S4 Preview: Security Metrics for Cyber Security Assurance
I will be previewing one S4 2009 paper each week. Digital Bond’s SCADA Security Scientific Symposium is Jan 21-22 in Miami Beach with an advanced control system security course on Jan 20th.
Security Metrics for Cyber Security Assurance
In last week's preview of the INL paper on estimating 0days, a commenter mentioned Jaquith's criteria for a good metric. In an interesting coincidence, Dennis Holstein highlights conformance with the metric criteria from Andrew Jaquith's book Security Metrics: Replacing Fear, Uncertainty and Doubt. Namely, a metric:
In his paper and presentation, Dennis will attempt to meet these criteria for metrics tied to the seven foundational requirements of ISA 99.00.01. Mathematical formulas for quantifying security assurance, both for the system under consideration and for its components, will be presented. The formulas do not rely on minimizing the risk formula R = (1-Pe)*C*Po; rather, risk analysis is used to establish the weighting coefficients used in the proposed formulas.
Beyond the keen and continued interest of S4 attendees in metrics, this paper got our attention because of its link to the ISA99 foundational requirements. The ISA99 committee has been one of the most active in control system security guidelines and standards, with broad support particularly in manufacturing. Metrics that tie into an accepted standard may be more likely to be accepted and used.
Other S4 Previews
Author: Dale Peterson
Posted: November 14th, 2008 under S4.
Comments: 2
Comments
Comment from Éireann Leverett
Time: November 17, 2008, 9:36 am
I think this is an excellent topic for S4, and the control system community in general. I would just like to highlight one thing: the difference between the IT style metrics an ‘asset owner’ might use, and the Application Security metrics a vendor organisation might use. I imagine you will focus on the first, and that depends on your audience base, but it would be nice to address the second too. If you can do both, you will generate some much needed discussions.
Comment from Dennis Holstein
Time: December 25, 2008, 3:40 pm
The need to address the use of quantitative metrics is important. ISA99WG04 leadership requires all standards in the Technical Requirements series to address usage in four categories: Asset Owner, System Integrator, Manufacturer, and 3rd Party Provider. The general approach by each Task Group (TG) in WG04 is for an Asset Owner to assess the impact of a “requirement”, assign a qualitative impact (high, medium, low) based on a consequence analysis, and to set a SAL (Security Assurance Level)+security strength value for each Foundational Requirement (FR) for the SUT (System Under Consideration).
A System Integrator's task is the “verification” of the topology, risk mitigation, impact assessments, qualitative assignments, and SAL + security strength.
A Manufacturer or 3rd Party Provider must first determine if their product or service is applicable, and then determine if it is compliant with the derived requirements for a given class (or category) of components set forth in the ISA99 Technical Requirement series. Developing these derived requirements is the hard part! ISA99WG04 task groups are working together on this subject, but the work is in its infancy. Hopefully, concrete examples will be available for discussion and debate in future venues.