A review of cyber security risk assessment methods for SCADA systems

This paper reviews the state of the art in cyber security risk assessment of Supervisory Control and Data Acquisition (SCADA) systems. We select and in-detail examine twenty-four risk assessment methods developed for or applied in the context of a SCADA system. We describe the essence of the methods and then analyse them in terms of aim; application domain; the stages of risk management addressed; key risk management concepts covered; impact measurement; sources of probabilistic data; evaluation and tool support. Based on the analysis, we suggest an intuitive scheme for the categorisation of cyber security risk assessment methods for SCADA systems. We also outline five research challenges facing the domain and point out the approaches that might be taken

Critical Infrastructure Protection Approaches: Analytical Outlook on Capacity Responsiveness to Dynamic Trends

Overview: Critical infrastructures (CIs) – any asset with a functionality that is critical to normal societal functions, safety, security, economic or social wellbeing of people, and disruption or destruction of which would have a very significant negative societal impact. CIs are clearly central to the normal functioning of a nation’s economy and require to be protected from both intentional and unintentional sabotages. It is important to correctly discern and aptly manage security risks within CI domains. The protection (security) of CIs and their networks can provide clear benefits to owner organizations and nations including: enabling the attainment of a properly functioning social environment and economic market, improving service security, enabling integration to external markets, and enabling service recipients (consumers, clients, and users) to benefit from new and emerging technological developments. To effectively secure CI system, firstly, it is crucial to understand three things - what can happen, how likely it is to happen, and the consequences of such happenings. One way to achieve this is through modelling and simulations of CI attributes, functionalities, operations, and behaviours to support security analysis perspectives, and especially considering the dynamics in trends and technological adoptions. Despite the availability of several security-related CI modelling approaches (tools and techniques), trends such as inter-networking, internet and IoT integrations raise new issues. Part of the issues relate to how to effectively (more precisely and realistically) model the complex behavior of interconnected CIs and their protection as system of systems (SoS). This report attempts to address the broad goal around this issue by reviewing a sample of critical infrastructure protection approaches; comprising tools, techniques, and frameworks (methodologies). The analysis covers contexts relating to the types of critical infrastructures, applicable modelling techniques, risk management scope covered, considerations for resilience, interdependency, and policy and regulations factors. Key Findings: This research presents the following key findings: 1. There is not a single specific Critical Infrastructure Protection (CIP) approach – tool, technique, methodology or framework – that exists or emerges as a ‘fit-for-all’; to allow the modelling and simulation of cyber security risks, resilience, dependency, and impact attributes in all critical infrastructure set-ups. 2. Typically, two or more modelling techniques can be (need to be) merged to cover a broader scope and context of modelling and simulation applications (areas) to achieve desirable highlevel protection and security for critical infrastructures. 3. Empirical-based, network-based, agent-based, and system dynamics-based modelling techniques are more widely used, and all offer gains for their use. 4. The deciding factors for choosing modelling techniques often rest on; complexity of use, popularity of approach, types and objectives of user Organisation and sector. 5. The scope of modelling functions and operations also help to strike the balance between ‘specificity’ and ‘generality’ of modelling technique and approach for the gains of in-depth analysis and wider coverage respectively. 6. Interdependency and resilience modelling and simulations in critical infrastructure operations, as well as associated security and safety risks; are crucial characteristics that need to be considered and explored in revising existing or developing new CIP modelling approaches. Recommendations: Key recommendations from this research include: 1. Other critical infrastructure sectors such as emergency services, food & agriculture, and dams; need to draw lessons from the energy and transportation sectors for the successive benefits of: i. Amplifying the drive and efforts towards evaluating and understanding security risks to their infrastructure and operations. ii. Support better understanding of any associated dependencies and cascading impacts. iii. Learning how to establish effective security and resilience. iv. Support the decision-making process linked with measuring the effectiveness of preparedness activities and investments. v. Improve the behavioural security-related responses of CI to disturbances or disruptions. 2. Security-related critical infrastructure modelling approaches should be developed or revised to include wider scopes of security risk management – from identification to effectiveness evaluations, to support: i. Appropriate alignment and responsiveness to the dynamic trends introduced by new technologies such as IoT and IIoT. ii. Dynamic security risk management – especially the assessment section needs to be more dynamic than static, to address the recurrent and impactful risks that emerge in critical infrastructures

