Industrial Internet Security Framework v 1.0 | Page 32
Security Framework
5: Managing Risk
Repudiation: Denial that a person or device was involved in a particular transaction or event. This
refers to the ability (or lack thereof) to trace which person or device was responsible for an event.
Information disclosure: Exposure of information to individuals who are not supposed to have
access to it. In the Industrial Internet, this could mean sensor data for a smart city in the hands
of persons with intentions to launch an attack on the city.
Denial of service: This refers to making a particular service unavailable, often through resource
consumption or unreliable execution.
Elevation of privilege: An unprivileged user gains sufficient access to compromise or destroy an
entire system. In elevation of privilege threats, an attacker has penetrated all system defenses
and become part of the trusted system itself, a dangerous situation indeed.
These last six items make up the acronym STRIDE.
5.3 COMMUNICATING RISK
Effective business decision-making is an important component of industrial security programs.
The costs and benefits of different security risks and defensive postures should be clearly
communicated to business decision makers, especially as they are often unfamiliar with the
details of security risks and countermeasures.
There are three basic methods for communicating risk:
Quantitative risk assessment expresses the risk of an incident as the product of the probability of
that incident occurring and the cost of the consequences of the incident. This approach works well for
high-frequency, low-impact events. Systems with large numbers of devices, where the cost of
compromise is comparatively low, and system compromise occurs frequently enough to produce
statistically significant estimates of probability, are well-served by quantitative risk assessment.
Quantitative risk assessment is much less effective for communicating the risk associated with
low-frequency, high-impact events. For example, in an IIoT system where the cost of compromise is
high, there is no way to make statistically significant predictions of the probability of such
disasters occurring in the future.
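The contrast drawn in the two paragraphs above, as an added example that is not part of the framework text: risk is computed as probability times cost, once for a frequently compromised device fleet and once for a rare plant-wide disaster, each with a 95% confidence interval on the incident rate. The incident counts, exposure figures and costs are constructed, and the exact Poisson interval is this example's assumption, not a method the framework prescribes.

```python
import math

def poisson_cdf(k, mu):
    """P(X <= k) for X ~ Poisson(mu), summed term by term."""
    term = total = math.exp(-mu)
    for i in range(1, k + 1):
        term *= mu / i
        total += term
    return total

def _root(f, lo, hi):
    """Bisection for a decreasing function with f(lo) > 0 > f(hi)."""
    for _ in range(100):
        mid = (lo + hi) / 2
        if f(mid) > 0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2

def rate_interval(events, exposure_years, alpha=0.05):
    """Exact two-sided confidence interval for incidents per unit-year."""
    top = 2 * events + 20  # safely above the upper bound on the expected count
    upper = _root(lambda mu: poisson_cdf(events, mu) - alpha / 2, 0.0, top)
    lower = 0.0  # with no observed incidents the data cannot exclude a zero rate
    if events > 0:
        lower = _root(lambda mu: poisson_cdf(events - 1, mu) - (1 - alpha / 2), 0.0, top)
    return lower / exposure_years, upper / exposure_years

def annual_risk(events, exposure_years, units, cost_per_incident):
    """Risk = probability x cost, as (low, point, high) expected loss per year."""
    lo, hi = rate_interval(events, exposure_years)
    point = events / exposure_years
    return tuple(r * units * cost_per_incident for r in (lo, point, hi))

# Constructed sample data, not taken from any real system.
FLEET = dict(events=240, exposure_years=50_000, units=10_000, cost_per_incident=800)
PLANT = dict(events=0, exposure_years=40, units=1, cost_per_incident=250_000_000)

if __name__ == "__main__":
    for name, case in (("sensor fleet", FLEET), ("plant-wide disaster", PLANT)):
        lo, point, hi = annual_risk(**case)
        print(f"{name}: {point:,.0f}/year (95% interval {lo:,.0f} to {hi:,.0f})")
```

For the fleet the interval stays within roughly 15% of the point estimate, so the product is a usable figure; for the plant the point estimate is zero while the interval reaches tens of millions per year, so the product alone communicates nothing.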
Qualitative risk assessment uses surrogates for cost or probability estimates, and expresses risk
as a mathematical function of these qualitative surrogates. For example, the French ANSSI
standards [1] calculate the importance of an industrial system by assigning a small integer rating to
each of consequences, likelihood, system complexity/functionality, connectivity, exposure and
accessibility. These rankings are combined arithmetically to produce a number between one and
three describing the importance of an industrial control system. Minimum-security measures are
then prescribed for each class of control system. Other qualitative systems assign and calculate
qualitative metrics for individual risks and kinds of incidents.
[1] See [ANSSI-CMKM]
IIC:PUB:G4:V1.0:PB:20160926