Automated knowledge-based cybersecurity risk assessment of cyber-physical systems
82482-82505
Phillips, Stephen C.
Taylor, Steve
Boniface, Michael
Modafferi, Stefano
Surridge, Mike
22 May 2024
Phillips, Stephen C., Taylor, Steve, Boniface, Michael, Modafferi, Stefano and Surridge, Mike (2024) Automated knowledge-based cybersecurity risk assessment of cyber-physical systems. IEEE Access, 12, . (doi:10.1109/ACCESS.2024.3404264).
Abstract
This paper describes a simulation-based approach for automated risk assessment of complex cyber-physical systems to support implementers of ISO 27005. The approach is based on systematic cause-and-effect modelling of threats, their causes and effects, and the ways in which the effects of one threat can lead to other threats. In this way, the approach deals with inter-dependencies within the target system, automatically finding attack paths and secondary effect cascades, which generally are very complex and the source of many challenges when implementing ISO 27005. The approach uses a knowledgebase describing classes of system assets and their possible relationships, along with the associated threats, causes and effects in a generic context. A target system can then be modelled in terms of related assets, describing the intended system structure and purpose (in the absence of any deviations). The knowledgebase is then used to identify which threats are relevant and create a cause-and-effect simulation of those threats. This allows threat likelihoods and risk levels to be found based on input concerning trust assumptions and the presence of controls in the system. The approach has been implemented by the open source Spyderisk project and validated by modelling a published case study of an attack on a steel mill. Given reasonable assumptions about security controls in place, the shortest, highest likelihood attack path found coincides with the published analysis. The case study demonstrates the strengths of the approach: transparency, reproducibility, and performance.
Text: paper15 - Accepted Manuscript
Text: Automated_Knowledge-Based_Cybersecurity_Risk_Assessment_of_Cyber-Physical_Systems - Version of Record
More information
Accepted/In Press date: 16 May 2024
Published date: 22 May 2024
Additional Information: Publisher Copyright: © 2013 IEEE.
Keywords: Risk analysis, Systems modeling, computer security, cyber-physical systems, information security, threat assessment, Computer security, systems modeling, risk analysis
Identifiers
Local EPrints ID: 490296
URI: http://eprints.soton.ac.uk/id/eprint/490296
ISSN: 2169-3536
PURE UUID: c5e35d3e-fa71-438f-8f82-e57de4af5fc8
Catalogue record
Date deposited: 23 May 2024 16:39
Last modified: 26 Aug 2024 01:32
Contributors
Author: Stephen C. Phillips
Author: Stefano Modafferi
Author: Mike Surridge