A Framework for Risk-Informed Metrics-Enriched Cybersecurity Playbooks for CNI Resilience

Lead Research Organisation: Cardiff University
Department Name: Computer Science

Abstract

The ultimate goal of the project is to improve CNI resilience in the UK by enabling timely and efficient incident response. To achieve this, this project will deliver a Framework for creating Risk-Informed Metrics-enriched Playbooks for Critical National Infrastructure (FRIMP4CNI).

We propose to approach incident response playbooks in a fundamentally different way. First, playbooks in this project are integrated into core CNI processes affected by an incident, showing how enacting a particular response affects core processes as well as interdependent processes. Second, our playbooks address more than technical actions: they look at aspects beyond technology, e.g. operational response, issues related to staff availability and costs, reporting process, and political and communication response. Third, playbooks are risk-informed because each playbook has an associated risk model. Fourth, they are enriched with business-driven multifaceted metrics which reflect the changes that an incident inflicts on a core process. Fifth, our playbooks are optimal: an optimisation algorithm is applied to a set of alternative response strategies to identify the optimal response playbook for each case. The combination of the features listed above makes our approach unique and allows our playbooks to serve both as an action guide enabling improved cybersecurity incident response and as a decision support tool at the Board level.

The project has three key objectives:
1. Create an empirically-grounded, tool-supported, actionable framework for developing bespoke risk-informed metrics-enriched cybersecurity playbooks tailored to the challenges of enhancing resilience in CNI by adopting and modelling incident response best practices in the format of integrated playbooks.
2. Design, implement and test software tools supporting the aspects of the framework related to process modelling, risk assessment and response strategy optimisation, and to integrate them into a comprehensive CNI Playbook Design Toolset. The project will deliver the full technology stack required to develop optimal risk-informed and metric-driven playbooks. Tool-support will increase the intention to use and facilitate faster adoption of the framework in practice.
3. Evaluate the framework using existing testbeds at the participating universities and industry partners, and via focus groups and workshops with industry partners and individual domain experts with a broad range of backgrounds and in varying roles from network engineers to ICS operators to Board members to policy makers. It is essential to conduct extensive evaluation with practitioners to ensure that the framework and tools are effective, accessible and fulfil the intended purposes for each group of stakeholders.

Publications

Shaked A (2023) Operations-informed incident response playbooks in Computers & Security

 
Description We developed a software tool for modelling incident response playbooks. The repository is at https://github.com/ASH-SYSTEMS/SecMOF. The most recent product version is https://github.com/ASH-SYSTEMS/SecMOF/releases/tag/v0.0.2-beta.
Exploitation Route no
Sectors Digital/Communication/Information Technologies (including Software)

URL https://github.com/ASH-SYSTEMS/SecMOF
 
Title Security Modelling Framework 
Description The framework allows modelling cyber security incident response playbooks based on model-driven principles. It also allows modelling dependencies in the system using a dependency modelling approach. Further functionality of the tool allows mapping business processes and dependencies. 
Type Of Technology Software 
Year Produced 2022 
Open Source License? Yes  
Impact no 
URL https://github.com/ASH-SYSTEMS/SecMOF
 
Description Achieving Resilience with Playbooks - an invited talk for Connected Everything Workshop on Resilience 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Professional Practitioners
Results and Impact Dr Avi Shaked gave a presentation about our work and how it can be applied in a new context to address the challenges of the specific community of interest.
Year(s) Of Engagement Activity 2022
URL https://connectedeverything.ac.uk/2022/08/09/defining-and-measuring-resilience-in-high-value-manufac...
 
Description An invited talk for Imperial College's Resilient Systems Security Group 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach Regional
Primary Audience Postgraduate students
Results and Impact 10 PhD students and Research Associates attended this talk, in which preliminary results from the research were shared.
Year(s) Of Engagement Activity 2022
 
Description Annual Systems Engineering Conference 2022 Tutorial on Model-based Security 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Professional Practitioners
Results and Impact About 20 systems engineering practitioners and researchers attended our tutorial, which included a modelling suite developed as part of our project. The participants showed enthusiasm about the modelling suite, gave positive feedback and expressed agreement with the embedded concepts.
Year(s) Of Engagement Activity 2022
URL https://www.asec2022.org.uk/Pages/Standard/Programme/Tutorial_Schedule?Day=2
 
Description Guest lecture and workshop for MSc students at Cardiff University 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach Local
Primary Audience Postgraduate students
Results and Impact Teaching the students how to use our new modelling solutions for Dependency Modelling and for Incident Response playbooks design.
Year(s) Of Engagement Activity 2022
 
Description International Conference on Availability, Reliability and Security (ARES 2023) 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Other audiences
Results and Impact The initial output of the project and a proof of concept tool were presented and published as a paper by ARES 2022
Year(s) Of Engagement Activity 2022
URL https://2022.ares-conference.eu/conference-2022-2/accepted-papers/index.html
 
Description Talk at EPSRC's Model-Driven Engineering Network Annual Symposium 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Other audiences
Results and Impact Dr Shaked presented our Incident Response playbook case and solution as one of three examples of using modelling to promote better understanding.
Year(s) Of Engagement Activity 2022
URL https://www.youtube.com/watch?v=3yBdLD2Wsm4