Sunteți pe pagina 1din 7

See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/328303093

Cyber Resilience Framework for Industrial Control Systems: Concepts, Metrics,


and Insights

Conference Paper · November 2018


DOI: 10.1109/ISI.2018.8587398

CITATION READS
1 868

4 authors, including:

Md Ariful Haque Sachin Shetty


Old Dominion University Old Dominion University
9 PUBLICATIONS   5 CITATIONS    184 PUBLICATIONS   1,115 CITATIONS   

SEE PROFILE SEE PROFILE

Bheshaj Krishnappa

4 PUBLICATIONS   1 CITATION   

SEE PROFILE

Some of the authors of this publication are also working on these related projects:

SDN enabled Smart Grid Security View project

Cyber Resilient Energy Delivery Consortium Project View project

All content following this page was uploaded by Md Ariful Haque on 25 March 2019.

The user has requested enhancement of the downloaded file.


Cyber Resilience Framework for Industrial Control
Systems: Concepts, Metrics, and Insights
Md Ariful Haque Gael Kamdem De Teyou Sachin Shetty Bheshaj Krishnappa
Modeling Simulation and Virginia Modeling Analysis Virginia Modeling Analysis Risk Analysis and Mitigation
Visualization Engineering and Simulation Center and Simulation Center Reliability First
Old Dominion University Old Dominion University Old Dominion University Cleveland, OH, USA
Norfolk, VA, USA Norfolk, VA, USA Norfolk, VA, USA bheshaj.krishnappa@rfirst.org
mhaqu001@odu.edu gdeteyou@odu.edu sshetty@odu.edu

Abstract— In this paper, we have analyzed the resilience for ICS using the R4 framework of disaster resilience [4]. We
property of industrial control systems (ICS) in the events of decompose the resilience metric into a hierarchy of several sub-
cyberattacks using subjective approach. We are proposing a metrics. These metrics are organized in a tree structure that
comprehensive cyber resilience framework for the ICS by captures qualitative information about the ICS resilience.
decomposing the resilience metric into a hierarchy of several sub-
metrics. These metrics form a tree structure that has the potential The paper is organized as follows. Section II provides related
to capture qualitative information about system’s security and work on resilience and security frameworks in brief. Section III
resilience posture and can be used as a high-level framework to provides a cyber-physical description of ICS with the complex
identify where modeling and analysis are needed to be carried out. inter-dependencies between cyber and physical components.
We present a brief description of resilient ICS characteristics and Section III also presents our framework that consists of a set of
a cyber resilience assessment model for ICS. Finally, we present resilience metrics that can effectively measure cyber resilience
the cyber resilience metrics formulation methods and an across ICS industries. Section IV presents discussions on how
illustration of resilience metrics calculation using Analytical the framework can be used to compute the resilience metrics.
Hierarchy Process (AHP). Our resilience framework can serve as Section V concludes the work.
a platform for a multi-criteria decision aid and help technical
experts in identifying the gap in the study of ICS resilience.
II. RELATED WORK
Keywords— Cyberattack, Industrial Control System, Resilience The National Academy of Science (NAS) defined resilience
Framework, Metrics as “The ability to prepare and plan for, absorb, recover from,
or more successfully adapt to actual or potential adverse
I. INTRODUCTION events.”[5]. In [6] the authors used the resilience definition
Industrial Control Systems (ICS) are critical components provided by NAS to define a set of resilience metrics spread
facilitating operations in vital industries such as electricity, oil over four operational domains: physical, information, cognitive,
and gas, water distribution system and manufacturing which are and social. In [4] the authors proposed the R4 framework for
known as critical infrastructures. In the past, the most common disaster resilience. The R4 framework comprises four broad
threats faced by the ICS were at the physical domains with metrics which are Robustness, Redundancy, Resourcefulness,
adverse events such as physical attacks, failures and natural and Rapidity. In [7], the MITRE presents a framework for cyber
disasters [1]. Today the extensive use of Information and resiliency engineering. Most of these frameworks provide some
Communication Technologies (ICT) in ICS make them subjective guidance from different angels of resilience study
vulnerable to cyber-attacks [2]. For example, in Advanced and lack of clear explanation on the quantitative resilience
Persistent Threat (APT) attacks highly skilled attackers can steal metrics formulation. Another issue with these frameworks is
user authentication information and then move laterally in the that they are most suitable for ITS (Information Technology
network, from host to host in a hidden manner until they reach a System) rather than ICS.
valued target. In 2015 attackers used spear-fishing emails to steal
In [8], the National Institute of Standards and Technology
credentials in three energy distribution companies of Ukraine
(NIST) provides a framework for improving the cybersecurity
and moved laterally through the corporate network and gained
access to the Supervisory Control and Data Acquisition and resilience of critical infrastructures. The NIST framework
(SCADA) system [3]. The attackers were able to disable the identifies five functions that organize cybersecurity at the
corporate network and temporarily disrupt electricity supply in highest levels: identify, protect, detect, respond, and recover. In
the power grid infrastructure. [9] NIST provides detailed guidelines for ICS system security.
In [10], the authors define the necessary measures to be taken
In this work, we have reviewed the existing cyber resilience in order to make ICS and critical infrastructures resilient. In all
frameworks. We have analyzed the characteristics of resilient these frameworks, the authors do not provide a methodology to
ICS systems and develop a cyber resilience assessment model quantify the resilience metrics of the ICS system.
for ICS. In addition, we propose a cyber resilience framework

