Enterprise Architecture Models for Security Analysis
The VIKING project
Teodor Sommestad
The Royal Institute of Technology (KTH), Stockholm, Sweden
teodor.sommestad@ics.kth.se
SCADA/Industrial Control system security
The VIKING project: from security requirements to social costs (consequences)
  Attack -> SCADA system -> Power network -> Societal cost
  Covered by: KTH (this presentation), ETH Zürich, ViCiSi (in 15 min.)
Decision makers in utilities typically have…
  … a poor understanding of the system architecture and its environment
  … a poor understanding of how to achieve security in this complex environment
  … limited resources, time and money
Our solution: the Cyber Security Modeling Language
  - You represent your system, e.g. add network zones, draw data flows, specify management processes.
  - We consolidate theory on security, i.e. what is most important and how important it is.
  - A Bayesian computational engine analyzes your architecture and possible attacks against it.
  - The result for your architecture is visualized, e.g. which attacks are easy to carry out and which countermeasures make a big difference.
This tool assesses whether attacks against a system architecture are feasible.
Success probabilities of attacks:
  P(SCADAServer.Access) = 0.14
  P(SCADAService.InjectCode) = 0.14
  P(SCADAServer.FindKnownService) = 0.34
  P(SCADAServer.ConnectTo) = 0.43
Effect of changes, for P(SCADAServer.Access):
  Install IPS: 0.14 => 0.11
  Regular security audits: 0.14 => 0.12
We do not aim at:
  - inventing some new protection apparatus (e.g. a firewall), solution or architecture;
  - telling cryptography/authentication/…/firewall experts which of their solutions are secure and which are not;
  - explaining which attacks will probably be attempted against the system.
Qualitative theory
  What influences what?
    For example, what influences the possibility for an attacker to compromise a machine? In which ways can it be done?
  Which of these things are most important?
    For example, which protection mechanisms against arbitrary code execution attacks are most relevant?
  In essence: what data should be collected (modeled) to say something about the possibility of succeeding with attacks?

Quantitative theory
  How big is the influence?
    For example, how is the attacker’s chance of success influenced by “address space layout randomization”?
  What combinations of things are important?
    For example, does “address space layout randomization” make a difference if you already have “non-executable memory” turned on?
  In essence: how likely are different attacks to succeed?
[Qualitative theory] The metamodel: attribute dependencies
For example, the probability that Remote Arbitrary Code Exploits on a Service can be performed depends on:
  - whether you can connect to the Service
  - whether it has a high-severity vulnerability
  - whether the attacker can authenticate as a legitimate user
  - whether its OS uses ASLR or NX memory protection
  - whether there is a Deep Packet Inspection Firewall between the attacker and the Service
[Quantitative theory] Example: Remote Arbitrary Code Exploits on a Service
[Quantitative theory] Say that your architecture and our “rules” produce these dependencies. Can this attack be done by a professional penetration tester?
[Quantitative theory] Our tool would answer:
  1.00 * 0.24 * 1.00 * 0.51 * 1.00 = 0.1224, i.e. a 12.24 % chance of success
  (per-step success probabilities: 100 %, 100 %, 100 %, 24 %, 51 %)
[Quantitative theory] What-if analysis: execute arbitrary code
  As is: 24 % probability that the attacker can execute his/her code … 12 % for the attack scenario
  Install a deep-packet-inspection firewall (IPS): 15 % probability that the attacker can execute his/her code … 8 % for the attack scenario
  Remove Address Space Layout Randomization (ASLR): 27 % probability that the attacker can execute his/her code … 14 % for the attack scenario
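The arithmetic behind the two slides above (a chain of attack steps whose success probabilities are multiplied, then re-evaluated under each countermeasure variant) in working code. This is an added example, not the CySeMoL tool or any VIKING project code: the step names for the three 1.00 factors, the tree-shaped AND structure and the cycle check are assumptions made for illustration; only the 24 %, 51 %, 15 % and 27 % factors and the resulting 12 %, 8 % and 14 % come from the slides.

```python
"""Added worked example (not the CySeMoL tool or the VIKING project's code):
an AND-chain of attack steps evaluated the way the slides describe,
P(chain) = product of the per-step success probabilities, followed by a
what-if comparison of the three defence variants on the what-if slide."""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Step:
    """One attack step. prob is P(step succeeds | all parent steps succeeded)."""
    name: str
    prob: float
    parents: Tuple[str, ...] = ()


def build_chain(exec_code_prob: float) -> Dict[str, Step]:
    """Constructed five-step chain matching the slide's factors
    1.00 * 0.24 * 1.00 * 0.51 * 1.00.  Only the 24 % (execute arbitrary
    code) and 51 % (last step of the attack scenario) factors are named on
    the slide; the names of the 1.00 steps are assumptions for illustration."""
    steps = (
        Step("ReachNetworkZone", 1.00),
        Step("ConnectToService", 1.00, ("ReachNetworkZone",)),
        Step("FindKnownService", 1.00, ("ConnectToService",)),
        Step("ExecuteArbitraryCode", exec_code_prob, ("FindKnownService",)),
        Step("AttackScenario", 0.51, ("ExecuteArbitraryCode",)),
    )
    return {s.name: s for s in steps}


def success_probability(steps: Dict[str, Step], target: str) -> float:
    """P(target succeeds) in a tree-shaped AND model: the step's own
    conditional probability times P(every parent succeeds).  Parent
    probabilities are multiplied as if independent, which holds for a tree;
    once steps share ancestors a real Bayesian engine is needed."""
    memo: Dict[str, float] = {}

    def visit(name: str, trail: Tuple[str, ...]) -> float:
        if name in trail:
            raise ValueError(f"cyclic dependency through {name}")
        if name not in memo:
            step = steps[name]
            p = step.prob
            for parent in step.parents:
                p *= visit(parent, trail + (name,))
            memo[name] = p
        return memo[name]

    return visit(target, ())


# Local probability of the ExecuteArbitraryCode step under the three
# configurations on the what-if slide (values from the slide: 24 %, 15 %, 27 %).
WHAT_IF_EXEC_CODE = {
    "as is (ASLR on, no IPS)": 0.24,
    "install deep-packet-inspection firewall (IPS)": 0.15,
    "remove ASLR": 0.27,
}


def what_if_analysis() -> Dict[str, Tuple[int, int]]:
    """Return {variant: (% attacker can execute code, % attack scenario)}."""
    results = {}
    for label, p_exec in WHAT_IF_EXEC_CODE.items():
        steps = build_chain(p_exec)
        p_code = success_probability(steps, "ExecuteArbitraryCode")
        p_goal = success_probability(steps, "AttackScenario")
        results[label] = (round(100 * p_code), round(100 * p_goal))
    return results


if __name__ == "__main__":
    base = success_probability(build_chain(0.24), "AttackScenario")
    print(f"as is: {base:.4f} = {100 * base:.2f} % chance of success")
    for label, (code_pct, goal_pct) in what_if_analysis().items():
        print(f"{label:46s} {code_pct:3d} % execute code, {goal_pct:3d} % scenario")
```

Running the block reproduces the slide: 0.1224 for the as-is chain, and the three what-if rows (24/12, 15/8, 27/14). The independence caveat in `success_probability` is the reason the real tool needs a Bayesian engine rather than plain multiplication: as soon as two steps depend on a common ancestor (the same firewall rule, the same patch level) their probabilities are no longer independent and a product over-counts.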
Data sources
The relationships and dependency structure:
  - Literature, e.g. standards or scientific articles.
  - Review and prioritization by external experts, e.g. FOI, SÄPO, Combitech, Chalmers, Ericsson, BTH, Management Doctors.
The probabilities:
  - Logical relationships, e.g.: if the firewalls allow you to connect to A from B and you have access to B, then you can connect.
  - Others’ studies, e.g. time-to-compromise of authentication codes, or patch level vs. patching procedures.
  - Experts’ judgments, e.g. 165 intrusion detection system researchers estimating the detection rate in different scenarios.
Our aim with CySeMoL
Success probabilities of attacks:
  P(SCADAServer.Access) = 0.14
  P(SCADAService.InjectCode) = 0.14
  P(SCADAServer.FindKnownService) = 0.04
  P(SCADAServer.ConnectTo) = 0.23
Effect of changes, for P(SCADAServer.Access):
  Install IPS: 0.14 => 0.11
  Regular security audits: 0.14 => 0.12
The tool: http://www.kth.se/ees/omskolan/organisation/avdelningar/ics/research/eat
Today’s status of the tool
  - Our theory consolidation is in version 1.0, soon to be published. (Nah…)
  - Calculation engine is completed.
  - Tests in real life are ongoing.
Collaboration/usage – VIKING’s “EA models for security analysis”
  Theory/modeling language: adapt to some other context

VIKING cluster meeting 1