Risk Management - INCOSE UK Chapter

Managing Cyber Security Risks in
Industrial Control Systems with Game
Theory and Viable System Modelling
Konstantinos
Theodoros
Spyridopoulos
Maraslis
Theo
Tryfonas
© 2014 INCOSE UK Ltd.
George
Oikonomou
Shancang
Li
What is it about?
• Importance
Industrial Control Systems (ICSs) can be considered as Critical
Infrastructure (CI) and play a major role in Industry as they are used to
control fundamental industrial processes such as power production,
power distribution, transportation etc. Due to their national
significance their protection is of vital importance.
• Scope
The creation of a method that provides cost-efficient Risk Management
for an ICS.
• Novelty
The method takes into account the proprietary and interconnected
nature of an ICS while combines Viable System Modelling (VSM) and
Game Theory (GT).
Managing Cyber Security Risks in I ndustrial Control Systems with Game Theory and Viable System Modelling
2
VSM in Details
Risk Management
Asset Identification and Evaluation
1. Asset Identification
2. Asset Valuation
Risk Analysis
3. Thread Identification
4. Thread Assessment
5. Vulnerability and Strategy Identification
6. Vulnerability Assessment
7. Risk Evaluation
A zero-sum Game is constructed
where an attacker tries to harm an
ICS as much as possible while a
defender tries to defend the ICS in
the best possible way. Both are
rational players who seek for the
strategy that will lead them to the
highest individual reward.
Strategies Proposed
8. Strategies Assessment and Outcome (GT)
Managing Cyber Security Risks in I ndustrial Control Systems with Game Theory and Viable System Modelling
3
VSM in Details
Risk Management
Asset Identification and Evaluation
1. Asset Identification
2. Asset Valuation
Risk Analysis
3. Thread Identification
4. Thread Assessment
5. Vulnerability and Strategy Identification
6. Vulnerability Assessment
7. Risk Evaluation
Strategies Proposed
Although we can easily identify the
assets, valuating them requires:
• Capturing the relationships between
the Asset of an ICS
• Capturing the relationships between
the components of different ICSs
• Consideration of the effect of a
component’s failure to the rest of the
components (within the same and
different ICSs)
8. Strategies Assessment and Outcome (GT)
Managing Cyber Security Risks in I ndustrial Control Systems with Game Theory and Viable System Modelling
4
VSM in Details
Risk Management
Asset Identification and Evaluation
1. Asset Identification
2. Asset Valuation
Risk Analysis
3. Thread Identification
4. Thread Assessment
5. Vulnerability and Strategy Identification
6. Vulnerability Assessment
7. Risk Evaluation
Strategies Proposed
8. Strategies Assessment and Outcome (GT)
Managing Cyber Security Risks in I ndustrial Control Systems with Game Theory and Viable System Modelling
5
VSM in Details
Risk Management
Asset Identification and Evaluation
1. Asset Identification
2. Asset Valuation
2
Info about
System’s
Current
Status
3. Thread Identification
4. Thread Assessment
5. Vulnerability and Strategy Identification
6. Vulnerability Assessment
8. Strategies Assessment and Outcome (GT)
3
4 Communicates
5's Decisions
Proposes
Approaches for
System’s
Evolution
5
Manages/Controls its
Units
Audits its
Operations
3*
7. Risk Evaluation
Strategies Proposed
Transfers
Results of
Coordination
Transfers
Results
of Audit
Risk Analysis
Manages its Operations and
Coordinates its Activities
4
Makes and
Delivers
Decisions
about
Changes
Need to be
Made
4 Identifies
Changes in
the
Environment
1
Data
Exchange
Environ
ment
Managing Cyber Security Risks in I ndustrial Control Systems with Game Theory and Viable System Modelling
6
VSM in Details
Risk Management
Asset Identification and Evaluation
1. Asset Identification
2. Asset Valuation
Risk Analysis
3. Thread Identification
4. Thread Assessment
5. Vulnerability and Strategy Identification
6. Vulnerability Assessment
7. Risk Evaluation
Value of Asset = (Market price) x (Number
of connections) x (Effect on other ICSs) x
(Role of the Asset)
where,
Effect on other ICSs = (Role of the Asset) /
(Number of devices with the same role)
Strategies Proposed
8. Strategies Assessment and Outcome (GT)
Managing Cyber Security Risks in I ndustrial Control Systems with Game Theory and Viable System Modelling
7
VSM in Details
Risk Management
Asset Identification and Evaluation
1. Asset Identification
2. Asset Valuation
Risk Analysis
3. Thread Identification
4. Thread Assessment
5. Vulnerability and Strategy Identification
6. Vulnerability Assessment
7. Risk Evaluation
Strategies Proposed
Identification and Assessment
of Threads and Vulnerabilities
is now possible since all
interconnections are known. We
only need to know the
probability that a thread/attack
is successful
8. Strategies Assessment and Outcome (GT)
Managing Cyber Security Risks in I ndustrial Control Systems with Game Theory and Viable System Modelling
8
VSM in Details
Risk Management
Asset Identification and Evaluation
1. Asset Identification
2. Asset Valuation
Risk Analysis
3. Thread Identification
4. Thread Assessment
5. Vulnerability and Strategy Identification
6. Vulnerability Assessment
7. Risk Evaluation
Strategies Proposed
8. Strategies Assessment and Outcome (GT)
Attacker’s Strategies
Espionage
Yes or No
Confidentiality
Security Attribute
Integrity
Availability
Inveteracy of