This work is part of the project funded by the Department of Energy under
Award Number DE-OE0000780.

978-1-5386-7848-0/18/$31.00 ©2018 IEEE 25


III. ICS RESILIENCE FRAMEWORK
In this section, we discuss the cyber resilience assessment
model (CRAM) and the comprehensive cyber resilience
framework for the ICS system.
A. Resilient ICS
Industrial control networks are composed of specialized
components and applications, such as Programmable Logic
Controllers (PLCs), Supervisory Control and Data Acquisition
(SCADA) systems, Distributed Control Systems (DCS),
Remote Terminal Unit (RTU), Intelligent Electronic Devices
(IED), and Phasor Measurement Units (PMU) as shown in Fig.
1. In [11] the authors present a resilient industrial control system
(RICS) model where they have identified the following
characteristics of the ICS system to be resilient:
• Ability to minimize the undesirable consequence of an
incidence
• Ability to mitigate most of the undesirable incidents Fig. 1. Generic ICS architecture
• Ability to restore to normal operation within a short time.

All the above characteristics are included in the R4 resilience


framework [4] that we have considered as the base of this work.
B. ICS Resilience Sub-metric Tree
In this sub-section, we propose a set of comprehensive cyber
resilience metrics adapted from the R4 framework [4] that can
effectively contribute to the cyber resilience assessment for
ICS. We decompose the four R4 metrics (Robustness,
Redundancy, Resourcefulness, and Rapidity) from [4] into a
hierarchy of several sub-metrics, each of which can be analyzed
independently. The resilience sub-metric tree is shown in Fig.
2. Because resilience depends on the effective functioning of all
aspects of the ICS, the metric-structure should consider the
physical security, organizational practices, and technologies
implemented in the cyber-physical system. Fig. 2. Cyber resilience sub-metric tree

Fig. 3. ICS cyber resilience assessment model (CRAM)

26
TABLE I. CYBER RESILIENCE FRAMEWORK FOR ICS

ROBUSTNESS (R1) REDUNDANCY (R2) RESOURCEFULNESS (R3) RAPIDITY (R4)


