      Is Open Access

      Measuring the Risk of Cyber Attack in Industrial Control Systems

      4th International Symposium for ICS & SCADA Cyber Security Research 2016 (ICS-CSR)
      Cyber Security Research
      23 - 25 August 2016
      ICS, SCADA, Risk, HILF, Cyber, Security, Process Control, Deep Uncertainty


            Cyber attacks on industrial control systems (ICS) that underpin critical national infrastructure can be characterised as high-impact, low-frequency events. To date, the volume of attacks versus the overall global footprint of ICS is low, and as a result there is an insufficient dataset to adequately assess the risk to an ICS operator, yet the impacts are potentially catastrophic. This paper identifies key elements of existing decision science that can be used to inform and improve the cyber security of ICS against antagonistic threats and highlights the areas where further development is required to derive realistic risk assessments, as well as detailing how data from established safety processes may inform the decision-making process. The paper concludes by making recommendations as to how a validated dataset could be constructed to support investment in ICS cyber security.


            Author and article information

            URI : www.dmu.ac.uk
            August 2016
            Pages: 103-113
            Cyber Security Centre, De Montfort University, Leicester, LE1 9BH, UK
            © Cook et al. Published by BCS Learning & Development Ltd. Proceedings of the 4th International Symposium for ICS & SCADA Cyber Security Research 2016

            This work is licensed under a Creative Commons Attribution 4.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/

            4th International Symposium for ICS & SCADA Cyber Security Research 2016
            Queen’s Belfast University, UK
            23 - 25 August 2016
            Electronic Workshops in Computing (eWiC)

            1477-9358 BCS Learning & Development

            Self URI (article page): https://www.scienceopen.com/hosted-document?doi=10.14236/ewic/ICS2016.12
            Self URI (journal page): https://ewic.bcs.org/

            Applied computer science,Computer science,Security & Cryptology,Graphics & Multimedia design,General computer science,Human-computer-interaction



