Dr. Barry Ezell is the President of the Security Analysis and Risk Management Association and Chief Scientist at Old Dominion University’s Virginia Modeling Analysis and Simulation Center. Barry is best known for his contributions in terrorism risk analysis, critical infrastructure and industrial control system risk analytics. Barry is a retired U.S. Army military officer and has 24 years of experience in military decision-making, operations research and risk analysis in the U.S. Department of Defense and U.S. Department of Homeland Security. Ongoing applied research and analytic work combines advanced concepts in adversary modeling, verification and validation, transportation infrastructure cyber risk assessment, and developing risk models to inform programmatic acquisition decisions at the federal, state, and local levels of government.
This paper is a result of a cyber risk assessment undertaken with the goal of increasing the cyber awareness of operators of infrastructure, managers, and political leadership. The meaning of cyber has, in our opinion, been aggregated to a bumper sticker label so generic, it means very little of anything to anyone trying to understand cyber risk. Senior executives and political leaders have a very limited understanding of industrial control systems (ICS) and the crucial role ICS provide to public/private infrastructure, industry, and military systems. Therefore, to accomplish our
purpose, we conducted a cyber-risk study focusing on a bridge tunnel ICS – a scenario of concern. In this paper we present the analytic approach, discuss our model, simulation, and analyze the results using a notational data and generic system description. As a result of this study we were able to discuss the importance of controls systems with senior leaders. We were able to demystify what we mean by “cyber” showing that it is possible through simulation to inject the effects of cyber scenarios of concern into simulations to assess impact. There was also an unintended benefit: During a system audit, ICS operators with decades of engineering experiences began to realize that the ICS is vulnerable to willful intrusion. More of these studies are needed to raise awareness.