MUMBA: Multi-faceted Metrics for ICS Business Risk Analysis

Lead Research Organisation: Lancaster University
Department Name: Computing & Communications

Abstract

The evolution of cyber space is transforming the way our infrastructure is managed. Industrial control systems, that is those systems that manage critical utility infrastructure such as Energy, Water and Transport are increasingly interacting with enterprise IT systems in intricate fashions. This leads to an increase in the level of threats to these critical infrastructures. This is only too evident from cyber weapons such as Stuxnet which targeted centrifuges in Iran's nuclear facilities and more recent news that over 60,000 exposed control systems were accessible online. The US Defence Secretary Leon Panetta described a recent spate of cyber attacks against critical infrastructures as a "pre-9/11 moment". The cyber attack surface of future generations of control systems is likely to increase further with new technologies and working practices such as the use of autonomous software agents in their operation and handheld wireless devices in control and maintenance.

Given the importance of industrial control systems to society, it is important that decision-makers are able to effectively articulate the risks posed to them from cyber space. Even more importantly, decision-makers should be able to understand and respond to such risks from a business continuity and recovery perspective in order to evaluate and prioritise their mitigation responses. However, to date, metrics for articulating cyber risk in such settings have largely been driven by technical measures pertaining to security of information or resilience of the control system itself. Though important, these metrics bear little relationship to typical factors used in business risk analysis, such as business continuity, disaster recovery, cost, reputation, impact on resources, etc.

The MUMBA project takes the perspective that metrics for articulating cyber risk (in industrial control systems) as business risk only make sense in the context of what we understand the larger system to be, and cannot sensibly be designed without a model of this system. Post-hoc mapping of security and resilience metrics to business risk fails to account for the complex socio-technical landscape in which current and future generations of control systems reside. Effective articulation of cyber risk as business risk requires multi-faceted metrics that are first and foremost driven by business risk concepts. Such metrics consider business risk both along and across various facets of an industrial control system setting i.e., the control system itself, enterprise systems, business processes, people, third party organisations in the product/service supply chain and new/emergent technologies (and associated working practices). Furthermore, the project addresses the need to contextualise these metrics to a particular critical infrastructure domain to ensure meaningful interpretation of business risks and prioritisation and implementation of responses (i.e., whether to mitigate, transfer, accept or avoid particular risks).

The project involves a world-leading multi-disciplinary team of researchers in cyber security, resilient industrial control systems, risk management and social anthropology from the Security Lancaster research centre. This academic expertise is complemented by practical insights provided by four industry partners: Airbus, Thales, Atkins Global and Raytheon. Through its research into the complex socio-technical processes at play in contemporary industrial control system settings, new metrics and how to instrument such environments to gather relevant data to compute such metrics, the project aims to become a cornerstone for future research and practice on articulating cyber risk as business risk.

Planned Impact

There are four principal beneficiaries of the project:

1. Industry organisations in ICS and critical national infrastructure (CNI) domains will benefit from new and improved metrics enabling them to translate cyber risk to business risk as well as evaluate and understand higher order impacts of cyber risk on business, i.e. across space and time. They will also benefit from a deeper understanding of the broader ICS context in which cyber risk is situated, how intersections of various elements, i.e. ICS, enterprise systems, business processes, people, 3rd parties, new technologies, etc. shape this risk and the associated risk responses. They will also benefit from design principles for new metrics, a methodology and decision-support tool along with guidelines to operationalise them in different organisational contexts. Equally importantly, they will benefit from improved skills in business risk assessment of contemporary and future generations of ICSs.

They will also benefit from economic gain through a reduction in costs from cyber-security breaches - being better equipped with knowledge of associated business risks and strategies to counter/mitigate such risks. The results of the project will prepare risk assessors in these organisations for more effective assessment and communication of cyber risks.

Our industry partners and the various domains they cover will directly benefit from knowledge and technology transfer into their working practices with regards to cyber security and ICS settings.


