Measuring the Risk of Cyber Attack in Industrial Control Systems

Cyber attacks on industrial control systems (ICS) that underpin critical national infrastructure can be characterised as high-impact, low-frequency events. To date, the volume of attacks versus the overall global footprint of ICS is low, and as a result there is an insufficient dataset to adequately assess the risk to an ICS operator, yet the impacts are potentially catastrophic. This paper identifies key elements of existing decision science that can be used to inform and improve the cyber security of ICS against antagonistic threats and highlights the areas where further development is required to derive realistic risk assessments, as well as detailing how data from established safety processes may inform the decision-making process. The paper concludes by making recommendations as to how a validated dataset could be constructed to support investment in ICS cyber security.

[1]  Bernhard Plattner,et al.  An economic damage model for large-scale Internet attacks , 2004, 13th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises.

[2]  Chase Qishi Wu,et al.  A Survey of Game Theory as Applied to Network Security , 2010, 2010 43rd Hawaii International Conference on System Sciences.

[3]  David V. Budescu,et al.  Encoding subjective probabilities: A psychological and psychometric review , 1983 .

[4]  George E Apostolakis,et al.  How Useful Is Quantitative Risk Assessment? , 2004, Risk analysis : an official publication of the Society for Risk Analysis.

[5]  Barack Obama,et al.  Executive Order 13636: Improving Critical Infrastructure Cybersecurity , 2013 .

[6]  Michael Pecht,et al.  Reliability Engineering , 2014 .

[7]  George E. Apostolakis,et al.  Probabilistic Risk Assessment (PRA) , 2008 .

[8]  Lee T. Ostrom,et al.  Risk Assessment: Tools, Techniques, and Their Applications , 2012 .

[9]  M. Krotofil,et al.  Rocking the pocket book: Hacking chemical plants for competition and extortion , 2015 .

[10]  S. Hora Advances in Decision Analysis: Eliciting Probabilities from Experts , 2007 .

[11]  Martin Naedele,et al.  Addressing IT Security for Critical Control Systems , 2007, 2007 40th Annual Hawaii International Conference on System Sciences (HICSS'07).

[12]  D. Bernoulli Exposition of a New Theory on the Measurement of Risk , 1954 .

[13]  Teodor Sommestad,et al.  Cyber Security Exercises and Competitions as a Platform for Cyber Security Experiments , 2012, NordSec.

[14]  L. Nordstrom,et al.  Modeling Security of Power Communication Systems Using Defense Graphs and Influence Diagrams , 2009, IEEE Transactions on Power Delivery.

[15]  Enrico Zio,et al.  Uncertainty in Risk Assessment: The Representation and Treatment of Uncertainties by Probabilistic and Non-Probabilistic Methods , 2013 .

[16]  Ing-Ray Chen,et al.  A survey of intrusion detection techniques for cyber-physical systems , 2014, ACM Comput. Surv..

[17]  James S. Dyer,et al.  The Reliability of Subjective Probabilities: Obtained Through Decomposition , 2015 .

[18]  Tyson Macaulay,et al.  Cybersecurity for Industrial Control Systems: SCADA, DCS, PLC, HMI, and SIS , 2011 .

[19]  Anna M. Doro-on,et al.  Risk Assessment and Security for Pipelines, Tunnels, and Underground Rail and Transit Operations , 2014 .

[20]  Cristina Alcaraz,et al.  Smart control of operational threats in control substations , 2013, Comput. Secur..

[21]  Robin L. Dillon-Merrill,et al.  Logic Trees: Fault, Success, Attack, Event, Probability, and Decision Trees , 2009 .

[22]  Ali Balaid,et al.  Knowledge maps: A systematic literature review and directions for future research , 2016, Int. J. Inf. Manag..

[23]  Gideon Keren,et al.  On The Calibration of Probability Judgments: Some Critical Comments and Alternative Perspectives , 1997 .

[24]  Eric V. Larson,et al.  Vulnerability Assessment Method Pocket Guide , 2014 .

[25]  Oliver C. Ibe,et al.  Markov processes for stochastic modeling , 2008 .

[26]  Norman Fenton,et al.  Risk Assessment and Decision Analysis with Bayesian Networks , 2012 .

[27]  Robert J. Ellison,et al.  Attack Trees , 2009, Encyclopedia of Biometrics.

[28]  Karen A. Scarfone,et al.  Guide to Industrial Control Systems (ICS) Security , 2015 .

[29]  T. Lewis Critical Infrastructure Protection in Homeland Security: Defending a Networked Nation , 2006 .

[30]  S. Kaplan,et al.  On The Quantitative Definition of Risk , 1981 .

[31]  John A. Sokolowski,et al.  Probabilistic Risk Analysis and Terrorism Risk , 2010, Risk analysis : an official publication of the Society for Risk Analysis.

[32]  Åke J. Holmgren,et al.  Evaluating Strategies for Defending Electric Power Networks Against Antagonistic Attacks , 2007, IEEE Transactions on Power Systems.

[33]  Wei Gao,et al.  On Cyber Attacks and Signature Based Intrusion Detection for MODBUS Based Industrial Control Systems , 2014, J. Digit. Forensics Secur. Law.