Cyber security risk assessment for SCADA and DCS networks

ISA Transactions

Volumn 46, Issue 4, 2007, Pages 583-594

  Ralston, P A S ^a   Graham, J H ^a   Hieb, J L ^a  

^a University of Louisville   (United States)

Author keywords

Control systems; DCS; Risk analysis; SCADA; Vulnerability assessment

Indexed keywords

CONTROL SYSTEM ANALYSIS; DISTRIBUTED PARAMETER CONTROL SYSTEMS; NETWORK SECURITY; SCADA SYSTEMS;

CYBER SECURITY; GOVERNMENT GROUPS; RISK ASSESSMENT METHODS; VULNERABILITY ASSESSMENT;

RISK ASSESSMENT;

EID: 34548017452     PISSN: 00190578     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.isatra.2007.04.003     Document Type: Article

References (98)

1. Critical Foundations-Protecting America's Infrastructures. Report of the president's commission on critical infrastructure protection, http://www.fas.org/sgp/library/pccip.pdf; 1997 [accessed 4.8.2006]
2. Progress in Developing the National Asset Database. Office of the Inspector General, OIG-06-40. 2006
3. US-CERT (United States Computer Emergency Readiness Team) Control System Documents. US-CERT, http://www.us-cert.gov/control_systems/csdocuments.html; 2006 [accessed 2.5.2006]
4. Nash T. An undirected attack against critical infrastructure, a case study for improving your control system security. US-CERT, http://www.us-cert.gov/control_systems/pdf/undirected_attack0905.pdf; 2005 [accessed 2006]
5. Nelson T. Common control system vulnerability. US-CERT, http://www.us-cert.gov/control_systems/pdf/csvul1105.pdf; 2005 [accessed 2.2006]
6. National Infrastructure Protection Plan. DHS, http://www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf; 2006 [accessed 11.1.2006]
7. Carlson RE, Dagle JE, Shamsuddin SA, Evans RP. National SCADA testbed. A summary of control system security standards activities in the energy sector. National Laboratories, https://www.pcsforum.org/news/NSTB%20Security%20Standards%20Report.pdf; 2005 [accessed 2006]
8. Evans RP, Hill RC, Rodriquez JG. A comparison of cross-sector cyber security standards. Idaho national laboratories, INL/EXT-05-00656, http://www.inl.gov/scada/publications/d/a_comparison_of_cross-sector_cyber_security_standards.pdf; 2005 [accessed 4.23.2006]
9. Kilman D, Stamp J. Framework for SCADA security policy. Sandia national laboratories, SAND 2005-1002C, http://www.sandia.gov/scada/documents/sand_2005_1002C.pdf; 2005 [accessed 11.1.2006]
10. Singer B, Weiss J. Control systems cyber security. Control Engineering, http://www.manufacturing.net/ctl/index.asp?layout=articlePrint%26articleID=CA501039; 2005 [accessed 2.4.2006]
11. ANSI/ISA-TR99.00.01-2004. Security Technologies for Manufacturing and Control Systems. Instrument society of America, http://www.isa.org/Template.cfm?Section=Find_Standards%26template=/Ecommerce/ProductDisplay.cfm%26ProductID=7372; 2004 [accessed 4.21.2006]
12. Instrument Society of America, ANSI/ISA-TR99.00.02-2004. Integrating electronic security into the manufacturing and control systems environment. Instrument Society of America, http://www.isa.org/Template.cfm?Section=Standards2%26template=/Ecommerce/ProductDisplay.cfm%26ProductID=7380; 2004 [accessed 4.11.2006]
13. Cryptographic Protection of SCADA Communications, Part 1: Background, Policies, and Test Plan. AGA 12 Part 1. American Gas Association, http://www.aga.org/Template.cfm?Section=Operations_and_Engineering%26template=/ContentManagement/ContentDisplay.cfm%26ContentID=19329; 2006 [accessed 4.7.2006]
14. Cyber Security Standards, CIP -002-1-CIP-009-1. North American electric reliability council, http://www.nerc.com/~filez/standards/Cyber-Security-Permanent.html; 2006 [accessed 10.3.2006]