2. Cyber-security industry will benefit from improved methods and tools and new insights into how to tackle the complex landscape of cyber-security and ICS/CNI they encounter on a regular basis and how best to articulate business risk and the impact on business continuity in such settings. They will also benefit from metrics, methodology and tools to provide innovative services to the ICS sector to help manage the impact of increasing connectivity, virtualisation and use of mobile handheld (wireless) devices.

3. Policy makers and government organisations charged with CNI protection will benefit from a deeper understanding of the role that various facets of a modern ICS environment play with regards to cyber risk, how this exposes various business sectors to a range of threats and what mitigation approaches can have the maximum impact in minimising the potential economic and security impact. Equally importantly, they will gain insights into developing good practice guidelines to help businesses protect themselves against a range of known and future cyber-security risks in modern (and future) ICS settings.

4. Last, but not least, the general public will benefit from more resilient utility infrastructures that are better equipped to manage the risks arising from an increasingly complex, highly connected landscape where battles are often being fought in cyber space and the impact of any compromise of such infrastructure will be most felt by citizens.

Publications

10 25 50
 
Description A number of key findings have emerged from the project:

1. The role of latent design conditions in cyber security of industrial control systems
We have undertaken a study of historical security incidents to analyse the factors that impact the cyber security of industrial control systems (ICS). Our study challenges the usual tendency to blame human fallibility or resort to simple explanations for what are often complex issues that lead to a security incident. We highlight that (i) perception errors are key in such incidents (ii) latent design conditions - e.g., improper specifications of a system's borders and capabilities - play a fundamental role in shaping perceptions, leading to security issues. Such design-time considerations are particularly critical for ICS, the life-cycle of which is usually measured in decades. Based on this analysis, we also discuss how key characteristics of future smart CPS in such industrial settings can pose further challenges with regards to tackling latent design flaws.

2. Contextualising and Aligning Security Metrics and Business Objectives
Pre-defined security metrics suffer from the problem of contextualisation, i.e. a lack of adaptability to particular organisational contexts - domain, technical infrastructure, stakeholders, business process, etc. Adapting metrics to an organisational context is essential (i) for the metrics to align with business requirements (ii) for decision makers to maintain relevant security goals based on measurements from the field. We have developed a methodology, SYMBIOSIS, that defines a goal elicitation and refinement process - mapping business objectives to security measurement goals via the use of systematic templates that capture relevant context elements (business goals, purpose, stakeholders, system scope). This well-defined process enforces that (i) metrics align with business objectives via a top-down derivation that refines top-level business objectives to a manageable granularity (ii) the impact of metrics on business objectives is explicitly traced via a bottom-up feedback mechanism, allowing an incremental approach where feedback from metrics influences business goals, and vice-versa. The methodology has been validated using three case-studies, which show how the aforementioned pitfalls of security metrics development processes affected the outcome of several high-profile security incidents and how SYMBIOSIS addresses such issues.

3. Decision-making behaviours and patters of cyber security stakeholders in an industrial control systems setting
Stakeholders' security decisions play a fundamental role in determining security requirements and their relative prioritisation given budgetary constraints and trade-offs with other requirements. Little is currently understood about how different stakeholder groups within an organisation approach security decisions and the drivers and tacit biases underpinning their decisions. Yet, understanding the "how" and "why" behind security decision processes is essential to building a common understanding of the issues at play during requirements elicitation and prioritization. We studied and contrasted the security decisions and the underlying strategies of three demographics - security experts, computer scientists and managers - when playing a tabletop game (Decisions and Disruptions) that we designed and developed. The game tasks a group of players with managing the security of a cyber-physical environment, specifically a small utility company, while facing various threats. Analysis of the players' actions reveals strategies that repeat in particular demographics, e.g., managers and security experts generally favoring technological solutions - and especially the "big shiny boxes" - over training and awareness-raising activities, which computer scientists preferred. Surprisingly, security experts were not ipso facto better at making security decisions - in some cases, they made very questionable decisions when contrasted with groups in the other two categories; yet they showed a higher level of confidence in those decisions. We also classified players' decision-making processes, i.e., procedure-, experience-, scenario- or intuition-driven. We further analyzed the players' actions to elicit decision patterns - both good practices and typical errors and pitfalls. Feedback from players also highlights the value of our game as a requirements sandbox in which players can experiment with security risks, learn about decision-making and its consequences, and reflect on their own perception of security.
Exploitation Route These are fundamental insights into factors that impact cyber security risk decisions in industrial control systems. They can form the basis of future research in improving cyber security of such infrastructures.
Sectors Aerospace, Defence and Marine,Digital/Communication/Information Technologies (including Software),Electronics,Government, Democracy and Justice,Manufacturing, including Industrial Biotechology,Transport

