Using Assurance Cases and Boolean Logic Driven Markov Processes to Formalise Cyber Security Concerns for Safety-Critical Interaction with Global Navigation Satellite Systems

Satellite-based location and timing systems support a wide range of mass market applications, typically using the GPS infrastructure. Until recently, these applications could not be used within safety-critical interfaces. Limits to the accuracy, availability, integrity and continuity of the space-based signals prevented regulatory agencies from certifying their use. Over the last three months, however, the latest generation of augmented Global Navigation Satellite Systems (GNSS) have been approved for use in safety-related applications. They use a range of techniques to overcome the limitations of previous infrastructures. This means that they can be used as primary navigation tools in a wide range of interactive systems, including aircraft cockpits, railway signalling tools etc. Unfortunately, a range of organisations including the UK Ministry of Defence, have raised concerns about our increasing vulnerability to attacks on these satellite based architectures. These threats are compounded by the difficulty of representing and reasoning about the impact of jamming, spoofing and insider threats for the end-users of safety-critical systems. A sudden loss of navigational support can undermine users confidence in complex applications and pose a significant threat to distributed situation awareness. We show how formal reasoning techniques can be used to identify the safety and security concerns that jeopardise interaction with future generations of Global Navigation Satellite Systems applications

Combined Safety and Security Risk Evaluation Considering Safety and Security-Type Initiating Events

Destruction to critical nuclear infrastructures would have a debilitating effect on national public health safety, national economy, security, etc. For this reason, analysts perform safety risk analyses to quantify and understand the nature of unwanted events. Since the world has gone through many changes after the terrorist attacks of 9/11, nuclear security risk analysis became a necessity. So far, the safety and security risk analyses were done separately without a combined analyses and evaluation. This research thesis contains three major analysis sections that provides security, safety, and combined safety-security risk analysis that studied and analyzed possible accident scenarios. This research starts with the security pathway analysis, which eventually calculated the initiating event frequency of a successful adversary attack and estimated the security risk value. The safety analysis represented a series of natural (random) safety systems failure events. On the other hand, the safety-security analysis considered a security initiating event followed by safety systems failure. Fault and event trees were formed using the SAPHIRE software and used for the description of failure scenarios. The main outcome of this research is a methodology development to perform combined safety-security initiating event analysis to compute the joint top event system failure frequency. Along with the calculation of the systems’ failure frequency, estimation of the public risk associated for sample failure scenarios, and the determination of how security initiating events in a series of safety events failure affect the total risk value was also carried out. Considering a security attack as an initiating event that triggers safety system failure was analyzed for developing the methodology to perform a combined safety-security risk analysis estimation. The analysis showed that the security attack substantially changed the risk value when it was considered in the failure process. This created a major need to consider both the security and safety failures together in the future systems for failure scenarios. More evaluations should be done to the security system measures to reduce the total associated risk value. Future efforts should look for further enhancements and development in the analysis of the deployed safety and security systems

An integrated risk analysis framework for safety and cybersecurity of industrial SCADA system

The industrial control system (ICS) refers to a collection of various types of control systems commonly found in industrial sectors and critical infrastructures such as energy, oil and gas, transportation, and manufacturing. The supervisory control and data acquisition (SCADA) system is a type of ICS that controls and monitors operations and industrial processes scattered across a large geographic area. SCADA systems are relying on information and communication technology to improve the efficiency of operations. This integration means that SCADA systems are targeted by the same threats and vulnerabilities that affect ICT assets. This means that the cybersecurity problem in SCADA system is exacerbated by the IT heritage issue. If the control system is compromised due to this connection, serious consequences may follow. This leads to the necessity to have an integrated framework that covers both safety and security risk analysis in this context. This thesis proposes an integrated risk analysis framework that comprise of four stages, and that build on the advances of risk science and industry standards, to improve understanding of SCADA system complexity, and manage risks considering process safety and cybersecurity in a holistic approach. The suggested framework is committed to improving safety and security risk analysis by examining the expected consequences through integrated risk identifications and identifying adequate safeguards and countermeasures to defend cyber-attack scenarios. A simplified SCADA system and an undesirable scenario of overpressure in the pipeline are presented in which the relevant stages of the framework are applied

