Jump to ContentJump to Main Navigation
Show Summary Details
More options …

Journal of Artificial Intelligence and Soft Computing Research

The Journal of Polish Neural Network Society, the University of Social Sciences in Lodz & Czestochowa University of Technology

4 Issues per year

Open Access
Online
ISSN
2083-2567
See all formats and pricing
More options …

Risk Assessment For Industrial Control Systems Quantifying Availability Using Mean Failure Cost (MFC)

Qian Chen
  • Engineering Technology, Savannah State University, Savannah, GA 31404 USA
/ Robert K. Abercrombie
  • Computational Science and Engineering, Oak Ridge National Laboratory, Oak Ridge, TN 37831 USA, Department of Computer Science, University of Memphis, Memphis, TN 38152 USA
/ Frederick T. Sheldon
  • Department of Computer Science, University of Memphis, Memphis, TN 38152 USA
Published Online: 2015-09-23 | DOI: https://doi.org/10.1515/jaiscr-2015-0029

Abstract

1 Industrial Control Systems (ICS) are commonly used in industries such as oil and natural gas, transportation, electric, water and wastewater, chemical, pharmaceutical, pulp and paper, food and beverage, as well as discrete manufacturing (e.g., automotive, aerospace, and durable goods.) SCADA systems are generally used to control dispersed assets using centralized data acquisition and supervisory control.

Originally, ICS implementations were susceptible primarily to local threats because most of their components were located in physically secure areas (i.e., ICS components were not connected to IT networks or systems). The trend toward integrating ICS systems with IT networks (e.g., efficiency and the Internet of Things) provides significantly less isolation for ICS from the outside world thus creating greater risk due to external threats. Albeit, the availability of ICS/SCADA systems is critical to assuring safety, security and profitability. Such systems form the backbone of our national cyber-physical infrastructure.

Herein, we extend the concept of mean failure cost (MFC) to address quantifying availability to harmonize well with ICS security risk assessment. This new measure is based on the classic formulation of Availability combined with Mean Failure Cost (MFC). The metric offers a computational basis to estimate the availability of a system in terms of the loss that each stakeholder stands to sustain as a result of security violations or breakdowns (e.g., deliberate malicious failures).

References

  • [1] B. Miller and D. Rowe, ”A survey SCADA of and critical infrastructure incidents,” in Proceedings of the 1st Annual Conference on Research in Information Technology (RITI’12), Calgary, Alberta, Canada, October 11-13, 2012, pp. 51-56.Google Scholar

  • [2] T. M. Chen, ”Stuxnet, the real start of cyber warfare? [Editor’s note],” Network, IEEE, vol. 24, pp. 2-3, 2010.Web of ScienceGoogle Scholar

  • [3] D. Kushner, ”The Real Story of Stuxnet: How Kaspersky Lab tracked down the malware that stymied Iran’s nuclear-fuel enrichment program,” IEEE Spectrum, 2013.Google Scholar

  • [4] D. P. Fidler, ”Was Stuxnet an Act of War? Decoding a Cyberattack,” IEEE Security & Privacy, vol. 9, pp. 56-59, 2011.Web of ScienceGoogle Scholar

  • [5] ”Sector Risk Snapshot,” DHS Office of Cyber and Infrastructure Analysis (OCIA) ed. Washington, DC, 2014, p. 52.Google Scholar

  • [6] ”Inventory of Risk Management/Risk Assessment Methods,” in Risk Management/Risk Assessment Methods and Tools, ENISA European Network and Information Security Agency ed. Heraklion, Greece, 2014.Google Scholar

  • [7] ”Comparison of Risk Management Methods and Tools,” in Risk Management/Risk Assessment Methods and Tools, ENISA European Network and Information Security Agency ed. Heraklion, Greece, 2014.Google Scholar

  • [8] B. Boehm, L. G. Huang, A. Jain, and R. Madachy, ”The nature of system dependability: A stake-holder/value approach,” University of Southern California USC-CSSE-2004-520, 2004.Google Scholar

  • [9] D. Wu, Q. Li, M. He, B. Boehm, Y. Yang, and S. Koolmanojwong, ”Analysis of stakeholder/value dependency patterns and process implications: A controlled experiment,” in 43rd Hawaii Int. Conf. on System Sciences (HICSS), 2010.CrossrefGoogle Scholar

  • [10] A. B. Aissa, R. K. Abercrombie, F. T. Sheldon, and A. Mili, ”Defining and computing a value based cyber-security measure,” Information Systems and e-Business Management, vol. 10, pp. 433-453, 2012.Google Scholar

  • [11] IEEE, ”IEEE C37.1-2007, IEEE Standard for SCADA and Automation Systems,” ed, 2008, p. 143.Google Scholar

  • [12] V. M. Igure, S. A. Laughter, and R. D. Williams, ”Security issues in SCADA networks,” Computers & Security, vol. 25, pp. 498-506, October 2006.Google Scholar

  • [13] M. Hentea, ”Improving Security for SCADA Control Systems,” Interdisciplinary Journal of Information, Knowledge, and Management, vol. 3, pp. 73-86, 2008.Google Scholar

