Quantitative Cyber Risk Reduction Estimation Methodology for a Small Scada Control System
We propose a new methodology for obtaining a quick quantitative measurement of the risk reduction achieved when a control system is modified with the intent to improve cyber security defense against external attackers. The proposed methodology employs a directed graph called a compromise graph, where the nodes represent stages of a potential attack and the edges represent the expected time-to-compromise for differing attacker skill levels. Time-to-compromise is modeled as a function of known vulnerabilities and attacker skill level. The methodology was used to calculate risk reduction estimates for a specific SCADA system and for a specific set of control system security remedial actions. Despite an 86% reduction in the total number of vulnerabilities, the estimated time-to-compromise was increased only by about 3 to 30% depending on target and attacker skill level.
- Research Organization:
- Idaho National Lab. (INL), Idaho Falls, ID (United States)
- Sponsoring Organization:
- USDOE
- DOE Contract Number:
- DE-AC07-99ID-13727
- OSTI ID:
- 911188
- Report Number(s):
- INL/CON-06-01133; TRN: US200724%%554
- Resource Relation:
- Conference: Hawaii International Conference On System Science,Kauai, Hawaii,01/04/2006,01/07/2006
- Country of Publication:
- United States
- Language:
- English
Similar Records
Cyber Incidents Involving Control Systems
Scenario-based approach to risk analysis in support of cyber security