OSTI.GOV, U.S. Department of Energy
Office of Scientific and Technical Information

Title: Quantitative Risk reduction estimation Tool For Control Systems, Suggested Approach and Research Needs

Abstract

For the past year we have applied a variety of risk assessment technologies to evaluate the risk to critical infrastructure from cyber attacks on control systems. More recently, we identified the need for a stand alone control system risk reduction estimation tool to provide owners and operators of control systems with a more useable, reliable, and credible method for managing the risks from cyber attack. Risk is defined as the probability of a successful attack times the value of the resulting loss, typically measured in lives and dollars. Qualitative and ad hoc techniques for measuring risk do not provide sufficient support for cost benefit analyses associated with cyber security mitigation actions. To address the need for better quantitative risk reduction models we surveyed previous quantitative risk assessment research; evaluated currently available tools; developed new quantitative techniques [17] [18]; implemented a prototype analysis tool to demonstrate how such a tool might be used; used the prototype to test a variety of underlying risk calculational engines (e.g. attack tree, attack graph); and identified technical and research needs. We concluded that significant gaps still exist and difficult research problems remain for quantitatively assessing the risk to control system components and networks, but that a useable quantitative risk reduction estimation tool is not beyond reach.

Authors:
Miles McQueen; Wayne Boyer; Mark Flynn; Sam Alessi
Publication Date:
2006-03-01
Research Org.:
Idaho National Laboratory (INL)
Sponsoring Org.:
USDOE
OSTI Identifier:
911635
Report Number(s):
INL/CON-06-01255
TRN: US200801%%93
DOE Contract Number:  
DE-AC07-99ID-13727
Resource Type:
Conference
Resource Relation:
Conference: International Workshop On Complex Network and Infrastructure Protection, Rome, Italy, 03/28/2006, 03/29/2006
Country of Publication:
United States
Language:
English
Subject:
99 - GENERAL AND MISCELLANEOUS//MATHEMATICS, COMPUTING, AND INFORMATION SCIENCE; CONTROL SYSTEMS; DOLLARS; ENGINES; MITIGATION; PROBABILITY; RISK ASSESSMENT; SECURITY; Control system security; Network security; Risk estimation

Citation Formats

Miles McQueen, Wayne Boyer, Mark Flynn, and Sam Alessi. Quantitative Risk reduction estimation Tool For Control Systems, Suggested Approach and Research Needs. United States: N. p., 2006. Web.
Miles McQueen, Wayne Boyer, Mark Flynn, & Sam Alessi. Quantitative Risk reduction estimation Tool For Control Systems, Suggested Approach and Research Needs. United States.
Miles McQueen, Wayne Boyer, Mark Flynn, and Sam Alessi. 2006. "Quantitative Risk reduction estimation Tool For Control Systems, Suggested Approach and Research Needs". United States. https://www.osti.gov/servlets/purl/911635.
@article{osti_911635,
title = {Quantitative Risk reduction estimation Tool For Control Systems, Suggested Approach and Research Needs},
author = {Miles McQueen and Wayne Boyer and Mark Flynn and Sam Alessi},
abstractNote = {For the past year we have applied a variety of risk assessment technologies to evaluate the risk to critical infrastructure from cyber attacks on control systems. More recently, we identified the need for a stand alone control system risk reduction estimation tool to provide owners and operators of control systems with a more useable, reliable, and credible method for managing the risks from cyber attack. Risk is defined as the probability of a successful attack times the value of the resulting loss, typically measured in lives and dollars. Qualitative and ad hoc techniques for measuring risk do not provide sufficient support for cost benefit analyses associated with cyber security mitigation actions. To address the need for better quantitative risk reduction models we surveyed previous quantitative risk assessment research; evaluated currently available tools; developed new quantitative techniques [17] [18]; implemented a prototype analysis tool to demonstrate how such a tool might be used; used the prototype to test a variety of underlying risk calculational engines (e.g. attack tree, attack graph); and identified technical and research needs. We concluded that significant gaps still exist and difficult research problems remain for quantitatively assessing the risk to control system components and networks, but that a useable quantitative risk reduction estimation tool is not beyond reach.},
place = {United States},
year = {2006},
month = {3}
}