An Insider Misuse Threat Detection and Prediction Language

Numerous studies indicate that amongst the various types of security threats, the problem of insider misuse of IT systems can have serious consequences for the health of computing infrastructures. Although incidents of external origin are also dangerous, the insider IT misuse problem is difficult to address for a number of reasons. A fundamental reason that makes the problem mitigation difficult relates to the level of trust legitimate users possess inside the organization. The trust factor makes it difficult to detect threats originating from the actions and credentials of individual users. An equally important difficulty in the process of mitigating insider IT threats is based on the variability of the problem. The nature of Insider IT misuse varies amongst organizations. Hence, the problem of expressing what constitutes a threat, as well as the process of detecting and predicting it are non trivial tasks that add up to the multi- factorial nature of insider IT misuse. This thesis is concerned with the process of systematizing the specification of insider threats, focusing on their system-level detection and prediction. The design of suitable user audit mechanisms and semantics form a Domain Specific Language to detect and predict insider misuse incidents. As a result, the thesis proposes in detail ways to construct standardized descriptions (signatures) of insider threat incidents, as means of aiding researchers and IT system experts mitigate the problem of insider IT misuse. The produced audit engine (LUARM – Logging User Actions in Relational Mode) and the Insider Threat Prediction and Specification Language (ITPSL) are two utilities that can be added to the IT insider misuse mitigation arsenal. LUARM is a novel audit engine designed specifically to address the needs of monitoring insider actions. These needs cannot be met by traditional open source audit utilities. ITPSL is an XML based markup that can standardize the description of incidents and threats and thus make use of the LUARM audit data. Its novelty lies on the fact that it can be used to detect as well as predict instances of threats, a task that has not been achieved to this date by a domain specific language to address threats. The research project evaluated the produced language using a cyber-misuse experiment approach derived from real world misuse incident data. The results of the experiment showed that the ITPSL and its associated audit engine LUARM provide a good foundation for insider threat specification and prediction. Some language deficiencies relate to the fact that the insider threat specification process requires a good knowledge of the software applications used in a computer system. As the language is easily expandable, future developments to improve the language towards this direction are suggested

Transportation, Terrorism and Crime: Deterrence, Disruption and Resilience

Abstract: Terrorists likely have adopted vehicle ramming as a tactic because it can be carried out by an individual (or “lone wolf terrorist”), and because the skills required are minimal (e.g. the ability to drive a car and determine locations for creating maximum carnage). Studies of terrorist activities against transportation assets have been conducted to help law enforcement agencies prepare their communities, create mitigation measures, conduct effective surveillance and respond quickly to attacks. This study reviews current research on terrorist tactics against transportation assets, with an emphasis on vehicle ramming attacks. It evaluates some of the current attack strategies, and the possible mitigation or response tactics that may be effective in deterring attacks or saving lives in the event of an attack. It includes case studies that can be used as educational tools for understanding terrorist methodologies, as well as ordinary emergencies that might become a terrorist’s blueprint

Conceptual Model and Architecture of MAFTIA

This deliverable builds on the work reported in [MAFTIA 2000] and [Powell and Stroud 2001]. It contains a further refinement of the MAFTIA conceptual model and a revised discussion of the MAFTIA architecture. It also introduces the work done in MAFTIA on verification and assessment of security properties, which is reported on in more detail in [Adelsbach and Creese 2003

MAFTIA Conceptual Model and Architecture

This document builds on the work reported in MAFTIA deliverable D1. It contains a refinement of the MAFTIA conceptual model and a discussion of the MAFTIA architecture. It also introduces the work done in WP6 on verification and assessment of security properties, which is reported on in more detail in MAFTIA deliverable D

Evaluating Information Assurance Control Effectiveness on an Air Force Supervisory Control and Data Acquisition (SCADA) System

Supervisory Control and Data Acquisition (SCADA) systems are increasingly being connected to corporate networks which has dramatically expanded their attack surface to remote cyber attack. Adversaries are targeting these systems with increasing frequency and sophistication. This thesis seeks to answer the research question addressing which Information Assurance (IA) controls are most significant for network defenders and SCADA system managers/operators to focus on in order to increase the security of critical infrastructure systems against a Stuxnet-like cyber attack. This research applies the National Institute of Science and Technology (NIST) IA controls to an attack tree modeled on a remote Stuxnet-like cyber attack against the WPAFB fuels operation. The probability of adversary success of specific attack scenarios is developed via the attack tree. Then an impact assessment is obtained via a survey of WPAFB fuels operation subject matter experts (SMEs). The probabilities of adversary success and impact analysis are used to create a Risk Level matrix, which is analyzed to identify recommended IA controls. The culmination of this research identified 14 IA controls associated with mitigating an adversary from gaining remote access and deploying an exploit as the most influential for SCADA managers, operators and network defenders to focus on in order to maximize system security against a Stuxnet-like remote cyber attack