Formalizing Threat Models for Virtualized Systems

We propose a framework, called FATHoM (FormAlizing THreat Models), to define threat models for virtualized systems. For each component of a virtualized system, we specify a set of security properties that defines its control responsibility, its vulnerability and protection states. Relations are used to represent how assumptions made about a component’s security state restrict the assumptions that can be made on the other components. FATHoM includes a set of rules to compute the derived security states from the assumptions and the components’ relations. A further set of relations and rules is used to define how to protect the derived vulnerable components. The resulting system is then analysed, among others, for consistency of the threat model. We have developed a tool that implements FATHoM, and have validated it with use-cases adapted from the literature

A Comparison of Security Risk Analysis in the In-house IT Infrastructure and Cloud Infrastructure for the Payment Gateway System

Infrastruktuuri lahendused viiakse pilve tänu paremale juhtimisvõimekusele, seadmete tehnilisele arengule ning pilve lahenduste paindlikkusele ja kuluefektiivsetele võimalustele. Seetõttu muutub ettevõtte arhitektuur, kui süsteemid viiakse uude infrastruktuuri. Selliste muutuste tõttu võivad turvariskid suureneda või väheneda, avalduda uued riskid või suudetakse kõrvaldada mõned olemasolevad riskid. Ainult äriprotsesside modelleerimisele tugineva riskianalüüsi puhul, kus tuvastatakse ettevõtte varade väärtus, puudub IT-infrastruktuuri ja äriprotsesside omavahelise seose esindamine. Seega võib riskianalüüsis teatud infosüsteemi (IS) varasid hoopis eirata. Kahe infrastruktuuri turvariskide analüüsimisel tuleb arvestada ettevõtte arhitektuurilisi erinevusi, sest identifitseerimata IS varad võivad olla haavatavad ja kujutada ohtu käsitletavale organisatsioonile. Käesolevas töös tuvastatakse arhitektuuri modelleerimise kaudu varad, mis on vajalikud riskianalüüsi tegemiseks. Koostatud mudelid näitavad erinevusi, mis on seotud IS varadega organisatsiooni sisemise infrastruktuuri ja pilves vahel. Organisatsiooni arhitektuurist tulenevate IS varadega seotud turvariskide kindlaksmääramisel kasutatakse STRIDE taksonoomia põhist ohu modelleerimist.Selles uurimistöös esitletakse protseduuri, mis aitab organisatsioonidel tuvastada kahe infrastruktuuri IS varade muutusi ja mõista turvariskide erinevusi. Käesolevas uurimistöös kasutatud arhitektuuri modelleerimine illustreerib IS varade erinevusi ja näitab, kuidas äriprotsesse saab kaardistada tehnoloogia komponentidega. Seejärel võimaldab ohu modelleerimine struktuurselt määrata süsteemi ohtusid. Vastavad turvariskid kategoriseeritakse põhinedes uue infrastruktuuri olemasolule. Riskidega seotud muutused toovad esile ettevõtte sisemise infrastruktuuri ja pilve infrastruktuuri vahe. Selline lähenemisviis on kinnitatud ekspertide poolt. Käesolev uurimistöö põhineb juhtumiuuringul, mis käsitleb Põhja-Euroopas kasutatavat maksekanali süsteemi.In-house infrastructures are migrated to the cloud owing to the enhanced technical management capabilities, technical advancement as well as the flexibility and cost-effective options offered by the cloud. Moreover, an enterprise architecture changes when the sys-tems are moved into a different infrastructure. Due to such infrastructural changes, secu-rity risks can increase or decrease, while new risks can be introduced and some risks can be eliminated. Asset identification for risk analysis based only on business process mod-elling lacks the integration and representation of the interrelationship between IT infra-structure and business processes. Hence, certain information system (IS) assets can be neglected in the risk analysis. When analysing the security risk of two infrastructures, enterprise architectural differences need to be captured, since unidentified IS assets could be vulnerable and pose a security risk to the concerned organisation.In this thesis, assets are identified via architectural modelling to perform risk analysis. Furthermore, models present the differences pertaining to IS assets within in-house infra-structure and cloud infrastructure, in addition to the mapping to corresponding business processes. The STRIDE-based threat modelling is employed to determine the security risks concerning IS assets derived from enterprise architecture.To elaborate, this study will introduce a procedure that will help organisations identify IS asset changes of two different infrastructures and capture security risk changes. Moreover, architectural modelling applied in this research will illustrate the differences regard-ing IS assets and present the way in which business processes are mapped to technology components. Subsequently, a threat modelling method employed will provide a structural way to identify threats to the systems. The changes incorporated concerning the security risks will further present the security risk gap regarding in-house infrastructure and cloud infrastructure. Additionally, the validation of this approach is performed by domain experts. The enterprise architecture modelled in this thesis is based on a case study dealing with a payment gateway system used in North Europe

