System, Method and Apparatus for Assessing a Risk of One or More Assets Within an Operational Technology Infrastructure

US 20140137257A1
Filed: 11/12/2013
Published: 05/15/2014
Est. Priority Date: 11/12/2012
Status: Abandoned Application

First Claim

Patent Images

1. A computerized method for assessing a risk of one or more assets within an operational technology infrastructure comprising the steps of:

providing a database containing data relating to the one or more assets;

calculating a threat score for the one or more assets using one or more processors communicably coupled to the database;

calculating a vulnerability score for the one or more assets using the one or more processors;

calculating an impact score for the one or more assets using the one or more processors; and

determining the risk of the one or more assets based on the threat score, the vulnerability score and the impact score using the one or more processors.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method and apparatus assesses a risk of one or more assets within an operational technology infrastructure by providing a database containing data relating to the one or more assets, calculating a threat score for the one or more assets using one or more processors communicably coupled to the database, calculating a vulnerability score for the one or more assets using the one or more processors, calculating an impact score for the one or more assets using the one or more processors, and determining the risk of the one or more assets based on the threat score, the vulnerability score and the impact score using the one or more processors.

Citations

49 Claims

1. A computerized method for assessing a risk of one or more assets within an operational technology infrastructure comprising the steps of:
- providing a database containing data relating to the one or more assets;
  
  calculating a threat score for the one or more assets using one or more processors communicably coupled to the database;
  
  calculating a vulnerability score for the one or more assets using the one or more processors;
  
  calculating an impact score for the one or more assets using the one or more processors; and
  
  determining the risk of the one or more assets based on the threat score, the vulnerability score and the impact score using the one or more processors.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method as recited in claim 1, further comprising the step of identifying the one or more assets within the operational technology infrastructure.
  - 3. The method as recited in claim 1, further comprising the step of determining whether the one or more assets are a critical asset, a critical-cyber asset or a non-critical asset.
  - 4. The method as recited in claim 1, wherein the one or more assets comprise cyber assets and physical assets.
  - 5. The method as recited in claim 1, wherein the operational technology infrastructure comprises a utility infrastructure.
  - 6. The method as recited in claim 1, further comprising the step of identifying and evaluating one or more risk management strategies to lower the risk of the one or more assets.
  - 7. The method as recited in claim 1, wherein the threat score is based on a threat impact score and a likelihood &
    - system effectiveness score.
  - 8. The method as recited in claim 7, wherein the threat impact score is based on an intent value, a motivation value and a capability value.
  - 9. The method as recited in claim 7, wherein the likelihood &
    - system effectiveness score is based on a likelihood value, and a system effectiveness value.
  - 10. The method as recited in claim 1, further comprising the steps of:
    - identifying one or more potential threat-sources;
      
      characterizing the one or more potential threat-sources; and
      
      selecting and adding the one or more assets and the one or more potential threat-sources as a matched pair to a threat/asset list.
  - 11. The method as recited in claim 1, wherein the vulnerability score is based on an impact value, an exploitability value, a confidentiality value, an integrity value and an availability value.
  - 12. The method as recited in claim 10, wherein the exploitability value is based on an access vector value, an access complexity value and an authentication value.
  - 13. The method as recited in claim 1, further comprising the steps of:
    - identifying one or more vulnerability sources related to the one or more assets;
      
      developing an asset and vulnerability scenario;
      
      determining whether the asset and vulnerability scenario is credible; and
      
      performing a system security test based on the asset and vulnerability scenario.
  - 14. The method as recited in claim 1, wherein the impact score is based on a criticality value, a threat value and a vulnerability value.
  - 15. The method as recited in claim 14, wherein the criticality value is based on a death impact value, a repair cost value and an economic disruption value.
  - 16. The method as recited in claim 1, further comprising the step of generating a report containing the risk of the one or more assets.

17. A computer program embodied on a non-transitory computer readable medium for assessing a risk of one or more assets within an operational technology infrastructure comprising:
- a code segment for calculating a threat score for the one or more assets;
  
  a code segment for calculating a vulnerability score for the one or more assets;
  
  a code segment for calculating an impact score for the one or more assets; and
  
  a code segment for determining the risk of the one or more assets based on the threat score, the vulnerability score and the impact score.

18. An apparatus for assessing a risk of one or more assets within an operational technology infrastructure comprising:
- a database containing data relating to the one or more assets; and
  
  one or more processors communicably coupled to the database, wherein the one or more processors calculate a threat score for the one or more assets, calculate a vulnerability score for the one or more assets, calculate an impact score for the one or more assets, and determine the risk of the one or more assets based on the threat score, the vulnerability score and the impact score.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 19. The apparatus as recited in claim 18, wherein the one or more processors further identify the one or more assets within the operational technology infrastructure.
  - 20. The apparatus as recited in claim 18, wherein the one or more processors further determine whether the one or more assets are a critical asset, a critical-cyber asset or a non-critical asset.
  - 21. The apparatus as recited in claim 18, wherein the one or more assets comprise cyber assets and physical assets.
  - 22. The apparatus as recited in claim 18, wherein the operational technology infrastructure comprises a utility infrastructure.
  - 23. The apparatus as recited in claim 18, wherein the one or more processors further identify and evaluate one or more risk management strategies to lower the risk of the one or more assets.
  - 24. The apparatus as recited in claim 18, wherein the threat score is based on a threat impact score and a likelihood &
    - system effectiveness score.
  - 25. The apparatus as recited in claim 24, wherein the threat impact score is based on an intent value, a motivation value and a capability value.
  - 26. The apparatus as recited in claim 24, wherein the likelihood &
    - system effectiveness score is based on a likelihood value, and a system effectiveness value.
  - 27. The apparatus as recited in claim 18, wherein the one or more processors further:
    - identify one or more potential threat-sources;
      
