Risk Assessment For Industrial Control Systems Quantifying Availability Using Mean Failure Cost (MFC)

Open access

Abstract

1 Industrial Control Systems (ICS) are commonly used in industries such as oil and natural gas, transportation, electric, water and wastewater, chemical, pharmaceutical, pulp and paper, food and beverage, as well as discrete manufacturing (e.g., automotive, aerospace, and durable goods.) SCADA systems are generally used to control dispersed assets using centralized data acquisition and supervisory control.

Originally, ICS implementations were susceptible primarily to local threats because most of their components were located in physically secure areas (i.e., ICS components were not connected to IT networks or systems). The trend toward integrating ICS systems with IT networks (e.g., efficiency and the Internet of Things) provides significantly less isolation for ICS from the outside world thus creating greater risk due to external threats. Albeit, the availability of ICS/SCADA systems is critical to assuring safety, security and profitability. Such systems form the backbone of our national cyber-physical infrastructure.

Herein, we extend the concept of mean failure cost (MFC) to address quantifying availability to harmonize well with ICS security risk assessment. This new measure is based on the classic formulation of Availability combined with Mean Failure Cost (MFC). The metric offers a computational basis to estimate the availability of a system in terms of the loss that each stakeholder stands to sustain as a result of security violations or breakdowns (e.g., deliberate malicious failures).

If the inline PDF is not rendering correctly, you can download the PDF file here.

  • [1] B. Miller and D. Rowe ”A survey SCADA of and critical infrastructure incidents” in Proceedings of the 1st Annual Conference on Research in Information Technology (RITI’12) Calgary Alberta Canada October 11-13 2012 pp. 51-56.

  • [2] T. M. Chen ”Stuxnet the real start of cyber warfare? [Editor’s note]” Network IEEE vol. 24 pp. 2-3 2010.

  • [3] D. Kushner ”The Real Story of Stuxnet: How Kaspersky Lab tracked down the malware that stymied Iran’s nuclear-fuel enrichment program” IEEE Spectrum 2013.

  • [4] D. P. Fidler ”Was Stuxnet an Act of War? Decoding a Cyberattack” IEEE Security & Privacy vol. 9 pp. 56-59 2011.

  • [5] ”Sector Risk Snapshot” DHS Office of Cyber and Infrastructure Analysis (OCIA) ed. Washington DC 2014 p. 52.

  • [6] ”Inventory of Risk Management/Risk Assessment Methods” in Risk Management/Risk Assessment Methods and Tools ENISA European Network and Information Security Agency ed. Heraklion Greece 2014.

  • [7] ”Comparison of Risk Management Methods and Tools” in Risk Management/Risk Assessment Methods and Tools ENISA European Network and Information Security Agency ed. Heraklion Greece 2014.

  • [8] B. Boehm L. G. Huang A. Jain and R. Madachy ”The nature of system dependability: A stake-holder/value approach” University of Southern California USC-CSSE-2004-520 2004.

  • [9] D. Wu Q. Li M. He B. Boehm Y. Yang and S. Koolmanojwong ”Analysis of stakeholder/value dependency patterns and process implications: A controlled experiment” in 43rd Hawaii Int. Conf. on System Sciences (HICSS) 2010.

  • [10] A. B. Aissa R. K. Abercrombie F. T. Sheldon and A. Mili ”Defining and computing a value based cyber-security measure” Information Systems and e-Business Management vol. 10 pp. 433-453 2012.

  • [11] IEEE ”IEEE C37.1-2007 IEEE Standard for SCADA and Automation Systems” ed 2008 p. 143.

  • [12] V. M. Igure S. A. Laughter and R. D. Williams ”Security issues in SCADA networks” Computers & Security vol. 25 pp. 498-506 October 2006.

  • [13] M. Hentea ”Improving Security for SCADA Control Systems” Interdisciplinary Journal of Information Knowledge and Management vol. 3 pp. 73-86 2008.

  • [14] Y. Cherdantseva and J. Hilton ”A reference model of information assurance & security” in 2013 Int. Conf. on Availability Reliability and Security (ARES) Regensburg 2013 pp. 546-555.

