Existing cybersecurity vulnerability assessment tools were designed based on the policies and standards defined by organizations such as the U.S. Department of Energy and the National Institute of Standards and Technology (NIST). Frameworks such as the cybersecurity capability maturity model (C2M2) and the NIST Cybersecurity Framework (CSF) are often used by critical infrastructure owners and operators to determine the cybersecurity maturity of their facilities. Although these frameworks are exceptional at performing qualitative cybersecurity analysis and identifying vulnerabilities, they do not provide a means to perform prioritized mitigation of those vulnerabilities in order to achieve a desired cybersecurity maturity. To address that challenge, we developed a framework and software application called the cybersecurity vulnerability mitigation framework through empirical paradigm (CyFEr). This paper presents the detailed architecture of CyFEr’s enhanced prioritized gap analysis (EPGA) methodology and its application to CSF. The efficacy of the presented framework is demonstrated by comparing it against existing similar models and testing it against the cyber injects from a real-world cyber-attack that targeted industrial control systems (ICS) in critical infrastructures.
Revised: December 30, 2019 | Published: April 1, 2020
Citation
Gourisetti S.G., M.E. Mylrea, and H. Patangia. 2020. Cybersecurity Vulnerability Mitigation Framework through Empirical Paradigm: Enhanced Prioritized Gap Analysis. Future Generation Computer Systems 105. PNNL-SA-143834. doi:10.1016/j.future.2019.12.018