Enterprise Architecture Models for Security Analysis
The VIKING project
Teodor Sommestad The Royal Institute of Technology (KTH) Stockholm, [email protected]
SCADA/Industrial Control system security
[Diagram: a utility company's enterprise architecture. Technical functions (Generation, O & M, T & D) and administrative functions (Sales, Personnel, Billing) with their information systems: Forecasting System, Billing System, SCADA System, Service Order System, CRM System, GIS System, Asset Management System, Trading System, Production System, Metering System, Market System, Meteorological System, Governmental Reporting System. The same diagram is then shown reduced to the Production System, Billing System and SCADA System.]
The VIKING project: from security requirements to social costs (consequences)
[Diagram: the chain Attack → SCADA system → Power network → Societal cost, with the partner labels "ETH, Zürich", "ViCiSi, in 15 min." and "KTH, this presentation".]
Decision makers in utilities typically have…
• … a poor understanding of the system architecture and its environment
• … a poor understanding of how to achieve security in this complex environment
• … limited resources, time and money
A Bayesian computational engine analyzes your architecture and possible attacks against it
Our solution: the Cyber Security Modeling Language
[Diagram: the CySeMoL workflow. Research yields knowledge that an investigator (expert) consolidates into an abstract model; evidence gathered from documents, personnel, information systems, processes and organisation is used to update the concrete model; a "calculator" (the Smile engine) calculates the concrete-model values, which are visualized for the decision maker. Inset chart: degree of information security versus spent effort.]
We consolidate theory on security, i.e. what is most important and how important is it.
You represent your system, e.g. add network zones, draw data flows, specify management processes
A Bayesian computational engine analyzes your architecture and possible attacks against it
The result for your architecture is visualized, e.g. which attacks are easy to do and which countermeasures that make a big difference.
Success probabilities of attacks:
P(SCADAServer.Access) = 0.14
P(SCADAService.InjectCode) = 0.14
P(SCADAServer.FindKnownService) = 0.34
P(SCADAServer.ConnectTo) = 0.43
Effect of changes, for P(SCADAServer.Access):
Install IPS: 0.14 => 0.11
Regular security audits: 0.14 => 0.12
This tool assesses whether attacks against a system architecture are possible to carry out.
We do not aim at
• Inventing some new protection apparatus (e.g. a firewall), solution or architecture.
• Telling cryptography/authentication/…/firewall experts which of their solutions are secure and which are not.
• Explaining which attacks will probably be attempted against the system.
Qualitative theory
• What influences what?
- For example, what influences the possibility for an attacker to compromise a machine? In which ways can it be done?
• Which of these things are most important?
- For example, which protection mechanisms against arbitrary code execution attacks are most relevant?
• In essence: what data should be collected (modeled) to say something about the possibility of succeeding with attacks?
Quantitative theory
• How big is the influence?
- For example, how is the attacker's chance of success influenced by "address space layout randomization"?
• What combinations of things are important?
- For example, does "address space layout randomization" make a difference if you already have "non-executable memory" turned on?
• In essence: how probable is it that different attacks succeed?
The metamodel
For example: the probability that Remote Arbitrary Code Exploits on a Service can be performed depends on:
- whether you can connect to the Service
- whether it has a high-severity vulnerability
- whether the attacker can authenticate itself as a legitimate user
- whether its OS uses ASLR or NX memory protection
- whether there is a Deep Packet Inspection Firewall between the attacker and the Service
[Qualitative theory]
Attribute dependencies
Example: Remote Arbitrary Code Exploits on a Service

Scenario                        1    2    3    4    5    6    7    8    9   10   11   12   13   14   15   16
Vulnerability + exploit (a)   Yes  Yes  Yes  Yes  Yes  Yes  Yes  Yes  Yes  Yes  Yes  Yes  Yes  Yes  Yes  Yes
DPI firewall (b)               No   No   No   No   No   No   No   No  Yes  Yes  Yes  Yes  Yes  Yes  Yes  Yes
Authenticated user (c)        Yes  Yes  Yes  Yes   No   No   No   No  Yes  Yes  Yes  Yes   No   No   No   No
Exec space protection (d)     Yes  Yes   No   No  Yes  Yes   No   No  Yes  Yes   No   No  Yes  Yes   No   No
ASLR (e)                      Yes   No  Yes   No  Yes   No  Yes   No  Yes   No  Yes   No  Yes   No  Yes   No
Low estimate (5 %)             11   14   15   17    4    4    4    5    7    7    5   14    1    4    6    6
Median estimate (50 %)         45   66   50   75   21   25   30   41   36   38   27   69   10   15   20   26
High estimate (95 %)           88   89   89   94   48   56   63   86   79   79   68   94   51   60   62   69
Expected value                 48   59   52   67   24   27   33   43   41   41   31   65   15   20   24   32

(a) The service has high-severity vulnerabilities which the attacker has exploits for
(b) There is a deep packet inspection firewall in between the attacker's IP and the service's port
(c) The attacker can authenticate itself as a legitimate user of the service
(d) The operating system uses executable space protection (e.g. DEP in Windows)
(e) The operating system running the service uses address space layout randomization (ASLR)
Estimates are given in percent.
[Quantitative theory]
Say that your architecture and our "rules" produce these dependencies. Can this attack be done by a professional penetration tester?
Our tool would answer (step probabilities along the attack path: 51 %, 100 %, 24 %, 100 %, 100 %):
1.00 * 0.24 * 1.00 * 0.51 * 1.00 = 0.1224 = 12.24 % chance of success
[Quantitative theory]
What-if analysis: Execute arbitrary code
• As is.
24 % probability that the attacker can execute his/her code…
…12 % for the attack scenario…
• Install a deep-packet-inspection firewall (IPS)
15 % probability that the attacker can execute his/her code…
…8 % for the attack scenario…
• Remove Address Space Layout Randomization (ASLR)
27 % probability that the attacker can execute his/her code…
…14 % for the attack scenario…
[Quantitative theory]
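As an added example (not code from the VIKING project or the CySeMoL tool), the slides' dependency table, attack-path product and what-if analysis carried through in Python; the unnamed 100 %/51 % steps of the attack path are assumed here as fixed constants.

```python
# Added example, not the CySeMoL tool's own code: the slide's table for
# "Remote Arbitrary Code Exploits on a Service" as a lookup, chained with
# the other steps of the slide's attack path, plus the what-if analysis.
from itertools import product

# Expected values (percent) of the 16 scenarios, in slide order. The slide
# varies the conditions as nested loops: DPI firewall (No, Yes), attacker
# can authenticate (Yes, No), executable space protection (Yes, No), ASLR
# (Yes, No); the service has a high-severity vulnerability in every column.
_EXPECTED = [48, 59, 52, 67, 24, 27, 33, 43, 41, 41, 31, 65, 15, 20, 24, 32]
_ORDER = product((False, True), (True, False), (True, False), (True, False))
EXPLOIT_CPT = {key: val / 100 for key, val in zip(_ORDER, _EXPECTED)}

def p_exploit(dpi_firewall, can_authenticate, exec_protection, aslr):
    """P(remote arbitrary code exploit succeeds) given the architecture facts;
    assumes a known high-severity vulnerability, the only case in the table."""
    return EXPLOIT_CPT[(dpi_firewall, can_authenticate, exec_protection, aslr)]

# The other steps of the slide's attack path (100 %, 100 %, 51 %, 100 %). The
# slide does not name them, so they are fixed constants here (an assumption).
OTHER_STEPS = [1.00, 1.00, 0.51, 1.00]

def p_attack_scenario(architecture):
    """Chain the attack path: the exploit probability times the other steps."""
    p = p_exploit(**architecture)
    for step in OTHER_STEPS:
        p *= step
    return p

# The "as is" architecture of the what-if slide: no DPI firewall, attacker is
# not a legitimate user, executable space protection and ASLR both on.
AS_IS = dict(dpi_firewall=False, can_authenticate=False,
             exec_protection=True, aslr=True)

def what_if(architecture):
    """Exploit and scenario probabilities as is, with a DPI firewall (IPS)
    installed, and with ASLR removed, as on the what-if slide."""
    variants = (("as is", architecture),
                ("install IPS", dict(architecture, dpi_firewall=True)),
                ("remove ASLR", dict(architecture, aslr=False)))
    return {name: (p_exploit(**a), p_attack_scenario(a)) for name, a in variants}

if __name__ == "__main__":
    for name, (p_code, p_scen) in what_if(AS_IS).items():
        print(f"{name:12s} execute code: {p_code:.0%}  attack scenario: {p_scen:.0%}")
```

Running it reproduces the three what-if rows of the slide (24 %/12 %, 15 %/8 %, 27 %/14 %), and any other combination of the table's conditions can be queried the same way.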
Data sources
• The relationships and dependency structure:
- Literature, e.g. standards or scientific articles.
- Review and prioritization by external experts, e.g. FOI, SÄPO, Combitech, Chalmers, Ericsson, BTH, Management Doctors.
• The probabilities:
- Logical relationships, e.g.: if the firewalls allow you to connect to A from B and you have access to B, then you can connect.
- Others' studies, e.g. time-to-compromise of authentication codes or patch level vs. patching procedures.
- Experts' judgments, e.g. 165 intrusion detection system researchers estimating the detection rate in different scenarios.
Success probabilities of attacks:
P(SCADAServer.Access) = 0.14
P(SCADAService.InjectCode) = 0.14
P(SCADAServer.FindKnownService) = 0.04
P(SCADAServer.ConnectTo) = 0.23
Effect of changes, for P(SCADAServer.Access):
Install IPS: 0.14 => 0.11
Regular security audits: 0.14 => 0.12
Our aim with CySeMoL
The tool
http://www.kth.se/ees/omskolan/organisation/avdelningar/ics/research/eat
Today’s status of the tool
Our theory consolidation is in version 1.0, soon published.
Tests in real life are ongoing.
The calculation engine is completed.
Nah…
Collaboration/usage – VIKING’s “EA models for security analysis”
Theory/Modeling language:
• Adapt to some other context
• Find ways to simplify it
• Make assessments more precise
• Combine with some other modeling language
• Etc.
Data collection/Modeling:
• Test/use (there is tool support)
• Develop support for automated data collection
Calculation engine:
• …
Visualization:
• Identify/suggest views to show