It can be difficult to estimate the probability of some threat events, as the attack could be accomplished in many ways. Fortunately, the quantitative technique of decomposition suggests one approach to this problem. What is this technique called?
---> Risk Management, in general, is a process aiming at an efficient balance between realizing opportunities for gains while minimizing vulnerabilities and losses.
---> Risk Management should be an endlessly recurring process consisting of phases which, when properly implemented, enable continuous improvement in decision-making and performance improvement.
A review of cyber security risk assessment methods for SCADA systems:
---> Over the last several decades we have already seen a range of cyber attacks on CNI and SCADA.
---> In 1982, the first recorded cyber attack on CNI took place at the Trans-Siberian pipeline and resulted in an explosion visible from space (Miller and Rowe, 2012).
---> Over the last decade there have been a number of cyber attacks on SCADA systems and ICS.
---> This paper reviews the state of the art in cyber security risk assessment of Supervisory Control and Data Acquisition (SCADA) systems.
---> Based on the analysis, we suggest an intuitive scheme for the categorisation of cyber security risk assessment methods for SCADA systems. We also outline five research challenges facing the domain and point out the approaches that might be taken.
---> A Supervisory Control and Data Acquisition (SCADA) system is a type of Industrial Control System (ICS).
---> An ICS controls processes in the industrial sector and in the sectors which form a Critical National Infrastructure (CNI) (NIST, 2011).
Quantitative cyber risk reduction estimation methodology, 2006:
------------------------------------------------------------------------------------
---> McQueen et al. (2006) suggest a methodology for the quantitative estimation of cyber risk reduction for a SCADA system in which an enhancement of cyber security has been performed.
---> For risk reduction estimation a directed graph of a cyber attack is developed for both a baseline and improved systems, and the difference in time-to-compromise in each system is measured and analysed.
The methodology consists of ten steps:
1. Establish system configuration;
2. Identify the applicable portions of the quantitative risk model;
3. Identify and prioritise the security requirements of the primary target(s);
4. Identify system vulnerabilities;
5. Categorise vulnerabilities on each device by the type of compromise;
6. Estimate time-to-compromise for each device;
7. Generate compromise graph(s) and attack paths;
8. Estimate dominant attack path(s);
9. Perform steps 3–8 for both baseline and enhanced system; and
10. Compare results of both versions of the system and estimate risk reduction.
---> McQueen et al. (2006) introduce a formula for calculating the probability of an occurrence of an undesired event. This probability is the product of the following conditional probabilities:
---> the probability of the system being on an attacker's target list, the probability of being attacked given that the system is targeted, the probability of a perimeter breach given that the system is attacked, the probability of a successful attack given that there is a perimeter breach and the probability of damage given the system is successfully attacked.
---> Since the estimation of all probabilities involved is not feasible, risk reduction is measured as the change of the probabilities of perimeter breach and successful attack rather than an absolute value of risk.
---> Security requirements for SCADA are identified so that integrity and availability have the highest priority, while confidentiality is secondary.
---> The vulnerabilities of a system are identified using existing vulnerability identification libraries. Each vulnerability is classified as reconnaissance, breach, penetrate, escalation or damage.
---> The time-to-compromise of a device is calculated. It depends on the known vulnerabilities of the target system and the skills of an attacker.
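
Steps 6 to 10 of the methodology above, as an added example that is not part of the original answer or of McQueen et al.'s work: a compromise graph for a baseline and an enhanced system, the dominant attack path in each, and the resulting change in time-to-compromise. The device names, the day values, and the reading of "dominant attack path" as the route with the smallest total time-to-compromise are assumptions made for illustration.

```python
import heapq

INF = float("inf")

def dominant_path(graph, start, target):
    """Least total time-to-compromise route; returns (days, path)."""
    best, prev, queue = {start: 0.0}, {}, [(0.0, start)]
    while queue:
        days, node = heapq.heappop(queue)
        if node == target:
            path = [node]
            while node in prev:          # walk predecessors back to start
                node = prev[node]
                path.append(node)
            return days, path[::-1]
        if days > best.get(node, INF):   # stale queue entry
            continue
        for nxt, ttc in graph.get(node, {}).items():
            if days + ttc < best.get(nxt, INF):
                best[nxt], prev[nxt] = days + ttc, node
                heapq.heappush(queue, (days + ttc, nxt))
    return INF, []                       # target not reachable

def risk_reduction(baseline, enhanced, start, target):
    """Step 10: compare dominant paths of both system versions."""
    t_base, p_base = dominant_path(baseline, start, target)
    t_enh, p_enh = dominant_path(enhanced, start, target)
    gain = (t_enh - t_base) / t_base if 0 < t_base < INF else None
    return {"baseline": (t_base, p_base), "enhanced": (t_enh, p_enh),
            "relative_gain": gain}

# Constructed compromise graphs: edge weight = estimated time-to-compromise
# in days for moving from one compromised device to the next (assumed values).
BASELINE = {
    "internet": {"corporate_pc": 2.0, "vpn_gateway": 6.0},
    "corporate_pc": {"historian": 3.0},
    "vpn_gateway": {"hmi": 1.0},
    "historian": {"hmi": 1.5},
    "hmi": {"plc": 0.5},
}
# Enhanced system: only the corporate PC was hardened (2.0 -> 5.0 days).
ENHANCED = {**BASELINE, "internet": {"corporate_pc": 5.0, "vpn_gateway": 6.0}}

if __name__ == "__main__":
    for key, value in risk_reduction(BASELINE, ENHANCED, "internet", "plc").items():
        print(key, value)
```

In this constructed case, adding 3 days to one device raises the dominant path by only 0.5 days, because the route through the VPN gateway becomes dominant; the comparison in step 10 has to be made on whole paths, not on individual devices.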