Automated Knowledge-Based Cybersecurity Risk Assessment of Cyber-Physical Systems
EXISTING SYSTEM
General approaches such as ISO 27005, NIST SP 800-30 [7], and OCTAVE [8] have
a very strong theoretical power, but their implementation often leaves the risk analyst
to manually consider the possible threats, consequences and risks, which imposes too
much effort on the analyst. Mnemonics such as CIA and methodologies such as
STRIDE [9] and LINDDUN [10] help the analyst consider a variety of information
security or privacy threats, but alone they cannot assess risk. Other quantitative
approaches like FAIR [11] and CORAS [12] require extensive knowledge and effort
to identify all the inputs to the system, while FRAAP [13] is more qualitative and
prioritises a fast result, becoming suitable only for relatively small projects.
Any risk assessment method requires the definition of the meaning of terms and
some use ontologies for this. Several information security risk assessment domain
ontologies [16], [17], [18], [19] have been created and are useful to provide a
common language for such risk assessment processes. A comparative study of ISO
27000 series ontologies is presented in [20].
While other ontologies often take a theoretical approach to formalise terms used in
the field, we have defined a minimum set of generic risk assessment concepts for
practically supporting automation. Furthermore, the Spyderisk knowledgebase, which
describes specific asset types, relations, threats and controls for information security,
is itself described using an ontology that includes a type hierarchy and many
generic threat types and controls. The D3FEND ontology [21] similarly takes a
practical approach in using an ontology to model known defensive techniques. The
main feature of the Spyderisk ontology is that it is designed to support a cause-and-
effect approach to risk modelling.
The ThreMA approach [31] (extended in [32]) has some similarity to Spyderisk in
that it includes a formal vocabulary for modelling ICT infrastructure along with a
threat catalogue and a reasoning process, but uses the Protégé ontology tool rather
than a specialised client interface and scalable multi-user service. APSIA [33]
considers both cyber and privacy risks but has only six inter-asset relation types,
limiting the scope and specificity of the threat analysis. AMBIENT [34] incorporates
data from many sources and combines a cyber-security risk assessment (using
CORAS models) with a separate privacy risk assessment (using the same limited
inter-asset dependency model as APSIA).
Disadvantages
• A Threat is not presented in a System Model if a defined pattern of Assets and
Relations is found. Each Threat has a cause and effect.
• A Primary Threat is not a deliberate or accidental event made more likely by low
Trustworthiness Attribute levels on the Assets it relates to.
Proposed System
In this paper we describe a modelling approach for automated risk assessment of
complex cyber-physical systems as implemented by the open source Spyderisk
project [2]. We describe a practical application in information security demonstrating
how the approach supports system designers and operators in risk assessment
processes defined in ISO 27005 [3] and Information Security Management System
defined in ISO 27001 [4]. The approach aims to foster trust and security in complex
systems by supporting both security-by-design and risk assessment during operations,
in ways that explain how harm can arise before it happens.
The scope of any risk assessment is limited by what is known by those undertaking
the analysis. This can be knowledge provided by experts or knowledge encoded into
taxonomies or more complex data structures such as ontologies. Our knowledgebase
has been developed over more than 10 years from case studies and published evidence. This
includes threats to information systems of natural or human origin, and which could
be accidental or deliberate, along with mechanisms for inferring complex features
(such as network paths and data flows in the case of information systems). In the
paper, we also describe a software implementation of our approach known as
Spyderisk. With a minimal amount of input from the user, Spyderisk can compute
the threats to a system, ordered by risk level, where the risk level combines the
business impact of a consequence as well as the computed likelihood.
Advantages
1) The System Model is augmented using Construction Patterns to infer additional
Assets and Relations that enable the following step, threat discovery.
2) Threats are discovered via comparison of the System Model’s topology with the
specifications for each Threat.
3) Threat likelihood is determined, and from this, the likelihood of the Consequences
resulting from the Threats is determined.
4) Risk levels are set via the combination of the impact level (set by the risk analyst)
and the Consequence likelihood level calculated previously.
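The four steps above can be followed end to end on a small system model. The following Python is an added illustration, not Spyderisk code: the five-level scale, the attribute name "Patched", the relation types (connectedTo, hosts, uses, canReach), the two threat patterns (RemoteExploit as a primary threat driven by a trustworthiness attribute, DataTheft as a secondary threat caused by loss of control of a host) and the risk matrix in combine() are all constructed assumptions chosen to show the mechanics, and the two-subnet sample model is constructed as well.

```python
from collections import deque
from dataclasses import dataclass, field

# Assumed five-point scale shared by trustworthiness, likelihood, impact and risk.
LEVELS = ["VeryLow", "Low", "Medium", "High", "VeryHigh"]


def invert(level):
    """High trustworthiness means low likelihood of the threat it guards against."""
    return LEVELS[len(LEVELS) - 1 - LEVELS.index(level)]


def combine(impact, likelihood):
    """Assumed risk matrix: mean of the two level indices, rounded up."""
    i, k = LEVELS.index(impact), LEVELS.index(likelihood)
    return LEVELS[(i + k + 1) // 2]


@dataclass
class Asset:
    name: str
    atype: str                               # "Host", "Subnet", "Router", "Service", "Data"
    tw: dict = field(default_factory=dict)   # trustworthiness attribute levels (assumed names)


class SystemModel:
    def __init__(self):
        self.assets = {}
        self.relations = set()               # (from_asset, relation_type, to_asset)

    def add(self, asset):
        self.assets[asset.name] = asset

    def link(self, a, rel, b):
        self.relations.add((a, rel, b))

    def pairs(self, rel):
        return sorted((a, b) for (a, r, b) in self.relations if r == rel)

    def infer_reachability(self):
        """Step 1, construction pattern: hosts joined through subnets and routers
        can reach one another; record that as an inferred 'canReach' relation."""
        adj = {}
        for a, b in self.pairs("connectedTo"):
            adj.setdefault(a, set()).add(b)
            adj.setdefault(b, set()).add(a)
        hosts = [n for n, x in self.assets.items() if x.atype == "Host"]
        for src in hosts:
            seen, todo = {src}, deque([src])
            while todo:
                for nxt in adj.get(todo.popleft(), ()):
                    if nxt not in seen:
                        seen.add(nxt)
                        todo.append(nxt)
            for dst in hosts:
                if dst != src and dst in seen:
                    self.link(src, "canReach", dst)

    def discover_threats(self):
        """Steps 2 and 3: match threat patterns against the topology and compute
        likelihoods. Returns (threats, consequence_likelihood)."""
        threats, conseq = [], {}

        def note(consequence, likelihood):   # a consequence takes its most likely cause
            cur = conseq.get(consequence)
            if cur is None or LEVELS.index(likelihood) > LEVELS.index(cur):
                conseq[consequence] = likelihood

        # Primary threat (assumed pattern): a host reachable from another host may be
        # remotely exploited; a low 'Patched' trustworthiness level makes it more likely.
        for src, dst in self.pairs("canReach"):
            lk = invert(self.assets[dst].tw.get("Patched", "VeryLow"))
            threats.append(("RemoteExploit", f"{src}->{dst}", lk))
            note(("LossOfControl", dst), lk)

        # Secondary threat (assumed pattern): a host whose control is lost exposes the data
        # its services use; it inherits the likelihood of the consequence that causes it.
        for host, svc in self.pairs("hosts"):
            cause = conseq.get(("LossOfControl", host))
            if cause is None:
                continue
            for s, data in self.pairs("uses"):
                if s == svc:
                    threats.append(("DataTheft", f"{host}/{svc}->{data}", cause))
                    note(("LossOfConfidentiality", data), cause)
        return threats, conseq


def rank_risks(model, impacts):
    """Step 4: risk = analyst-set impact level combined with the computed
    consequence likelihood, highest risk first."""
    model.infer_reachability()
    _, conseq = model.discover_threats()
    rows = [(c, lk, combine(impacts[c], lk)) for c, lk in conseq.items() if c in impacts]
    return sorted(rows, key=lambda r: (LEVELS.index(r[2]), LEVELS.index(r[1])), reverse=True)


def build_sample_model():
    """Constructed example: a poorly patched DMZ web host and a well patched
    database host holding customer records, joined by a router."""
    m = SystemModel()
    for a in [Asset("dmz_web", "Host", {"Patched": "Low"}), Asset("db_host", "Host", {"Patched": "High"}),
              Asset("dmz", "Subnet"), Asset("internal", "Subnet"), Asset("router", "Router"),
              Asset("WebApp", "Service"), Asset("DB", "Service"), Asset("CustomerRecords", "Data")]:
        m.add(a)
    for a, rel, b in [("dmz_web", "connectedTo", "dmz"), ("db_host", "connectedTo", "internal"),
                      ("router", "connectedTo", "dmz"), ("router", "connectedTo", "internal"),
                      ("dmz_web", "hosts", "WebApp"), ("db_host", "hosts", "DB"),
                      ("DB", "uses", "CustomerRecords")]:
        m.link(a, rel, b)
    impacts = {("LossOfConfidentiality", "CustomerRecords"): "VeryHigh",
               ("LossOfControl", "db_host"): "High",
               ("LossOfControl", "dmz_web"): "Medium"}
    return m, impacts


if __name__ == "__main__":
    model, impacts = build_sample_model()
    for consequence, likelihood, risk in rank_risks(model, impacts):
        print(f"{risk:9} risk  likelihood={likelihood:9} consequence={consequence}")
```

The ranking shows why step 1 matters: the customer records never appear in the analyst's input as reachable from the DMZ, yet the inferred canReach relation lets the primary RemoteExploit threat on db_host feed the secondary DataTheft threat, and the analyst's VeryHigh impact on those records lifts a Low-likelihood consequence to a High risk. Raising the Patched level of db_host (a control) lowers the primary likelihood and, through the cause-and-effect chain, the risk on the records.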
SYSTEM REQUIREMENTS
Software Requirements:
Operating System - Windows XP
Coding Language - Java/J2EE (JSP, Servlet)
Front End - J2EE
Back End - MySQL