Managing Cyber Security Risks in Industrial Control Systems with Game Theory and Viable System Modelling

Konstantinos Maraslis, Theodoros Spyridopoulos, Theo Tryfonas, George Oikonomou, Shancang Li

© 2014 INCOSE UK Ltd.



What is it about?

• Importance: Industrial Control Systems (ICSs) can be considered Critical Infrastructure (CI) and play a major role in industry, as they are used to control fundamental industrial processes such as power production, power distribution, transportation etc. Due to their national significance, their protection is of vital importance.
• Scope: The creation of a method that provides cost-efficient Risk Management for an ICS.
• Novelty: The method takes into account the proprietary and interconnected nature of an ICS while combining Viable System Modelling (VSM) and Game Theory (GT).


VSM in Details


Risk Management

Asset Identification and Evaluation
1. Asset Identification
2. Asset Valuation

Risk Analysis
3. Threat Identification
4. Threat Assessment
5. Vulnerability and Strategy Identification
6. Vulnerability Assessment
7. Risk Evaluation

Strategies Proposed
8. Strategies Assessment and Outcome (GT)

A zero-sum game is constructed in which an attacker tries to harm an ICS as much as possible while a defender tries to defend the ICS in the best possible way. Both are rational players who seek the strategy that will lead them to the highest individual reward.


Although we can easily identify the assets, valuating them requires:
• Capturing the relationships between the assets of an ICS
• Capturing the relationships between the components of different ICSs
• Consideration of the effect of a component’s failure on the rest of the components (within the same and different ICSs)


[Figure: Viable System Model diagram showing Systems 1, 2, 3, 3*, 4 and 5 and the Environment. Arrow labels: Communicates 5's Decisions; Audits its Operations; Manages/Controls its Units; Manages its Operations and Coordinates its Activities; Transfers Results of Coordination; Identifies Changes in the Environment; Transfers Results of Audit; Info about System’s Current Status; Makes and Delivers Decisions about Changes Need to be Made; Proposes Approaches for System’s Evolution; Data Exchange.]


Value of Asset = (Market price) × (Number of connections) × (Effect on other ICSs) × (Role of the Asset)

where

Effect on other ICSs = (Role of the Asset) / (Number of devices with the same role)


Identification and assessment of threats and vulnerabilities is now possible, since all interconnections are known. We only need to know the probability that a threat/attack is successful.


Attacker’s Strategies
• Espionage: Yes or No
• Security Attribute: Confidentiality, Integrity, Availability
• Inveteracy of Vulnerability: <1 Year, >1 Year
• Difficulty of Detection: Very difficult, Difficult, Easy
• Difficulty of Recovery (Cost of Healing): Very Difficult, Difficult, Easy

Defender’s Strategies
• R&D: Yes or No
• Patch Frequency: Never, 1 Year, >1 Year
• IDS: Yes or No


Under the rules:
• An attack against Confidentiality cannot be very difficult to recover from
• A zero-day attack cannot be easy to detect
• >1 Year attacks can only be easy to detect

Game Theory

Attacker’s Reward = Gain + Cost of Defense + Cost of Healing – Cost of Attack

where

Gain = Value of Asset × Security Attribute × Probability of Successful Attack
Cost of Defense = R&D + Patch Frequency + IDS
Cost of Healing = Difficulty of Recovery
Cost of Attack = Espionage + Inveteracy of Vulnerability × Difficulty of Detection


Attacker’s Strategies
• Espionage: 30,000
• Security Attribute: Confidentiality 0.33; Integrity 1; Availability 1
• Inveteracy of Vulnerability: <1 Year 1,000; >1 Year 10
• Difficulty of Detection: Very difficult 4; Difficult 1; Easy 0.5
• Difficulty of Recovery (Cost of Healing): Very Difficult 101,000; Difficult 1,000; Easy 10

Defender’s Strategies
• R&D: 10,000
• Patch Frequency: Never 0; 1 Year 1,000; >1 Year 100
• IDS: 10

Value of Asset Under Attack: 90,000

Results

Two Nash Equilibria in the form:

A: (Attack, Espionage, Core Attribute, Inveteracy of Vulnerability, Difficulty of Detection, Difficulty of Recovery)
D: (R&D, Patch Frequency, IDS)

A: (Yes, No, Integrity, < 1 Year, Very Difficult, Very Difficult)
D: (Yes, > 1 Year, No)

A: (Yes, No, Availability, 1 Year, Very Difficult, Very Difficult)
D: (Yes, > 1 Year, No)


Both Nash Equilibria lead to a reward for the attacker equal to 182,000, which means a loss of 182,000 for the defender, since it is a zero-sum game.
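The reward formula, parameter values and strategy rules from the slides, worked through in Python as an added example (not the authors' code). The slides do not state how the probability of a successful attack is obtained, so p_success is an input here; reading "<1 Year" as the zero-day case and costing the "No"/"Never" options at 0 are assumptions.

```python
from itertools import product

# Values from the slides' parameter table; "No"/"Never" cost 0 (assumed reading).
ASSET_VALUE = 90_000
ESPIONAGE = {"Yes": 30_000, "No": 0}
ATTRIBUTE = {"Confidentiality": 0.33, "Integrity": 1, "Availability": 1}
INVETERACY = {"<1 Year": 1_000, ">1 Year": 10}
DETECTION = {"Very difficult": 4, "Difficult": 1, "Easy": 0.5}
RECOVERY = {"Very difficult": 101_000, "Difficult": 1_000, "Easy": 10}
RND = {"Yes": 10_000, "No": 0}
PATCH = {"Never": 0, "1 Year": 1_000, ">1 Year": 100}
IDS = {"Yes": 10, "No": 0}

def allowed(attack):
    """The three strategy rules; '<1 Year' is read as zero-day (assumption)."""
    _, attribute, age, detection, recovery = attack
    if attribute == "Confidentiality" and recovery == "Very difficult":
        return False
    if age == "<1 Year" and detection == "Easy":
        return False
    return not (age == ">1 Year" and detection != "Easy")

def attacker_strategies():
    """Every attacking strategy that satisfies the rules."""
    space = product(ESPIONAGE, ATTRIBUTE, INVETERACY, DETECTION, RECOVERY)
    return [a for a in space if allowed(a)]

def attacker_reward(attack, defence, p_success):
    """Gain + Cost of Defense + Cost of Healing - Cost of Attack."""
    espionage, attribute, age, detection, recovery = attack
    rnd, patch, ids = defence
    gain = ASSET_VALUE * ATTRIBUTE[attribute] * p_success
    cost_of_defence = RND[rnd] + PATCH[patch] + IDS[ids]
    cost_of_attack = ESPIONAGE[espionage] + INVETERACY[age] * DETECTION[detection]
    return gain + cost_of_defence + RECOVERY[recovery] - cost_of_attack

def implied_probability(attack, defence, reward):
    """Solve the reward formula for the success probability."""
    fixed = attacker_reward(attack, defence, 0.0)
    return (reward - fixed) / (ASSET_VALUE * ATTRIBUTE[attack[1]])

# First reported equilibrium, without its leading "Attack: Yes" field.
EQ_ATTACK = ("No", "Integrity", "<1 Year", "Very difficult", "Very difficult")
EQ_DEFENCE = ("Yes", ">1 Year", "No")

if __name__ == "__main__":
    p = implied_probability(EQ_ATTACK, EQ_DEFENCE, 182_000)
    print(len(attacker_strategies()), "attacking strategies satisfy the rules")
    print(f"p = {p:.3f} gives reward {attacker_reward(EQ_ATTACK, EQ_DEFENCE, p):,.0f}")
```

Under these assumptions 48 attacking strategies satisfy the rules, and the reported reward of 182,000 at the first equilibrium corresponds to a success probability of about 0.83.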


Summary

A novel cyber security risk management approach in ICSs which combines VSM with GT and takes into account the proprietary and interconnected nature of an ICS.


Questions?
