Defense-in-depth vs. Critical Component Defense for ... · ommended Defense-In-Depth Architecture (Kuipers and Fabro 2006) is designed in Section 4 to demon-strate the effectiveness

DOI: http://dx.doi.org/10.14236/ewic/ICS2016.1

Defense-in-depth vs. Critical ComponentDefense for Industrial Control Systems

Andrew FielderInstitute for Security Science

and TechnologyImperial College London

London, [email protected]

Tingting LiInstitute for Security Science



Chris HankinInstitute for Security Science



Originally designed as self-contained and isolated networks, Industrial Control Systems (ICS) have evolved tobecome increasingly interconnected with IT systems and other wider networks and services, which enablescyber attacks to sabotage the normal operation of ICS. This paper proposes a simulation of attackers anddefenders, who have limited resources that must be applied to either advancing the technology they haveavailable to them or attempting to attack (defend) the system. The objective is to identify the appropriatedeployment of specific defensive strategy, such as Defense-in-depth and Critical Component Defense.The problem is represented as a strategic competitive optimisation problem, which is solved using a co-evolutionary Particle Swarm Optimisation problem. Through the development of optimal defense strategies,it is possible to identify when each specific defensive strategies is most appropriate; where the optimaldefensive strategy depends on the kind of attacker the system is expecting and the structure of the network.

Industrial Control Systems, Defense-in-depth, Defensive Strategy, Agent-based Modelling

1. INTRODUCTION

Industrial Control Systems (ICS) play a crucial rolein supervising industrial processes and production.Disruption to ICS might lead to disastrous damageto the plant, environment and even human health(Stouffer et al. 2011). ICS were originally designedas isolated self-contained systems, which nowadayshave evolved to become increasingly interconnectedwith IT systems and other complex networks.It greatly improves the efficiency of communicationand control of ICS, but has left ICS exposed to cyberthreats. Modern ICS thus have to be tolerant ofaccidental malfunctions, as well as intentional cyberattacks. ICS-CERT received 295 reports in 2015by trusted asset owners1. In particular multi-stageAdvanced Persistent Threats (APT) account forroughly 55% amongst the various cyber attacksagainst ICS 2. ICS-targeted APT often start withgaining access to the target network, propagatethrough the network by continuously exploitingchains of vulnerabilities, and eventually disrupt theoperation of ICS. We outline common ways to stageAPT targeting a typical ICS in Figure 1. The most

1ICS-CERT: Nov.2015 - Dec. 2015. https://ics-cert.us-cert.gov/monitors/ICS-MM2015122ICS-CERT: Sep. 2014 - Feb. 2015. www.ics-cert.us-cert.gov/monitors/ICS-MM201502

Figure 1: Typical ICS architecture threatened by APT

well-known example of such attacks is Stuxnetin 2010 (Falliere et al. 2011), which wasintroduced to the targeted network by a removableflash drive and eventually infected approximately100,000 hosts across over 155 countries untilSeptember 2010 according to the Symantecreport by Falliere et al. (2011). More recentaccidents are the German steel mill breach inDecember 20143 and the Ukrainian power outagesin December 20154.3SANS ICS Case, 2014. https://ics.sans.org/media/ICS-CPPE-case-Study-2-German-Steelworks Facility.pdf4ICS-CERT Alert, 2016. https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01

c© Fielder et al. Published byBCS Learning & Development Ltd. 1Proceedings of the 4th International Symposium for ICS & SCADA Cyber Security Research 2016

Defense-in-depth vs. Critical Component Defense for Industrial Control SystemsFielder • Li • Hankin

To mitigate the increasing cyber threats targetingICS, many government advisory reports and in-dustrial standards propose Defense-in-Depth as thebest practice to defend ICS (Stouffer et al. 2011;Kuipers and Fabro 2006). Defense-in-depth aims toprotect a system by establishing a multi-layer de-fense by combining various defensive controls, suchas advanced firewalls with DMZ, security awarenesstraining programs, a vulnerability management sys-tem, intrusion detection with effective access poli-cies, and incident response mechanisms. However,as there are numerous controls involved, it needs adeployment plan to optimally distribute the defensiveresources over those controls before such practicecould produce the most effective protection withlimited resources. Otherwise the high financial andmanagerial cost make defense-in-depth impracticalto fully implement (Small 2011), because massiveunnecessary efforts might be wasted on irrelevantattack vectors and security activities. With limitedresources, system wide defense-in-depth providesonly a wide but low-level defense across the network,which might be able to stop sophisticated attackers.Therefore, we produce a decision support tool tohelp with better understanding of defense for ICS,and discover the optimal defensive strategy for usein ICS.