  • [14] Y. Cherdantseva and J. Hilton, ”A reference model of information assurance & security,” in 2013 Int. Conf. on Availability, Reliability and Security (ARES), Regensburg, 2013, pp. 546-555.Google Scholar

  • [15] A. Daneels and W. Salter, ”What is SCADA?,” in Int. Conf. on Accelerator and Large Experimental Physics Control Systems, 1999, pp. 339-343.Google Scholar

  • [16] D. H. Ryu, H. Kim, and K. Um, ”Reducing security vulnerabilities for critical infrastructure,” Journal of Loss Prevention in the Process Industries, vol. 22, pp. 1020-1024, 2009.Google Scholar

  • [17] P. A. S. Ralston, J. H. Graham, and J. L. Hieb, ”Cyber security risk assessment for SCADA and DCS networks,” ISA Transactions, vol. 46, pp. 583-594, 2007.Google Scholar

  • [18] R. Dawson, C. Boyd, E. Dawson, and J. M. G. Nieto, ”SKMA: A Key Management Architecture for SCADA systems,” in Proceedings of the 2006 Australasian Workshops on Grid computing and e-Research - Volume 54, Hobart, Tasmania, Australia, 2006, pp. 183-192.Google Scholar

  • [19] C. Ning, W. Jidong, and Y. Xinghuo, ”SCADA system security: Complexity, history and new developments,” in Industrial Informatics, 2008. INDIN 2008. 6th IEEE International Conference on, Daejeon, Korea, 2008, pp. 569-574.Google Scholar

  • [20] W. Yang and Q. Zhao, ”Cyber security issues of critical components for industrial control system,” in 2014 IEEE Chinese on Guidance, Navigation and Control Conference (CGNCC), Yantai, 2014, pp. 2698-2703.Google Scholar

  • [21] A. B. Aissa, R. K. Abercrombie, F. T. Sheldon, and A. Mili, ”Quantifying Security Threats and Their Potential Impacts: A Case Study,” Innovations in Systems and Software Engineering, vol. 6, pp. 269-281, December 2010.Google Scholar

  • [22] J. Caswell, ”Survey of Industrial Control Systems Security,” Washington University in St. Louis, St. Loius, Missouri 2011.Google Scholar

  • [23] A. Hildick-Smith, ”Security for Critical Infrastructure SCADA Systems,” SANS GSEC Practical Assignment, Version 1.4c, Option 1, February 23, 2005.Google Scholar

  • [24] ”Vulnerability analysis of energy delivery control system,” Idaho National Laboratory, Idaho Falls INL/EXT-10-18381, September 2011.Google Scholar

  • [25] S. Amin, A. Crdenas, and S. S. Sastry, ”Safe and secure networked control systems under Denial-of-Service attacks,” in Hybrid Systems: Computation and Control. vol. 5469, R. Majumdar and P. Tabuada, Eds., ed: Springer Berlin Heidelberg, 2009, pp. 31-45.Google Scholar

  • [26] A. Nicholson, S. Webber, S. Dyer, T. Patel, and H. Janicke, ”SCADA security in the light of Cyber-Warfare,” Computers & Security, vol. 31, pp. 418-436, 2012.Google Scholar

  • [27] K. Stouffer, J. Falco, and K. Scarfone, ”Guide to Industrial Control Systems (ICS) Security,” National Institute of Standards and Technology (NIST), Gaithersburg, MD Special Publication 800-82, June 2011.Google Scholar

  • [28] I. Onyeji, M. Bazilian, and C. Bronk, ”Cyber Security and Critical Energy Infrastructure,” The Electricity Journal, vol. 27, pp. 52-60, 2014.Google Scholar

  • [29] F. T. Sheldon, R. K. Abercrombie, and A. Mili, ”Evaluating security controls based on key performance indicators and stakeholder mission,” in 4th Workshop on Cyber security and information intelligence research (CSIIRW’08), Oak Ridge, Tennessee, 2008, pp. 1-11.Google Scholar

  • [30] Q. Chen and S. Abdelwahed, ”Towards realizing self-protecting SCADA systems,” in Proceedings of the 9th Annual Cyber and Information Security Research Conference, Oak Ridge, Tennessee, USA, 2014, pp. 105-108.Google Scholar

  • [31] Q. Chen and S. Abdelwahed, ”A Model-based Approach to Self-Protection in SCADA Systems,” in 9th International Workshop on Feedback Computing (Feedback Computing ’14), Philadelphia, 2014.Google Scholar

  • [32] ”DOE Electricity Subsector Cybersecurity Risk Management Process (RMP) Guideline (DOE/OE-003),” Department of Energy, Washington, D.C., 2012.Google Scholar

  • [33] G. Stoneburner, A. Y. Goguen, and A. Feringa, ”Risk Management Guide for Information Technology Systems,” NIST Special Publication 800-30, Germantown, MD United States, 2002.Google Scholar

  • [34] ”Guide for Conducting Risk Assessments,” NIST Special Publication 800-30, Revision 1, Germantown, MD United States, September 2012.Google Scholar