      characterize the one or more potential threat-sources; and
      
      select and adding the one or more assets and the one or more potential threat-sources as a matched pair to a threat/asset list.
  - 28. The apparatus as recited in claim 18, wherein the vulnerability score is based on an impact value, an exploitability value, a confidentiality value, an integrity value and an availability value.
  - 29. The apparatus as recited in claim 28, wherein the exploitability value is based on an access vector value, an access complexity value and an authentication value.
  - 30. The apparatus as recited in claim 18, wherein the one or more processors further:
    - identify one or more vulnerability sources related to the one or more assets;
      
      develop an asset and vulnerability scenario;
      
      determine whether the asset and vulnerability scenario is credible; and
      
      perform a system security test based on the asset and vulnerability scenario.
  - 31. The apparatus as recited in claim 18, wherein the impact score is based on a criticality value, a threat value and a vulnerability value.
  - 32. The apparatus as recited in claim 31, wherein the criticality value is based on a death impact value, a repair cost value and an economic disruption value.
  - 33. The apparatus as recited in claim 18, wherein the one or more processors further generate a report containing the risk of the one or more assets.

34. A system for assessing a risk of one or more assets within an operational technology infrastructure comprising:
- a risk assessment subsystem that calculates a threat score for the one or more assets, calculates a vulnerability score for the one or more assets, calculates an impact score for the one or more assets, and determines the risk of the one or more assets based on the threat score, the vulnerability score and the impact score;
  
  a risk visualization subsystem;
  
  a risk mitigation subsystem; and
  
  a controller communicably coupled to the risk assessment subsystem, the risk visualization subsystem and the risk mitigation subsystem.
- View Dependent Claims (35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49)
- - 35. The system as recited in claim 34, wherein the risk assessment subsystem further comprises:
    - an impact analysis system;
      
      a threat analysis system communicably coupled to the impact analysis system;
      
      a vulnerability analysis system communicably coupled to the impact analysis system;
      
      a critical infrastructure analysis system communicably coupled to the impact analysis system, the threat analysis system and the vulnerability analysis system; and
      
      a risk analysis system communicably coupled to the threat analysis system, the critical infrastructure analysis system and the vulnerability system
  - 36. The system as recited in claim 34, wherein the risk assessment subsystem further identifies the one or more assets within the operational technology infrastructure.
  - 37. The system as recited in claim 34, wherein the risk assessment subsystem further determines whether the one or more assets are a critical asset, a critical-cyber asset or a non-critical asset.
  - 38. The system as recited in claim 34, wherein the one or more assets comprise cyber assets and physical assets.
  - 39. The system as recited in claim 34, wherein the operational technology infrastructure comprises a utility infrastructure.
  - 40. The system as recited in claim 34, wherein the risk assessment subsystem further identifies and evaluates one or more risk management strategies to lower the risk of the one or more assets.
  - 41. The system as recited in claim 34, wherein the threat score is based on a threat impact score and a likelihood &
    - system effectiveness score.
  - 42. The system as recited in claim 41, wherein the threat impact score is based on an intent value, a motivation value and a capability value.
  - 43. The system as recited in claim 41, wherein the likelihood &
    - system effectiveness score is based on a likelihood value, and a system effectiveness value.
  - 44. The system as recited in claim 34, wherein the risk assessment subsystem further:
    - identifies one or more potential threat-sources;
      
      characterizes the one or more potential threat-sources; and
      
      selects and adds the one or more assets and the one or more potential threat-sources as a matched pair to a threat/asset list.
  - 45. The system as recited in claim 34, wherein the vulnerability score is based on an impact value, an exploitability value, a confidentiality value, an integrity value and an availability value.
  - 46. The system as recited in claim 45, wherein the exploitability value is based on an access vector value, an access complexity value and an authentication value.
  - 47. The system as recited in claim 34, wherein the risk assessment subsystem further:
    - identifies one or more vulnerability sources related to the one or more assets;
      
      develops an asset and vulnerability scenario;
      
      determines whether the asset and vulnerability scenario is credible; and
      
      performs a system security test based on the asset and vulnerability scenario.
  - 48. The system as recited in claim 34, wherein the impact score is based on a criticality value, a threat value and a vulnerability value.
  - 49. The system as recited in claim 48, wherein the criticality value is based on a death impact value, a repair cost value and an economic disruption value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Board of Regents of the University of Texas System (University of Texas System)
Original Assignee
Board of Regents of the University of Texas System (University of Texas System)
Inventors
Martinez, Ralph, Cordero, Salvador, Obregon, Eduardo, Gallegos, Irbis

Application Number

US14/078,514
Publication Number

US 20140137257A1
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/034   Test or assess a computer o...

G06Q 10/0635   Risk analysis of enterprise...

H04L 63/1433   Vulnerability analysis

System, Method and Apparatus for Assessing a Risk of One or More Assets Within an Operational Technology Infrastructure

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

49 Claims

Specification

Solutions

Use Cases

Quick Links

System, Method and Apparatus for Assessing a Risk of One or More Assets Within an Operational Technology Infrastructure

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

49 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links