The concept of attacker denotes the possible cyberattackers attemping to breach an ICS, while defenderacts as the security manager who needs to deployavailable defensive controls to protect the ICS.Given an established network, we first generate theunderlying attack graph for it by using our logic-based reasoning engine. The attack graph chainsvarious weaknesses of the network that can beexploited by attackers to stage an APT attack. Theattacker and defender are then modelled as a pairof competing agents in a co-evolutionary simulation.Particle Swarm Optimisation (PSO) (Kennedy 2010)is adopted to aid agents in finding the mostoptimal strategy to attack and defend given differentconditions and profiles. Agents’ gains and lossesare qualified in iterated games, by which an overallscore can be produced to evaluate the performanceof the chosen strategy. Eventually both the attackerand defender would co-evolve to their best strategiesagainst each other. From this work, we discoverthat the decision on defensive strategies shouldrely on the type of attacks we are combating andthe network layout including network topology anddistribution of valuable targets. Particularly we findout that system wide defense-in-depth is viablein protecting the system from greedy attackers,where lower-level conventional attacks are generallyused. However, defense-in-depth is less capableof defending against more sophisticated attacks, in

which case the defensive effort should be focusedon the critical targets in the system. Furthermore,we run extended experiments to investigate the roleof network topology in deciding defensive strategies.Specifically we look at the performance of defendingbottleneck nodes of a network to produce effectiveprotection with minimised defensive efforts.

The paper starts with a related work section wherethe work on attack modelling of ICS and APT at-tacks, agent-based coevolutionary approaches andPSO-related topics are presented. The approachproposed in this paper is discussed in Section 3.1,including the modelling of the key elements (e.g.attacker methods, defense controls, network archi-tecture) and the development of the agent-basedsimulation. A case study extracted from CSSP Rec-ommended Defense-In-Depth Architecture (Kuipersand Fabro 2006) is designed in Section 4 to demon-strate the effectiveness of our proposed tools infinding optimal defense deployment. Five differentscenarios are provided to capture attackers anddefenders with different profiles. Relevant results arepresented in Section 5 and discussed in Section 6.The paper concludes with a summary and discus-sion of further directions of research in Section 7.

2. RELATED WORK

Stouffer et al. (2011) provided a comprehensiveintroduction to the key ICS-specific cyber threats.Automatic generation of attack graphs based onCommon Vulnerabilities and Exposures (CVE)vulnerabilities has been well developed, such asthe tool MulVal by Ou et al. (2006) and NetSPAby Lippmann et al. (2005). However, such completeCVE-based attack graphs are often very complex tounderstand and analyse. Thus our work producedattack graphs based on common weaknesses ofICS, rather than specific vulnerabilities on eachhost, by which we can lift our focus of defenseto combat generic classes of attacks and henceproduce a broader view to deploy defensive controls.Lippmann et al. (2005) also abstracted completeattack graphs by classifying vulnerabilities in termsof CVE factors. Attack graphs have been appliedeffectively to assess the potential risks of anetwork. Noel et al. (2010) introduced a metricfor quantifying the security of a network based onattack graphs with assigned likelihoods of eachattack edge. Using attack graphs for risk analysisof critical infrastructures was reported by Ma andSmith (2013). Attack graphs are able to help withfinding effective defensive measures by studyingthe network structure and required vulnerabilitiesto comprise a system. Thus we also adopt attackgraphs for the initial representation of the problem.

2


Another closely related area to this work isthe concept of network hardening. Fielder et al.(2014) present a game theoretic approach to theoptimal allocation of system administrator timeto defensive tasks. One important finding of thework shows that a greater emphasis of thelimited administrator time should be placed onthe most valuable assets, which is conceptuallyconsistent with the Critical Component Defensestrategy discussed in this paper. Game theoreticapproaches using Stackelberg games to findingoptimal security decisions for real-world scenarioshave been extensively studied, such as schedulingof airport security (Korzhyk et al. 2010), allocationof air marshals to flight paths (Tsai et al. 2009) anddeployment of honeypots (Durkota et al. 2015).

PSO was originally proposed by Eberhart andKennedy (1995), and a more up-to-date reviewof this area was provided by Poli et al. (2007).Poli (2008) identified active applications of PSO,and also pointed out that very little work hasundertaken by applying PSO to cyber securityproblems, with only 1.3% of the literature coveringthe whole security field, such as security predictions(Gao et al. 2011), intrusion detection (Srinoy 2007)and authentication (Karnan and Akila 2010).A similar PSO-based simulation was also employedto investigate the impact of cost-efficiency of defenceon deciding the optimal defence for ICS in ourprevious work (Fielder et al. 2016) .

The elements of studying cyber security scenariosare often represented in literature as adversarialmodels, like those presented in the game theoreticmanner. However the strategy space available isnot as effective at representing the fluid nature ofAPT attacks, which features an evolving strategyspace. The use of PSO for defining strategy aims toovercome the problems of an evolving high variancestrategy space.

