A Roadmap for Quantifying the Efficacy of Risk Management of Information Security and Interdependent SCADA Systems

Abstract

Many sectors of the economy and other critical infrastructures are highly coupled and their interdependencies render them at risk to cyber terrorist attacks. This fact is further exacerbated because they are often remotely controlled and managed through supervisory control and data acquisition (SCADA) systems, which are vulnerable to such cyber intrusion. The myriad sources of risk to SCADA systems identified through hierarchical holographic modeling (HHM)serve as the impetus to the roadmap for quantifying the efficacy of risk management of interdependent SCADA systems presented in this paper. Central to this quantification metric is the deployment of the inoperability input-output model (IIM). This is a Leontief-based model that enables accounting for both the intra-and interconnectedness within each economic sector and infrastructure. At the core of the IIM is the notion of risk of inoperability, which describes a critical infrastructure's expected level of dysfunction. The input to the system is an initial perturbation triggered by an attack of terrorism, an accidental event, or a natural disaster. The outputs of the system are the resulting risks of inoperability of different infrastructures due to their connections to one another. These outputs are presented in two different metrics: (1) economic inoperability measured in dollars lost for each interdependent sector of the economy, and (2) functional inoperability measured in each sector's percentage of dysfunctionality. This model addresses the equilibrium state of the system in the event of an attack, provided that the interdependency matrix is known. The national interdependency database provided by the Bureau of Economic Analysis (BEA), US Department of Commerce, constitutes the core database for the IIM interdependency matrix. The national database consists of 483 sectors and the regional of 37 sectors. The metric used for quantifying the efficacy of risk management of interdependent SCADA systems builds on the economic losses generated by the IIM resulting from a cyber attack with and then without risk management, and considering as well the cost of risk management. A scenario of a cyber attack on telecommunications and electric power infrastructures is discussed, using national BEA data. The results are analyzed, followed by a summary and conclusions.