Security Risk Assessments: Modeling and Risk Level Propagation

Security risk assessment is an important task in systems engineering. It is used to derive security requirements for a secure system design and to evaluate design alternatives as well as vulnerabilities. Security risk assessment is also a complex and interdisciplinary task, where experts from the application domain and the security domain have to collaborate and understand each other. Automated and tool-supported approaches are desired to help manage the complexity. However, the models used for system engineering usually focus on functional behavior and lack security-related aspects. Therefore, we present our modeling approach that alleviates communication between the involved experts and features steps of computer-aided modeling to achieve consistency and avoid omission errors. We demonstrate our approach with an example. We also describe how to model impact rating and attack feasibility estimation in a modular fashion, along with the propagation and aggregation of these estimations through the model. As a result, experts can make local decisions or changes in the model, which in turn provides the impact of these decisions or changes on the overall risk profile. Finally, we discuss the advantages of our model-based method

A Comparison of Security Risk Analysis in the In-house IT Infrastructure and Cloud Infrastructure for the Payment Gateway System

Infrastruktuuri lahendused viiakse pilve tänu paremale juhtimisvõimekusele, seadmete tehnilisele arengule ning pilve lahenduste paindlikkusele ja kuluefektiivsetele võimalustele. Seetõttu muutub ettevõtte arhitektuur, kui süsteemid viiakse uude infrastruktuuri. Selliste muutuste tõttu võivad turvariskid suureneda või väheneda, avalduda uued riskid või suudetakse kõrvaldada mõned olemasolevad riskid. Ainult äriprotsesside modelleerimisele tugineva riskianalüüsi puhul, kus tuvastatakse ettevõtte varade väärtus, puudub IT-infrastruktuuri ja äriprotsesside omavahelise seose esindamine. Seega võib riskianalüüsis teatud infosüsteemi (IS) varasid hoopis eirata. Kahe infrastruktuuri turvariskide analüüsimisel tuleb arvestada ettevõtte arhitektuurilisi erinevusi, sest identifitseerimata IS varad võivad olla haavatavad ja kujutada ohtu käsitletavale organisatsioonile. Käesolevas töös tuvastatakse arhitektuuri modelleerimise kaudu varad, mis on vajalikud riskianalüüsi tegemiseks. Koostatud mudelid näitavad erinevusi, mis on seotud IS varadega organisatsiooni sisemise infrastruktuuri ja pilves vahel. Organisatsiooni arhitektuurist tulenevate IS varadega seotud turvariskide kindlaksmääramisel kasutatakse STRIDE taksonoomia põhist ohu modelleerimist.Selles uurimistöös esitletakse protseduuri, mis aitab organisatsioonidel tuvastada kahe infrastruktuuri IS varade muutusi ja mõista turvariskide erinevusi. Käesolevas uurimistöös kasutatud arhitektuuri modelleerimine illustreerib IS varade erinevusi ja näitab, kuidas äriprotsesse saab kaardistada tehnoloogia komponentidega. Seejärel võimaldab ohu modelleerimine struktuurselt määrata süsteemi ohtusid. Vastavad turvariskid kategoriseeritakse põhinedes uue infrastruktuuri olemasolule. Riskidega seotud muutused toovad esile ettevõtte sisemise infrastruktuuri ja pilve infrastruktuuri vahe. Selline lähenemisviis on kinnitatud ekspertide poolt. Käesolev uurimistöö põhineb juhtumiuuringul, mis käsitleb Põhja-Euroopas kasutatavat maksekanali süsteemi.In-house infrastructures are migrated to the cloud owing to the enhanced technical management capabilities, technical advancement as well as the flexibility and cost-effective options offered by the cloud. Moreover, an enterprise architecture changes when the sys-tems are moved into a different infrastructure. Due to such infrastructural changes, secu-rity risks can increase or decrease, while new risks can be introduced and some risks can be eliminated. Asset identification for risk analysis based only on business process mod-elling lacks the integration and representation of the interrelationship between IT infra-structure and business processes. Hence, certain information system (IS) assets can be neglected in the risk analysis. When analysing the security risk of two infrastructures, enterprise architectural differences need to be captured, since unidentified IS assets could be vulnerable and pose a security risk to the concerned organisation.In this thesis, assets are identified via architectural modelling to perform risk analysis. Furthermore, models present the differences pertaining to IS assets within in-house infra-structure and cloud infrastructure, in addition to the mapping to corresponding business processes. The STRIDE-based threat modelling is employed to determine the security risks concerning IS assets derived from enterprise architecture.To elaborate, this study will introduce a procedure that will help organisations identify IS asset changes of two different infrastructures and capture security risk changes. Moreover, architectural modelling applied in this research will illustrate the differences regard-ing IS assets and present the way in which business processes are mapped to technology components. Subsequently, a threat modelling method employed will provide a structural way to identify threats to the systems. The changes incorporated concerning the security risks will further present the security risk gap regarding in-house infrastructure and cloud infrastructure. Additionally, the validation of this approach is performed by domain experts. The enterprise architecture modelled in this thesis is based on a case study dealing with a payment gateway system used in North Europe

