Quantitative Security and Safety Analysis with Attack-Fault Trees

Cyber-physical systems, like power plants, medical devices and data centers, have to meet high standards, both in terms of safety (i.e. absence of unintentional failures) and security (i.e. no disruptions due to malicious attacks). This paper presents attack-fault trees (AFTs), a formalism that marries fault trees (safety) and attack trees (security). We equip AFTs with stochastic model checking techniques, enabling a rich plethora of qualitative and quantitative analyses. Qualitative metrics pinpoint the root causes of a system failure, while quantitative metrics concern the likelihood, cost, and impact of a disruption. Examples are: (1) the most likely attack path, (2) the most costly system failure, (3) the expected impact of an attack. Each of these metrics can be constrained, i.e., we can compute the most likely disruption within time t and/or budget B. Finally, we can use sensitivity analysis to find the attack step that has the most influence on a given metric. We demonstrate our approach through three realistic case studies.
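To make the metrics in the abstract concrete, here is an added illustration (not the paper's tooling, which uses stochastic model checking on timed automata): a toy AFT combining attack steps and component failures under AND/OR gates, from which minimal cut sets, the most likely disruption within a cost budget and deadline, the cheapest disruption, and a Birnbaum-style sensitivity per leaf are computed. The plant, the leaf names, and all probabilities, costs and times are constructed for the example; leaves are assumed independent and attack steps in a cut set are assumed to run sequentially.

```python
"""Toy attack-fault tree (AFT) analysis: minimal cut sets, constrained
most-likely disruption, cheapest disruption and Birnbaum sensitivity.
Added illustration, not the paper's tooling; tree and numbers are constructed."""
from itertools import product
from math import prod

# Leaves: attack steps (attacker-chosen, with a cost and a duration) and
# component failures (unintentional; cost/time zero from the attacker's view).
LEAVES = {
    "phish_operator": {"prob": 0.30, "cost": 200, "time": 2},
    "exploit_hmi":    {"prob": 0.10, "cost": 800, "time": 5},
    "spoof_sensor":   {"prob": 0.20, "cost": 500, "time": 3},
    "pump_failure":   {"prob": 0.05, "cost": 0,   "time": 0},
    "valve_stuck":    {"prob": 0.02, "cost": 0,   "time": 0},
}

# Gates are (type, *children); leaves are strings. Hypothetical plant: loss of
# cooling if control is taken over AND the backup pump fails, OR a stuck valve
# coincides with a spoofed sensor reading that hides it.
TREE = ("OR",
        ("AND", ("OR", "phish_operator", "exploit_hmi"), "pump_failure"),
        ("AND", "spoof_sensor", "valve_stuck"))


def cut_sets(node):
    """Minimal cut sets: leaf sets whose joint occurrence triggers the top event."""
    if isinstance(node, str):
        return [frozenset([node])]
    kind, *kids = node
    kid_sets = [cut_sets(k) for k in kids]
    if kind == "OR":
        cands = [cs for sets in kid_sets for cs in sets]
    elif kind == "AND":
        cands = [frozenset().union(*combo) for combo in product(*kid_sets)]
    else:
        raise ValueError(f"unknown gate {kind}")
    cands = list(set(cands))                      # drop duplicates
    return [c for c in cands if not any(o < c for o in cands)]  # keep minimal ones


def evaluate(node, state):
    """Structure function: does the top event occur for a given 0/1 leaf state?"""
    if isinstance(node, str):
        return bool(state[node])
    kind, *kids = node
    vals = [evaluate(k, state) for k in kids]
    return all(vals) if kind == "AND" else any(vals)


def top_probability(tree=TREE, leaves=LEAVES, fixed=None):
    """Exact P(top) by enumerating leaf states (fine for small trees), assuming
    independent leaves; `fixed` pins selected leaves to 0 or 1."""
    fixed = fixed or {}
    free = [n for n in leaves if n not in fixed]
    total = 0.0
    for bits in product([0, 1], repeat=len(free)):
        state = {**fixed, **dict(zip(free, bits))}
        if evaluate(tree, state):
            total += prod(leaves[n]["prob"] if state[n] else 1 - leaves[n]["prob"]
                          for n in free)
    return total


def scenario_metrics(cs, leaves=LEAVES):
    """Likelihood, cost and duration of one cut set (steps assumed sequential)."""
    return {"set": cs,
            "prob": prod(leaves[n]["prob"] for n in cs),
            "cost": sum(leaves[n]["cost"] for n in cs),
            "time": sum(leaves[n]["time"] for n in cs)}


def most_likely(budget=None, deadline=None, tree=TREE, leaves=LEAVES):
    """Most likely disruption within budget B and/or time t; None if none fits."""
    opts = [scenario_metrics(cs, leaves) for cs in cut_sets(tree)]
    opts = [o for o in opts if (budget is None or o["cost"] <= budget)
            and (deadline is None or o["time"] <= deadline)]
    return max(opts, key=lambda o: o["prob"], default=None)


def cheapest(tree=TREE, leaves=LEAVES):
    """Disruption with the lowest total attack cost."""
    return min((scenario_metrics(cs, leaves) for cs in cut_sets(tree)),
               key=lambda o: o["cost"])


def birnbaum_importance(tree=TREE, leaves=LEAVES):
    """Sensitivity per leaf: P(top | leaf occurs) - P(top | leaf absent)."""
    return {n: top_probability(tree, leaves, {n: 1}) - top_probability(tree, leaves, {n: 0})
            for n in leaves}


if __name__ == "__main__":
    print("P(top) =", round(top_probability(), 6))
    print("most likely:", most_likely())
    print("most likely within budget 300, time 2:", most_likely(budget=300, deadline=2))
    print("cheapest:", cheapest())
    imp = birnbaum_importance()
    print("most influential leaf:", max(imp, key=imp.get))
```

The sensitivity result is the practically interesting one: in this toy plant the backup pump failure, a pure safety event, has the largest Birnbaum importance, so a reliability fix there reduces the top-event probability more than hardening any single attack step. That interplay between safety and security leaves is exactly what a combined formalism lets an analyst see.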
