Risk Assessment For Industrial Control Systems Quantifying Availability Using Mean Failure Cost (MFC)

Abstract 1 Industrial Control Systems (ICS) are commonly used in industries such as oil and natural gas, transportation, electric, water and wastewater, chemical, pharmaceutical, pulp and paper, food and beverage, as well as discrete manufacturing (e.g., automotive, aerospace, and durable goods.) SCADA systems are generally used to control dispersed assets using centralized data acquisition and supervisory control. Originally, ICS implementations were susceptible primarily to local threats because most of their components were located in physically secure areas (i.e., ICS components were not connected to IT networks or systems). The trend toward integrating ICS systems with IT networks (e.g., efficiency and the Internet of Things) provides significantly less isolation for ICS from the outside world thus creating greater risk due to external threats. Albeit, the availability of ICS/SCADA systems is critical to assuring safety, security and profitability. Such systems form the backbone of our national cyber-physical infrastructure. Herein, we extend the concept of mean failure cost (MFC) to address quantifying availability to harmonize well with ICS security risk assessment. This new measure is based on the classic formulation of Availability combined with Mean Failure Cost (MFC). The metric offers a computational basis to estimate the availability of a system in terms of the loss that each stakeholder stands to sustain as a result of security violations or breakdowns (e.g., deliberate malicious failures).

[1]  Jeffrey L. Hieb,et al.  Cyber security risk assessment for SCADA and DCS networks. , 2007, ISA transactions.

[2]  Ali Mili,et al.  Quantifying security threats and their potential impacts: a case study , 2010, Innovations in Systems and Software Engineering.

[3]  L. Chunyan,et al.  Exogenous polyamines affect mycorrhizal development of Glomus mosseae-colonized citrus (Citrus tangerine) seedlings. , 2010 .

[4]  Ali Mili,et al.  Defining and computing a value based cyber-security measure , 2012, Inf. Syst. E Bus. Manag..

[5]  David P. Fidler,et al.  Was Stuxnet an Act of War? Decoding a Cyberattack , 2011, IEEE Security & Privacy.

[6]  Vinay M. Igure,et al.  Security issues in SCADA networks , 2006, Comput. Secur..

[7]  T. M. Chen,et al.  Stuxnet, the real start of cyber warfare? [Editor's Note] , 2010, IEEE Netw..

[8]  Xinghuo Yu,et al.  SCADA system security: Complexity, history and new developments , 2008, 2008 6th IEEE International Conference on Industrial Informatics.

[9]  Ali Mili,et al.  Quantifying the impact of unavailability in cyber-physical environments , 2014, 2014 IEEE Symposium on Computational Intelligence in Cyber Security (CICS).

[10]  Robert K. Abercrombie,et al.  A Systematic Comprehensive Computational Model for Stake Estimation in Mission Assurance - Applying Cyber Security Econometrics System (CSES) to Mission Assurance Analysis Protocol (MAAP) , 2010, 2010 IEEE Second International Conference on Social Computing.

[11]  Jayne Caswell A Survey of Industrial Control Systems Security , 2011 .

[12]  Robert K. Abercrombie Cryptographic Key Management and Critical Risk Assessment , 2014 .

[13]  Gary Stoneburner,et al.  SP 800-30. Risk Management Guide for Information Technology Systems , 2002 .

[14]  Christopher Bronk,et al.  Cyber Security and Critical Energy Infrastructure , 2014 .

[15]  Ronald S. Ross,et al.  Guide for Conducting Risk Assessments , 2012 .

[16]  Ali Mili,et al.  Risk Assessment Methodology Based on the NISTIR 7628 Guidelines , 2013, 2013 46th Hawaii International Conference on System Sciences.

[17]  Ali Mili,et al.  Towards quantitative measures of Information Security: A Cloud Computing case study , 2012 .

[18]  Helge Janicke,et al.  SCADA security in the light of Cyber-Warfare , 2012, Comput. Secur..

[19]  Robert K. Abercrombie,et al.  Security Analysis of Selected AMI Failure Scenarios Using Agent Based Game Theoretic Simulation , 2014, 2014 47th Hawaii International Conference on System Sciences.

[20]  Sherif Abdelwahed,et al.  Towards realizing self-protecting SCADA systems , 2014, CISR '14.

[21]  Robert K. Abercrombie,et al.  Addressing the need for independence in the CSE model , 2011, 2011 IEEE Symposium on Computational Intelligence in Cyber Security (CICS).

[22]  Miguel Areias,et al.  SECURITY FOR CRITICAL INFRASTRUCTURE SCADA SYSTEMS , 2013 .

[23]  Karen A. Scarfone,et al.  Guide to Industrial Control Systems (ICS) Security , 2015 .

[24]  Ali Mili,et al.  Evaluating security controls based on key performance indicators and stakeholder mission , 2008, CSIIRW '08.

[25]  Qianchuan Zhao,et al.  Cyber security issues of critical components for industrial control system , 2014, Proceedings of 2014 IEEE Chinese Guidance, Navigation and Control Conference.

[26]  Yulia Cherdantseva,et al.  Secure*BPMN : a graphical extension for BPMN 2.0 based on a reference model of information assurance & security , 2014 .

[27]  Barry W. Boehm,et al.  Analysis of Stakeholder/Value Dependency Patterns and Process Implications: A Controlled Experiment , 2010, 2010 43rd Hawaii International Conference on System Sciences.

[28]  Dale C. Rowe,et al.  A survey SCADA of and critical infrastructure incidents , 2012, RIIT '12.

[29]  Jeremy Hilton,et al.  A Reference Model of Information Assurance & Security , 2013, 2013 International Conference on Availability, Reliability and Security.

[30]  G. Stoneburner,et al.  Risk Management Guide for Information Technology Systems: Recommendations of the National Institute of Standards and Technology , 2002 .

[31]  Ed Dawson,et al.  SKMA - A Key Management Architecture for SCADA Systems , 2006 .

[32]  Ali Mili,et al.  Challenging the Mean Time to Failure: Measuring Dependability as a Mean Failure Cost , 2009, 2009 42nd Hawaii International Conference on System Sciences.

[33]  Sherif Abdelwahed,et al.  A Model-based Approach to Self-Protection in SCADA Systems , 2014, Feedback Computing.

[34]  Mariana Hentea,et al.  Improving Security for SCADA Control Systems , 2008 .

[35]  Ali Mili,et al.  Synopsis of Evaluating Security Controls Based on Key Performance Indicators and Stakeholder Mission Value , 2008, 2008 11th IEEE High Assurance Systems Engineering Symposium.

[36]  Ali Mili,et al.  Defining and computing a value based cyber-security measure , 2011 .

[37]  HyungJun Kim,et al.  Reducing security vulnerabilities for critical infrastructure , 2009 .

[38]  Ali Mili,et al.  Failure impact analysis of key management in AMI using cybernomic situational assessment (CSA) , 2013, CSIIRW '13.

[39]  Ali Mili,et al.  Quantifying availability in SCADA environments using the cyber security metric MFC , 2014, CISR '14.

[40]  A. Daneels,et al.  Современные SCADA-системы , 2017 .

[41]  Ali Mili,et al.  Methodology for Evaluating Security Controls Based on Key Performance Indicators and Stakeholder Mission , 2009, 2009 42nd Hawaii International Conference on System Sciences.

[42]  David Ott,et al.  Economic Incentives for Cybersecurity: Using Economics to Design Technologies Ready for Deployment , 2013, ISSE.

[43]  Andrew Hildick-Smith,et al.  Security for Critical Infrastructure SCADA Systems , 2005 .