Table 1 A list of our TTC model inputs
From: Risk mitigation in electric power systems: Where to start?
Var. | Description and information source |
|---|---|
N | The total number of disclosed vulnerabilities. Major vulnerability databases catalogue about 141348 vulnerabilities (RAPID7 2018; NVD 2018). |
nH | The number of known high-complex vulnerabilities (visible at DEST) that require a measurable amount of investments and efforts to be successfully exploited. We use the “Attack Complexity (AC)” metric of the open standard CVSS to retrieve such details (CVSS 2015). |
nL | The number of known low-complex vulnerabilities (visible at DEST) exploitable without special conditions or circumstances (CVSS 2015). |
n | The number of known vulnerabilities visible at DEST; n=nL+nH. The “Attack Vector (AV)” metric of the CVSS system can be further used to identify the vulnerabilities’ exploitation contexts, i.e. exploitable from (remote) network, or adjacent/local access. This piece of information is used to identify which vulnerabilities are exploitable through inter-layer transitions or intra-layer transitions. |
S | The adversary’s experience and skill level function. S has a significant impact on the different time and probability computations of our model. For example, it is more certain that an expert adversary can employ existing exploits or even craft her/his own one with less time than the time needed by a beginner hacker. Based on an existing statistical study (Leversage and Byres 2008), S can equal to Expert=1.0, Intermediate= 0.55, Beginner= 0.3, or Novice=0.15. |
E | The total number of existing exploits. Rapid7, a major exploit database, catalogues about 3859 readily available exploits (RAPID7 2018). |
M | The average number of readily available exploits that can be adapted or modified given the adversary skill level; M=E×S (Leversage and Byres 2008). |
C | The average number of vulnerabilities for which an exploit can be found or crafted by an adversary given her/his S; C=n×S (Leversage and Byres 2008). |
β1 | The time needed for a successful compromise attempt using a readily available exploit code of known vulnerability. It is described by a random variable following the beta distribution with the mean of 1 day and a value range [0…5] days (McQueen et al. 2006a). |
Γ5.8 | The time needed to craft a working exploit code for a specific vulnerability. It is described by a random variable following the gamma distribution with the mean value of 5.8 days. 5.8 days has been derived based on the observed average time between a vulnerability announcement and the release of the first exploit (McQueen et al. 2006a). |
Γ65 | The time to find a new zero-day vulnerability. It is described, similar to Γ5.8, by a random variable following the gamma distribution with the mean value of 65 days. 65 days is derived based on observations of the lifetime of zero-day vulnerabilities (Nzoukou et al. 2013; McQueen et al. 2009). |