OSTI.GOV, U.S. Department of Energy
Office of Scientific and Technical Information

Title: Cybersecurity Vulnerability Mitigation Framework through Empirical Paradigm: Enhanced Prioritized Gap Analysis

Abstract

Existing cybersecurity vulnerability assessment tools were designed based on the policies and standards defined by organizations such as the U.S. Department of Energy and the National Institute of Standards and Technology (NIST). Frameworks such as the cybersecurity capability maturity model (C2M2) and the NIST Cybersecurity Framework (CSF) are often used by the critical infrastructure owners and operators to determine the cybersecurity maturity of their facility. Although these frameworks are exceptional at performing qualitative cybersecurity analysis and identifying vulnerabilities, they do not provide a means to perform prioritized mitigation of those vulnerabilities in order to achieve a desired cybersecurity maturity. To address that challenge, we developed a framework and software application called the cybersecurity vulnerability mitigation framework through empirical paradigm (CyFEr). This paper presents the detailed architecture of CyFEr’s enhanced prioritized gap analysis (EPGA) methodology and its application to CSF. The efficacy of the presented framework is demonstrated by comparing against existing similar models and testing against the cyber injects from a real-world cyber-attack that targeted industrial control systems (ICS) in critical infrastructures.

Authors:
Gourisetti, Sri Nikhil G. [1]; Mylrea, Michael E. [1]; Patangia, Hirak [2]
  1. BATTELLE (PACIFIC NW LAB)
  2. University of Arkansas at Little Rock
Publication Date:
Research Org.:
Pacific Northwest National Lab. (PNNL), Richland, WA (United States)
Sponsoring Org.:
USDOE
OSTI Identifier:
1580581
Report Number(s):
PNNL-SA-143834
DOE Contract Number:  
AC05-76RL01830
Resource Type:
Journal Article
Journal Name:
Future Generation Computer Systems
Additional Journal Information:
Journal Volume: 105
Country of Publication:
United States
Language:
English

Citation Formats

Gourisetti, Sri Nikhil G., Mylrea, Michael E., and Patangia, Hirak. Cybersecurity Vulnerability Mitigation Framework through Empirical Paradigm: Enhanced Prioritized Gap Analysis. United States: N. p., 2020. Web. doi:10.1016/j.future.2019.12.018.
Gourisetti, Sri Nikhil G., Mylrea, Michael E., & Patangia, Hirak. Cybersecurity Vulnerability Mitigation Framework through Empirical Paradigm: Enhanced Prioritized Gap Analysis. United States. doi:10.1016/j.future.2019.12.018.
Gourisetti, Sri Nikhil G., Mylrea, Michael E., and Patangia, Hirak. Wed . "Cybersecurity Vulnerability Mitigation Framework through Empirical Paradigm: Enhanced Prioritized Gap Analysis". United States. doi:10.1016/j.future.2019.12.018.
@article{osti_1580581,
title = {Cybersecurity Vulnerability Mitigation Framework through Empirical Paradigm: Enhanced Prioritized Gap Analysis},
author = {Gourisetti, Sri Nikhil G. and Mylrea, Michael E. and Patangia, Hirak},
abstractNote = {Existing cybersecurity vulnerability assessment tools were designed based on the policies and standards defined by organizations such as the U.S. Department of Energy and the National Institute of Standards and Technology (NIST). Frameworks such as the cybersecurity capability maturity model (C2M2) and the NIST Cybersecurity Framework (CSF) are often used by the critical infrastructure owners and operators to determine the cybersecurity maturity of their facility. Although these frameworks are exceptional at performing qualitative cybersecurity analysis and identifying vulnerabilities, they do not provide a means to perform prioritized mitigation of those vulnerabilities in order to achieve a desired cybersecurity maturity. To address that challenge, we developed a framework and software application called the cybersecurity vulnerability mitigation framework through empirical paradigm (CyFEr). This paper presents the detailed architecture of CyFEr’s enhanced prioritized gap analysis (EPGA) methodology and its application to CSF. The efficacy of the presented framework is demonstrated by comparing against existing similar models and testing against the cyber injects from a real-world cyber-attack that targeted industrial control systems (ICS) in critical infrastructures.},
doi = {10.1016/j.future.2019.12.018},
journal = {Future Generation Computer Systems},
volume = 105,
place = {United States},
year = {2020},
month = {4}
}