Fig 1 - uploaded by Marc Bouissou
represents a very simple BDMP modeling a two-step attack with two alternatives for Step 1. The "trigger", represented by the dotted arrow, ensures that the leaf representing Step 2 is realizable only once Step 1 has been completed. The times needed for the realization of the leaves are defined by stochastic processes; their behaviors can be made dependent on other leaves by means of the triggers. Tab. 1 shows the three kinds of leaves defined for security modeling. Their complete definitions can be found in [PCB10b].
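The trigger semantics just described can be checked numerically. The following Monte Carlo script is an added example written for this page; it is not code from the paper, from [PCB10b] or from the KB3/Figaro toolchain. It assumes, as a simplification of the leaf types in Tab. 1, that every attack step is a leaf whose time to realization is exponentially distributed with a rate parameter, that Step 1 is an OR gate over two alternative leaves, and that the trigger means the Step 2 leaf's clock only starts once Step 1 is completed. The rates are constructed sample values. For this particular model the result has a closed form (the sum of two independent exponentials), which the script uses to cross-check the simulation; it also shows what a modeler would get by mistakenly omitting the trigger.

```python
"""Monte Carlo quantification of the two-step BDMP of Fig. 1.

Added example (not the paper's or the tool's code). Assumptions, none of
which come from the page: exponential leaf durations with constructed
rates, Step 1 = OR of two alternative leaves, and trigger semantics
"Step 2 clock starts when Step 1 completes".
"""
import math
import random

# Constructed sample rates (events per unit of time), not from the paper.
RATE_1A = 0.1   # alternative a for Step 1
RATE_1B = 0.2   # alternative b for Step 1
RATE_2 = 0.5    # Step 2, realizable only after Step 1 (trigger)


def simulate_attack_time(rng):
    """One trajectory of the Fig. 1 BDMP; returns the time of the top event."""
    # Both Step 1 alternatives are active from t=0; the OR gate is
    # satisfied as soon as either leaf is realized.
    t_step1 = min(rng.expovariate(RATE_1A), rng.expovariate(RATE_1B))
    # Trigger semantics: the Step 2 leaf is idle until Step 1 completes,
    # so its clock starts at t_step1 rather than at 0.
    return t_step1 + rng.expovariate(RATE_2)


def simulate_without_trigger(rng):
    """Same leaves but with the trigger dropped: Step 2 runs from t=0 and
    the top event is a plain AND of Step 1 and Step 2 (a modeling error
    that makes the attack look faster than it is)."""
    t_step1 = min(rng.expovariate(RATE_1A), rng.expovariate(RATE_1B))
    return max(t_step1, rng.expovariate(RATE_2))


def monte_carlo(horizon, n_runs=20000, seed=1, with_trigger=True):
    """Estimate mean time to success and P(success within `horizon`)."""
    rng = random.Random(seed)
    sim = simulate_attack_time if with_trigger else simulate_without_trigger
    times = [sim(rng) for _ in range(n_runs)]
    mean_tts = sum(times) / n_runs
    p_within = sum(1 for t in times if t <= horizon) / n_runs
    return mean_tts, p_within


def closed_form(horizon):
    """Analytic values for the triggered model: min of two exponentials is
    exponential with the summed rate, and the trigger makes the total time
    the sum of two independent exponentials (hypoexponential law)."""
    lam1 = RATE_1A + RATE_1B
    lam2 = RATE_2
    mean_tts = 1.0 / lam1 + 1.0 / lam2
    p_within = 1.0 - (lam2 * math.exp(-lam1 * horizon)
                      - lam1 * math.exp(-lam2 * horizon)) / (lam2 - lam1)
    return mean_tts, p_within


if __name__ == "__main__":
    horizon = 10.0
    mc_mean, mc_p = monte_carlo(horizon)
    cf_mean, cf_p = closed_form(horizon)
    nt_mean, nt_p = monte_carlo(horizon, with_trigger=False)
    print(f"with trigger (MC)     : MTTS={mc_mean:.2f} P(T<={horizon})={mc_p:.3f}")
    print(f"with trigger (exact)  : MTTS={cf_mean:.2f} P(T<={horizon})={cf_p:.3f}")
    print(f"trigger omitted (MC)  : MTTS={nt_mean:.2f} P(T<={horizon})={nt_p:.3f}")
```

The two metrics computed here, mean time to success and probability of success within a horizon, are the kind of time-domain quantities the BDMP tools report; the "trigger omitted" run illustrates why the sequencing constraint matters: without it the model treats Step 2 as attempted in parallel with Step 1 and underestimates the time an attacker needs.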
Source publication
This paper discusses the implementation and use of the BDMP (Boolean logic Driven Markov Processes) formalism, recently adapted to graphical attack modeling. Theoretically, it offers an attractive trade-off between readability, scalability, modeling power and quantification capabilities. In practice, efficient model construction and analysis need c...
Citations
... Since this date, it has also been used for security analysis of these systems. 12,13 GBDMP is a proposal to benefit from the strengths of the BDMP framework and to remove some of its limitations, in particular for the analysis of reconfigurable systems. ...
Minimal cut sequences computation is the main objective of qualitative safety analysis of dynamic systems. This article shows first that the existing definitions of minimal cut sequences are not suitable when these systems are both repairable and reconfigurable. A new definition for this class of systems, as well as an algorithm to compute these sequences from a safety analysis model in the form of a Generalized Boolean logic Driven Markov Processes model, are then proposed. These contributions are illustrated on a case study from the power industry. Comparison of the obtained minimal cut sequences to those yielded by algorithms based on the previous definitions makes it possible to highlight the relevance of the approach.
... The concept of BDMP is inherited from combining fault trees and Markov models. In [126], the BDMP is adapted to the security domain in order to graphically model cyber attacks. ...
Risk analysis is a critical part of regulatory decision-making related to high-risk industries. A systematic risk analysis is made up of three steps: (i) identifying the undesirable risk scenarios. A risk scenario is characterized by reference to the potential event with its causes and consequences. (ii) Estimating the likelihood of occurrence of risk scenarios. (iii) Calculating the effect of consequences of the identified risk scenarios. Likelihood and effect analysis are carried out with the help of models that depend on a number of input parameters. However, the trustworthiness of risk analysis is limited when inaccuracies in the results can occur, and these are due to various sources of uncertainty. Parameter, model and completeness uncertainties are the main sources of uncertainty. Parameter uncertainty arises from the inability to set exact values for certain input parameters used for likelihood and severity analysis. Completeness uncertainty originates from not considering all contributions to risk in the identification process (some initiating events are ignored). Model uncertainty is not considered in this work.
The INERIS (French National Institute for Industrial Environment and Risks) has developed an interval semi-quantitative approach that uses either quantitative information if available or qualitative information if not. However, this interval semi-quantitative approach has some drawbacks due to parameter uncertainty. Information regarding model parameters used for effect analysis is often incomplete, vague, imprecise or subjective. Moreover, some of the parameters may be random in nature and have different values. This leads to two different types of parameter uncertainty that need to be accounted for in an accurate risk analysis and effective decision-making: aleatoric uncertainty, which arises from randomness due to natural variability resulting from the variation of a value in time, and epistemic uncertainty, caused by the lack of information resulting, for example, from measurement errors, subjectivity of expert judgment or incompleteness. Moreover, the identification step is incomplete when only safety-related scenarios caused by accidental events are considered. The introduction of connected systems and digital technology in process industries creates new cyber-security threats that can lead to undesirable safety accidents. These cyber-security related events should be considered during industrial risk analysis.
This research aims to develop uncertainty analysis methodologies to treat uncertainty in the INERIS risk analysis process, in other words, to analyze uncertainty in likelihood analysis, effect analysis and the identification step. In this work, we propose a fuzzy semi-quantitative approach to deal with parameter uncertainty in the likelihood analysis step. We handle the limits of the interval semi-quantitative approach by introducing the concept of fuzzy numbers instead of intervals. Fuzzy numbers are used to represent subjectivity in expert judgments (qualitative data) and cover uncertainty in the quantitative data if such data exists. A hybrid methodology that treats each cause of parameter uncertainty in effect analysis with the right theory is developed. Probability theory is used to represent variability, fuzzy numbers are used to represent imprecision and evidence theory is used to represent vagueness, incompleteness and the lack of consensus. A new risk identification methodology that considers safety and security together during industrial risk analysis is developed. This approach combines Bow-Tie Analysis (BTA), commonly used for safety analysis, with a new extended version of Attack Tree Analysis (ATA), introduced for security analysis of industrial control systems. The combined use of AT-BT provides an exhaustive representation of risk scenarios in terms of safety and security.
... In 2012, Kriaa et al. [10] present a method based on fault trees combined with Markov processes to model attacks on industrial systems. They implement this approach with the KB3 [11] tool and apply it to the Stuxnet attack. In 2015, they publish S-CUBE [12], an implementation of the former approach in the Figaro language. ...
In the context of security, risk analyses are widely recognized as essential. However, such analyses need to be replayed frequently to take into account new vulnerabilities, new protections, etc., as exploits can now easily be found on the internet, allowing a wide range of possible intruders with various capacities, motivations and resources. In particular, in the case of industrial control systems (also called SCADA) that interact with the physical world, any breach can lead to disasters for humans and the environment. Alongside classical security properties such as secrecy or authentication, SCADA must ensure safety properties relative to the industrial process they control. In this paper, we propose an approach to assess the security of industrial systems. This approach aims to find applicative attacks taking into account various parameters such as the behavior of the process and the safety properties that must be ensured. We also model the possible positions and capacities of attackers, allowing precise control of these attackers. We instrument our approach using the well-known model-checker UPPAAL, apply it to a case study, and show how variations of properties, network topologies, and attacker models can drastically change the obtained results.
... Graphical Methods: GSN [5], [28], [63], [64]; NFR [65]. Extended fault trees: Fovino [67]; Bezzateev [69]; Kornecki [22]; Steiner [70]. BDMP [123]; BBN [84]; Misuse cases [87]; CHASSIS [48]; UMLsec/UMLsafe [93]; SysML-Sec [95] (rows of a comparison table whose column headings did not survive extraction) ...
... Gates and links: the BDMP models use classical logic gates "AND", "OR" and "k out of n", and more specific gates (e.g. "PAND", "Aggregate OR") defined in [123]. In addition to the classical logic links used to connect a gate to its sons (represented as solid black lines), BDMP models contain other specific links described in Table 5. ...
... For "Security BDMP", the attack leaves and the corresponding modeled behavior described in Table 6 are depicted in the "Security KB" [123]; ...
... Unlike static fault trees, the BDMP formalism enables dynamic features to be modeled with a special type of link called a "trigger." The BDMP formalism has recently been adapted to the security field [62], [63], [64]. New security leaves have been defined to model attack steps, or in some cases, security events that are not under the direct control of the attacker (e.g., the opening of an email containing a malicious payload by a victim of the attacker). ...
... These parameters are estimated by security and safety experts based on the assumptions made on the system, and make it possible to process the model using quantification tools that generate results for the qualitative and quantitative analyses. A complete software workbench to build and analyze BDMP models is available in [63]. ...
... Extended fault trees: Fovino [56]; Bezzateev [58]; Kornecki [25]; Steiner [59]. BDMP [63]; BBN [77]; Misuse cases [80]; CHASSIS [43]; UMLsec/UMLsafe [86]; SysML-Sec [88]; Stochastic Petri nets [67,68,70]; MBSE [90] (rows of a comparison table whose column headings did not survive extraction) ...
The migration towards digital control systems creates new security threats that can endanger the safety of industrial infrastructures. Addressing the convergence of safety and security concerns in this context, we provide a comprehensive survey of existing approaches to industrial facility design and risk assessment that consider both safety and security. We also provide a comparative analysis of the different approaches identified in the literature.
Free download of the article on the following link until May 21, 2015 http://authors.elsevier.com/a/1Qn-43OQ~f8zFQ
... The BDMP formalism enables graphical modeling of safety [2] and security [11,14,15,8]. BDMP models integrating both aspects are introduced in [12]. Visually similar to fault trees (or attack trees), BDMP provide good readability and a hierarchical representation. ...
... The relevance of using Markov processes for security modeling is discussed in [11]. The KB3 platform [14] makes it possible to input BDMP models graphically and generates textual models (in the Figaro modeling language) describing them. The latter are used as input to the KB3 quantification tools (FigSeq and Yams) in order to compute the probability of the top event and the different possible scenarios leading to it, sorted by decreasing contribution to the top event probability. ...
The digitalization of industrial control systems (ICS) raises several security threats that can endanger the safety of the critical infrastructures supervised by such systems. This paper presents an analysis method that enables the identification and ranking of risks leading to a safety issue, regardless of the origin of those risks: accidental or due to malevolence. This method relies on a modeling formalism called BDMP (Boolean logic Driven Markov Processes) that was initially created for safety studies, and then adapted to security. The use of the method is first illustrated on a simple case to show how it can be used to make decisions in a situation where security requirements are in conflict with safety requirements. Then it is applied to a realistic industrial system: a pipeline and its instrumentation and control system in order to highlight possible interactions between safety and security.
... BDMPs for security allow for different types of quantification. These quantifications include the computation of time-domain metrics (overall mean-time to success, probability of success in a given time, ordered list of attack sequences leading to the objectives), attack tree related metrics like costs of attacks, handling of Boolean indicators (e.g., specific requirements), and risk analysis oriented tools like sensibility graphs by attack step or event [231], etc. ...
... The model construction and its analysis are supported by an industrial tool, called KB3 [79]. In [231], implementation issues and user feedback are discussed and analyzed. BDMPs are used in [230,123,153] to integrate safety and security analyses while [154] develops a realistic use case based on the Stuxnet attack. ...
... In several papers [229,228,231], the authors point out the intrinsic limits of BDMPs in modeling cyclic behaviors and loops, as well as the difficulty of assigning relevant values to the leaves. ...
This paper presents the current state of the art on attack and defense modeling approaches that are based on directed acyclic graphs (DAGs). DAGs allow for a hierarchical decomposition of complex scenarios into simple, easily understandable and quantifiable actions. Methods based on threat trees and Bayesian networks are two well-known approaches to security modeling. However, there exist more than 30 DAG-based methodologies, each having different features and goals. The objective of this survey is to present a complete overview of graphical attack and defense modeling techniques based on DAGs. This consists of summarizing the existing methodologies, comparing their features and proposing a taxonomy of the described formalisms. This article also supports the selection of an adequate modeling technique depending on user requirements.
... The BDMP formalism has recently been adapted to the security field [8], [6], [9]. New security leaves have been defined to model attack steps or in some cases security events. ...
... Detection and reaction aspects can also be modeled. A complete software workbench is available to build and analyze the model in [9]. ...
... More specific gates (e.g. "PAND", "Aggregate OR") are defined in the documentation associated with the modeling tools [9]. In addition to classical logic links, BDMP models introduce other specific links. ...
Attack modeling has recently been adopted by security analysts as a useful tool in risk assessment of cyber-physical systems. We propose in this paper to model the Stuxnet attack with BDMP (Boolean logic Driven Markov Processes) formalism and to show the advantages of such modeling. After a description of the architecture targeted by Stuxnet, we explain the steps of the attack and model them formally with a BDMP. Based on estimated values of the success probabilities and rates of the elementary attack steps, we give a quantification of the main possible sequences leading to the physical destruction of the targeted industrial facility. This example completes a series of papers on BDMP applied to security by modeling a real case study. It highlights the advantages of BDMP compared to attack trees often used in security assessment.
Society is increasingly dependent upon the use of distributed cyber-physical systems (CPSs), such as energy networks, chemical processing plants and transport systems. Such CPSs typically have multiple layers of protection to prevent harm to people or the CPS. However, if both the control and protection systems are vulnerable to cyber-attacks, an attack may cause CPS damage or breaches of safety. Such weaknesses in the combined control and protection system are described here as hazardous vulnerabilities (HVs). Providing assurance that a complex CPS has no HVs requires a rigorous process that first identifies potential hazard scenarios and then searches for possible ways that a cyber-attacker could cause them. This article identifies the attributes that a rigorous hazardous vulnerability analysis (HVA) process would require and compares them against related works. None fully meet the requirements for rigour. A solution is proposed, HVA_CPS, which does have the required attributes. HVA_CPS applies a novel combination of two existing analysis techniques: control signal analysis and attack path analysis. The former identifies control actions that lead to hazards, known as hazardous control actions (HCAs); the latter models the system and searches the model for sequences of attack steps that can cause the HCAs. Both analysis techniques have previously been applied alone on different CPSs. The two techniques are integrated by extending the formalism for attack path analysis to capture HCAs. This converts the automated search for attack paths to a selected asset into an exhaustive search for HVs. The integration of the two techniques has been applied using HCAs from an actual CPS. To preserve confidentiality, the application of HVA_CPS is described on a notional electricity generator and its connection to the grid. The value of HVA_CPS is that it delivers rigorous analysis of HVs at system design stage, enabling assurance of their absence throughout the remaining system lifecycle.