Communicating and evaluating cyber risk and dependencies

Industrial computer-based control systems are crucial to society, they control the water we drink, the power we use, the cars we drive as well as railways and air transportation. These systems need to be trusted and trustworthy. They are often networked into complex and interconnected systems of systems and control and protect the UK national infrastructure.

An important aspect of infrastructures is their interactions and interdependencies: the functioning of one infrastructures service often depends on the functioning of another. As the infrastructure becomes layered and there are secondary services layered on top of these primary infrastructures and as the network becomes dynamic and controlled by computer networks and systems there is considerable potential for unforeseen interaction and dependencies.

As Industrial control systems become more networked, the previous strategy of making them secure by isolating them from the world becomes ineffective. In addition those who might harm the system either out of maliciousness or misplaced curiosity proliferate and their expertise increases, so the importance of security for the availability and integrity of services and systems is becoming ever more significant.

The research focuses on the importance of dependencies and interdependencies in this security context. These have been studied for a number of years and it is known that unforeseen interdependencies are a source of threat to systems and an important factor in our uncertainty of risk assessment, particularly risk due to cascade failures in which the rate and size of loss is amplified.

However there two faces to interdependencies, while we are concerned about how they might make attacking the system easier and a source of unforeseen behaviours, it is also central to providing tolerance to attack and failure. Redundancy, diversity, defence in depth are deliberately engineered into control systems to increase dependability and are an important mechanism for adaptation and overall resilience.

Any risk assessment of computer based control systems has to take into account uncertainty about the structure of the system. It is not just the uncertainty of when events might happen but uncertainty about the world, so-called epistemic uncertainty. For example, audits for the US DHS states that they find, on average, 11 unexpected connections between the SCADA system and the enterprise network for each audit
A key part of risk assessment is communication to stakeholders and society as appropriate. We will develop a security informed (or cyber-informed) enhancement to evaluating and communicating business and other risks from lack of control system integrity and availability based on a claims, arguments, evidence (CAE) framework. Our focus will be to include cyber informed dependency analysis within these assessments. The research to do this will follow an impact driven, threat-informed and vulnerability-focused strategy.

We will also develop probabilistic models that address explicitly the evolving relationship between an adversary and attacks on the one hand and of the consequences of a successful attack as well as the dependencies between the mitigations and barriers. We are particularly interested in modelling and evaluating defence in depth as a fundamental part of any resilient and trustworthy system yet estimating its effectiveness given uncertainties in the system structure and the attack space is enormously difficult. We will develop a modelling toolset based on existing tools we have developed within EU, Artemis and TSB projects that integrate stochastic and deterministic (e.g. of power flow). We will conduct case studies based on problems provided by our project partners Adelard (a specialist SME that evaluates ICS systems and components) and Alsthom.

The relevance and increasing importance of trust in Industrial Control Systems will provide enormous scope for impact. The potential for wider industrial and societal impact is articulated in the call for proposals: the specific work on interdependencies is also recognised in the UK Infrastructure Plan.
Although this is a research proposal we have designed it to have broader impact: there are short term impact from engaging with our industrial partners, longer term, through tackling important underlying technical issues of modelling defence in depth.
The proposers are well connected with the networks on dependability and security and impact will be sought via these channels. For example through our membership of the ISA working group on cyber and industrial control system standards and the work of the Open Group on Dependability of open systems. As the international reviewer we have collaboration with a large Japanese dependability project DEOS project and its industrial partners. Bloomfield and Bishop work closely with CPNi on other projects and are familiar with the industry forums that CPNI facilitates. We will brief these group as appropriate, providing as they do important points of contact with industry and also stakeholders in shaping and providing feedback to the project.
The industrial collaborators will be involved in the development; some of the work is directly addressing their concerns. Thus, we expect to test applicability of the research results to industrial practice. Practitioners in Adelard and having to deal with risk assessment of large scale ICS systems and there will be opportunities and demand for using any near term results. Although Adelard is an SME it has a software product (ASCE) used worldwide (ASCE) and this could provide significant leveraged impact of the results.
Recognising the scarcity of detailed case studies we would release in the public domain:
1. A version of the case studies we are going to be developed in detail and use in the project to validate the theories and new assessment methods.
2. A light version of the software tools for building hybrid models of industrial systems, their ICS and probabilistic descriptions of the adversary, asset defences and attacks together with the solvers of the models.

As Assistant Editor in Chief of IEEE Security and Privacy, Bloomfield is well placed to find dissemination routes for the results of the work either in his column for the magazine or in specific articles.
Academic impact will not only be achieved through the usual publication and conference channels but also by working with other cyber-related research institutes. For example, the need to model and establish connectivity of systems and software could exploit links to the Automated Program Analysis and Verification Research Institute, as could the need to make judgments of vulnerabilities. The need to address socio-technical issues within dependency analysis provides a natural link to some of the work on organisational security and decision-making proposed in the Science of Security Institute.