Access control Contingency Monitoring and Detection Communication Latency
- Physical barrier policy (guards, walls, rooms, gates) - Alternate - Capabilities to monitor the - The delay between adverse event and detection
- Identification and Authentication (biometric, smart card, PIN storage/processing site, physical environment to detect Restoration Delay
P code) power supply and cybersecurity events (video - The delay to access damaged devices (debugging
H - Physical ports protection & electronic device policy communication network cameras, motion detectors, ports, remote access)
Y Segmentation - Protection of alternate sites sensors, and various identification - The delay between detection and restoration (Mean
S - Physical isolation of ICS sites from Corporate sites and power supply systems) Time to Repair)
I - Physical isolation of storage site from the processing site - PLC and RTU redundancy Response and Recovery - Switching delay for backup operations (hot, cold,
C Diversity (shadow or separate mode) - Capabilities to investigate and warm)
A - Product and Vendor diversity Composition repair physical devices Learning
L Risk Mitigation - Capabilities to deploy new - Update device configuration in response to recent
- Threats Identification, Characterization and Mitigation PLC/RTU inter-operable events and performs better in the future
(capabilities of the threats, likelihood, and impact of potential with the ICS to ensure
attacks) continuity of the process
Access control Contingency Monitoring and Detection Communication Latency
O - Visitor escort and access agreements policy - Business continuity - Capabilities to monitor personnel - Cyber events are reported timely to appropriate
R - Restriction of physical-access to ICS to authorized planning and coordination activity to detect cybersecurity personnel
G employee only Composition events (account management, - Responsibilities and Procedures are clearly defined for
A - Personnel designation, screening, termination and transfer - Capabilities to deploy new configuration change control) adequate personnel to ensure quick response
N policy manufacturing processes - Record and Classification of Restoration Delay
I - Terms of employment policy incident - Timely availability of dedicated resources for service
Z Segmentation Response and Recovery restoration (budget, manufacturer support, and tools)
A - Employee-specific roles & responsibility - Collection of evidences for civil Learning
T Diversity and criminal actions - Registration to association and security conferences
I - Diverse group of employees to mitigate insider attacks - Audit policy and Change - Review security policy during and after adverse
O Risk Mitigation Management policy events
N - Planning, implementation and progress monitoring - User awareness and training (penetration tests,
role-based training)
Access Control Contingency Monitoring and Detection Communication Latency
- Port, protocol and traffic filtering in CS - Backup secured on - Capabilities to monitor network - Fault isolation latency
- Wireless and Remote access policy (authentication and protected servers logs to detect cybersecurity events - Measurement reading latency
encryption policy) - Backup copies of - ICS protocol attacks detection - Routine automation latency
- Email and Browser policy (URL filtering, attachment, information system and (Modbus, DNP3, ICCP, etc.) Restoration Delay
supported email clients and browser, plugins) software - Network-based IDS between CS - Intrusion Response Frequency
Segmentation - Adequate resource to ensure and Corporate Learning
- Firewalls/Gateways between Corporate and CS availability of data - Host-based IDS in both CS and - Logs correlation with vulnerability databases
- Firewalls/Gateways between ICS and third-party network Composition Corporate - Dynamic reconfiguration after cyber-attacks
T - DMZ for CS and Corporate - Capabilities to deploy new Response and Recovery - Online learning of attacker strategy’s
E Diversity protocols and technologies - Anti-malware tools, IRS
C - Disjoint technologies between CS and Corporate network inter-operable with the ICS - Reduction of malware spread from
H - Software, firmware and hardware diversity to ensure continuity of the Corporate to CS
N Risk Mitigation process - Dynamic reconfiguration
I - Continuous Vulnerability Scanning & Patching
C - Identification and Mitigation of ICS weaknesses due to old
A technology design (clear communications, poor coding
L practices, low CPU/memory)
- Identification and Mitigation of ICS weaknesses due to
implementation (weak logging/authentication, weak
scripting interface, malfunction devices)
- Default configuration avoidance in CS and Corporate
(default account/password, unused services/components)
- Securing configuration in backup servers
- Realignment (align cyber resources with specific need of
ICS, thus reducing attack surface)
27
C. ICS Cyber Resilience Assessment Model (CRAM)
The cyber resilience assessment model assesses the
