Title: Concept for Cyber-Physical Consequence Process

The Department of Homeland Security’s Office of Cyber and Infrastructure Analysis (DHS/OCIA) has a mission and vision that promotes innovation as central to expanding the organization’s capability to conduct consequence analysis. To pursue such innovation, OCIA is sponsoring a seedling effort with Idaho National Laboratory (INL) to leverage data from the proposed Automated Vulnerability Assessment (AVA) capability, which the DHS Science and Technology (S&T) Directorate is developing through a separate INL effort. The first phase of this effort is to develop a process by which recognized vulnerabilities can be scored relative to importance, reflected primarily in the ability to initiate high consequence and potentially cascading events. This report documents a cyber-physical metrics process (CPMP) to tie physical impact to the malicious exploitation of cyber vulnerabilities in industrial control systems (ICS) with the potential for initiating consequence in the critical infrastructure. The scale of achieving any particular physical consequence is dependent upon the ICS Component the vulnerability exists on, the Level of Access that the exploit would allow to component function and the Physical Impact (CLAPI) to the power system that the component is tied. A modified common vulnerability scoring system (CVSS) was detailed and demonstrated for the power sector with three case studies associated with a recognized vulnerability, with significant consequence detail provided to apply the process across the power sector. A detailed table that provides background on the power system components, ICS-enabled monitoring and control, potential consequence effects, and CVSS scoring is provided. To demonstrate the applicability of the CPMP, tables are provided as examples for other sectors that include chemical, water/wastewater and oil/gas.