Professional Documents
Culture Documents
A. Control center communication networks met when there are one or more countermeasures
Fig. 2 shows the communication paths within power system implemented for an attack leaf. Any technology that is applied
control networks. Entities in the control center, substation to defend the attack leaf would satisfy condition 2. An
automation system, distribution management system, example is a web server installed with a firewall that monitors
Independent System Operator (ISO), and power plant process the access to prevent malicious intrusions through online
control system are interlinked. The interdependency of the traffic. Password implementation for each attack leaf is
communication and power system infrastructures plays an considered for assessment. Poor password practices result in
essential role to wide area monitoring and control. The unauthorized access. A system can face the risks of
communication link is an optical fiber network or a unauthorized access, even though it may be password
microwave system. Backup control centers provide coverage protected. Condition 2 and condition 3 may influence
for disaster scenarios that may disable the primary control condition 1. For instance, implementation of the new
center, e.g., loss of data communication, critical monitoring technological countermeasures can reduce the likelihood of
and control facilities. In addition, Web-Based SCADA is the intrusions. Applying boundary protection in a firewall with a
Internet-Based SCADA and application services to utility set of rules can also reduce access from anonymous users.
industry that provides convenient and low cost maintenance This would reduce attempted intrusions and enhance system
by out-sourcing the maintenance services. This is security. The other example is that condition 3, with stronger
implemented using a client-server architecture though password policies, would also protect the system from being
Internet. compromised. However, this does not change the number of
Primary Path of Communication attempts.
Power Plant Secondary Path of Communication TABLE I
Process Control
System RULES FOR CONDITIONS 1,2, AND 3
(Generators)
Primary
Primary Conditions Rules
ISO
Control
Center
Control The system is free of intrusion attempt
Center
Condition 1 that is concluded from the electronic
Substation
Web-Based
SCADA
Automation
System (Buses)
evidences in the system.
Backup At least one or more countermeasures are
Backup
ISO Condition 2
Control
Center
Control implemented to protect an attack leaf.
Center
Distribution At least one or more password policies
Management
System (loads) Condition 3 are enforced corresponding to each attack
leaf.
Fig. 2. Real-Time Communication within Power System Control Networks
The overall communication and computer infrastructure is III. VULNERABILITY ASSESSMENT OF CYBERSECURITY
complex. Deficiencies of security guidelines and policy The procedure to evaluate vulnerability indices is depicted
enforcements may result in penetration to the networks. in Fig. 3. As shown in the figure, the procedure starts with an
Vulnerability assessment for each entity is to identify the analysis of the attack objectives. Then the attack tree and
access points to the network as well as cyber assets. This countermeasures are established. The system vulnerability
includes comprehensive password policy enforcement and index is obtained by evaluating the scenario vulnerability and
constant auditing of unused default ports available. the leaf vulnerability for selected scenarios and the
corresponding attack leaves.
B. Introduction to the methodology
Identify adversary attack objectives
A cybersecurity vulnerability index is a measure of the
likelihood that an attack tree or attack leaf will be
Identify possible security vulnerability and
compromised by hackers [11]. Each attack leaf may have formulate an attack tree
weaknesses that are prone to attack. The vulnerability index
ranges from 0 to 1, from the most invulnerable (0 value) to
the most vulnerable (1 value). There are separate vulnerability Determine cybersecurity conditions
Identify intrusion scenarios on each attack leaf
indices for each attack leaf and each intrusion scenario. There
based on the attack tree
is also an overall system vulnerability index. All indices range
from 0 to 1. Compute leaf vulnerability
A vulnerability index is determined based on: (1) evidence
of attempted intrusions; (2) existing countermeasures and Evaluate scenario vulnerability
improved countermeasures [12]; and (3) password policy
enforcement [13]. The vulnerability index is evaluated with Determine pivotal attack leaves by limiting the upper
bound of the scenario vulnerability
the hypothesis listed in Table I [14]. Three conditions are
defined in Table I. Condition 1 states that there is no evidence Decision-making to improve
to suggest that there are intrusion attempts for the system. system vulnerability
Condition 1 is not met when there are credible evidences of Fig. 3. Procedure to Evaluate Vulnerability Indices
malicious attempts based on electronic data. Condition 2 is
3
L, i } is a set of intrusion
intrusion scenarios. A vector of scenario vulnerabilities is
A. Cybersecurity conditions given in (2) where I = i1 , i2 , { K
This section evaluates the cybersecurity conditions, ω ,
that is a preliminary evaluation before the specific scenarios. The Vs is determined from the maximum value of
vulnerability indices related to leaves and scenarios are the scenario vulnerability set. Each intrusion scenario is a
calculated. The cybersecurity condition assessment is based possibility that leads to successful penetration of the system.