complete ICS system and network in terms of technical,
organizational, and physical capabilities as shown in Fig. 3.
The model assesses each of the R4 metrics under the physical,
organizational, and technical domain. The assessment is
subjective because the criteria to evaluate those sub-metrics
are normally not quantifiable. For example, the effectiveness
of contingency planning which falls under Technical
Redundancy is a question of subjective judgment to be
evaluated by the ICS expert. Using the subjective evaluation
from the sub-metrics, overall resilience metrics can be
assessed which we discuss in section IV. As the model itself
Fig. 4. Decomposition of robustness into the AHP process hierarchy
is explanatory, we are not going into the further discussion
here.
A. Analytical Hierarchy Process (AHP)
D. ICS Cyber Resilience Framework The Analytic Hierarchy Process (AHP) is a structured
We present the ICS resilience framework in detail in technique for organizing and analyzing complex decisions
Table I. The framework is based on the cyber resilience based on mathematics and psychology [13]. It has been
assessment model as in Fig. 3 and designed to assess the widely used to provide cybersecurity metrics because it
cyber resilience of the ICS. The framework can serve as a combines the objectivity of mathematics and the subjectivity
platform to create secure and resilient ICS across different of psychology to evaluate information and make decisions
industries (Energy, Oil & Gas, Manufacturing etc.). Again, [13, 17-19].
the resilience is assessed in terms of robustness, redundancy,
resourcefulness, and rapidity in the three domains: physical, B. Resilience Metrics Formulation Using AHP
organizational, and technical. The details provided in the To compute the resilience metrics, 𝑁𝑁 datasets were
framework make it self-explanatory. collected from 𝑁𝑁 cybersecurity experts. Here datasets
represent the response of questionnaires related to the ICS
IV. METRICS FORMULATION AND ANALYSIS system. For our example case in sub-section C, we have used
One of our objectives in this work is to make the resilience 𝑁𝑁 = 10. This type of data collection from security experts
metrics operational, i.e., the metrics should be analytically has used to provide a scoring formula for cybersecurity
measurable and quantifiable with the available data and metrics [19, 20] and we adopt the same methodology to
resources. One challenge of developing effective, collect the data. The steps involved in implementing the AHP
generalizable resilience metrics for ICS is that the data methodology are presented below.
regarding the cybersecurity of ICS is not available mostly due Step 1: Each resilience metric is decomposed into a
to regulation that requires reporting only a subset of cyber- hierarchy of 4 levels: goal (maximize the corresponding
attacks in a lot of countries as reported in [12]. Consequently, resilience metric), criteria, sub-criteria, and alternatives
ICS companies with established cybersecurity policies prefer (possible values that the sub-criteria can take). Fig. 4
to keep their data confidential, largely due to privacy, and the illustrates the hierarchy that we build for the robustness
proprietary nature of information. By taking into metric as an example. Each criterion at lower level criteria
consideration the lack of system data availability, resilience affects the overall effort of maximizing the robustness. In the
metrics can be evaluated with a qualitative approach using same way, each sub-criterion (respective to alternative
cautiously chosen sets of questionnaires. The questionnaires options) affects its corresponding criterion.
are designed in a way so that it can address each individual
sub-metric and therefore capture qualitative information Step 2: Data were collected from 𝑁𝑁 cybersecurity experts
about the system resilience posture. The resilience metrics (SMEs) corresponding to the hierarchy of Fig. 4. 𝑁𝑁 = 10 for
can be obtained by aggregating the individual sub-metrics our sample illustration. The data collection process was based
using a multi-criteria decision-making approach such as on a pairwise comparison implementing the qualitative scale
Analytical Hierarchy Process (AHP) [13]. We want to explained in [13].
mention here that we have given lots of efforts to make the Step 3: The pairwise comparisons of all criteria and
questionnaires as realistic, balanced, and pertinent as possible alternatives constructed in step 2 are organized into a square
by taking subject matter experts’ (SME) opinions and ICS matrix. Mathematically, the pairwise comparison matrix 𝐴𝐴,
security standards [9, 14-16] into considerations. Some of the for 𝑚𝑚 factors requires an 𝑚𝑚 x 𝑚𝑚 elements. Each entry in 𝐴𝐴
subject matter experts are our collaborators in this work. denoted by 𝑎𝑎𝑖𝑖𝑖𝑖 , represents the comparison between factor 𝑖𝑖
Some other SMEs are professionals working in the ICS
and factor 𝑗𝑗. The pairwise comparison matrix can be
industries.
determined by using (1).

