Formalizing Attack Trees for a SCADA System

1
Formalizing Attack Treesfor a SCADA System

• Krishna Mohan Moleyar
• Dr. Ann Miller
• University of Missouri - Rolla

2
Outline

• Abstract
• The Problem
• Approaching the Solution GSN
• Example Scenario
• SCADA Attack Tree Demonstration
• Conclusion and Future Work

3
Abstract

• Goal To develop a formal method for documenting
  information security attacks on critical
  infrastructure in a structured and reusable form.
• Approach Use of Goal Structuring Notation (GSN)
• Project demonstrates the use of GSN in
  representing attack trees such that its
  applicability to other types of Assurance Cases
  can be viably considered.

4
Backbone

• A generic attack tree backbone was developed
  which enumerates and elaborates the ways in which
  an attacker can compromise a SCADA system in
  order to accomplish his mission.

5
The Problem

• The attack attributes should be able to associate
  risk with an attack and ease the process of
  analysis
• One Solution A more structured language for
  documenting identified attack patterns.

6
Goal Structuring Notation
7
Tool Support

• We have used the Adelard Safety Case Environment
  (ASCE V3.5) to generate our GSN attack trees.
• The trial version of the tool is freely available
  at the Adelard website http//www.adelard.com

8
Issues that a GSN based Attack Tree addresses

• Risk imposed on a system in case of a successful
  attack (1-5)
• Technical difficulty and cost of the attack (1-5)
• Likelihood of attack success (Low, Med, High)
• Approach to draw conclusions from the attack graph

9
Risk Assessment Value At Risk (VAR)

• Dependencies
• Value for the attacker
• Technical difficulty and cost of the attack
• Likelihood of attack occurrence and success
• Countermeasures
• Traceability
• Recovery mechanisms
• Impact

10
Example Scenario

• Officer X belonging to company XYZ is going to
  type and send some sensitive, confidential
  information to Officer Y via electronic mail -
  context
• Top Goal of the attacker is to read the
  confidential information sent through E-mail.
• Assumption is that the attacker knows the
  context and has profiled both Officers.
• The strategy to achieve this goal is to analyze
  the underlying context and find a suitable method
  to obtain required information with available
  resources. The attacker will want to concentrate
  on minimizing cost and technical difficulty,
  while maximizing the probability of attack
  success.

11
Simplified GSN Attack Tree for the Scenario
12
Attack Tree for a SCADA System

• This attack tree framework is in a generalized
  format which may be reused and referenced by
  security analysts while assessing their
  individual systems.

13
High Level Backbone
14
Backbone Electronic Attack
15
SCADA Attack Tree Demonstration

• HTML version
• http//web.umr.edu/km7w2/SCADAattackTree/

16
Conclusion

• Successfully creating an attack tree is not a
  complete solution for system security.
• Once we create a model of ways the system can be
  attacked, next step would be to predict how the
  enemies will attack by comparing their
  capabilities with the systems vulnerabilities,
  and estimating the benefits they will obtain from
  each attack.
• The findings of this analysis can be used to
  propose a strategy of countermeasures.
• An attack tree may always be compared with an
  assurance case to find any loop holes in the
  systems security.

17
Future Work

• We have developed the example attack tree for a
  small robot system in our factory automation
  laboratory.
• Future work should refine and validate the
  practicality and scalability of the approach
  through its application to several real-world
  examples.
• A broad range of attack profiles must be analyzed
  and the results must be documented over the
  developed backbone so that commonly occurring
  attack patterns may be reviewed to develop more
  survivable systems.

18
Comments or Questions?
Thank You!