Enterprise Architecture
Models for Cyber Security
Analysis
Mathias Ekstedt
Teodor Sommestad
Industrial Information and Control Systems
Royal Institute of Technology – KTH
Stockholm, Sweden
Industrial Information and Control Systems Mathias Ekstedt
Consequences of Cyber
Security Incidents… (?)
CIA senior analyst Tom Donahue:
“We have information that cyberattacks have been used to disrupt power equipment in several
regions outside the United States. In at least one case, the disruption caused a power outage
Cyber security management
is difficult!
Is my control
system secure
enough?
Head of Operations
Which parameters decide cyber security?
The control system is complex
•
Much advanced functionality
•
Interconnected
•
Heterogeneous third-party components
Actually, I don’t even
know everything I have
out there
Vulnerabilities are
potentially everywhere
•
A system is no more secure than its weakest
link
And security is a complex area…
•
A wide-spanning area:
– Business Organization Requirements
• Risk analysis, information and functionality criticality
classification, staff access rights, business continuity
management, …
– IT Organization Requirements
• Testing tools and competence, configuration management, IT
policies, acquisition processes, coding practices…
– IT System requirements
• Firewalls, IDS, access control, authentication, encryption,
execution environment limitations, network configurations,
protocol limitations, internal application design, …
– Vulnerabilities/attack vectors
• denial of service, default passwords, man in the middle,
buffer overflow, …
•
And all of this is connected…
• systems to systems to organization to organization to
vulnerabilities to vulnerabilities to attacks to attacks …
Poor decision support for
cyber security
•
Plenty of reference material:
– NIST SP 800-82 (and others), NERC CIP, ISO 17799,
ISO 27004, ISA-SP99, material from US-CERT,
SCADA Procurement Language, …, books, articles …
•
But they don’t help much with how-to,
priorities, or causalities.
Should I spend my
security budget on a
training program or
new firewalls?
The life of our
decision-maker in summary…
•
Poor understanding of the system
architecture configuration and its
environment
•
Poor understanding of how to achieve
security
•
Limited resources, time and money
A promising approach:
Enterprise Architecture
•
Take a holistic and business-oriented
approach to IT management
•
Use graphical models
– Business (processes and organizational
structure)
– Information
– Application
– Infrastructure technology
Models for
Control Systems!?
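[Figure: organization chart with CEO, T&D, Maintenance, Distribution operation, Network Planning, …]
Theory for Control
System models!?
[Figure: organization chart with CEO, T&D, Maintenance, Distribution operation, Network Planning, …, together with Operation, Maintenance, Planning and a question mark]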
Distance between Paris and Dakar = F(x)
Cyber Security Level = F(x)
The VIKING project
Vital Infrastructure, Networks, Information and Control Systems Management
•
A cyber-physical project analyzing how cyber
attacks end in consequences in society by
connecting control system architecture
models and power system models
[Figure labels: Attacks, Control System Architecture, Probability for control orders, Power System Simulator, Probability for power delivery, Societal Impact ($)]
Partners
•
ABB
– Developer of SCADA systems
•
E.ON
– Power transmission and distribution, SCADA system user
•
Astron
– SCADA system integration
•
KTH - Stockholm
– Software system architecture, networked control systems,
communication networks
•
ETH - Zurich
– Power system modeling, cyber-physical modeling, game
theory
•
UC Berkeley
– Computer security, systems modeling
•
University of Maryland
– Hybrid networks, network security
Our approach to cyber attack
analysis is based on defense
graphs
Attacks + Countermeasures => Defense graphs
Gives:
•
The probability that an attack is successful
•
An index on how secure the system is
Example defense graph
Using Bayesian statistics for
quantifying the defense graphs
Existence of default passwords               T    T    T    T    F    F    F    F
Passwords used in multiple systems           T    T    F    F    T    T    F    F
Personnel susceptible to social engineering  T    F    T    F    T    F    T    F
Success                                      0.9  0.8  0.8  0.7  0.8  0.7  0.7  0.1
Failure                                      0.1  0.2  0.2  0.3  0.2  0.3  0.3  0.9
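Added example (not from the original slides): the conditional probability table above evaluated as a single defense-graph node, marginalising over uncertain parent states and ranking which weakness, once eliminated, lowers the attack success probability most. The prior probabilities and the function names are constructed assumptions; only the Success row comes from the slide.

```python
from itertools import product

# Parent nodes of the "attack success" node, in the slide's row order.
PARENTS = ("default_passwords", "passwords_reused", "social_engineering")

# "Success" row of the slide's table; columns run TTT, TTF, TFT, ..., FFF.
SUCCESS_ROW = (0.9, 0.8, 0.8, 0.7, 0.8, 0.7, 0.7, 0.1)
CPT_SUCCESS = dict(zip(product((True, False), repeat=3), SUCCESS_ROW))

# Constructed priors (assumption, not from the slides): the assessor's belief
# that each weakness is present in the architecture being assessed.
PRIORS = {"default_passwords": 0.5, "passwords_reused": 0.6,
          "social_engineering": 0.3}


def p_success(priors, evidence=None):
    """P(attack success), marginalised over the uncertain parent states.

    evidence maps a parent name to True/False when its state is known.
    """
    evidence = evidence or {}
    total = 0.0
    for states in product((True, False), repeat=len(PARENTS)):
        weight = 1.0
        for name, state in zip(PARENTS, states):
            if name in evidence:
                p_true = 1.0 if evidence[name] else 0.0
            else:
                p_true = priors[name]
            weight *= p_true if state else 1.0 - p_true
        total += weight * CPT_SUCCESS[states]
    return total


def rank_countermeasures(priors):
    """Drop in P(success) when one weakness is known to be eliminated."""
    base = p_success(priors)
    gains = {n: base - p_success(priors, {n: False}) for n in PARENTS}
    return sorted(gains.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    print(f"baseline P(success) = {p_success(PRIORS):.3f}")
    for name, gain in rank_countermeasures(PRIORS):
        print(f"eliminating {name}: -{gain:.3f}")
```

With these assumed priors, eliminating password reuse gives the largest reduction; different priors can change the ranking, which is the uncertainty the Bayesian treatment is meant to expose.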
Coping with uncertainty
•
Bayesian statistics capture uncertainty in:
– Theoretical structure
– Values of parameters
Adding architecture model
elements
Architecture (meta-)models
with an integrated analysis
framework
Architectural decision-support
[Figure: expected consequence (axis from -1000 to 0) for Scenario 1, Scenario 2 and Scenario 3]
Thank you!
Questions?