Go with the flow: toward workflow-oriented security assessment

In this paper we advocate the use of workflow, that is, a description of how a system provides its intended functionality, as a pillar of cybersecurity analysis, and we propose a holistic workflow-oriented assessment framework. Workflow models are already used for performance and reliability assessment, but those approaches are designed neither to assess a system in the presence of an active attacker nor to assess security properties such as confidentiality. Existing security assessment methods, on the other hand, typically focus on modeling the active attacker (e.g., attack graphs), but many rely on restrictive system models that are not readily applicable to complex systems such as cyber-physical or cyber-human ones. By "going with the flow," our assessment framework naturally adopts a holistic view of such systems, unifying information about system components, their properties, and possible attacks into an argument for a security goal. The argument is expressed as a graph structure built from several distinct classes of inputs that are integrated in a systematic manner. This rigorous structure allows our approach to produce quantitative assessments in an automated fashion (as reliability assessment tools and attack graphs do) while maintaining a broad assessment scope. We demonstrate the assessment process on the Advanced Metering Infrastructure of a smart power grid and obtain quantitative results for system availability and confidentiality.
