Title :
Quantitative Cyber Risk Reduction Estimation Methodology for a Small SCADA Control System
Author :
McQueen, Miles A. ; Boyer, Wayne F. ; Flynn, Mark A. ; Beitel, George A.
Author_Institution :
Idaho National Laboratory
Abstract :
We propose a new methodology for obtaining a quantitative measurement of the risk reduction achieved when a control system is modified with the intent to improve cyber security defense against external attackers. The proposed methodology employs a directed graph called a compromise graph, where the nodes represent stages of a potential attack and the edges represent the expected time-to-compromise for differing attacker skill levels. Time-to-compromise is modeled as a function of known vulnerabilities and attacker skill level. The methodology was used to calculate risk reduction estimates for a specific SCADA system and for a specific set of control system security remedial actions. Despite an 86% reduction in the total number of vulnerabilities, the estimated time-to-compromise was increased only by about 3 to 30% depending on target and attacker skill level.
Keywords :
Computer security; Control systems; Data security; Hidden Markov models; Laboratories; Probability; Risk analysis; Risk management; SCADA systems; System testing;
Conference_Titel :
System Sciences, 2006. HICSS '06. Proceedings of the 39th Annual Hawaii International Conference on
Print_ISBN :
0-7695-2507-5
DOI :
10.1109/HICSS.2006.405
