Intelligent Systems Research Laboratory
Technical Report TR-ISRL-06-01
Dept. of Computer Engineering and Computer Science
University of Louisville
Louisville, KY 40292
July 2006

Literature Review of Security and Risk Assessment of SCADA and DCS Systems

Dr. Patricia A. Ralston, Dr. James H. Graham and Dr. Sandip C. Patel

Abstract

The growing dependence of critical infrastructures and industrial automation on interconnected physical and cyber-based control systems has resulted in a growing and previously unforeseen cyber security threat to SCADA and DCS systems. Industry organizations such as NERC and AGA, as well as government organizations like NIST and Sandia, are responding to the cyber security threat faced by control systems and critical infrastructure through the development of guidelines, best practices, test beds, security tools and new technology. Published papers such as (Byres and Lowe, 2005; Miller, 2005; Greer, 2006) describe the threats and vulnerabilities faced by SCADA and DCS systems and the challenges presented in attempting to secure these systems. Other papers, such as (Byres and Franz, 2006; Strickles et al., 2003), describe the application of existing security technologies and security practices.

The articulation of risk is an important component of a comprehensive, realistic, and long-term commitment to securing SCADA and DCS systems. Risk assessment methods such as HHM, IIM, and RFRM have been successfully applied to SCADA systems and have highlighted the need for quantifiable metrics. Quantifiable risk analysis falls under the general category of probabilistic risk analysis (PRA), which includes methods like FTA, ETA, and FMEA. What is needed for SCADA and DCS cyber security risk analysis is to quantitatively determine the probability of an attack, the impact of the attack, and the reduction in risk associated with a particular countermeasure. Two recent methods, one based on compromise graphs and one on augmented vulnerability trees, have specifically targeted SCADA security.

Keywords: SCADA, DCS, risk analysis, vulnerability.