National Technical Reports Library - NTRL

The National Technical Information Service acquires, indexes, abstracts, and archives the largest collection of U.S. government-sponsored technical reports in existence. The NTRL offers online, free and open access to these authenticated government technical reports. Technical reports and documents in its repository may be available online for free either from the issuing federal agency, the U.S. Government Publishing Office’s Federal Digital System website, or through search engines.




Quantitative Cyber Risk Reduction Estimation Methodology for a Small Scada Control System.


DE2008911188

Publication Date: 2006
Personal Author: Flynn, M. A.; Beitel, G. A.; Boyer, W. F.; McQueen, M. A.
Page Count: 12
Abstract: We propose a new methodology for obtaining a quick quantitative measurement of the risk reduction achieved when a control system is modified with the intent to improve cyber security defense against external attackers. The proposed methodology employs a directed graph called a compromise graph, where the nodes represent stages of a potential attack and the edges represent the expected time-to-compromise for differing attacker skill levels. Time-to-compromise is modeled as a function of known vulnerabilities and attacker skill level. The methodology was used to calculate risk reduction estimates for a specific SCADA system and for a specific set of control system security remedial actions. Despite an 86% reduction in the total number of vulnerabilities, the estimated time-to-compromise was increased only by about 3 to 30% depending on target and attacker skill level.
Keywords
  • Computerized control systems
  • Remedial action
  • Security
  • Risk
  • Attack
  • Vulnerability
  • Targets
  • Estimation
  • Methodology
  • Cyber security
  • Supervisory Control and Data Acquisition (SCADA)
Source Agency
  • Technical Information Center Oak Ridge Tennessee
Corporate Authors: Idaho National Engineering Lab., Idaho Falls.; Department of Energy, Washington, DC.
Supplemental Notes: Sponsored by Department of Energy, Washington, DC.
Document Type: Technical Report
NTIS Issue Number: 200819
Contract Number
  • DE-AC07-99ID-13727