Uploaded by

Manju Nath
Automated Knowledge-Based Cybersecurity Risk Assessment of Cyber-Physical Systems


ABSTRACT

This paper describes a simulation-based approach for automated risk assessment of
complex cyber-physical systems to support implementers of ISO 27005. The
approach is based on systematic cause-and-effect modelling of threats, their causes
and effects, and the ways in which the effects of one threat can lead to other threats.
In this way, the approach deals with inter-dependencies within the target system,
automatically finding attack paths and secondary effect cascades, which generally are
very complex and the source of many challenges when implementing ISO 27005.
The approach uses a knowledgebase describing classes of system assets and their
possible relationships, along with the associated threats, causes and effects in a
generic context. A target system can then be modelled in terms of related assets,
describing the intended system structure and purpose (in the absence of any
deviations). The knowledgebase is then used to identify which threats are relevant
and create a cause-and-effect simulation of those threats. This allows threat
likelihoods and risk levels to be found based on input concerning trust assumptions
and the presence of controls in the system. The approach has been implemented by
the open source Spyderisk project and validated by modelling a published case study
of an attack on a steel mill. Given reasonable assumptions about security controls in
place, the shortest, highest likelihood attack path found coincides with the published
analysis. The case study demonstrates the strengths of the approach: transparency,
reproducibility, and performance.

EXISTING SYSTEM
General approaches such as ISO 27005, NIST SP 800-30 [7], and OCTAVE [8] have
very strong theoretical power, but their implementation often leaves the risk analyst
to manually consider the possible threats, consequences and risks, which imposes too
much effort on the analyst. Mnemonics such as CIA and methodologies such as
STRIDE [9] and LINDDUN [10] help the analyst consider a variety of information
security or privacy threats, but alone they cannot assess risk. Other quantitative
approaches like FAIR [11] and CORAS [12] require extensive knowledge and effort
to identify all the inputs to the system, while FRAAP [13] is more qualitative and
prioritises a fast result, making it suitable only for relatively small projects.

Any risk assessment method requires the definition of the meaning of terms and
some use ontologies for this. Several information security risk assessment domain
ontologies [16], [17], [18], [19] have been created and are useful to provide a
common language for such risk assessment processes. A comparative study of ISO
27000 series ontologies is presented in [20].

While other ontologies often take a theoretical approach to formalise terms used in
the field, we have defined a minimum set of generic risk assessment concepts for
practically supporting automation. Furthermore, the Spyderisk knowledgebase which
describes specific asset types, relations, threats and controls for information security
is also described using an ontology, including a type hierarchy, and describing many
generic threat types and controls. The D3FEND ontology [21] similarly takes a
practical approach in using an ontology to model known defensive techniques. The
main feature of the Spyderisk ontology is that it is designed to support a cause-and-effect approach to risk modelling.

Many risk assessment methods (and their software implementations) focus on
individual assets, and do not consider their context or interconnection in a system and
its components, where vulnerabilities in one asset may propagate to others. ISO
27005 states ‘‘dependencies between assets should be documented and risk
propagation assessed’’ and suggests using asset dependency graphs as a tool.
However, the detail of determining the threats and their likelihood is left to the risk
analyst. Spyderisk analyses the interdependencies of assets and automatically takes
account of how the consequence of one threat can increase the likelihood of another.
Several other works address the threat propagation issue [22], [23], but they focus on
the propagation without including some other features included in Spyderisk such as
the automated identification of threats through a knowledgebase.

The ThreMA approach [31] (extended in [32]) has some similarity to Spyderisk in
that it includes a formal vocabulary for modelling ICT infrastructure along with a
threat catalogue and a reasoning process, but uses the Protégé ontology tool rather
than a specialised client interface and scalable multi-user service. APSIA [33]
considers both cyber and privacy risks but has only six inter-asset relation types,
limiting the scope and specificity of the threat analysis. AMBIENT [34] incorporates
data from many sources and combines a cyber-security risk assessment (using
CORAS models) with a separate privacy risk assessment (using the same limited
inter-asset dependency model as APSIA).

Disadvantages
• A Threat is not presented in a System Model if a defined pattern of Assets and Relations is found. Each Threat has a cause and effect.
• A Primary Threat is not a deliberate or accidental event made more likely by low Trustworthiness Attribute levels on the Assets it relates to.
Proposed System
In this paper we describe a modelling approach for automated risk assessment of
complex cyber-physical systems as implemented by the open source Spyderisk
project [2]. We describe a practical application in information security demonstrating
how the approach supports system designers and operators in risk assessment
processes defined in ISO 27005 [3] and Information Security Management System
defined in ISO 27001 [4]. The approach aims to foster trust and security in complex
systems by supporting both security by-design and risk assessment during operations
in ways that explain how harm can arise before it happens.

We present a new ontology for describing models of cyber-physical systems to be
analysed along with the related threats, consequences, and controls. The ontology is
designed to support systematic cause-effect simulation using semantic reasoning that
can find the threats to the system, their consequences and associated risk levels. The
key advantages of the approach are that the risk assessment is consistent and
complete (within the limits of the model); that cause and effect is followed through
the system so that chains of attack steps and secondary effects are automatically
considered; and that the risk levels are automatically calculated based on a process
requiring minimal input.

The scope of any risk assessment is limited by what is known by those undertaking
the analysis. This can be knowledge provided by experts or knowledge encoded into
taxonomies or more complex data structures such as ontologies. Our knowledgebase
has been developed over more than 10 years of case studies and published evidence. This
includes threats to information systems of natural or human origin, and which could
be accidental or deliberate, along with mechanisms for inferring complex features
(such as network paths and data flows in the case of information systems). In the
paper, we also describe a software implementation of our approach known as
Spyderisk. With a minimal amount of input from the user, Spyderisk can compute
the threats to a system, ordered by risk level, where the risk level combines the
business impact of a consequence as well as the computed likelihood.
Advantages
1) The System Model is augmented using Construction Patterns to infer additional Assets and Relations that enable the following step, threat discovery.
2) Threats are discovered via comparison of the System Model's topology with the specifications for each Threat.
3) Threat likelihood is determined, and from this, the likelihood of the Consequences resulting from them is determined.
4) Risk levels are set via the combination of the impact level (set by the risk analyst) and the Consequence likelihood level calculated previously.
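The four steps above, and the cause-and-effect simulation described in the abstract, can be shown end to end on a toy model. The following Python is an added example written for this page; it is not code from the Spyderisk project. The asset types, the type hierarchy, the three threat specifications, the five-level scales, the control-to-attribute mapping and the risk matrix are all constructed assumptions, and the "steel mill" model is a constructed office-to-OT topology, not the published case study. Construction patterns infer `canReach` relations from the network topology, threats are found by matching each specification's asset and relation pattern, likelihoods are propagated to a fixpoint (a secondary threat is only as likely as the consequence that enables it), and risk combines the analyst's impact level with the computed consequence likelihood.

```python
# Added illustration of the four steps above; not Spyderisk code. Asset types,
# threat specs, scales, control mapping and the risk matrix are constructed here.
from dataclasses import dataclass, field
from itertools import product

LEVELS = ["very_low", "low", "medium", "high", "very_high"]   # indices 0..4
VERY_HIGH = 4
SUBTYPES = {"Host": {"Workstation", "Gateway", "PLC"}}        # toy type hierarchy
CONTROL_ATTRIBUTE = {"Patching": "PatchLevel", "SecurityTraining": "UserAwareness"}

def is_a(asset_type, t):
    return asset_type == t or asset_type in SUBTYPES.get(t, set())

def invert(level):
    """Likelihood of misbehaviour is the inverse of the trustworthiness level."""
    return VERY_HIGH - level

@dataclass
class SystemModel:
    assets: dict                                 # asset name -> asset type
    relations: set = field(default_factory=set)  # (subject, predicate, object)
    trust: dict = field(default_factory=dict)    # (asset, attribute) -> trust 0..4
    controls: set = field(default_factory=set)   # (asset, control name)

def trust_level(model, asset, attribute):
    """A control present on an asset raises the attribute it protects to very high."""
    if any(a == asset and CONTROL_ATTRIBUTE.get(c) == attribute for a, c in model.controls):
        return VERY_HIGH
    return model.trust.get((asset, attribute), 2)   # unstated assumption: medium trust

@dataclass(frozen=True)
class ThreatSpec:
    name: str
    roles: tuple       # ((variable, asset type), ...)
    pattern: tuple     # ((variable, predicate, variable), ...) relations that must exist
    attributes: tuple  # ((variable, trustworthiness attribute), ...) low trust enables it
    causes: tuple      # ((variable, effect), ...) consequences that enable it (secondary)
    effect: tuple      # (variable, effect) consequence this threat produces

THREATS = (
    ThreatSpec("MalwareByEmail", (("w", "Workstation"),), (), (("w", "UserAwareness"),),
               (), ("w", "compromised")),
    ThreatSpec("LateralMovement", (("x", "Host"), ("y", "Host")), (("x", "canReach", "y"),),
               (("y", "PatchLevel"),), (("x", "compromised"),), ("y", "compromised")),
    ThreatSpec("UnsafeCommands", (("p", "PLC"), ("q", "PhysicalProcess")),
               (("p", "controls", "q"),), (), (("p", "compromised"),), ("q", "damaged")),
)

def apply_construction_patterns(model):
    """Step 1: infer canReach(host, host) as the closure of shared-network links
    (simplification: the inference ignores any filtering a gateway might do)."""
    hosts_on = {}
    for s, p, o in model.relations:
        if p == "connectsTo":
            hosts_on.setdefault(o, set()).add(s)
    reach = {(a, b) for hs in hosts_on.values() for a, b in product(hs, hs) if a != b}
    changed = True
    while changed:
        changed = False
        for (a, b), (c, d) in product(list(reach), list(reach)):
            if b == c and a != d and (a, d) not in reach:
                reach.add((a, d)); changed = True
    model.relations |= {(a, "canReach", b) for a, b in reach}

def discover_threats(model):
    """Step 2: match each threat's asset/relation pattern against the topology."""
    found = []
    for spec in THREATS:
        names = [v for v, _ in spec.roles]
        cands = [[a for a, t in model.assets.items() if is_a(t, want)] for _, want in spec.roles]
        for binding in product(*cands):
            b = dict(zip(names, binding))
            if len(set(binding)) == len(binding) and all(
                    (b[s], p, b[o]) in model.relations for s, p, o in spec.pattern):
                found.append((spec, b))
    return found

def compute_likelihoods(model, found):
    """Step 3: threat likelihood = min(inverse trust, likelihood of enabling causes);
    consequence likelihood = max over threats producing it; iterate to a fixpoint."""
    cons, threat_lik, changed = {}, {}, True
    while changed:
        changed = False
        for spec, b in found:
            lik = min([invert(trust_level(model, b[v], at)) for v, at in spec.attributes]
                      + [cons.get((b[v], e), 0) for v, e in spec.causes], default=VERY_HIGH)
            key = (spec.name, tuple(sorted(b.items())))
            if threat_lik.get(key) != lik:
                threat_lik[key] = lik; changed = True
            target = (b[spec.effect[0]], spec.effect[1])
            if lik > cons.get(target, 0):
                cons[target] = lik; changed = True
    return threat_lik, cons

def risk_level(impact, likelihood):
    """Step 4: constructed risk matrix combining analyst impact with likelihood."""
    return LEVELS[(impact + likelihood + 1) // 2]

def assess(model, impacts):
    apply_construction_patterns(model)
    threat_lik, cons = compute_likelihoods(model, discover_threats(model))
    return threat_lik, cons, {c: risk_level(i, cons.get(c, 0)) for c, i in impacts.items()}

def steel_mill_model(controls=()):
    """Constructed office-to-OT topology; not the published steel mill case study."""
    return SystemModel(
        assets={"office_pc": "Workstation", "corp_net": "Network", "gateway": "Gateway",
                "ot_net": "Network", "plc": "PLC", "furnace": "PhysicalProcess"},
        relations={("office_pc", "connectsTo", "corp_net"), ("gateway", "connectsTo", "corp_net"),
                   ("gateway", "connectsTo", "ot_net"), ("plc", "connectsTo", "ot_net"),
                   ("plc", "controls", "furnace")},
        trust={("office_pc", "UserAwareness"): 1, ("gateway", "PatchLevel"): 1,
               ("plc", "PatchLevel"): 0},
        controls=set(controls))

if __name__ == "__main__":
    for ctrls in ((), {("plc", "Patching")}):   # without, then with, PLC patching
        tl, cons, risks = assess(steel_mill_model(ctrls), {("furnace", "damaged"): 4})
        print(sorted(ctrls), "furnace risk:", risks[("furnace", "damaged")])
        for (name, bind), lik in sorted(tl.items(), key=lambda kv: -kv[1]):
            print(f"  {LEVELS[lik]:>9}  {name} {dict(bind)}")
```

Running the script lists the discovered threats ordered by likelihood, first with no controls (the furnace consequence is reached through the inferred office_pc to plc path and rated very_high risk) and then with a Patching control on the PLC, which drops the lateral-movement step into the PLC to very_low and with it the furnace risk, while the gateway remains compromisable because its own patch level is still low. The fixpoint loop terminates because consequence likelihoods only ever increase on a bounded scale.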

SYSTEM REQUIREMENTS

H/W System Configuration:
➢ Processor - Pentium IV
➢ RAM - 4 GB (min)
➢ Hard Disk - 20 GB
➢ Keyboard - Standard Windows Keyboard
➢ Mouse - Two or Three Button Mouse
➢ Monitor - SVGA

Software Requirements:
➢ Operating System - Windows XP
➢ Coding Language - Java/J2EE (JSP, Servlet)
➢ Front End - J2EE
➢ Back End - MySQL
