- Senior Lecturer, Department of Chemical Engineering, University of Port Harcourt, , Nigeria
Information Technology (IT) is vital and valuable to our society. An important type of IT system is Supervisory Control and Data Acquisition (SCADA) systems. The most common misconception regarding the security of SCADA was that this network was electronically isolated from other networks and hence attackers could not access them. Over the years SCADA systems have become incorporated with other IT systems, which has made them becoming increasingly vulnerable to cyber threats. Decision makers should assess the security that the SCADA system’s architecture offers so as to make notified decisions about its appropriateness. In this work a mixed qualitative and quantitative approach for evaluation of Cyber security for a Hypothetical Refinery. Cyber security scenario has been modeled by using Defense Tree (DT), an extension of Attack Tree (AT) with attack countermeasures. Numerical values were assigned to the leaf nodes to assert the difficulty of compromising the root nodeand quantitative indexes for computing the defender’s Return On security Investment (ROI) and the attacker’s Return On Attack (ROA). It has been shown that this approach can be used to evaluate the strength and economic profitability of countermeasures as well as their impediment effect on attackers, thus providing decision makers with a utilitarian tool for performing better evaluation of Cyber security investments during the risk management process in our local refinery.
Keywords: SCADA, Vulnerability Assessment, Attack Tree, Defense Tree, ROA, ROI
[This article belongs to Emerging Trends in Chemical Engineering(etce)]
1. VanKessel P. and Allan K. (2013). Under Cyber Attacks.:Global Information Security Survey(online). Available from https://www.slideshare.net/ernstandyoung/under-cyber-attack-eys- global-information-security-survey-2013-30942141
2. McAfee. (2014). Net Losses: Estimating the Global Cost of Cyber Crime, Economic Impact of Cyber Crime: Center for Strategic and International Studies(online). Available from https://csis- website-prod.s3.amazonaws.com/s3fs public/legacy_files/files/attachments/140609_McAfee_PDF.pdf
3. VanKessel P. and Allan K. (2014, October). Get Ahead of Cyber Crimes: Global Information Security Survey(online). Available from https://www.eycom.ch/en/Publications/20141125-Get- ahead-of-cybercrime-EYs-Global-Information-Security-Survey-2014/
4. Barbara K., Sjouke M., SasaR., et al. Attack-Defense Trees. Journal of Logic and Computation. 2012; 24(1): 55-87.
5. Buldas A., Laud P., Priisalu J., et al. Critical Information Infrastructures Security: Rational Choice of Security Measures via Multi-parameter Attack Trees. Berlin, Germany: Springer Berlin Heidelberg; 2006.
6. Weiss, J. D. (1991).Proceedings of the 14th National Computer SecurityComference: A system Security Engineering Process; 1991 October 1-4; Washington DC: National computer security center; 1991.
7. Schneier, B. Attack Trees. Dr. Dobb’s Journal. 1999; 24 (12): 21-29.
8. Hossein Bidgoli, editor. The Handbook of Computer Networks: Denial of Service Attacks: California; John Wiley & Sons. 2007.
9. Horowitz B., Jones R. A. A system aware Cyber Security Architecture Systems and Information Engineering. Systems Engineering. 2012; 15 (2): 225-240.
10. Tanya R., Dennis N., Ulf L., and et al. Proceedings of the 5th IEEE International Conference on Mobile Ad Hoc and Sensor Systems (MASS 2008): An Intrusion Detection System for Wireless Process Control System; 2008 Sep29-Oct 2; Atlanta. US: IEEE; 2008. 866-872.
11. Amenaza. (2005). Fundamentals of Capabilities based Attack Tree Analysis (online). Available from https://www.amenaza.com//downloads/docs/AttackTreeFundamentals.pdf
12. Meritt, J.W. (1999). A Method for Quantitative Risk Analysis Approach, CISSP, WLNG GLOBAL(online). Available from https://csrc.nist.gov/csrc/media/publications/conference- paper/1999/10/21/proceedings-of-the-22nd-nissc 1999/documents/papers/p28.pdf
13. Cremonini M, Martini P. (2005, June). Evaluating Information Security Investments from Attackers Perspective: the Return On Attack (ROA) (online). Available from http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.60.9925&rep=rep1&type=pdf
14. Akinola A., Kuye A., Ayodeji A. (2014). Cyber Security Evaluation for a Hypothetical Nuclear Power Plant using Attack Tree Methodology. Journal of Nuclear Engineering and Technology, 4 (1).
15. Akinola A., Kuye A., Ayodeji A. Proceedings of the 55th Annual Meeting of the Institute of Nuclear Materials Management (INMM): Cyber Attacks Analysis of a School Network; 2014 Juy20-24; Atlanta, Georgia. NY: Curran Associates, Inc.; 2015.
16. Edge K., Raines R., Baldwin R., et al. Analyzing Security Measures for Mobile Ad hoc Networks Using Attack and Protection Trees.Journal of Information Warfare. 2007; 6(2): 25-38.
17. Bistarelli S., Fioravanti F., Peretti P. First International Conference on Availability, Reliability and Security (ARES’06): Defense Trees for Economic Evaluation of Security Investments. 2006; Vienna, Austria. US: IEEE; 2006. 426-423.
18. Mauw S., Oostdijk M. 8th International Conference on Information Security and Cryptology: Foundations of Attack Trees; 2005 December; Berlin, Heidelberg: Springer-verlag; 2005.
19. Lindley D.V., Hoboken N.J. Making Decisions. 2nd ed. London: John Wiley and Sons; 1985. 20. Zadeh, L.A. Fuzzy Sets as a Basis for a Theory of Possibility. Fuzzy Sets and Systems. 1978; 1(1): 3-28.
21. Dubois D., Prade H. Possibility Theory: An Approach to the Computerized Processing of Uncertainty. 1st. ed. Germany: Springer; 1988.
|Received||March 1, 2021|
|Accepted||May 20, 2021|
|Published||May 29, 2021|