Ideal Based Cyber Security Technical Metrics for Control Systems

  • Wayne Boyer
  • Miles McQueen
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5141)


Much of the world’s critical infrastructure is at risk from attack through electronic networks connected to control systems. Security metrics are important because they provide the basis for management decisions that affect the protection of the infrastructure. A cyber security technical metric is the security-relevant output from an explicit mathematical model that makes use of objective measurements of a technical object. A specific set of technical security metrics is proposed for use by the operators of control systems. Our proposed metrics are based on seven security ideals associated with seven corresponding abstract dimensions of security. We have defined at least one metric for each of the seven ideals. Each metric is a measure of how nearly the associated ideal has been achieved. These seven ideals provide a useful structure for further metrics development. A case study shows how the proposed metrics can be applied to an operational control system.


Cyber Security Metrics Control System Security 





Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Wayne Boyer (1)
  • Miles McQueen (1)

  1. Idaho National Laboratory, Idaho Falls, USA
