A Study on Quantitative Risk Assessment Methods in Security Design for Industrial Control Systems
| Title | A Study on Quantitative Risk Assessment Methods in Security Design for Industrial Control Systems |
| Publication Type | Conference Paper |
| Year of Publication | 2018 |
| Authors | Kawanishi, Y., Nishihara, H., Souma, D., Yoshida, H., Hata, Y. |
| Conference Name | 2018 IEEE 16th Intl Conf on Dependable, Autonomic and Secure Computing, 16th Intl Conf on Pervasive Intelligence and Computing, 4th Intl Conf on Big Data Intelligence and Computing and Cyber Science and Technology Congress(DASC/PiCom/DataCom/CyberSciTech) |
| Date Published | aug |
| ISBN Number | 978-1-5386-7518-2 |
| Keywords | Automotive engineering, automotive-security guideline, Autonomic Security, big data security, composability, control devices, control engineering computing, control systems, CVSS, CWSS, data logger, data loggers, ICS risk assessment, industrial control, industrial control systems, integrated circuits, JASO TP15002, manufacturing systems, Measurement, Metrics, Pervasive Computing Security, production engineering computing, pubcrawl, quantitative risk assessment, quantitative risk assessment methods, resilience, Resiliency, risk management, risk scoring systems, risk-score dispersion, SCADA(Supervisory Control and Data Acquisition), security, security design, security of data, security threats, Terms—industrial control systems (ICS), three-phase risk assessment method |
| Abstract | In recent years, there has been progress in applying information technology to industrial control systems (ICS), which is expected to make the development cost of control devices and systems lower. On the other hand, the security threats are becoming important problems. In 2017, a command injection issue on a data logger was reported. In this paper, we focus on the risk assessment in security design for data loggers used in industrial control systems. Our aim is to provide a risk assessment method optimized for control devices and systems in such a way that one can prioritize threats more preciously, that would lead work resource (time and budget) can be assigned for more important threats than others. We discuss problems with application of the automotive-security guideline of JASO TP15002 to ICS risk assessment. Consequently, we propose a three-phase risk assessment method with a novel Risk Scoring Systems (RSS) for quantitative risk assessment, RSS-CWSS. The idea behind this method is to apply CWSS scoring systems to RSS by fixing values for some of CWSS metrics, considering what the designers can evaluate during the concept phase. Our case study with ICS employing a data logger clarifies that RSS-CWSS can offer an interesting property that it has better risk-score dispersion than the TP15002-specified RSS. |
| URL | https://ieeexplore.ieee.org/document/8511868 |
| DOI | 10.1109/DASC/PiCom/DataCom/CyberSciTec.2018.00025 |
| Citation Key | kawanishi_study_2018 |
- risk scoring systems
- Metrics
- Pervasive Computing Security
- production engineering computing
- pubcrawl
- Quantitative risk assessment
- quantitative risk assessment methods
- resilience
- Resiliency
- risk management
- Measurement
- risk-score dispersion
- SCADA(Supervisory Control and Data Acquisition)
- security
- security design
- security of data
- security threats
- Terms—industrial control systems (ICS)
- three-phase risk assessment method
- CWSS
- automotive-security guideline
- Autonomic Security
- big data security
- composability
- control devices
- control engineering computing
- control systems
- CVSS
- Automotive engineering
- data logger
- data loggers
- ICS risk assessment
- industrial control
- Industrial Control Systems
- integrated circuits
- JASO TP15002
- manufacturing systems