Security Metrics

The idea of ICS security metrics is popular, but actual measurable metrics are rare. The ISA99 committee is tackling this hard problem with Technical Report 62443-1-3 System Security Conformance Metrics, now out for ballot.

Section 4.2 Metrics Development Checklist is direct in stating “Qualitative labels like high, medium and low are not acceptable.” The metric must be “Measurable: consistently measured with objective criteria” and “expressed as a cardinal number or percentage”.

The meat of the Technical Report is two pages with 17 metrics. They met the goals in the Metrics Development Checklist. These metrics can be objectively measured.

The value of the metrics is a harder question and varies quite a bit by metric. It read to me as a list of security items that could be objectively measured rather than a list of what metrics would be useful. We would not recommend collecting and monitoring all of this short list of metrics for most of our clients, but we do recommend some of them already and will consider recommending others on the list.

I wonder if metrics related to completeness of inventory, variances from expected data flows and other documentation and system state metrics might be helpful.
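To show what the two metrics floated above might look like when they meet the 62443-1-3 checklist criteria (objective, expressed as a cardinal number or percentage rather than high/medium/low), here is an added example. It is not from the Technical Report or this post; the asset names, flows and the choice of which percentages to report are assumptions, and the sample data is constructed.

```python
# Added example (not from the ISA99 report or the post): two candidate
# metrics expressed as cardinal numbers and percentages, so they satisfy
# the 62443-1-3 "measurable with objective criteria" checklist item.
from typing import Dict, Set, Tuple

Flow = Tuple[str, str, int]  # (source host, destination host, destination port)


def inventory_completeness(documented: Set[str], observed: Set[str]) -> Dict[str, float]:
    """Compare the documented asset inventory against hosts actually seen on the
    network (e.g. from passive monitoring). Returns counts plus a percentage."""
    undocumented = observed - documented   # on the wire, but not in inventory
    stale = documented - observed          # in inventory, but never seen
    covered_pct = 100.0 * len(observed & documented) / len(observed) if observed else 100.0
    return {
        "observed_hosts": len(observed),
        "undocumented_hosts": len(undocumented),
        "stale_inventory_entries": len(stale),
        "inventory_coverage_pct": round(covered_pct, 1),
    }


def flow_variance(expected: Set[Flow], observed: Set[Flow]) -> Dict[str, float]:
    """Compare expected (documented) data flows against observed flows.
    Variance is the share of observed flows that were not expected."""
    unexpected = observed - expected       # flows nobody documented
    missing = expected - observed          # documented flows that did not occur
    variance_pct = 100.0 * len(unexpected) / len(observed) if observed else 0.0
    return {
        "observed_flows": len(observed),
        "unexpected_flows": len(unexpected),
        "missing_expected_flows": len(missing),
        "flow_variance_pct": round(variance_pct, 1),
    }


# Constructed sample data; hostnames, addresses and ports are hypothetical.
DOCUMENTED_ASSETS = {"plc-01", "plc-02", "hmi-01", "historian-01"}
OBSERVED_ASSETS = {"plc-01", "plc-02", "hmi-01", "historian-01", "10.0.5.77"}

EXPECTED_FLOWS = {
    ("hmi-01", "plc-01", 502),
    ("hmi-01", "plc-02", 502),
    ("historian-01", "plc-01", 502),
}
OBSERVED_FLOWS = {
    ("hmi-01", "plc-01", 502),
    ("hmi-01", "plc-02", 502),
    ("10.0.5.77", "plc-01", 502),      # undocumented host talking Modbus
    ("hmi-01", "plc-01", 44818),       # known host, undocumented protocol
}


def report() -> Dict[str, Dict[str, float]]:
    """Build both metric sets from the constructed sample data."""
    return {
        "inventory": inventory_completeness(DOCUMENTED_ASSETS, OBSERVED_ASSETS),
        "flows": flow_variance(EXPECTED_FLOWS, OBSERVED_FLOWS),
    }


if __name__ == "__main__":
    for name, metrics in report().items():
        print(name)
        for key, value in metrics.items():
            print(f"  {key}: {value}")
```

On the sample data, inventory coverage comes out at 80.0% with one undocumented host, and flow variance at 50.0% with two unexpected flows and one documented flow that never appeared. Both numbers can be trended month over month, which is the point of the checklist's "cardinal number or percentage" rule.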

This is a credible and helpful first pass at the security metrics challenge. The best part is the committee didn’t wimp out on the metrics criteria.

The ISA99 committee recognized there is work to be done by calling this a Technical Report rather than a Standard at this point in its development.

Image by nsub1