GQM-based Risk Assessment Method for Industrial Control Systems

doi:10.3969/j.issn.1006-2475.2019.08.017

Abstract

Abstract: Risk assessment is an essential component of safety and security assurance infrastructure mechanisms for industrial control systems. And safety and security attributes are tightly coupled. Information security assessment of industrial control systems should be coupled with the business goals. Based on Goal-Question-Metric (GQM) model, the industrial control systems risk assessment process is defined as identifying business goals, describing questions, and specification of metrics. The proposed risk assessment method is guided by the business goals, which are supported by the industrial control systems. The questions are raised on account of the scenario-based risk model. Information and data are collected concentrating on these questions. Then metrics are measured or evaluated using association analysis. Finally, a risk assessment instance of programmable logic controller (PLC) is described to specify the effectiveness of the proposed GQM-based risk assessment method for industrial control systems.

Key words: information security, function safety, risk assessment, threat modeling

CLC Number:

TP393

YE Qian1,WANG Yu-fei2,FU Yi3,TANG Yu-lan1. GQM-based Risk Assessment Method for Industrial Control Systems[J]. Computer and Modernization, 2019, 0(08): 92-.

References

［1］ SOLINGEN R B R V. Goal question metric(GQM) approach［M］// Encyclopedia of Software Engineering. John Wiley & Sons Inc., 2002.
［2］ ANDERSON S, FELICI M. Safety, reliability and security of industrial computer systems［J］. Reliability Engineering & System Safety, 2005,89(1):1-5.
［3］ KRIAA S, PIETRE-CAMBACEDES L, BOUISSOU M, et al. A survey of approaches combining safety and security for industrial control systems［J］. Reliability Engineering & System Safety, 2015,139(7):156-178.
［4］ KNOWLES W, PRINCE D, HUTCHISON D, et al. A survey of cyber security management in industrial control systems［J］. International Journal of Critical Infrastructure Protection, 2015,9(6):52-80.
［5］郭庆来，辛蜀骏，王剑辉,等. 从乌克兰停电事件看信息能源系统综合安全评估［J］. 电力系统自动化, 2016（5）：145-147.
［6］ SERPANOS D, KHAN M T, SHROBE H. Designing safe and secure industrial control systems: A tutorial review［J］. IEEE Design & Test, 2018,35(3):73-88.
［7］ ZHOU C, LI X, ZHANG Q, et al. Risk-based task scheduling approach for integrated control of system safety and cyber security in industrial control systems［C］// Proceedings of the 10th IET System Safety and Cyber-Security Conference. 2015:1-6.
［8］ KHOUSSI S, MATTAS A. A brief introduction to smart grid safety and security［M］// Handbook of System Safety and Security. Boston, Syngress, 2017:225-252.
［9］ ZONOUZ S, HAGHANI P. Cyber-physical security metric inference in smart grid critical infrastructures based on system administrators responsive behavior ［J］. Computers & Security, 2013,39(Part B):190-200.
［10］JOHANSSON J, HASSEL H, ZIO E. Reliability and vulnerability analyses of critical infrastructures: Comparing two approaches in the context of power systems［J］. Reliability Engineering & System Safety, 2013,120:27-38.
［11］GENGE B, SIATERLIS C, NAI FOVINO I, et al. A cyber-physical experimentation environment for the security analysis of networked industrial control systems［J］. Computers & Electrical Engineering, 2012,38(5):1146-1161.
［12］CHERDANTSEVA Y, BURNAP P, BLYTH A, et al. A review of cyber security risk assessment methods for SCADA systems［J］. Computers & Security, 2016,56(2):1-27.
［13］NI S, ZHUANG Y, GU J, et al. A formal model and risk assessment method for security-critical real-time embedded systems［J］. Computers & Security, 2016,58(5):199-215.
［14］ZHANG Q, ZHOU C, XIONG N, et al. Multimodel-based incident prediction and risk assessment in dynamic cybersecurity protection for industrial control systems［J］. IEEE Transactions on Systems, Man, and Cybernetics: Systems, 2015,46(10):1-16.
［15］LUO F, DONG Z, CHEN G, et al. Advanced pattern discovery-based fuzzy classification method for power system dynamic security assessment［J］. IEEE Transactions on Industrial Informatics, 2015,11(2):416-426.
［16］VAN STAALDUINEN M A, KHAN F, GADAG V. SVAPP methodology: A predictive security vulnerability assessment modeling method［J］. Journal of Loss Prevention in the Process Industries, 2016,43(9):397-413.
［17］LIU X, SHAHIDEHPOUR M, LI Z, et al. Power system risk assessment in cyber attacks considering the role of protection systems［J］. IEEE Transactions on Smart Grid, 2017,8(2):572-580.
［18］BODUNGEN C E, SINGER B L, SHBEEB A,等. 黑客大曝光：工业控制系统安全［M］. 戴超，张鹿，译. 北京：机械工业出版社， 2017.
［19］NIST. Guide to Industrial Control Systems(ICS) Security［EB/OL］. ［2019-02-13］. https://www.nist.gov/publications/guide-industrial-control-systems-ics-security?pub_id=918368.
［20］Cybersecurity and Infrastructure Security Agency(CISA). Cyber Security Evaluation Tool［EB/OL］. ［2019-02-15］. https://ics-cert.us-cert.gov/Assessments.
［21］Common Vulnerabilities and Exposures. CVE List［EB/OL］. ［2019-02-15］. http://cve.mitre.org.
［22］FIRST. Common Vulnerability Scoring System Version 3.0 Calculator［EB/OL］. ［2019-02-15］. https://www.first.org/cvss/calculator/3.0.
［23］HAYDEN L. 信息安全度量：用来测量安全性和保护数据的一种有效框架［M］. 吕欣，王标，于江霞，等译. 北京：北京大学出版社, 2015.

