Industrial Control Systems (ICS) are commonly used in industries such as oil and natural gas, transportation, electric, water and wastewater, chemical, pharmaceutical, pulp and paper, food and beverage, as well as discrete manufacturing (e.g., automotive, aerospace, and durable goods). SCADA systems are generally used to control dispersed assets using centralized data acquisition and supervisory control.
Originally, ICS implementations were susceptible primarily to local threats because most of their components were located in physically secure areas (i.e., ICS components were not connected to IT networks or systems). The trend toward integrating ICS with IT networks (driven by, e.g., efficiency and the Internet of Things) leaves ICS significantly less isolated from the outside world, creating greater risk from external threats. Yet the availability of ICS/SCADA systems is critical to assuring safety, security and profitability. Such systems form the backbone of our national cyber-physical infrastructure.
Herein, we extend the concept of mean failure cost (MFC) to quantify availability in a way that harmonizes with ICS security risk assessment. This new measure is based on the classic formulation of availability combined with MFC. The metric offers a computational basis to estimate the availability of a system in terms of the loss that each stakeholder stands to sustain as a result of security violations or breakdowns (e.g., deliberate malicious failures).
This manuscript has been authored by UT-Battelle, LLC under Contract No. DE-AC05-00OR22725 with the U.S. Department of Energy (DOE). The United States Government (USG) retains and the publisher, by accepting the article for publication, acknowledges that the United States Government retains a non-exclusive, paid-up, irrevocable, worldwide license to publish or reproduce the published form of this manuscript, or allow others to do so, for USG purposes. The DOE will provide public access to these results of federally sponsored research in accordance with the DOE Public Access Plan (