
Hybrid Risk Management for Utility Networks

Final Report Summary - HYRIM (Hybrid Risk Management for Utility Networks)

Executive Summary:
Risk management is a core duty in critical infrastructures as operated by utility providers. Despite the existence of numerous risk assessment tools to support utility providers in estimating the nature and impact of possible incidents, risk management up to now is mostly a matter of best practice approaches. Additionally, risk management tools mostly focus on only one of the major network layers operated by utility providers:
- the utility’s physical network infrastructure, consisting of, e.g. gas pipes, water pipes or power lines;
- the utility’s control network including Supervisory Control and Data Acquisition (SCADA) as well as Industrial Control System (ICS) networks;
- the utility’s information and communication technology (ICT) network.
In the context of utility providers, these network types exhibit a significant interaction, and risk management methods focussing on just one of these network types might be insufficient. Therefore, the main objective of this project is to identify and evaluate “Hybrid Risk Metrics” for assessing and categorising security risks in interconnected utility infrastructure networks in order to provide foundations for novel protection and prevention mechanisms.
In the course of the project, we are focusing on sensitive service parameters representing interconnection points between ICT networks, SCADA and ICS networks as well as individual utility networks. Via these interconnections, a security incident in the ICT or SCADA network may result in cascading effects in the utility network and vice versa. Hence, we refer to our approach as “Hybrid Risk Management” and the metrics we are developing as “Hybrid Risk Metrics”. In this context, it is of particular significance to perform the risk management in qualitative terms in order to avoid the illusion of “hard facts” based on subjective numerical risk estimates. To unify the advantages of a quantitative assessment with the ease and efficiency of a qualitative analysis, the HyRiM framework is based on a qualitative assessment with a sound quantitative mathematical underpinning.
Furthermore, we look at the social network of employees as an additional network within the utility, thus considering the “human factor” in our investigations. As a result, not only technical but also organisational, sociological and economic effects across the different networks can be well understood. Special attention is also paid to personally owned digital/communication devices used in day-to-day business life and how they compromise the security of the utility’s network. Another core topic of interest in this investigation is the combination of monitoring and surveillance of the extended perimeter, where monitoring events trigger “on demand” surveillance, to provide the foundation for novel surveillance mechanisms. We evaluate the identified security measures and Hybrid Risk Metrics in use cases considering various attack scenarios (social, cyber and physical) on the distinct network infrastructures.
The project provides utility network operators with a risk management tool supporting qualitative risk assessment based on numerical (quantitative) techniques. To that end, our method explicitly accounts for the infrastructure’s manifold nature in terms of the utility’s social, ICT, SCADA, ICS and physical network. Thus, the resulting concepts, methodologies, tools and processes provide utility operators with the means to identify complex interrelations within their networks, assess their potential cascading effects and determine optimal mitigation actions to counter these effects. The expected impact is thus a movement away from best practice only, towards a holistic perception and treatment of risk in utility networks based on a sound and well-understood mathematical foundation. The project will take a significant step towards considering security in the given context of utility networks, ultimately yielding a specially tailored solution that is optimal for the application at hand.

Project Context and Objectives:
In contrast to classical risk management approaches, the HyRiM project focuses not solely on the risk management of a single network operated within a utility provider (e.g. the social network, the ICT, SCADA or underlying physical network) but also on the sensitive interconnection points between these networks. The main concern is that a security incident in the ICT or SCADA network may not only affect these networks themselves, but also result in cascading effects in the physical network due to these interconnection points. Hence, the project investigates novel approaches towards risk management spanning all the different types of networks – referred to as “Hybrid Risk Management” – as well as the respective risk metrics – referred to as “Hybrid Risk Metrics”.
Accordingly, a major objective of the HyRiM project is the definition of such a Hybrid Risk Management process to enable comprehensive risk management for dealing with threats in diverse aspects of utility network infrastructures (social, technical and physical) and to support utility infrastructures in prioritising the implementation of countermeasures. This objective has been tackled by defining the game-theoretic framework together with the percolation-based propagation mechanism in WP 1 and further by the HyRiM Process, which integrates all of the project’s main results into one concise step-by-step guideline.
Objective 2 in HyRiM is the evaluation of the Hybrid Risk Metrics in the context of targeted attacks on utility providers. This evaluation of the game-theoretic framework and the tools building on it is carried out using generic (artificial) data in the course of WP 1 as well as more tailored scenarios in WPs 2 – 4. An in-depth evaluation in realistic scenarios is performed in the three different use cases (cf. also Objective 6).
The development of risk assessment methodologies and tools for new threats like APTs or ransomware is Objective 3. This is covered by the results stemming from WP 2, in particular by the R library implementing the game-theoretic frameworks as well as by the simulation tools and the Smart SecPlan, which build upon this R library.
Objective 4 deals with the definition of security architectures and guidelines to mitigate threats related to human and organisational risk. WP 3 mainly tackles this field, describing how ethnographic studies can be used to obtain better insights into the operation of an organisation and identifying possible mitigation strategies. Additionally, the developed set of risk metrics and the policy-based anomaly detection framework target this objective.
HyRiM’s Objective 5 focuses on surveillance aspects and the application of novel, on-demand technologies in the extended perimeter of utility networks. The main outcomes of WP 4 cover these aspects, i.e. the definition of the extended perimeter, the development of the simulation framework for physical intrusion as well as the concepts of mobile ID checks and physical anomaly detection using 3D cameras.
The demonstration and evaluation of the project’s results in simulated and real testbed environments (which is Objective 6) was carried out in WP 5. To obtain a realistic view of the functioning of utility networks from different fields, the expert knowledge of the end user partners was used to build up the test scenarios. In this way, the disclosure of sensitive information was avoided without compromising the relevance of the results.
As a final objective, the project aims to increase the awareness of policy makers and pave the way for new legislation and pre-standardisation efforts. This objective is mainly tackled in the course of the three end user workshops held during the project, where experts from other projects, the industry, legislative bodies and policy makers were presented with the main findings of the project. Further, numerous dissemination activities also increased the visibility of the project and the awareness of the main challenges in this field.

Project Results:
Whereas in the first 18 months of the project the major focus was on WP 1, where the conceptual and mathematical foundations for Hybrid Risk Metrics were defined, during the second period the focus shifted to the implementation of these concepts and their integration into use case scenarios. WP 1 finished after Month 24, providing a detailed mathematical framework for Hybrid Risk Management, which extends classical game theory by adding uncertainty to the notion of payoffs. This allows utility providers to model the networks they operate together with their interrelations and to analyse the potential cascading effects of incidents within them.
In WP 2, the methodologies from WP 1 were adapted to fit the specific requirements of SCADA networks. To this end, SCADA-related attack characteristics, threat trends and mitigation tools were identified and analysed. Furthermore, an Attribute Based Access Control (ABAC) model able to enforce security policies applicable in the utilities’ environments was defined. Building on the conceptual results of WP 1, the main objective of WP 2 was two-fold: developing tools for Hybrid Risk Management, which implement the game-theoretic framework, and defining a Hybrid Risk Management process, which integrates the different concepts and tools into a step-by-step guideline for utility providers. The first goal was achieved by compiling the core algorithms of the game-theoretic framework into an R library. Further, a prototype tool for simulating and visualising the propagation of an incident (e.g. a malware infection) through different network layers (ICT, SCADA, social, physical, etc.) as well as a web-based risk management tool were developed, both building on the R library.
In contrast to WP 2, the focus of WP 3 was on the investigation of organisational and human factors, as they are a core part of a successful security architecture within any organisation. Ethnographic studies together with secondary data on real world incidents provided an insight into how security policies are implemented (and lived) within the end user partners. Besides the social aspects within an organisation, society’s perception of threats and risks towards a utility provider was also studied. All this information was used to develop a vulnerability evolution framework and to define a set of risk metrics. Both parts were further integrated into a policy-based anomaly detection framework.
WP 4 covered the physical aspects of the Hybrid Risk Management by looking into existing and potential future surveillance technologies. In this context, two promising novel technologies were investigated and also evaluated with the end user partners in further detail: mobile device-based surveillance technologies and anomaly detection for surveillance systems based on 3D cameras. The application of the Hybrid Risk Management in this context was carried out by a simulation framework for physical intrusion scenarios. Therein, the area of a utility provider together with the security guards patrolling this area are modelled and various physical intrusion scenarios involving one or multiple adversaries can be simulated. Results are then fed into the game-theory framework to obtain optimal patrolling routes.
The conceptual methodologies, processes, libraries and tools developed throughout WPs 1 – 4 were integrated and evaluated in three use case scenarios in WP 5. The main goal was to show how Hybrid Risk Management can be applied in the context of different utilities (power, water, oil and gas) and can work with distinct types of attacks (ransomware, APTs and physical intrusion). The applicability and usefulness were evaluated by the end user partners within the project but also by external utility providers. As a major benefit, the end user partners were able to directly use the results of the respective analyses to improve their security situation.

Potential Impact:
The main result of the HyRiM project is a risk management framework that accounts for the highly interconnected and interdependent network infrastructures operated by utility providers. In this context, the aim is to gain a holistic view of the infrastructure, to identify threats stemming from various domains (cyber, physical, organisational, human, etc.) and their potential cascading effects onto other domains. To achieve that, a well-defined mathematical framework is required, since decisions to use, extend, improve, or even refrain from using a network must rest on sound facts with unambiguous interpretations.
In HyRiM, the mathematical framework of choice is game theory, which naturally models the interplay between an adversary (e.g. a hacker) and a defender (e.g. the utility provider’s risk or security manager). The main challenge in this context is to take into consideration the uncertainty about the adversary’s intentions and capabilities, or even external influences in general. As a main output, a novel game-theoretic framework was defined which extends classical models such that they can handle the intrinsic uncertainty risk and security managers are faced with in day-to-day business life. This framework has been implemented as an R library and can be used stand-alone as a package in R or as a web service, but can also be easily integrated into other software tools.
Novel concepts like the extended perimeter, a threat awareness architecture and the application of ethnographic studies mark the main outputs of the project regarding the holistic view of the utility provider’s organisation. The combination of these concepts ensures a deep understanding of the systems, actors, processes and their interactions, which is required for successful risk management. To identify and assess the potential cascading effects due to these interactions, several simulation approaches (i.e. percolation theory, co-simulation, agent-based modelling, physical surveillance simulation) have been discussed in HyRiM. Based on those approaches, a tool to compute and visualise the propagation of malware through the different networks as well as a framework to simulate physical intrusion into the utility provider’s premises have been implemented. These tools build upon the game-theoretic framework and serve as a supporting mechanism for decision makers.
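As an added example that is not part of the project report or its R library, the following Python model puts the two ideas above together: percolation-based propagation of a compromise across interconnected ICT, SCADA and physical layers, and an attacker/defender game whose payoff is the probability that the cascade reaches the physical asset. The node names, edge probabilities and hardening options are constructed assumptions; the cascade probability is computed exactly over a five-edge toy network rather than simulated, and the closed-form 2x2 zero-sum solver stands in for the project's uncertainty-extended framework.

```python
from itertools import product
# Constructed multi-layer network (not project data). (source, target): probability
# that a compromise of `source` propagates across the edge to `target`.
BASE_EDGES = {
    ("ict-office", "ict-eng"):   0.3,  # lateral movement inside the ICT layer
    ("ict-office", "scada-hmi"): 0.5,  # interconnection point 1: historian/DMZ path
    ("ict-eng", "scada-plc"):    0.4,  # interconnection point 2: maintenance link
    ("scada-hmi", "scada-plc"):  0.9,  # inside the SCADA layer
    ("scada-plc", "pump"):       1.0,  # losing the PLC is assumed to hit the physical layer
}

def cascade_probability(edges, entry, target):
    """Exact bond percolation: sum the probability of every open/closed edge configuration
    in which `target` is reachable from `entry`. Exponential in |E|: toy models only."""
    items, total = list(edges.items()), 0.0
    for states in product((False, True), repeat=len(items)):
        weight = 1.0
        for (_, p), is_open in zip(items, states):
            weight *= p if is_open else 1.0 - p
        reached, frontier = {entry}, [entry]
        while frontier:  # reachability over the open edges of this configuration
            node = frontier.pop()
            for ((src, dst), _), is_open in zip(items, states):
                if is_open and src == node and dst not in reached:
                    reached.add(dst)
                    frontier.append(dst)
        if target in reached:
            total += weight
    return total

def harden(edges, edge, new_p):
    """Defender action: lower the propagation probability of one interconnection point."""
    return {**edges, edge: new_p}

def payoff_matrix():
    """Rows: defender hardens IP1 or IP2; columns: attacker enters at office or engineering host."""
    defender = [harden(BASE_EDGES, ("ict-office", "scada-hmi"), 0.1),
                harden(BASE_EDGES, ("ict-eng", "scada-plc"), 0.1)]
    return [[cascade_probability(e, entry, "pump") for entry in ("ict-office", "ict-eng")]
            for e in defender]

def solve_2x2_zero_sum(m):
    """Defender minimises, attacker maximises; returns (P[defender plays row 0], game value)."""
    (a, b), (c, d) = m
    minimax, maximin = min(max(a, b), max(c, d)), max(min(a, c), min(b, d))
    if minimax == maximin:  # saddle point: a pure defender strategy is worst-case optimal
        return (1.0 if max(a, b) <= max(c, d) else 0.0), minimax
    den = a - b - c + d  # otherwise the standard 2x2 mixed-strategy solution
    return (d - c) / den, (a * d - b * c) / den
```

With these constructed numbers neither hardening option dominates, so the defender's worst-case-optimal choice is a mixed strategy that lowers the guaranteed cascade probability below either pure choice; in the project's framework the point probabilities would be replaced by uncertain, distribution-valued payoffs.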
One major output of the project is the Hybrid Risk Management (HyRiM) Process. The HyRiM Process, based on the international standard ISO 31000, integrates all concepts, frameworks, tools and libraries developed throughout the project into a concise step-by-step guideline for utility providers. It describes how the various outputs of the project work together and in which parts of general risk management they can be applied. This gives users the chance to either implement only the individual solutions they deem fit for their needs or adopt the entire process in their organisation.
The web-based tool Smart SecPlan provides a straightforward implementation of the HyRiM Process. In Smart SecPlan, the focus lies more on the business processes running within an organisation and how they interact with each other than on the technical network infrastructures. Nevertheless, inputs from the simulation tools can be integrated into Smart SecPlan. Additionally, expert knowledge coming from distributed questionnaires can also be incorporated into the risk analysis. The evaluation of the possible mitigation actions is carried out using the R library.
In general, we envisage the main impact of the HyRiM project as a significant increase in the utility providers’ awareness towards cyber security, resilience, and the human factor as a major problem in their infrastructures. The HyRiM Process offers utility providers new ways of assessing the risk in their interconnected network structures, particularly considering the propagation of threats inside those networks.

List of Websites:
www.hyrim.net