Security management of cyber physical control systems using NIST SP 800-82r2

Title: Security management of cyber physical control systems using NIST SP 800-82r2
Publication Type: Conference Paper
Year of Publication: 2017
Authors: Jillepalli, A. A., Sheldon, F. T., Leon, D. C. de, Haney, M., Abercrombie, R. K.
Conference Name: 2017 13th International Wireless Communications and Mobile Computing Conference (IWCMC)
ISBN Number: 978-1-5090-4372-9
Keywords: control systems, critical infrastructure system, critical infrastructures, CSES method, cyber physical control systems, Cyber-physical systems, cybersecurity, Cyberspace, Cyberspace Security Econometrics System, Damage Assessment, Databases, Dependability, economics-based risk evaluation method, electric utility, Electricity supply industry, gas industry, gas utility, ICS security, industrial control, industrial control systems, NIST, NIST Guide, NIST SP 800-82r2, pubcrawl, resilience, Resiliency, risk assessment, risk management, security, security management, security measures, security of data, security requirements, stakeholder-aware risk evaluation method, Stakeholders, Standards, threats, vulnerabilities

Cyber-attacks and intrusions in cyber-physical control systems are, currently, difficult to reliably prevent. Knowing a system's vulnerabilities and implementing static mitigations is not enough, since threats are advancing faster than the pace at which static cyber solutions can counteract. Accordingly, the practice of cybersecurity needs to ensure that intrusion and compromise do not result in system or environment damage or loss. In a previous paper [2], we described the Cyberspace Security Econometrics System (CSES), which is a stakeholder-aware and economics-based risk assessment method for cybersecurity. CSES allows an analyst to assess a system in terms of estimated loss resulting from security breakdowns. In this paper, we describe two new related contributions: 1) We map the Cyberspace Security Econometrics System (CSES) method to the evaluation and mitigation steps described by the NIST Guide to Industrial Control Systems (ICS) Security, Special Publication 800-82r2, hence presenting an economics-based and stakeholder-aware risk evaluation method for the implementation of the NIST-SP-800-82 guide; and 2) We describe the application of this tailored method through the use of a fictitious example of a critical infrastructure system of an electric and gas utility.

Citation Key: jillepalli_security_2017