Quantitative Cyber Risk Reduction Estimation Methodology for a Small SCADA Control System

We propose a new methodology for obtaining a quantitative measurement of the risk reduction achieved when a control system is modified with the intent to improve cyber security defense against external attackers. The proposed methodology employs a directed graph called a compromise graph, where the...

Full description

Saved in:
Bibliographic Details
Main Authors: McQueen, M.A., Boyer, W.F., Flynn, M.A., Beitel, G.A.
Format: Conference Proceeding
Language:English
Subjects:
Computer security
Control systems
Data security
Hidden Markov models
Laboratories
Probability
Risk analysis
Risk management
SCADA systems
System testing
Online Access:Request full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:We propose a new methodology for obtaining a quantitative measurement of the risk reduction achieved when a control system is modified with the intent to improve cyber security defense against external attackers. The proposed methodology employs a directed graph called a compromise graph, where the nodes represent stages of a potential attack and the edges represent the expected time-to-compromise for differing attacker skill levels. Time-to-compromise is modeled as a function of known vulnerabilities and attacker skill level. The methodology was used to calculate risk reduction estimates for a specific SCADA system and for a specific set of control system security remedial actions. Despite an 86% reduction in the total number of vulnerabilities, the estimated time-to-compromise was increased only by about 3 to 30% depending on target and attacker skill level.
ISSN:1530-1605
2572-6862
DOI:10.1109/HICSS.2006.405