Evaluation of an Automated Security Risk Assessment Based on a Manual Reference

The overall Industry 4.0 developments and the highly dynamic threat landscape enhance the need for continuous security engineering of industrial components, modules, and systems. Security risk assessments play a major role to ensure a secure operation of Industrial Automation and Control Systems (IACSs) but are often neglected due to missing resources and a lack of human experts for the sophisticated manual tasks. To relieve this situation and to increase the degree of automation of security risk assessments, a method for information and process modelling was developed in a previous work. The approach was also implemented prototypically as an expert system but has not been validated, yet. This work therefore presents the validation as an integral part of the overall evaluation of the automated security risk assessment concept. For a systematic validation, a reference security risk assessment is manually defined as a set of data for the comparison with the results of the automated expert system. In addition, the two main hypotheses with regard to the result quality and the process automation evaluated.