15. Falco J, Stouffer K, Wavering A, Proctor F. IT Security for Industrial Control Systems. Intelligent Systems Division, National Institute of Standards and Technology (NIST) Gaithersburg, MD, in coordination with the Process Control Security Requirements Forum(PCSRF), http://www.isd.mel.nist.gov/documents/falco/ITSecurityProcess.pdf; 2006 [accessed 10.23.2006]
16. Stouffer, Keith, Joe F., and Fred P. The NIST Process Control Security Requirements Forum (PCSRF) and the future of industrial control system security (2004 TAPPI paper summit-spring technical and international environmental conference) (2004), TAPPI Press, Atlanta (GA 30348-5113, United States)
17. Melton R, Fletcher T, Earley M. System protection profile-industrial control systems (SPP-ICS) Version 1.0. NIST process control security requirements forum (PCSRF), http://www.isd.mel.nist.gov/projects/processcontrol/SPP-ICSv1.0.pdf; 2004 [accessed 10.23.2006]
18. Stouffer K, Falco J, Kent K. NIST Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems Security. NIST Process Control Security Requirements Forum (PCSRF), http://csrc.nist.gov/publications/drafts/800-82/Draft-SP800-82.pdf; 2006
19. Trellue R. I3P Scada Security Research Plan Summary. I3P, 5-20-2005. http://www.thei3p.org/research/scada/scadasecresearchplan606.pdf; [accessed 2006]
20. Kertzner P, Bodeau D, Nitschke R, Watters J, Young M, Stoddard M. Process control system security technical risk assessment: Analysis of problem domain. I3P, Research report No.3, www.thei3p.org; 2006 [accessed 2006]
21. Stoddard M, Bodeau D, Carlson R, Glantz C, Haimes Y, Lian C, et al. Process control system security metrics-state of practice. I3P Research report No. 1, www.thei3p.org; 2005 [accessed 2.11.2006]
22. Hildick-Smith A. Security for Critical Infrastructure SCADA Systems. SANS Institute White Paper, http://www.sans.org/reading_room/whitepapers/warfare/1644.php; 2005 [accessed 11.19.2006]
23. Byres E., and Lowe J. The Myths and facts behind cyber security risks for industrial control systems (2004), VDE Kongress, Berlin (Germany)
24. Brown T. Security in SCADA systems: How to handle the growing menace to process automation. Computing and Control Engineering 16 3 (2005) 42-47
25. Supervisory Control and Data Acquisition (SCADA) Systems. National Communications System, Technical bulletin 04-1, http://www.ncs.gov/library/tech_bulletins/2004/tib_04-1.pdf; 2006 [accessed 3.15.2007]
26. Making the nation safer: The role of science and technology in countering terrorism (2002), National Research Council
27. Fernandez J.D., and Fernandez A.E. SCADA systems: Vulnerabilities and remediation. Journal of Computing Sciences in Colleges 20 4 (2005) 160-168
28. Igure V.M., Laughter S.A., and Williams R.D. Security issues in SCADA networks. Computers & Security 25 7 (2006) 1-9
29. Kropp T. System threats and vulnerabilities [power system protection]. Power and Energy Magazine 4 2 (2006) 46-50
30. Smith C. Connection to public communications increases danger of cyber-attacks. Pipeline and Gas Journal 230 2 (2003) 20-24
31. Watts D. Security & vulnerability in electric power systems. In: 35th North American Power Symposium. 2003. p. 559-66
32. Oman P, Schweitzer E, Roberts J. Safeguarding IEDs, substations, and SCADA systems against electronic intrusions. In: Proceedings of the 2001 western power delivery automation conference. 2001. p. 9-12
33. 21 Steps to Improve Cyber Security of SCADA Networks. President's critical infrastructure protection board and department of energy report, http://www.ea.doe.gov/pdfs/21stepsbooklet.pdf; 2002 [accessed 2.15.2006]
34. Good Practice Guide for Process Control and SCADA Security. National infrastructure security coordination centre (NISCC) and PA consulting group, http://www.niscc.gov.uk/niscc/docs/re-20051025-00940.pdf?lang=en; 2005 [accessed 3.21.2006]
