Risk Analysis as a Security Metric for Industrial Control Systems

Abstract

As time and technology advances, the people become more reliant on the services provided by Industrial Control Systems (ICSs). Mainly used in the critical infrastructure industries, the ICSs have realised and enabled a myriad of services essential to individuals, the public and organizations on a daily basis. Developments in networking technologies, open standards and the use of legacy devices in the ICSs have brought about a paradigm shift in the way ICSs interconnect with each other and operate over long geographical distances. The legacy devices come with inherent vulnerabilities which may be costly to patch and/or may not be possible to patch and these in turn are a source of threats to the entire ICS. In order to mitigate the risks that may arise due to the vulnerabilities introduced into the system, we gained a deeper understanding of the different ICSs and reviewed a number of existing risk analysis approaches and categorized them in terms of their overall goal, whether they are qualitative or quantitative approaches, the stages of risk management addressed, and the scope in terms of issues they addressed. Based on this analysis, we use the NIST and CORAS frameworks as the underlying approaches to develop a Modified Risk Analysis Framework for ICS systems (MRAF-ICS). This framework assigns weights to all the system assets to emphasise the importance/criticality of the asset in the overall system. It uses the a threat modelling approach, FMEA and HAZOP to exhaustively identify the threats, hazards and vulnerabilities in the system.