3. MODELLING AND SIMULATION

Figure 2 shows the schematic diagram of thesimulation. The Attacker Profile and DefenderProfile collect key elements to decide attackersand defenders’ strategies and actions respectively.Attackers’ strategies are decided by attack targets(e.g. espionage or sabotage), resources available forattackers and all possible attack paths. Particularlythe attack paths are generated by an automaticreasoning engine by a logic programming technique- Answer Set Programming (ASP) byGebser et al. (2011) analysing an establishednetwork and exploits on each host in the network.Defenders also have to decide the preference oftargets to defend, based on the available resource

Figure 2: system overview

and control pairs. Formal definitions of the abovenotions above are given in Section 3.1. Theright part of Figure 2 depicts the development ofoptimal solutions by using our simulation. Followingthe optimization algorithm PSO, each candidatestrategy is encoded as a particle of a swarm andall such particles are gradually moving towards thebest solution. In each iteration of evaluation, bothattackers and defenders generate the best responseto compete with each other, and eventually co-evolveto optimal solutions. Details of the simulation andoptimisation process are discussed in Section 3.2.

3.1. Modelling and Representation

We start with the representation of the pair ofcompeting agents – Attackers and Defenders,including the key components for defining theirstrategies. We model a typical ICS architecture asa network graph, where each host/asset is identifiedas a target node ti ∈ T , an edge e ∈ E indicatesa valid connection between a pair of targets.Each target has different impacts on attackers anddefenders. A compromised target produces certaingains Ia : T → Z

+ for attackers, while causingcertain damage for defenders Id : T → Z

−.

The notion attack methods M = {m1, . . . ,mn}collects all weaknesses of the targets in a networkand we mainly have three types of attack methodsin terms of their origins: (i) primary attacks: allowattackers to gain initial access to the network,such as Internet malware, social engineering, andremovable drives malware. (ii) subsequent attacks:help attackers penetrate further into the network,such as SQL-injection, weak authentication bypassand other LAN-based infection. (iii) final attacks:cause actual damage on the field devices, such asbuffer-overflow and man-in-the-middle attacks.

An attack path 〈(ti, tj),mk〉 is derived by attachingan applicable attack method mk to an edge in the

3


network, indicating a possible way to progress theattack from one target ti to another tj . For this paper,we develop a logic reasoning engine to generateall possible attack paths for a given network, whichaltogether render an attack graph. An example ofsuch an attack graph is given in the Fig3(a) of thecase study section. O(ti) has all outbound pathsfrom the target ti. At each step of an APT, attackersdecides either to upgrade an attack method, or toperform an attack aganist a target. In the cases ofupgrading, attackers have to further select the attackmethod to upgrade, while in the cases of actualattacking, attackers have to decide which outboundattack path to proceed.

Definition 1 An attack mixed strategy a :=〈α, β,Φ,Ψ〉, where

• α ∈ [0, 1], probability of upgrading a method.• β ∈ [0, 1], probability of launching attacks, andα+ β = 1.

• Φ = [φ1, . . . φn], probability distribution over Mand φk denotes the probability of upgrading theattack method mk and

∑ni=1 φi = 1, φi � 0.

• Ψ = {ψ1, . . . ψm}, a set of probability distributionsover outbound paths from all targets, and ψi =[ϕ1

i , . . . , ϕki ] denotes the probability distribution

over all outbound paths from the target ti, denotedby O(ti) = [p1

i , . . . , pki ] and

∑kj=1 ϕ

ji = 1, ϕj

i � 0.

Upgrading attack methods is likely to increase thechance of success, while only attacking brings actualimpacts. Both actions consume resources. A greedyattacker spends most effort on performing attacksrather than upgrading, but such attacks would notsucceed on heavily defended targets. A methodicalattacker tends to launch infrequent attacks withmore advanced attack methods. Finding an optimaldistribution between upgrading attack methods andactual attacking is not an easy task, particularlysince the chosen attack strategy has to be evaluatedagainst unknown defender’s strategy.

The notion of defenders characterises the role ofa security manager who needs to find a way ofdeploying defense controls to protect an ICS. Wedefine a set of defense controls C = {c1, . . . , cm},that are available for an defender to employ andD(ci) is the set of attack methods ci counters.Defenders also have two actions to comprise adefense strategy – advancing a defense control oractually deploying a control. Unlike attackers whohave specific targets to plan attacks, defendershave to protect a number of targets at differentlevels of a network from numerous possible attacks.Particularly, to combat APT-like attacks, defendersare required to consider not only defending oneparticular attack, but also stopping the exploit and

formation of a complete attack route reaching themost valuable targets.