35. Guidance for Addressing Cyber security in the Chemical Sector. Chemical industry data exchange (CIDX) report. Version 2.1, http://www.chemicalcybersecurity.com/cybersecurity_tools/CyberSecurityGuidanceMaster2_1.pdf; 2005 [accessed 4.18.2006]
36. Information Security Risk Assessment Practices of Leading Organizations, A Supplement to GAO's May 1998 Executive Guide on Information Security Management. United states general accounting office (GAO) report GAO/AIMD-00-33, http://www.gao.gov/special.pubs/ai00033.pdf; 1999 [accessed 4.1.2006]
37. Novak R. Merging SCADA and business processes. Plant Engineering 59 5 (2005) 35-36
38. Securing your SCADA and Industrial Control Systems. Version 1. Technical support working group guide, http://www.tswg.gov/tswg/ip/SCADA_GB_Short.pdf; 2005 [accessed 5.10.2006]
39. Dacey RF. Critical infrastructure protection, challenges and efforts to secure control systems. United States general accounting office, GAO-04-354, http://www.gao.gov/new.items/d04354.pdf; 2004 [accessed 2.10.2006]
40. Asenjo J. Cybersecurity for legacy SCADA systems. Utility Automation and Engineering T&D 10 6 (2005) 48-52
41. Battling the cyber menace. PEI Power Engineering International 13 6 (2005) 123-125
42. Blume R. Mitigating Security Risks in SCADA/DCS System Environments. DYONYX, http://www.dyonyx.com/documents/SCADA_security.pdf; 2006 [accessed 2.4.2006]
43. SAAD AY. Securing supervisory control and data acquisition systems: Plant utilities: A special report. Hydrocarbon processing (International Ed.) 2002; 81(7); 55-6
44. Miller A. Trends in process control systems security. Security & Privacy Magazine, IEEE 3 5 (2005) 57-60
45. Byres E., and Lowe J. Insidious threat to control systems. InTech 52 1 (2005) 28-31
46. Alper A. SCADA Security-Closing a Pandora's Box. Managing automation, http://www.managingautomation.com/maonline/channel/exclusive/read/5111813; 2005 [accessed 3.8.2006]
47. Byres E., and Franz M. Uncovering cyber flaws. InTech 53 1 (2006) 20-25
48. Strickles RP, Ozog H, Mohindra S. Security Vulnerability Assessment (SVA) Revealed. ioMosiac Corporation White Paper, http://archives1.iomosaic.com/whitepapers/SVA.pdf; 2003 [accessed 2.5.2006]
49. Peterson D. Intrusion detection and cyber security monitoring of SCADA and DCS Networks (2004), ISA Automation West, ISA
50. Creery A, Byres EJ. Industrial Cybersecurity for Power System and SCADA Networks. In: Industry applications society 52nd annual petroleum and chemical industry conference. 2005. p. 303-9
51. Geer D. Security of critical control systems sparks concern. Computer 39 1 (2006) 20-23
52. Carlson C. DHS to state its case to business. Eweek 42 (2005) 20
53. Honeywell reshapes industrial control world. Manufacturing Computer Solutions (2005) 37
54. Pollett J. patriotSCADA Distributed Firewall for SCADA and Industrial Networks. Plantdata technologies whitepaper, http://www.controlglobal.com/whitepapers/wp_001_SCADApollet.pdf; 2006 [accessed 4.5.2006]
55. Assante M, Pelgrin W, Wells R. Cyber security procurement language for control systems, Draft Version 1.4. Idaho National Laboratory National & Homeland Security Division, http://www.msisac.org/scada/documents/1-aug-06-scada-procurement-draft-1.4.pdf; 2006 [accessed 10.22.2006]
56. Miller D., and Byres E. Risk assessment: The first step. InTech 52 3 (2005) 68
57. RiskWorld list of software for risk assessment and management. Risk World, http://www.riskworld.com/SOFTWARE/SW5SW001.HTM; 2006 [accessed 4.10.2006]
58. How to do a Complete Automated Risk Assessment: A Methodology Review. Riskwatch White Paper, http://www.riskwatch.com/news/whitepapers/How_To_Do_A_Complete_Automated_Risk_Assessment_10-02RW.pdf; 2002 [accessed 4.1.2006]
59. Alberts C, Dorofee A, Stevens J, Woody C. Introduction to the OCTAVE Approach. CERT Coordination Center, http://www.cert.org/octave/approach_intro.pdf; 2003 [accessed 4.9.2006]
