Publications in Scientific Journals:
M. Eckhart, B. Brenner, A. Ekelhart, E. Weippl:
"Quantitative Security Risk Assessment for Industrial Control Systems: Research Opportunities and Challenges";
Journal of Internet Services and Information Security (JISIS),
Due to the gradual implementation of the Industry 4.0 vision, information technology is becoming increasingly important in industrial control systems (ICSs), such as production systems. Although the
digital transformation of ICSs represents the foundation for resource-efficient and flexible industrial
plants, this change increases the attack surface, leading to the emergence of new threats. Moreover,
ICSs constitute an attractive target for attackers who may disrupt plant operation, causing severe
physical/material damages (PD/MD), such as machinery breakdowns. In further consequence, asset
owners (i.e., plant operators) may suffer from business interruption (BI) and loss of profit (LOP).
Thus, security risks must be managed in all phases of the ICSsī lifecycle, starting from engineering
to decommissioning. Risk assessment is an integral part of the risk management process in which
risks are identified, analyzed, and evaluated. In this context, the quantitative assessment is vital, since
measuring cyber risks is required to establish an effective decision-making process for security investments. This survey article reviews the state of the art concerning quantitative security risk assessments for ICSs and identifies promising opportunities for future research and associated challenges.
We report that the current state of quantitatively assessing cyber risks for ICSs is characterized by
the absence of adequate (dynamic) security risk assessment methods tailored to the peculiarities of
ICSs. This is aggravated by the fact that the complexity of the threat landscape increases in the light
of Industry 4.0, and historical data on security incidents is lacking. As a consequence, asset owners
may fail to quantitatively assess their cyber risk exposure, leaving them uncertain about security decisions. Furthermore, if they purchase cyber insurance in order to transfer the risks of non-PD BI,
the underlying problem remains unsolved as (re)insurers potentially take on these unassessed risks.
As an initial step to guide individuals seeking to improve the quantification of cyber risks pertaining
to ICSs, this article concludes by outlining several directions for further research that are worth pursuing.
Information Security, Industrial Control Systems, Security Risk Assessment, Cyber Risk Quantification, Cyber Insurance
"Official" electronic version of the publication (accessed through its Digital Object Identifier - DOI)
Electronic version of the publication:
Created from the Publication Database of the Vienna University of Technology.