Quantitative Security Risk Assessment for Industrial Control Systems: Research Opportunities and Challenges

Matthias Eckhart^1,2+, Bernhard Brenner^1,2, Andreas Ekelhart^1,2, and Edgar Weippl^1,2
 

¹Christian Doppler Laboratory for Security and Quality Improvement in the Production System Lifecycle, TU Wien, Vienna, Austria

²SBA Research, Vienna, Austria

{firstname.lastname}@tuwien.ac.at

Abstract

Due to the gradual implementation of the Industry 4.0 vision, information technology is becoming increasingly important in industrial control systems (ICSs), such as production systems. Although the digital transformation of ICSs represents the foundation for resource-efficient and flexible industrial plants, this change increases the attack surface, leading to the emergence of new threats. Moreover, ICSs constitute an attractive target for attackers who may disrupt plant operation, causing severe physical/material damages (PD/MD), such as machinery breakdowns. In further consequence, asset owners (i.e., plant operators) may suffer from business interruption (BI) and loss of profit (LOP). Thus, security risks must be managed in all phases of the ICSs’ lifecycle, starting from engineering to decommissioning. Risk assessment is an integral part of the risk management process in which risks are identified, analyzed, and evaluated. In this context, the quantitative assessment is vital, since measuring cyber risks is required to establish an effective decision-making process for security investments. This survey article reviews the state of the art concerning quantitative security risk assessments for ICSs and identifies promising opportunities for future research and associated challenges. We report that the current state of quantitatively assessing cyber risks for ICSs is characterized by the absence of adequate (dynamic) security risk assessment methods tailored to the peculiarities of ICSs. This is aggravated by the fact that the complexity of the threat landscape increases in the light of Industry 4.0, and historical data on security incidents is lacking. As a consequence, asset owners may fail to quantitatively assess their cyber risk exposure, leaving them uncertain about security decisions. Furthermore, if they purchase cyber insurance in order to transfer the risks of non-PD BI, the underlying problem remains unsolved as (re)insurers potentially take on these unassessed risks. As an initial step to guide individuals seeking to improve the quantification of cyber risks pertaining to ICSs, this article concludes by outlining several directions for further research that are worth pursuing.

Keywords: Information Security, Industrial Control Systems, Security Risk Assessment,

Cyber Risk Quantification, Cyber Insurance.

+: Corresponding author: Matthias Eckhart

SBA Research, Floragasse 7, Vienna, Austria, Tel: +43 (1) 505 36 88,

Web: https://www.sba-research.org/team/researchers/matthias-eckhart/

Journal of Internet Services and Information Security (JISIS), 9(3): 52-73, August 2019

DOI: 10.22667/JISIS.2019.08.31.052 [pdf]