Definition 2 A defense mixed strategy d :=〈γ, δ,Θ,Ω〉, where

• γ ∈ [0, 1], probability of advancing the defenselevel of a control.

• δ ∈ [0, 1], probability of deploy a control, andγ + δ = 1.

• Θ = [θ1, . . . θn], probability distribution over C. θi,probability of advancing ci and

∑ni=1 θi = 1, θi � 0.

• Ω = [ω1, . . . ωm], probability distribution overtargets T and ωj is the probability of deployingcontrols on target tj , and

∑mj=1 ωj = 1, ωj � 0.

Finding the most optimal defense strategy againstvarious unknown attack strategies is challenging.Several well known defensive strategies are givenas follows: (i) system wide defense-in-depth (DID);(ii) focusing the defense on the critical components(CCD) in the network; (iii) defend the bottlenecktargets through which all attacks have to pass; or (iv)mixture of the above. It is not easy to tell which oneis the most appropriate strategy combating varioustypes of attackers, and therefore we provide anagent-based solution to this problem.

3.2. Simulation

We first model an attacker and a defender as a pairof competing agents in a co-evolutionary process,where both agents aim to produce the optimalmixed strategies to maximise their payoffs. A PSOalgorithm is developed to solve such a problem.It starts with an initial set of randomised mixedstrategies for the attacker and defender, representedas particles in a swarm. The PSO then runs anumber of iterations in order to generate the bestresponse strategies to compete with each other. Ineach run, the algorithm moves the particles towardsa better solution, which is achieved by applyinga movement parameter (called a velocity) to theparticles. The velocity of a particle is a specialform of the mixed strategy, where the sum of allcomponents must equal zero.

The evaluation of a particle is conducted bysimulating the interactions between the attacker andthe defender over a fixed number of time steps.In terms of the damage that successful attackscause, the payoff of chosen actions at each step arescored, by which an overall score can be produced toevaluate their performance and the chosen strategy.At each time step the defender chooses an action,corresponding to advancing a control with probabilityγ and deploys new defenses to a network componentwith probability δ. If advance is selected, then thedefender increases the level of a control ci by

4


Figure 3: Case study on ICS security management: (a) attack graph with all attack paths(dashed edges are removedfor Case 5); (b) attack methods from top weaknesses of ICS; (c) Common defense controls for ICS and attack methodsdefended.

1 based on a single selection from amongst theprobabilities defined by Θ. If the defender choosesto deploy a defense, then they select a device givenby the distribution and apply all available controlsfor that device up to the maximal level advanced sofar. In a similar manner, the attacker advances themethods which they are able to exploit the systemwith probability α and attempt to attack the systemwith probability β. When an attacker chooses toattack, the attacker starts at the node labelled EXTand selects a node to attack, and an associatedmethod to advance to that node. An attack can onlybe considered successful if the level of the attackis greater than the level of defense at that node,the success of an attack is given by comparing thelevel of the method of attack used and the highestlevel of control implemented on that node. If anattack is considered successful, then the attackerselects a new node from that location and a newmethod to attack, and the process is repeated untileither an attack is unsuccessful or, there are nomore outward paths from the current node. Whenan attack is halted, the players each receive ascore associated with the last node that has beensuccessfully reached.

4. CASE STUDY

In this section, we demonstrate the effectivenessof our tools with a case study on ICS securitymanagement. The case study uses a typical three-zone ICS architecture extracted from Kuipers andFabro (2006); Stouffer et al. (2011). As givenin Figure 3(a), there are three zones in thearchitecture, Corporate Network, Control Networkand Field Devices. Each circle represents acommon type of host in each specific zone.For instance, cpWs stands for a workstation inthe corporate network, and ctRWs for a remoteworkstation in the control zone. EXT and PLC

are two special nodes, representing the externaluntrusted environment and the key control unitsrespectively. Besides, a number of attack methodsare gathered in Figure 3(b) from ICS Top 10 Threatsand Countermeasures, BSI (2014) and CommonCybersecurity Vulnerabilities in ICS, Department ofHomeland Security (2011). The corresponding set ofdefense controls is given in Figure 3(c), derived fromBSI (2014) and Kuipers and Fabro (2006).

A complete attack graph in Figure 3(a) is thengenerated by our ASP reasoning engine for thecase study. Each exploitation of a weakness of thesystem is represented by an edge in the graph.For instance, all attacks aiming to PLC have toat least comprise either ctRWs or ctWs which hasdirect access the PLC, and then launch attacks suchas Buffer Overflow (finM1) and Man-in-the-middle(finM2). These control workstations are generally notconnected to any untrusted network, but they can beinfected by other hosts in the same control networksuch as ctHmi and ctHist in the example. Besides,remote workstations used by remote maintenancecontractors are threatened by viruses infected byother external assets.

