6/24/2019, Copyright 2019 KDM Analytics

Prioritize, Measure and Quantify Cyber Security Risk

CYBERSECURITY BEST PRACTICES: AUTOMATED MODEL-BASED RISK ASSESSMENT

Dr. Nikolai Mansourov, CTO KDM Analytics


CASE STUDY: EPBIH PRODUCTION SCADA

Case Study

• System under Assessment: SCADA – EPBIH implementation - Production level
  ▪ Only a model is assessed, NOT the real implementation

• Selected lightweight input format - Word doc with structured tables
  ▪ 12 tables
  ▪ Effort ~ 3 days (mostly to understand the details of the data flows)

• Imported the description into the Blade Risk Manager (BRM) tool
  ▪ 30 assets
  ▪ 28 attacker types
  ▪ 1294 attacks
  ▪ 41 identified risks

The architecture diagram

Using Word document as the model

Structured content in tables

System Description Table

Data Flow Table (fragment)

External Interface Table

Data Type Table

Capability Table

Imported Model

Architecture with “real” connections

Risk Matrix

Risk Matrix and Risk Inventory

Evaluated some controls

• Raw Risk (no controls)
  ▪ Unmitigated Risk Value is 1694.7
    ❑ very high risks: 1
    ❑ high risks: 3
    ❑ moderate risks: 27
    ❑ low risks: 5
    ❑ very low risks: 4

• Asked BRM to automatically suggest controls that mitigate the top risk in NIST low impact baseline
  ▪ 76 controls are recommended
  ▪ mitigated risk is 503.6
    ❑ very high risks: 0
    ❑ high risks: 2
    ❑ moderate risks: 23
    ❑ low risks: 11
    ❑ very low risks: 4

This risk is determined only by the means and opportunities of the attackers, given the targets within the system

More controls

• Asked BRM to mitigate the next top risk in NIST low impact baseline
  ▪ Same 76 controls, additional targets mitigated
  ▪ mitigated risk is 63.4
    ❑ very high risks: 0
    ❑ high risks: 0
    ❑ moderate risks: 6
    ❑ low risks: 25
    ❑ very low risks: 9

This risk is a what-if scenario, given the model of the system. A possible next step might be to consider the real controls known to the system owners

Risk Distribution after mitigation

Conclusions

• Automated risk assessment capability is
  ▪ Objective
  ▪ Systematic
  ▪ Repeatable
  ▪ Cheap to iterate (!)

• Top-down presentation of risk (risk matrix, risk distributions) helps focus on proper risk framing

• Easy to steer the tool based on your policy (e.g. adjustments of criticality and opportunities for attacks)

• Full traceability of risks all the way to the input facts

• Description of the system through a Word document is not ideal, but reasonably quick
  ▪ Better to import directly from the SCU files
  ▪ Easy to spot inconsistencies and re-run analysis
  ▪ Easy to introduce additional detail
  ▪ Easy to copy and paste to jumpstart the next project

QUESTIONS?