A Configurable Dependency Model of a SCADA System for Goal-Oriented Risk Assessment
Abstract
1. Introduction
- What is required for achieving the safe and secure operation of a SCADA system (the core goal)? What does the success of this core goal depend upon?
- What is the likelihood of achieving the core goal?
- What can be done to maximise the likelihood of achieving the core goal?
2. Background: Dependency Modelling
3. Related Literature
4. Research Methodology
- Elicit relevant knowledge from experts using the mind mapping knowledge capture technique;
- Analyse the collected individual mind maps and develop a unified mind map of a SCADA system;
- Translate the unified mind map into a dependency model—the SCADA DM;
- Validate the SCADA DM with experts;
- Demonstrate how the SCADA DM facilitates risk assessment and supports decision-making (an illustrative example is presented in Section 6).
4.1. Why Mind Maps?
- It is easy to learn and use, so much so that all experts were able to produce detailed mind maps during a one-hour workshop. Previous work reports a comparative analysis of four knowledge sharing techniques (mind maps, concept maps, conceptual diagrams and visual metaphors) and finds mind mapping to be the easiest of the four to learn and use [22].
- It offers more time-efficient data collection for the researchers. In particular, using this method, we were able to elicit opinions from a group of experts at the same time, which would not be possible with interviews, for example.
- It allows optimising the data analysis by requesting the participants to produce mind maps themselves rather than the researchers producing a mind map based on the analysis of in-depth interviews or observations. According to [24], “mind mapping can allow researchers to make rapid and valid transcriptions of qualitative interviews without the need for interviews to be transcribed verbatim. It may also aid the researcher in the analysis of qualitative data by helping her or him to ‘bracket’ their own preconceptions, which is fundamental in phenomenological research”.
- The similarity of a tree-like structure between a mind map and a dependency model guarantees that the raw data are already well structured and easier to analyse and translate into a dependency model (than for example data from in-depth interviews). In addition, mind maps are association maps [23]—mind maps allow making meaningful connections and associations between various concepts and between different parts of related knowledge—and as such, they could efficiently depict dependency associations.
4.2. Data Collection—The Mind Mapping Workshops
- Place in the centre the name of the main topic—“SCADA” (use blue/black ink);
- Identify the major elements/components of a SCADA system, place them around the main topic and link them to the main topic with lines indicating dependencies within the system;
- For each new element of your mind map, identify sub-elements and connect them using lines to the element;
- Continue identifying sub-elements for each new element of your mind map until you reach the point where no more sub-elements may be specified;
- Use different colours to indicate the criticality of the elements within every node:
  - The most critical elements of a node—circle with red;
  - The elements of medium criticality—circle with green; and
  - The least critical elements of the node—do not circle.
- What is required for successful operation of a SCADA system?
- What does a system depend upon?
- What does each element of a system depend upon?
- How critical is each element (colour-coded answer)?
4.3. Participants’ Profile
4.4. Data Analysis and Development of a Unified Mind Map
- Familiarization—Immersion in the raw data (mind maps), in which the researchers reviewed all mind maps to gauge the richness of the material;
- Identifying themes—Key areas derivation from the raw data;
- Indexing—Linking key areas and other elements throughout all participants’ mind maps;
- Charting—Rearranging the data from individual mind maps into a unified mind map containing the data, first, from some and, then, all respondents;
- Mapping—In its general sense, this stage does not refer to mind mapping specifically, but to any form of creating a mental model or a framework of a phenomenon under investigation. In our case, we used mind mapping at this stage to define the phenomenon and find associations.
4.5. From the Unified Mind Map to a Dependency Model
- Elements from the unified mind map were combined to form one paragon when an entry in a mind map referred to the characteristics of another entity, e.g., a participant had drawn an element such as “Operating System” and then child elements depicting its characteristics such as “Secure” and “Up-To-Date”.
- The entities which outlined various concrete implementations of higher-level entities were not included; e.g., we only kept a paragon for an Operating System (OS), but we did not include all the different types of OSs listed by the participants (e.g., Linux, Windows, MAC OS), similarly for communication protocols. As the model is configurable, it is expected that a user will enrich the model with the paragons for every operating system that is in use by the organisation and paragons for every communication protocol that is relevant to the system being modelled.
- A small number of elements did not find a place in the final model, as they either did not fit the main structure of the model or were specific to a particular sub-domain rather than being relevant to SCADA systems in general.
- In a small number of cases, it was not possible to establish the meaning of the entity based on the information provided by the participants. This is one of the limitations of the chosen approach to data collection where we did not have an opportunity to clarify information provided during the workshops at a later stage.
4.6. Validation by Experts
- Does the top-level mind map reflect your vision of a SCADA system?
- Are there any irrelevant elements?
- Are there any elements missing (completeness and coverage)?
- Is the suggested hierarchy of elements consistent with your understanding of dependencies within a SCADA system?