on technological countermeasures and enforcement of the The vulnerability of a scenario is the product of leaf
password policy. vulnerabilities where each scenario vulnerability is formed
The cybersecurity condition is measured by a number ω ,
L, s L, n} .
with a different subset of S. Scenario vulnerability indices are
that assumes the values of 0. 0.5, or 1. The value 0 indicates given in (3) where s1 , s2 , K ∈ S and S = {1, 2,
that the system condition is invulnerable while value 1
The symbol s represents an index subset of S that is the
indicates the system is vulnerable.
1) ω =0.00: universal index set of attack leaves and n is the total number
of attack leaves.
If [(Condition 1) AND (Condition 2) AND (Condition 3)],
then ω =0.00
All conditions in Table I are satisfied. Advanced VS = max {V ( i1 ) , V ( i2 ) , L,V ( i )} = max ( V ( I ))
K
(1)
countermeasures are deployed and comprehensive password V ( I ) = ⎣⎡V ( i1 ) V ( i2 ) L V ( iK ) ⎦⎤
T
(2)
policies are enforced. There is no evidence that the system is
subject to malicious attempts. ⎡V ( i1 ) = ∏ v ( G j ) ⎤
⎢ ⎥
2) ω =0.50:
j∈s1
⎢ ⎥
If <[(Condition 1) AND (Condition 2)] OR ⎢V ( i2 ) = ∏ v ( G j ) ⎥ (3)
V(I) = ⎢ j∈s2 ⎥
[(Condition 1) AND (Condition 3)] OR ⎢ ⎥
M
[(Condition 2) AND (Condition 3)]> , ⎢ ⎥
then ω =0.50 ⎢V ( iK ) = ∏ v ( G j ) ⎥
⎢
⎣ j∈sK ⎥
⎦
Any two of the conditions in Table I are satisfied.
3) ω =1.00:
If( [(Condition 1) OR (Condition 2) OR (Condition 3)] OR A leaf vulnerability is evaluated by (4). The cybersecurity
(None of the condition)], then ω =1.00 condition number ω must be identified first. The basis for
Only one of the conditions is met or, evaluation is to pre-determine the leaf vulnerability condition
None of the conditions are satisfied. with respect to the evidence of attempted intrusions,
technological countermeasures, and password policy
B. Evaluation of vulnerability indices enforcement, which was discussed in Section III(A). To
This section is concerned with the cybersecurity vulnerability evaluate the strength of technological countermeasures, the
of an attack tree. There are four steps to assess the security total number of countermeasure types is determined, which is
vulnerability: (1) Identifying the intrusion scenarios, (2) denoted by a constant 5 in (4). Then, the ratio between the
Evaluating vulnerability indices for the system, intrusion countermeasures implemented at the specific attack leaf to the
scenarios, and attack leaves, (3) Evaluating security total number of countermeasure types is determined, where
improvements, and (4) Identifying the pivotal leaves. nC T is the number of countermeasures types implemented at
1) Identifying the intrusion scenarios from the attack tree: an attack leaf [12]. The strength of the ratio is deducted from
First, the intrusion scenarios from the attack tree are 1 to convert it to the vulnerability ratio.
