A Framework for Risk-Informed Metrics-Enriched Cybersecurity Playbooks for CNI Resilience
Lead Research Organisation:
CARDIFF UNIVERSITY
Department Name: Computer Science
Abstract
The ultimate goal of the project is to improve CNI resilience in the UK by enabling timely and efficient incident response. To achieve this, this project will deliver a Framework for creating Risk-Informed Metrics-enriched Playbooks for Critical National Infrastructure (FRIMP4CNI).
We propose to approach incident response playbooks in a fundamentally different way. First, playbooks in this project are integrated into the core CNI processes affected by an incident, showing how enacting a particular response affects core processes as well as interdependent processes. Second, our playbooks address more than technical actions: they also cover aspects beyond technology, e.g. operational response, issues related to staff availability and costs, the reporting process, and the political and communication response. Third, playbooks are risk-informed because each playbook has an associated risk model; and fourth, they are enriched with business-driven multifaceted metrics which reflect the changes that an incident inflicts on a core process. The fifth feature is that our playbooks are optimal: an optimisation algorithm is applied to a set of alternative response strategies to identify the optimal response playbook for each case. The combination of the features listed above makes our approach unique and allows our playbooks to serve both as an action guide enabling improved cybersecurity incident response and as a decision support tool at Board level.
The project has three key objectives:
1. Create an empirically-grounded tool-supported actionable framework for developing bespoke risk-informed metrics-enriched cybersecurity playbooks tailored to the challenges of enhancing resilience in CNI by adopting and modelling incident response best practices in a format of integrated playbooks.
2. Design, implement and test software tools supporting the aspects of the framework related to process modelling, risk assessment and response strategy optimisation, and to integrate them into a comprehensive CNI Playbook Design Toolset. The project will deliver the full technology stack required to develop optimal risk-informed and metric-driven playbooks. Tool-support will increase the intention to use and facilitate faster adoption of the framework in practice.
3. Evaluate the framework using existing testbeds at the participating universities and industry partners, and via focus groups and workshops with industry partners and individual domain experts with a broad range of backgrounds and in varying roles from network engineers to ICS operators to Board members to policy makers. It is essential to conduct extensive evaluation with practitioners to ensure that the framework and tools are effective, accessible and fulfil the intended purposes for each group of stakeholders.
Publications
Shaked A (2022). Model-Based Incident Response Playbooks.
Shaked A (2023). Operations-informed incident response playbooks. In Computers & Security.
| Description | We developed a software tool, an open source modelling framework, for modelling incident response playbooks, cyber attacks and dependency models, and for creating the associations between them. The repository is at https://github.com/CardiffUniCOMSC/SecMoF. The Security Modelling Framework (SecMoF) supports the modelling of cyber attacks and cyber incident response playbooks, and demonstrates the feasibility of tighter integration between risk management and IR at the modelling level. SecMoF is an open-source Eclipse-based modelling tool for the design and editing of Operations-Informed Incident Response Playbooks (OIIRP). SecMoF incorporates 3 modelling modules and supports the creation of: • Formalised Response to Incident Process Playbook (FRIPP) [11], representing the IR-focused approach; • Dependency Models, representing a typical risk management-focused approach, based on constructing a quantitative data model for risk assessment in a positivistic top-down approach; • OIIRP, an integration of FRIPPs and dependency models into a mutually dependent model offering a unified approach to capturing both IR steps and the operational impact that IR steps incur in a system. We posit that the use of SecMoF, with its novel approach to modelling OIIRP (as an integration of a playbook and a dependency model) for modelling cyber-attacks, enables the development of consistent and compatible IR playbooks and attack models, and yields novel insights into the analysis of attacks and response actions. We also developed a Security Model Converter (SMC), an open-source command-line application written in GoLang that converts security model data between different formats. SMC supports conversion between SAND Attack Trees, Dependency Models, and FRIPP. SMC is designed to work alongside the Security Modelling Framework (SecMoF) tool. SMC uses GraphML as an intermediate format to allow conversion between the different formats; since GraphML is a widely used format, it may also be used to import/export the models into other tools, including and beyond SecMoF. |
| Exploitation Route | The SecMoF modelling framework is an open source tool that can be used by academics and practitioners to further research in cyber security incident response and cyber risk assessment. |
| Sectors | Digital/Communication/Information Technologies (including Software) Energy Transport |
| URL | https://github.com/CardiffUniCOMSC/SecMoF |
| Title | Extended SecMOF (Security Modelling Framework) |
| Description | https://github.com/CardiffUniCOMSC/SecMoF (The framework has received software updates, new features have been added and the repository has been enriched with documentation and examples: https://github.com/CardiffUniCOMSC/SecMoF/tree/main/Documentation and https://github.com/CardiffUniCOMSC/SecMoF/tree/main/ExamplesAndTemplates.) The Security Modelling Framework (SecMoF) [1], [2] is a framework for modelling attacks and playbooks, and for demonstrating the feasibility of tighter integration between risk management and IR at the modelling level. SecMoF [3] is an open-source Eclipse-based modelling tool for the design and editing of Operations-Informed Incident Response Playbooks (OIIRP) [2]. SecMoF incorporates 3 modelling modules and supports the creation of: • Formalised Response to Incident Process Playbook (FRIPP) [1], representing the IR-focused approach; • Dependency Models, representing a typical risk management-focused approach, based on constructing a quantitative data model for risk assessment in a positivistic top-down approach; • OIIRP, an integration of FRIPPs and dependency models into a mutually dependent model offering a unified approach to capturing both IR steps and the operational impact that IR steps incur in a system. [1] A. Shaked, Y. Cherdantseva, and P. Burnap, ''Model-Based Incident Response Playbooks,'' pp. 1-7. [2] A. Shaked, Y. Cherdantseva, P. Burnap, and P. Maynard, ''Operations-informed incident response playbooks,'' vol. 134, p. 103454. [3] A. Shaked, ''Security Modelling Framework (SecMoF), GitHub, https://github.com/CardiffUniCOMSC/SecMoF.'' |
| Type Of Technology | Software |
| Year Produced | 2023 |
| Open Source License? | Yes |
| Impact | Open source framework. |
| URL | https://github.com/CardiffUniCOMSC/SecMoF |
| Title | Security Model Converter (SMC) |
| Description | The SMC (https://github.com/PMaynard/smc) is an open-source command-line application written in GoLang that converts security model data between different formats. SMC supports conversion between SAND Attack Trees, Dependency Models, and FRIPP. Attack trees are typically written as tab-indented plain text (See Section III-A), while more complex models such as FRIPP use XML to capture more detail. SMC uses GraphML as an intermediate format to allow conversion between the different formats; since GraphML is a widely used format, it may also be used to import/export the models into other tools, including and beyond SecMoF. SMC works alongside SecMoF as an independent tool used to help manage the datasets used by SecMoF. SMC does not verify models, as this is done within SecMoF (https://github.com/CardiffUniCOMSC/SecMoF). Licence: CC BY-SA 4.0. |
| Type Of Technology | Software |
| Year Produced | 2023 |
| Open Source License? | Yes |
| Impact | The Converter receives input in the format of SAND attack trees and converts them into FRIPP models. |
| URL | https://github.com/PMaynard/smc |
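As an added illustration of the conversion path the SMC description outlines (tab-indented attack tree text to GraphML as the intermediate format), the following Go program is not SMC's own code: it assumes a simple input format of one node label per line with one tab per nesting level, builds the tree in memory, and emits directed GraphML with a label key on each node, rejecting input that skips an indentation level.

```go
package main
import (
	"fmt"
	"strings"
)
type Edge struct{ Parent, Child int } // directed parent -> child link; ids index Tree.Labels
type Tree struct {
	Labels []string // node labels, indexed by node id
	Edges  []Edge   // one edge per child node
}
// Constructed sample input (not from the SMC repository): one label per line, one tab per level.
const sample = "Disrupt plant control\n\tReach control network\n\t\tCompromise remote access\n\t\tCompromise engineering laptop\n\tSend unauthorised commands\n"
// ParseAttackTree reads the assumed tab-indented format; a line indented more
// than one level deeper than its predecessor is rejected as malformed.
func ParseAttackTree(text string) (*Tree, error) {
	t := &Tree{}
	var stack []int // ids on the path from the root to the most recent node
	for n, line := range strings.Split(text, "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		depth := len(line) - len(strings.TrimLeft(line, "\t"))
		if depth > len(stack) {
			return nil, fmt.Errorf("line %d: indentation skips a level", n+1)
		}
		id := len(t.Labels)
		t.Labels = append(t.Labels, strings.TrimSpace(line))
		stack = append(stack[:depth], id)
		if depth > 0 {
			t.Edges = append(t.Edges, Edge{Parent: stack[depth-1], Child: id})
		}
	}
	return t, nil
}
var escape = strings.NewReplacer("&", "&amp;", "<", "&lt;", ">", "&gt;") // XML text escaping for labels
// ToGraphML renders the tree as directed GraphML with a "label" data key on every node.
func ToGraphML(t *Tree) string {
	var b strings.Builder
	b.WriteString("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<graphml xmlns=\"http://graphml.graphdrawing.org/xmlns\">\n" +
		"  <key id=\"label\" for=\"node\" attr.name=\"label\" attr.type=\"string\"/>\n  <graph id=\"attacktree\" edgedefault=\"directed\">\n")
	for id, label := range t.Labels {
		fmt.Fprintf(&b, "    <node id=\"n%d\"><data key=\"label\">%s</data></node>\n", id, escape.Replace(label))
	}
	for i, e := range t.Edges {
		fmt.Fprintf(&b, "    <edge id=\"e%d\" source=\"n%d\" target=\"n%d\"/>\n", i, e.Parent, e.Child)
	}
	b.WriteString("  </graph>\n</graphml>\n")
	return b.String()
}
```

Calling `ToGraphML` on the parsed `sample` yields a five-node, four-edge graph that any GraphML-aware tool can import.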
| Title | Security Modelling Framework |
| Description | The framework allows modelling cyber security incident response playbooks based on model-driven principles. It also allows modelling dependencies in the system using the dependency modelling approach. Further functionality of the tool allows mapping business processes and dependencies. |
| Type Of Technology | Software |
| Year Produced | 2022 |
| Open Source License? | Yes |
| Impact | no |
| URL | https://github.com/ASH-SYSTEMS/SecMOF |
| Description | Achieving Resilience with Playbooks - an invited talk for Connected Everything Workshop on Resilience |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | National |
| Primary Audience | Professional Practitioners |
| Results and Impact | Dr Avi Shaked gave a presentation about our work and how it can be applied in a new context to address the challenges of the specific community of interest. |
| Year(s) Of Engagement Activity | 2022 |
| URL | https://connectedeverything.ac.uk/2022/08/09/defining-and-measuring-resilience-in-high-value-manufac... |
| Description | An invited talk for Imperial College's Resilient Systems Security Group |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | Regional |
| Primary Audience | Postgraduate students |
| Results and Impact | 10 PhD students and Research Associates attended this talk, in which preliminary results from the research were shared. |
| Year(s) Of Engagement Activity | 2022 |
| Description | Annual Systems Engineering Conference 2022 Tutorial on Model-based Security |
| Form Of Engagement Activity | Participation in an activity, workshop or similar |
| Part Of Official Scheme? | No |
| Geographic Reach | National |
| Primary Audience | Professional Practitioners |
| Results and Impact | About 20 systems engineering practitioners and researchers attended our tutorial, which included a modelling suite developed as part of our project. The participants showed enthusiasm about the modelling suite and gave positive feedback and agreement about the embedded concepts. |
| Year(s) Of Engagement Activity | 2022 |
| URL | https://www.asec2022.org.uk/Pages/Standard/Programme/Tutorial_Schedule?Day=2 |
| Description | Evaluation Workshop at Bristol University |
| Form Of Engagement Activity | Participation in an activity, workshop or similar |
| Part Of Official Scheme? | No |
| Geographic Reach | Local |
| Primary Audience | Postgraduate students |
| Results and Impact | A workshop to present and evaluate the SecMOF. |
| Year(s) Of Engagement Activity | 2023 |
| Description | Evaluation Workshop at Queen's University Belfast |
| Form Of Engagement Activity | Participation in an activity, workshop or similar |
| Part Of Official Scheme? | No |
| Geographic Reach | Local |
| Primary Audience | Postgraduate students |
| Results and Impact | A workshop presenting and evaluating the modelling framework (SecMOF) |
| Year(s) Of Engagement Activity | 2024 |
| Description | Guest lecture and workshop for MSc students at Cardiff University |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | Local |
| Primary Audience | Postgraduate students |
| Results and Impact | Teaching the students how to use our new modelling solutions for Dependency Modelling and for Incident Response playbooks design. |
| Year(s) Of Engagement Activity | 2022 |
| Description | Guest lecture for UG students at Polytechnic University of Yucatan, Mexico |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | International |
| Primary Audience | Undergraduate students |
| Results and Impact | A guest lecture was given to UG students in Mexico on cyber security incident response sharing the findings from the research projects and promoting the new modelling framework. |
| Year(s) Of Engagement Activity | 2023 |
| Description | International Conference on Availability, Reliability and Security (ARES 2023) |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | International |
| Primary Audience | Other audiences |
| Results and Impact | The initial output of the project and a proof of concept tool were presented and published as a paper at ARES 2022. |
| Year(s) Of Engagement Activity | 2022 |
| URL | https://2022.ares-conference.eu/conference-2022-2/accepted-papers/index.html |
| Description | Ofgem Cyber team: Knowledge Sharing sessions |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | Regional |
| Primary Audience | Professional Practitioners |
| Results and Impact | The playbooks framework and the tool have been presented to the cyber team of Ofgem. |
| Year(s) Of Engagement Activity | 2023 |
| Description | Presentation to the delegation from Yucatan, Mexico |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | International |
| Primary Audience | Policymakers/politicians |
| Results and Impact | A delegation led by the Governor of Yucatan, Mexico visited Cardiff University in January 2024. The modelling framework was presented to the Governor and the team from the Ministry of HE, Innovation and Research of Yucatan. |
| Year(s) Of Engagement Activity | 2024 |
| Description | Talk at EPSRC's Model-Driven Engineering Network Annual Symposium |
| Form Of Engagement Activity | Participation in an activity, workshop or similar |
| Part Of Official Scheme? | No |
| Geographic Reach | National |
| Primary Audience | Other audiences |
| Results and Impact | Dr Shaked presented our Incident Response playbook case and solution as one of three examples of using modelling to promote better understanding. |
| Year(s) Of Engagement Activity | 2022 |
| URL | https://www.youtube.com/watch?v=3yBdLD2Wsm4 |
