OSTI.GOV, U.S. Department of Energy, Office of Scientific and Technical Information

Title: Quantitative Risk reduction estimation Tool For Control Systems, Suggested Approach and Research Needs

Abstract

For the past year we have applied a variety of risk assessment technologies to evaluate the risk to critical infrastructure from cyber attacks on control systems. More recently, we identified the need for a stand-alone control system risk reduction estimation tool to provide owners and operators of control systems with a more useable, reliable, and credible method for managing the risks from cyber attack. Risk is defined as the probability of a successful attack times the value of the resulting loss, typically measured in lives and dollars. Qualitative and ad hoc techniques for measuring risk do not provide sufficient support for cost benefit analyses associated with cyber security mitigation actions. To address the need for better quantitative risk reduction models we surveyed previous quantitative risk assessment research; evaluated currently available tools; developed new quantitative techniques [17] [18]; implemented a prototype analysis tool to demonstrate how such a tool might be used; used the prototype to test a variety of underlying risk calculational engines (e.g. attack tree, attack graph); and identified technical and research needs. We concluded that significant gaps still exist and difficult research problems remain for quantitatively assessing the risk to control system components and networks, but that a useable quantitative risk reduction estimation tool is not beyond reach.

Authors:
Miles McQueen; Wayne Boyer; Mark Flynn; Sam Alessi
Publication Date:
2006-03-01
Research Org.:
Idaho National Laboratory (INL)
Sponsoring Org.:
USDOE
OSTI Identifier:
911635
Report Number(s):
INL/CON-06-01255
TRN: US200801%%93
DOE Contract Number:
DE-AC07-99ID-13727
Resource Type:
Conference
Resource Relation:
Conference: International Workshop on Complex Network and Infrastructure Protection, Rome, Italy, March 28-29, 2006
Country of Publication:
United States
Language:
English
Subject:
99 - GENERAL AND MISCELLANEOUS//MATHEMATICS, COMPUTING, AND INFORMATION SCIENCE; CONTROL SYSTEMS; DOLLARS; ENGINES; MITIGATION; PROBABILITY; RISK ASSESSMENT; SECURITY; Control system security; Network security; Risk estimation

Citation Formats

Miles McQueen, Wayne Boyer, Mark Flynn, and Sam Alessi. Quantitative Risk reduction estimation Tool For Control Systems, Suggested Approach and Research Needs. United States: N. p., 2006. Web.
Miles McQueen, Wayne Boyer, Mark Flynn, & Sam Alessi. (2006). Quantitative Risk reduction estimation Tool For Control Systems, Suggested Approach and Research Needs. United States.
Miles McQueen, Wayne Boyer, Mark Flynn, and Sam Alessi. 2006. "Quantitative Risk reduction estimation Tool For Control Systems, Suggested Approach and Research Needs". United States. https://www.osti.gov/servlets/purl/911635.
@inproceedings{osti_911635,
title = {Quantitative Risk reduction estimation Tool For Control Systems, Suggested Approach and Research Needs},
author = {Miles McQueen and Wayne Boyer and Mark Flynn and Sam Alessi},
booktitle = {International Workshop on Complex Network and Infrastructure Protection},
address = {Rome, Italy},
abstractNote = {For the past year we have applied a variety of risk assessment technologies to evaluate the risk to critical infrastructure from cyber attacks on control systems. More recently, we identified the need for a stand-alone control system risk reduction estimation tool to provide owners and operators of control systems with a more useable, reliable, and credible method for managing the risks from cyber attack. Risk is defined as the probability of a successful attack times the value of the resulting loss, typically measured in lives and dollars. Qualitative and ad hoc techniques for measuring risk do not provide sufficient support for cost benefit analyses associated with cyber security mitigation actions. To address the need for better quantitative risk reduction models we surveyed previous quantitative risk assessment research; evaluated currently available tools; developed new quantitative techniques [17] [18]; implemented a prototype analysis tool to demonstrate how such a tool might be used; used the prototype to test a variety of underlying risk calculational engines (e.g. attack tree, attack graph); and identified technical and research needs. We concluded that significant gaps still exist and difficult research problems remain for quantitatively assessing the risk to control system components and networks, but that a useable quantitative risk reduction estimation tool is not beyond reach.},
note = {Report No. INL/CON-06-01255},
place = {United States},
year = {2006},
month = mar,
url = {https://www.osti.gov/servlets/purl/911635}
}

Other availability
Please see Document Availability for additional information on obtaining the full-text document. Library patrons may search WorldCat to identify libraries that hold this conference proceeding.