We design five scenarios for different analysispurposes. Table 1 highlights the key settingsof the cases. Case 1 aims to find out theoptimal defense for protecting a single high-valuedtarget PLC, while Case 2 increases the valuesof ctRWs and ctWs to create a larger defensecoverage to consider. Case 3(a) and 3(b) implementpaired strategies for both the attacker and thedefender, to investigate the interactions betweendifferent strategies. Case 4 particularly studiesthe the performance of defense-in-depth against amethodical attacker. A complementary Case 5 isdesigned to find out effective defensive strategies toprotect a network with bottleneck nodes.

5


Table 1: Case study settings

Case 1 Single high-valued target (e.g. PLC)Case 2 Multiple high-valued targetsCase 3(a) DID defender vs. Greedy attackerCase 3(b) CCD defender vs. Methodical attackerCase 4 DID defendervs. Methodical attackerCase 5 Bottleneck-node Defense

The PSO algorithm sets the size of a swarm at200, which was sufficient to represent and explorethe search space. The simulation operates over100 moves per particle and for 100 generations ofcompetition between the two agents. The w valuesfor all factors contributing to the velocity were setat 0.05, this was set so as to allow for betterexploration of the strategy space, by not favouringa single component. It runs over 50 time steps forthe attacker and defender strategies and a particle isevaluated 30 times to reduce variance from the non-deterministic nature of the simulated environment.

5. RESULTS

The results of the simulations are represented ascombined effort heat maps of the network, shownin Figure 4. The results represent the combinedeffort that should be applied to the asset in thenetwork. For the defender, the combined effort isthe probability of upgrading the defense of a node,added to the probabilities associated with advancingthe controls that are relevant to defending that node.Additionally, the attackers effort is represented bythe lines connecting the node, where the combinedeffort is the probability of using that attack path andthe probability of using and advancing the attackmethods relevant to that line. In Figure 4, the higherthe combined effort, the darker the colour of eitherthe line or node.

In this initial case 1, where we consider that eachplayer only has interest in the PLC, we see that inFigure 4(a) that the defender chooses to apply alarge proportion of effort to the PLC Node.

The results present a case where the defenderchooses to split effort evenly between advancing andupgrading, but chooses with p > 0.95 to advancecontrol c6 and applying that defense to the PLCnode. While the defender chooses to upgrade andimplement c6 in the results presented, c5 is equallypreferable in this scenario since it also protects PLC.In addition to this, it is in the best interest of thedefender to upgrade only a single control and notattempt to use both c5 and c6, since the effort wouldbe split between the two, but would not achievethe same level of defense, since we consider thedefensive level to be equal to the highest of thecontrols implemented.

Since the only damage in the system is representedat the PLC node, this reduces the expected damageto near zero levels. Since the damage reachesa near zero level, the attacker has relatively fewstrategic choices, with the primary method beingto be as aggressive as possible, with the aimof exploiting the system before the defender hasestablished an effective defense.

As part of this, we see some incidental effort that isapplied to both cpServer and ctHist, this is becausecontrol c6, has some protective capability for bothof those nodes, however the actual level of upgradeapplied to those nodes is very minimal.

Case 2 in Figure 4(b) represents a scenario, wherethree nodes in the system are considered valuableto both the attacker and the defender.

Unlike Case 1, the defender in this scenario choosesto use control c5 instead of c6. The reason for this isthat in Case 1, there is no reason to try and defendany other nodes, because the one valuable node isfully protected, however with additional nodes thatare valuable there may be a justification for applyingdefense elsewhere, which would warrant the use ofa control that is effective against the highest numberof additional vulnerabilities.

In this case slightly more emphasis has been placedby the attacker on attacking ctWs over ctRWs, sincethe former has a slightly higher value for the attackerif it is compromised. While the defender does playa defense-in-depth strategy, that would allow for theattacker to attack ctWs with p = 1 to get a higherscore, the defender would be able to shift defensivestrategy to that node to reduce the damage evenfurther, as such it is in the best interest of the attackerto spread the attack between ctWs and ctRWs.

Case 3 presents a scenario where there is value toboth players across the whole of the system. Unlikein other cases, we see that there is no single strategythat provides the best defense for the defender.In this case we see that there are two possibilitiesfor both the attacker and the defender.

Figure 4(c) shows the first pair of strategies, whichrepresents a defense-in-depth and a greedy attacker.

