Applicability of Domain Based Security risk modeling to SCADA systems

Domain Based Security (DBSy) is a model-based approach, developed by the Defence Evaluation and Research Agency for the UK Ministry of Defence, to analyze information security risks in business context for the purpose of providing a direct mapping between the risks and security controls needed to manage them. The traditional DBSy modelling partitions business processes and underlying IT infrastructure into logical domains of predefined confidentiality levels to enforce restrictions on sharing of information. While constrains on sharing of information are addressing requirements on confidentiality of the information, industrial control systems primarily require and rely on timely and correct information. Therefore, this short paper explores applicability of the DBSy modeling to SCADA industrial control system environments in which integrity and availability of information is important for correct operation of the system, protection of human lives and prevention of damages to environment. Examples are shown to illustrate that on confidentiality focused legacy style DBSy modeling can be extended to consider and address integrity and availability requirements of industrial control systems.