See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/328303093

Cyber Resilience Framework for Industrial Control Systems: Concepts, Metrics,

and Insights

Conference Paper · November 2018

DOI: 10.1109/ISI.2018.8587398

CITATION READS
1 868

4 authors, including:

Md Ariful Haque Sachin Shetty

Old Dominion University Old Dominion University
9 PUBLICATIONS   5 CITATIONS    184 PUBLICATIONS   1,115 CITATIONS   

SEE PROFILE SEE PROFILE

Bheshaj Krishnappa

4 PUBLICATIONS   1 CITATION   

SEE PROFILE

Some of the authors of this publication are also working on these related projects:

SDN enabled Smart Grid Security View project

Cyber Resilient Energy Delivery Consortium Project View project

All content following this page was uploaded by Md Ariful Haque on 25 March 2019.

The user has requested enhancement of the downloaded file.

 Cyber Resilience Framework for Industrial Control
Systems: Concepts, Metrics, and Insights
Md Ariful Haque Gael Kamdem De Teyou
Modeling Simulation and Virginia Modeling Analysis
Visualization Engineering and Simulation Center
Old Dominion University Old Dominion University
Norfolk, VA, USA Norfolk, VA, USA
mhaqu001@odu.edu gdeteyou@odu.edu
Abstract— In this paper, we have analyzed the resilience
property of industrial control systems (ICS) in the events of
cyberattacks using subjective approach. We are proposing a
comprehensive cyber resilience framework for the ICS by
decomposing the resilience metric into a hierarchy of several sub-
metrics. These metrics form a tree structure that has the potential
to capture qualitative information about system’s security and
resilience posture and can be used as a high-level framework to
identify where modeling and analysis are needed to be carried out.
We present a brief description of resilient ICS characteristics and
a cyber resilience assessment model for ICS. Finally, we present
the cyber resilience metrics formulation methods and an
illustration of resilience metrics calculation using Analytical
Hierarchy Process (AHP). Our resilience framework can serve as
a platform for a multi-criteria decision aid and help technical
experts in identifying the gap in the study of ICS resilience.
Keywords— Cyberattack, Industrial Control System, Resilience
Framework, Metrics
I. INTRODUCTION
Industrial Control Systems (ICS) are critical components
facilitating operations in vital industries such as electricity, oil
and gas, water distribution system and manufacturing which are
known as critical infrastructures. In the past, the most common
threats faced by the ICS were at the physical domains with
adverse events such as physical attacks, failures and natural
disasters [1]. Today the extensive use of Information and
Communication Technologies (ICT) in ICS make them
vulnerable to cyber-attacks [2]. For example, in Advanced
Persistent Threat (APT) attacks highly skilled attackers can steal
user authentication information and then move laterally in the
network, from host to host in a hidden manner until they reach a
valued target. In 2015 attackers used spear-fishing emails to steal
credentials in three energy distribution companies of Ukraine
and moved laterally through the corporate network and gained
access to the Supervisory Control and Data Acquisition
(SCADA) system [3]. The attackers were able to disable the
corporate network and temporarily disrupt electricity supply in
the power grid infrastructure.
In this work, we have reviewed the existing cyber resilience
frameworks. We have analyzed the characteristics of resilient
ICS systems and develop a cyber resilience assessment model
for ICS. In addition, we propose a cyber resilience framework
