A Comprehensive and Open Framework for Classifying Incidents Involving Cyber-Physical Systems

In recent years, events such as the Stuxnet nuclear plant cyber-attack have brought the security of industrial control systems under scrutiny. Most of this focus has been on supervisory control and data acquisition (SCADA) systems (more generically known as ICS or industrial control systems). While these systems play a major role in our daily lives, this focus tends to overlook the broader scope of cyber-physical systems (CPS) and the impact they have on human lives (e.g., vehicles, mobile devices, agriculture). There are currently no open databases to record and classify CPS incidents that include systems outside of ICS. While it may be possible to adapt existing databases, we have found that those suitable for adaptation have multiple drawbacks, including proprietary ownership, requirement of a paid subscription and/or limited access, and design scope. In this paper, we propose an open standards framework for classifying a wide variety of CPS incidents. As part of this framework, we introduce a new taxonomy that facilitates the rapid categorization of such incidents by a variety of criteria. An important new parameter of this taxonomy is a hierarchy of market sector classifications, allowing incidents to be evaluated in their application of context. Other factors of the taxonomy include source profile, impact (both direct and indirect), method, and a comprehensive victim profile. We compare our framework to other existing approaches by classifying several incidents occurring over the last twenty years and demonstrate the wide capabilities of our method by including incidents outside of industrial control systems. We further note that the flexibility of the framework caters for multiple CPU types and provides a context rich description of incidents. Finally, we note that the system allows multiple classifications so an incident can be identified in multiple relevant contexts.