Study on assessing homeland security risks does not adequately address control system cyber security
The Journal of the Naval PostGraduate School (NPS) Center for Homeland Defense and Security published the article: “Assessing Homeland Security Risks: A Comparative Risk Assessment of 10 Hazards” by Russell Lundberg and Henry Willis. The National Academy of Sciences recommended that the Department of Homeland Security use methods of qualitative comparative risk assessment as part of its approach to strategic planning. To provide insight into how this can be done, the above paper examined a set of ten homeland security risks– including natural disasters, terrorist events, cyber attacks against critical infrastructure, and major accidents (Toxic Industrial Chemical accident and Oil Spills) – in a systematic fashion.
The NPS paper identifies cyber attacks and not unintentional cyber incidents. However, it may not be possible to tell the difference between a malicious attack and an unintentional incident. Moreover, if the incident can occur unintentionally, it generally can also be caused maliciously. Since natural events are considered (non-malicious events), unintentional cyber incidents also need to be included. Additionally, the paper includes the separate categories of “Toxic Industrial Chemical Accident” and “Oil Spills” even though toxic chemical plant accidents and oil spills have been caused by cyber incidents.
Enclosed is my comparison of control system cyber incidents to the paper’s assessment of cyber attacks against the critical infrastructure. The reason that control system cyber risk is so difficult to estimate is that the probability of occurrence cannot be estimated unless you assume it is 1. And, the consequence of the incident can be almost anything if the attacker has control of the process. Consequently, impacts from cyber attacks (unintentional and intentional) can range from localized, short duration with no injuries to nation-wide (or even larger), long duration with catastrophic injuries.
Category |
NPS paper – Cyber Attack |
My data |
Average number of deaths/year |
0 |
Some |
Greatest number of deaths in a single incident |
1-10 |
>200 (actual to date) |
Average more severe injuries/illnesses per year |
0
|
Some |
Average less severe injuries/illnesses per year |
0 |
Some |
Psychological damage per year on average |
Low |
Low (events not recognized as cyber) |
Average economic damages per year |
$50B |
Significant |
Greatest economic damages in a single event |
$100M-$10B |
Depends on event (can be >$Trillion for extended widespread outage) |
Duration of economic damages |
Days to weeks |
Days to years |
Size of area affected by economic damages |
Company to nation |
Facility to continent |
Average environmental damages per year |
Low |
Low |
Average individuals displaced per year |
0 |
Some |
Disruption of government operations |
Moderate to high |
Moderate to high |
Ability of individual to control their exposure |
Low to moderate |
Low to moderate |
Time between exposure and health effects |
Immediate |
Immediate to long term |
Quality of scientific understanding |
Low to moderate |
Low |
Combined Uncertainty |
Moderate |
High |
My comparison to the NPS study illustrates the gaps in understanding of control system cyber security and its impacts.
Joe Weiss