This work is part of the project funded by the Department of Energy under
Award Number DE-OE0000780.
978-1-5386-7848-0/18/$31.00 ©2018 IEEE
Sachin Shetty Bheshaj Krishnappa
Virginia Modeling Analysis Risk Analysis and Mitigation
and Simulation Center Reliability First
Old Dominion University Cleveland, OH, USA
Norfolk, VA, USA bheshaj.krishnappa@rfirst.org
sshetty@odu.edu
for ICS using the R4 framework of disaster resilience [4]. We
decompose the resilience metric into a hierarchy of several sub-
metrics. These metrics are organized in a tree structure that
captures qualitative information about the ICS resilience.
The paper is organized as follows. Section II provides related
work on resilience and security frameworks in brief. Section III
provides a cyber-physical description of ICS with the complex
inter-dependencies between cyber and physical components.
Section III also presents our framework that consists of a set of
resilience metrics that can effectively measure cyber resilience
across ICS industries. Section IV presents discussions on how
the framework can be used to compute the resilience metrics.
Section V concludes the work.
II. RELATED WORK
The National Academy of Science (NAS) defined resilience
as “The ability to prepare and plan for, absorb, recover from,
or more successfully adapt to actual or potential adverse
events.”[5]. In [6] the authors used the resilience definition
provided by NAS to define a set of resilience metrics spread
over four operational domains: physical, information, cognitive,
and social. In [4] the authors proposed the R4 framework for
disaster resilience. The R4 framework comprises four broad
metrics which are Robustness, Redundancy, Resourcefulness,
and Rapidity. In [7], the MITRE presents a framework for cyber
resiliency engineering. Most of these frameworks provide some
subjective guidance from different angels of resilience study
and lack of clear explanation on the quantitative resilience
metrics formulation. Another issue with these frameworks is
that they are most suitable for ITS (Information Technology
System) rather than ICS.
In [8], the National Institute of Standards and Technology
(NIST) provides a framework for improving the cybersecurity
and resilience of critical infrastructures. The NIST framework
identifies five functions that organize cybersecurity at the
highest levels: identify, protect, detect, respond, and recover. In
[9] NIST provides detailed guidelines for ICS system security.
In [10], the authors define the necessary measures to be taken
in order to make ICS and critical infrastructures resilient. In all
these frameworks, the authors do not provide a methodology to
quantify the resilience metrics of the ICS system.
25
 III. ICS RESILIENCE FRAMEWORK
In this section, we discuss the cyber resilience assessment
model (CRAM) and the comprehensive cyber resilience
framework for the ICS system.
A. Resilient ICS
Industrial control networks are composed of specialized
components and applications, such as Programmable Logic
Controllers (PLCs), Supervisory Control and Data Acquisition
(SCADA) systems, Distributed Control Systems (DCS),
Remote Terminal Unit (RTU), Intelligent Electronic Devices
(IED), and Phasor Measurement Units (PMU) as shown in Fig.
1. In [11] the authors present a resilient industrial control system
(RICS) model where they have identified the following
characteristics of the ICS system to be resilient:
• Ability to minimize the undesirable consequence of an
incidence
• Ability to mitigate most of the undesirable incidents Fig. 1. Generic ICS architecture
• Ability to restore to normal operation within a short time.