identified. Then, the possible intrusion scenarios are ⎪
v ( Gk ) = ⎨
{ ( C ) T {
⎧max ω ⋅ 1 − ( n 5 ) , ω ⋅ max Θ ( C P )
} } ,ω > 0 (4)
enumerated. Each of the intrusion scenarios is the ⎪ max
⎩ { (1 − ( n 5)) ,
CT { ( )} } 3
max Θ C
P ,ω = 0
combination of attack leaves that are formed with “AND” or
“OR” attributes configured in the attack tree. The leaf Second, the weighting factor of the password policy
vulnerability index v(Gk ) of each attack leaf is evaluated
enforcement is evaluated. Each password policy should be
assigned with a value Θ(C P ) based on Table II. The weight
once all the intrusion scenarios are determined. The scenario
assignment of the password policy enforcement indicates the
vulnerability is the product of the corresponding attack leaf
level of difficulty to crack the password. In Table II, an
vulnerabilities.
increment of (approximately) 0.33 point starting from the
strong password policies of 0 value for Θ(C P ) is used. The
2) Evaluating vulnerability indices:
There are three security vulnerability indices: (i) system strongest password policies deter or prolong the cracking
vulnerability, (ii) scenario vulnerability, and (iii) leaf process. Neither brute-force trials nor social engineering
techniques can break through in a short period of time.
4
{ ( )}
TABLE II
i.e., max Θ C = 0.67 .
P WEIGHT ASSIGNMENT FOR PASSWORD POLICY ENFORCEMENT
Descriptions Θ(C P )
In (4), for ϖ > 0 , the final evaluation of leaf vulnerability Absence of password policies
is based on the more vulnerable of the two measures, which is No password exists for a user
account
the higher value among the two sets, C , C ∈ C where
P T
1.00
Existence of a guest account that is
C P ⊄ C T , and C T ⊄ C P . On the other hand, for ϖ = 0 , known to many, e.g., the password
is the same as username
the more vulnerable of two countermeasures is divided to
Poor password policies
reflect the fact that 3 measures are used for cybersecurity With factory default password
conditions, i.e., evidence of malicious attempts, technology Set with combination of username,
countermeasures, and password policy enforcement. 0.67
company name, date of birth, that is
possible to crack using social
3) Evaluating security improvements engineering
Security improvement can be achieved by a replacement or Good password policies
additional countermeasures. The improvements for an attack Password length with 7 characters
0.33
long
leaf and intrusion scenario can be measured with the
Implement maximum password age
implementation of the defense nodes denoted as v′ ( G ) and Comprehensive password policies
V ′ ( i ) respectively, for the leaf and scenario vulnerability after The old passwords are not allowed
for new password change
an improvement is implemented. The degree of improvement 4-character categories of
for a leaf vulnerability is given by combination (A-Z, a-z, 0-9, !@#
0.00
⎡⎣ v′ ( G ) − v ( G ) ⎤⎦ v ( G ) ×100% and similarly for scenario (non-alphabetic characters) )
Password length with 8 characters
improvement. or longer
Enforce a password age to less than
4) Determine the pivotal leaves 3 months
The system vulnerability is evaluated based on (2).
Improvements of the leaf vulnerability can lead to higher IV. CASE STUDIES
system vulnerability. To identify the pivotal leaves for system The methodology proposed in the previous section is
vulnerability enhancement, an optimization problem is applied to study cases here. The purpose is to identify the
proposed: access points of power system control networks and evaluate
the network vulnerability. The objective of the proposed
min VS (5) attack tree is focused on penetration of the control center
s.t. intranet from others, e.g., substation intranet with Virtual
V(I ) ≤ V(I ) (6)
Private Network (VPN) connection. An attack tree based on
Fig. 2 is constructed; the case studies are subject to specific
v (G ) ≤ v (G ) (7) business practices. The model incorporates the existence of
factory default password and insufficient security
( ) ( )
where 0 ≤ v G , V I ≤ 1 improvement [16]. The attack leaves include countermeasures
The combination of scenario vulnerability is subject to the to improve the system vulnerability.
