
S4 Preview - DHS Funded Ideal Driven Technical Metrics Paper

The second S4 paper on control system security metrics comes from a DHS NCSD supported project that teamed INL researchers with Marie Farrer of Securicon and Zach Tudor of George Mason University. Miles McQueen and Wayne Boyer have selected Sean McBride of INL to present the paper: Measurable Control System Security through Ideal Driven Metrics. (Miles, one of the thought leaders in security metrics, will be at S4 again this year.) (The original wording here, "are letting", was tongue in cheek, and some took it literally; Sean was a major contributor to the project and paper.)

From the abstract:

The Department of Homeland Security National Cyber Security Division supported development of a small set of security ideals as a framework to establish measurable control systems security. Based on these ideals, a draft set of proposed technical metrics was developed to allow control systems owner-operators to track improvements or degradations in their individual control systems security posture.

The paper identifies seven security ideals and 13 corresponding technical metrics. After analysis in two case studies discussed in the paper, many of the metrics were refined and three of the technical metrics were eliminated.

As a brief example, one of the security ideals is "the control system is inaccessible to attack groups". Initially three technical metrics were associated with this ideal: Reachability Count, Attack Path Depth, and Root Privilege Count. Note that each of these metrics results in an actual measurement, and there is a statistical analysis of the effectiveness of each proposed metric in the case studies. After the analysis, one of these technical measurements was dropped, but you will have until S4 to learn which metric didn't make the cut.

Based on the response to the Byres MTTC paper last year, I'm certain this paper is going to lead to a lot of discussions not only on the technique but also on the individual metrics.

See the full S4 Agenda

Register for S4
