Abstract
This paper is the result of a cyber risk assessment whose goal was to increase awareness among infrastructure operators, managers, and political leadership. Senior executives and political leaders have a very limited understanding of industrial control systems (ICS) and of the crucial role ICS play in public/private infrastructure, industry, and military systems. Therefore, to accomplish our purpose, we conducted a cyber-risk study focusing on a bridge tunnel ICS and a cyber event that tampered with traffic light operation, two scenarios of concern for senior leaders. In this paper, we present the analytic approach, discuss our model and simulation, and analyze the results using notional data and a generic system description. As a result of this study, we were able to discuss the importance of control systems with senior leaders. We were able to demystify what we mean by “cyber”, showing that the effects of cyber scenarios of concern can be injected into simulations to assess impact. Most importantly, during a system audit, ICS operators with decades of engineering experience began to realize that the ICS is vulnerable to willful intrusion.
Notes
Natural hazard risk is the other type of risk of concern to DHS.
A Stuxnet-styled attack targets the firmware in a programmable logic controller (Basnight et al. 2013).
Joseph Weiss is an industry expert on control systems and electronic security of control systems, with more than 35 years of experience in the energy industry. He has conducted numerous SCADA system vulnerability assessments, taught numerous SCADA security short courses, given several university lectures, and authored the book, Protecting Industrial Control Systems from Electronic Threats.
References
Basnight Z, Butts J, Lopez J, Dube T (2013) Firmware modification attacks on programmable logic controllers. Int J Crit Infrastruct Prot 6(2):76–84
Boyer S (1999) SCADA supervisory control and data acquisition—2nd edition, instrumentation, systems, and automation society. Research Triangle Park, NC
Common Cybersecurity Vulnerabilities in Industrial Control Systems (2011) Control systems security program. National Cyber Security Division, DHS
Ezell B, Bennett S, Von Winterfeldt D, Sokolowski J, Collins A (2010) Probabilistic risk analysis and terrorism risk. Risk Anal 30(4):575–589
Kaplan S, Garrick B (1981) On the quantitative definition of risk. Risk Anal 1(1):11–27
DHS Risk Lexicon (2010) Risk Steering Committee
NIST 800-82 (2011) Guide to Industrial Control Systems (ICS) Security. National Institute of Standards and Technology
Parnell G, Banks D, Borio L, Brown G, Cox LA, Gannon J, Harvill E, Kunreuther H, Morse S, Pappaioanou M, Pollack S, Singpurwalla N, Wilson A (2008) Report on methodological improvements to the department of homeland security’s biological agent risk analysis. National Academies Press, Washington, DC
Robinson RM, Khattak A (2012) Evacuee route choice decisions in a dynamic hurricane evacuation context. Transportation Research Record, J Transp Res Board, No. 2312, Transportation Research Board of the National Academies, Washington, DC, pp. 141–149
Shan X, Zhuang J (2013) Hybrid defensive resource allocations in the face of partially strategic attackers in a sequential defender-attacker game. Eur J Oper Res 228(1):262–272
Weiss J (2007) Threats impacting the nation, testimony before the subcommittee on oversight, investigations, and management. Committee on Homeland Security, House of Representatives, U.S. Government Accounting Office, Washington, DC
Weiss J (2010) Protecting industrial control systems from electronic threats. Momentum Press, NY
Wilshusen G (2012) Threats impacting the nation, testimony before the subcommittee on oversight, investigations, and management. Committee on Homeland Security, House of Representatives, U.S. Government Accounting Office, Washington, DC
Cite this article
Ezell, B.C., Michael Robinson, R., Foytik, P. et al. Cyber risk to transportation, industrial control systems, and traffic signal controllers. Environ Syst Decis 33, 508–516 (2013). https://doi.org/10.1007/s10669-013-9481-2
DOI: https://doi.org/10.1007/s10669-013-9481-2