Security Risk Assessment for Complex Cyber-Physical Systems

Cyber-Physical Systems (CPS) are usually tightly coupled with their environment, as they are expected to provide seamless control and actuation. Those tasks are a diverse set of operations directed not only at modifying the physical process but also at changing the system's own behaviour. Any security compromise of a CPS can therefore have profound consequences, so it is of the utmost importance to provide a tool with which the properties and actuation of a CPS can be analysed and its design improved before it goes into production.

The COSSIM project aims to provide an integrated CPS simulation framework that allows CPS designers to simulate both the networking and processing parts of a system under design. Beyond offering an integrated simulation solution, the COSSIM framework integrates, for the first time, security measurement models and methodologies. The COSSIM security module is a set of tools that makes the security evaluation of CPS simulated within the COSSIM framework easier and more efficient. One of the main objectives identified for the security module is to observe the state of the simulated CPS and calculate various types of security metrics, allowing the system's developers to assess its behaviour in specific situations.

TECNALIA is contributing to this objective by developing a tool to assist security managers in the manual security evaluation of a CPS: defining relevant metrics for the CPS, acquiring the inputs needed to calculate them, and showing the status of the CPS according to those metrics in a graphical, understandable way. A security evaluation methodology is also being defined to take advantage of the unique security evaluation features of the COSSIM framework. The aim is to help security analysts and testers find general security weaknesses.

In brief, end-users will characterise multiple metrics in order to quantify the impact of threats. The security monitoring tool will then calculate a colour-coded matrix from which the overall health of the system can be observed and any anomalous operation spotted.

Procedure of the multi-metric security approach
  • Tool Configuration:

    • The first step is to define the security metrics to be observed. System operators should select the metrics according to the security requirements of the CPS and the risks to the business operation. The metrics are heterogeneous and can be structured in different layers.
    • The second step is metric normalisation and regression. Since every metric has its own units and value range, the metrics need to be normalised to a common value domain. In addition, it must be determined how each metric impacts the security properties of the CPS.
    In COSSIM, security metrics can be structured in two layers or levels, network and node, which are the two main types of component considered for a CPS. Independently of its layer, every metric can be configured to contribute to a different security property, such as confidentiality, availability, integrity or privacy.

  • Operation: Multi-metric aggregation based on expert systems

    Whenever a simulation takes place in the COSSIM framework, the monitoring tool continuously derives the metric values by aggregating the specific measurement values produced by the different COSSIM framework modules. The tool consists of an aggregation and decision-making engine that processes the numerical values of the monitored security metrics according to the configuration parameters.

    The output is a fuzzy representation of the risk level of the CPS. The aggregation system maps the scores onto a set of human-understandable linguistic terms to ease supervision. The result is an intensity-coloured, real-valued indicator of the level of risk for the Confidentiality, Integrity and Availability properties of the devices at each of the considered layers (node/processing and network), in the form of an output matrix. Thanks to the coloured matrix the end-user can detect in a user-friendly way any unexpected behaviour of the CPS, as the matrix shows which property is not satisfied at the processing and/or network level.
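The following is an added example, written for this page and not code from the COSSIM project or TECNALIA's tool, that walks the whole procedure above: metrics defined per layer with their own units and ranges, normalised to a common [0, 1] domain, weighted towards the CIA properties, aggregated per (layer, property), and fuzzified into linguistic labels with a colour code. The metric names, ranges, weights, thresholds, the noisy-OR combination rule and the measurement snapshots are all assumptions made for illustration; the page does not specify what rules the real engine uses.

```python
"""Multi-metric CPS security aggregation: an illustrative, constructed model.

Added example, not COSSIM or TECNALIA code. Metric names, lo/hi ranges,
property weights, label thresholds and the combination rule are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

LAYERS = ("network", "node")
PROPERTIES = ("confidentiality", "integrity", "availability")

# Linguistic labels and colours for the output matrix (assumed thresholds).
BANDS = ((0.25, "low", "green"), (0.50, "moderate", "yellow"),
         (0.75, "high", "orange"), (1.01, "critical", "red"))


@dataclass(frozen=True)
class Metric:
    name: str
    layer: str                  # "network" or "node"
    lo: float                   # raw value regarded as no risk
    hi: float                   # raw value regarded as full risk
    weights: Dict[str, float]   # how strongly it affects each property (0..1)

    def normalise(self, value: float) -> float:
        """Map a raw measurement (any unit) to a risk score in [0, 1].

        lo < hi means 'higher is worse'; lo > hi means 'lower is worse'.
        Values outside the [lo, hi] range are clamped."""
        if self.lo == self.hi:
            raise ValueError(f"{self.name}: lo and hi must differ")
        score = (value - self.lo) / (self.hi - self.lo)
        return min(1.0, max(0.0, score))


def aggregate(metrics, measurements):
    """Combine normalised metric risks into one score per (layer, property).

    Assumed rule: noisy-OR, 1 - prod(1 - w_i * r_i). A single metric at full
    weight and full risk saturates the score; several moderate metrics stack
    without exceeding 1. It stands in for the rule-based engine the page
    describes but does not detail."""
    matrix = {}
    for layer in LAYERS:
        for prop in PROPERTIES:
            survival = 1.0
            for m in metrics:
                w = m.weights.get(prop, 0.0)
                if m.layer != layer or w == 0.0:
                    continue
                survival *= 1.0 - w * m.normalise(measurements[m.name])
            matrix[(layer, prop)] = 1.0 - survival
    return matrix


def fuzzify(score: float) -> Tuple[str, str]:
    """Turn a numeric risk score into (linguistic label, colour)."""
    for upper, label, colour in BANDS:
        if score < upper:
            return label, colour
    return BANDS[-1][1], BANDS[-1][2]


def risk_matrix(metrics, measurements):
    """Coloured output matrix: {(layer, property): (score, label, colour)}."""
    return {key: (round(s, 3),) + fuzzify(s)
            for key, s in aggregate(metrics, measurements).items()}


# Constructed metric set for a BMS-style scenario (assumed names and ranges).
METRICS = [
    Metric("packet_loss_pct", "network", 0, 30, {"availability": 1.0}),
    Metric("unauth_sessions_pct", "network", 0, 20, {"confidentiality": 0.6, "integrity": 0.6}),
    Metric("arp_changes_per_min", "network", 0, 10, {"confidentiality": 0.4, "integrity": 0.8}),
    Metric("cpu_util_pct", "node", 60, 100, {"availability": 1.0}),
    Metric("failed_auth_per_min", "node", 0, 20, {"confidentiality": 0.7, "integrity": 0.3}),
    Metric("actuator_latency_ms", "node", 50, 500, {"availability": 0.7, "integrity": 0.3}),
]

# Constructed measurement snapshots, not real simulator output.
BASELINE = {"packet_loss_pct": 1, "unauth_sessions_pct": 0, "arp_changes_per_min": 0,
            "cpu_util_pct": 40, "failed_auth_per_min": 1, "actuator_latency_ms": 80}
DOS_FLOOD = dict(BASELINE, packet_loss_pct=27, cpu_util_pct=98, actuator_latency_ms=450)
MITM_ARP = dict(BASELINE, unauth_sessions_pct=15, arp_changes_per_min=8,
                failed_auth_per_min=12, actuator_latency_ms=90)


def render(matrix) -> str:
    """Text rendering of the coloured matrix: one row per layer."""
    rows = [f"{'layer':<8} " + " ".join(f"{p:>16}" for p in PROPERTIES)]
    for layer in LAYERS:
        cells = [f"{matrix[(layer, p)][1]:>8}/{matrix[(layer, p)][2]:<7}" for p in PROPERTIES]
        rows.append(f"{layer:<8} " + " ".join(cells))
    return "\n".join(rows)


if __name__ == "__main__":
    for title, snap in (("baseline", BASELINE), ("DoS flood", DOS_FLOOD), ("MitM / ARP", MITM_ARP)):
        print(f"--- {title} ---")
        print(render(risk_matrix(METRICS, snap)))
```

Two design points matter when tuning such a model. The lo/hi pair per metric is what makes heterogeneous units comparable, and its direction matters: a "packets delivered" metric has lo above hi, so a drop is read as rising risk. The combination rule decides how one bad metric shows up in the matrix: with the noisy-OR used here a DoS flood drives network and node availability to "critical" while leaving confidentiality untouched, whereas an ARP-based MitM lights up network integrity and confidentiality; a plain weighted mean would instead dilute a single saturated metric among quiet ones, hiding exactly the anomaly the matrix is meant to expose.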

The methodology and supporting tool will be validated and evaluated against two of the major types of attack on CPS: Denial of Service (DoS) and Man-in-the-Middle (MitM). Specific metrics and properties will be defined for a CPS operating in a Building Management System (BMS) scenario. Evaluating the security properties, such as privacy or integrity, of such a system is necessary, since the attraction of increasing the operational efficiency of a building can quickly be overshadowed by the loss of that benefit in the event of a breach.