28
TABLE II. VALUES OF THE RANDOM INDEX FOR SMALL PROBLEMS
* With respect to Robustness, what criteria do you find the most important
(M < 10) [13]
between Physical and Organization ?
𝒎𝒎 factors 2 3 4 5 6 7 8 Physical

𝑹𝑹𝑹𝑹 0.00 0.58 0.9 1.12 1.24 1.32 1.41 Organization


* Based on your previous choice, evaluate the following statements
1 𝑎𝑎12 … 𝑎𝑎1𝑚𝑚
⎡ 1 ⎤ Equal Moderate Strong Very Strong Extreme
Importance Importance Importance Importance Importance
⎢ 1 … 𝑎𝑎2𝑚𝑚 ⎥ 1 3 5 7 9
Importance
𝐴𝐴 = ⎢ 𝑎𝑎…
12
… … … ⎥
⎥ (1) of selection

⎢ 1 1
… 1 ⎥
⎣ 𝑎𝑎1𝑚𝑚 𝑎𝑎2𝑚𝑚 ⎦ Fig. 5. Sample pairwise comparison between the Physical and the
Organization criteria for the Robustness metric
In addition, the individual responses of the 𝑁𝑁 SMEs were
* With respect to Segmentation sub criteria, what option do you find is the
aggregated by using the geometric mean, which yielded to most important between High and Medium ?
one unique comparison matrix. High (H)

𝑁𝑁 1/𝑁𝑁 Medium (M)


𝑎𝑎𝑖𝑖𝑖𝑖 = ���𝑎𝑎𝑖𝑖𝑖𝑖 �𝑘𝑘 � (2) * Based on your previous choice, evaluate the following statements

𝑘𝑘=1 Equal Moderate Strong Very Strong Extreme


Importance Importance Importance Importance Importance
where �𝑎𝑎𝑖𝑖𝑖𝑖 �𝑘𝑘 is the response obtained by the 𝑘𝑘 𝑡𝑡ℎ Importance 1 3 5 7 9
of selection
cybersecurity expert.
Step 4: When all judgments are made, the relative weight Fig. 6. Sample pairwise comparison between options High (H) and Medium
of each criterion respective to the goal is calculated. These (M) for the segmentation sub-criteria metric
weights are obtained with the normalized right eigenvector of
the pairwise comparison matrix 𝐴𝐴. The relative weights of all TABLE III. LIST OF POSSIBLE VALUES FOR THE SUB CRITERIA
the sub-criteria and alternative options are generated using Value Description
the same process. High (H) Specialized measures are implemented in the ICS
for the corresponding sub criteria
Step 5: A Consistency Ratio (CR) is calculated to measure Medium (M) Some measures are implemented in the ICS for
how accurate or consistent are the judgments of the 𝑁𝑁 the corresponding sub criteria
experts’ responses. For the 𝑘𝑘 𝑡𝑡ℎ cybersecurity expert Low (L) No or very few measures are implemented in the
response, if 𝐶𝐶𝐶𝐶𝑘𝑘 < 0.1 then the judgment of this expert can ICS for the corresponding sub criteria
be accepted; otherwise it should be excluded from the
TABLE IV. PAIRWISE COMPARISON MATRIX A AND EIGENVECTOR
analysis for inconsistency. The consistency ratio can be FOR MAXIMIZING ROBUSTNESS WITH RESPECT TO THE 3 CRITERIA C1, C2
evaluated by comparing the Consistency Index (CI) with the AND C3
Random Index (RI) [13]: Criteria
𝐶𝐶𝐶𝐶 Physical Organization Technical Normalized
(3) Eigenvector
𝐶𝐶𝐶𝐶 = (𝑪𝑪𝟏𝟏 ) (𝑪𝑪𝟐𝟐 ) (𝑪𝑪𝟑𝟑 )
𝑅𝑅𝑅𝑅
Physical 1 0.20 0.11 0.0578
The values of the random index are shown in Table II for Organization 4.89 1 0.20 0.2039
small problems (𝑚𝑚 < 10) and the consistency index 𝐶𝐶𝐶𝐶 is Technical 8.95 5.101 1 0.7382
given by:
criteria 𝐶𝐶1 , 𝐶𝐶2 , and 𝐶𝐶3 : Physical, Organization, and Technical.
𝜆𝜆𝑚𝑚𝑚𝑚𝑚𝑚 − 𝑚𝑚 (4) Each criterion has four sub-criteria 𝑆𝑆𝑆𝑆1 , 𝑆𝑆𝑆𝑆2 , 𝑆𝑆𝐶𝐶3 , and 𝑆𝑆𝐶𝐶4 :
𝐶𝐶𝐶𝐶 = Access Control, Segmentation, Diversity, and Risk Mitigation
𝑚𝑚 − 1
as in Table II. Finally, we design each sub-criterion to take
In (4), 𝜆𝜆𝑚𝑚𝑚𝑚𝑚𝑚 is the maximum eigenvalue of the expert values among three alternative options: High (𝐻𝐻), Medium
(𝑀𝑀) and Low (𝐿𝐿) which are presented in Table III.
judgment.
Step 6: The resilience metric is calculated by combining The scale within each pairwise comparison is based on a
the total of the weights of the elements of each level multiplied Likert scale having equal importance as the lowest parameter,
by the weights of the corresponding lower-level elements. which is indicated with a numerical value of one, and extreme
importance which indicated with a numerical value of 9 as
C. Robustness as an Illustration shown in Fig. 5 and Fig. 6. We have analyzed using 𝑁𝑁 =
To explain the formulation process discussed in sub- 10 datasets, where 𝑁𝑁 ′ = 2 are excluded for inconsistency
section B, we provide an example here for the Robustness (CR < 0.1). Table VI contains the aggregated pairwise
metric. As shown in Fig. 4, the robustness metric has three comparison matrix that was collected from the
remaining consistent datasets for the three criteria 𝐶𝐶1 , 𝐶𝐶2 , and