The heat map displayed in Figure 4(c) shows alow effort value on all of the nodes. The reasonfor this apparently low effort, is that the defensiveactions are spread across all the nodes and controls.This defensive strategy aims to provide a basicdefense on all of the nodes as quickly as possibleand then tries to slowly upgrade the whole defenseover time. This is a simple strategy that will preventmost conventional attacks, but would not provide an

6


Figure 4: Simulation Results

Table 2: Optimal Distribution in Strategies

Case 1 Case 2 Case 3a Case 3b

DefenderUpgrade 0.47 0.47 0.77 0.47Advance 0.53 0.53 0.23 0.53

AttackerAttack 0.9 0.83 0.85 0.61Advance 0.1 0.17 0.15 0.39

effective mechanism against sophisticated attacks.The attacker we see in Figure 4(c) is similar to theattackers in both cases 1 and 2, which is considereda greedy attacker, since it attacks frequently tomaximise score by launching lots of unsophisticatedattacks. In this case the attacker is able to potentiallyscore quickly as there are a number of nodes thatthe attacker can exploit early.

Counter to this strategy, we have a defenderemploying critical component defense and a moremethodical attacker in Figure 4(d). The methodicalattacker, still prefers to attack, since continuallyadvancing the attack methods does not impacttheir score directly, however unlike the previouslyseen greedy attackers, the methodical attackerattempts to advance attack methods to be able toreliably overcome low level defenses that might beprotecting the outer components of the system. Thisis represented in in Figure 4(d) as a lower attackeffort across all lines.

The defender is the same critical component defensestyle defender that we saw in case 2, where despitethe system having a number of nodes with value thedefender chooses to defend only the most important.We have seen in Case 3a that this is not the onlypossible choice for the defender and is relevant tothe attack strategy.

It is important to note, that both the defensivestrategies shown for case 3 in Figure 4 are thecounter to the paired attacker strategy. A greedyattacker who is using low level attacks is counteredby a strategy that employs basic defenses acrossthe whole of the network, i.e. defense-in-depth.However a methodical attacker will be able to beatthis strategy, since they advance the attack methodsover the basic controls that are present in the systemwide defenses, allowing them to more frequentlyexploit the system to reach the high valued PLCnode. Against this methodical attacker, the defenderis best advised to play a critical component defensestrategy, since the attacker attacks less frequently,so the average expected loss is reduced and thePLC is not normally compromised. In this case theattacker is more incentivised to launch numerous lowlevel attacks that are able to get past basic defenses,which is akin to the initial greedy attacker.

Table 2 shows the distribution of optimal strategiesfor each player amongst the two main actions. Thedefender’s actions in Cases 1, 2 and 3b have thesame optimal probabilities, in which the defendersplits the effort in a near even manner betweenadvancing the level of the control and implementingthe upgrades. Likewise in Cases 1, 2 and 3a,the attacker chooses to attack with probabilityp(A) > 0.8. This represents the consistent behaviour

7


Table 3: Distribution of Upgrade Effort by Node

Node cpWS cpEmail cpDatabase cpServer ctWS ctRW ctHmi ctHist DataCase 3a 0.05 0.01 0.13 0.01 0.18 0.18 0.04 0.17 0.22Case 3b 0.1 0.1 0.1 0.1 0.1 0.1 0.1 0.1 0.92

of an aggressive attacker and a critical componentdefender. However if we consider the patient attackerin case 3b, we see that they attack with a lowerprobability, increasing the the likelihood that theirattacks are more sophisticated. The defender incase 3a upgrades the defense more frequently thanthe other defenders, where the defender advancesthe controls rarely, opting to implement lower levelcontrols where available, this is consistent with adefense-in-depth style approach.

Table 3 shows the distribution of emphasis onupgrading the defense at each node in the network.Case 3b shows that there is little emphasis placedon any node other than data, with a value of 0.1 oneach node except for Data, which has a upgradeprobability of 0.92. This is in contrast to case 3a,where Data only has an upgrade probability of 0.22.The rest of the probability is then distributed amongstthe rest of the node. This is also reflected in the effortplace on controls, where in case 3b control c5 isused with p(c5) = 0.97, but in case 3a the highestdistribution for any control is c3 with a p(c3) = 0.25.

6. DISCUSSION

The results present a scenario where we seethat there is a rationale to consider that criticalcomponent defense is the most viable defensivestrategy given a limited amount of resources fordefending a system. This appears to hold true inthe case of industrial control systems with a singleasset or set of assets that are considered particularlyvaluable compared to the rest of the system. Witha single point of failure, the defender is incentivisedto defend that node very heavily, even in the faceof other low value attacks. As the value of thedamage across the system rises, in comparison tothe node with a single point of failure, the defendernow has more incentive to protect more of the nodesif possible. The results of case 3 identify that there isa certain point where the value of the system causesthe defender to look at the trade-off between multiplelow level threats and single highly sophisticatedattacks. While the specific view of an ICS in thispaper focusses on those with highly valuable fieldcontrollers, however not all ICS systems have thesesingle high value nodes; it is ICS with this kindof property that with limited resources it would bebest to employ a critical component defense stylesystem.

