Dams Sector Roadmap to Secure Control Systems - Association of ...



3. Challenges And Milestones

This chapter addresses the challenges associated with each of the control system security goals previously described in Chapter 2, which were developed to guide efforts to improve the cybersecurity posture of the Dams Sector. In addition, corresponding milestones were established to address the challenges and support the implementation of the control system security goals.


Challenges to cybersecurity consist not only of the direct risk factors that increase the probability of a successful attack and the severity of the consequences, but also those factors that limit the ability to implement ideal security


Risk is defined as the potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences.

The three components of risk are threat - defined as a natural or manmade occurrence, individual, entity, or action that has or indicates the potential to harm life, information, operations, the environment, and/or property; vulnerability - which is a physical feature or operational attribute that renders an entity open to exploitation or susceptible to a given hazard; and consequences - also known as the effect of an event, incident, or occurrence.

The direct risk challenges include: the threat (those who seek to attack and compromise cyber systems); the means of attack (which relies on taking advantage of system vulnerabilities); the nature of the system attacked (such as the age and configuration of the system); the value of the systems; and how loss of control impacts the interaction with humans, property, and the environment.

Challenges related to the implementation of security measures include organizational, institutional, economic, and technical factors that either limit the availability of security measures, or increase the difficulty of implementing the optimum security enhancements.

Risk Challenges to Cybersecurity

• Threat
• Means of attack
• Nature of the system attacked
• Value of systems attacked
• Interaction caused by loss of control

One key technical challenge is the issue of accessibility, both physical and cyber, which could enable an attacker to take advantage of known and yet-to-be-discovered vulnerabilities. The accessibility issue is exacerbated by the international nature of the Internet and CIKR. An attack could originate from almost anywhere on the planet; CIKR companies often have international partners, suppliers, and customers; and cyber components and systems often have international origins with international maintenance and support. Furthermore, ICS owned and operated by the Dams Sector often include vendors with cyber components and systems with international origins, maintenance and/or support.

Risk assessment and analysis will provide an analytical understanding of this problem. The business case is a subset of risk analysis in that it provides an understanding of the cost benefit of expending resources to reduce risk. Once the problem is recognized and understood through assessment and analysis, it will be possible to design and implement solutions that will act as countermeasures to the system vulnerabilities. Security systems and procedures should be designed and implemented in accordance with standards
