For modern industrial automation and control systems (IACS), it is a cybersecurity risk that provokes the most growing anxiety among other potential hazards. In order to manage the risk efficiently, a risk assessment is necessary. A standard CIA approach explores the confidentiality, integrity, and availability properties of assets. However, for IACS dealing with critical infrastructures, it is more crucial to investigate separately the availability part of the risk. Moreover, not assets but functions are particularly important. One of the major problems arising during the assessment is how to assign values for the availability property of IACS functions. For establishing the CIA values, techniques related to confidentiality and integrity seem to be quite evident and make just a minor issue to develop and employ. However, methods for assessing the availability property happen to be not obvious and not widely used. The article presents a metric helpful for the availability valuation. Inherently constructed to be applicable particularly to functions, not to assets, the metric will be found especially effective for IACS. Essentially based on delay as a measure, the metric is proved to be conformant to the IEC 62443 series availability interpretation and the general requirements for the cybersecurity metrics. For the metric to be accurately calculated, the availability reference model, dependency theory, and a theory of deterministic queuing systems Network calculus are proposed to be utilized. Applying Network calculus to the metric calculation, the article reveals that this problem can be reduced to the problem of obtaining sets of service curves.

sep

Sochi, Russian Federation

https://ieeexplore.ieee.org/document/9896250/