SCENARIO-BASED APPROACH TO RISK ANALYSIS IN SUPPORT OF CYBER SECURITY

摘要

The US infrastructure is continually challenged by hostile nation states and others who would do us harm. Cyber vulnerabilities and weaknesses are potential targets and are the result of years of construction and technological improvement in a world less concerned with security than is currently the case. As a result, cyber attack presents a class of challenges for which we are just beginning to prepare. What has been done in the nuclear, chemical and energy sectors as a means of anticipating and preparing for randomly occurring accidents and off-normal events is to develop scenarios as a means by which to prioritize and quantify risk and to take action. However, the number of scenarios risk analysts can develop is almost limitless. How do we ascertain which scenario has the greatest merit? One of the more important contributions of probabilistic risk analysis (PRA) has been to quantify the initiating event probability associated with various classes of accidents; and to quantify the occurrence of various conditions, i.e., end-states, as a function of these important accident sequences. Typically, various classes of conditions are represented by scenarios and are quantified in terms of cut sets and binned into end states. For example, the nuclear industry has a well-defined set of initiating events that are studied in assessing risk. The maturation of risk analysis for cyber security from accounting for barriers or looking at conditions statically to one of ascertaining the probability associated with certain events is, in part, dependent upon the adoption of a scenario-based approach. For example, scenarios take into account threats to personnel and public safety; economic damage, and compromises to major operational and safety functions. Scenarios reflect system, equipment, and component configurations as well as key human-system interactions related to event detection, diagnosis, mitigation and restoration of systems. As part of a cyber attack directed toward control systems, perpetrators will attempt to control and defeat automation systems, engineering access, control systems and protective systems implemented in today's critical infrastructures. Major systems such as supervisory control and data acquisition (SCADA) systems are likely targets for attack. Not all attack scenarios have the same expected frequency or consequence. The attacks will be directed and structured and thus, are not be characterized as random events when one considers failure probabilities. Attack types differ in their consequence as a function of the probability associated with various sub events in the presence of specific system configurations. Ideally, a series of generic scenarios can be identified for each of the major critical infrastructure (CI) sectors. A scenario-based approach to risk assessment allows decision makers to place financial and personnel resources in-place for attacks that truly matter: e.g. attacks that generate physical and economic damage. The use of scenario-based analysis allows risk reduction goals to be informed by more than consequence analysis alone. The key CI targets used in the present study were identified previously as part of a mid-level consequence analysis performed at INL by the Control System Security Program (CSSP) for the National Cyber Security Division (NCSD) of the Department of Homeland Security (DHS). This paper discusses the process for and results associated with the development of scenario-based cyber attacks upon control systems including the information and personnel requirements for scenario development. Challenges to scenario development including completeness and uncertainty characterization are discussed as well. Further, the scenario discussed herein, is one of a number of scenarios for infrastructures currently under review.