[1]	MO Yan, TANG Rong-chuan, JU Hao, SUN Shao-fei, WANG An. Commercial Cryptographic Upgrade for Industrial Internet Platform [J]. Computer and Modernization, 2023, 0(06): 118-126.
[2]	WU Yang１, WU Guo-wen１, ZHANG Hong１, SHEN Shi-gen２, CAO Qi-ying. Rumor Source Detection Based on Extended Epidemic Model [J]. Computer and Modernization, 2022, 0(01): 113-119.
[3]	LU Sai, ZHUANG Yi. Information System Risk Assessment Model Based on Self-Adaptive Expert Weight [J]. Computer and Modernization, 2021, 0(08): 85-93.
[4]	GE Bin, CHEN Gang, FANG Rui, LIAO Zhong-zhi. A Novel Hyper Chaotic Image Encryption Algorithm Using Four Directional Diffusion Based on Matrix [J]. Computer and Modernization, 2021, 0(06): 113-119.
[5]	CUI Wen-di, DUAN Peng-fei, ZHU Hong-qiang, LIU Na. Security Risk Assessmenton of Attack Graph and HMM Industrial Control Network [J]. Computer and Modernization, 2020, 0(07): 32-37.
[6]	ZHANG Su-ning, WANG Yue-juan, WU Shui-ming, JING Dong-sheng. Network Intrusion Data Clustering Algorithm Based on Krylov Subspace [J]. Computer and Modernization, 2019, 0(10): 121-.
[7]	MI Qian-kun1, WU Bin2, DU Ning1,QIN Xi1. Information System Security Risk Assessment Based on Incomplete Information Game Model [J]. Computer and Modernization, 2019, 0(04): 118-.
[8]	WANG Yin， GUO Hong-yu. CART-based Risk Assessment of Community Correction Staff [J]. Computer and Modernization, 2018, 0(08): 73-.
[9]	HUANG Yujie, TANG Zuoqi. Information Security Risk Assessment Based on Improved Bayesian Network Model [J]. Computer and Modernization, 2018, 0(04): 95-.
[10]	PING Ping， HUANG Li-lin， MAO Ying-chi， XU Guo-yan. Image Encryption Algorithm Based on Life-like Cellular Automaton [J]. Computer and Modernization, 2017, 0(10): 95-99.
[11]	YU Hao1, JIA Xue1, WANG Qiang2. Research on Safety Protection Strategy of Smart Substation Application Layer Data Encryption [J]. Computer and Modernization, 2016, 0(2): 82-85.
[12]	TANG Lian, WANG Xiao-long. Pattern Matching-based Wireless Network Security Configuration Verification Tool [J]. Computer and Modernization, 2015, 0(10): 98-102.
[13]	YANG Yun-ping, WU Zhi-jun. Application of Apache Shiro Security Framework in Technology Transfer Services System [J]. Computer and Modernization, 2014, 0(3): 158-160.
[14]	PU Lin. Identity Authentication Service Based on Restful [J]. Computer and Modernization, 2014, 0(3): 165-168.
[15]	YIN Bo;CHEN Lu;CHEN Liang;WANG Yu-fei. Application of Information Security Key Technologies for Smart Grid in Sino-Singapore Tianjin Eco-city [J]. Computer and Modernization, 2013, 1(9): 186-189.