Byres Calculates Mean Time-to-Compromise at S4
Eric Byres, formerly with BCIT and now with ByresSecurity, Inc., is a well-known and highly requested speaker at SCADA security events because of his talent for explaining technical issues in an interesting way that can be understood by all regardless of technical skill. Well, at S4 you will see the technical side of Eric as he presents, along with his co-author David Leversage from BCIT, the most math-intensive paper at the event.
The paper builds on the work by Miles McQueen and his co-authors from INL (interesting that Miles will be in the audience) in calculating the Mean Time-to-Compromise (MTTC). The MTTC is calculated from formulas for three statistical processes, as described in the paper:
- the attacker has identified one or more known vulnerabilities AND has one or more exploits on hand
- the attacker has identified one or more known vulnerabilities; however, he does not have an exploit on hand
- the attacker has no known vulnerabilities or exploits
The math is much too complex for a blog entry, but another interesting facet is how individual security controls are introduced into the equations.
The end result is a mathematical approach to determining the impact of possible security controls on MTTC. For example, how much longer will the MTTC be if you review the firewall ruleset monthly rather than annually? Or how much longer will the MTTC be if you use a stateful firewall in place of a router access control list (ACL)?
The MTTC data can be combined with cost of the control and the impact or consequence of the compromise to determine where security money and effort should be placed to reduce risk. The paper does not answer all these questions because there is work required in gathering data for certain coefficients in the formulas. It does provide a construct for determining the relative impact of controls based initially on expert estimates and later on observed data.
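To make the construct concrete, here is a small model I wrote for this post; it is not code from the Byres/Leversage paper or from McQueen's work, and the formulas and every number in it are my own illustrative stand-ins (the paper's actual equations and coefficients are not reproduced here). It treats MTTC as a probability-weighted mix of the three attacker processes listed above, lets a control change those inputs, and then ranks controls by annual risk reduction per dollar, which is the "cost of the control combined with consequence of compromise" step the post describes.

```python
from dataclasses import dataclass, replace
from typing import Callable, List, Tuple

DAYS_PER_YEAR = 365.0


@dataclass(frozen=True)
class Model:
    """Assumed expert estimates for one target (constructed values, not the paper's)."""
    p_known_with_exploit: float   # process 1: known vulnerability AND exploit on hand
    p_known_no_exploit: float     # process 2: known vulnerability, exploit must be built
    days_known_with_exploit: float  # expected days to compromise in process 1
    days_known_no_exploit: float    # expected days to compromise in process 2
    days_unknown: float             # process 3: no known vulnerability or exploit


def mttc(m: Model) -> float:
    """Illustrative MTTC: expectation over the three mutually exclusive processes."""
    p_unknown = 1.0 - m.p_known_with_exploit - m.p_known_no_exploit
    if not 0.0 <= p_unknown <= 1.0:
        raise ValueError("process probabilities must sum to at most 1")
    return (m.p_known_with_exploit * m.days_known_with_exploit
            + m.p_known_no_exploit * m.days_known_no_exploit
            + p_unknown * m.days_unknown)


@dataclass(frozen=True)
class Control:
    """A security control: what it costs per year and how it changes the model inputs."""
    name: str
    annual_cost: float
    effect: Callable[[Model], Model]


def baseline_model() -> Model:
    # Constructed baseline: 30% chance an exploit is on hand, 40% a vuln is known
    # but unexploited, 30% the attacker must find something new.
    return Model(0.30, 0.40, 1.0, 15.0, 60.0)


def controls() -> List[Control]:
    # Hypothetical effects; in practice these coefficients come from expert
    # estimates first and observed data later, as the post says.
    return [
        Control("review firewall ruleset monthly (vs annually)", 20_000.0,
                lambda m: replace(m, p_known_with_exploit=m.p_known_with_exploit / 2)),
        Control("stateful firewall in place of router ACL", 60_000.0,
                lambda m: replace(m, p_known_with_exploit=0.20, p_known_no_exploit=0.30)),
    ]


def annual_expected_loss(m: Model, consequence: float) -> float:
    """Expected loss per year = consequence of one compromise * compromises per year."""
    return consequence * DAYS_PER_YEAR / mttc(m)


def rank_controls(base: Model, ctrls: List[Control],
                  consequence: float) -> List[Tuple[str, float, float]]:
    """Return (name, new MTTC in days, risk reduction per dollar), best value first."""
    base_loss = annual_expected_loss(base, consequence)
    rows = []
    for c in ctrls:
        improved = c.effect(base)
        reduction = base_loss - annual_expected_loss(improved, consequence)
        rows.append((c.name, mttc(improved), reduction / c.annual_cost))
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    base = baseline_model()
    print(f"baseline MTTC: {mttc(base):.1f} days")
    for name, days, per_dollar in rank_controls(base, controls(), consequence=100_000.0):
        print(f"{name:50s} MTTC {days:5.1f} d   risk reduction/$ {per_dollar:5.2f}")
```

The point of the ranking is that the control with the larger MTTC gain (the stateful firewall, in these made-up numbers) is not automatically the better buy once its cost is included; the cheaper ruleset review wins per dollar. Swapping in the paper's real formulas and coefficients would replace `mttc()` and the `Control` effects without changing the prioritization step.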
Author: Dale Peterson
Posted: December 11th, 2006 under Calculating Risk, S4.
Comments: 2
Comments
Comment from Matt
Time: December 13, 2006, 12:34 pm
How do I get a copy of Byres’ paper or presentation?
Comment from Dale Peterson
Time: December 13, 2006, 1:04 pm
The paper will be part of the S4 proceedings, and the presentation will be at the event.
Short answer, attend S4 in person or virtually.