Taking a systems approach to cyber security
Date:
March 2, 2022
Source:
International Institute for Applied Systems Analysis
Summary:
A new study proposes a framework featuring a more holistic
picture of the cybersecurity landscape, along with a model that
explicitly represents multiple dimensions of the potential impacts
of successful cyberattacks.
FULL STORY ==========================================================================
The frequency and severity of cyber-attacks on critical infrastructure is
a subject of concern for many governments, as are the costs associated
with cyber security, making the efficient allocation of resources
paramount. A new study proposes a framework featuring a more holistic
picture of the cybersecurity landscape, along with a model that explicitly represents multiple dimensions of the potential impacts of successful cyberattacks.
==========================================================================
As critical infrastructure such as electric power grids become more sophisticated, they are also becoming increasingly more reliant on
digital networks and smart sensors to optimize their operations, and
thus more vulnerable to cyber-attacks. Over the past couple of years, cyber-attacks on critical infrastructure have become ever more complex
and disruptive, causing systems to shut down, disrupting operations, or enabling attackers to remotely control affected systems. Importantly,
the impacts of successful attacks on critical cyber-physical systems
are multidimensional in nature, which means that impacts are not only
limited to losses incurred by the operators of the compromised system,
but also economic losses to other parties relying on their services as
well as public safety or environmental hazards.
According to the study just published in the journal Risk Analysis,
this makes it important to have a tool that distinguishes between
different dimensions of cyber-risks and also allows for the design
of security measures that are able to make the most efficient use of
limited resources. The authors set out to answer two main questions in
this regard: first, whether it is possible to find vulnerabilities, the exploitation of which opens ways for several attack scenarios to proceed;
and second, if it is possible to take advantage of this knowledge and
deploy countermeasures to simultaneously protect the system from several threats.
One of the ways in which cyber threats are commonly managed, is to
conduct an analysis of individual attack scenarios through risk matrices, prioritizing the scenarios according to their perceived urgency (depending
on their likelihoods of occurrence and severity of potential impacts),
and then addressing them in order until all the resources available for cybersecurity are spent. According to the authors, this approach may
however lead to suboptimal resource allocations, given that potential
synergies between different attack scenarios and among available security measures are not taken into consideration.
"Existing assessment frameworks and cybersecurity models assume the
perspective of the operator of the system and support her cost-benefit analysis, in other words, the cost of security measures versus potential
losses in the case of a successful cyber-attack. Yet, this approach is
not satisfactory in the context of security of critical infrastructure,
where the potential impacts are multidimensional and may affect multiple stakeholders. We endeavored to address this problem by explicitly modeling multiple relevant impact dimensions of successful cyber-attacks," explains
lead author Piotr Żebrowski a researcher in the Exploratory Modeling
of Human-natural Systems Research Group of the IIASA Advancing Systems
Analysis Program.
To overcome this shortcoming, the researchers propose a quantitative
framework that features a more holistic picture of the cybersecurity
landscape that encompasses multiple attack scenarios, thus allowing for
a better appreciation of vulnerabilities. To do this, the team developed
a Bayesian network model representing a cybersecurity landscape of a
system. This method has gained popularity in the last few years due to
its ability to describe risks in probabilistic terms and to explicitly incorporate prior knowledge about them into a model that can be used to
monitor the exposure to cyber threats and allow for real-time updates
if some vulnerabilities have been exploited.
In addition to this, the researchers built a multi-objective optimization
model on top of the Bayesian network that explicitly represents multiple dimensions of the potential impacts of successful cyberattacks. The
framework adopts a broader perspective than the standard cost-benefit
analysis and allows for the formulation of more nuanced security
objectives. The study also proposes an algorithm that is able to identify
a set of optimal portfolios of security measures that simultaneously
minimize various types of expected cyberattack impacts, while also
satisfying budgetary and other constraints.
The researchers note that while the use of models like this in
cybersecurity is not entirely unheard of, the practical implementation
of such models usually requires extensive study of systems
vulnerabilities. In their study, the team however suggests how such a
model can be built based on a set of attack trees, which is a standard representation of attack scenarios commonly used by the industry in
security assessments. The researchers demonstrated their method with the
help of readily available attack trees presented in security assessments
of electric power grids in the US.
"Our method offers the possibility to explicitly represent and mitigate
the exposure of different stakeholders other than system operators
to the consequences of successful cyber-attacks. This allows relevant stakeholders to meaningfully participate in shaping the cybersecurity
of critical infrastructure," notes Żebrowski.
In conclusion, the researchers highlight that it is important to have
a systemic perspective on the issue of cyber security. This is crucial
both in terms of establishing a more accurate landscape of cyber threats
to critical infrastructure and in the efficient and inclusive management
of important systems in the interest of multiple stakeholders.
========================================================================== Story Source: Materials provided by International_Institute_for_Applied_Systems_Analysis.
Note: Content may be edited for style and length.
========================================================================== Journal Reference:
1. Piotr Żebrowski, Aitor Couce‐Vieira, Alessandro
Mancuso. A
Bayesian Framework for the Analysis and Optimal Mitigation of
Cyber Threats to Cyber‐Physical Systems. Risk Analysis,
2022; DOI: 10.1111/risa.13900 ==========================================================================
Link to news story:
https://www.sciencedaily.com/releases/2022/03/220302110616.htm
--- up 2 days, 10 hours, 51 minutes
* Origin: -=> Castle Rock BBS <=- Now Husky HPT Powered! (1:317/3)