ABSTRACT

As no established or agreed-upon security framework model currently exists for SCADA and control systems environments, we felt that this document, written by the United States Department of Homeland Security and titled “Primer Control Systems Cyber Security Framework and Technical Metrics” (dated June 2009), applied most significantly in outlining and describing how SCADA and control systems should be secured and how their metrics are determined. It is with appreciation that our thanks go to DHS for such a document.*

Introduction
  Security Group Knowledge
  Attack Group Knowledge
  Access
  Vulnerabilities
  Damage Potential
  Detection
  Recovery

Defining Cyber Security Metrics
  Rogue Change Days
  Security Evaluation Deficiency Count
  Data Transmission Exposure
  Reachability Count
  Attack Path Depth
  Known Vulnerability Days
  Password Crack Time
  Worst-Case Loss
  Detection Mechanism Deficiency Count
  Restoration Time

Conclusion