All the above characteristics are included in the R4 resilience

framework [4] that we have considered as the base of this work.
B. ICS Resilience Sub-metric Tree
In this sub-section, we propose a set of comprehensive cyber
resilience metrics adapted from the R4 framework [4] that can
effectively contribute to the cyber resilience assessment for
ICS. We decompose the four R4 metrics (Robustness,
Redundancy, Resourcefulness, and Rapidity) from [4] into a
hierarchy of several sub-metrics, each of which can be analyzed
independently. The resilience sub-metric tree is shown in Fig.
2. Because resilience depends on the effective functioning of all
aspects of the ICS, the metric-structure should consider the
physical security, organizational practices, and technologies
implemented in the cyber-physical system. Fig. 2. Cyber resilience sub-metric tree

Fig. 3. ICS cyber resilience assessment model (CRAM)

26
 TABLE I. CYBER RESILIENCE FRAMEWORK FOR ICS

ROBUSTNESS (R1) REDUNDANCY (R2) RESOURCEFULNESS (R3) RAPIDITY (R4)

Access control Contingency Monitoring and Detection Communication Latency
- Physical barrier policy (guards, walls, rooms, gates) - Alternate - Capabilities to monitor the - The delay between adverse event and detection
- Identification and Authentication (biometric, smart card, PIN storage/processing site, physical environment to detect Restoration Delay
P code) power supply and cybersecurity events (video - The delay to access damaged devices (debugging
H - Physical ports protection & electronic device policy communication network cameras, motion detectors, ports, remote access)
Y Segmentation - Protection of alternate sites sensors, and various identification - The delay between detection and restoration (Mean
S - Physical isolation of ICS sites from Corporate sites and power supply systems) Time to Repair)
I - Physical isolation of storage site from the processing site - PLC and RTU redundancy Response and Recovery - Switching delay for backup operations (hot, cold,
C Diversity (shadow or separate mode) - Capabilities to investigate and warm)
A - Product and Vendor diversity Composition repair physical devices Learning
L Risk Mitigation - Capabilities to deploy new - Update device configuration in response to recent
- Threats Identification, Characterization and Mitigation PLC/RTU inter-operable events and performs better in the future
(capabilities of the threats, likelihood, and impact of potential with the ICS to ensure
attacks) continuity of the process
Access control Contingency Monitoring and Detection Communication Latency
O - Visitor escort and access agreements policy - Business continuity - Capabilities to monitor personnel - Cyber events are reported timely to appropriate
R - Restriction of physical-access to ICS to authorized planning and coordination activity to detect cybersecurity personnel
G employee only Composition events (account management, - Responsibilities and Procedures are clearly defined for
A - Personnel designation, screening, termination and transfer - Capabilities to deploy new configuration change control) adequate personnel to ensure quick response
N policy manufacturing processes - Record and Classification of Restoration Delay
I - Terms of employment policy incident - Timely availability of dedicated resources for service
Z Segmentation Response and Recovery restoration (budget, manufacturer support, and tools)
A - Employee-specific roles & responsibility - Collection of evidences for civil Learning
T Diversity and criminal actions - Registration to association and security conferences
I - Diverse group of employees to mitigate insider attacks - Audit policy and Change - Review security policy during and after adverse
O Risk Mitigation Management policy events
N - Planning, implementation and progress monitoring - User awareness and training (penetration tests,
role-based training)
Access Control Contingency Monitoring and Detection Communication Latency
- Port, protocol and traffic filtering in CS - Backup secured on - Capabilities to monitor network - Fault isolation latency
- Wireless and Remote access policy (authentication and protected servers logs to detect cybersecurity events - Measurement reading latency
encryption policy) - Backup copies of - ICS protocol attacks detection - Routine automation latency
- Email and Browser policy (URL filtering, attachment, information system and (Modbus, DNP3, ICCP, etc.) Restoration Delay
supported email clients and browser, plugins) software - Network-based IDS between CS - Intrusion Response Frequency
Segmentation - Adequate resource to ensure and Corporate Learning
- Firewalls/Gateways between Corporate and CS availability of data - Host-based IDS in both CS and - Logs correlation with vulnerability databases
- Firewalls/Gateways between ICS and third-party network Composition Corporate - Dynamic reconfiguration after cyber-attacks
T - DMZ for CS and Corporate - Capabilities to deploy new Response and Recovery - Online learning of attacker strategy’s
E Diversity protocols and technologies - Anti-malware tools, IRS
C - Disjoint technologies between CS and Corporate network inter-operable with the ICS - Reduction of malware spread from
H - Software, firmware and hardware diversity to ensure continuity of the Corporate to CS
N Risk Mitigation process - Dynamic reconfiguration
I - Continuous Vulnerability Scanning & Patching
C - Identification and Mitigation of ICS weaknesses due to old
A technology design (clear communications, poor coding
L practices, low CPU/memory)
- Identification and Mitigation of ICS weaknesses due to
implementation (weak logging/authentication, weak
