Journal Article
Journal of Computing and Information Science in Engineering, vol. 19, iss. 4, 2019
Authors
Arun Veeramany, William J. Hutton, Siddharth Sridhar, Sri Nikhil Gupta Gourisetti, Garill A. Coles, Paul M. Skare
Abstract
This article details a framework and methodology to risk-inform the decisions of an unsupervised cyber controller. A risk assessment methodology within this framework uses a combination of fault trees, event trees, and attack graphs to trace and map cyber elements with business processes. The methodology attempts to prevent and mitigate cyberattacks by using adaptive controllers that proactively reconfigure a network based on actionable risk estimates. The estimates are based on vulnerabilities and potential business consequences. A generic enterprise-control system is used to demonstrate the wide applicability of the methodology. In addition, data needs, implementation, and potential pitfalls are discussed.
