T1-J
Chair(s): Peter Merkle pbmerkl@sandia.gov
This session explores methods and tools for estimating security risks, including a dynamic risk assessment and management model for supervisory control and data acquisition networks, techniques for estimating security risks and the impacts of perturbations on the system, and methods for exploring adversary-defender strategies.
T1-J.1 9:40 AM Estimating security risk. Biringer B*; Sandia National Laboratories bebirin@sandia.gov
Abstract: Security risk assessment provides a systematic approach for security risk managers to make logical, defendable decisions based on a relative security risk estimate. Before the year 2000, Sandia began the development of a risk assessment methodology for federal dams for the Interagency Forum for Infrastructure Protection, which was formed to address protection of our nation's critical infrastructure components from the terrorist threat. The first version of the Risk Assessment Methodology for Dams was completed in August 2001. Soon after September 11, 2001, the basic methodology was frantically applied to federal dams, high-voltage electric power transmission, chemical facilities, municipal water systems, and communities. Since then, the methodology has been applied to hundreds of different facilities; the lessons learned together with new development have resulted in a state-of-the-art method. The security risk assessment methodology is based on the traditional risk equation: Security Risk = f (Threat Potential, Security System Effectiveness, Consequence of Attack). Threat Potential, a qualitative estimate of the likelihood of adversary attack, is based on characteristics of the adversary group relative to the asset to be protected and the relative attractiveness of the asset to the adversary group. Security System Effectiveness is estimated for the ability of the security system to protect against physical attacks and cyber attacks on the facility. Consequences of Attack are assessed for each analyzed undesired security event. Estimating Security Risk supports risk management decisions concerning how much security is enough for a facility, corporation, or industry. A qualitative but measurable security risk estimate is valuable to support decisions concerning acceptability of the risk level, how risk can be reduced by improving security system protection and/or reducing consequences, and what cost options and operational trade-offs are involved.
T1-J.2 10:00 AM A new dynamic risk assessment and management model for supervisory control and data acquisition networks. Henry MH*, Haimes YY; University of Virginia mhenry@virginia.edu
Abstract: This work develops and parameterizes a model for dynamically assessing and managing the risk of cyber attacks on supervisory control and data acquisition (SCADA) networks embedded in civil infrastructures. The risk management model extends the envelope approach to multi-objective dynamic programming (MODP) to permit sequential discounted Pareto-optimization of multiple non-differentiable objective functions, where a subset of the objective functions is defined by the risk assessment model. Decisions made in the risk management process and exogenous perturbations corresponding to the discovery and exploitation of new software vulnerabilities are collectively mapped to the risk assessment model parameters, thereby driving the risk assessment for the next decision period. The risk assessment model is a stochastic shortest path decision process that captures the tactical dynamics of cyber attackers on a specified network under the assumption of a time-invariant security system. The equilibrium solution yields a probability distribution over the set of possible consequences. For this problem, risk management is the strategic selection and implementation of network security technologies over the lifecycle of the network. The risk management process is achieved by sequentially generating sets of Pareto-optimal security technology options that are efficient in a cost-benefit multi-objective space. Finding the Pareto frontier at each stage is equivalent to finding the envelope of next-stage decision frontiers corresponding to the available options. Parameterizing the risk assessment and management model is accomplished using a combination of structured expert elicitation via the Adaptive Multi-Player Hierarchical Holographic Model, economic effects analysis via the Inoperability Input-Output Model and its extensions, and model-based network security parameter estimation.
T1-J.3 10:20 AM Inoperability input-output model with multiple probabilistic sector inputs. Santos JR*, Haimes YY; University of Virginia jrs8e@virginia.edu
Abstract: The inoperability input-output model (IIM) is a methodology for analyzing perturbations to a system and the associated ripple effects. In this paper, the IIM is extended to address disruptions that comprise multiple perturbation inputs (which take the form of probability functions) to a particular sector of the economy. The probability densities of ripple effects are generated via Monte Carlo simulation, hence providing estimates of the mean and extreme values of economic losses and corresponding levels of sector inoperability. The methodology is demonstrated through a transportation security case study.
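As an added illustration of the Monte Carlo extension this abstract describes (example code written for this page, not the authors' model or their case-study data), the following Python computes the standard IIM equilibrium q = (I - A*)^-1 c* for a constructed three-sector interdependency matrix, samples several probabilistic perturbation inputs aimed at one sector, propagates each sample through the model, and reports mean and extreme economic losses together with mean sector inoperability. The interdependency matrix, sector outputs, perturbation distributions, and the rule used to combine multiple perturbations hitting the same sector (treated as independent degradations and combined noisy-OR style) are all assumptions made for this example.

```python
import random
from statistics import mean

# Constructed three-sector example (assumption, not data from the paper).
# A_STAR[i][j] is the fraction of sector j's inoperability transmitted to sector i.
SECTORS = ["transport", "manufacturing", "retail"]
A_STAR = [
    [0.00, 0.10, 0.05],
    [0.30, 0.00, 0.10],
    [0.20, 0.25, 0.00],
]
# Constructed planned output per sector, in arbitrary monetary units.
OUTPUT = [100.0, 250.0, 180.0]

# Multiple probabilistic perturbation inputs to the transport sector (index 0).
# Each entry is (sector index, sampler drawing a direct inoperability c* in [0, 1]).
# Distributions are assumptions chosen for illustration.
PERTURBATIONS = [
    (0, lambda rng: rng.uniform(0.05, 0.25)),        # e.g. capacity reduction
    (0, lambda rng: rng.triangular(0.0, 0.40, 0.10)),  # e.g. demand shock
]


def solve_linear(m, b):
    """Solve m x = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(b)
    aug = [row[:] + [b[i]] for i, row in enumerate(m)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(aug[r][col]))
        aug[col], aug[pivot] = aug[pivot], aug[col]
        p = aug[col][col]
        aug[col] = [v / p for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col] != 0.0:
                f = aug[r][col]
                aug[r] = [rv - f * cv for rv, cv in zip(aug[r], aug[col])]
    return [aug[i][n] for i in range(n)]


def iim_inoperability(a_star, c_star):
    """IIM equilibrium q = (I - A*)^-1 c*, clamped to the [0, 1] inoperability range."""
    n = len(c_star)
    i_minus_a = [[(1.0 if i == j else 0.0) - a_star[i][j] for j in range(n)] for i in range(n)]
    q = solve_linear(i_minus_a, c_star)
    return [min(1.0, max(0.0, v)) for v in q]


def residual(a_star, c_star, q):
    """Max absolute residual of (I - A*) q - c*, a sanity check on the solution."""
    n = len(c_star)
    return max(abs(q[i] - sum(a_star[i][j] * q[j] for j in range(n)) - c_star[i]) for i in range(n))


def monte_carlo(a_star, output, perturbations, n_runs, seed=0):
    """Sample the perturbation inputs, propagate through the IIM, collect losses and q."""
    rng = random.Random(seed)
    losses, q_samples = [], []
    for _ in range(n_runs):
        c_star = [0.0] * len(output)
        for sector, sampler in perturbations:
            c = sampler(rng)
            # Assumed combination rule for several perturbations on one sector:
            # independent degradations, combined as 1 - (1 - c1)(1 - c2)...
            c_star[sector] = 1.0 - (1.0 - c_star[sector]) * (1.0 - c)
        q = iim_inoperability(a_star, c_star)
        # Economic loss of sector i is its planned output times its inoperability.
        losses.append(sum(x * qi for x, qi in zip(output, q)))
        q_samples.append(q)
    return losses, q_samples


def summarize(losses, q_samples, pct=0.95):
    """Mean and extreme (upper percentile, maximum) losses plus mean inoperability per sector."""
    srt = sorted(losses)
    idx = min(len(srt) - 1, int(pct * len(srt)))
    n = len(q_samples)
    mean_q = [sum(q[i] for q in q_samples) / n for i in range(len(q_samples[0]))]
    return {"mean_loss": mean(losses), "p95_loss": srt[idx], "max_loss": srt[-1], "mean_q": mean_q}


if __name__ == "__main__":
    ls, qs = monte_carlo(A_STAR, OUTPUT, PERTURBATIONS, n_runs=2000, seed=42)
    s = summarize(ls, qs)
    print(f"mean loss {s['mean_loss']:.2f}, 95th pct {s['p95_loss']:.2f}, max {s['max_loss']:.2f}")
    for name, mq in zip(SECTORS, s["mean_q"]):
        print(f"  mean inoperability {name}: {mq:.4f}")
```

Note the ripple effect: a direct perturbation of 0.1 to transport yields an equilibrium transport inoperability slightly above 0.1 (the feedback from dependent sectors), and nonzero inoperability in manufacturing and retail even though nothing hit them directly; the Monte Carlo loop simply repeats that propagation over the sampled inputs so that the tail of the loss distribution, not only its mean, becomes visible.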
T1-J.4 10:40 AM Adversary-Defender Modeling Grammar for Vulnerability Analysis and Threat Assessment. Merkle PB*; Sandia National Laboratories pbmerkl@sandia.gov
Abstract: Vulnerability analysis and threat assessment require systematic treatments of adversary and defender characteristics. Analytical methods treating both linguistic and numerical information should ensure that neither aspect has disproportionate influence on assessment outcomes. The adversary-defender modeling (ADM) grammar employs classical set theory and notation. It is designed to incorporate contributions from subject matter experts in all relevant disciplines, without bias. The Attack Scenario Space U(s) is the set universe of all scenarios possible under physical laws. An attack scenario is a postulated event consisting of the active engagement of at least one adversary with at least one defended target. Target Information Space I(s) is the universe of information about targets and defenders. Adversary and defender groups are described by their respective Character super-sets, {A}p and {D}f. Each super-set contains six elements: Objectives, Knowledge, Veracity, Plans, Resources, and Skills. The Objectives are the desired end-state outcomes. Knowledge comprises empirical and theoretical a priori knowledge and emergent knowledge (learned during an attack), while Veracity is the correspondence of Knowledge with fact or outcome. Plans are ordered activity-task sequences (tuples) with logical contingencies. Resources are the a priori and opportunistic physical assets and intangible attributes applied to the execution of associated Plans elements. Skills for both adversary and defender include the assumed general and task competencies for the associated plan set, the realized value of competence in execution or exercise, and the opponent's planning assumption of the task competence.