scripting interface, malfunction devices)
- Default configuration avoidance in CS and Corporate
(default account/password, unused services/components)
- Securing configuration in backup servers
- Realignment (align cyber resources with specific need of
ICS, thus reducing attack surface)
27
C. ICS Cyber Resilience Assessment Model (CRAM)
The cyber resilience assessment model assesses the
complete ICS system and network in terms of technical,
organizational, and physical capabilities as shown in Fig. 3.
The model assesses each of the R4 metrics under the physical,
organizational, and technical domain. The assessment is
subjective because the criteria to evaluate those sub-metrics
are normally not quantifiable. For example, the effectiveness
of contingency planning which falls under Technical
Redundancy is a question of subjective judgment to be
evaluated by the ICS expert. Using the subjective evaluation
from the sub-metrics, overall resilience metrics can be
assessed which we discuss in section IV. As the model itself
is explanatory, we are not going into the further discussion
here.
D. ICS Cyber Resilience Framework
We present the ICS resilience framework in detail in
Table I. The framework is based on the cyber resilience
assessment model as in Fig. 3 and designed to assess the
cyber resilience of the ICS. The framework can serve as a
platform to create secure and resilient ICS across different
industries (Energy, Oil & Gas, Manufacturing etc.). Again,
the resilience is assessed in terms of robustness, redundancy,
resourcefulness, and rapidity in the three domains: physical,
organizational, and technical. The details provided in the
framework make it self-explanatory.
IV. METRICS FORMULATION AND ANALYSIS
One of our objectives in this work is to make the resilience
metrics operational, i.e., the metrics should be analytically
measurable and quantifiable with the available data and
resources. One challenge of developing effective,
generalizable resilience metrics for ICS is that the data
regarding the cybersecurity of ICS is not available mostly due
to regulation that requires reporting only a subset of cyber-
attacks in a lot of countries as reported in [12]. Consequently,
ICS companies with established cybersecurity policies prefer
to keep their data confidential, largely due to privacy, and the
proprietary nature of information. By taking into
consideration the lack of system data availability, resilience
metrics can be evaluated with a qualitative approach using
cautiously chosen sets of questionnaires. The questionnaires
are designed in a way so that it can address each individual
sub-metric and therefore capture qualitative information
about the system resilience posture. The resilience metrics
can be obtained by aggregating the individual sub-metrics
using a multi-criteria decision-making approach such as
Analytical Hierarchy Process (AHP) [13]. We want to
mention here that we have given lots of efforts to make the
questionnaires as realistic, balanced, and pertinent as possible
by taking subject matter experts’ (SME) opinions and ICS
security standards [9, 14-16] into considerations. Some of the
subject matter experts are our collaborators in this work.
Some other SMEs are professionals working in the ICS
industries.
28
Fig. 4. Decomposition of robustness into the AHP process hierarchy
A. Analytical Hierarchy Process (AHP)
The Analytic Hierarchy Process (AHP) is a structured
technique for organizing and analyzing complex decisions
based on mathematics and psychology [13]. It has been
widely used to provide cybersecurity metrics because it
combines the objectivity of mathematics and the subjectivity
of psychology to evaluate information and make decisions
[13, 17-19].
B. Resilience Metrics Formulation Using AHP
To compute the resilience metrics, 𝑁𝑁 datasets were
collected from 𝑁𝑁 cybersecurity experts. Here datasets
represent the response of questionnaires related to the ICS
system. For our example case in sub-section C, we have used
𝑁𝑁 = 10. This type of data collection from security experts
has used to provide a scoring formula for cybersecurity
metrics [19, 20] and we adopt the same methodology to
collect the data. The steps involved in implementing the AHP
methodology are presented below.
Step 1: Each resilience metric is decomposed into a
hierarchy of 4 levels: goal (maximize the corresponding
resilience metric), criteria, sub-criteria, and alternatives
(possible values that the sub-criteria can take). Fig. 4
illustrates the hierarchy that we build for the robustness
metric as an example. Each criterion at lower level criteria
affects the overall effort of maximizing the robustness. In the
same way, each sub-criterion (respective to alternative
options) affects its corresponding criterion.
Step 2: Data were collected from 𝑁𝑁 cybersecurity experts
(SMEs) corresponding to the hierarchy of Fig. 4. 𝑁𝑁 = 10 for
our sample illustration. The data collection process was based
on a pairwise comparison implementing the qualitative scale
explained in [13].
Step 3: The pairwise comparisons of all criteria and
alternatives constructed in step 2 are organized into a square
matrix. Mathematically, the pairwise comparison matrix 𝐴𝐴,
for 𝑚𝑚 factors requires an 𝑚𝑚 x 𝑚𝑚 elements. Each entry in 𝐴𝐴
denoted by 𝑎𝑎𝑖𝑖𝑖𝑖 , represents the comparison between factor 𝑖𝑖
and factor 𝑗𝑗. The pairwise comparison matrix can be
determined by using (1).
 TABLE II. VALUES OF THE RANDOM INDEX FOR SMALL PROBLEMS
* With respect to Robustness, what criteria do you find the most important
(M < 10) [13]
between Physical and Organization ?
𝒎𝒎 factors 2 3 4 5 6 7 8 Physical

