China Safety Science Journal, 2019, Vol. 29, Issue (8): 157-163. doi: 10.16265/j.cnki.issn1003-3033.2019.08.025

• Public Safety •

Quantitative risk assessment method for information security of SCADA systems

XIONG Wenze1, JIN Jianghong2, TANG Junmei2   

  1. Functional Safety Center, Instrumentation Technology and Economy Institute, Beijing 100055, China;
  2. Laboratory of Industrial Explosion Protection, Beijing Municipal Institute of Labor Protection, Beijing 100054, China
  • Received: 2019-04-23 Revised: 2019-06-20 Published: 2020-10-21

Abstract: To effectively analyze and assess the information security risk of SCADA systems, and to address the difficulty traditional methods have in quantifying that risk, a quantitative risk assessment method is proposed. First, three elements (threat, vulnerability and asset) were identified based on the information security risk evaluation model, and the possible threats, vulnerabilities and assets were obtained by analyzing and deconstructing a typical SCADA system structure. Second, AHP was used to determine the extent to which the different elements influence SCADA systems. The judgment matrix and combination weight of the three elements with respect to security risk were then studied, and threat-vulnerability-asset combinations were compared to obtain relatively quantifiable and comparable risk parameters. Finally, the method was applied to assess the information security risk of a typical SCADA system. The results show that AHP has good operability in identifying weak points in system information security, and that hierarchical construction can clearly show the internal relationships of a complex SCADA system. The finer the hierarchy, the more accurate the analysis, but an overelaborate construction may lead to heavy dependence on experts' experience.

Key words: supervisory control and data acquisition (SCADA), information security, quantitative risk assessment, analytic hierarchy process (AHP), vulnerability
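The AHP step summarized in the abstract (judgment matrix, then combination weight) can be illustrated with standard Saaty AHP. This is an added example, not code or data from the paper. The judgment matrices, item names and the 0.10 consistency-ratio limit are constructed assumptions. The abstract does not state how threat-vulnerability-asset combinations are compared, so only the weighting and consistency check are shown.

```python
# Added illustration of standard AHP (Saaty); all matrices and item names are constructed.
RI = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12}  # random consistency index by order n

def ahp_weights(matrix, iterations=100):
    """Return (weights, consistency_ratio) for a reciprocal pairwise judgment matrix."""
    n = len(matrix)
    mul = lambda w: [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
    w = [1.0 / n] * n
    for _ in range(iterations):  # power iteration converges to the principal eigenvector
        v = mul(w)
        w = [x / sum(v) for x in v]
    lam = sum(a / b for a, b in zip(mul(w), w)) / n  # estimate of lambda_max
    ci = (lam - n) / (n - 1) if n > 1 else 0.0
    return w, (ci / RI[n] if RI[n] else 0.0)

def combined_weights(criteria, criteria_matrix, sub_levels, cr_limit=0.10):
    """Multiply each element's weight by the local weights of the items beneath it."""
    top, cr = ahp_weights(criteria_matrix)
    if cr >= cr_limit:
        raise ValueError(f"criteria matrix inconsistent (CR={cr:.2f}); revise judgments")
    combined = {}
    for name, w_top in zip(criteria, top):
        items, matrix = sub_levels[name]
        local, cr = ahp_weights(matrix)
        if cr >= cr_limit:
            raise ValueError(f"{name} matrix inconsistent (CR={cr:.2f}); revise judgments")
        for item, w in zip(items, local):
            combined[(name, item)] = w_top * w
    return combined

# Constructed expert judgments on Saaty's 1-9 scale (not data from the paper).
CRITERIA = ["threat", "vulnerability", "asset"]
CRITERIA_MATRIX = [[1, 2, 3], [1/2, 1, 2], [1/3, 1/2, 1]]
SUB_LEVELS = {
    "threat": (["external intrusion", "insider misuse"], [[1, 3], [1/3, 1]]),
    "vulnerability": (["unpatched HMI host", "unauthenticated field protocol",
                       "shared operator account"],
                      [[1, 1/2, 2], [2, 1, 3], [1/2, 1/3, 1]]),
    "asset": (["control server", "historian"], [[1, 4], [1/4, 1]]),
}
# A cyclic judgment (A > B, B > C, C > A) that the consistency check must reject.
INCONSISTENT = [[1, 5, 1/5], [1/5, 1, 5], [5, 1/5, 1]]

if __name__ == "__main__":
    ranked = sorted(combined_weights(CRITERIA, CRITERIA_MATRIX, SUB_LEVELS).items(),
                    key=lambda kv: -kv[1])
    for (element, item), weight in ranked:
        print(f"{weight:.3f}  {element:13s} {item}")
    print("CR of inconsistent matrix:", round(ahp_weights(INCONSISTENT)[1], 2))
```

The rejected cyclic matrix shows where the dependence on expert judgment noted in the abstract becomes visible: inconsistent pairwise comparisons are flagged for revision rather than turned into weights.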