- An ISC manager at a manufacturing plant: “It is useful to have an extensive model on its own to look at. It is very difficult to sit down in a traditional workshop and cover every scenario: you always forget something, you always miss something. Getting the right people round the table, being able to manage those people to go through all the scenarios is very time consuming and expensive. Most people do not want to be there; it becomes boring after a while for them. Certainly, if there is a predefined model that covers the majority of the scenarios, you miss less. To have a model which captures that wider experience saves us money, saves us time. Certainly, it is a useful tool”.
- An ICT manager at a manufacturing plant: “There is not really anything we use in terms of modelling that helps us accurately look at probabilities. That is why a dependency model may be quite useful, because you do not want to spend a huge amount of money if there is a very low probability and because for everything we do we have to justify costs against benefits. Without understanding probabilities it is very difficult to do that”.
- A SCADA specialist: “Never I could come up with over 400 elements in a model, I would have struggled. It is certainly useful as it is all about knowledge sharing”.
5. The SCADA Dependency Model
5.1. Top Level of the SCADA DM
- Management;
- System Architecture;
- Employees;
- External Dependencies (Environment);
- Data (Information); and
- System Life Cycle.
5.2. Key Areas Overview
- Availability;
- Integrity;
- Confidentiality;
- Agility;
- Sustainability;
- Maintainability;
- Operability;
- Resilience;
- Reliability; and
- Incident response readiness.
5.3. Configurability of the Model
6. Illustrative Example: Water Distribution System
6.1. Scenario Description
6.2. Configuring SCADA DM for the Scenario
6.3. Introducing Countermeasures into the Dependency Model
7. Conclusions and Future Work
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Acknowledgments
Conflicts of Interest
Abbreviations
Abbreviation | Meaning |
---|---|
BPMN | Business Process Model and Notation |
CNI | Critical National Infrastructure |
DM | Dependency Model |
HMI | Human–Machine Interface |
ICS | Industrial Control Systems |
OS | Operating System |
PRA | Probabilistic Risk Assessment |
SCADA | Supervisory Control and Data Acquisition |
RTU | Remote Terminal Unit |
Appendix A. Participants’ Profile
Participant No. | Domain | Role |
---|---|---|
1 | Government | Head of CNI/ICS defence |
2 | Academia | Research Assistant |
3 | Energy-Nuclear | C&I Safety Assessor/Inspector |
4 | Built Environment | Director |
5 | Aerospace, Marine, Energy and Defence | Software Intensive Systems Specialist |
6 | Nuclear, Defence, Aerospace and Marine | Strategy Lead/Consultant |
7 | Oil, Gas & Petrochemicals | Chief Engineer Control Systems |
8 | Academia/Electrical Energy | Lecturer |
9 | Various domains from risk perspective | Team Lead/ Cyber Security Consultant |
10 | Defence | Security researcher |
11 | Defence | Senior Engineer |
12 | Government and water | Security advisor |
13 | Academia | Technical Lead/Researcher |
14 | Academia | Professor |
15 | Aerospace | Cyber Technical Lead for Forensics |
16 | Energy, Gas and Smart Metering | Managing Consultant, R&D in Technology Group |
17 | Energy, water | Cyber security consultant |
18 | Academia | Research |
19 | Academia | Lecturer |
20 | Transport | Lecturer |
21 | Defence and space | Sales manager |
22 | Transport (Airports) | Technical architect |
23 | Transport (Rail and MRTS) | Senior Executive Officer |
24 | Energy, Net Grid | Technical Advisor |
25 | Energy | Developer |
26 | Energy | Consultant |
27 | Energy/Electricity | Technology Developer |
28 | Energy | SCADA System administrator |
29 | Space and Geographical Systems | Senior Software Developer |
30 | Energy (Transport) | Operations Manager |
31 | Various domains | Advisor, requirements, assessment |
32 | Energy | Product manager |
33 | Critical Infrastructure | CTO |
34 | Transport | Infrastructure specialist |
35 | Energy | Operations/System Engineer |
36 | Energy/Transport | Technical specialist |
Partic. No. | Years in SCADA | Aspects of SCADA | Years in Security | Aspects of Security |
---|---|---|---|---|
1 | 2.5 | Response/assurance testing | 20 | Malware, pen-testing, incident response, forensics etc. |
2 | 1 | SCADA forensics | 4 | Cyber security, digital forensics |
3 | 40 | SCADA/ICS | 4 | Computer-based safety systems |
4 | 3 | Business Processes & System Engineering | 18 | InfoSec, cyber security, system engineering and development of code of practice |
5 | 37 | Protection (safety) systems | 37 | Defence, information assurance |
