Skip to main content
OSTI.GOVU.S. Department of Energy Office of Scientific and Technical Information
U.S. Department of Energy
Office of Scientific and Technical Information
 

Measurable Control System Security through Ideal Driven Technical Metrics

Conference ·
OSTI ID:924496
; ; ; ;

The Department of Homeland Security National Cyber Security Division supported development of a small set of security ideals as a framework to establish measurable control systems security. Based on these ideals, a draft set of proposed technical metrics was developed to allow control systems owner-operators to track improvements or degradations in their individual control systems security posture. The technical metrics development effort included review and evaluation of over thirty metrics-related documents. On the bases of complexity, ambiguity, or misleading and distorting effects the metrics identified during the reviews were determined to be weaker than necessary to aid defense against the myriad threats posed by cyber-terrorism to human safety, as well as to economic prosperity. Using the results of our metrics review and the set of security ideals as a starting point for metrics development, we identified thirteen potential technical metrics - with at least one metric supporting each ideal. Two case study applications of the ideals and thirteen metrics to control systems were then performed to establish potential difficulties in applying both the ideals and the metrics. The case studies resulted in no changes to the ideals, and only a few deletions and refinements to the thirteen potential metrics. This led to a final proposed set of ten core technical metrics. To further validate the security ideals, the modifications made to the original thirteen potential metrics, and the final proposed set of ten core metrics, seven separate control systems security assessments performed over the past three years were reviewed for findings and recommended mitigations. These findings and mitigations were then mapped to the security ideals and metrics to assess gaps in their coverage. The mappings indicated that there are no gaps in the security ideals and that the ten core technical metrics provide significant coverage of standard security issues with 87% coverage. Based on the two case studies and evaluation of the seven assessments, the security ideals demonstrated their value in guiding security thinking. Further, the final set of core technical metrics has been demonstrated to be both usable in the control system environment and provide significant coverage of standard security issues.

Research Organization:
Idaho National Laboratory (INL)
Sponsoring Organization:
USDOE
DOE Contract Number:
AC07-99ID13727
OSTI ID:
924496
Report Number(s):
INL/CON-07-13581
Country of Publication:
United States
Language:
English

Similar Records

Ideal Based Cyber Security Technical Metrics for Control Systems
Conference · Mon Oct 01 00:00:00 EDT 2007 · OSTI ID:924508
Primer Control System Cyber Security Framework and Technical Metrics
Technical Report · Thu May 01 00:00:00 EDT 2008 · OSTI ID:935471

Related Subjects

99 GENERAL AND MISCELLANEOUS
CONTROL SYSTEMS
Cyber Security Metrics
Control System Security
ECONOMICS
EVALUATION
METRICS
MODIFICATIONS
SAFETY
SECURITY