A Quantitative Methodology for Measuring Cyber Risk to Critical Infrastructure

Meghan McGarry | 17-ERD-117

Project Overview

We developed the Quantitative Intelligent Adversary Risk Assessment (QIARA) framework to provide a quantitative understanding of the risks of cyber-attacks to the power grid. QIARA inverts the traditional approach to risk analysis by starting with the consequence and working back to attack scenarios that would result in the consequence, thereby ensuring only relevant attack paths are considered. Rather than estimate the probability of a cyber-attack, QIARA defines the risk in terms of the difficulty to any adversary of executing the attack, independent of the capabilities of a particular threat actor. This difficulty-based assessment enables relative risk comparison between different attack paths, providing a quantitative understanding of the risk landscape and the impact of potential mitigations and countermeasures. By providing an ability to assess the effectiveness of countermeasures, this methodology significantly improves capabilities related to critical infrastructure (CI) protection and enables decision-makers to make performance-based decisions on future investments. Further, the methodology can be generalized across different CI sectors and for other types of intelligent adversary attacks, allowing a decision-maker to develop a comprehensive CI protection strategy.

Mission Impact

The QIARA methodology enables CI owners and operators, as well as the federal government, to better understand their risk landscape and make performance-based prioritization decisions regarding their investments into the cybersecurity of the electric grid. QIARA has been extended and used for applications for (1) the Department of Energy’s Cybersecurity, Energy Security, and Emergency Response (CESER) office for power grid security; (2) the Department of Homeland Security's Science and Technology directorate for global positioning system (GPS)-associated risks; and (3) California utilities and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) for use in larger-scale investigations of power-grid vulnerability, as well as critical failure analysis for the oil and natural gas sector.

Publications, Presentations, and Patents

Altus, S. L., et al. 2019. "Variable Neighborhood Search Methods for Squirrel." Scholars Poster Symposium. Livermore, CA, Summer 2019. LLNL-POST-785222

Graham, K. L., et al. 2018. "Parallel Implementation of Model Order Reduction for Discrete Operating Regimes (MORDOR) in Squirrel." Scholars Poster Symposium. Livermore, CA, Summer 2018. LLNL-POST-755533

Mackay, S., et al. 2021. “Finding Diverse Ways to Improve Algebraic Connectivity through Multi-start Optimization.” Journal of Complex Networks, 9(1). doi.org/10.1093/comnet/cnab005