A Quantitative Methodology for Measuring Cyber Risk to Critical Infrastructure

Jovana Helms (17-ERD-117)

Executive Summary

We are developing a quantitative methodology that employs analysis, modeling, and simulation capabilities to assess the risks to the nation’s electric grid and the effectiveness of potential mitigations and countermeasures. This tool could help address the risks to the nation’s critical infrastructure from physical or cyber attacks and environmental hazards.

Project Description

The U.S. Department of Homeland Security reports that cyber attacks on the electric grid system are increasing in both frequency and sophistication. Such attacks come from a variety of sources, including nation states and sub-national terrorist organizations, and are deeply concerning because disrupting the electrical supply system is one of the quickest ways to disrupt the U.S. economy. Currently, protecting the nation’s critical infrastructure from cyber, physical, and environmental hazards is more of an art than a science. While a series of best practices for assessing risks currently exists, there is no way to compare the value of one mitigation technology or approach to another, and to determine whether risk has been mitigated to an acceptable level. Decision-makers and those charged with protecting the nation’s power grid need such risk and mitigation assessment capabilities to make informed decisions about infrastructure investments and countermeasure deployment. We plan to develop a quantitative methodology that employs analysis, modeling, and simulation capabilities to provide baseline risks to critical infrastructures and assess the effectiveness of potential mitigations and countermeasures. We will enumerate all scenarios that can lead to consequences of interest and develop automatic attack-path generation, which can be used for the analysis of mitigation strategies. While the general framework will be broadly applicable to critical infrastructure, the focus of this project is the electric grid. Our approach will be to extend existing Lawrence Livermore National Laboratory technology, specifically the software framework Squirrel, which, when given a consequence of interest in the power grid, outputs a set of simulated critical failures. Though additional research is needed to improve the performance and scalability of Squirrel’s algorithms (which will be a partial focus of this project), the proof of concept for addressing critical-failure problems exists and provides a suitable basis for further development.

Current methods for addressing cyber risk are based on best practices and compliance. While this may ensure a baseline level of cyber security, it does not provide a way to measure risk or prioritize mitigation strategies. Traditional methods for quantifying risk require knowledge of the probabilities of various events occurring, which are not available. Furthermore, enumerating all possible outcomes, required for a probability-based approach, is not feasible. To measure cyber risk to critical infrastructure, we intend to use fundamental concepts from a recently developed methodology for understanding risks to nuclear weapons from physical attacks. The framework we are developing relies on the articulation of various tiers of consequences and assesses the difficulty of an adversary successfully executing an attack that would create consequences in each of those tiers. We expect to develop a new approach for quantitatively assessing the risk to the nation’s critical infrastructure from cyber attacks and other threats. We intend to (1) improve the existing Squirrel framework to include a broader range of manipulations and consequences, and to improve the scalability and efficiency of the framework; (2) develop a representative set of cyber-attack scenarios that can result in critical failures and quantify attack difficulty; (3) quantify the effectiveness of countermeasures and map threat information into a difficulty metric; and (4) validate the framework by modeling the attacks and their effects using hardware-in-the-loop simulations. Our work will enhance the Laboratory’s ability to articulate the value and impact of other work in the infrastructure security area and enable strategic engagement with federal agencies and industry. We will leverage Laboratory core competencies in electric grid modeling and our understanding of threat assessment.

Mission Relevance

This research supports the DOE goal of maintaining a secure and resilient national energy infrastructure, as well as the NNSA goals to expand and apply our science and technology capabilities to deal with national security challenges and to protect against technological surprise. It also directly supports the Laboratory’s core competency in cyber security and cyber-physical resilience by developing capabilities to protect the nation’s critical infrastructure from cyber, physical, and environmental hazards.

FY17 Accomplishments and Results

In FY17, we (1) began work in June to extend the Squirrel framework to include a broader set of manipulations and possible outcomes; (2) created an initial set of simulated cyber attacks designed to cause specific critical failures; (3) determined that each attack's level of difficulty will be assessed and assigned a numerical score in each difficulty category, that each category will also have vectors that define the maximum capabilities for different actor tiers, and that a function that combines difficulty and capability of a given actor tier will represent the feasibility of an attack; and (4) determined that feasibility can then be combined with other dimensions (such as actor motivation, size of actor pool, and severity of consequence) to provide a quantitative metric for the overall risk of a given attack scenario.
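
One way the scoring scheme described above could be instantiated, as an added example that is not the project's own code or formula. The difficulty categories, actor tiers, 0-10 scale, weakest-link feasibility function, multiplicative risk formula, and all scenario and countermeasure values are assumptions constructed for illustration.

```python
SCALE = 10  # assumed 0-10 scoring scale
CATEGORIES = ("access", "expertise", "tooling", "time")  # hypothetical difficulty categories

# Hypothetical actor tiers: (maximum capability per category, motivation 0-1, relative pool size)
TIERS = {
    "opportunistic": ((3, 2, 2, 3), 0.2, 100),
    "organized":     ((6, 5, 6, 6), 0.5, 10),
    "nation_state":  ((9, 9, 9, 10), 0.8, 1),
}

def feasibility(difficulty, capability):
    """Assumed combining function: 0 if any category's difficulty exceeds the
    tier's maximum capability, otherwise the tightest margin scaled into (0, 1]."""
    margins = [c - d for d, c in zip(difficulty, capability)]
    if min(margins) < 0:
        return 0.0
    return (min(margins) + 1) / (SCALE + 1)

def scenario_risk(difficulty, severity):
    """Assumed risk metric: feasibility x motivation x pool size x severity, summed over tiers."""
    return sum(feasibility(difficulty, cap) * motivation * pool * severity
               for cap, motivation, pool in TIERS.values())

def harden(difficulty, countermeasure):
    """Apply a countermeasure as per-category difficulty increases, capped at SCALE."""
    return tuple(min(SCALE, d + countermeasure.get(cat, 0))
                 for cat, d in zip(CATEGORIES, difficulty))

def rank_countermeasures(difficulty, severity, countermeasures):
    """Order countermeasures by how much they reduce the scenario's risk score."""
    base = scenario_risk(difficulty, severity)
    reduction = {name: base - scenario_risk(harden(difficulty, cm), severity)
                 for name, cm in countermeasures.items()}
    return sorted(reduction.items(), key=lambda kv: kv[1], reverse=True)

# Constructed scenario and countermeasures (not taken from the project).
SCENARIO_DIFFICULTY = (4, 5, 3, 2)
SCENARIO_SEVERITY = 4  # assumed consequence-tier weight
COUNTERMEASURES = {
    "network_segmentation": {"access": 3},
    "firmware_signing": {"tooling": 2},
}

if __name__ == "__main__":
    print("baseline risk:", round(scenario_risk(SCENARIO_DIFFICULTY, SCENARIO_SEVERITY), 3))
    for name, delta in rank_countermeasures(SCENARIO_DIFFICULTY, SCENARIO_SEVERITY, COUNTERMEASURES):
        print(f"{name}: risk reduction {delta:.3f}")
```

Under this assumed weakest-link function, raising difficulty in a category that is not the binding one for any capable tier leaves the score unchanged, which is the kind of comparison between mitigations the methodology is meant to support.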