Thursday, October 26 • 3:15pm - 4:30pm
Quantifying Cybersecurity Risks for Industrial Control Systems


Current cybersecurity risk analysis and assessment methods are primarily manual processes with subjective, qualitative inputs, which often produce inaccurate risk scores and inconsistent assessment reports. While NIST’s Risk Management Framework (RMF) provides standard guidance for cybersecurity risk assessment at the organizational level, there is a lack of detailed reference models for quantifying cybersecurity risk at the operational level. This is especially true for infrastructure companies, because the decision makers of an organization, such as the CEO or the CISO, often want to know the financial consequences of a vulnerability- or cyber-threat-induced failure of a critical production component, e.g. a generator or a water pump.

This session will introduce a new quantitative risk model (QRM) to support cybersecurity risk analytics in an integrated IT and OT environment. The QRM builds on existing cybersecurity standards and specifications, several of them components of NIST’s Security Content Automation Protocol (SCAP), including Asset Identification (AI), Common Vulnerabilities and Exposures (CVE) and the Common Vulnerability Scoring System (CVSS). It provides organizations with a comprehensive reference framework to quantify risks at different operational levels by integrating asset management with automated vulnerability discovery and threat monitoring. In addition, the model can be used to implement exploit path analysis (EPA) functions for identifying potential attack patterns and the weakest link in an asset network. We will demonstrate the basic concepts of QRM through sample use cases and show how it can support quantitative decision making in enhancing operational cybersecurity readiness.
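The following is an added example, not the QRM presented in this session and not D-Tech code: it illustrates the kind of computation the abstract describes by combining CVSS v3.1 exploitability metrics, an asset inventory with a dollar-valued consequence, and a reachability graph into an expected-loss figure plus an exploit path analysis that names the weakest link. The asset names, the placeholder finding identifiers (not CVE IDs), the CVSS vectors, the network edges, the $2,000,000 consequence and the mapping from CVSS exploitability to a likelihood in [0, 1] are all constructed assumptions.

```python
"""
Illustrative quantitative risk model for a small IT/OT asset network.

Added example, not the session's QRM. Asset names, findings, edges, the dollar
consequence and the CVSS-to-likelihood mapping are constructed assumptions.
"""
from typing import Dict, List, Tuple

# CVSS v3.1 exploitability metric weights (scope unchanged), from the spec.
CVSS_WEIGHTS = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20},
    "AC": {"L": 0.77, "H": 0.44},
    "PR": {"N": 0.85, "L": 0.62, "H": 0.27},
    "UI": {"N": 0.85, "R": 0.62},
}
CVSS_EXPLOITABILITY_COEFFICIENT = 8.22

# Constructed inventory: asset -> estimated loss (USD) if it is compromised.
# Only the pump controller carries a production loss in this example.
ASSETS: Dict[str, int] = {
    "vpn-gw": 0, "historian": 0, "eng-ws": 0, "hmi": 0, "plc-pump": 2_000_000,
}

# Constructed findings: asset -> (placeholder id, CVSS v3.1 exploitability
# metrics). The ids are not CVE identifiers.
FINDINGS: Dict[str, List[Tuple[str, str]]] = {
    "vpn-gw": [("F-1", "AV:N/AC:H/PR:N/UI:N")],
    "historian": [("F-2", "AV:N/AC:L/PR:L/UI:N")],
    "eng-ws": [("F-3", "AV:L/AC:L/PR:L/UI:R")],
    "hmi": [("F-4", "AV:N/AC:L/PR:N/UI:R"), ("F-5", "AV:A/AC:L/PR:N/UI:N")],
    "plc-pump": [("F-6", "AV:A/AC:L/PR:N/UI:N")],
}

# Directed reachability through the segmentation: (source, destination).
EDGES: List[Tuple[str, str]] = [
    ("vpn-gw", "historian"), ("vpn-gw", "eng-ws"), ("historian", "hmi"),
    ("historian", "eng-ws"), ("eng-ws", "plc-pump"), ("hmi", "plc-pump"),
]


def exploitability(vector: str) -> float:
    """CVSS v3.1 exploitability sub-score: 8.22 * AV * AC * PR * UI."""
    metrics = dict(part.split(":") for part in vector.split("/"))
    score = CVSS_EXPLOITABILITY_COEFFICIENT
    for metric in ("AV", "AC", "PR", "UI"):
        score *= CVSS_WEIGHTS[metric][metrics[metric]]
    return score


MAX_EXPLOITABILITY = exploitability("AV:N/AC:L/PR:N/UI:N")  # about 3.887


def finding_likelihood(vector: str) -> float:
    """Assumed likelihood a reachable finding is exploited: normalised score."""
    return exploitability(vector) / MAX_EXPLOITABILITY


def asset_likelihood(asset: str, remediated: Tuple[str, ...] = ()) -> float:
    """Likelihood a reachable asset falls; findings treated as independent,
    so the asset falls if any one of them is exploited."""
    if asset in remediated:
        return 0.0
    p_survive = 1.0
    for _, vector in FINDINGS.get(asset, []):
        p_survive *= 1.0 - finding_likelihood(vector)
    return 1.0 - p_survive


def exploit_paths(entry: str, target: str) -> List[List[str]]:
    """All simple paths from the attacker's entry point to the target."""
    paths, stack = [], [[entry]]
    while stack:
        path = stack.pop()
        if path[-1] == target:
            paths.append(path)
            continue
        for src, dst in EDGES:
            if src == path[-1] and dst not in path:
                stack.append(path + [dst])
    return paths


def most_likely_path(entry: str, target: str, remediated: Tuple[str, ...] = ()):
    """Path whose hops are most likely to all be compromised, with its likelihood."""
    best, best_p = [], 0.0
    for path in exploit_paths(entry, target):
        p = 1.0
        for asset in path:
            p *= asset_likelihood(asset, remediated)
        if p > best_p:
            best, best_p = path, p
    return best, best_p


def expected_loss(entry: str, target: str, remediated: Tuple[str, ...] = ()) -> float:
    """Quantified risk in dollars: most-likely-path likelihood times consequence."""
    _, p = most_likely_path(entry, target, remediated)
    return p * ASSETS[target]


def weakest_link(entry: str, target: str) -> str:
    """Hop on the most likely path with the highest compromise likelihood."""
    path, _ = most_likely_path(entry, target)
    return max(path, key=asset_likelihood)


def remediation_ranking(entry: str, target: str) -> List[Tuple[str, float]]:
    """Residual expected loss if each asset were fully remediated, lowest first."""
    rows = [(asset, expected_loss(entry, target, (asset,))) for asset in ASSETS]
    return sorted(rows, key=lambda row: row[1])


if __name__ == "__main__":
    path, p = most_likely_path("vpn-gw", "plc-pump")
    print("most likely path:", " -> ".join(path), f"(p={p:.3f})")
    print(f"expected loss: ${expected_loss('vpn-gw', 'plc-pump'):,.0f}")
    print("weakest link:", weakest_link("vpn-gw", "plc-pump"))
    for asset, residual in remediation_ranking("vpn-gw", "plc-pump"):
        print(f"remediate {asset:10s} -> residual loss ${residual:,.0f}")
```

Two design choices matter for anyone extending this. First, the risk figure uses the single most likely path rather than combining all paths, because paths share hops and are not independent; summing them would overstate the likelihood. Second, the remediation ranking sets an asset's likelihood to zero, which is the "what if we fully fixed it" view; a real model would instead substitute the post-fix CVSS metrics and weigh the result against remediation cost, which for a PLC is rarely a simple patch.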

The QRM development is sponsored by the Department of Energy (DOE) through a research grant. We would like to reach out to the ICS community for feedback and support in creating a robust QRM that can be extended across multiple infrastructure sectors.

Learning Objectives

  • Why is quantitative risk analysis important for ICS, and what are its benefits?
  • How can cybersecurity risks be quantified?
  • How is the QRM designed with respect to the relevant industry standards?
  • How can the QRM be implemented and extended to support various operational environments?


Dr. Nick Duan

CTO, D-Tech, LLC
Dr. Nick Duan is the President and Chief Information Officer of D-Tech, LLC, an R&D firm specializing in cybersecurity products and services. He has over 30 years of experience in software design and project development, with a wide range of expertise in cybersecurity, iden...

Thursday October 26, 2017 3:15pm - 4:30pm
Windsor DE