<1Year
>1Year
Vulnerability
Very difficult
Difficulty of
Difficult
Detection
Easy
Very Difficult
Difficulty of Recovery
Difficult
(Cost of Healing)
Easy
Defender’s Strategies
R&D
Yes or No
Never
Patch Frequency
1 Year
>1 Year
IDS
Yes or No
Managing Cyber Security Risks in I ndustrial Control Systems with Game Theory and Viable System Modelling
9
VSM in Details
Risk Management
Asset Identification and Evaluation
1. Asset Identification
2. Asset Valuation
Risk Analysis
3. Thread Identification
4. Thread Assessment
5. Vulnerability and Strategy Identification
6. Vulnerability Assessment
7. Risk Evaluation
Strategies Proposed
8. Strategies Assessment and Outcome (GT)
Managing Cyber Security Risks in I ndustrial Control Systems with Game Theory and Viable System Modelling
10
VSM in Details
Risk Management
Asset Identification and Evaluation
1. Asset Identification
2. Asset Valuation
Risk Analysis
3. Thread Identification
4. Thread Assessment
5. Vulnerability and Strategy Identification
6. Vulnerability Assessment
7. Risk Evaluation
Under the rules:
• Attack against Confidentiality
cannot be very difficult to recover
• Zero day attack cannot be easy to
detect
• >1Years attacks can only be easy to
detect
Strategies Proposed
8. Strategies Assessment and Outcome (GT)
Managing Cyber Security Risks in I ndustrial Control Systems with Game Theory and Viable System Modelling
11
Game Theory
Risk Management
Asset Identification and Evaluation
Attacker’s Reward = Gain + Cost of
Defense + Cost of Healing – Cost of Attack
1. Asset Identification
2. Asset Valuation
where,
Risk Analysis
3. Thread Identification
4. Thread Assessment
5. Vulnerability and Strategy Identification
6. Vulnerability Assessment
7. Risk Evaluation
Strategies Proposed
Gain = Value of Asset × Security Attribute
× Probability of Successful Attack
Cost of Defense = R&D + Patch Frequency
+ IDS
Cost of Healing = Difficulty of Recovery
Cost of Attack = Espionage + Inveteracy of
Vulnerability × Difficulty of Detection
8. Strategies Assessment and Outcome (GT)
Managing Cyber Security Risks in I ndustrial Control Systems with Game Theory and Viable System Modelling
12
Game Theory
Risk Management
Asset Identification and Evaluation
1. Asset Identification
2. Asset Valuation
Risk Analysis
3. Thread Identification
4. Thread Assessment
5. Vulnerability and Strategy Identification
6. Vulnerability Assessment
7. Risk Evaluation
Strategies Proposed
8. Strategies Assessment and Outcome (GT)
Attacker’s Strategies
Espionage
Confidentiality
Security Attribute
Integrity
Availability
Inveteracy of
<1Year
Vulnerability
>1Year
Very difficult
Difficulty of
Difficult
Detection
Easy
Very Difficult
Difficulty of Recovery
Difficult
(Cost of Healing)
Easy
Defender’s Strategies
R&D
Never
Patch Frequency
1 Year
>1 Year
IDS
Value of Asset Under Attack
30,000
0.33
1
1
1,000
10
4
1
0.5
101,000
1,000
10
10,000
0
1,000
100
10
90,000
Managing Cyber Security Risks in I ndustrial Control Systems with Game Theory and Viable System Modelling
13
Results
Risk Management
Asset Identification and Evaluation
1. Asset Identification
2. Asset Valuation
Risk Analysis
Two Nash Equilibria in the form:
A: (Attack, Espionage, Core Attribute,
Inveteracy of Vulnerability, Difficulty of
Detection, Difficulty of Recovery)
D: (R&D, Patch Frequency, IDS)
3. Thread Identification
4. Thread Assessment
5. Vulnerability and Strategy Identification
6. Vulnerability Assessment
7. Risk Evaluation
Strategies Proposed
8. Strategies Assessment and Outcome (GT)
A: (Yes, No, Integrity, < 1 Year, Very Difficult,
Very Difficult)
D: (Yes, > 1 Year, No)
A: (Yes, No, Availability, 1 Year, Very Difficult,
Very Difficult)
D: (Yes, > 1 Year, No)
Managing Cyber Security Risks in I ndustrial Control Systems with Game Theory and Viable System Modelling
14
Results
Risk Management
Asset Identification and Evaluation
1. Asset Identification
2. Asset Valuation
Risk Analysis
3. Thread Identification
4. Thread Assessment
5. Vulnerability and Strategy Identification
6. Vulnerability Assessment
Both Nash Equilibria lead to a
reward for the attacker equal to
182,000 which means 182,000 loss
for the defender since it is a zerosum game.
7. Risk Evaluation
Strategies Proposed
8. Strategies Assessment and Outcome (GT)
Managing Cyber Security Risks in I ndustrial Control Systems with Game Theory and Viable System Modelling
15
Summary
A novel cyber security risk
management approach in ICSs
which combines VSM with GT and
takes into account the proprietary
and interconnected nature of an
ICS.
Managing Cyber Security Risks in I ndustrial Control Systems with Game Theory and Viable System Modelling
16
References
[1]
K. Stouffer, J. Falco, and K. Scarfone, "Guide to industrial control
systems (ICS) security," NIST Special Publication, pp. 800-82, 2011.
[2]
G. Digioia, C. Foglietta, S. Panzieri, and A. Falleni, "Mixed holistic
reductionistic approach for impact assessment of cyber attacks," in
Intelligence and Security Informatics Conference (EISIC), 2012 European, 2012,
pp. 123-130.
[3]
M. Esmalifalak, G. Shi, Z. Han, and L. Song, "Bad data injection
attack and defense in electricity market using game theory study," 2013.
[4]
M. Tambe and B. An, "Game Theory for Security: A Real-World
Challenge Problem for Multiagent Systems and Beyond," Association for the
Advancement of Artificial Intelligence, 2011.
17
Questions?
18
19