Title: A security metric for assessing the security level of critical infrastructures
Authors: Andrea Tortorelli; Andrea Fiaschetti; Alessandro Giuseppi; Vincenzo Suraci; Roberto Germanà; Francesco Delli Priscoli
Addresses: Department of Computer, Control and Management Engineering (DIAG), 'Antonio Ruberti' of the University of Rome 'La Sapienza', Via Ariosto 25, 00185, Rome, Italy ' Department of Computer, Control and Management Engineering (DIAG), 'Antonio Ruberti' of the University of Rome 'La Sapienza', Via Ariosto 25, 00185, Rome, Italy ' Department of Computer, Control and Management Engineering (DIAG), 'Antonio Ruberti' of the University of Rome 'La Sapienza', Via Ariosto 25, 00185, Rome, Italy ' Department of Computer, Control and Management Engineering (DIAG), 'Antonio Ruberti' of the University of Rome 'La Sapienza', Via Ariosto 25, 00185, Rome, Italy; Università degli Studi eCampus, Via Isimbardi 10, 22060, Novedrate (CO), Italy ' Department of Computer, Control and Management Engineering (DIAG), 'Antonio Ruberti' of the University of Rome 'La Sapienza', Via Ariosto 25, 00185, Rome, Italy ' Department of Computer, Control and Management Engineering (DIAG), 'Antonio Ruberti' of the University of Rome 'La Sapienza', Via Ariosto 25, 00185, Rome, Italy
Abstract: The deep integration between the cyber and physical domains in complex systems make very challenging the security evaluation process, as security itself is more of a concept (i.e., a subjective property) than a quantifiable characteristic. Traditional security assessing mostly relies on the personal skills of security experts, often based on best practices and personal experience. The present work is aimed at defining a security metric allowing evaluators to assess the security level of complex cyber-physical systems (CPSs), as critical infrastructures, in a holistic, consistent and repeatable way. To achieve this result, the mathematical framework provided by the open source security testing methodology manual (OSSTMM) is used as the backbone of the new security metric, since it allows to provide security indicators capturing, in a non-biased way, the security level of a system. Several concepts, as component lifecycle, vulnerability criticality and damage potential - effort ratio are embedded in the new security metric framework, developed in the scope of the H2020 project ATENA.
Keywords: security metrics; critical infrastructures; cyber-physical systems; CPSs; cyber-physical security.
DOI: 10.1504/IJCCBS.2020.108685
International Journal of Critical Computer-Based Systems, 2020 Vol.10 No.1, pp.74 - 94
Received: 02 May 2019
Accepted: 02 Apr 2020
Published online: 24 Jul 2020 *