60. Aagedal J, den Braber F, Dimitrakos T, Gran BA, Raptis D, Stolen K. Model-based risk assessment to improve enterprise security. In: Proceedings of the sixth international distributed object computing conference. 2002
61. Auerswald P.E., Branscomb L.M., La Porte T.M., and Michel-Kerjan E.O. Seeds of disaster, roots of response (2006), Cambridge University Press, New York
62. Campbell P, Stamp J. A classification scheme for risk assessment methods. Sandia National Laboratory, SAND2004-4233. 2004
63. Farahmand F., Navathe S.B., Enslow P.H., and Sharp G.P. Managing vulnerabilities of information systems to security incidents. Proceedings of the 5th international conference on electronic commerce (2003), ACM Press
64. Rinaldi Steven M. Modeling and simulating critical infrastructures and their interdependencies. In: Proceedings of the Hawaii international conference on system sciences. Piscataway (Piscataway, NJ): Institute of Electrical and Electronics Engineers Computer Society; 2004
65. Haimes Y.Y. Hierarchical holographic modeling. IEEE Transactions on Systems, Man, and Cybernetics 11 9 (1981) 606-617
66. Haimes Y.Y. Risk modeling, assessment, and management. 1st ed. (1998), John Wiley and Sons, New York
67. Chittester C.G., and Haimes Y.Y. Risks of terrorism to information technology and to critical interdependent infrastructures. Journal of Homeland Security and Emergency Management 1 4 (2004)
68. Ezell BC. Thesis/dissertation. University of Virginia: Systems Engineering Department; 1998
69. Haimes Y.Y., Kaplan S., and Lambert J.H. Risk filtering, ranking, and management framework using hierarchical holographic modeling. Risk Analysis 22 2 (2002) 381-395
70. Haimes Y.Y., and Chittester C.G. A roadmap for quantifying the efficacy of risk management of information security and interdependent scada systems. Journal of Homeland Security and Emergency Management 2 2 (2005) Article 12
71. Crowther K.G., and Haimes Y.Y. Application of the inoperability input-output model (IIM) for systemic risk assessment and management of interdependent infrastructures. Systems Engineering 8 4 (2005) 323-341
72. Crowther KG, Dicdican RY, Leung MF, Lian C, Haimes YY, Lambert JH, et al. Assessing and Managing Risk of Terrorism to Virginia's Interdependent Transportation Systems. Virginia Transportation Research Council, VTRC 05-CR6, http://virginiadot.org/vtrc/main/online_reports/pdf/05-cr6.pdf; 2004 [accessed 3.15.2006]
73. Nozick L.K., Turnquist M.A., Jones D.A., Davis J.R., and Lawton C.R. Assessing the performance of interdependent infrastructures and optimizing investments. Proceedings of the hawaii international conference on system sciences (2004), Institute of Electrical and Electronics Engineers Computer Society, Piscataway (NJ 08855-1331, United States) Big Island, HI., United States
74. Nozick L.K., Turnquist M.A., Jones D.A., and Davis J.R. Assessing the performance of interdependent infrastructures and optimizing investments. International Journal of Critical Infrastructures 1 2 (2005) 144-154
75. Kumamoto H., and Henley E.J. Probabilistic risk assessment and management for engineers and scientists. 2nd ed. (1996), IEEE Press, New York
76. Kaplan S., and Garrick B J. On the quantitative definition of risk. Risk Analysis 1 1 (1981) 11-37
77. Stamatelalos M. Probabilistic risk assessment procedure guide for NASA managers and practitioners. NASA office of safety and mission assurance, http://www.hq.nasa.gov/office/codeq/doctree/praguide.pdf; 2002 [accessed 4.18.2006]
78. Vesely W, Stamatelalos M, Dugan J, Fragola J, Minarick J. Fault tree handbook with aerospace applications. Report by NASA Office of Safety and Mission Assurance, http://www.hq.nasa.gov/office/codeq/doctree/fthb.pdf; 2002 [accessed 2006]
