Models for Cyber Security Analysis

Transcription

1 Enterprise Architecture t Models for Cyber Security Analysis Teodor Sommestad Royal Institute of Technology KTH Stockholm, Sweden 1 Consequences of Cyber Security Incidents (?) CIA senior analyst Tom Donahue: We have information that cyberattacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. 2 1

2 Cyber security managment is difficult! Is my control system secure enough? Head of Operations Which parameters decides cyber security? 3 The control system is complex Much advance functionality Interconnected Heterogenous Third-party components Actually, I don t even know everything I have out there 4 2

3 Vulnerabilities are potentially everywhere A system is not securer than its weakest link 5 And security is a complex area A wide-spanning area: Business Organization Requirements Risk analysis, information and functionality criticality classification, staff access rights, business continuity management, IT Organization Requirements Testing tools and competence, configuration management, IT policies, acquisition processes, coding practices IT System requirements Firewalls, IDS, access control, authentication, encryption, execution environment limitations, network configurations, protocol limitations, internal application design, Vulnerabilities/attack vectors denial of service, default passwords, man in the middle, buffer overflow,. And all of this is connected systems to systems to organization to organization to vulnerabilities to vulnerabilities to attacks to attacks 6 3

4 Poor decision support for cyber security Plenty of reference material: NIST SP (and others), NERC CIP, ISO 17799, ISO 27004, ISA-SP99, material from US-CERT, SCADA Procurement Language,, books, articles But, they don t help much with how-to, prioriteies, or causalities.. Should I spend my security budget on a training program or new firewalls? 7 The life for our decsisionmaker in summary Poor understanding of the system architecture configuration and its environment Poor understanding of how to achieve security Limited resources, time and money 8 4

5 A promising approach: Enterprise Architecture Take a holistic and business oriented approach to IT-managment Use graphical models Business (processes and organizational structure) Information Application Infrastructure technology 9 Models for Control Systems!? CEO T&D Maintenance Operation Maintenance Distribution operation Network Planning Planning 10 5

6 Theory for Control System models!? CEO T&D Maintenance Operation Maintenance Distribution operation Network Planning Planning? Distance between Paris and Dakar = F(x) Cyber Security Level = F(x) 11 Control System Architecture Attacks The VIKING project Vital Infrastructure, Networks, Information and Control Systems Management A cyber physical project analyzing how cyber attacks ends in consequnces in society by connecting control system architecture models and power system models Probability for control orders Power System Simulator Probability for power delivery Societal Impact $ 12 6

7 Partners ABB Developer of SCADA systems E.ON Power transmission and distribution, SCADA system user Astron SCADA system integration KTH -Stockholm Software system architecture, networked control systems, communication networks ETH -Zurich Power system modeling, cyber-physical modeling, game theory UC Berkeley Computer security, systems modeling University of Maryland Hybrid networks, network security 13 Our approach to cyber attack analysis is based on defense graphs Countermeasures + => Attacks Defense graphs Gives: The probability that an attack is successful An index on how secure the system is 14 7

8 Example defense graph 15 Using Bayesian statistics for quantifying the defense graphs Existence of default passwords T F Passwords used in multiple systems T F T F Personnel susceptible to social engineering T F T F T F T F Success Failure

9 Coping with uncertainty Bayesian statistics capture uncertainty in: Theoretical structure Values of parameters 17 Adding architecture model elements 18 9

10 Architecture (meta-)models with an integrated analysis framework 19 Architectural decision-support nce Extected consequen Scenario 3 Scenario 2 Scenario

11 Thank you! Questions? 21 11