  • [15] A. Daneels and W. Salter ”What is SCADA?” in Int. Conf. on Accelerator and Large Experimental Physics Control Systems 1999 pp. 339-343.

  • [16] D. H. Ryu H. Kim and K. Um ”Reducing security vulnerabilities for critical infrastructure” Journal of Loss Prevention in the Process Industries vol. 22 pp. 1020-1024 2009.

  • [17] P. A. S. Ralston J. H. Graham and J. L. Hieb ”Cyber security risk assessment for SCADA and DCS networks” ISA Transactions vol. 46 pp. 583-594 2007.

  • [18] R. Dawson C. Boyd E. Dawson and J. M. G. Nieto ”SKMA: A Key Management Architecture for SCADA systems” in Proceedings of the 2006 Australasian Workshops on Grid computing and e-Research - Volume 54 Hobart Tasmania Australia 2006 pp. 183-192.

  • [19] C. Ning W. Jidong and Y. Xinghuo ”SCADA system security: Complexity history and new developments” in Industrial Informatics 2008. INDIN 2008. 6th IEEE International Conference on Daejeon Korea 2008 pp. 569-574.

  • [20] W. Yang and Q. Zhao ”Cyber security issues of critical components for industrial control system” in 2014 IEEE Chinese on Guidance Navigation and Control Conference (CGNCC) Yantai 2014 pp. 2698-2703.

  • [21] A. B. Aissa R. K. Abercrombie F. T. Sheldon and A. Mili ”Quantifying Security Threats and Their Potential Impacts: A Case Study” Innovations in Systems and Software Engineering vol. 6 pp. 269-281 December 2010.

  • [22] J. Caswell ”Survey of Industrial Control Systems Security” Washington University in St. Louis St. Loius Missouri 2011.

  • [23] A. Hildick-Smith ”Security for Critical Infrastructure SCADA Systems” SANS GSEC Practical Assignment Version 1.4c Option 1 February 23 2005.

  • [24] ”Vulnerability analysis of energy delivery control system” Idaho National Laboratory Idaho Falls INL/EXT-10-18381 September 2011.

  • [25] S. Amin A. Crdenas and S. S. Sastry ”Safe and secure networked control systems under Denial-of-Service attacks” in Hybrid Systems: Computation and Control. vol. 5469 R. Majumdar and P. Tabuada Eds. ed: Springer Berlin Heidelberg 2009 pp. 31-45.

  • [26] A. Nicholson S. Webber S. Dyer T. Patel and H. Janicke ”SCADA security in the light of Cyber-Warfare” Computers & Security vol. 31 pp. 418-436 2012.

  • [27] K. Stouffer J. Falco and K. Scarfone ”Guide to Industrial Control Systems (ICS) Security” National Institute of Standards and Technology (NIST) Gaithersburg MD Special Publication 800-82 June 2011.

  • [28] I. Onyeji M. Bazilian and C. Bronk ”Cyber Security and Critical Energy Infrastructure” The Electricity Journal vol. 27 pp. 52-60 2014.

  • [29] F. T. Sheldon R. K. Abercrombie and A. Mili ”Evaluating security controls based on key performance indicators and stakeholder mission” in 4th Workshop on Cyber security and information intelligence research (CSIIRW’08) Oak Ridge Tennessee 2008 pp. 1-11.

  • [30] Q. Chen and S. Abdelwahed ”Towards realizing self-protecting SCADA systems” in Proceedings of the 9th Annual Cyber and Information Security Research Conference Oak Ridge Tennessee USA 2014 pp. 105-108.

  • [31] Q. Chen and S. Abdelwahed ”A Model-based Approach to Self-Protection in SCADA Systems” in 9th International Workshop on Feedback Computing (Feedback Computing ’14) Philadelphia 2014.

  • [32] ”DOE Electricity Subsector Cybersecurity Risk Management Process (RMP) Guideline (DOE/OE-003)” Department of Energy Washington D.C. 2012.

  • [33] G. Stoneburner A. Y. Goguen and A. Feringa ”Risk Management Guide for Information Technology Systems” NIST Special Publication 800-30 Germantown MD United States 2002.

