ABSTRACT
In earlier work we presented a metric that quantifies system security in terms of the average loss per unit of time incurred by a stakeholder of the system as a result of security threats. The computational infrastructure of this metric involves system stakeholders, security requirements, system components and security threats. To compute this metric, we estimate the stakes that each stakeholder associates with each security requirement, as well as stochastic matrices that represent the probability that a threat causes a component failure and the probability that a component failure causes a security requirement violation. We apply this model to estimate the security of the Advanced Metering Infrastructure (AMI) by leveraging the recently established NISTIR 7628 guidelines for smart grid security and IEC 63351, Part 9 to identify the life cycle for cryptographic key management, resulting in a vector that assigns to each stakeholder an estimate of their average loss in terms of dollars per day of system operation.
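The computation the abstract describes, carried through on a toy system as an added example (not code or data from the paper). The daily threat-probability vector, the "no failure" and "no threat" entries that make each distribution sum to 1, and every name and number below are constructed assumptions.

```python
# Added example: all matrices and numbers below are constructed, not the paper's data.
STAKEHOLDERS = ["utility", "customer"]
# Stakes: dollars lost by each stakeholder (row) if a requirement (column) is violated.
STAKES = [[1000.0, 5000.0],
          [200.0, 50.0]]
# P(requirement violated | component event); columns: key server, meter, no failure.
DEPENDENCY = [[0.5, 0.2, 0.0],
              [0.4, 0.1, 0.0]]
# P(component event | threat); rows as DEPENDENCY columns; columns: key theft, DoS, no threat.
IMPACT = [[0.6, 0.2, 0.0],
          [0.1, 0.5, 0.0],
          [0.3, 0.3, 1.0]]
# Assumed probability that each threat (or none) materializes on a given day.
THREAT_PROBS = [0.01, 0.02, 0.97]


def matvec(matrix, vector, name):
    """Matrix-vector product that rejects mismatched dimensions."""
    if any(len(row) != len(vector) for row in matrix):
        raise ValueError(f"{name}: row length does not match vector length")
    return [sum(a * b for a, b in zip(row, vector)) for row in matrix]


def check_distribution(name, probs, tol=1e-9):
    """Require entries in [0, 1] that sum to 1."""
    if any(p < 0 or p > 1 for p in probs) or abs(sum(probs) - 1.0) > tol:
        raise ValueError(f"{name} is not a probability distribution")


def stakeholder_loss_per_day(stakes, dependency, impact, threat_probs):
    """Chain threats -> component failures -> requirement violations -> dollars."""
    check_distribution("threat_probs", threat_probs)
    for j, column in enumerate(zip(*impact)):
        check_distribution(f"impact column {j}", column)
    if any(p < 0 or p > 1 for row in dependency for p in row):
        raise ValueError("dependency entries must be probabilities")
    component_failure = matvec(impact, threat_probs, "impact")
    requirement_violation = matvec(dependency, component_failure, "dependency")
    return matvec(stakes, requirement_violation, "stakes")


def example_losses():
    losses = stakeholder_loss_per_day(STAKES, DEPENDENCY, IMPACT, THREAT_PROBS)
    return dict(zip(STAKEHOLDERS, losses))


if __name__ == "__main__":
    for who, loss in example_losses().items():
        print(f"{who}: ${loss:.3f} per day")
```

Rejecting an impact column that does not sum to 1 matters because a column that leaks probability mass silently understates or overstates every stakeholder's loss.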
Index Terms
- Failure impact analysis of key management in AMI using cybernomic situational assessment (CSA)