Formalised approach to the management of risk

Taking a pragmatic, systems engineering approach, this thesis identifies a number of fundamental issues that presently arise in risk management, primarily as a result of the overly complex and somewhat outdated approach conventionally taken in process definition and a lack of coherence within the current risk management vocabulary. It is suggested that many recent developments in systems engineering have largely been ignored by the risk management community. The objective of this work is to develop a formalised approach to the management of risk using a model based approach this will enable a fundamental simplification of the risk management process, resulting - amongst other things - in an improved understanding of the associated terminology. An object oriented modelling approach, now widely exploited in systems engineering, has been used to provide an insight into many existing risk management standards considering the approaches they present and terminology used. It has also been used to derive both a set of processes for risk management and a methodology for implementation. Alongside this, a consistent, inter-related terminology as been proposed for use with these processes. The outcome of this work is a formalised but pragmatic approach to risk management including the definition of processes, ontology for risk management and a pragmatic methodology for the application of the processes. This approach has been validated in a number of case studies of varying depth and breadth, covering health & safety, business, project and individual needs, showing that the proposed processes and terminology can be used effectively in different organisations and industries.EThOS - Electronic Theses Online ServiceGBUnited Kingdo

Decision support for choice of security solution: the Aspect-Oriented Risk Driven Development (AORDD)framework

In security assessment and management there is no single correct solution to the identified security problems or challenges. Instead there are only choices and tradeoffs. The main reason for this is that modern information systems and security critical information systems in particular must perform at the contracted or expected security level, make effective use of available resources and meet end-users' expectations. Balancing these needs while also fulfilling development, project and financial perspectives, such as budget and TTM constraints, mean that decision makers have to evaluate alternative security solutions.\ud \ud This work describes parts of an approach that supports decision makers in choosing one or a set of security solutions among alternatives. The approach is called the Aspect-Oriented Risk Driven Development (AORDD) framework, combines Aspect-Oriented Modeling (AOM) and Risk Driven Development (RDD) techniques and consists of the seven components: (1) An iterative AORDD process. (2) Security solution aspect repository. (3) Estimation repository to store experience from estimation of security risks and security solution variables involved in security solution decisions. (4) RDD annotation rules for security risk and security solution variable estimation. (5) The AORDD security solution trade-off analysis and trade-o¤ tool BBN topology. (6) Rule set for how to transfer RDD information from the annotated UML diagrams into the trad-off tool BBN topology. (7) Trust-based information aggregation schema to aggregate disparate information in the trade-o¤ tool BBN topology. This work focuses on components 5 and 7, which are the two core components in the AORDD framework

Vulnerability Identification Errors in Security Risk Assessments

At present, companies rely on information technology systems to achieve their business objectives, making them vulnerable to cybersecurity threats. Information security risk assessments help organisations to identify their risks and vulnerabilities. An accurate identification of risks and vulnerabilities is a challenge, because the input data is uncertain. So-called ’vulnerability identification errors‘ can occur if false positive vulnerabilities are identified, or if vulnerabilities remain unidentified (false negatives). ‘Accurate identification’ in this context means that all vulnerabilities identified do indeed pose a risk of a security breach for the organisation. An experiment performed with German IT security professionals in 2011 confirmed that vulnerability identification errors do occur in practice. In particular, false positive vulnerabilities were identified by participants. In information security (IS) risk assessments, security experts analyze the organisation’s assets in order to identify vulnerabilities. Methods such as brainstorming, checklists, scenario-analysis, impact-analysis, and cause-analysis (ISO, 2009b) are used to identify vulnerabilities. These methods use uncertain input data for vulnerability identification, because the probabilities, effects and losses of vulnerabilities cannot be determined exactly (Fenz and Ekelhart, 2011). Furthermore, business security needs are not considered properly; the security checklists and standards used to identify vulnerabilities do not consider company-specific security requirements (Siponen and Willison, 2009). In addition, the intentional behaviour of an attacker when exploiting vulnerabilities for malicious purposes further increases the uncertainty, because predicting human behaviour is not just about existing vulnerabilities and their consequences (Pieters and Consoli, 2009), rather than preparing for future attacks. As a result, current approaches determine risks and vulnerabilities under a high degree of uncertainty, which can lead to errors. This thesis proposes an approach to resolve vulnerability identification errors using security requirements and business process models. Security requirements represent the business security needs and determine whether any given vulnerability is a security risk for the business. Information assets’ security requirements are evaluated in the context of the business process model, in order to determine whether security functions are implemented and operating correctly. Systems, personnel and physical parts of business processes, as well as IT processes, are considered in the security requirement evaluation, and this approach is validated in three steps. Firstly, the systematic procedure is compared to two best-practice approaches. Secondly, the risk result accuracy is compared to a best-practice risk-assessment approach, as applied to several real-world examples within an insurance company. Thirdly, the capability to determine risk more accurately by using business processes and security requirements is tested in a quasi-experiment, using security professionals. This thesis demonstrates that risk assessment methods can benefit from explicit evaluation of security requirements in the business context during risk identification, in order to resolve vulnerability identification errors and to provide a criterion for security

