A Fact-driven Security Assessment Methodology for SCADA Systems in Operational Environments

Abstract

Today, the operators of critical infrastructures are forced to assess the cyber-security of the SCADA (Supervisory Control and Data Acquisition) systems deployed in their plants. Typical approaches for this purpose are security risk assessments, vulnerability scans, patch management, or penetration testing. Typically, such security assessment approaches are rarely based on standard procedures and depend on individual knowledge and capabilities. Additionally, they return little reproducible results with respect to the operators’ specific SCADA topologies or operational proceeding recommendations for security improvements. In order to support the SCADA cyber-security validation as part of the operators’ business processes, we describe a novel approach to a fact-driven security assessment method. The required facts are SCADA-related data which are available to the operators: first, descriptive data of possible plant attack scenarios are collected. In the second step, the target systems are described in a way that enables an automatic or semi-automatic security validation. Finally, the attack scenario data are mapped on the target system data by means of a search algorithm realized via logic programming. The solution returns those attack scenarios which can be successfully executed against the target systems ‐ due to technical constraints. In addition to this assessment approach, a security metric is described that is applicable to operators’ business processes. The proposed metric is calculated from the results of the previous security assessment. Without any speculations on attacker capabilities or attack probabilities, the proposed metric is based on security-related system properties at the time of the assessment. In order to illustrate the applicability of the proposed method and security metric, the results of a sample assessment and the comparison with a standard-based approach is given. With a dedicated SCADA cyber-security management becoming a part of the operators’ business processes, on-going security improvements and awareness processes may be implemented.