Risk Analysis and Probabilistic Survivability Assessment (RAPSA): An ...
Portions of this work were funded by grant #60NANB1D0116 from the National Institute of Standards and Technology,
U.S. Dept. of Commerce.
Abstract
In this paper we present a new cyber security assessment
approach that merges Survivability System Analysis
(SSA) with Probabilistic Risk Assessment (PRA). The
method adds quantitative information to the process-
oriented SSA method, which assists with decision making
among security options. Our technique is currently being
developed for power industry cyber security assessment
and hardening. A substation example is presented, with
hypothetical risks and costs from several attack scenarios.
Our technique features self-assessment, risk estimates
based on actual data and quantifiable inputs for decision
analysis. This assessment method is particularly well
suited to hardening critical infrastructure systems against
cyber attack and terrorism.
Keywords: Computer Security, Risk Assessment,
Cyber Terrorism, Infrastructure Protection
1. Introduction
The lack of computer security is a widespread problem
that crosses all geographic, political and societal
boundaries. Malicious computer activity flourishes in
spite of enormous amounts of time and resources applied
to the problem. The popular FBI/CSI crime survey shows
an unabated increase in incidents originating from the
Internet, with total losses of over $450 million [22]. While
these statistics show an alarming trend in the number of
external incidents and financial losses due to cyber crime,
they say little about our susceptibility to cyber terrorism,
an issue of increasing concern. Pollitt [21] claims that
cyber terrorism combines two commonly held fears: that
of random, violent victimization and a distrust of
computer technology. According to Denning [7], cyber
terrorism differs from most other types of computer
attacks in that it is motivated by political, religious or
ideological reasons and its intended purpose is to
influence or coerce governments towards specific actions.
Others have commented on the equalizing effect of cyber
terrorist attacks whereby groups with limited resources
can reap disproportionate gains against more powerful
adversaries [28]. The typical terrorist strategy of
attacking a few individuals and relying on public fear to
pressure the government into action [8] is well suited to
attacks against the cyber world. It would take relatively
few resources to attack a specific target, e.g. a large
network or infrastructure system, and cause widespread
fear from a major or prolonged service disruption [8].
In assessing the US's vulnerability to cyber terrorism we
need to ask two questions:
Are there infrastructure targets vulnerable to
terrorist attacks?
Are there groups with both skills and motivation
to perform acts of cyber terrorism? [7]
Several authors are convinced that our
infrastructure systems are vulnerable to cyber terrorist
attack [7,23,28]. Answering the second question is more
difficult. To date there has been no catastrophic cyber
terrorist incident; terrorists have instead opted for
physical means of achieving their goals, such as
exploding car bombs and hijacking planes [7]. Yet, many
feel it is only a matter of time before terrorists cause a
major infrastructure failure leading to potential death and
economic disruption. The belief is that future terrorists
will grow up in a computer-based world with easy access
to sophisticated attack tools capable of inflicting damage
at relatively little risk to themselves [7,23].
Examining the threat of cyber terrorism to the electric
power industry raises several issues. Both physical and
cyber security threats have concerned the power industry
for a number of years. The electric power infrastructure
is one of the eight critical infrastructures identified by
President Clinton's Commission on Critical Infrastructure
Protection [20]. Electrical energy and communications
were identified as the components of the infrastructure
most critical to the maintenance of American commerce
and society [20].
Recent changes in the electric power industry have
decreased the reliability of the North American power
grid and increased its vulnerability to disruption from
cyber attack. The major overriding change is the ongoing
restructuring resulting from the deregulation begun in
the early 1990s. This has led to industry consolidation
and downsizing, producing instability in the workforce and
a potential pool of disgruntled employees
[20]. Security directors estimated that 75% to 80% of the
security incidents are caused by persons within the
organization [10]. Re-organization has also led to the
introduction of new information systems for electronic
data exchange. This has resulted in greater
connectivity between previously separate entities,
spreading the vulnerabilities that come with sharing
potentially sensitive data over a network. The growing
use of automated electronic devices in substation
operation increases the risk from both insider and outsider
intruders. Supervisory Control and Data Acquisition
(SCADA) systems are widely used to control critical power
generation and transmission equipment [19]. SCADA
systems offer an attractive target because of their
disruptive potential: an intruder could modify the data
used for operation or control of power equipment. The
vulnerability of SCADA systems increases when they are
connected to corporate networks with external access.
Other electronic devices increasingly used in
substation control include Intelligent Electronic Devices
(IEDs), Programmable Logic Controllers (PLCs) and
substation controllers. Additional factors that contribute
to the growing intruder threat include the wide availability
of hacker tools, the lack of security awareness and the
increase in terrorist incidents targeting Americans [18,19].
In this paper we present an approach for the assurance
assessment of power substations that will assist substation
hardening against cyber attacks including terrorist attacks.
Our approach, Risk Analysis and Probabilistic
Survivability Assessment (RAPSA), combines
Survivability System Analysis (SSA) from computer
survivability with Probabilistic Risk Assessment (PRA)
from dependability [27]. The goal is to incorporate the
best characteristics of both methods into a single process
developed for power industry substation assessment.
While the current target is the power industry, this method
is being developed as a general process that could be
applied to other industries. The RAPSA process has
several notable characteristics that distinguish it from
other security assessment methods:
- Strong self-assessment tool to minimize reliance on security experts
- Risk estimates based on actual data
- Quantifiable outputs for cost/benefit cyber security analysis
This preliminary work overviews the RAPSA process
and discusses its applicability to the general problem of
hardening heterogeneous networks against cyber
intrusions. An example is presented of applying RAPSA
to a power substation. Future work will discuss the
formal representation of a model for the merged
survivability/risk process.
The paper covers survivability assessment for electric
power substation hardening. Section 2 describes how
survivability and PRA are merged into the RAPSA
process. Section 3 applies the process to the assessment
of a power substation. Alternative approaches are
discussed in Section 4 and our conclusions are outlined in
Section 5.
2. Survivability + PRA = RAPSA
As presented in the previous section, threats from
cyber attacks to infrastructure computer systems are an
increasing concern as the complexity of these systems
grows and our reliance on them becomes critical for
national health and safety [20]. The sheer size and
geographic distribution of these systems prohibits
hardening all system components against cyber attack. A
survivability analysis will enable the partitioning of a
system into components critical to the mission objectives
and those components of lesser importance. Risk analysis
quantifies the cyber threats and, building on the
mitigation strategies identified in the survivability
analysis, supports choosing among the strategies for
dealing with those threats. This section discusses the
merging of attributes from Survivability System Analysis
and Probabilistic Risk Assessment. First, we separately
review SSA and PRA and then describe our technique for
merging these two processes.
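As an added illustration (not the authors' RAPSA model, whose formal representation the paper defers to future work), the following Python shows the kind of quantitative step a PRA-style risk analysis contributes on top of the survivability partition: each attack scenario against a substation component carries an estimated annual probability and loss, a set of mission-critical components marks the survivability partition, and candidate mitigations are ranked by expected loss avoided net of their annual cost. All component names, scenario names, probabilities, losses and mitigation costs are hypothetical values constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One attack scenario against a substation component (constructed data)."""
    name: str
    component: str      # component the scenario compromises
    p_per_year: float   # estimated annual probability of a successful attack
    loss: float         # estimated loss in dollars if the attack succeeds


@dataclass(frozen=True)
class Mitigation:
    """A candidate hardening option with its annual cost and effect."""
    name: str
    annual_cost: float
    residual: dict      # scenario name -> fraction of p_per_year that remains


# Survivability step: components judged essential to the substation's mission.
# Hypothetical partition; a real SSA would derive this from the mission analysis.
ESSENTIAL_COMPONENTS = {"RTU", "substation_controller"}

# Constructed scenarios with hypothetical probabilities and losses.
SCENARIOS = [
    Scenario("dialup_modem_rtu", "RTU", 0.05, 2_000_000),
    Scenario("corp_net_pivot_controller", "substation_controller", 0.02, 5_000_000),
    Scenario("insider_misconfig_ied", "IED", 0.10, 200_000),
    Scenario("hmi_workstation_malware", "HMI", 0.20, 50_000),
]

# Constructed mitigations; 'residual' is the fraction of attack probability
# that remains after the mitigation is applied to the named scenarios.
MITIGATIONS = [
    Mitigation("remove_dialup_modem", 5_000, {"dialup_modem_rtu": 0.1}),
    Mitigation("segment_corp_network", 40_000,
               {"corp_net_pivot_controller": 0.25, "hmi_workstation_malware": 0.5}),
    Mitigation("ied_change_control", 30_000, {"insider_misconfig_ied": 0.2}),
]


def expected_loss(scenarios, mitigation=None):
    """Sum of p * loss over scenarios, optionally with one mitigation applied."""
    total = 0.0
    for s in scenarios:
        factor = 1.0 if mitigation is None else mitigation.residual.get(s.name, 1.0)
        total += s.p_per_year * factor * s.loss
    return total


def essential_scenarios(scenarios):
    """Scenarios that threaten mission-critical components (the survivability partition)."""
    return [s for s in scenarios if s.component in ESSENTIAL_COMPONENTS]


def rank_mitigations(scenarios, mitigations):
    """Rank mitigations by net annual benefit: loss avoided minus mitigation cost."""
    baseline = expected_loss(scenarios)
    ranked = [(m.name, baseline - expected_loss(scenarios, m) - m.annual_cost)
              for m in mitigations]
    ranked.sort(key=lambda row: row[1], reverse=True)
    return ranked


if __name__ == "__main__":
    print(f"expected annual loss, all components: ${expected_loss(SCENARIOS):,.0f}")
    print(f"expected annual loss, essential only: "
          f"${expected_loss(essential_scenarios(SCENARIOS)):,.0f}")
    for name, net in rank_mitigations(SCENARIOS, MITIGATIONS):
        print(f"{name:25s} net benefit ${net:,.0f}")
```

With the constructed numbers, removing the dial-up modem on the RTU gives the largest net benefit, network segmentation comes second, and the IED change-control option costs more per year than the loss it avoids. That negative figure is the kind of decision input the survivability analysis alone does not provide, which is the point of adding the PRA step.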
2.1 Survivability System Analysis (SSA)
Survivability evolved out of the need to protect
systems connected to unbounded networks. The lack of
centralized control and the distributed nature of these
networks makes the task of hardening systems connected
to these networks nearly impossible [10]. Computer
system survivability emphasizes continued operation,
though in a degraded mode, in spit