URL http://ritics.org
 
Description A cyber-physical systems security game, Decisions and Disruptions has been designed to study security decision-making by security experts and non-experts in industrial control systems environments. The game has been played with a number of industry participants - from security, IT and management backgrounds. The game has not only provided key insights into decision-making behaviours of various demographics but has also been highly successful in educating participants about cyber security in such critical infrastructure settings. We are currently in the process of developing a number of "game boxes" to be shared with a range of interested industry and practice organisations for use in cyber security training. A number of other engagements with industry partners have taken place in order to understand the issue that impact cyber security of industrial control systems. A series of studies have been undertaken to study the cyber risk decisions of experts. Regular engagement with industry takes place through the RITICS advisory board. Several invited talks at industry events have been given including the SMI Oil and Gas cyber security conference. The game has been adopted by the Metropolitan Police Service to teach leaders about how to protect their companies from cyber attacks.
First Year Of Impact 2016
Sector Digital/Communication/Information Technologies (including Software),Other
Impact Types Economic,Policy & public services

 
Description Adoption of the Decisions and Disruptions game by Metropolitan Police Service
Geographic Reach National 
Policy Influence Type Influenced training of practitioners or researchers
Impact The use of the Decisions and Disruptions game raises awareness of cyber security issues across organisations and provides an innovative and fun way to learn about cyber security decision-making.
URL http://www.bris.ac.uk/news/2018/march/cyber-security.html
 
Description Article in CREST Security Review: Cyber Security Decisions: How Do You Make Yours? 
Form Of Engagement Activity A magazine, newsletter or online publication
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Policymakers/politicians
Results and Impact Professor Awais Rashid and Dr Sylvain Frey investigate cyber security decision making processes through a tabletop game.
Year(s) Of Engagement Activity 2017
URL https://crestresearch.ac.uk/comment/cyber-security-decisions/
 
Description Decisions and Disruptions Workshops 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact A number of workshops were organised using the Decisions and Disruptions game developed as part of the Mumba project. The game provides a sandbox in which players can experiment with security risks, learn about decision-making and its consequences, and reflect on their own perception of security. The game has been played with a number of industry organisations (research ethics prohibit naming the organisations) and has also been requested for use internationally. The game has been adopted by the Metropolitan Police Service to teach business leaders how to protect their companies from cyber attacks. The game is continuing to grow in popularity and is being utilised by a number of organisations for raising awareness about cyber security.
Year(s) Of Engagement Activity 2016,2017
URL http://www.bris.ac.uk/news/2018/march/cyber-security.html
 
Description Fourth ACM Workshop on Cyber-Physical Systems Security and PrivaCy (CPS-SPC) in conjunction with the ACM Conference on Computer and Communications Security (CCS) in Toronto, Canada. 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Other audiences
Results and Impact Professor Rashid chaired the workshop that brought together international researchers to discuss key challenges and new approaches for security and privacy in cyber-physical systems, including industrial control systems.
Year(s) Of Engagement Activity 2018
URL https://cps-spc.org
 
Description Google Talk 2017 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Industry/Business
Results and Impact Invited Talk: Everything is Awesome! or is it? Cyber Security Risk in Critical Infrastructure, Google Zurich, 2017. This talk discussed insights from three years of research studying cyber security in such settings. The talk highlighted the complexity of managing security in a landscape shaped by the often competing demands of a variety of stakeholders, e.g., managers, control engineers, enterprise IT personnel and field site operators. It also covered how the security decision-making patterns of the various stakeholders contrast, with some surprising (or perhaps not so surprising) insights into the decision patterns of security experts and so-called non-experts. The talk concluded by discussing risks arising from the prevalence of social media information especially how these may be utilised to infer employees of a critical infrastructure organisation - leading to the potential for highly targeted spear-phishing campaigns.
Year(s) Of Engagement Activity 2017
 