29
𝐶𝐶3 . From the normalized right eigenvector of Table IV, we completeness, or usefulness of any information, apparatus,
find the Robustness in function of the Physical ( 𝐶𝐶1 ) , product, or process disclosed, or represents that its use would
Organization (𝐶𝐶2 ) and Technical (𝐶𝐶3 ) criteria as: not infringe privately owned rights. Reference herein to any
specific commercial product, process, or service by trade
𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅 = 0.06𝐶𝐶1 + 0.200𝐶𝐶2 + 0.74𝐶𝐶3 (5) name, trademark, manufacturer, or otherwise does not
Similarly, pairwise comparisons were done between sub- necessarily constitute or imply its endorsement,
criteria, and alternatives. We derive the relative weights of recommendation, or favoring by the United States
each criterion and the score corresponding to the alternative Government or any agency thereof. The views and opinions
options at the lower level of the hierarchy. Equation (6) and of authors expressed herein do not necessarily state or reflect
those of the United States Government or any agency thereof.
(8) give the numerical values that we obtained for the relative
weights and the score vector for the four criteria and three
alternative options respectively. REFERENCES

𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴 𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶 (𝑆𝑆𝑆𝑆1 ) 0.3 [1] R. Kinney, P. Crucitti, R. Albert, and V. Latora, “Modeling cascading
failures in the North American power grid,” The European Physical
𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆 (𝑆𝑆𝑆𝑆2 ) (6)
� � = �0.2� Journal B-Condensed Matter and Complex Systems, vol. 46, no. 1, pp.
𝐷𝐷𝐷𝐷𝐷𝐷𝐷𝐷𝐷𝐷𝐷𝐷𝐷𝐷𝐷𝐷𝐷𝐷(𝑆𝑆𝑆𝑆3 ) 0.1 101-107, 2005.
𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅 𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀 (𝑆𝑆𝑆𝑆4 ) 0.4 [2] C. Glenn, D. Sterbentz, and A. Wright, Cyber Threat and Vulnerability
Analysis of the US Electric Sector, Idaho National Lab.(INL), Idaho
Equation (7) shows how the Organization criteria (𝐶𝐶2 ) is Falls, ID (United States), 2016.
[3] D. U. Case, “Analysis of the cyber attack on the Ukrainian power grid,”
computed in function of the four sub-criteria, Electricity Information Sharing and Analysis Center (E-ISAC), 2016.
[4] K. Tierney, and M. Bruneau, “Conceptualizing and measuring
𝐶𝐶2 = 0.3 𝑆𝑆𝑆𝑆1 + 0.2 𝑆𝑆𝑆𝑆2 + 0.1 𝑆𝑆𝐶𝐶3 + 0.4 𝑆𝑆𝑆𝑆4 (7) resilience: A key to disaster loss reduction,” TR news, no. 250, 2007.
[5] N. A. o. Sciences, Disaster resilience: a national imperative,
𝐻𝐻 0.73 Washington, D.C., 2012.
�𝑀𝑀� = �0.2067� (8) [6] I. Linkov, D. A. Eisenberg, K. Plourde, T. P. Seager, J. Allen, and A.
Kott, “Resilience metrics for cyber systems,” Environment Systems and
𝐿𝐿 0.0581 Decisions, vol. 33, no. 4, pp. 471-476, 2013.
[7] D. Bodeau, and R. Graubart, “Cyber resiliency engineering
V. CONCLUSION framework,” MTR110237, MITRECorporation, 2011.
[8] C. I. Cybersecurity, “Framework for Improving Critical Infrastructure
In this paper, we investigate the cyber resilience of ICS. Cybersecurity,” Framework, vol. 1, pp. 11, 2014.
First, we discuss the properties of a resilient ICS. Then we [9] K. Stouffer, J. Falco, and K. Scarfone, “Guide to industrial control
systems (ICS) security,” NIST special publication, vol. 800, no. 82, pp.