configuration of an attack tree because system vulnerability is An attack tree illustrated in Fig. 4 consists of disruptions
expressed as a function of scenario vulnerability. The through a power plant, substation, or web-based SCADA. The
objective of this formulation is to minimize system disruptions include sabotage on computer systems and power
vulnerability by lowering the upper bound of the scenario systems. These combinations may result in an intrusion into
V ( I ) . By doing so, the pivotal leaf
the control center. To derive the scenario combination, groups
vulnerability,
of attack leaves are arranged as follows:
combination for system improvement is determined. The
Remarks:
5
Enterprise mission to
AND Leaf disrupt power system control
Group 1 Group 2
Defense
OR countermeasure Disrupt web-based
Disrupt
sets control center SCADA system
Group 1c Group 1d
Attack the system G19: Inhibit the
Disrupt G16: Disrupt by opening the status of the
backup real-time switching devices switching devices
control services
center c26
c25 G17: Exploit G18: Exploit
G14: Disrupt Disrupt VPN the online the web server c11
G15: Disrupt connection to c26 vulnerability vulnerability
communication distributed relational
servers substations
c16 c25 c23
database c20
c19 c11 c26 c15 c1
c16
c12 c6
c19
Group 1b
c2 Disrupt power Group 1a Disrupt
plant operations substation
c4
G4: Disrupt G5:Exploit Disrupt the G10: Disrupt G11: Exploit G12: Exploit G13: Exploit
G1: Exploit Shut down G6: Inhibit all the G7:Exploit
communication remote terminal substation relational the VPN wireless dial-up
the services online status communication
wireless servers connection SCADA database connection connection connection
connection of substation
c9 c9 c23 SCADA c16 c20 c20 c20
c2 G2: Search for unit
G8: Exploit G : Exploit
9
c25 c25 c26 c3 available relevant files c19 c19 c26 c25
c3 equipment
ports
management control c26 c4 c2 c8 c2 c2
commands c22 c10
G3: Disrupt
c2 c21 c4 c21 c4 c4
c8 c1
unit loading
c10 control service
c1
c24 c25
c1 c16
c2
⎡ G1 ⎤
⎡ G7 ⎤ ∏G i → i1 ∏G i → i2 ∏G i → i3
⎢
G × G9 ⎥⎥
i =1,14 ,15 ,16 i = 2 , 3,14,15,16 i = 4 ,14,15,16
⎢
G × G3 ⎥⎥
⎢ 2
⎢ 8
∏G i → i4 ∏G i → i5 ∏G i → i6
⎢ G10 ⎥
i =5 ,14 ,15 ,16 i = 6 ,14 ,15,16 i = 7 ,14,15,16
Group 1a: ⎢ G4 ⎥ ; Group 1b: ⎢ ⎥;
⎢
⎢ G5 ⎥
⎥ ⎢ G11 ⎥ ∏G i → i7 ∏G i → i8 ∏G i → i9
⎢ G ⎥ i =8, 9 ,14,15,16 i =10,14,15,16 i =11,14,15,16
⎢ G ⎥ 12
⎣ 6 ⎦ ⎢
⎣ G13 ⎥
⎢
⎥
⎦
∏G i
i =12,14,15,16
→ i10 ∏G i
i =13,14,15,16
→ i11 ∏G
i =17 ,18
i → i12
[
Group 1c: G14 × G15 ; Group 1d: G16 ; ] [ ] ∏G i → i13 (8)
⎡G17 × G18 ⎤
L,i
i =19
Group 2: ⎢ ⎥ where i1 , i2 , 13 ∈I
⎣ G19 ⎦
These attack leaves include countermeasures that can be
Each group represents the security flaw of a sub-network from technological countermeasures or password policy
power plant, substation networks, and web-based SCADA
L, c } and
enforcements. The description of each countermeasure is
C P = {c1 , c2 ,
system. Groups 1a and 1b represent a disruption of power
listed in the Appendix. The sets
L c } are countermeasure sets for password
plant operations and substation automation. Security breaches 7
in these groups may also result in penetration to the control C = {c8 , c9
T
26
center. Groups 1c and 1d represent a disruption of the backup
L
Each intrusion scenario is derived from attack leaves, factory default password and enhancing security
where G1 , G2 , , G19 are attack leaves. Intrusion scenarios countermeasures, the leaf vulnerability has been improved.
