IoT devices are vulnerable to breach from a number of attack vectors – from Web application exploits to ransomware. The impact of an attack can affect the local network to which the devices are attached, but can also lead to large-scale attacks on remote network endpoints (e.g. DDoS). IoT attack vectors and impacts are broad in that they include processes, physical devices, human resources, communications links, etc. – all of which are interdependent, so an attack on, or failure of, one threat surface can cascade across the others. From an industrial control systems (SCADA) perspective we will test the utility of Dependency Modelling (DM) – a top-down, goal-to-dependencies risk assessment approach [1] – with a focus on responding to emerging threats and on resilience (reducing downtime) through a better understanding of complex socio-technical interdependencies. This is a collaborative project with project partner Airbus, hosted at the Centre of Excellence for Cyber Security Analytics at Cardiff University. Airbus are leaders in SCADA security research.
The Dependency Modelling (DM) method for building a top-down model of a system begins by identifying an overall goal and its first-level dependencies. We then determine the next-level dependencies, and so on. Loosely speaking, risk is about failing to achieve goals; thus, goals are central to the system model. In DM terms, risk in complex systems (which include IoT systems and critical infrastructure) relates to achieving, or failing to achieve, the provision of the fully functioning entities that goals depend upon. We refer to the successful provision of such an entity as a goal. Without a goal there is no risk, and changing goals alters the threat landscape. Since IoT systems are not necessarily even developed with explicit goals in mind, this changes the landscape considerably. Every element in a dependency model is an abstract goal. In other words, we are not interested in having an access control system (ACS) for its own sake; rather, we want to keep hackers out of the network. It quickly becomes clear that all goals are abstract in this sense. Having an ACS does not necessarily achieve the goal. Successfully defending a system depends on a number of factors (we refer to these collectively as the threat surface), including technology (such as an ACS), expert knowledge (how to configure the ACS), and people (abiding by the expected security policy). Simply requiring the existence of an ACS amounts to a box-ticking risk-management approach, which is unlikely to see the goal achieved.
The proposed scope of the project is to extend the SCADA testbed at Airbus with IoT devices from Cardiff’s IoT lab, both to enhance Airbus’ knowledge and expertise in IoT risks to SCADA and to test the utility of Dependency Modelling by incorporating goal success probability data, derived from ‘canned attacks’ on IoT devices, into a risk model of a SCADA system in order to simulate failure. Dependency Modelling should enable us to determine (i) how IoT attack surfaces map onto industrial control systems (and therefore critical infrastructure), (ii) how goal-oriented models of risk compare with traditional failure-oriented risk models when attack vectors are not always known but impacts are required to be known, and (iii) how useful Dependency Modelling is for determining response plans and, if possible, how system downtime could be reduced through Bayesian analysis.
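As an added illustration (not code from the project or from the DM tooling in [1]), the following toy model shows the goal-to-dependencies idea from the two paragraphs above: the root goal "keep intruders off the SCADA network" depends on the three threat-surface factors named earlier (technology, expert knowledge, people), each leaf carries a success probability, and a leaf probability is then updated from constructed "canned attack" trial counts with a simple Beta(1,1) Bayesian update. The conjunctive/redundant propagation rule, the probabilities and the trial counts are assumptions for illustration, not the project's actual DM algorithm or data.

```python
"""Toy goal-to-dependencies risk model (illustrative, not the project's DM tool)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Goal:
    name: str
    p: Optional[float] = None                    # success probability (leaf goals only)
    deps: List["Goal"] = field(default_factory=list)
    redundant: bool = False                      # True: succeeds if ANY dependency succeeds

    def success(self) -> float:
        """Propagate success probability up the tree (assumes independent dependencies)."""
        if not self.deps:
            return self.p
        ps = [d.success() for d in self.deps]
        if self.redundant:                       # e.g. primary + backup comms link
            fail = 1.0
            for q in ps:
                fail *= 1.0 - q
            return 1.0 - fail
        ok = 1.0                                 # all dependencies are required
        for q in ps:
            ok *= q
        return ok

    def leaves(self) -> List["Goal"]:
        return [self] if not self.deps else [l for d in self.deps for l in d.leaves()]


def bayes_update(k_success: int, n_trials: int) -> float:
    """Posterior mean of a success probability under a uniform Beta(1,1) prior."""
    return (k_success + 1) / (n_trials + 2)


def sensitivity(root: Goal) -> Dict[str, float]:
    """Gain in root success if each leaf were made fully reliable: where to spend effort."""
    base, out = root.success(), {}
    for leaf in root.leaves():
        saved, leaf.p = leaf.p, 1.0
        out[leaf.name] = root.success() - base
        leaf.p = saved
    return out


def build_model() -> Goal:
    # Constructed leaf probabilities for illustration only.
    acs = Goal("ACS deployed", 0.95)
    cfg = Goal("ACS correctly configured", 0.80)
    ppl = Goal("staff follow security policy", 0.70)
    return Goal("keep intruders off the SCADA network", deps=[acs, cfg, ppl])


def worked_example():
    root = build_model()
    before = root.success()                      # 0.95 * 0.80 * 0.70 = 0.532
    cfg = next(l for l in root.leaves() if l.name == "ACS correctly configured")
    cfg.p = bayes_update(k_success=6, n_trials=10)   # constructed: 6 of 10 canned attacks blocked
    return before, root.success(), sensitivity(root)
```

The sensitivity dictionary ranks which dependency most lowers the root goal after the update, which is the information a response plan needs even when the attack vector itself is unknown.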
Project outcomes include:
- Develop Dependency models that include industrial control system (SCADA) specific goals – covering a broad threat surface from human resources to cyber-physical security, without needing to specify implementation detail
- Conduct a gap-analysis literature review on SCADA attack vectors and threat surfaces with respect to IoT
- Develop multiple forms of attack vector and simulate attacks on IoT devices (social engineering, network intrusion, logic bomb, ransomware) within Airbus’ SCADA testbed using equipment from Cardiff’s IoT Lab
[1] Burnap et al., “Determining and Sharing Risk Data in Distributed Interdependent Systems,” in Computer, vol. 50, no. 4, pp. 72-79, April 2017.