Implementing the ADVISE Security Modeling Formalism in Möbius

Abstract-The ADversary VIew Security Evaluation (ADVISE) model formalism provides a system security model from the perspective of an adversary. An ADVISE atomic model consists of an attack execution graph (AEG) composed of attack steps, system state variables, and attack goals, as well as an adversary profile that defines the abilities and interests of a particular adversary. The ADVISE formalism has been implemented as a Möbius atomic model formalism in order to leverage the existing set of mature modeling formalisms and solution techniques offered by Möbius. This tool paper explains the ADVISE implementation in Möbius and provides technical details for Möbius users who want to use ADVISE either alone or in combination with other modeling formalisms provided by Möbius

Quantification of the Impact of Cyber Attack in Critical Infrastructures

In this paper we report on a recent study of the impact of cyber-attacks on the resilience of complex industrial systems. We describe our approach to building a hybrid model consisting of both the system under study and an Adversary, and we demonstrate its use on a complex case study - a reference power transmission network (NORDIC 32), enhanced with a detailed model of the computer and communication system used for monitoring, protection and control. We studied the resilience of the modelled system under different scenarios: i) a base-line scenario in which the modelled system operates in the presence of accidental failures without cyber-attacks; ii) scenarios in which cyber-attacks can occur. We discuss the usefulness of our findings and outline directions for further work

Model-based Evaluation of the Resilience of Critical Infrastructures under Cyber Attacks

In this paper we report recent results on modelling the impact of cy-ber-attacks on the resilience of complex industrial systems. We use a hybrid model of the system under study in which the accidental failures and the mali-cious behaviour of the Adversary are modelled stochastically, while the conse-quences of failures and attacks are modelled in detail using deterministic mod-els. This modelling approach is demonstrated on a complex case study - a refer-ence power transmission network (NORDIC 32), enhanced with a detailed model of the computer and communication network used for monitoring, pro-tection and control compliant with the international standard IEC 61850. We studied the resilience of the modelled system under different scenarios: i) a base-line scenario in which the modelled system operates in the presence of ac-cidental failures without cyber-attacks; ii) several different scenarios of cyber-attacks. We discuss the usefulness of the modelling approach, of the findings, and outline directions for further work

Preliminary Interdependency Analysis: An Approach to Support Critical Infrastructure Risk Assessment

We present a methodology, Preliminary Interdependency Analysis (PIA), for analysing interdependencies between critical infrastructure (CI). Consisting of two phases – qualitative analysis followed by quantitative analysis – an application of PIA progresses from a relatively quick elicitation of CI-interdependencies to the building of representative CI models, and the subsequent estimation of any resilience, risk or criticality measures an assessor might be interested in. By design, stages in the methodology are both flexible and iterative, resulting in interacting CI models that are scalable and may vary significantly in complexity and fidelity, depending on the needs and requirements of an assessor. For model parameterisation, one relies on a combination of field data, sensitivity analysis and expert judgement. Facilitated by dedicated software tool support, we illustrate PIA by applying it to a complex case-study of interacting Power (distribution and transmission) and Telecommunications networks in the Rome area. A number of studies are carried out, including: 1) an investigation of how “strength of dependence” between the CIs’ components affects various measures of risk and uncertainty, 2) for resource allocation, an exploration of different, but related, notions of CI component importance, and 3) highlighting the impact of model fidelity on the estimated risk of cascades