Techniques for evaluating cyber-sabotage risk to industrial systems are well understood by those skilled in the art – evaluate a large inventory of possible attacks against the cyber-physical system in question, and render a verdict. Communicating the results of the assessment to business decision-makers is more difficult, especially for low-frequency, high-impact (LFHI) attacks for which there are no historical statistics.
Since business decision-makers understand example attacks more readily than abstract risk metrics, this paper simplifies assessing and communicating risk by defining a standard set of Top 20 industrial control system (ICS) attacks spanning a wide range of attack sophistication and consequences. The key risk metric to communicate to business decision-makers, then, is the nature of the simplest attack that is not reliably defeated by existing or proposed security measures.
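Added example, not part of the paper: a small Python model of the metric described above, applied to two constructed security programs and a constructed attack list. Every attack name, attacker step and control name below is a hypothetical placeholder, not one of the paper's Top 20, and the modelling rule that an attack is "reliably defeated" when at least one of its mandatory steps is reliably blocked by some control is an assumption of this example, not a claim of the paper.

```python
# Added example (not the paper's own code or attack list). Attack, step and
# control names are constructed placeholders for illustration only.
from dataclasses import dataclass


@dataclass(frozen=True)
class Attack:
    rank: int        # 1 = least sophisticated; a lower rank means a simpler attack
    name: str
    steps: tuple     # mandatory attacker steps, each of which must succeed


# Constructed attack inventory, ordered by increasing sophistication.
ATTACKS = (
    Attack(1, "malicious USB on engineering workstation",
           ("usb_autorun", "ews_exec", "plc_write")),
    Attack(2, "phishing into IT, then pivot into OT",
           ("phish", "it_lateral", "it_ot_traversal", "plc_write")),
    Attack(3, "stolen remote-access credentials",
           ("phish", "remote_access_login", "plc_write")),
    Attack(4, "compromised vendor update package",
           ("vendor_update", "ews_exec", "plc_write")),
    Attack(5, "insider with physical access to the PLC",
           ("physical_access", "plc_write")),
)

# A security program maps each control to the steps it reliably defeats.
# Assumption: a step is either reliably blocked or it is not; partial or
# probabilistic mitigations (e.g. signature antivirus) count as not reliable,
# which is why such controls map to an empty set here.
PROGRAM_A = {
    "removable_media_control": frozenset({"usb_autorun"}),
    "it_ot_firewall": frozenset({"it_ot_traversal"}),
    "signature_antivirus": frozenset(),
}
PROGRAM_B = {
    "removable_media_control": frozenset({"usb_autorun"}),
    "unidirectional_gateway": frozenset({"it_ot_traversal", "remote_access_login"}),
    "vendor_update_verification": frozenset({"vendor_update"}),
}


def reliably_defeated(attack, program):
    """Assumption of this model: an attacker stopped at any mandatory step
    never reaches the physical consequence, so blocking one step suffices."""
    blocked = set().union(*program.values())
    return any(step in blocked for step in attack.steps)


def simplest_undefeated(attacks, program):
    """The paper's key metric: the lowest-ranked attack the program does not
    reliably defeat, or None when every listed attack is defeated."""
    undefeated = [a for a in attacks if not reliably_defeated(a, program)]
    return min(undefeated, key=lambda a: a.rank, default=None)


def compare_programs(attacks, programs):
    """Map each program name to (rank, name) of its simplest undefeated
    attack; a higher rank means the program stops more of the simple attacks."""
    result = {}
    for label, program in programs.items():
        a = simplest_undefeated(attacks, program)
        result[label] = (a.rank, a.name) if a else (None, "all listed attacks defeated")
    return result


if __name__ == "__main__":
    for label, (rank, name) in compare_programs(
            ATTACKS, {"program A": PROGRAM_A, "program B": PROGRAM_B}).items():
        print(f"{label}: simplest undefeated attack = #{rank} {name}")
```

With these constructed inputs, program A is first beaten by attack #3 (nothing in it reliably blocks a remote login with stolen credentials), while program B is first beaten by attack #5, so the comparison for a decision-maker reduces to "A falls to a phishing-plus-remote-access attack; B only falls to an insider with physical access." Swapping in a site's real attack inventory and control set is the work of the assessment itself.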
This paper concludes with a worked example, applying the Top 20 style of assessment to an example industrial site and comparing the strength of two different security programs for the site against the standard attacks.