IEEE Conference on Technologies for Homeland Security.

[18]  Dayu Yang,et al.  Anomaly-Based Intrusion Detection for SCADA Systems , 2006 .

[19]  Mark G. Stewart,et al.  The CIP Report November 2011 3 Assessing the Risks , Costs , and Benefits of Counter-Terrorism Protective Measures for Infrastructure , 2011 .

[20]  Sean W. Smith,et al.  YASIR: A Low-Latency, High-Integrity Security Retrofit for Legacy SCADA Systems , 2008, SEC.

[21]  Stephen M. Papa,et al.  Availability Based Risk Analysis for SCADA Embedded Computer Systems , 2011 .

[22]  S. Papa,et al.  Security fusion implementation and optimization in SCADA systems , 2012, 2012 IEEE Conference on Technologies for Homeland Security (HST).