A contract-oriented view on threat modelling, Ketil Stølen, SINTEF (PowerPoint presentation)



Slide 1: A contract-oriented view on threat modelling

Ketil Stølen, SINTEF ICT and University of Oslo
Joint work with Gyrd Brændeland, Heidi Dahl, Olav Ligaarden

FLACOS, Malta, November 27, 2008

Slide 2: Motivation

- How to modularize threat modelling
- How to deal with mutual dependencies in threat modelling of complex systems

We need a notion of contract at the abstraction level of threat models.

Slide 3: Problem of risk analysis

Systems:
- are complex
- are mutually dependent
- cross national borders
- are continuously updated

You never have full access to all documentation. And, if you had, there would just be too much of it.

Slide 4: There is only one way forward

We need a reductionistic approach to risk analysis:
- decomposing analyses into smaller parts
- composing (already completed) analyses into an overall risk picture

Methodological reductionism is the idea that developing an understanding of a complex system's constituent parts (and their interactions) is the best way to develop an understanding of the system as a whole.

Slide 5: Reductionistic approach to the modeling of threat scenarios

I will illustrate the approach on CORAS. CORAS is:
- a method for model-driven security risk analysis
- a graphical language for structured brainstorming and analysis, with semantics defined as a schematic translation of diagrams into English
- a tool

You may do likewise with your favorite threat scenario modeling language (or your favorite risk table).

Slide 6: Approach

- Extend the graphical CORAS language to cope with context dependencies; we refer to the extended language as Dependent CORAS
- Update the semantics of the CORAS language to deal with context dependencies
- Define rules to reason about context dependencies
- Define rules for simplifying composed scenarios

Slide 7: One Step Back: What is Security Risk Analysis?

[Conceptual diagram: a Target inside its Analysis context, relating the concepts Threat, Vulnerability, Unwanted incident, Asset, Likelihood, Consequence, Risk and Treatment]

Slide 8: The CORAS security risk modeling language

Symbols: human threat (accidental), human threat (deliberate), non-human threat, vulnerability, threat scenario, unwanted incident, asset, treatment.

Slide 9: Threat Diagram

[Threat diagram: the threat Hacker initiates the threat scenario "Power supply in Norway breaks down" [1:100 years], which leads to the unwanted incident "Blackout in Norway" [3:100 years] with conditional likelihood 1.0; the threat scenario "Power supply in Sweden breaks down" [1:5 years] leads to the same incident with conditional likelihood 0.1; consequence "critical" for the asset "Power production in Norway". The legend labels the element kinds Threat, Threat scenario, Unwanted incident and Asset.]

Slide 10: Semantics: Translation into English

Vertices:
- "Hacker" is a deliberate threat.
- Threat scenario "Power supply in Norway breaks down" occurs with undefined likelihood.
- Threat scenario "Power supply in Sweden breaks down" occurs with likelihood "1:5 years".
- Unwanted incident "Blackout in Norway" occurs with likelihood "3:100 years".
- "Power production in Norway" is an asset.

Relations:
- Hacker initiates "Power supply in Norway breaks down" with likelihood "1:100 years".
- "Power supply in Norway breaks down" leads to "Blackout in Norway" with conditional likelihood "1.0".
- "Power supply in Sweden breaks down" leads to "Blackout in Norway" with conditional likelihood "0.1".
- "Power supply in Norway breaks down" impacts "Power production in Norway" with consequence "critical".

Slide 11: Checking Likelihoods

[The threat diagram of slide 9 again, with the likelihoods to be checked highlighted]

[1:5 years] * 0.1 = [1:50 years]
[1:100 years] + [1:50 years] = [3:100 years]

Slide 12: Dependent Diagram

[Dependent diagram "Norwegian Power Supply": the threat diagram of slide 9 partitioned into a CONTEXT SCENARIO and a TARGET SCENARIO. "Power supply in Sweden breaks down" [1:5 years] is the context scenario; Hacker, "Power supply in Norway breaks down" [1:100 years], "Blackout in Norway" [3:100 years] and the asset "Power production in Norway" form the target scenario.]

Slide 13: Semantics of Dependent Diagram

The semantics of a dependent diagram with context C and target T is defined as [[ T ]] assuming [[ C ]], to the extent there are explicit dependencies.

[The dependent diagram "Norwegian Power Supply" of slide 12 again]

Slide 14: Independence of Context

T is independent of C if there are no paths from C to T.
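Added example (not from the slides or the CORAS tool): a small Python encoding of the threat diagram from slides 9 to 12 that derives likelihoods the way slide 11 checks them and tests the independence condition of slide 14. The vertex and edge names are the slides' own; the function names and the "n:m years" parser are assumptions of this example.

```python
from fractions import Fraction

# Constructed encoding of the threat diagram on slides 9-12 (example code, not the CORAS tool).
def freq(text):
    """Parse a likelihood written as "3:100 years" into an exact yearly frequency."""
    count, per = text.replace("years", "").replace("year", "").split(":")
    return Fraction(int(count), int(per))

def show(f):
    """Render a yearly frequency in the slides' "n:m years" notation (None stays None)."""
    return None if f is None else f"{f.numerator}:{f.denominator} years"

STATED = {"Power supply in Sweden breaks down": freq("1:5 years"),  # likelihoods on vertices
          "Blackout in Norway": freq("3:100 years")}
INITIATES = [("Hacker", "Power supply in Norway breaks down", freq("1:100 years"))]
LEADS_TO = [("Power supply in Norway breaks down", "Blackout in Norway", Fraction(1)),
            ("Power supply in Sweden breaks down", "Blackout in Norway", Fraction(1, 10))]

def derived(v, initiates=INITIATES, leads_to=LEADS_TO, stated=STATED):
    """Likelihood of v from its incoming edges (diagram assumed acyclic): initiates-frequencies
    plus likelihood(src) * conditional likelihood per leads-to edge; no edges: stated value."""
    incoming = [(None, f) for _, d, f in initiates if d == v]
    incoming += [(s, c) for s, d, c in leads_to if d == v]
    if not incoming:
        return stated.get(v)  # None means "undefined likelihood"
    total = Fraction(0)
    for src, weight in incoming:
        base = Fraction(1) if src is None else derived(src, initiates, leads_to, stated)
        if base is None:
            return None  # an undefined upstream likelihood stays undefined downstream
        total += base * weight
    return total

def check_likelihoods(initiates=INITIATES, leads_to=LEADS_TO, stated=STATED):
    """Slide 11: vertices whose stated likelihood differs from the derived one -> (derived, stated)."""
    report = {}
    for v, s in stated.items():
        d = derived(v, initiates, leads_to, stated)
        if d != s:
            report[v] = (show(d), show(s))
    return report

def independent(target, context, initiates=INITIATES, leads_to=LEADS_TO):
    """Slide 14: T is independent of C iff no path in the diagram leads from C into T."""
    edges = [(t, d) for t, d, _ in initiates] + [(s, d) for s, d, _ in leads_to]
    seen, frontier = set(), set(context)
    while frontier:
        seen.add(v := frontier.pop())
        frontier |= {d for s, d in edges if s == v and d not in seen}
    return not (seen & set(target))
```

For the diagram of slide 12 the target is not independent of the context, because the 0.1 edge runs from the Swedish scenario into the target; dropping that edge makes the independence check succeed and the likelihood check report the now inconsistent [3:100 years].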

Slide 15: Rule of Independence

[The dependent diagram "Norwegian Power Supply" of slide 12 again, used to illustrate the rule]

Slide 16: Modus Ponens

Slide 17: Applying the Deduction Rules

[Two dependent diagrams. "Swedish Power Supply": "Power supply in Sweden breaks down" [1:5 years] and, as context, "Power supply in Norway breaks down" [1:100 years] both lead to "Blackout in Sweden" [21:100 years] with conditional likelihood 1.0; consequence "critical" for the asset "Power production in Sweden". "Norwegian Power Supply": the diagram of slide 12, with "Power supply in Sweden breaks down" [1:5 years] as context leading (0.1) to "Blackout in Norway" [3:100 years], Hacker initiating "Power supply in Norway breaks down" [1:100 years] (1.0), and consequence "critical" for "Power production in Norway". The threats shown are Hacker and Operator error.]

Slide 18: The Combined Diagram

Slide 19

Slide 20

[Combined diagram (the Norwegian and Swedish dependent diagrams side by side). Threats: Hacker, Operator error, Power market, Lack of rain in Norway, Lack of rain in Sweden. Threat scenarios: High export from area [1:1 years], High load on transmission corridor, Protection failure, Transmission line outage [1:1 year], Grid overload causes multiple outages [1:10 years] (in both diagrams), Grid overload causes multiple outages in export area [1:10 years], Low hydro availability [1:5 years] (in both diagrams), High import from Sweden [1:5 years], Failed area protection (in both diagrams), Interface bottleneck, Failed load shedding, Reduced nuclear availability [1:20 years], Unstable network [1:10 years], Capacity shortage [1:4 years], Outage of two or more transmission lines in the north/south corridor [1:1 year]. Unwanted incidents: Minor export area blackout in Norway [1:20 years], Minor area blackout [1:20 years], Total area blackout [1:20 years], Blackout in southern Sweden [1:20 years], Blackout in southern Sweden and Norway. Assets: Power production in Norway, Power production in Sweden. Consequences are "critical" or "moderate"; the edges carry conditional likelihoods between 0.01 and 1.0.]

Slide 21: Horizontal Composition

[Fragment of the combined diagram being composed: the threat scenarios "High export from area" [1:1 years], "High load on transmission corridor", "Protection failure", "Transmission line outage" [1:1 year] and "Grid overload causes multiple outages in export area" [1:10 years], with conditional likelihoods 0.1, 0.5 and 1.0 on the edges]

Slide 22

[The combined diagram after the composition: the fragment of slide 21 is replaced by the single threat scenario "High export leads to grid overload in Norway" [1:10 years]; the remaining elements are as on slide 20]

Slide 23: Horizontal Composition

[Fragment: "Total area blackout" [1:20 years] with consequence "critical" and edge likelihoods 0.2 and 0.2]

Slide 24

[The combined diagram after the composition: the duplicated "Grid overload causes multiple outages" [1:10 years] and "Failed area protection" now appear once; otherwise as on slide 22]

Slide 25: Horizontal Composition

[Fragment: "Total area blackout" [1:20 years] (consequence "critical", edge likelihoods 0.2 and 0.1) is composed into "Total area blackout in southern Sweden and Norway" [1:100 years] with consequence "critical"]

Slide 26

[The combined diagram after the composition: "Blackout in southern Sweden" [1:20 years] is gone and "Total area blackout in southern Sweden and Norway" [1:100 years] (consequence "critical") appears; otherwise as on slide 24]

Slide 27: Asset Composition

[The unwanted incident "Total area blackout in southern Sweden and Norway" [1:100 years] impacts "Power production in Sweden" and "Power production in Norway", each with consequence "critical"; the two assets are composed into the single asset "Power production in Norway and Sweden", with consequence "critical"]

Slide 28

[The combined diagram after the asset composition: the composed asset "Power production in Norway and Sweden" is added for "Total area blackout in southern Sweden and Norway" [1:100 years]; otherwise as on slide 26]

Slide 29: Vertical Composition

Slide 30

[The combined diagram after the vertical composition: "Reduced nuclear availability" [1:20 years] and one "Low hydro availability" [1:5 years] are replaced by "Low energy availability" [1:4 years]; otherwise as on slide 28]

Slide 31: Horizontal Composition

Slide 32

[The combined diagram after the composition: "Low energy availability" [1:4 years], "Unstable network" [1:10 years] and "Capacity shortage" [1:4 years] are replaced by "High load in combination with extreme demand in Southern Sweden" [1:10 years]; otherwise as on slide 30]

Slide 33: Horizontal & Asset Composition

[Fragment: the unwanted incidents "Minor export area blackout in Norway" [1:20 years] and "Minor area blackout" [1:20 years], impacting "Power production in Norway" and "Power production in Sweden" with consequence "moderate", and edge likelihoods 0.4, 0.5, 0.01 and 0.2]

Slide 34

[The combined diagram after the composition: "Minor export area blackout in Norway" [1:20 years] is replaced by "Multiple area blackout" [1:50 years], while "Minor area blackout" [1:20 years] remains; otherwise as on slide 32]

Slide 35: Conclusions

We have:
- argued the need for a reductionistic approach to risk analysis
- outlined a generic strategy to facilitate modular threat modelling
- illustrated the generic strategy on the CORAS language

Slide 36: Resources: http://coras.sourceforge.net/

Downloads:
- The CORAS diagram editor
- The CORAS icons (Visio stencil, PNG, SVG)

Publications:
- Folker den Braber, Ida Hogganvik, Mass Soldal Lund, Ketil Stølen, and Fredrik Vraalsen. Model-based security analysis in seven steps – a guided tour to the CORAS method. BT Technology Journal, 25(1):101–117, 2007.
- Ida Hogganvik. A graphical approach to security risk analysis. PhD thesis, Faculty of Mathematics and Natural Sciences, University of Oslo, 2007.
- Gyrd Brændeland, Heidi E. I. Dahl, Iselin Engan, Ketil Stølen. Using dependent CORAS diagrams to analyse mutual dependency. To appear in Proc. 2nd International Workshop on Critical Information Infrastructure Security (CRITIS'2007).

Slide 37: Questions?

Ketil Stølen, SINTEF ICT and University of Oslo, Ketil.Stolen@sintef.no