Title: Industrial Control Systems Cyber Security Risk Candidate Methods Analysis.

In recognition of their mission and in response to continuously evolving cyber threats against nuclear facilities, Department of Energy - Nuclear Energy (DOE-NE) is building the Nuclear Energy Cyber security Research, Development, and Demonstration (RD&D) Program, which includes a cyber risk management thrust. This report supports the cyber risk management thrust objective which is to deliver "Standardized methodologies for credible risk-based identification, evaluation and prioritization of digital components." In a previous task, the Sandia National Laboratories (SNL) team presented evaluation criteria and a survey to review methods to determine the most suitable techniques [1] . In this task we will identify and evaluate a series of candidate methodologies. In this report, 10 distinct methodologies are evaluated. The overall goal of this effort was to identify the current range of risk analysis techniques that were currently available, and how they could be applied, with an focus on industrial control systems (ICS). Overall, most of the techniques identified did fall into accepted risk analysis practices, though they generally addressed only one step of the multi-step risk management process. A few addressed multiple steps, but generally their treatment was superficial. This study revealed that the current state of security risk analysis in digital control systems was not comprehensive and did not support a science-based evaluation. The papers surveyed did use mathematical formulation to describe the addressed problems, and tied the models to some kind of experimental or experiential evidence as support. Most of the papers, however, did not use a rigorous approach to experimentally support the proposed models, nor did they have enough evidence supporting the efficacy of the models to statistically analyze model impact. Both of these issues stem from the difficulty and expense associated with collecting experimental data in this domain.