𝑹𝑹𝑹𝑹 0.00 0.58 0.9 1.12 1.24 1.32 1.41 Organization

* Based on your previous choice, evaluate the following statements
1 𝑎𝑎12 … 𝑎𝑎1𝑚𝑚
⎡ 1 ⎤ Equal Moderate Strong Very Strong Extreme
Importance Importance Importance Importance Importance
⎢ 1 … 𝑎𝑎2𝑚𝑚 ⎥ 1 3 5 7 9
Importance
𝐴𝐴 = ⎢ 𝑎𝑎…
12
… … … ⎥
⎥ (1) of selection
⎢
⎢ 1 1
… 1 ⎥
⎣ 𝑎𝑎1𝑚𝑚 𝑎𝑎2𝑚𝑚 ⎦ Fig. 5. Sample pairwise comparison between the Physical and the
Organization criteria for the Robustness metric
In addition, the individual responses of the 𝑁𝑁 SMEs were
* With respect to Segmentation sub criteria, what option do you find is the
aggregated by using the geometric mean, which yielded to most important between High and Medium ?
one unique comparison matrix. High (H)

𝑁𝑁 1/𝑁𝑁 Medium (M)

𝑎𝑎𝑖𝑖𝑖𝑖 = ���𝑎𝑎𝑖𝑖𝑖𝑖 �𝑘𝑘 � (2) * Based on your previous choice, evaluate the following statements

𝑘𝑘=1 Equal Moderate Strong Very Strong Extreme

Importance Importance Importance Importance Importance
where �𝑎𝑎𝑖𝑖𝑖𝑖 �𝑘𝑘 is the response obtained by the 𝑘𝑘 𝑡𝑡ℎ Importance 1 3 5 7 9
of selection
cybersecurity expert.
Step 4: When all judgments are made, the relative weight Fig. 6. Sample pairwise comparison between options High (H) and Medium
of each criterion respective to the goal is calculated. These (M) for the segmentation sub-criteria metric
weights are obtained with the normalized right eigenvector of
the pairwise comparison matrix 𝐴𝐴. The relative weights of all TABLE III. LIST OF POSSIBLE VALUES FOR THE SUB CRITERIA
the sub-criteria and alternative options are generated using Value Description
the same process. High (H) Specialized measures are implemented in the ICS
for the corresponding sub criteria
Step 5: A Consistency Ratio (CR) is calculated to measure Medium (M) Some measures are implemented in the ICS for
how accurate or consistent are the judgments of the 𝑁𝑁 the corresponding sub criteria
experts’ responses. For the 𝑘𝑘 𝑡𝑡ℎ cybersecurity expert Low (L) No or very few measures are implemented in the
response, if 𝐶𝐶𝐶𝐶𝑘𝑘 < 0.1 then the judgment of this expert can ICS for the corresponding sub criteria
be accepted; otherwise it should be excluded from the
TABLE IV. PAIRWISE COMPARISON MATRIX A AND EIGENVECTOR
analysis for inconsistency. The consistency ratio can be FOR MAXIMIZING ROBUSTNESS WITH RESPECT TO THE 3 CRITERIA C1, C2
evaluated by comparing the Consistency Index (CI) with the AND C3
Random Index (RI) [13]: Criteria
𝐶𝐶𝐶𝐶 Physical Organization Technical Normalized
(3) Eigenvector
𝐶𝐶𝐶𝐶 = (𝑪𝑪𝟏𝟏 ) (𝑪𝑪𝟐𝟐 ) (𝑪𝑪𝟑𝟑 )
𝑅𝑅𝑅𝑅
Physical 1 0.20 0.11 0.0578
The values of the random index are shown in Table II for Organization 4.89 1 0.20 0.2039
small problems (𝑚𝑚 < 10) and the consistency index 𝐶𝐶𝐶𝐶 is Technical 8.95 5.101 1 0.7382
given by:
criteria 𝐶𝐶1 , 𝐶𝐶2 , and 𝐶𝐶3 : Physical, Organization, and Technical.
𝜆𝜆𝑚𝑚𝑚𝑚𝑚𝑚 − 𝑚𝑚 (4) Each criterion has four sub-criteria 𝑆𝑆𝑆𝑆1 , 𝑆𝑆𝑆𝑆2 , 𝑆𝑆𝐶𝐶3 , and 𝑆𝑆𝐶𝐶4 :
𝐶𝐶𝐶𝐶 = Access Control, Segmentation, Diversity, and Risk Mitigation
𝑚𝑚 − 1
as in Table II. Finally, we design each sub-criterion to take
In (4), 𝜆𝜆𝑚𝑚𝑚𝑚𝑚𝑚 is the maximum eigenvalue of the expert values among three alternative options: High (𝐻𝐻), Medium
(𝑀𝑀) and Low (𝐿𝐿) which are presented in Table III.
judgment.
Step 6: The resilience metric is calculated by combining The scale within each pairwise comparison is based on a
the total of the weights of the elements of each level multiplied Likert scale having equal importance as the lowest parameter,
by the weights of the corresponding lower-level elements. which is indicated with a numerical value of one, and extreme
importance which indicated with a numerical value of 9 as
C. Robustness as an Illustration shown in Fig. 5 and Fig. 6. We have analyzed using 𝑁𝑁 =
To explain the formulation process discussed in sub- 10 datasets, where 𝑁𝑁 ′ = 2 are excluded for inconsistency
section B, we provide an example here for the Robustness (CR < 0.1). Table VI contains the aggregated pairwise
metric. As shown in Fig. 4, the robustness metric has three comparison matrix that was collected from the
remaining consistent datasets for the three criteria 𝐶𝐶1 , 𝐶𝐶2 , and