  • We propose a new methodology for obtaining a quick quantitative measurement of the risk reduction achieved when a control system is modified with the intent to improve cyber security defense against external attackers. The proposed methodology employs a directed graph called a compromise graph, where the nodes represent stages of a potential attack and the edges represent the expected time-to-compromise for differing attacker skill levels. Time-to-compromise is modeled as a function of known vulnerabilities and attacker skill level. The methodology was used to calculate risk reduction estimates for a specific SCADA system and for a specific set of control system security remedial actions. Despite an 86% reduction in the total number of vulnerabilities, the estimated time-to-compromise was increased only by about 3 to 30% depending on target and attacker skill level.
  • Risk assessment methods vary in nature and depth. Their application to the evaluation of information security issues should be decided on the basis of their capability to provide answers to practical and fundamental questions concerning the design and implementation of security controls in specific information systems. Quantitative risk analysis provides an objectively based approach to the problem of assessing and managing risk. As a decision making and risk assessment tool, it is not only capable of identifying potential losses that could be unacceptable for a given system, but it can be used to determine which specific security controls and countermeasures can be effective and cost justifiable. The Livermore Risk Analysis Methodology (LRAM) was developed to cover these objectives in a balanced and comprehensive way. Its model and procedures, from the identification of valuable assets to the prioritization and budgeting of proposed controls, are examined and discussed both from the technical and from the decision making/risk management perspectives.
  • The so-called Millennium Bug, also known as the Y2K problem, will affect the operation of some industrial process control and automation systems. This paper describes an integrated risk management approach based on analytical techniques generally used in the design of industrial facilities. The methodology will assist operators, regulatory bodies, investors and insurers in verifying that critical process control and safety systems are being addressed to ensure Y2K compliance. In addition, the methodology will allow remediation and/or mitigation resources to be confidently focused where they will be most cost effective based on an understanding of the potential consequences of system failure. The loss of revenue associated with the extensive system testing and plant shutdowns required by other Y2K compliance techniques may be demonstrated to be unnecessary.
  • The "watch list" waste tanks at the Hanford Site in Washington state are those that the Secretary of the Department of Energy reports upon to the Congress because of the unresolved safety question. As such, they are subject to intense surveillance and an enhanced list of controls and safety procedures. The objective of the Waste Tank Safety Program is to mitigate the safety concerns with respect to these tanks, thereby removing them from the "watch list." The essential step in this process is the development of a defensible position that reduces the risk of these tanks to an acceptable level. An integrated research and development (R&D) program is believed to be the most cost-effective means of achieving the information required to mitigate the safety concern and to resolve the safety issues. This program uses chemical and physical modeling studies of synthetic waste, is substantiated with limited field data and radioactive samples from a tank, and uses numerical modeling to extrapolate results to actual tank-scale operations. 3 refs., 4 figs.
  • As part of Rohm and Haas' Major Accident Prevention Program (MAPP), a team of plant engineering, operating and safety personnel modeled a worst case (loss of entire system contents) as well as more likely release scenarios from the plant's ammonia refrigeration system. Emergency Response Planning Guideline (ERPG) level 3 concentrations (1,000 ppm) were found to extend into the nearest residential community. Due to the potential to affect the community, the plant management requested a quantitative risk assessment (QRA) to test the effectiveness of the team's risk reduction recommendations, and to develop alternative recommendations. Loss of containment scenarios were developed from HAZOPs of the refrigeration system, a review of previous incidents and a listing of representative equipment failure scenarios. Plant management was interested in the likelihood of ammonia concentrations that might impact the community. Therefore, the ERPG2 concentration (200 ppm) was chosen as an endpoint of concern. Dispersion modeling of the release scenarios was done using a commercially available dispersion modeling program. Detailed modeling also showed that the worst case scenario assumed in the original MAPP study was not possible. Frequencies for releases were calculated using equipment failure rate data and Fault Tree Analysis. The QRA showed that an initial recommendation made by the MAPP team did not reduce risk as much as alternative recommendations developed in the detailed study.