Description Lightening Talk at Advances in Security Education Workshop, USENIX Security Symposium, 2017. 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Other audiences
Results and Impact Decisions & Disruptions: A Tabletop Game for Industrial Control Systems Security Education

As connectivity moves beyond traditional enterprise systems to cyber-physical infrastructures such as industrial control systems (ICS), one must consider the specific needs for security education in such environments. There is an increasing recognition of gamification as a means for delivering security education. However, games designed for traditional enterprise systems do not readily translate onto such infrastructures. ICS are complex environments incorporating a plethora of devices from sensors and actuators through to programmable logic controllers (PLCs) and remote telemetry units (RTUs) that monitor and control the physical process (through the aforementioned sensors and actuators). Contemporary ICS are also increasingly linked to and communicate with a range of enterprise-level business applications. The user base in such environments is, therefore, much more diverse than traditional enterprise systems, including field workers, Supervisory Control and Data Acquisition (SCADA) operators, control engineers and plant managers in addition to regular IT users, administrators, security personnel and business managers. Educating such a diverse user base about cyber security is challenging. Different user groups have their own cultures and perceptions or lack thereof security.

Decisions & Disruptions (D-D) (http://www.decisions-disruptions.org) is a tabletop game to educate this variety of users about security risks in ICS. It provides a rich yet intuitive sandbox environment where players from varied backgrounds can familiarise themselves with the ins and outs of ICS protection, experiment with risk-driven decision-making, and discover and assess their own cyber security culture. In this lightening talk, we will discuss the design and gameplay within D-D and present initial insights from 14 game sessions played, involving a total of 52 players. These include 5 groups of post-graduate and undergraduate students (2 groups of security students, 1 group of general computer science students, 2 groups of management students), 6 groups from industry (2 groups of security experts, 2 groups of general computer scientists, 2 groups of non-technical managers) and 3 groups of mixed players from diverse backgrounds: academics in computer science, PhD students in security, and non-technical players (e.g., economists).
Year(s) Of Engagement Activity 2017
 
Description Lunchtime Talk at Pervasive Media Studio: "Everything is Awesome!!!" or is it? Cyber Security Risks in Critical Infrastructure 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach Regional
Primary Audience Public/other audiences
Results and Impact Industrial Control Systems play an important role in the monitoring, control, and automation of critical infrastructure such as water, gas, oil, and electricity. Recent years have seen a number of high profile cyber attacks on such infrastructure exemplified by Stuxnet and the Ukrainian Power Grid attacks. This naturally begs the question: how should we manage cyber security risks in such infrastructure on which the day-to-day functioning of our society relies?

In this talk Awais Rashid will discuss insights from three years of research studying cyber security in such settings. The talk will highlight the complexity of managing security in a landscape shaped by the often competing demands of a variety of stakeholders, e.g., managers, control engineers, enterprise IT personnel and field site operators. He will also discuss how the security decision-making patterns of the various stakeholders contrast, with some surprising (or perhaps not so surprising) insights into the decision patterns of security experts and so-called non-experts.
Year(s) Of Engagement Activity 2018
URL https://www.watershed.co.uk/studio/events/2018/10/05/"everything-awesome"-or-it-cyber-security-risks...
 
Description Research Seminar at Cardiff University 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach Local
Primary Audience Postgraduate students
Results and Impact Understanding Cyber Risk as Business Risk in Industrial Control Environments
Year(s) Of Engagement Activity 2016
 
Description Third ACM Workshop on Cyber-Physical Systems Security and PrivaCy (CPS-SPC) in conjunction with the ACM Conference on Computer and Communications Security (CCS) in Dallas, Texas, USA. 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Other audiences
Results and Impact Professor Rashid co-chaired the workshop that brought together international researchers to discuss key challenges and new approaches for security and privacy in cyber-physical systems, including industrial control systems.
Year(s) Of Engagement Activity 2017
URL https://cps-spc.org/