Risks Assessment of Critical Industrial Control Systems

  • Gabriel Rădulescu
Part of the Studies in Systems, Decision and Control book series (SSDC, volume 255)


When we deal with the risks associated with industrial control systems (ICS), we have to frame them within a more general problem: risk management (RM) techniques. Organizations always manage risk in order to fulfill their (business) tasks and objectives; this covers economic and financial risk, physical risk to personnel, equipment failure, ICS malfunction and so on. Normally, such organizations evaluate their business risks and determine how to deal with them according to their priorities, taking into account internal and external constraints. RM is regarded as an interactive process, permanently connected with the usual (technical) processes. At the same time, ICS use normally comes with good engineering practices and compulsory safety rules. These safety assessments are formulated as regulatory requirements and form part of the official operating procedures. This is why we consider that RM (in general) and ICS-associated risks (in particular) may be regarded as an added/complementary dimension to any plant operation. Based on a comprehensive literature study, this chapter concentrates on how ICS-associated risks (usually formulated at the global system information level) are identified, expressed and (if possible) quantified. At the same time, as with any other RM activity, we will indicate that dealing with these risks usually impacts the other system levels. It is our intention to show how extending the concepts emphasized here (for the control level) provides ICS-specific rules to be integrated into specific system/plant operating procedures. Finally, some conclusions will be presented.



Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  1. Control Engineering, Computers and Electronics Department, Petroleum-Gas University of Ploiești, Ploiești, Romania