  • [35] A. Mili and F. T. Sheldon, ”Challenging the Mean Time to Failure: Measuring Dependability as a Mean Failure Cost,” in 42nd Hawaii International Conference on System Sciences (HICSS), 2009, pp. 1-10.Google Scholar

  • [36] F. T. Sheldon, R. K. Abercrombie, and A. Mili, ”Methodology for evaluating security controls based on key performance indicators and stake-holder mission,” in 2009 42nd Hawaii International Conference on System Sciences (HICSS), 2009, pp. 1-10.Google Scholar

  • [37] R. K. Abercrombie, E. M. Ferragut, F. T. Sheldon, and M. R. Grimaila, ”Addressing the need for independence in the CSE model,” in 2011 IEEE Symposium on Computational Intelligence in Cyber Security (CICS), 2011, pp. 68-75.Google Scholar

  • [38] R. K. Abercrombie, F. T. Sheldon, and M. R. Grimaila, ”A systematic comprehensive computational model for stake estimation in mission assurance,” in 2010 IEEE SocialCom, Minneapolis, MN, 2010, pp. 1153-1158.Google Scholar

  • [39] R. K. Abercrombie, F. T. Sheldon, and A. Mili, ”Synopsis of evaluating security controls based on key performance indicators and stakeholder mission value,” in High Assurance Systems Engineering Symposium, 2008. HASE 2008. 11th IEEE, 2008, pp. 479-482.Google Scholar

  • [40] R. K. Abercrombie, B. G. Schlicher, and F. T. Sheldon, ”Security analysis of selected AMI failure scenarios using agent based game theoretic simulation,” in 47th Hawaii International Conference on System Sciences (HICSS), Big Island, HI, 2014, pp. 2015-2024.Google Scholar

  • [41] R. K. Abercrombie, F. T. Sheldon, K. R. Hauser, M. W. Lantz, and A. Mili, ”Failure impact analysis of key management in AMI using cybernomic situational assessment (CSA),” in Eighth Cyber Security and Information Intelligence Research Workshop, 2013.Google Scholar

  • [42] R. K. Abercrombie, F. T. Sheldon, K. R. Hauser, M. W. Lantz, and A. Mili, ”Risk assessment methodology based on the NISTIR 7628 guidelines,” in 46th Hawaii International Conference on System Sciences (HICSS), Wailea, Maui, HI USA, 2013, pp. 1802-1811.Google Scholar

  • [43] R. K. Abercrombie, ”Cryptographic Key Management and Critical Risk Assessment,” Oak Ridge National Laboratory, Oak Ridge, TN ORNL/TM-2014/131, 2014.Google Scholar

  • [44] C. Vishik, F. T. Sheldon, and D. Ott, ”Economic Incentives for Cybersecurity: Using Economics to Design Technologies Ready for Deployment,” in ISSE 2013 Securing Electronic Business Processes, ed: Springer, 2013, pp. 133-147.Google Scholar

  • [45] M. Jouini, A. B. Aissa, L. B. A. Rabai, and A. Mili, ”Towards Quantitative Measures of Information Security: A Cloud Computing Case Study,” International Journal of Cyber-Security and Digital Forensics, vol. 1, pp. 248-262, 2012.Google Scholar

  • [46] A. B. Aissa, L. B. A. Rabai, R. K. Abercrombie, F. T. Sheldon, and A. Mili, ”Quantifying availability in SCADA environments using the cyber security metric MFC,” in Proceedings of 2014 9th Cyber and Information Security Research Conference, Oak Ridge, TN, 2014, pp. 81-84.Google Scholar

  • [47] A. B. Aissa, R. K. Abercrombie, F. T. Sheldon, and A. Mili, ”Quantifying the impact of unavailability in cyber-physical environments,” in 2014 IEEE Symposium on Computational Intelligence in Cyber Security (CICS), 2014, pp. 1-8.Google Scholar

  • [48] ”Introduction to Repairable Systems,” in System Analysis Reference, Reliability, Availability & Optimization, ed Tucson: RealiSoft Corporation, 2013, pp. 112-125.Google Scholar

About the article

Published Online: 2015-09-23

Published in Print: 2015-07-01


1This manuscript has been authored by UT-Battelle, LLC under Contract No. DE-AC05-00OR22725 with the U.S. Department of Energy (DOE). The United States Government (USG) retains and the publisher, by accepting the article for publication, acknowledges that the United States Government retains a non-exclusive, paid-up, irrevocable, worldwide license to publish or reproduce the published form of this manuscript, or allow others to do so, for USG purposes. The DOE will provide public access to these results of federally sponsored research in accordance with the DOE Public Access Plan (http://energy.gov/downloads/doe-public-access-plan).


Citation Information: Journal of Artificial Intelligence and Soft Computing Research, ISSN (Online) 2083-2567, DOI: https://doi.org/10.1515/jaiscr-2015-0029.

Export Citation

© Academy of Management (SWSPiZ), Lodz. This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 3.0 License. BY-NC-ND 3.0

Comments (0)

Please log in or register to comment.
Log in