29
 𝐶𝐶3 . From the normalized right eigenvector of Table IV, we
find the Robustness in function of the Physical ( 𝐶𝐶1 ) ,
Organization (𝐶𝐶2 ) and Technical (𝐶𝐶3 ) criteria as:
𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅 = 0.06𝐶𝐶1 + 0.200𝐶𝐶2 + 0.74𝐶𝐶3
Similarly, pairwise comparisons were done between sub-
criteria, and alternatives. We derive the relative weights of
each criterion and the score corresponding to the alternative
options at the lower level of the hierarchy. Equation (6) and
(8) give the numerical values that we obtained for the relative
weights and the score vector for the four criteria and three
alternative options respectively.
𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴 𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶 (𝑆𝑆𝑆𝑆1 ) 0.3
𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆 (𝑆𝑆𝑆𝑆2 )
� � = �0.2�
𝐷𝐷𝐷𝐷𝐷𝐷𝐷𝐷𝐷𝐷𝐷𝐷𝐷𝐷𝐷𝐷𝐷𝐷(𝑆𝑆𝑆𝑆3 ) 0.1
𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅 𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀 (𝑆𝑆𝑆𝑆4 ) 0.4
Equation (7) shows how the Organization criteria (𝐶𝐶2 ) is
computed in function of the four sub-criteria,
𝐶𝐶2 = 0.3 𝑆𝑆𝑆𝑆1 + 0.2 𝑆𝑆𝑆𝑆2 + 0.1 𝑆𝑆𝐶𝐶3 + 0.4 𝑆𝑆𝑆𝑆4
𝐻𝐻 0.73
�𝑀𝑀� = �0.2067�
𝐿𝐿 0.0581
V. CONCLUSION
In this paper, we investigate the cyber resilience of ICS.
First, we discuss the properties of a resilient ICS. Then we
adapt the R4 framework to derive the cyber resilience
assessment model (CRAM) for ICS. Finally, we propose a
detailed cyber resilience framework for ICS using the
CRAM. We explain how to effectively quantify and evaluate
cyber resilience metrics using the proposed framework. The
framework can provide directions in ICS resilience analysis
and assessment process and help the ICS operators and
technical experts to better understand their industrial control
system architecture to make it more resilient from
cyberattacks. Unlike most of the relevant works that only
provide security guidance and recommendations, we have
derived the resilience metrics using the proposed framework
which provides quantitative insights into the ICS cyber
resilience. This resilience metrics formulation process can be
used to evaluate and analyze overall ICS network resilience.
ACKNOWLEDGMENT
This material is based upon work supported by the
Department of Energy under Award Number DE-
OE0000780.
DISCLAIMER
This report was prepared as an account of work sponsored
by an agency of the United States Government. Neither the
United States Government nor any agency thereof, nor any of
their employees makes any warranty, express or implied, or
assumes any legal liability or responsibility for the accuracy,
View publication stats
completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would
not infringe privately owned rights. Reference herein to any
specific commercial product, process, or service by trade
(5) name, trademark, manufacturer, or otherwise does not
necessarily constitute or imply its endorsement,
recommendation, or favoring by the United States
Government or any agency thereof. The views and opinions
of authors expressed herein do not necessarily state or reflect
those of the United States Government or any agency thereof.
REFERENCES
[1] R. Kinney, P. Crucitti, R. Albert, and V. Latora, “Modeling cascading
