Modelling Security of Critical Infrastructures: A Survivability Assessment (PowerPoint PPT Presentation)



slide-1
SLIDE 1

Modelling Security of Critical Infrastructures: A Survivability Assessment

Ricardo J. Rodríguez†, José Merseguer†, Simona Bernardi§

{rjrodriguez, jmerse, simonab}@unizar.es

All wrongs reversed

†Dpto. de Informática e Ingeniería de Sistemas, Universidad de Zaragoza, Zaragoza, Spain

§Centro Universitario de la Defensa, Academia General Militar, Zaragoza, Spain

15 June 2016, II Jornadas Nacionales de Investigación en Ciberseguridad, Granada, Spain

Accepted in The Computer Journal. doi: 10.1093/comjnl/BXU096

slide-2
SLIDE 2

Introduction (I)

Critical Infrastructures

Provide essential services to society

Power distribution, water treatment, telco, financial services...

Discontinuity of service may lead to fatalities or injuries

Threats are of a different nature, from unintended acts of nature to intentional attacks (e.g., sabotage, terrorism)

R. J. Rodríguez, J. Merseguer, S. Bernardi. Modelling Security of CIs: A Survivability Assessment. JNIC 2016.

slide-3
SLIDE 3

Introduction (II)

Recent examples

- 2003 Northeast (U.S.) blackout. Attributed to a downed power line. 11 deaths and an estimated $6B in economic damages, plus disrupted power over a wide area for two days.
- 2013 Bowman Avenue Dam in NY was compromised, and control of the floodgates was gained. Attributed to Iranian hackers.
- 2015 Prykarpattyaoblenergo Control Center (PCC) in the Ivano-Frankivsk region of Western Ukraine. Left 230K residents without power for up to 6 hours. Presumed Russian cyberattacker.

Not only safe, but also secure


slide-4
SLIDE 4

Introduction (III)

The game has just begun...

Cyberattacks against SCADA systems doubled in 2014: more than 160K (Dell's 2015 Annual Security Report)

Malware targeting SCADA systems identified. Examples: Stuxnet, Havex, and BlackEnergy3



slide-6
SLIDE 6

Introduction (IV)

Survivability

Capability of a system to fulfill its mission, in a timely manner, in the presence of attacks, failures, or accidents

Usually qualitative in nature, and not precise or detailed enough to facilitate measurable survivability requirements and evaluations

Survivability strategy phases:

1. Resistance
2. Recognition
3. Recovery

Our proposal: SecAM (Security Analysis and Modelling) UML profile

Enables survivability analysis for critical infrastructures to provide capabilities for assessing defence plans



slide-8
SLIDE 8

Introduction (V)

Advantages

Specification, in a qualitative and quantitative manner, of security and survivability in early stages of development

Specific models for infrastructures and attack patterns

Survivability analysis through formal models (in particular, Generalized Stochastic Petri nets)

- Model-checking techniques
- Allows steady-state analysis
- Efficient techniques, such as linear algebra and linear programming-based techniques

Disadvantages

Increased model complexity

Lack of CASE tools with automated translation



slide-10
SLIDE 10

Background (I): UML profile

UML profile

UML tailored for specific purposes: profiling

Stereotypes and tagged values extend the model semantics and allow non-functional properties (e.g., performance, reliability, security) to be expressed within the model

OMG example

Modeling and Analysis of Real-Time and Embedded systems (MARTE)

Provides support for performance and schedulability analysis

Well-defined language to express NFPs (VSL, Value Specification Language)



slide-12
SLIDE 12

Background (II): GSPNs

UML profiling sounds cool, but. . .

Express quantitative properties for analysis

Transformation to formal models (in particular, Generalized Stochastic Petri nets)

Good (and mature) analysis framework

GSPN, simplified explanation

- Underlying Markov chain
- Places (circles, pX)
- Transitions (white/black bars, tX)
- Time interpretation: immediate transitions (t = 0); timed transitions (allow different probabilistic distributions)
- Tokens (black dots)


slide-13
SLIDE 13

SecAM Profile (I): a General Overview (1)

Diagram: SecAM profile structure. The <<profile>> SecAM imports <<profile>> MARTE and <<profile>> DAM, and contains the package SecAM_UML_Extensions and the <<modelLibrary>> SecAM::SecAM_Library (Basic_SECA_Types, Complex_SECA_Types). The library imports MARTE::VSL::DataType and MARTE::MARTE_Library::BasicNFP_Types.

SecAM relies on two profiles:

- MARTE: analysis capabilities (among other features)
- Dependability Analysis and Modeling (DAM): concepts shared by the dependability and security fields

Set of stereotypes, and basic and complex types


slide-14
SLIDE 14

SecAM Profile (I): a General Overview (2)

Security attributes covered by the SecAM packages (P1: Cryptographic; P2: SecurityMechanisms; P3: Resilience; P4: AccessControl):

Integrity        √ √ √
Availability     √ √
Confidentiality  √ √ √
Authorisation    √
Non-repudiation  √
Authenticity     √


slide-15
SLIDE 15

SecAM Profile (II): Cryptography package (1)

Diagram: <<profile>> SecAM::Cryptography (imports <<modelLibrary>> SecAM::SecAM_Library).

Enumerations:
- KeyType: Software, Hardware, Biometric
- KeyKind: Assymmetric, Symmetric
- PaddingScheme: Zero, Bit, Byte
- OperationMode: ECB, CBC, CFM, OFM, CTR
- StreamType: Synchronous, Asynchronous
- Perioricity: Periodic, NonPeriodic
- SecaStepKind: vulnerable, intrusion, cryptographic, messageDigest
- CipherKind: Stream, Block

Tuple types:
- SecaKey: size : NFP_Integer; type : KeyType; kind : KeyKind[0..1]; cipher : SecaCipher[0..1]
- SecaStream: type : StreamType; perioricity : Perioricity; key : SecaKey
- SecaBlock: size : NFP_Integer; padding : PaddingScheme[0..1]; opMode : OperationMode
- SecaCipher: concreteAlgorithm : NFP_String; errorRate : NFP_Real; operationalRate : NFP_Real; kind : CipherKind
- SecaMessageDigest: length : NFP_DataSize; padding : PaddingScheme[0..1]; opMode : OperationMode; blocks : SecaBlock[1..*]
- SecaMAC: key : SecaKey

Stereotype SecaStep (extends DAM::DaStep): kind : SecaStepKind; cryptographic : SecaKey; hash : SecaMessageDigest


slide-16
SLIDE 16

SecAM Profile (III): SecurityMechanisms package

Diagram: <<profile>> SecAM::SecureMechanisms (imports <<modelLibrary>> SecAM::SecAM_Library). Extended metaclasses and stereotypes: MARTE::GRM::Resource, MARTE::GRM::CommunicationMedia, UML::Package.

Enumerations:
- Degree: Low, Medium, High
- ScanningMode: OnDemand, RealTime
- HPotType: VirtualMachine, Logical, CapabilitySystem
- DetectionMethod: SignatureBased, AnomalyBased, StatefulBased, Other
- FilterLevel: DataLink, Packet, Stateful, Circuit, Application
- Feature: FileSystem, Registry, Process, Memory, Services, Ports, All
- OpMonitored: Read, Write, Create, Delete, Open, Kill, Close, All
- Location: Host, Network
- DefenceType: Proactive, Reactive, Both
- ServiceOffered: Web, Mail, FTP, DNS, Proxy, VPN, Honeypot, Other

Tuple types:
- SecaOperativeSystem: antivirus : SecaAntivirus[0..*]; hostFirewall : SecaHostFirewall[0..*]; idpsSoftware : SecaIDPSsoftware[0..*]; webBrowser : SecaWebBrowser[0..*]
- SecaAntivirus: scanningMode : ScanningMode
- SecaHostFirewall: filterLevel : FilterLevel
- SecaIDPSsoftware: detection : DetectionMethod
- SecaWebBrowser: wbPlugins : SecaWBPlugin[0..*]; securityLevel : Degree
- SecaWBPlugin
- SecaMonitorFeature: feature : Feature; operation : OpMonitored[1..*]
- SecaCommonType: name : NFP_String; version : NFP_String; vulnerabilities : SecaVulnerable[0..*]

Stereotypes:
- SecaSecurityDevice: location : Location; defenceType : DefenceType; hitRate : NFP_Real
- SecaCryptoHW: key : SecaKey
- SecaWormhole: nParallel : NFP_Integer; nFaulty : NFP_Integer; tPeriod : NFP_Duration; tRecovery : NFP_Duration
- SecaIDPS: detection : DetectionMethod[1..*]
- SecaFirewall: filterLevel : FilterLevel
- SecaBastion: service : ServiceOffered
- SecaDMZ
- SecaHoneyPot: type : HPotType; duration : NFP_DataTime; operativeSystem : SecaOperativeSystem; cryptoHW : SecaCryptoHW[0..*]; monitor : SecaMonitorFeature[0..*]
- SecaLink: nFactor : NFP_Integer; layer : ProtocolLayer; protocol : NFP_String


slide-17
SLIDE 17

SecAM Profile (IV): Resilience package

Diagram: <<profile>> SecAM::Resilience (imports <<modelLibrary>> SecAM::SecAM_Library).

Stereotypes:
- SecaAttackGenerator (extends DAM::DaFaultGenerator): attack : SecaAttack
- SecaStep (extends DAM::DaStep): vulnerability : SecaVulnerable; intrusion : SecaIntrusion; kind : SecaStepKind

Tuple types:
- DAM::DaFault: ocurrenceProb : NFP_Real[*]
- SecaCoordAttack: coordType : CoordinationType; attacks : SecaAttack[2..*]; / ocurrenceProb : NFP_Real[*]
- SecaIntrusion: successProb : NFP_Real; origin : SecaVulnerable; cause : SecaAttack
- SecaVulnerable: degree : Degree; composed : SecaVulnerable[*]
- SecaAttack: type : TypeOfAttack; class : ClassOfAttack; location : AttackLocation; objective : AttackObjective; kind : KindOfAttack[*]; target : GaExecHost

Enumerations:
- KindOfAttack: Injection, ResourceModification, ProtocolManipulation, Analysis, APIabuse, BruteForce, Flooding, Spoofing, SocialEngineering, Explosive
- AttackObjective: Denial-Of-Service, RunArbitraryCode, PrivilegeScalation, DataModification, InformationLeakage
- AttackLocation: Single-source, Multi-source, Reflector-source
- ClassOfAttack: Virus, Worm, BufferOverflow, ResourceConsuming, Physical, Password, InformationGathering, Trojan
- CoordinationType: Cumulative, Replicated, Mixed
- TypeOfAttack: Active, Passive


slide-18
SLIDE 18

SecAM Profile (V): AccessControl package

Proposal (draft)

Subjects, operations and objects

Operations: kind and granted/not granted (boolean)

Read, Write, Access, Execution?

Subjects: self-association

Delegation of authorisation; separation of duties

Idea: access control policies specified by OCL (UML constraints)


slide-19
SLIDE 19

Model-based Methodology

Diagram: model-based methodology.

UML models: the CI Model, made of the CI Flow model (UML Activity diagram) and the CI Resource model (UML deployment diagram), and the Attack Model (UML Activity diagram); both are annotated with the <<profile>> SecAM (annotating security). A survivability pattern library (coordinated attacks, cyber-attacks, ...) supplies the survivability pattern applied to the attack model.

Petri net models: a model-to-model transformation yields the CI GSPN Model and the GSPN Attack Model; GSPN composition produces the GSPN Model4Analysis.

Analysis & Assessment: qualitative analysis and quantitative assessment (through sensitivity analysis), driven by the parameters for analysis.


slide-20
SLIDE 20

Case Study (I)

Saudi Arabia crude-oil pipeline network (1)

Highlights

World's largest exporter of petroleum liquids and crude-oil producer (8-10 mmbbl/day)

National distribution network > 9,000 miles long




slide-23
SLIDE 23

Case Study (I)

Saudi Arabia crude-oil pipeline network (2)

Terrorist target

physical attacks (Abqaiq oil facility, 2006); cyberattacks (Shamoon malware, 2012)

A 50% reduction of Saudi Arabia crude-oil output would lead to a global recession if the infrastructure could not be repaired within a few months [a]

Survivability strategies are a must to quickly recover (hours/days) the infrastructure

[a] Chaney and Berner. Global: oil price update: still higher and more uncertain. Global Economic Forum. Morgan Stanley. 2004


slide-24
SLIDE 24

Case Study (II): Distribution network model

Diagram: UML deployment diagram of the distribution network. Every node is a <<device>> <<gaExecHost>>: Abqaiq (source plant); the crude-oil seaports Ras Al-Juaymah, Yanbu, Ras Tanura, Ras Al-Khafji and Jubail; the junction Qadif; and the pipes Pipe P1 and Pipe P3.

MARTE: devices & exec. hosts

SecAM: security mechs


slide-25
SLIDE 25

Case Study (III): Crude-oil system flow model

Diagram: UML activity diagram of the crude-oil flow. Flows to Ras Al-Juaymah, Yanbu, Ras Tanura, Ras Al-Khafji and Jubail pass through Pipe P1, Pipe P3, Junction J1, Pipe P2, Junction J2 and Pipe P4 and end in Yanbu, Jubail, Ras Al-Juaymah, Ras Tanura and Ras Al-Khafji. A decision node "Which path?" carries the routing annotation {prob=(value=$path2,src=est)}, and a MergeNode joins the alternative paths.

SecAM annotations to specify:

- crude-oil traversal time in pipes and junctions
- routing probabilities


slide-26
SLIDE 26

Case Study (IV): Physical Attack (1)

Survivability scenario

Diagram: survivability scenario (physical attack), UML activity diagram. <<secaAttackGenerator>> Attacking -> <<secaStep>> System Resists Attack -> "Resistance success?" (Yes/No). If not resisted: <<secaStep>> Recovering (System Recognizes and Recovers Attack) -> "Recognition success?" (Yes/No). If not recognized: <<secaStep>> Repairing (System Repairs Attack).

SecAM annotations to specify:

- Attack type and concrete target nodes in the network
- Resistance & recognition probabilities
- Time to recovery & repair


slide-27
SLIDE 27

Case Study (IV): Physical Attack (2)

Analysis with GSPN

Diagram (A2): GSPN of the survivability scenario of the physical attack. A coordinated attack (coordAttack) fires attackQadif, attackP3 and attackP1; for each target the net has attacking, resistance (resP1OK/resP1KO, resP3OK/resP3KO, resQadifOK/resQadifKO), recognition (recP1OK/recP1KO, recP3KO, recQadifOK), recovery (recoveryP1, recoveryP3, recoveryQadif) and repair (repairP1, repairP3, repairQadif) transitions, plus the shared resource places ResP1, ResP3 and ResQadif.

Diagram (A1): GSPN of the oil distribution network, from place start to place end, sharing the resource places for pipe P1, pipe P3 and junction Qadif (e.g., wait4P1). Network throughput = X(end).

Parameters    Value(s)       GSPN transitions
resistance    [0.05-0.95]    recP1OK, recP3OK, recQadifOK
recognition   1              recP1OK, recP3OK, recQadifOK
recovery      [72-3] hrs     recoveryP1, recoveryP3, recoveryQadif
MTTR          6 months       repairP1, repairP2, repairQadif
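The resistance / recognition / recovery phases of slide "Introduction (IV)" and the resistance, recognition, recovery and MTTR parameters of this slide's GSPN can be worked through on a single attacked node. The following is an added example, not code from the talk or from the SecAM project: it solves the Markov chain underlying the GSPN directly, and the attack arrival rate (one attack per month) and the MTTR expressed in hours are constructed assumptions, since the slide gives only the ranges it sweeps.

```python
"""Steady-state survivability of one attacked node under the resistance /
recognition / recovery strategy, solved on the Markov chain that underlies
the GSPN of the talk.  Added example, not code from the talk or the SecAM
project.  The attack arrival rate and the sample values in __main__ are
constructed assumptions; the slide only gives the ranges it sweeps.
"""
from typing import Dict, List, Tuple

STATES = ("up", "recovering", "repairing")
HOURS_PER_MONTH = 720.0  # assumption used to express the 6-month MTTR in hours


def generator(attack_rate: float, resistance: float, recognition: float,
              t_recovery: float, t_repair: float) -> List[List[float]]:
    """Infinitesimal generator Q (rates in 1/h) of the three-state chain.
    up -> recovering: attack not resisted but recognised (short recovery);
    up -> repairing: attack not resisted and not recognised (repair, MTTR).
    A resisted attack leaves the node up, so it adds no transition to Q."""
    if not (0.0 <= resistance <= 1.0 and 0.0 <= recognition <= 1.0):
        raise ValueError("resistance and recognition are probabilities")
    if attack_rate < 0.0 or t_recovery <= 0.0 or t_repair <= 0.0:
        raise ValueError("attack rate must be >= 0 and durations > 0")
    breach = attack_rate * (1.0 - resistance)
    q = [[0.0] * 3 for _ in range(3)]
    q[0][1] = breach * recognition            # recXOK, then recoveryX
    q[0][2] = breach * (1.0 - recognition)    # recXKO, then repairX
    q[1][0] = 1.0 / t_recovery
    q[2][0] = 1.0 / t_repair
    for i in range(3):                        # rows of a generator sum to 0
        q[i][i] = -sum(q[i][j] for j in range(3) if j != i)
    return q


def steady_state(q: List[List[float]]) -> Dict[str, float]:
    """Solve pi*Q = 0 with sum(pi) = 1 by Gaussian elimination (no numpy)."""
    n = len(q)
    a = [[q[j][i] for j in range(n)] for i in range(n)]   # A = Q^T
    b = [0.0] * n
    a[n - 1] = [1.0] * n      # one balance equation is redundant: replace it
    b[n - 1] = 1.0            # by the normalisation constraint sum(pi) = 1
    for col in range(n):      # forward elimination with partial pivoting
        piv = max(range(col, n), key=lambda r: abs(a[r][col]))
        a[col], a[piv] = a[piv], a[col]
        b[col], b[piv] = b[piv], b[col]
        for r in range(col + 1, n):
            f = a[r][col] / a[col][col]
            for c in range(col, n):
                a[r][c] -= f * a[col][c]
            b[r] -= f * b[col]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):            # back substitution
        x[r] = (b[r] - sum(a[r][c] * x[c] for c in range(r + 1, n))) / a[r][r]
    return dict(zip(STATES, x))


def throughput_loss(attack_rate: float, resistance: float, recognition: float,
                    t_recovery: float, t_repair: float) -> float:
    """Throughput loss X in %: fraction of time the node is down.  The node is
    assumed to sit on the only path, as junction Qadif does in the network."""
    pi = steady_state(generator(attack_rate, resistance, recognition,
                                t_recovery, t_repair))
    return 100.0 * (pi["recovering"] + pi["repairing"])


def closed_form_loss(attack_rate: float, resistance: float, recognition: float,
                     t_recovery: float, t_repair: float) -> float:
    """Same quantity from the balance equations, to cross-check the solver."""
    breach = attack_rate * (1.0 - resistance)
    down = breach * (recognition * t_recovery + (1.0 - recognition) * t_repair)
    return 100.0 * down / (1.0 + down)


def sensitivity(attack_rate: float, recognition: float, t_repair: float,
                resistances: Tuple[float, ...], recoveries: Tuple[float, ...]
                ) -> Dict[Tuple[float, float], float]:
    """Sweep resistance and recovery time as the slide's parameter table does."""
    return {(res, rec): throughput_loss(attack_rate, res, recognition, rec, t_repair)
            for res in resistances for rec in recoveries}


if __name__ == "__main__":
    # Constructed sample: one attack per month on average, MTTR of 6 months.
    table = sensitivity(1.0 / HOURS_PER_MONTH, 1.0, 6 * HOURS_PER_MONTH,
                        (0.05, 0.5, 0.95), (3.0, 24.0, 72.0))
    for (res, rec), loss in table.items():
        print(f"resistance={res:.2f} recovery={rec:5.1f} h -> X={loss:5.2f}%")
```

With recognition fixed at 1, as in the slide's table, the sweep reproduces the qualitative shape of the analysis results: loss falls with resistance and grows with recovery time, and dropping recognition below 1 routes attacks into the six-month repair branch, which dominates everything else.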




slide-30
SLIDE 30

Case Study (IV): Physical Attack (3)

Analysis results

Plots: throughput loss (%) and Mbbl/day loss as functions of resistance (0.0-1.0) and recovery time (10-80 hrs).

- rec < 6 hrs → X < 20%, n < 240 Mbbl/day
- res < 50%, rec ∈ [1-3] days → X ∈ [40-77]%, n ∈ [990K-1.2M]
- Hard resistance solutions required to maintain X < 50%. Example: surveillance combined with external perimeter security


slide-31
SLIDE 31

Case Study (V): Cyber Attack (1)

Survivability scenario

Diagram: survivability scenario (cyber attack), UML activity diagram with two <<secaAttackGenerator>> nodes, Survivability Qadif and Survivability P1, both fed by Attacking. Qadif branch: Init -> <<secaStep>> Filtering packets -> "Resistance success?": Yes -> Process next packets; No -> <<secaStep>> Recovering. P1 branch: Init -> <<secaStep>> Deciphering packets -> Process next packets.

Coordinated attack on two computation nodes

- DoS to the Qadif node & run arbitrary code on the P1 node
- Resistance strategies: IDPS & cryptographic algorithm


slide-32
SLIDE 32

Case Study (V): Cyber Attack (2)

Analysis with GSPN

(B1)

Diagram (B1): GSPN of the oil distribution network control system, from place start to place end, with network throughput = X(end) and the shared resource places ResQadif and ResP1.

Diagram (B2): GSPN of the survivability scenario of the cyber attack. Qadif: init -> beginFilter -> filteringPackets (filtering) -> resistance (resQadifOK / resQadifKO) -> recoverQadif (recovering) -> endFilter -> processNextPacket. P1: init -> beginDecipher -> decipheringPacket (deciphering) -> endDecipher -> processNextPacket. The attacking transition drives both.

Parameters   Value(s)               GSPN transitions
filterPb     [0.50;..;0.95]         resQadifOK
filter       [1.44min;..;14.4min]   filtering
decipher     2.88 min               deciphering
recovery     [11min-12hrs]          recoveryQadif

Overhead due to the filtering solution: filter and filterPb are in direct proportion





slide-36
SLIDE 36

Case Study (V): Cyber Attack (3)

Analysis results

- rec < 3 hrs → Ov < 16%
- rec ∈ [6-12] hrs → Ov ∼ 60% for low quality filters, Ov ∼ 30% for high quality ones

Plot: overhead (%) as a function of recovery time (100-800 min) and filter time (1.5-2.5 min).



slide-38
SLIDE 38

Conclusions and Future Work

Conclusions

- SecAM enables expressing security parameters and requirements
- Formal models to perform survivability analysis
- Evaluate survivability strategies under different scenarios

Future Work

- Automated tool to complete the transformation (and feedback!)
- Combine SecAM with other formal methods (e.g., Fault Trees or Bayesian Networks)