A Graphical Approach to Security Risk Analysis

"The CORAS language is a graphical modeling language used to support the security analysis process with its customized diagrams. The language has been developed within the research project "SECURIS" (SINTEF ICT/University of Oslo), where it has been applied and evaluated in seven major industrial field trials. Experiences from the field trials show that the CORAS language has contributed to a more actively involvement of the participants, and it has eased the communication within the analysis group. The language has been found easy to understand and suitable for presentation purposes. With time we have become more and more dependent on various kinds of computerized systems. When the complexity of the systems increases, the number of security risks is likely to increase. Security analyses are often considered complicated and time consuming. A well developed security analysis method should support the analysis process by simplifying communication, interaction and understanding between the participants in the analysis. This thesis describes the development of the CORAS language that is particularly suited for security analyses where "structured brainstorming" is part of the process. Important design decisions are based on empirical investigations. The thesis has resulted in the following artifacts: - A modeling guideline that explains how to draw the different kind of diagrams for each step of the analysis. - Rules for translation which enables consistent translation from graphical diagrams to text. - Concept definitions that contributes to a consistent use of security analysis terms. - An evaluation framework to evaluate and compare the quality of security analysis modeling languages.

Towards Optimal IT Availability Planning: Methods and Tools

The availability of an organisation’s IT infrastructure is of vital importance for supporting business activities. IT outages are a cause of competitive liability, chipping away at a company financial performance and reputation. To achieve the maximum possible IT availability within the available budget, organisations need to carry out a set of analysis activities to prioritise efforts and take decisions based on the business needs. This set of analysis activities is called IT availability planning. Most (large) organisations address IT availability planning from one or more of the three main angles: information risk management, business continuity and service level management. Information risk management consists of identifying, analysing, evaluating and mitigating the risks that can affect the information processed by an organisation and the information-processing (IT) systems. Business continuity consists of creating a logistic plan, called business continuity plan, which contains the procedures and all the useful information needed to recover an organisations’ critical processes after major disruption. Service level management mainly consists of organising, documenting and ensuring a certain quality level (e.g. the availability level) for the services offered by IT systems to the business units of an organisation. There exist several standard documents that provide the guidelines to set up the processes of risk, business continuity and service level management. However, to be as generally applicable as possible, these standards do not include implementation details. Consequently, to do IT availability planning each organisation needs to develop the concrete techniques that suit its needs. To be of practical use, these techniques must be accurate enough to deal with the increasing complexity of IT infrastructures, but remain feasible within the budget available to organisations. As we argue in this dissertation, basic approaches currently adopted by organisations are feasible but often lack of accuracy. In this thesis we propose a graph-based framework for modelling the availability dependencies of the components of an IT infrastructure and we develop techniques based on this framework to support availability planning. In more detail we present: 1. the Time Dependency model, which is meant to support IT managers in the selection of a cost-optimal set of countermeasures to mitigate availability-related IT risks; 2. the Qualitative Time Dependency model, which is meant to be used to systematically assess availability-related IT risks in combination with existing risk assessment methods; 3. the Time Dependency and Recovery model, which provides a tool for IT managers to set or validate the recovery time objectives on the components of an IT architecture, which are then used to create the IT-related part of a business continuity plan; 4. A2THOS, to verify if availability SLAs, regulating the provisioning of IT services between business units of the same organisation, can be respected when the implementation of these services is partially outsourced to external companies, and to choose outsourcing offers accordingly. We run case studies with the data of a primary insurance company and a large multinational company to test the proposed techniques. The results indicate that organisations such as insurance or manufacturing companies, which use IT to support their business can benefit from the optimisation of the availability of their IT infrastructure: it is possible to develop techniques that support IT availability planning while guaranteeing feasibility within budget. The framework we propose shows that the structure of the IT architecture can be practically employed with such techniques to increase their accuracy over current practice