Cybersecurity Assessment: Challenges and Advancements around the ADVISE Meta Framework / Francesco Mariotti. - (2025).

Cybersecurity Assessment: Challenges and Advancements around the ADVISE Meta Framework

Francesco Mariotti
2025

Abstract

A Cyber-Physical System (CPS) is a system consisting of a computer system (the cyber system), a controlled object (the physical system) and possibly interacting humans. In the past, CPSs were mainly designed to work in isolation. Nowadays, due to increasing complexity and the need for automation, such systems are becoming highly interconnected and remotely accessible for monitoring and control. They are therefore potentially exposed to malicious threats that could lead to catastrophic consequences, and cybersecurity is becoming extremely important for CPSs. Cybersecurity assessment is fundamental for identifying possible threats that could maliciously cause damage to a system. In industry, there is increasing interest in assessing the security of CPSs; see as an example the emergence of cybersecurity standards like ISA/IEC 62443 for industrial automation control systems, CENELEC CLC/TS 50701 for railway, and ISO/SAE 21434 for automotive. From an industry viewpoint, a cybersecurity assessment approach should take several needs into account, such as managing the complexity of the process, applying the assessment from the initial stages of system development, and reusing the approach to analyse different but similar systems. Due to the complexity of such systems, experts need methodologies and tools to face this difficult task. To help them evaluate a system's security, they need: i) a (semi-)formal approach to represent and compare different system components and architectures; ii) a well-founded and reasonably large catalog of attacks; iii) a standardized collection of adversaries; iv) a way to represent and analyse possible defense mechanisms and to capture the system's safety and security interdependencies.
Among other cybersecurity assessment approaches, like penetration testing and threat analysis, model-based evaluation is well known and used to analyse system properties such as safety, availability, reliability, and security. Thanks to its high level of abstraction, it brings benefits like complexity management, early-stage application, and reusability. In this thesis, we rely on an existing modeling framework, ADVISE Meta, which, starting from an ontology (specifying system components, attacks, and adversaries) and a user-defined architectural model of the system, makes it possible to automatically derive stochastic security models specified in the ADVISE formalism. These models can be used to evaluate the attack paths that adversaries can carry out, analysing, e.g., the probability that an adversary reaches a specific security goal, and to compare different architectural solutions. With respect to the aforementioned needs, we identified the following research challenges around the ADVISE Meta framework: i) the attacks and adversaries available in the framework's ontology are few and generic; ii) only the adversary's point of view is considered, without taking into account possible defense mechanisms and system dynamics. In this thesis, we propose contributions to face these challenges. First, we define a methodology to extend the ADVISE Meta ontology with a well-founded collection of attacks and adversary profiles coming, respectively, from the CAPEC database and the Threat Agent Library (TAL). Moreover, since manual integration of the CAPEC database is time-consuming, we propose using artificial intelligence as a support tool for the semi-automated integration of CAPEC attacks into the ADVISE Meta ontology. Then, to overcome the fact that the ADVISE formalism only takes the adversary's viewpoint into account, we rely on a more flexible modeling formalism, Stochastic Activity Networks (SAN).
Hence, we perform a model-to-model transformation from the ADVISE to the SAN formalism. This facilitates composition with other SAN models, which can represent defense mechanisms and system aspects, e.g., to analyse the interdependencies between safety and security. Moreover, with SAN, compared to ADVISE, we can represent additional attack scenarios, such as the execution of multiple attacks in parallel.
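To make concrete what an ADVISE-style evaluation computes, the following added example (not code from the thesis or the ADVISE Meta tool) models a constructed attack execution graph: attack steps with preconditions, skill requirements, success and detection probabilities, cost and payoff; adversary profiles with preference weights; and a "hardened" override that plays the role of the defense models the thesis composes with the attack model. It assumes simplified ADVISE-like semantics (the adversary greedily attempts the most attractive enabled step; a detected failure stops the attack) and computes the exact probability of reaching a goal plus the intended attack path; all step names and numbers are constructed.

```python
from collections import namedtuple
from functools import lru_cache

# requires: items held before the step; grants: item gained on success; p_detect: probability
# that a failed attempt is detected, which stops the adversary for good (simplified ADVISE semantics).
AttackStep = namedtuple("AttackStep", "name requires grants min_skill p_success p_detect cost payoff")
# Adversary profile in the spirit of TAL: a skill level plus ADVISE-style preference weights.
Adversary = namedtuple("Adversary", "name skill w_cost w_payoff w_detect")

NET, WS, PLC = "network_access", "workstation_access", "plc_control"
# Constructed toy attack execution graph for a remotely reachable controller (not the thesis' model)
STEPS = (
    AttackStep("social_engineering", frozenset({NET}), WS, 1, 0.5, 0.2, 2, 3),
    AttackStep("remote_exploit", frozenset({NET}), WS, 3, 0.25, 0.1, 5, 3),
    AttackStep("lateral_move_to_plc", frozenset({WS}), PLC, 2, 0.4, 0.4, 4, 10),
)
HACKTIVIST = Adversary("hacktivist", 2, 1, 1, 10)       # cost-aware, strongly avoids detection
NATION_STATE = Adversary("nation_state", 3, 0, 1, 10)   # cost-insensitive, strongly avoids detection
SEGMENTATION = {"lateral_move_to_plc": (0.2, 0.7)}      # constructed effect of segmentation + monitoring

def attractiveness(step, adv):
    return adv.w_payoff * step.payoff - adv.w_cost * step.cost - adv.w_detect * step.p_detect

def choose_step(steps, adv, state):
    # Enabled = precondition held, outcome not yet held, skill sufficient; adversary picks the most attractive
    enabled = [s for s in steps if s.requires <= state and s.grants not in state and adv.skill >= s.min_skill]
    return max(enabled, key=lambda s: attractiveness(s, adv)) if enabled else None

def attack_path(steps, adv, goal, start=frozenset({NET})):
    # The step sequence the adversary would follow if every attempt succeeded
    state, path = start, []
    while goal not in state and (step := choose_step(steps, adv, state)) is not None:
        path.append(step.name)
        state = state | {step.grants}
    return path

def goal_probability(steps, adv, goal, start=frozenset({NET}), hardened=None):
    # Exact probability that adv eventually reaches goal. `hardened` maps a step name to its
    # (p_success, p_detect) once a defense is deployed, the role SAN defense models play in the thesis.
    hardened = hardened or {}

    @lru_cache(maxsize=None)
    def prob(state):
        if goal in state: return 1.0
        step = choose_step(steps, adv, state)
        if step is None: return 0.0
        p, d = hardened.get(step.name, (step.p_success, step.p_detect))
        if p == 0.0: return 0.0      # never succeeds: detected eventually or retries forever
        # success -> next state; undetected failure -> retry; detected failure -> stopped.
        # Solving P = p*P_next + (1-p)(1-d)*P for P gives:
        return p * prob(state | {step.grants}) / (1 - (1 - p) * (1 - d))
    return prob(start)
```

Comparing `goal_probability(STEPS, HACKTIVIST, PLC)` with and without `hardened=SEGMENTATION` is the kind of architectural comparison the abstract describes, here with a defense folded into the attack model.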
2025
Paolo Lollini
Francesco Mariotti
Files in this item:
File: Thesis Francesco Mariotti.pdf (open access)
Type: Doctoral thesis
License: Open Access
Size: 3.75 MB
Format: Adobe PDF

Documents in FLORE are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: https://hdl.handle.net/2158/1416813