Study on assessing homeland security risks does not adequately address control system cyber security

Dec. 20, 2015

The Journal of the Naval PostGraduate School Center for Homeland Defense and Security published an article assessing homeland security risks. The study does not adequately address control system cyber security.

The Journal of the Naval PostGraduate School (NPS) Center for Homeland Defense and Security published the article: “Assessing Homeland Security Risks: A Comparative Risk Assessment of 10 Hazards” by Russell Lundberg and Henry Willis. The National Academy of Sciences recommended that the Department of Homeland Security use methods of qualitative comparative risk assessment as part of its approach to strategic planning. To provide insight into how this can be done, the above paper examined a set of ten homeland security risks– including natural disasters, terrorist events, cyber attacks against critical infrastructure, and major accidents (Toxic Industrial Chemical accident and Oil Spills) – in a systematic fashion.

The NPS paper identifies cyber attacks and not unintentional cyber incidents. However, it may not be possible to tell the difference between a malicious attack and an unintentional incident. Moreover, if the incident can occur unintentionally, it generally can also be caused maliciously. Since natural events are considered (non-malicious events), unintentional cyber incidents also need to be included. Additionally, the paper includes the separate categories of “Toxic Industrial Chemical Accident” and “Oil Spills” even though toxic chemical plant accidents and oil spills have been caused by cyber incidents.

Enclosed is my comparison of control system cyber incidents to the paper’s assessment of cyber attacks against the critical infrastructure. The reason that control system cyber risk is so difficult to estimate is that the probability of occurrence cannot be estimated unless you assume it is 1. And, the consequence of the incident can be almost anything if the attacker has control of the process. Consequently, impacts from cyber attacks (unintentional and intentional) can range from localized, short duration with no injuries to nation-wide (or even larger), long duration with catastrophic injuries.


NPS paper – Cyber Attack

My data

Average number of deaths/year



Greatest number of deaths in a single incident


>200 (actual to date)

Average more severe injuries/illnesses per year




Average less severe injuries/illnesses per year



Psychological damage per year on average


Low (events not recognized as cyber)

Average economic damages per year



Greatest economic damages in a single event


Depends on event (can be >$Trillion for extended widespread outage)

Duration of economic damages

Days to weeks

Days to years

Size of area affected by economic damages

Company to nation

Facility to continent

Average environmental damages per year



Average individuals displaced per year



Disruption of government operations

Moderate to high

Moderate to high

Ability of individual to control their exposure

Low to moderate

Low to moderate

Time between exposure and health effects


Immediate to long term

Quality of scientific understanding

Low to moderate


Combined Uncertainty



My comparison to the NPS study illustrates the gaps in understanding of control system cyber security and its impacts.

Joe Weiss