adapt the R4 framework to derive the cyber resilience 16-16, 2011.
assessment model (CRAM) for ICS. Finally, we propose a [10] S. Bologna, A. Fasani, and M. Martellini, "Cyber Security and
detailed cyber resilience framework for ICS using the Resilience of Industrial Control Systems and Critical Infrastructures,"
CRAM. We explain how to effectively quantify and evaluate Cyber Security, pp. 57-72: Springer, 2013.
[11] D. Wei, and K. Ji, "Resilient industrial control system (RICS):
cyber resilience metrics using the proposed framework. The Concepts, formulation, metrics, and insights." pp. 15-22.
framework can provide directions in ICS resilience analysis [12] A. McIntyre, B. Becker, and R. Halbgewachs, “Security metrics for
and assessment process and help the ICS operators and process control systems,” Sandia National Laboratories, Sandia
Report SAND2007-2070P, 2007.
technical experts to better understand their industrial control [13] T. L. Saaty, “Relative measurement and its generalization in decision
system architecture to make it more resilient from making why pairwise comparisons are central in mathematics for the
cyberattacks. Unlike most of the relevant works that only measurement of intangible factors the analytic hierarchy/network
provide security guidance and recommendations, we have process,” RACSAM-Revista de la Real Academia de Ciencias Exactas,
Fisicas y Naturales. Serie A. Matematicas, vol. 102, no. 2, pp. 251-318,
derived the resilience metrics using the proposed framework 2008.
which provides quantitative insights into the ICS cyber [14] M. J. Bartock, J. A. Cichonski, M. P. Souppaya, M. C. Smith, G. A.
resilience. This resilience metrics formulation process can be Witte, and K. A. Scarfone, Guide for cybersecurity event recovery,
2016.
used to evaluate and analyze overall ICS network resilience. [15] J. T. Force, and T. Initiative, “Security and privacy controls for federal
information systems and organizations,” NIST Special Publication,
ACKNOWLEDGMENT vol. 800, no. 53, pp. 8-13, 2013.
[16] T. Macaulay, and B. L. Singer, Cybersecurity for industrial control
This material is based upon work supported by the systems: SCADA, DCS, PLC, HMI, and SIS, p.^pp. 51: Auerbach
Department of Energy under Award Number DE- Publications, 2016.
[17] K. Sun, S. Jajodia, J. Li, Y. Cheng, W. Tang, and A. Singhal,
OE0000780. "Automatic security analysis using security metrics." pp. 1207-1212.
[18] L. Watkins, and J. Hurley, "Cyber Maturity as Measured by Scientific
DISCLAIMER Risk-Based Metrics." p. 384.
[19] G. C. Wilamowski, J. R. Dever, and S. M. Stuban, “Using Analytical
This report was prepared as an account of work sponsored Hierarchy and Analytical Network Processes to Create CYBER
by an agency of the United States Government. Neither the SECURITY METRICS,” Defense Acquisition Research Journal: A
Publication of the Defense Acquisition University, vol. 24, no. 2, 2017.
United States Government nor any agency thereof, nor any of [20] H. Tran, E. Campos-Nanez, P. Fomin, and J. Wasek, “Cyber resilience
their employees makes any warranty, express or implied, or recovery model to combat zero-day malware attacks,” computers &
assumes any legal liability or responsibility for the accuracy, security, vol. 61, pp. 19-31, 2016.

30

View publication stats