Automating Security Risk and Requirements Management for Cyber-Physical Systems

Cyber-physische Systeme ermöglichen zahlreiche moderne Anwendungsfälle und Geschäftsmodelle wie vernetzte Fahrzeuge, das intelligente Stromnetz (Smart Grid) oder das industrielle Internet der Dinge. Ihre Schlüsselmerkmale Komplexität, Heterogenität und Langlebigkeit machen den langfristigen Schutz dieser Systeme zu einer anspruchsvollen, aber unverzichtbaren Aufgabe. In der physischen Welt stellen die Gesetze der Physik einen festen Rahmen für Risiken und deren Behandlung dar. Im Cyberspace gibt es dagegen keine vergleichbare Konstante, die der Erosion von Sicherheitsmerkmalen entgegenwirkt. Hierdurch können sich bestehende Sicherheitsrisiken laufend ändern und neue entstehen. Um Schäden durch böswillige Handlungen zu verhindern, ist es notwendig, hohe und unbekannte Risiken frühzeitig zu erkennen und ihnen angemessen zu begegnen. Die Berücksichtigung der zahlreichen dynamischen sicherheitsrelevanten Faktoren erfordert einen neuen Automatisierungsgrad im Management von Sicherheitsrisiken und -anforderungen, der über den aktuellen Stand der Wissenschaft und Technik hinausgeht. Nur so kann langfristig ein angemessenes, umfassendes und konsistentes Sicherheitsniveau erreicht werden. Diese Arbeit adressiert den dringenden Bedarf an einer Automatisierungsmethodik bei der Analyse von Sicherheitsrisiken sowie der Erzeugung und dem Management von Sicherheitsanforderungen für Cyber-physische Systeme. Das dazu vorgestellte Rahmenwerk umfasst drei Komponenten: (1) eine modelbasierte Methodik zur Ermittlung und Bewertung von Sicherheitsrisiken; (2) Methoden zur Vereinheitlichung, Ableitung und Verwaltung von Sicherheitsanforderungen sowie (3) eine Reihe von Werkzeugen und Verfahren zur Erkennung und Reaktion auf sicherheitsrelevante Situationen. Der Schutzbedarf und die angemessene Stringenz werden durch die Sicherheitsrisikobewertung mit Hilfe von Graphen und einer sicherheitsspezifischen Modellierung ermittelt und bewertet. Basierend auf dem Modell und den bewerteten Risiken werden anschließend fundierte Sicherheitsanforderungen zum Schutz des Gesamtsystems und seiner Funktionalität systematisch abgeleitet und in einer einheitlichen, maschinenlesbaren Struktur formuliert. Diese maschinenlesbare Struktur ermöglicht es, Sicherheitsanforderungen automatisiert entlang der Lieferkette zu propagieren. Ebenso ermöglicht sie den effizienten Abgleich der vorhandenen Fähigkeiten mit externen Sicherheitsanforderungen aus Vorschriften, Prozessen und von Geschäftspartnern. Trotz aller getroffenen Maßnahmen verbleibt immer ein gewisses Restrisiko einer Kompromittierung, worauf angemessen reagiert werden muss. Dieses Restrisiko wird durch Werkzeuge und Prozesse adressiert, die sowohl die lokale und als auch die großräumige Erkennung, Klassifizierung und Korrelation von Vorfällen verbessern. Die Integration der Erkenntnisse aus solchen Vorfällen in das Modell führt häufig zu aktualisierten Bewertungen, neuen Anforderungen und verbessert weitere Analysen. Abschließend wird das vorgestellte Rahmenwerk anhand eines aktuellen Anwendungsfalls aus dem Automobilbereich demonstriert.Cyber-Physical Systems enable various modern use cases and business models such as connected vehicles, the Smart (power) Grid, or the Industrial Internet of Things. Their key characteristics, complexity, heterogeneity, and longevity make the long-term protection of these systems a demanding but indispensable task. In the physical world, the laws of physics provide a constant scope for risks and their treatment. In cyberspace, on the other hand, there is no such constant to counteract the erosion of security features. As a result, existing security risks can constantly change and new ones can arise. To prevent damage caused by malicious acts, it is necessary to identify high and unknown risks early and counter them appropriately. Considering the numerous dynamic security-relevant factors requires a new level of automation in the management of security risks and requirements, which goes beyond the current state of the art. Only in this way can an appropriate, comprehensive, and consistent level of security be achieved in the long term. This work addresses the pressing lack of an automation methodology for the security-risk assessment as well as the generation and management of security requirements for Cyber-Physical Systems. The presented framework accordingly comprises three components: (1) a model-based security risk assessment methodology, (2) methods to unify, deduce and manage security requirements, and (3) a set of tools and procedures to detect and respond to security-relevant situations. The need for protection and the appropriate rigor are determined and evaluated by the security risk assessment using graphs and a security-specific modeling. Based on the model and the assessed risks, well-founded security requirements for protecting the overall system and its functionality are systematically derived and formulated in a uniform, machine-readable structure. This machine-readable structure makes it possible to propagate security requirements automatically along the supply chain. Furthermore, they enable the efficient reconciliation of present capabilities with external security requirements from regulations, processes, and business partners. Despite all measures taken, there is always a slight risk of compromise, which requires an appropriate response. This residual risk is addressed by tools and processes that improve the local and large-scale detection, classification, and correlation of incidents. Integrating the findings from such incidents into the model often leads to updated assessments, new requirements, and improves further analyses. Finally, the presented framework is demonstrated by a recent application example from the automotive domain

Automatisierte, minimalinvasive Sicherheitsanalyse und Vorfallreaktion für industrielle Systeme

Automated defense and prevention measures designed to protect industrial automation and control systems often compromise their real-time processing, resilience and redundancy. Therefore, they need to be performed as non-invasively as possible. Nevertheless, particularly minimally invasive security analysis and incident response are still poorly researched. This work presents solutions based on new semantic- and SDN-based approaches to some of the most important problems in these areas

Automatisierte, minimalinvasive Sicherheitsanalyse und Vorfallreaktion für industrielle Systeme

Automated defense and prevention measures designed to protect industrial automation and control systems often compromise their real-time processing, resilience and redundancy. Therefore, they need to be performed as non-invasively as possible. Nevertheless, particularly minimally invasive security analysis and incident response are still poorly researched. This work presents solutions based on new semantic- and SDN-based approaches to some of the most important problems in these areas