Figure 5: Case 4: methodical attack vs. defense-in-depth

To demonstrate this we considered a further case,where each of the nodes has a similar value forsuccessful compromise, with the outermost nodes allvalued at 100 with nodes at each successive depthworth an additional 10 to the attacker. This removesa single critical point of failure for the defender, whichwould spread the damage out across the systemmore evenly. Without a single point of failure for thenetwork, the defender is offered two main strategies,a system wide defense-in-depth, that protects theslightly more valuable inner nodes, while providingbasic security across the network, or a perimeterdefense strategy, where the defender attempts toprotect each of the outer nodes as highly as possible.

The results presented in Figure 5 show that byapplying a more even spread of value across thenetwork, the defensive strategy is consistent with thestrategy presented in case 3 for the defense-in-depthstyle defender. Unlike case 3 we are presented withonly a single attacker and defender strategy, wherethe attacker is a methodical attacker. The reason forthis is that since the defender has equal value acrosstheir system, there is no incentive to try and defend asingle point, given that any targeted defense strategywould be met with an attacker strategy that wouldobtain better results by ignoring that node. Forthis reason it means given a methodical attacker,the attacker has no incentive to change to a lesseffective greedy approach, which dictates that thesame cyclical nature of attack and defense strategiespresented in the results of case 3 do not occur.

While exploring the concept of defense-in-depth, weidentified that this strategy does not make sensewhen there is a single focal point to defend andmultiple routes to reach that node. We consideredthat if there was a defensive point earlier in the attackgraph, that had the same defensive properties as

8


Figure 6: Case 5: defending bottleneck

the single valuable node, then it might be preferableto defend at that point instead. Thus we consideredthat if we could create a bottleneck for the attacker,then it would be more preferable for the defender tonot protect the vulnerable node directly, but insteadprotect the system at a node causing a bottleneckearlier in the system. The reason for this, is thatwhile defending at bottleneck, the defender is ableto protect not only the most vulnerable node, but allnodes after the bottleneck in the graph. The rationalefor this is similar to that of perimeter defense.

To test the idea of defense in bottlenecks, wehave designed an additional Case 5, where all ofthe attacks must pass through the node ctHist inorder to reach the PLC node. We modified thescenario for case 3, by removing three attack paths(highlighted in dashed lines in Figure 3(a)) from theattacker.

The results in Figure 6, show that by creating abottleneck of attacks at an earlier stage of the attack,it is better to defend ctHist. Since ctHist is protected,then ctWs, ctRWs and PLC are all effectivelycovered as well, which is better than the alternativecritical component defense scenario, which wouldleave ctHist, ctWs and ctRWs uncovered. Thesystem wide defense presented in case 3a wouldalso be less efficient in a number of cases, sincespreading the defense would potentially open theattacker to higher value nodes if the attacker wereto implement a more methodical approach.

From the results, the defender uses c5 to defendthe node, since it covers the vulnerabilities at ctHist.Much like in cases 2 and 3, the defender chooses c5as the primary control to upgrade, because it givesthe best opportunities for covering additional nodeswith minimal additional investment of time.

Conceptually we believe that critical componentdefense makes sense, but as a special case of thewider concept of defending bottlenecks. As such,a system that represents defense in bottlenecksconsiders that the defense should be centred aroundthe set of minimal elements that all attacks must

pass through, and if there are multiple minimal setsof nodes, then the defense should be applied at theset of nodes that occur earliest in the collection ofattack paths. It should be noted that this applieswhen the value of assets increases with depth of theattack or with a single level of highly valuable nodes,such as those in an industrial control system.

7. CONCLUSIONS

This work shows that when a defender has relativelyfew valuable assets in a system, the best use ofresources and effort available is to apply the defenseto the most valuable nodes. This kind of defenseis particularly important in a number of ICS, wherethere is a single critical point of failure for theorganisation. This strategy does not work effectivelyif the system has a wide spread of valuabletargets, since there is no single place to focusthe defensive strategy to protect the system. Underthese circumstances, defense-in-depth is generallypreferable, since a set of controls across all nodesof the network will reduce the viable attack surface.The defense-in-depth strategy works most effectivelyagainst volumes of attacks, not sophistication, whenwe consider limited resources.

When there is a network that also contains othervaluable assets, the optimal defensive strategy mustconsider the kind of attacker the system faces.Where we consider that critical security controls isbest applied to those scenarios where the attackerdevelops sophisticated attack methods and attacksless frequently. However, when there is a hyperaggressive attacker that is attempting to attack thesystem frequently using relatively low effort attacks,then a defense-in-depth strategy is preferred.

