CEDRICS INFO

CEDRICS (RITICS@City)

CEDRICS addresses the following objectives:

  • To develop sound and scalable approaches to communicate the cyber security component of business risk to a range of stakeholders. This will address the need to communicate understanding of the threats, the vulnerabilities, their business impact and their mitigations.
  • To develop a risk based approach to assessing defence in depth of industrial control systems (ICS) with specific focus on cyber security. This will involve developing probabilistic models that address explicitly the evolving relationship between an Adversary, the attacks, the potential consequences and the effectiveness of the mitigations and barriers.

The work is conducted in two interrelated packages:

WP1 Understanding and communicating cyber risks

What is argument? What is evidence? How are people to be persuaded? How should they be persuaded? Such questions about ‘argumentation’ cross many disciplines (mathematics, logic, philosophy, ethics to name a few) and have been widely studied over many years. We have been developing, with industry funding, an approach to argumentation that is based on claims, arguments and evidence (CAE) to enable reasoning and communication about the trustworthiness of socio-technical systems. Currently, the application of CAE is often deliberately simplified and constrained in what it expresses and how it argues. The aim here is to improve the rigour, facilitate challenge and enhance the communication of risk and assurance. We draw on work on safety cases and assurance and argumentation, both formal and informal.

We will explore how stakeholders, at different levels within organisations, can obtain the understanding they need of cyber risks. We will apply this Claims Argument Evidence (CAE) framework to explain cyber related risk, exploiting our experience of designing safety and assurance cases. CAE has been successfully used to communicate to stakeholders at different levels, both within safety-critical industries and in some leading finance sector applications.

We will extend this preliminary work in two specific areas: i) how to improve its rigour: a semantics for CAE that covers both the informal and formal aspects of risk communication is needed; ii) how to deal with the scale and level of detail needed in a cyber-informed risk assessment: an abstraction framework that supports scale and compositionality is required.

WP2 Evaluating defence in depth and impact of dependencies

WP2 addresses factors of risk and uncertainty that are especially hard to assess and to communicate for a typical cyber-physical system (CPS). In this WP we will build on our own work on modelling interdependencies of critical infrastructures, which is characterised by a few essential features:

  • The modelled elements operate non-independently: their dependencies may be either deterministic (e.g. functional) or stochastic (e.g. common stress).
  • We combine stochastic modelling based on the stochastic activity networks formalism (SAN) with deterministic models (e.g. flow models) specific to the modelled infrastructures.
  • A model of an Adversary is defined which is coupled with a specific CPS. The decisions taken by the Adversary and the uncertainty associated with them are captured by the model in the form of probabilistic parameters.
  • The model of CPS, subjected to cyber-attacks, is solved via Monte Carlo simulation to establish the specific losses due to cyber-attacks. This approach allows for objective comparison of different attacks and also the effectiveness of the available defences, thus allowing for rational decisions about cost-effective investment in cyber-defences.

WP1

We have identified the following distinct tasks to operationalize the research in WP1:

Task 1.1. Undertake an impact analysis for integrating cyber issues into current risk assessment of ICS. Input from project partners and other stakeholders will be important here to identify the communication needs of stakeholders. We will explore how to communicate epistemic uncertainties associated with High Impact Low Probability risks, as well as the socio-technical and psychological aspects of regulatory decision making.

Task 1.2. Define a set of archetypal argument fragments that are CAE “building blocks” for security and assurance cases. The scope of the blocks will be based on an analysis of real risk assessments as well as requirements captured from first principles. These might address, for example, describing the impact of a security control on a system. Define a semantics for the “blocks” that combines the informality of uninterpreted terms with the power of formal techniques such as model checkers and SAT solvers. Prove the formal parts of the fragments correct and well formed.

Task 1.3. Experiment with the expressiveness of the CAE “block” approach to determine if it adequately captures the stakeholder risk assessments. Consider ways of graduated rigour for deploying the CAE fragments i.e. using the formal semantics to underpin less formal uses. Review and revise CAE in the light of this.

Task 1.4. Research issues of compositionality and scale. Develop further the abstraction models which range from policy level to implementation level and build on other research on layered assurance. This will be driven by the stakeholder examples.

WP2

The work in WP2 is conducted in a number of interrelated tasks:

Task 2.1: Probabilistic models of an Adversary applicable to modern ICS. We extend the state of the art as follows:

  • capture dependence of the adversary profile on the likelihood of successful attack on ICS;
  • adversaries act either in isolation or in collusion, e.g. SWARM attacks which in turn can be either pure cyber-attacks or a combination of vandalism and cyber-attacks;
  • capture evolution of the adversary profiles over time. This evolution may be due to successful attacks or due to ‘strengthening’ the defences of the ICS, e.g. due to introducing new technologies.
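The modelling approach outlined in WP2 and Task 2.1 (defence-in-depth barriers, an Adversary whose profile changes with its own success, and Monte Carlo estimation of loss so that defence investments can be compared) can be illustrated with a small simulation. The following is an added example written for this page; it is not code from the CEDRICS/RITICS project or its toolset, and it uses no SAN formalism or flow model. Every barrier strength, cost, loss figure and capability parameter is a constructed assumption chosen to show the mechanics, not calibrated data.

```python
"""Toy Monte Carlo assessment of defence in depth against an evolving adversary.

Added illustration only: not code from the CEDRICS/RITICS project. All numbers
(barrier strengths, losses, costs, capability dynamics) are constructed assumptions.
"""
import random
from dataclasses import dataclass


@dataclass
class Barrier:
    """One defence-in-depth layer. `strength` is P(stop) against a baseline adversary."""
    name: str
    strength: float   # in [0, 1]; constructed
    cost: float       # constructed cost unit, used only for investment comparison


@dataclass
class Adversary:
    """Adversary profile whose capability scales the chance of passing each barrier.

    The profile evolves: capability rises after each successful attack (learning,
    better tooling) and is capped, so repeated success does not grow without bound.
    """
    capability: float = 1.0        # multiplier on the baseline pass probability
    learn_gain: float = 0.10       # constructed increment per successful attack
    max_capability: float = 3.0    # constructed cap

    def pass_probability(self, barrier: Barrier) -> float:
        # Baseline P(pass) = 1 - strength, scaled by capability and clamped to [0, 1].
        p = (1.0 - barrier.strength) * self.capability
        return min(1.0, max(0.0, p))

    def learn(self) -> None:
        self.capability = min(self.max_capability, self.capability + self.learn_gain)


def simulate_campaign(barriers: list, adversary: Adversary, steps: int,
                      loss_per_breach: float, rng: random.Random) -> float:
    """One campaign of `steps` attack attempts against the barriers in sequence.

    An attempt causes loss only if every barrier is passed (defence in depth);
    each breach feeds back into the adversary profile via `learn()`.
    """
    total = 0.0
    for _ in range(steps):
        breached = all(rng.random() < adversary.pass_probability(b) for b in barriers)
        if breached:
            total += loss_per_breach
            adversary.learn()
    return total


def expected_loss(barriers: list, steps: int, loss_per_breach: float,
                  trials: int, seed: int, initial_capability: float = 1.0):
    """Monte Carlo estimate of expected campaign loss; returns (mean, standard error)."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        adv = Adversary(capability=initial_capability)   # fresh profile per trial
        losses.append(simulate_campaign(barriers, adv, steps, loss_per_breach, rng))
    mean = sum(losses) / trials
    var = sum((x - mean) ** 2 for x in losses) / max(1, trials - 1)
    return mean, (var / trials) ** 0.5


def compare_investments(options: dict, steps: int, loss_per_breach: float,
                        trials: int, seed: int) -> list:
    """Rank defence configurations by expected loss plus defence cost.

    `options` maps a configuration name to its barrier list. Returns tuples of
    (name, expected_loss, stderr, loss_plus_cost), cheapest overall first.
    """
    results = []
    for name, barriers in options.items():
        mean, se = expected_loss(barriers, steps, loss_per_breach, trials, seed)
        defence_cost = sum(b.cost for b in barriers)
        results.append((name, mean, se, mean + defence_cost))
    results.sort(key=lambda r: r[3])
    return results


# Constructed defence layers and candidate investment options.
PERIMETER = Barrier("perimeter firewall", strength=0.6, cost=20.0)
SEGMENTATION = Barrier("network segmentation", strength=0.5, cost=30.0)
MONITORING = Barrier("anomaly detection and response", strength=0.7, cost=50.0)

OPTIONS = {
    "perimeter only": [PERIMETER],
    "perimeter + segmentation": [PERIMETER, SEGMENTATION],
    "full defence in depth": [PERIMETER, SEGMENTATION, MONITORING],
}

if __name__ == "__main__":
    for name, mean, se, total in compare_investments(OPTIONS, steps=50,
                                                     loss_per_breach=10.0,
                                                     trials=2000, seed=1):
        print(f"{name:26s} expected loss {mean:8.2f} +/- {se:5.2f}"
              f"   loss + defence cost {total:8.2f}")
```

The ranking of options by loss plus defence cost is the "rational decision about cost-effective investment" the text refers to: a layer is worth buying only when the loss it averts, under an adversary that adapts to earlier success, exceeds what it costs. Reporting the standard error alongside the mean makes clear how much of any difference between options is simulation noise rather than a real effect.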

Task 2.2: Toolset for model-based risk assessment. Since the WP is driven by examples, the existing tools will be continuously enhanced to allow for studies, as summarised in Task 2.1, to be conducted.

Task 2.3: Industrial examples. We will apply the new modelling techniques and tools on a number of realistically complex case-studies:

  • We already have several detailed descriptions of complex power systems (transmission and distribution) and the respective ICS (based on the international standard IEC 61850 for a substation in power systems). These will be used in the work on WP2.
  • With our partner ALSTOM Grid we have identified a number of practically interesting problems specific to ICS, e.g. the impact of limited observability of the state of the power network (e.g. due to sensor failures or DoS attacks) on the accuracy of the advice produced by so-called “special purpose software”, i.e. advisory software which assists operators with control decisions in case of emergency. How limited observability affects the decisions taken by the operators will be studied in detail.

PROJECT PARTICIPANTS

Professor Robin Bloomfield (Principal Investigator)
Professor Robin Bloomfield is a Professor of System and Software Dependability in the Department of Computer Science at City, University of London and a founder of Adelard LLP, a dependable systems consultancy. He is a Fellow of the Royal Academy of Engineering.

Contact him at reb@adelard.com or at R.E.Bloomfield@city.ac.uk.

Professor Peter Bishop (Co-Investigator)
Professor Peter Bishop is a Professor in the Department of Computer Science at City, University of London and a Chief Scientist at Adelard LLP, a dependable systems consultancy.

Contact him at P.Bishop@city.ac.uk or at pgb@adelard.com.

Dr Peter Popov (Co-Investigator)
Dr Peter Popov is a Reader in the Department of Computer Science at City, University of London.

Contact him at P.T.Popov@city.ac.uk.

Dr Kateryna Netkachova (Researcher)
Dr Kate Netkachova is a Research Assistant in the Department of Computer Science at City, University of London and a Product Manager at Adelard LLP, a dependable systems consultancy.

Contact her at Kateryna.Netkachova.2@city.ac.uk or at kn@adelard.com.

Dr Kizito Salako (Researcher)
Dr Kizito Salako is a Research Fellow in the Department of Computer Science at City, University of London.

Contact him at K.O.Salako@city.ac.uk.

UNIVERSITY INFORMATION

City, University of London – Centre for Software Reliability (UK)

Company Profile and Expertise

The Centre for Software Reliability (CSR) is an independent research centre in the School of Informatics at City, University of London. The Centre was founded in 1983 to address the new reliability problems posed by software. Its scope of research now covers various aspects of system dependability and resilience, including quantitative methods for security assessment, dependability of human-machine systems, and assessment of interdependent critical infrastructures. Over the years, CSR has attracted research funding from the UK Research Councils and the EU Framework Programmes (on many projects on dependability), from industry, such as British Energy, EdF, Rolls Royce, from other UK and international agencies and private foundations; and built an international reputation for research achievements, acknowledged as world-class in the periodic UK-wide “research assessment exercises”.

CSR applies rigorous probabilistic/statistical methods and engineering expertise to difficult problems of prediction and decision. Throughout the years, CSR has been influential in advocating and defining a rigorous, quantitative approach to reasoning about dependability and safety, and in this direction it has made substantial contributions, for instance in software reliability, software metrics, and diversity for dependability.

City, University of London

+44 (0)20 7040 5060