Paper 305 US-W-CAT
Evidence-Based Techniques for Evaluating Cyber Protection Systems for Critical Infrastructures
Sholander, Peter, Sandia National Laboratories
Wyss, Gregory, Sandia National Laboratories
Walter, Andrew, Sandia National Laboratories
Smith, Bryan, Sandia National Laboratories
Phelan, James, Sandia National Laboratories
Darby, John, Sandia National Laboratories
Assessing the risk of malevolent attacks against large-scale critical infrastructures requires modifications to existing methodologies. Most existing risk assessment methodologies consider physical security and cyber security separately. As such, they do not accurately model attacks that involve defeating both physical protection and cyber protection elements (e.g., hackers turning off alarm systems prior to forced entry). Previous research has developed a risk assessment methodology that accounts for both physical and cyber security, while preserving the traditional security paradigm of detect, delay and respond and accounting for the possibility that a facility may be able to recover from or mitigate the results of a successful attack before serious consequences occur. This research is focused on evidence-based techniques (which are a generalization of probability theory) for evaluating the security posture of the cyber protection systems typically found in critical infrastructure facilities. It presents category-based approaches to characterizing both cyber threats and security primitives such as authentication and network access control. A path-based approach is then used wherein various security primitives protect each link (e.g., attack step) in a given path. The end goal is to evaluate the conditional risk that a given adversary category can traverse an attack path and thereby cause a given consequence of concern. This paper’s examples focus on cyber-based attack paths. Ongoing research is considering attack paths that contain both cyber and physical steps.

James Phelan is a Distinguished Member of Technical Staff (DMTS) at Sandia National Laboratories in Albuquerque, NM. His Center (Security Systems and Technology) is responsible for physical-security system research, design and evaluation for both Sandia and the larger DOE complex. He led a multi-year research effort that investigated “blended” security concepts that combine both physical and cyber security into one integrated security system. The focus was on improved security for our Nation’s critical infrastructures such as water, gas, power and telecom.