Additionally, we have also introduced the notionthat a more general form of the critical componentdefense strategy is to consider a defensive strategythat operates at bottlenecks in the system byconsidering at a location that provides the minimalattack surface. It should be noted that not alldefenses in ICS are equal, and defending at certainnodes, such as the PLC, might not be viable due toa reduction in performance, such as the battery lifeof controllers in the field. In addition to consideringperformance metrics for implementing defensivestrategies in a system, further work would be carriedout looking at alternative network structures thatwould be capable of testing the idea of defense atbottlenecks further. Coupled with this we aim to lookat the relative amount of resources that each playerhas available to identify if the strategies diversify andwhat causes the diversification. We will also considerassigning a temporal factor to each attack in order toconduct time-dependent analysis.

9


ACKNOWLEDGEMENT

This work is funded by the EPSRC project Trustwor-thy Industrial Control Systems (EP/L021013/1).

REFERENCES

BSI (2014, Mar.) Industrial control systemsecurity top 10 threats and countermeasures2014. Available from https://www.allianz-fuer-cybersicherheit.de/ACS/DE/ downloads/techniker/hardware/BSI-CS 005E.pdf

Department of Homeland Security, U. S. (2011)Common cybersecurity vulnerabilities in industrialcontrol systems. Available from www.ics-cert.us-cert.gov/sites/default/files/documents/DHSCommon Cybersecurity Vulnerabilities ICS20110523.pdf

Durkota, K., et al. (2015). Game-theoretic algorithmsfor optimal network security hardening usingattack graphs. In: Proceedings of the 2015International Conference on Autonomous Agentsand Multiagent Systems. 1773–1774.

Eberhart, R. C. and Kennedy, J. (1995). A newoptimizer using particle swarm theory. In: Proceed-ings of the sixth international symposium on micromachine and human science. New York, NY, USA,1, 39–43.

Falliere, N., et al. (2011). W32. stuxnet dossier. whitepaper, Symantec Corp., Security Response 5.

Fielder, A., et al. (2016). Modelling cost-effectiveness of defenses in industrial controlsystems. In: Computer Safety, Reliability, andSecurity (SAFECOMP). Springer.

Fielder, A., et al. (2014). Game theory meetsinformation security management. In: ICTSystems Security and Privacy Protection.Springer, 15–29.

Gao, K., et al. (2011). A hybrid security situationprediction model for information network basedon support vector machine and particle swarmoptimization. Power System Technology, 4, 033.

Gebser, M., et al. (2011). Potassco: The Potsdamanswer set solving collection. AI Communications,24(2), 107–124.

Karnan, M. and M. Akila. (2010). Personal authen-tication based on keystroke dynamics using softcomputing techniques. In: Communication Soft-ware and Networks, 2010. ICCSN’10. SecondInternational Conference on. 334–338.

Kennedy, J. (2010). Particle swarm optimiza-tion. In: Encyclopedia of Machine Learning.Springer, 760–766.

Korzhyk, D., et al. (2010). Complexity of computingoptimal stackelberg strategies in security resourceallocation games. In: AAAI.

Kuipers, D. and Fabro, M., (2006). Control systemscyber security: Defense in depth strategies. UnitedStates. Department of Energy.

Lippmann, R. P., et al. (2005). Evaluating andstrengthening enterprise network security usingattack graphs. Defense Technical InformationCenter.

Ma, Z. and P. Smith (2013). Determining risksfrom advanced multi-step attacks to criticalinformation infrastructures. In: Critical InformationInfrastructures Security. Springer, 142–154.

Noel, S., et al. (2010). Measuring security riskof networks using attack graphs. InternationalJournal of Next-Generation Computing, 1(1),135–147.

Ou, X., et al. (2006). A scalable approach to attackgraph generation. In: Proceedings of the 13th ACMconference on Computer and communicationssecurity. 336–345.

Poli, R. (2008). Analysis of the publications onthe applications of particle swarm optimisation.Journal of Artificial Evolution and Applications, 3,2008.

Poli, R., et al. (2007). Particle swarm optimization.Swarm intelligence, 1(1), 33–57.

Small, P. E. (2011). Defense in depth: An impracticalstrategy for a cyber world. SANS Institute,Bethesda.

Srinoy, S. (2007). Intrusion detection model basedon particle swarm optimization and supportvector machine. In: Computational Intelligence inSecurity and Defense Applications, 2007. CISDA2007. IEEE Symposium on. 186–192.

Stouffer, K., et al. (2011). Guide toindustrial control systems (ics) security.NIST special publication. Available fromhttp://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf

Tsai, J., et al. (2009). IRIS - A tool for strategicsecurity allocation in transportation networks, 2.International Foundation for Autonomous Agentsand Multiagent Systems (IFAAMAS), 1327–1334.

10

Documents

Defense-in-depth vs. Critical Component Defense for ... · ommended Defense-In-Depth Architecture (Kuipers and Fabro 2006) is designed in Section 4 to demon-strate the effectiveness