
    Generalized Fault Trees: from reliability to security

    Fault Trees (FT) are widespread models in the reliability field, but they lack modelling power, so several extensions introducing specific new modelling primitives have been proposed in the literature. Attack Trees (AT) have gained acceptance in the field of security. They follow the same notation as standard FT, but they represent the combinations of actions necessary for the success of an attack on a computing system. In this paper, we extend the AT formalism by exploiting the new primitives introduced in specific FT extensions, which leads to more accurate models. The approach is applied to a case study: the AT is used to represent the attack mode and to compute specific quantitative measures of the system's security.
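As an added example (not code from the paper or its authors), the evaluator below shows the kind of quantitative measure an attack tree supports once it is read with FT-style AND/OR gate semantics: bottom-up success probability under an independence assumption, the cheapest attacker strategy, and the minimal attack scenarios (the security counterpart of minimal cut sets). The SCADA setpoint tree, its step names, probabilities and costs are constructed for illustration only; the extended primitives the paper introduces are not modelled here.

```python
"""Attack-tree evaluation with AND/OR gates: success probability, minimal attacker
cost and minimal attack scenarios. Added example, not code from the paper."""
from dataclasses import dataclass
from functools import reduce
from itertools import product
from typing import FrozenSet, List, Union


@dataclass(frozen=True)
class Leaf:
    """Basic attack step. prob and cost are assumed attacker-side parameters."""
    name: str
    prob: float   # probability the step succeeds when attempted (assumed)
    cost: float   # attacker effort for the step (assumed, arbitrary units)


@dataclass(frozen=True)
class Gate:
    """AND: every child must succeed; OR: any one child suffices (FT notation)."""
    name: str
    kind: str        # "AND" or "OR"
    children: tuple  # of Leaf | Gate


Node = Union[Leaf, Gate]


def success_probability(node: Node) -> float:
    """Bottom-up evaluation. Assumes leaves are independent and occur once in the
    tree; a leaf shared between branches makes this over-count (see attack_scenarios)."""
    if isinstance(node, Leaf):
        return node.prob
    ps = [success_probability(c) for c in node.children]
    if node.kind == "AND":
        return reduce(lambda a, b: a * b, ps, 1.0)
    if node.kind == "OR":
        return 1.0 - reduce(lambda a, b: a * (1.0 - b), ps, 1.0)
    raise ValueError(f"unknown gate kind {node.kind!r}")


def min_attack_cost(node: Node) -> float:
    """Cheapest attacker strategy: AND sums child costs, OR takes the cheapest child."""
    if isinstance(node, Leaf):
        return node.cost
    costs = [min_attack_cost(c) for c in node.children]
    return sum(costs) if node.kind == "AND" else min(costs)


def attack_scenarios(node: Node) -> List[FrozenSet[str]]:
    """Minimal sets of basic steps that together are enough to reach the root."""
    if isinstance(node, Leaf):
        return [frozenset({node.name})]
    child_sets = [attack_scenarios(c) for c in node.children]
    if node.kind == "OR":
        candidates = [s for sets in child_sets for s in sets]
    else:  # AND: one scenario from every child, merged into one set
        candidates = [frozenset().union(*combo) for combo in product(*child_sets)]
    # keep only minimal sets: shortest first, drop any superset of a kept set
    minimal: List[FrozenSet[str]] = []
    for s in sorted(set(candidates), key=len):
        if not any(m <= s for m in minimal):
            minimal.append(s)
    return minimal


# Constructed sample tree: altering a PLC setpoint in a small SCADA network.
# Probabilities and costs are illustrative assumptions, not measured data.
PHISH = Leaf("phish an operator", 0.3, 200)
PIVOT = Leaf("pivot to engineering workstation", 0.5, 300)
FIND_HMI = Leaf("find Internet-exposed HMI", 0.2, 50)
DEFAULT_CREDS = Leaf("log in with default credentials", 0.4, 10)

SETPOINT_TREE = Gate("change PLC setpoint", "OR", (
    Gate("via engineering workstation", "AND", (PHISH, PIVOT)),
    Gate("via exposed HMI", "AND", (FIND_HMI, DEFAULT_CREDS)),
))

if __name__ == "__main__":
    print(f"P(attack succeeds) = {success_probability(SETPOINT_TREE):.3f}")
    print(f"cheapest attack cost = {min_attack_cost(SETPOINT_TREE)}")
    for scenario in attack_scenarios(SETPOINT_TREE):
        print("scenario:", sorted(scenario))
```

The independence assumption behind the probability formula is the usual one for static FT/AT gates; the scenario enumeration does not need it and still gives a correct qualitative answer when a step is shared between branches, which is exactly the situation where extended primitives (sequencing, dependencies) become worth modelling.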

    DAG-Based Attack and Defense Modeling: Don't Miss the Forest for the Attack Trees

    This paper presents the current state of the art on attack and defense modeling approaches that are based on directed acyclic graphs (DAGs). DAGs allow for a hierarchical decomposition of complex scenarios into simple, easily understandable and quantifiable actions. Methods based on threat trees and Bayesian networks are two well-known approaches to security modeling. However, more than 30 DAG-based methodologies exist, each with different features and goals. The objective of this survey is to present a complete overview of graphical attack and defense modeling techniques based on DAGs. This consists of summarizing the existing methodologies, comparing their features and proposing a taxonomy of the described formalisms. This article also supports the selection of an adequate modeling technique depending on user requirements.

    Model-based Safety and Security Co-analysis: a Survey

    We survey the state of the art on model-based formalisms for safety and security analysis, where safety refers to the absence of unintended failures, and security to the absence of malicious attacks. We consider ten model-based formalisms, comparing their modeling principles, the interaction between safety and security, and their analysis methods. In each formalism, we model the classical Locked Door Example where possible. Our key finding is that the exact nature of safety-security interaction is still ill-understood. Existing formalisms merge previous safety and security formalisms, without introducing specific constructs to model safety-security interactions, or metrics to analyze trade-offs.

    Model-based Joint Analysis of Safety and Security: Survey and Identification of Gaps

    We survey the state of the art on model-based formalisms for joint safety and security analysis, where safety refers to the absence of unintended failures, and security to the absence of malicious attacks. We conduct a thorough literature review and, as a result, consider fourteen model-based formalisms, comparing them with respect to several criteria: (1) Modelling capabilities and expressiveness: which phenomena can be expressed in these formalisms, and to what extent can they capture safety-security interactions? (2) Analytical capabilities: which analysis types are supported? (3) Practical applicability: to what extent have the formalisms been used to analyze small or larger case studies? Furthermore, (1) we present more precise definitions for safety-security dependencies in tree-like formalisms; (2) we showcase the potential of each formalism by modelling the same toy example from the literature; and (3) we present our findings and reflect on possible ways to narrow the highlighted gaps. In summary, our key findings are the following: (1) the majority of approaches combine tree-like formal models; (2) the exact nature of safety-security interaction is still ill-understood, and (3) diverse formalisms can capture different interactions; (4) the analyzed formalisms merge modelling constructs from existing safety- and security-specific formalisms, without introducing ad hoc constructs to model safety-security interactions, or (5) metrics to analyze trade-offs. Moreover, (6) large case studies representing safety-security interactions are still missing.

    Joint Modelling of Safety and Security for Risk Assessment in Cyber-Physical Systems (Modélisation conjointe de la sûreté et de la sécurité pour l'évaluation des risques dans les systèmes cyber-physiques)

    Cyber-physical systems (CPS) are systems that embed programmable components in order to control a physical process or infrastructure. CPS are now widely used in industries such as energy, aeronautics, automotive, medical and chemical. Among the variety of existing CPS are SCADA (Supervisory Control And Data Acquisition) systems, which offer the means to control and supervise critical infrastructures. Their failure or malfunction can have adverse consequences for the system and its environment.

    SCADA systems used to be isolated and based on simple components and proprietary standards. They are nowadays increasingly integrating information and communication technologies (ICT) in order to facilitate supervision and control of the industrial process and to reduce operating costs. This trend makes SCADA systems more complex and exposes them to cyber-attacks that exploit vulnerabilities already present in the ICT components. Such attacks can reach critical components within the system and alter its functioning, causing safety harm.

    Throughout this dissertation we associate safety with accidental risks originating from the system, and security with malicious risks, with a focus on cyber-attacks. In this context of industrial systems supervised by new SCADA systems, safety and security requirements and risks converge and can interact. A joint risk analysis covering both safety and security is necessary to identify these interactions and to optimise risk management.

    In this thesis, we first give a comprehensive survey of existing approaches that consider both safety and security issues for industrial systems, and highlight their shortcomings against four criteria that we believe essential for a good model-based approach: formal, automatic, qualitative and quantitative, and robust (i.e. easily integrating changes to the system into the model).

    Next, we propose a new model-based approach for joint safety and security risk analysis, S-cube (SCADA Safety and Security modeling), that satisfies all of the above criteria. S-cube models CPS formally and yields the associated qualitative and quantitative risk analysis. Thanks to graphical modelling, the system architecture can be entered and different hypotheses about it easily considered. S-cube then automatically generates the safety and security risk scenarios likely to occur on this architecture and lead to a given undesirable event, with an estimate of their probabilities.

    The S-cube approach is based on a knowledge base that describes the typical components of industrial architectures, covering the information, process-control and instrumentation levels. This knowledge base was built on a taxonomy of attacks and failure modes and a hierarchical top-down reasoning mechanism, and has been implemented in the Figaro modelling language and its associated tools. To build the model of a system, the user only has to describe graphically its physical and functional (software and data-flow) architecture. Combining the knowledge base with the system architecture produces a dynamic state-based model: a Continuous Time Markov Chain (CTMC). Because of the combinatorial explosion of states, this CTMC cannot be built exhaustively, but it can be explored in two ways: by searching for sequences that lead to an undesirable event, or by Monte Carlo simulation. This yields both qualitative and quantitative results.

    We finally illustrate the S-cube approach on a realistic case study, a pumped-storage hydroelectric plant, to show its ability to yield a holistic analysis covering safety and security risks on such a system. We examine the results obtained in order to identify potential safety-security interactions and give recommendations.
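As an added example, not S-cube code, the block below shows the two exploration modes the abstract describes on a deliberately small state-based model: an exhaustive search for transition sequences that lead to an undesirable event (the qualitative result), and Monte Carlo simulation of the CTMC (Gillespie-style competing exponentials) to estimate the probability of reaching it before a mission horizon (the quantitative result). The pumping-station facts, transition names, kinds and rates are constructed assumptions, chosen so that the attack only causes harm together with a safety-side failure; nothing here comes from the thesis's knowledge base or its Figaro models.

```python
"""Exploring a small safety/security CTMC two ways: exhaustive search for event
sequences leading to an undesirable state, and Monte Carlo estimation of the
probability of reaching it. Added example, not S-cube code; model and rates are
constructed assumptions."""
import random
from typing import FrozenSet, List, Tuple

State = FrozenSet[str]
# (transition name, kind, rate per hour, successor state)
Transition = Tuple[str, str, float, State]


def enabled_transitions(s: State) -> List[Transition]:
    """Constructed toy model of a pumping station. Facts accumulate monotonically,
    so the reachable state space is finite; rates are illustrative, per hour."""
    t: List[Transition] = []
    if "hmi_compromised" not in s:
        t.append(("attacker compromises HMI", "attack", 0.01, s | {"hmi_compromised"}))
    if "interlock_failed" not in s:
        t.append(("pressure interlock fails", "failure", 0.001, s | {"interlock_failed"}))
    if "setpoint_altered" not in s:
        t.append(("operator sets unsafe setpoint", "failure", 0.002, s | {"setpoint_altered"}))
        if "hmi_compromised" in s:
            t.append(("attacker sets unsafe setpoint via HMI", "attack", 0.1,
                      s | {"setpoint_altered"}))
    return t


def undesirable(s: State) -> bool:
    """Overpressure: an unsafe setpoint while the interlock cannot stop it."""
    return "setpoint_altered" in s and "interlock_failed" in s


def find_sequences(start: State, max_depth: int) -> List[List[Transition]]:
    """Qualitative exploration: every transition sequence of length <= max_depth that
    first reaches an undesirable state. The chain is never built; states are generated
    on demand from the transition rules."""
    found: List[List[Transition]] = []

    def dfs(state: State, prefix: List[Transition]) -> None:
        if undesirable(state):
            found.append(prefix)
            return
        if len(prefix) == max_depth:
            return
        for tr in enabled_transitions(state):
            dfs(tr[3], prefix + [tr])

    dfs(start, [])
    return found


def classify(seq: List[Transition]) -> str:
    """'attack', 'failure' or 'mixed' depending on the kinds of steps in the sequence."""
    kinds = {tr[1] for tr in seq}
    return "mixed" if len(kinds) > 1 else next(iter(kinds))


def simulate_once(start: State, horizon: float, rng: random.Random) -> bool:
    """One CTMC trajectory; True if the undesirable state is reached before horizon."""
    t, state = 0.0, start
    while not undesirable(state):
        trs = enabled_transitions(state)
        total = sum(tr[2] for tr in trs)
        if total == 0.0:
            return False                      # absorbing but harmless state
        t += rng.expovariate(total)           # holding time of the current state
        if t > horizon:
            return False
        u = rng.random() * total              # choose the firing transition by rate
        for tr in trs:
            u -= tr[2]
            if u <= 0.0:
                state = tr[3]
                break
        else:                                 # floating-point leftover: take the last
            state = trs[-1][3]
    return True


def estimate_probability(start: State, horizon: float, runs: int, seed: int = 1) -> float:
    """Monte Carlo estimate of P(undesirable state reached within horizon)."""
    rng = random.Random(seed)
    hits = sum(simulate_once(start, horizon, rng) for _ in range(runs))
    return hits / runs


INITIAL: State = frozenset()

if __name__ == "__main__":
    for seq in find_sequences(INITIAL, max_depth=3):
        print(f"[{classify(seq):7}] " + " -> ".join(tr[0] for tr in seq))
    print("P(overpressure within 500 h) ~", estimate_probability(INITIAL, 500.0, 2000))
```

In this toy model the sequence search shows the safety-security interaction directly: no sequence is attack-only, because the compromised HMI can only cause overpressure once the interlock (a safety function) has failed, while the two failure-only sequences need no attacker at all. With a real knowledge base the state space is far too large to enumerate, which is why the bounded sequence search and the simulation are the two practical ways to explore the chain.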

    A review of cyber security risk assessment methods for SCADA systems

    This paper reviews the state of the art in cyber security risk assessment of Supervisory Control and Data Acquisition (SCADA) systems. We select and examine in detail twenty-four risk assessment methods developed for or applied in the context of a SCADA system. We describe the essence of the methods and then analyse them in terms of aim; application domain; the stages of risk management addressed; key risk management concepts covered; impact measurement; sources of probabilistic data; evaluation; and tool support. Based on the analysis, we suggest an intuitive scheme for the categorisation of cyber security risk assessment methods for SCADA systems. We also outline five research challenges facing the domain and point out the approaches that might be taken.

    Developing Secure and Safe Systems with Knowledge Acquisition for Automated Specification

    There are specialised techniques and languages used in risk management in both the safety engineering and security engineering domains. The outputs of these techniques, known as artifacts, are separated from each other, which leads to several difficulties, because the domains are independent and there is no single domain unifying the two. The problem is that safety engineers and security engineers work in separate teams throughout the system development life cycle, which results in incomplete coverage of risks and threats. The thesis applies a structured approach to integrating security and safety by creating a SaS (Safety and Security) domain model. Furthermore, it demonstrates that the goal-oriented KAOS (Knowledge Acquisition in autOmated Specification) language can be used in threat and hazard analysis to cover both the safety and security domains, making their outputs, or artifacts, well-structured and comprehensive, which results in dependability through the comprehensiveness of the analysis. The proposed solution creates a domain model in which the safety and security domains are integrated; this gives better means of comparison and integration for finding common ground between the two domains and unifying their definitions by mapping them into a general ontology. The integration of the two domains into a single model produces mutual influence between safety and security techniques and yields outputs regarded as assurance artifacts, using KAOS with a domain model built from a case study. After the newly created model is applied, an experiment analyses the same case and compares its results with those of existing models, in order to examine the value of such a domain model. The structured approach can thereby act as an interface for active interaction in risk and hazard management in terms of universal coverage, finding solutions for differences and contradictions that can be overcome by integrating the safety and security domains and using a unified system analysis technique (KAOS), resulting in analysis centrality.
