VIKING cluster meeting 1

Slide 1: Enterprise Architecture Models for Security Analysis: The VIKING project
Teodor Sommestad
The Royal Institute of Technology (KTH), Stockholm, Sweden
teodor.sommestad@ics.kth.se

Slide 2: SCADA/Industrial Control system security

Slide 3: The VIKING project
From security requirements to social costs (consequences)
Chain: Attack -> SCADA system -> Power network -> Societal cost
KTH, this presentation
ETH, Zürich
ViCiSi, in 15 min.

Slide 4: Decision makers in utilities typically have…
- … a poor understanding of the system architecture and its environment
- … a poor understanding of how to achieve security in this complex environment
- … limited resources, time and money
A Bayesian computational engine analyzes your architecture and possible attacks against it

Slide 5: Our solution: the Cyber Security Modeling Language
- The result for your architecture is visualized, e.g. which attacks are easy to do and which countermeasures make a big difference.
- We consolidate theory on security, i.e. what is most important and how important it is.
- A Bayesian computational engine analyzes your architecture and possible attacks against it.
- You represent your system, e.g. add network zones, draw data flows, specify management processes.

Slide 6: This tool assesses whether attacks against a system architecture are possible
Success probabilities of attacks:
P(SCADAServer.Access) = 0.14
P(SCADAService.InjectCode) = 0.14
P(SCADAServer.FindKnownService) = 0.34
P(SCADAServer.ConnectTo) = 0.43
Effect of changes, for P(SCADAServer.Access):
Install IPS: 0.14 => 0.11
Regular security audits: 0.14 => 0.12

Slide 7: We do not aim at
- Inventing some new protection apparatus (e.g. firewall), solution or architecture.
- Telling cryptography/authentication/…/firewall experts which of their solutions are secure and which are not.
- Explaining which attacks will probably be attempted against the system.

Slide 8: Qualitative theory
- What influences what? For example, what influences the possibility for an attacker to compromise a machine? In which ways can it be done?
- Which of these things are most important? For example, which protection mechanisms against arbitrary code execution attacks are most relevant?
- In essence: what data should be collected (modeled) to say something about the possibility of succeeding with attacks?
Quantitative theory
- How big is the influence? For example, how is the attacker's chance of success influenced by "address space layout randomization"?
- What combinations of things are important? For example, does "address space layout randomization" make a difference if you already have "non-executable memory" turned on?
- In essence: how likely are different attacks to succeed?

Slide 9: [Qualitative theory] The metamodel: attribute dependencies
For example, the probability that Remote Arbitrary Code Exploits on a Service can be performed depends on:
- whether you can connect to the Service
- whether it has a high-severity vulnerability
- whether the attacker can authenticate as a legitimate user
- whether its OS uses ASLR or NX memory protection
- whether there is a Deep Packet Inspection Firewall between the attacker and the Service

Slide 10: [Quantitative theory] Example: Remote Arbitrary Code Exploits on a Service

Slide 11: [Quantitative theory] Say that your architecture and our "rules" produce these dependencies. Can this attack be done by a professional penetration tester?

Slide 12: [Quantitative theory] Our tool would answer:
Node values: 100%, 100%, 100%, 24%, 51%
1.00 * 0.24 * 1.00 * 0.51 * 1.00 = 0.1224 = 12.24% chance of success

Slide 13: [Quantitative theory] What-if analysis: Execute arbitrary code

Scenario                                          | P(attacker can execute his/her code) | P(attack scenario)
------------------------------------------------- | ------------------------------------ | ------------------
Install a deep-packet-inspection firewall (IPS)   | 15 %                                 | 8 %
As is                                             | 24 %                                 | 12 %
Remove Address Space Layout Randomization (ASLR)  | 27 %                                 | 14 %

Slide 14: Data sources
The relationships and dependency structure:
- Literature, e.g. standards or scientific articles.
- Review and prioritization by external experts, e.g. FOI, SÄPO, Combitech, Chalmers, Ericsson, BTH, Management Doctors.
The probabilities:
- Logical relationships, e.g.: if the firewalls allow you to connect to A from B and you have access to B, then you can connect.
- Others' studies, e.g. time-to-compromise of authentication codes, or patch level vs. patching procedures.
- Experts' judgments, e.g. 165 intrusion detection system researchers estimating the detection rate in different scenarios.
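The arithmetic on slides 11 to 13 (an attack step's chance of success as the product of its prerequisites' probabilities, then recomputed after an architecture change) and the logical connect rule on slide 14 can be made concrete in a few lines. The following is an added example, not code from the CySeMoL tool or the VIKING project: the attribute names, the mapping of the slide-12 numbers onto the slide-9 dependencies, the zone layout and the 0.35 factor for a deep-packet-inspection firewall are all assumptions made for illustration; only the five as-is factors (1.00, 0.24, 1.00, 0.51, 1.00) and their product 0.1224 come from the slides.

```python
"""Added example (not CySeMoL's own code): a minimal attack-step model.

An attack step succeeds only if every prerequisite is met; treating the
prerequisites as independent, as the slide-12 arithmetic does, the success
probability is the product of their probabilities. A what-if analysis simply
recomputes that product for a changed architecture.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Architecture:
    # Constructed description of the modeled system (assumption).
    firewall_allows: frozenset   # (from_zone, to_zone) pairs the firewall rules permit
    attacker_access: frozenset   # zones the attacker is assumed to control already
    service_zone: str            # zone hosting the attacked service
    aslr_or_nx: bool             # OS memory protection on the service host
    dpi_firewall: bool           # deep-packet-inspection firewall (IPS) in the path


def can_connect(arch, target_zone):
    """Slide 14's logical rule: you can connect to A from B if the firewall
    allows B -> A and you have access to B."""
    return any((b, target_zone) in arch.firewall_allows for b in arch.attacker_access)


def factors(arch):
    """P(prerequisite met | architecture) for 'remote arbitrary code exploit
    on a service' (slide 9). The assignment of the slide-12 numbers to these
    prerequisites is an assumption; the 0.35 evasion factor is constructed."""
    return {
        "connect_to_service": 1.00 if can_connect(arch, arch.service_zone) else 0.00,
        "high_severity_vulnerability": 0.24,
        "authenticate_as_legitimate_user": 1.00,
        "bypass_memory_protection": 0.51 if arch.aslr_or_nx else 1.00,
        "evade_dpi_firewall": 0.35 if arch.dpi_firewall else 1.00,
    }


def success_probability(arch):
    """Product of all prerequisite probabilities (the slide-12 arithmetic)."""
    p = 1.0
    for value in factors(arch).values():
        p *= value
    return p


def what_if(arch, **changes):
    """Return (as-is probability, probability after the given changes)."""
    return success_probability(arch), success_probability(replace(arch, **changes))


# Constructed as-is architecture: attacker sits in the DMZ, the firewall lets
# the DMZ reach the SCADA zone, the service host runs ASLR/NX, no IPS.
AS_IS = Architecture(
    firewall_allows=frozenset({("office", "dmz"), ("dmz", "scada")}),
    attacker_access=frozenset({"dmz"}),
    service_zone="scada",
    aslr_or_nx=True,
    dpi_firewall=False,
)

if __name__ == "__main__":
    print(f"As is: {success_probability(AS_IS):.2%}")
    for label, changes in [
        ("Install deep-packet-inspection firewall (IPS)", {"dpi_firewall": True}),
        ("Remove ASLR/NX", {"aslr_or_nx": False}),
        ("Close firewall rule dmz -> scada",
         {"firewall_allows": frozenset({("office", "dmz")})}),
    ]:
        before, after = what_if(AS_IS, **changes)
        print(f"{label}: {before:.2%} => {after:.2%}")
```

Closing the firewall rule drives the product to zero because the connect prerequisite is a deterministic logical rule rather than an estimated probability; the other changes scale the as-is figure by the factor they toggle.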
Slide 15: Our aim with CySeMoL
Success probabilities of attacks:
P(SCADAServer.Access) = 0.14
P(SCADAService.InjectCode) = 0.14
P(SCADAServer.FindKnownService) = 0.04
P(SCADAServer.ConnectTo) = 0.23
Effect of changes, for P(SCADAServer.Access):
Install IPS: 0.14 => 0.11
Regular security audits: 0.14 => 0.12

Slide 16: The tool
http://www.kth.se/ees/omskolan/organisation/avdelningar/ics/research/eat

Slide 17: Our solution: the Cyber Security Modeling Language
- The result for your architecture is visualized, e.g. which attacks are easy to do and which countermeasures make a big difference.
- We consolidate theory on security, i.e. what is most important and how important it is.
- A Bayesian computational engine analyzes your architecture and possible attacks against it.
- You represent your system, e.g. add network zones, draw data flows, specify management processes.

Slide 18: Today's status of the tool
- Our theory consolidation is in version 1.0, soon published.
- Nah…
- Calculation engine is completed
- Tests in real life are ongoing

Slide 19: Collaboration/usage: VIKING's "EA models for security analysis"
Theory/Modeling language:
- Adapt to some other context
- Find ways to simplify it
- Make assessments more precise
- Combine with some other modeling language
- Etc.
Visualization:
- Identify/suggest views to show
Calculation engine:
- …
Data collection/Modeling:
- Test/use (there is tool support)
- Develop support for automated data collection
