A Quantitative Methodology for Measuring Cyber Risk to Critical Infrastructure

Jovana Helms (16-FS-042)

Project Description

The U.S. Department of Homeland Security reports that cyber attacks on the electric grid system are increasing in both frequency and sophistication. Such attacks come from a variety of sources, including nation states and sub-national terrorist organizations. Concern over their ability to hack into power grid software and possibly disrupt the electrical supply system is growing because such an attack could be one of the quickest ways to disrupt the U.S. economy. Protecting our nation’s critical infrastructure from cyber, physical, and environmental hazards requires the ability to measure risk to that infrastructure and assess how that risk is impacted by mitigation actions. In an effort to reduce the risk to critical infrastructure from cyber attacks, the National Institute of Standards and Technology was charged with creating a voluntary framework. This framework consists of standards and best practices to help critical infrastructure owners mitigate their risk. While useful, a best-practices- or compliance-based risk-mitigation approach has limitations. Without being able to quantitatively measure risk, it is not possible to defensibly prioritize security investments or evaluate trade-offs between security and functionality. We plan to explore the feasibility of a new approach for quantitatively measuring and monitoring cyber risks to the energy sector, beginning with the electrical utilities. A difficulty-based risk-assessment methodology has recently been developed to understand risk to nuclear weapons security from physical attacks. Rather than working forward through an event tree, this approach starts by defining consequence tiers of interest, creating a limited number of representative scenarios that could result in consequences in those tiers, and then assessing the difficulty of executing each scenario. It makes no assumptions about adversary capabilities or intent, and does not require the characterization of every potential scenario perturbation.

We believe that the fundamental concepts from this approach can be leveraged to develop a quantitative risk-assessment methodology that would be applicable to cyber risks to energy infrastructure. We will focus on developing inverse models to analyze grid failures from a consequence-based perspective. If successful, this feasibility study will serve as an enabling capability for developing a quantitative methodology for critical infrastructure cyber risk assessment.

We intend to examine the feasibility of a new approach to quantitatively assessing the risk to the nation’s critical infrastructure from cyber and other threats. Traditional quantitative risk-assessment methodologies, such as the probabilistic risk-assessment approach used by the National Aeronautics and Space Administration and the Nuclear Regulatory Commission, define risk as the product of threat, vulnerability, and consequence. These approaches assume that the system is well-characterized and events can be treated probabilistically. The introduction of an intelligent adversary who does not necessarily behave in a predictable, probabilistic manner renders these assumptions invalid, severely limiting the utility of traditional risk-assessment methodologies in this area. To develop a difficulty-based methodology for quantifying cyber risk, we must have a clear understanding of the impacts on critical infrastructure that compromise national security and the critical failures that can cause them. We expect to leverage knowledge obtained through our collaboration with the California Energy System for the 21st Century and existing analysis performed by the North American Electric Reliability Corporation (the organization of U.S. electric grid operators based in Atlanta, Georgia) to define a prioritized set of undesired consequences. By leveraging Livermore's existing grid-modeling capabilities, we will then attempt to solve the inverse problem of identifying critical points of failure for a given consequence.

Mission Relevance

This research supports the Laboratory’s energy and climate security strategic focus area by providing a fundamental capability to energy infrastructure security. Our work would enhance Livermore’s ability to articulate the value and impact of other work in the infrastructure security area and enable strategic engagement with federal agencies and industry. We will leverage Laboratory core competencies in cybersecurity, space, and intelligence as well as electric grid modeling and our understanding of threat assessment.

FY16 Accomplishments and Results

In FY16 we (1) completed extensive research on existing consequence analysis for the power grid; (2) evaluated requirements that the specified consequence description will need to include to serve as input to Livermore LDRD-developed GridDyn modeling (a new high-performance-computing, power-transmission-system simulator); (3) developed a workflow of how inverse modeling in GridDyn will be performed (see figure), and successfully defined the critical failure analysis as an inverse problem; and (4) selected two historical consequences, one severe and one of minor impact, to help characterize the consequence description that can be fed into the GridDyn model.

Flowchart describing the inverse modeling capability for the GridDyn power-transmission-system simulator.