Research Article

Comprehensive Risk Identification Model for SCADA Systems

Table 3

The six risk identification parameters: What, Who, Why, Where, When, How.

Risk (What?):
(1) Human risks (R19: Inappropriate control commands)
(2) Physical risks (R20: Site penetration, R1: Physical theft of hardware, R2: Device power failure, R3: Destruction of hardware, R6: Site/building destruction, R7: Theft of network wiring, R8: Damage to network wiring, R15: Physical theft of data, R22: Hardware failure, R24: Disable device, and R27: Equipment crash)
(3) Software risks (R4: Device compromise, R5: Device misconfiguration, R16: Gain physical access, R17: Gain remote access, R18: Identify network devices, R21: Gain device administrator password, R23: Bypass device admin password, R25: Network outage, and R26: Software failure)
(4) Data risks (R9: Wireless network signal disruption, R10: Data sniffing, R11: Data interception, R12: Data distortion, R13: Data disclosure, and R14: Data loss)

Risk Agents (Who?):
(A1) Current employee
(A2) Former employee
(A3) Current business partner
(A4) Former business partner
(A5) Customer
(A6) Script kiddies
(A7) Industrial spies
(A8) Online social hacker
(A9) Corporate competitors
(A10) Hacktivist
(A11) Cyber-criminal group
(A12) Cyber terrorist
(A13) Nation state
(A14) Earthquakes
(A15) Floods
(A16) Tsunamis
(A17) Landslides
(A18) Lightning
(A19) Heavy rains
(A20) Heavy snowfalls
(A21) Tornado
(A22) Wildfire
(A23) Fires
(A24) Explosions

Risk Motivations (Why?):
(M1) Convenience
(M2) Monetization
(M3) Revenge
(M4) Social
(M5) Ideological
(M6) National
(M7) Environmental changes

System Components (Where?):
(1) Remote station (RT1: sensor, RT2: actuator, RT3: RTU, RT4: PLC, and RT5: IED)
(2) Communication devices (CD1: switch, CD2: router, CD3: repeater, CD4: modem, CD5: WLAN access point, and CD6: firewall)
(3) Wired media (WM1: coaxial cable, WM2: twisted pair cable, and WM3: fiber optic cable)
(4) Wireless media (WLM1: radio frequency, WLM2: microwave, and WLM3: satellite)
(5) Master station (MS1: communication server, MS2: SCADA server, MS3: historian server, and MS4: HMI)
(6) Corporate network (CN1: application server, CN2: web server, CN3: mobile server, TR1: PC/laptop, and TR2: smartphone/tablet)
(7) People (PE1: system employees, PE2: system clients, and PE3: third-party staff)
(8) Building and site (BS1)

Component Vulnerabilities (When?):
(1) Human errors (V1: Publicly displayed information about the system and who operates it, V2: Unqualified employee, V3: Lack of skills, knowledge and training, V4: Sharing passwords among users, V5: Password disclosure, V6: Former employees/contractors expose their system knowledge to external persons, V7: Accounts still active for former employees and partners, V13: Using default password, V14: No password used, V15: Weak password policies, V27: Inappropriate or unauthorized access controls, V36: Lack of remote access control)
(2) Physical vulnerabilities (V8: Isolated sites, V9: Poor maintenance, V10: Absence of alarm system, V11: Weak window and door controls, V12: Lack of or weak physical security tools, V24: Lack of diversity in communication paths leads to communication failure, V28: No UPS or backup power generator, V29: Air-conditioning failure, V30: Lack of redundant hardware, V33: No warranty agreement, V34: No spares management)
(3) Software vulnerabilities (V18: Critical configurations are not stored or backed up, V20: Open communication/unprotected protocols are used, V25: Poor or non-existent software updates, V21: Unsecured wireless networks, V26: Unsecured physical ports, V31: Intrusion detection/prevention software not used, not updated, or not tested, V32: Anti-virus/anti-malware not used, not updated, or not tested, V33: No warranty agreement, V35: Memory overflow)
(4) Data vulnerabilities (V16: Sensitive data not protected by encryption or passwords, V17: Data transferred without protection, V19: Absent or untested backup procedure, V22: System logs not maintained or reviewed periodically, V23: Sensitive data not encrypted in transit)

Penetration Techniques (How?):
(PT1) Social engineering/phishing
(PT2) Interception/eavesdropping/espionage
(PT3) Exploit kits
(PT4) Malicious code
(PT5) Spamming
(PT6) Web-based attacks
(PT7) Web application attacks
(PT8) Botnets
(PT9) Spoofing
(PT10) Physical attack
(PT11) Disaster (geological/hydrological/meteorological)
(PT12) Human error/misuse of resources
(PT13) Malfunction of equipment
(PT14) Data manipulation or forging
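The table only becomes usable as a risk register once every code can be resolved and the catalog is known to be complete. The Python below is an added example, not code from the paper: it parses the six columns in the paper's "CODE: description" notation (descriptions may contain commas, so entries are split at the next code marker rather than at commas), audits that the R and V codes run 1..N without gaps or repeats, and composes one identified risk as the six-parameter tuple (what, who, why, where, when, how), resolving each code only against its own column. The column keys, function names and the illustrative R17/A2/M3/MS2/V7/PT12 pairing are this example's assumptions; the codes and descriptions are the table's.

```python
import re
from collections import Counter

# Table 3 in the paper's "CODE: description" notation, one string per column
# (the group headings such as "Physical risks" are dropped here).
CATALOG = {
    "what": (
        "R19: Inappropriate control commands, R20: Site penetration, R1: Physical theft of hardware, "
        "R2: Device power failure, R3: Destruction of hardware, R6: Site/building destruction, "
        "R7: Theft of network wiring, R8: Damage to network wiring, R15: Physical theft of data, "
        "R22: Hardware failure, R24: Disable device, R27: Equipment crash, R4: Device compromise, "
        "R5: Device misconfiguration, R16: Gain physical access, R17: Gain remote access, "
        "R18: Identify network devices, R21: Gain device administrator password, R23: Bypass device "
        "admin password, R25: Network outage, R26: Software failure, R9: Wireless network signal "
        "disruption, R10: Data sniffing, R11: Data interception, R12: Data distortion, "
        "R13: Data disclosure, R14: Data loss"
    ),
    "who": (
        "A1: Current employee, A2: Former employee, A3: Current business partner, A4: Former "
        "business partner, A5: Customer, A6: Script kiddies, A7: Industrial spies, A8: Online social "
        "hacker, A9: Corporate competitors, A10: Hacktivist, A11: Cyber-criminal group, A12: Cyber "
        "terrorist, A13: Nation state, A14: Earthquakes, A15: Floods, A16: Tsunamis, A17: Landslides, "
        "A18: Lightning, A19: Heavy rains, A20: Heavy snowfalls, A21: Tornado, A22: Wildfire, "
        "A23: Fires, A24: Explosions"
    ),
    "why": "M1: Convenience, M2: Monetization, M3: Revenge, M4: Social, M5: Ideological, "
           "M6: National, M7: Environmental changes",
    "where": (
        "RT1: sensor, RT2: actuator, RT3: RTU, RT4: PLC and RT5: IED, CD1: switch, CD2: router, "
        "CD3: repeater, CD4: modem, CD5: WLAN access point and CD6: firewall, WM1: coaxial cable, "
        "WM2: twisted pair cable and WM3: fiber optic cable, WLM1: radio frequency, WLM2: microwave "
        "and WLM3: satellite, MS1: communication server, MS2: SCADA server, MS3: historian server "
        "and MS4: HMI, CN1: application server, CN2: web server, CN3: mobile server, TR1: PC/laptop "
        "and TR2: smartphone/tablet, PE1: system employees, PE2: system clients and PE3: third-party "
        "staff, BS1: building and site"
    ),
    "when": (
        "V1: Publicly displayed information about the system and who operates it, V2: Unqualified "
        "employee, V3: Lack of skills, knowledge and training, V4: Sharing passwords among users, "
        "V5: Password disclosure, V6: Former employees/contractors expose their system knowledge to "
        "external persons, V7: Accounts still active for former employees and partners, V13: Using "
        "default password, V14: No password used, V15: Weak password policies, V27: Inappropriate or "
        "unauthorized access controls, V36: Lack of remote access control, V8: Isolated sites, "
        "V9: Poor maintenance, V10: Absence of alarm system, V11: Weak window and door controls, "
        "V12: Lack of or weak physical security tools, V24: Lack of diversity in communication paths "
        "leads to communication failure, V28: No UPS or backup power generator, V29: Air-conditioning "
        "failure, V30: Lack of redundant hardware, V33: No warranty agreement, V34: No spares "
        "management, V18: Critical configurations are not stored or backed up, V20: Open "
        "communication/unprotected protocols are used, V25: Poor or non-existent software updates, "
        "V21: Unsecured wireless networks, V26: Unsecured physical ports, V31: Intrusion "
        "detection/prevention software not used, not updated, or not tested, V32: Anti-virus/"
        "anti-malware not used, not updated, or not tested, V33: No warranty agreement, V35: Memory "
        "overflow, V16: Sensitive data not protected by encryption or passwords, V17: Data "
        "transferred without protection, V19: Absent or untested backup procedure, V22: System logs "
        "not maintained or reviewed periodically, V23: Sensitive data not encrypted in transit"
    ),
    "how": (
        "PT1: Social engineering/phishing, PT2: Interception/eavesdropping/espionage, PT3: Exploit "
        "kits, PT4: Malicious code, PT5: Spamming, PT6: Web-based attacks, PT7: Web application "
        "attacks, PT8: Botnets, PT9: Spoofing, PT10: Physical attack, PT11: Disaster (geological/"
        "hydrological/meteorological), PT12: Human error/misuse of resources, PT13: Malfunction of "
        "equipment, PT14: Data manipulation or forging"
    ),
}
CODE_RE = re.compile(r"\b([A-Z]{1,3})(\d+)\s*:\s*")

def parse_catalog(text):
    """Return (letters, number, description) triples. Descriptions may contain commas
    (V3, V31), so each runs up to the next code marker; a trailing ', ' or ' and ' is stripped."""
    entries, marks = [], list(CODE_RE.finditer(text))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        desc = re.sub(r"[\s,]*(?:and)?[\s,]*$", "", text[m.end():end])
        entries.append((m.group(1), int(m.group(2)), desc))
    return entries

def audit_codes(entries, letters):
    """Report whether the codes with this letter prefix run 1..N with no gaps or repeats."""
    nums = [n for l, n, _ in entries if l == letters]
    counts, top = Counter(nums), max(nums)
    return {"count": len(nums), "max": top,
            "duplicates": sorted(n for n, c in counts.items() if c > 1),
            "missing": [n for n in range(1, top + 1) if n not in counts]}

def lookup(column, code):
    """Resolve a code against one column only, so an agent code cannot stand in for a risk."""
    for letters, num, desc in parse_catalog(CATALOG[column]):
        if f"{letters}{num}" == code:
            return desc
    raise KeyError(f"{code} is not a {column!r} code in Table 3")

def build_scenario(what, who, why, where, when, how):
    """One identified risk as the model's six-tuple; each code is resolved in its own column."""
    codes = {"what": what, "who": who, "why": why, "where": where, "when": when, "how": how}
    return {col: (code, lookup(col, code)) for col, code in codes.items()}

if __name__ == "__main__":
    print(audit_codes(parse_catalog(CATALOG["when"]), "V"))  # reports V33 listed twice
    print(build_scenario("R17", "A2", "M3", "MS2", "V7", "PT12"))  # assumed pairing, not the paper's
```

Running the audit on the risk column gives 27 codes, R1 to R27, with no gaps; on the vulnerability column it gives 37 entries over 36 codes, because V33 (No warranty agreement) appears under both the physical and the software groups. That is the kind of check to run before the codes are used as keys in a risk register, since a duplicated key silently merges two table rows.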