According to (4), the number of countermeasures types
are expressed as follows:
implemented at an attack leaf is essential because it influences
the vulnerability of a leaf. Attack leaves 5 and 17 do not
6
on the same countermeasure technology, i.e., access control.) leaves 7, 15, 16, 17, 18, 19 are the pivotal leaves to improve
Attack leaf 3 has the greatest improvement. This is due to the the security measure in order to satisfy V I . ( )
combination of technological countermeasure types and
elimination of the guest account. Eliminating the factory V. CONCLUSION AND FUTURE WORK
default password and guest account improved the leaf
vulnerability. The proposed methodology can be used to systematically
In the next step, V (I) and V′ (I ) are evaluated using
evaluate the vulnerability and improvements based on
cybersecurity conditions, technological countermeasures, and
(3). Each intrusion scenario is the product of attack leaves in password policy enforcement. Security improvement of an
(8). The scenario vulnerability is plotted in Fig. 6. Note that attack tree depends on the total number of countermeasure
the logarithmic scale is used in Fig. 6(a) to highlight the types and password policy enforcement on each attack leaf.
difference between V (I ) and V′ ( I ) . As shown in Fig. Case studies of the power system control networks have been
performed to determine the vulnerability indices. To avoid
6(a), the first 11 intrusion scenarios have a greater manual, exhaustive search on each attack leaf, an optimization
improvement. However, intrusion scenarios 12 and 13 do not problem is formulated that can be solved to determine pivotal
show much improvement. Fig. 6(b) shows vulnerability leaves for security improvements.
improvement for each intrusion scenario. Finally, the system The formulation of attack trees does not capture the
vulnerability indices before and after the improved sequence in which attack leaves are penetrated in a scenario,
countermeasures are implemented, Vs and Vs′ , respectively, however, an attack tree can be used as the foundation to
emulate penetration testing, confirm the hypothesis, and study
are determined from V (I ) and V′ (I ) . The system security flaws. Besides, attack trees can include budgetary
constraints to evaluate system vulnerability that determines
vulnerability indices, Vs and Vs′ , are 0.33 and 0.13, the optimal security investment based on this framework.
(a) Scenario vulnerability
respectively. 0
10
(a) Leaf vulnerability
Existing countermeasures
1
Existing countermeasures
Improved countermeasures
−1
10
Improved countermeasures
0.8
Vulnerability Index
Vulnerability Index
−2
0.6 10
0.4 −3
10
0.2
−4
10
0
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19
Attack Leaf, G −5
10
1 2 3 4 5 6 7 8 9 10 11 12 13
Intrusion Scenarios, I
(b) Vulnerability improvement for each attack leaf
80
70
(b) Vulnerability improvement for each intrusion scenario
Vulnerabilty Improvement, %
60 100
50 90
40 80
Vulnerability Improvement, %
30 70
20 60
10 50
0 40
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19
Attack Leaf, G
30
Fig. 5. Leaf Vulnerability with Existing and Improved Countermeasures
20
10
It is desirable to identify critical attack leaves that are
0
influential for the improvement of system vulnerability. Table 1 2 3 4 5 6 7 8
Intrusion Scenarios, I
9 10 11 12 13
III shows the numerical results based on (5)-(7). The upper Fig. 6. Scenario Vulnerability with Existing and Improved Countermeasures
bound of the v G ( ) is set to 0.5 which represents an
TABLE III
intermediate level of vulnerability. Table III shows the FOUR UPPER BOUNDS ON SCENARIO VULNERABILITY FOR EACH LEAF
required changes for each attack leaf with a different upper V(I ) 1 0.01 0.0001 0.000001
bound of scenario vulnerability shown in each column. The v(G1) 0.3611 0.3611 0.4355 0.4407
highlights are changes from the output of optimization. By v’(G1) 0.2000 0.2000 0.1995 0.1980
7