  • [34] ”Guide for Conducting Risk Assessments” NIST Special Publication 800-30 Revision 1 Germantown MD United States September 2012.

  • [35] A. Mili and F. T. Sheldon ”Challenging the Mean Time to Failure: Measuring Dependability as a Mean Failure Cost” in 42nd Hawaii International Conference on System Sciences (HICSS) 2009 pp. 1-10.

  • [36] F. T. Sheldon R. K. Abercrombie and A. Mili ”Methodology for evaluating security controls based on key performance indicators and stake-holder mission” in 2009 42nd Hawaii International Conference on System Sciences (HICSS) 2009 pp. 1-10.

  • [37] R. K. Abercrombie E. M. Ferragut F. T. Sheldon and M. R. Grimaila ”Addressing the need for independence in the CSE model” in 2011 IEEE Symposium on Computational Intelligence in Cyber Security (CICS) 2011 pp. 68-75.

  • [38] R. K. Abercrombie F. T. Sheldon and M. R. Grimaila ”A systematic comprehensive computational model for stake estimation in mission assurance” in 2010 IEEE SocialCom Minneapolis MN 2010 pp. 1153-1158.

  • [39] R. K. Abercrombie F. T. Sheldon and A. Mili ”Synopsis of evaluating security controls based on key performance indicators and stakeholder mission value” in High Assurance Systems Engineering Symposium 2008. HASE 2008. 11th IEEE 2008 pp. 479-482.

  • [40] R. K. Abercrombie B. G. Schlicher and F. T. Sheldon ”Security analysis of selected AMI failure scenarios using agent based game theoretic simulation” in 47th Hawaii International Conference on System Sciences (HICSS) Big Island HI 2014 pp. 2015-2024.

  • [41] R. K. Abercrombie F. T. Sheldon K. R. Hauser M. W. Lantz and A. Mili ”Failure impact analysis of key management in AMI using cybernomic situational assessment (CSA)” in Eighth Cyber Security and Information Intelligence Research Workshop 2013.

  • [42] R. K. Abercrombie F. T. Sheldon K. R. Hauser M. W. Lantz and A. Mili ”Risk assessment methodology based on the NISTIR 7628 guidelines” in 46th Hawaii International Conference on System Sciences (HICSS) Wailea Maui HI USA 2013 pp. 1802-1811.

  • [43] R. K. Abercrombie ”Cryptographic Key Management and Critical Risk Assessment” Oak Ridge National Laboratory Oak Ridge TN ORNL/TM-2014/131 2014.

  • [44] C. Vishik F. T. Sheldon and D. Ott ”Economic Incentives for Cybersecurity: Using Economics to Design Technologies Ready for Deployment” in ISSE 2013 Securing Electronic Business Processes ed: Springer 2013 pp. 133-147.

  • [45] M. Jouini A. B. Aissa L. B. A. Rabai and A. Mili ”Towards Quantitative Measures of Information Security: A Cloud Computing Case Study” International Journal of Cyber-Security and Digital Forensics vol. 1 pp. 248-262 2012.

  • [46] A. B. Aissa L. B. A. Rabai R. K. Abercrombie F. T. Sheldon and A. Mili ”Quantifying availability in SCADA environments using the cyber security metric MFC” in Proceedings of 2014 9th Cyber and Information Security Research Conference Oak Ridge TN 2014 pp. 81-84.

  • [47] A. B. Aissa R. K. Abercrombie F. T. Sheldon and A. Mili ”Quantifying the impact of unavailability in cyber-physical environments” in 2014 IEEE Symposium on Computational Intelligence in Cyber Security (CICS) 2014 pp. 1-8.

  • [48] ”Introduction to Repairable Systems” in System Analysis Reference Reliability Availability & Optimization ed Tucson: RealiSoft Corporation 2013 pp. 112-125.

Search
Journal information
Impact Factor


CiteScore 2018: 4.70

SCImago Journal Rank (SJR) 2018: 0.351
Source Normalized Impact per Paper (SNIP) 2018: 4.066

Cited By
Metrics
All Time Past Year Past 30 Days
Abstract Views 0 0 0
Full Text Views 384 215 2
PDF Downloads 158 101 1