Design and Implement Machine Learning Tool for Cyber Security Risk Assessment

Cyber-attacks have increased in number and severity, which has negatively affected businesses and their services. As such, cyber security is no longer considered merely a technological problem, but must also be considered as critical to the economy and society. Existing solutions struggle to find indicators of unexpected risks, which limits their ability to make accurate risk assessments. This study presents a risk assessment method based on Machine Learning, an approach used to assess and predict companies' exposure to cybersecurity risks. For this purpose, four algorithm implementations from Machine Learning (Light Gradient Boosting, AdaBoost, CatBoost, Multi-Layer Perceptron) were implemented, trained, and evaluated using generative datasets representing the characteristics of different volumes of data (for example, number of employees, business sector, and known vulnerabilities and externel advisor). The quantitative evaluation conducted on this study shows the high accuracy of Machine Learning models and Especially Multi-Layer Perceptron was the best accuracy when working compared to previous work

An Indicators-of-Risk Library for Industrial Network Security

This paper introduces an “Indicator of Risk (IoR) Library" that leverages the MITRE ATT&CK for Industrial Control Systems (ICS) knowledge base to support continuous risk monitoring. This allows also making use of variables that are already being monitored to analyse risks in a continuous basis. IoRs broaden the concept of Indicators of Compromise by combining detection strategies with probabilistic inference as a tool for quantifying cyber-security risks. The latest version of the Library has 95 IoRs and has been reviewed by professionals from three major companies and cross-referenced against detection use-cases implemented by other researchers to validate its potential to identify variables for monitoring cyber-risks in ICS

A fuzzy probability Bayesian network approach for dynamic cybersecurity risk assessment in industrial control systems

With the increasing deployment of data network technologies in industrial control systems (ICSs), cybersecurity becomes a challenging problem in ICSs. Dynamic cybersecurity risk assessment plays a vital role in ICS cybersecurity protection. \ud \ud However, it is difficult to build a risk propagation model for ICSs due to the lack of sufficient historical data. In this paper, a fuzzy probability Bayesian network (FPBN) approach is presented for dynamic risk assessment. \ud \ud Firstly, an FPBN is established for analysis and prediction of the propagation of cybersecurity risks. To overcome the difficulty of limited historical data, the crisp probabilities used in standard Bayesian networks (BNs) are replaced in our approach by fuzzy probabilities. \ud \ud Then, an approximate dynamic inference algorithm is developed for dynamic assessment of ICS cybersecurity risk. It is embedded with a noise evidence filter in order to reduce the impact from noise evidence caused by system faults. Experiments are conducted on a simplified chemical reactor control system to demonstrate the effectiveness of the presented approach

Anomalous behaviour detection for cyber defence in modern industrial control systems

A thesis submitted in partial fulfilment of the requirements of the University of Wolverhampton for the degree of Doctor of Philosophy.The fusion of pervasive internet connectivity and emerging technologies in smart cities creates fragile cyber-physical-natural ecosystems. Industrial Control Systems (ICS) are intrinsic parts of smart cities and critical to modern societies. Not designed for interconnectivity or security, disruptor technologies enable ubiquitous computing in modern ICS. Aided by artificial intelligence and the industrial internet of things they transform the ICS environment towards better automation, process control and monitoring. However, investigations reveal that leveraging disruptive technologies in ICS creates security challenges exposing critical infrastructure to sophisticated threat actors including increasingly hostile, well-organised cybercrimes and Advanced Persistent Threats. Besides external factors, the prevalence of insider threats includes malicious intent, accidental hazards and professional errors. The sensing capabilities create opportunities to capture various data types. Apart from operational use, this data combined with artificial intelligence can be innovatively utilised to model anomalous behaviour as part of defence-in-depth strategies. As such, this research aims to investigate and develop a security mechanism to improve cyber defence in ICS. Firstly, this thesis contributes a Systematic Literature Review (SLR), which helps analyse frameworks and systems that address CPS’ cyber resilience and digital forensic incident response in smart cities. The SLR uncovers emerging themes and concludes several key findings. For example, the chronological analysis reveals key influencing factors, whereas the data source analysis points to a lack of real CPS datasets with prevalent utilisation of software and infrastructure-based simulations. Further in-depth analysis shows that cross-sector proposals or applications to improve digital forensics focusing on cyber resilience are addressed by a small number of research studies in some smart sectors. Next, this research introduces a novel super learner ensemble anomaly detection and cyber risk quantification framework to profile anomalous behaviour in ICS and derive a cyber risk score. The proposed framework and associated learning models are experimentally validated. The produced results are promising and achieve an overall F1-score of 99.13%, and an anomalous recall score of 99% detecting anomalies lasting only 17 seconds ranging from 0.5% to 89% of the dataset. Further, a one-class classification model is developed, leveraging stream rebalancing followed by adaptive machine learning algorithms and drift detection methods. The model is experimentally validated producing promising results including an overall Matthews Correlation Coefficient (MCC) score of 0.999 and the Cohen’s Kappa (K) score of 0.9986 on limited variable single-type anomalous behaviour per data stream. Wide data streams achieve an MCC score of 0.981 and a K score of 0.9808 in the prevalence of multiple types of anomalous instances. Additionally, the thesis scrutinises the applicability of the learning models to support digital forensic readiness. The research study presents the concept of digital witness and digital chain of custody in ICS. Following that, a use case integrating blockchain technologies into the design of ICS to support digital forensic readiness is discussed. In conclusion, the contributions of this research thesis help towards developing the next generation of state-of-the-art methods for anomalous behaviour detection in ICS defence-in-depth

A Continuous Risk Management Approach for Cyber-Security in Industrial Control Systems

In industrial networks, a cyber-incident can have, as a consequence, the interference with physical processes, which can potentially cause damages to property, to humans’ health and safety, and to the environment. Currently most safeguards built into Industrial Control Systems provide mitigations against accidents and faults but are not necessarily effective against malicious acts. Moreover, even if cyber-threats can be contained, significant costs will be incurred whenever operations have to shut down in response to a cyber-attack. As there are important gaps in Industrial Control Systems, they have increasingly been targeted over the past decade, creating concern among the cyber-security and the process control engineering communities. Operators may be reluctant or unable to implement standard cyber-security controls in this type of systems because they might interfere with time-sensitive control loops, interrupt continuous operation or potentially compromise safety. This situation calls for a more proactive approach to monitor cyber-risks since many of them cannot be totally eliminated or properly controlled by preventative measures. Traditional risk management approaches do not address this, since they are not conceived to work at the same speed that changes can occur in cyber-security operations. This thesis aims to facilitate the adoption of Continuous Risk Management in industrial networks by proposing a risk assessment methodology focused mainly on the aspect of risk likelihood updates. The approach proposed is based on a Continuous Risk Assessment Methodology, which is derived from a typical Risk Management process and modified to work in a continuous basis. The methodology consists of workflows and a description of each process involved, including its inputs and outputs. Additionally, a number of resources to support the implementation of the methodology on industrial environments were developed. These resources consist of the introduction and categorisation of the concept of “Indicator of Risk” (IoR), a knowledge base, containing a set of different categories of IoRs, named as the “IoR Library” and the implementation of this knowledge base on a Bayesian Network template. Finally, behavioural anomaly detection using sensors data is demonstrated to illustrate the use of IoRs based on data from physical processes as a resource to detect possible cyber-risks. These resources provided concrete means to address issues in industrial cyber-security risk management such as the availability and quality of information, the complexity of defining rules and identifying normal and abnormal states, the limited scope of academic work, and the lack of integration between risk management and cyber-security operations