The technique for evaluating the risk of cyber-sabotage of industrial processes are well understood by those skilled in the art. Essentially, such risk assessments evaluate a typically large inventory of possible cyber attacks against the cyber-physical system in question, and render a verdict. Communicating the verdict to business decision-makers who are not familiar with cyber-security minutia is more difficult, especially for the low-frequency, high-impact (LFHI) type of attacks for which there is little statistical data.
The experience of such communications suggests that business decision-makers can much more often understand and make useful decisions about specific examples of cyber attacks, than they can understand abstract risk scores resulting from a process of evaluating millions of attacks.
This paper recommends using a standard set of Top 20 ICS attacks as a methodology for communicating cyber-sabotage risk, with the Top 20 set representing ICS attacks of varying levels of cyber and engineering sophistication, and with varying degrees of undesirable physical consequences. We recommend that a standard Top 20 includes both ICS attacks that are reliably defeated by existing cyber defenses, and attacks that are not so defeated.