79. Vesely W. Fault Tree Analysis (FTA): Concepts and Applications. http://www.hq.nasa.gov/office/codeq/risk/ftacourse.pdf; 1998 [accessed 2006]
80. Walker RW. Assessment of technical risks. In: Proceedings of the 2000 IEEE international conference on management of innovation and technology. 2000
81. Yacoub S.M., and Ammar H.H. A methodology for architecture-level reliability risk analysis. IEEE Transactions on Software Engineering 28 6 (2002) 529-547
82. Yacoub Sherif M, Ammar Hany H, Robinson Tom. Methodology for architectural-level risk assessment using dynamic metrics. In: Proceedings of the international symposium on software reliability engineering, ISSRE. Los Alamitos (San Jose, CA, USA): Institute of Electrical and Electronics Engineers Computer Society; 2000
83. Wyss G.D., Duran F.A., and Dandini V.J. An object-oriented approach to risk and reliability analysis: Methodology and aviation safety applications. Simulation 80 1 (2004) 33-43
84. Madan B.B., Goseva-Popstojanova K., Vaidyanathan K., and Trivedi K.S. Modeling and quantification of security attributes of software systems. Proceedings of the 2002 international conference on dependable systems and networks (2002), IEEE Computer Society, Washington (DC, United States)
85. Taylor C, Krings A, Alves-Foss J. Risk analysis and probabilistic survivability assessment (RAPSA): An assessment approach for power substation hardening. In: Proc. ACM workshop on scientific aspects of cyber terrorism. 2002. p. 1-9
86. de Ru W.G., and Eloff J.H.P. Risk analysis modeling with the use of fuzzy logic. Computers & Security 15 3 (1996) 239-248
87. Wat F.K.T., and Ngai E.W.T. Risk analysis in electronic commerce development using fuzzy set. Annual conference of the north american fuzzy information processing society (2001), Institute of Electrical and Electronics Engineers Inc., Vancouver (BC, Canada)
88. Choi H.H., Cho H.N., and Seo J.W. Risk assessment methodology for underground construction projects. Journal of Construction Engineering and Management 130 2 (2004) 258-272
89. Pillay A., and Wang J. Risk assessment of fishing vessels using fuzzy set approach. International Journal of Reliability, Quality and Safety Engineering 9 2 (2002) 163-181
90. Schneier B. Attack Trees. Dr. Dobb's Journal 24 12 (1999) 21-29
91. Moore A, Ellison R, Linger R. Attack modeling for information security and survivability. Technical note, CMU/SEI-2001-TN-001, 3-15-2001. Software Engineering Institute, Carnegie Mellon University
92. Byres E.J., Franz M., and Miller D. The use of attack trees in assessing vulnerabilities in SCADA systems. International infrastructure survivability workshop (2004), IEEE, Lisbon (Portugal)
93. Vidalis S, Jones A. Using vulnerability trees for decision making in threat assessment. University of Glamorgan, School of Computing Technical report CS-03-2, http://www.glam.ac.uk/socschool/research/publications/technical/CS-03-2.pdf; 2003 [accessed 2006]
94. Tolbert GD. Residual risk reduction. Professional Safety. 2005. p. 25-33
95. McQueen MA, Boyer WF, Flynn MA, Beitel GA. quantitative cyber risk reduction estimation methodology for a Small SCADA control system. In: Proceedings of the 39th annual hawaii international conference on system sciences. 2006
96. Graham J, Patel S, Ralston P. Security enhancement for scada communication protocols using augmented vulnerability trees. In: 19th international conference on computer applications in industry and engineering. 2006
97. Cohen F. Simulating cyber attacks, defenses, and consequences. Computers & Security 18 6 (1999) 479-518
98. Rakaczky E. Building a Security Business Case. Invensys, https://www.pcsforum.org/events/2005/fall/pdf/Building%20a%20Security%20Business%20Case2a.pdf; 2005