Skip to main content

Advertisement

Table 1 A list of our TTC model inputs

From: Risk mitigation in electric power systems: Where to start?

Var.Description and information source
NThe total number of disclosed vulnerabilities. Major vulnerability databases catalogue about 141348 vulnerabilities (RAPID7 2018; NVD 2018).
nHThe number of known high-complex vulnerabilities (visible at DEST) that require a measurable amount of investments and efforts to be successfully exploited. We use the “Attack Complexity (AC)” metric of the open standard CVSS to retrieve such details (CVSS 2015).
nLThe number of known low-complex vulnerabilities (visible at DEST) exploitable without special conditions or circumstances (CVSS 2015).
nThe number of known vulnerabilities visible at DEST; n=nL+nH. The “Attack Vector (AV)” metric of the CVSS system can be further used to identify the vulnerabilities’ exploitation contexts, i.e. exploitable from (remote) network, or adjacent/local access. This piece of information is used to identify which vulnerabilities are exploitable through inter-layer transitions or intra-layer transitions.
SThe adversary’s experience and skill level function. S has a significant impact on the different time and probability computations of our model. For example, it is more certain that an expert adversary can employ existing exploits or even craft her/his own one with less time than the time needed by a beginner hacker. Based on an existing statistical study (Leversage and Byres 2008), S can equal to Expert=1.0, Intermediate= 0.55, Beginner= 0.3, or Novice=0.15.
EThe total number of existing exploits. Rapid7, a major exploit database, catalogues about 3859 readily available exploits (RAPID7 2018).
MThe average number of readily available exploits that can be adapted or modified given the adversary skill level; M=E×S (Leversage and Byres 2008).
CThe average number of vulnerabilities for which an exploit can be found or crafted by an adversary given her/his S; C=n×S (Leversage and Byres 2008).
β1The time needed for a successful compromise attempt using a readily available exploit code of known vulnerability. It is described by a random variable following the beta distribution with the mean of 1 day and a value range [0…5] days (McQueen et al. 2006a).
Γ5.8The time needed to craft a working exploit code for a specific vulnerability. It is described by a random variable following the gamma distribution with the mean value of 5.8 days. 5.8 days has been derived based on the observed average time between a vulnerability announcement and the release of the first exploit (McQueen et al. 2006a).
Γ65The time to find a new zero-day vulnerability. It is described, similar to Γ5.8, by a random variable following the gamma distribution with the mean value of 65 days. 65 days is derived based on observations of the lifetime of zero-day vulnerabilities (Nzoukou et al. 2013; McQueen et al. 2009).