failures in the North American power grid,” The European Physical
(6)
Journal B-Condensed Matter and Complex Systems, vol. 46, no. 1, pp.
101-107, 2005.
[2] C. Glenn, D. Sterbentz, and A. Wright, Cyber Threat and Vulnerability
Analysis of the US Electric Sector, Idaho National Lab.(INL), Idaho
Falls, ID (United States), 2016.
[3] D. U. Case, “Analysis of the cyber attack on the Ukrainian power grid,”
Electricity Information Sharing and Analysis Center (E-ISAC), 2016.
[4] K. Tierney, and M. Bruneau, “Conceptualizing and measuring
(7) resilience: A key to disaster loss reduction,” TR news, no. 250, 2007.
[5] N. A. o. Sciences, Disaster resilience: a national imperative,
Washington, D.C., 2012.
(8) [6] I. Linkov, D. A. Eisenberg, K. Plourde, T. P. Seager, J. Allen, and A.
Kott, “Resilience metrics for cyber systems,” Environment Systems and
Decisions, vol. 33, no. 4, pp. 471-476, 2013.
[7] D. Bodeau, and R. Graubart, “Cyber resiliency engineering
framework,” MTR110237, MITRECorporation, 2011.
[8] C. I. Cybersecurity, “Framework for Improving Critical Infrastructure
Cybersecurity,” Framework, vol. 1, pp. 11, 2014.
[9] K. Stouffer, J. Falco, and K. Scarfone, “Guide to industrial control
systems (ICS) security,” NIST special publication, vol. 800, no. 82, pp.
16-16, 2011.
[10] S. Bologna, A. Fasani, and M. Martellini, "Cyber Security and
Resilience of Industrial Control Systems and Critical Infrastructures,"
Cyber Security, pp. 57-72: Springer, 2013.
[11] D. Wei, and K. Ji, "Resilient industrial control system (RICS):
Concepts, formulation, metrics, and insights." pp. 15-22.
[12] A. McIntyre, B. Becker, and R. Halbgewachs, “Security metrics for
process control systems,” Sandia National Laboratories, Sandia
Report SAND2007-2070P, 2007.
[13] T. L. Saaty, “Relative measurement and its generalization in decision
making why pairwise comparisons are central in mathematics for the
measurement of intangible factors the analytic hierarchy/network
process,” RACSAM-Revista de la Real Academia de Ciencias Exactas,
Fisicas y Naturales. Serie A. Matematicas, vol. 102, no. 2, pp. 251-318,
2008.
[14] M. J. Bartock, J. A. Cichonski, M. P. Souppaya, M. C. Smith, G. A.
Witte, and K. A. Scarfone, Guide for cybersecurity event recovery,
2016.
[15] J. T. Force, and T. Initiative, “Security and privacy controls for federal
information systems and organizations,” NIST Special Publication,
vol. 800, no. 53, pp. 8-13, 2013.
[16] T. Macaulay, and B. L. Singer, Cybersecurity for industrial control
systems: SCADA, DCS, PLC, HMI, and SIS, p.^pp. 51: Auerbach
Publications, 2016.
[17] K. Sun, S. Jajodia, J. Li, Y. Cheng, W. Tang, and A. Singhal,
"Automatic security analysis using security metrics." pp. 1207-1212.
[18] L. Watkins, and J. Hurley, "Cyber Maturity as Measured by Scientific
Risk-Based Metrics." p. 384.
[19] G. C. Wilamowski, J. R. Dever, and S. M. Stuban, “Using Analytical
Hierarchy and Analytical Network Processes to Create CYBER
SECURITY METRICS,” Defense Acquisition Research Journal: A
Publication of the Defense Acquisition University, vol. 24, no. 2, 2017.
[20] H. Tran, E. Campos-Nanez, P. Fomin, and J. Wasek, “Cyber resilience
recovery model to combat zero-day malware attacks,” computers &
security, vol. 61, pp. 19-31, 2016.
30