Proceedings of the 39th Annual Hawaii International Conference on System Sciences (HICSS'06) Track 9
Kauai, Hawaii
January 04-January 07
ISBN: 0-7695-2507-5
Miles A. McQueen, Idaho National Laboratory
Wayne F. Boyer, Idaho National Laboratory
Mark A. Flynn, Idaho National Laboratory
George A. Beitel, Idaho National Laboratory
We propose a new methodology for obtaining a quantitative measurement of the risk reduction achieved when a control system is modified with the intent to improve cyber security defense against external attackers. The proposed methodology employs a directed graph called a compromise graph, where the nodes represent stages of a potential attack and the edges represent the expected time-to-compromise for differing attacker skill levels. Time-to-compromise is modeled as a function of known vulnerabilities and attacker skill level. The methodology was used to calculate risk reduction estimates for a specific SCADA system and for a specific set of control system security remedial actions. Despite an 86% reduction in the total number of vulnerabilities, the estimated time-to-compromise was increased only by about 3 to 30% depending on target and attacker skill level.
Citation:
Miles A. McQueen, Wayne F. Boyer, Mark A. Flynn, George A. Beitel, "Quantitative Cyber Risk Reduction Estimation Methodology for a Small SCADA Control System," hicss, vol. 9, pp.226, Proceedings of the 39th Annual Hawaii International Conference on System Sciences (HICSS'06) Track 9, 2006