6 | 2 | System design/integration, information assurance | 10 | secure systems design, secure life cycle, safety and security |
7 | 10 | Specification, Procurement, Functional Definition | 3 | Theory |
8 | 9 | WAN telecom delivery technology, synchro phasors | 0 | N/A |
9 | 1 | Cyber risk | 12 | Security architecture, cyber risk identification and mitigation |
10 | 5 | Not specified | 5 | Embedded systems |
11 | 1 | Research | 20 | Certification management, key management, system level, SOCs |
12 | 3 | Protective security of SCADA systems | 30 | Military, Management, policy and advisory role |
13 | 5 | Architecture and technologies | 5 | Networks |
14 | 2 | Aircraft Docking Systems and Taxiway routing | 7 | Detection and prediction of cyber attacks |
15 | 1.5 | Various | 8.5 | Forensics |
16 | 6 | Security Architecture and Integration, Response systems | 16 | System Architecture and Network security, cryptographic protocols, development, InfoSec Management, Systems and Governance |
17 | 1.5 | Risk assessment | 10 | IT |
18 | 3 | Resilience Modelling | 3 | Resilience Modelling |
19 | 6 | Networks | 6 | Networks |
20 | 2 | Their use in remote condition monitoring | 0 | N/A |
21 | 1 | Sales | 0 | N/A |
22 | 20 | Design and implementation (complete life cycle) | 0 | N/A |
23 | 7 | Complete SCADA System with main focus on Control Centre (Software, Hardware, Networking, System Integration etc.) | 15 | Information Security – ensure integrity of recording data, maintain data flows, controlled deletion |
24 | 30 | Statistics | 0 | N/A |
25 | 30 | Statistics | 0 | N/A |
26 | 8 | All aspects of SCADA | 8 | General knowledge |
27 | 20 | High level and generalisation at staff level | 2 | General and related to high level |
28 | 6 | Servers, security, network, changes/updates, education etc. | 10 | General knowledge |
29 | 1 | Design and architecture | 4 | Data Leakage Prevention, Security Policies |
30 | 22 | RTU, control systems integration | 5 | Ethical hacking, server hardening, DMZ |
31 | 15 | Cyber security | 20 | Diverse range of topics |
32 | 20 | Development | 5 | Security architectures, access control |
33 | 5 | Security and risk management | 20 | Governance and defence |
34 | 40 | Availability, procurement, projects, IT security, safety | 15 | Regulation, networks and other |
35 | 7 | Central system, RU, HMI, IED | 2 | VPN, tunnelling, firewalls, routing, DMZ |
36 | 15 | Remote control of substations | 0 | Some knowledge |
Average | 10.79 | | 9.01 | |
References
1. Miller, T.; Staves, A.; Maesschalck, S.; Sturdee, M.; Green, B. Looking back to look forward: Lessons learnt from cyber-attacks on Industrial Control Systems. Int. J. Crit. Infrastruct. Prot. 2021, 35, 100464.
2. Miller, B.; Rowe, D. A survey of SCADA and critical infrastructure incidents. In Proceedings of the 1st Annual Conference on Research in Information Technology, Calgary, AL, Canada, 11–13 October 2012.
3. Maglaras, L.; Ferrag, M.A.; Derhab, A.; Mukherjee, M.; Janicke, H.; Rallis, S. Threats, protection and attribution of cyber attacks on critical infrastructures. arXiv 2019, arXiv:1901.03899.
4. Cherdantseva, Y.; Burnap, P.; Blyth, A.; Eden, P.; Jones, K.; Soulsby, H.; Stoddart, K. A Review of cyber security risk assessment methods for SCADA systems. Comput. Secur. 2016, 56, 1–27.
5. The Open Group. Dependency Modeling (O-DM). Constructing a Data Model to Manage Risk and Build Trust between Inter-Dependent Enterprises; Open Group: San Francisco, CA, USA, 2012.
6. Patel, S.; Graham, J.; Ralston, P. Quantitatively assessing the vulnerability of critical information systems: A new method for evaluating security enhancements. Int. J. Inf. Manag. 2008, 28, 483–491.
7. Codetta-Raiteri, D.; Portinale, L. Decision Networks for Security Risk Assessment of Critical Infrastructures. ACM Trans. Internet Technol. (TOIT) 2018, 18, 29.
8. Cheminod, M.; Durante, L.; Valenzano, A. Review of Security Issues in Industrial Networks. IEEE Trans. Ind. Inform. 2013, 9, 277–293.
9. Ralston, P.; Graham, J.; Hieb, J. Cyber security risk assessment for SCADA and DCS networks. ISA Trans. 2007, 46, 583–594.
10. Taylor, C.; Krings, A.; Alves-Foss, J. Risk analysis and probabilistic survivability assessment (RAPSA): An assessment approach for power substation hardening. In Proceedings of the ACM Workshop on Scientific Aspects of Cyber Terrorism (SACT), Washington, DC, USA, 21 November 2002; p. 64.
11. Roy, A.; Kim, D.; Trivedi, K.S. Cyber security analysis using attack countermeasure trees. In Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research, Oak Ridge, TN, USA, 21–23 April 2010; p. 28.
12. Guan, J.; Graham, J.; Hieb, J. A digraph model for risk identification and management in SCADA systems. In Proceedings of the IEEE International Conference on Intelligence and Security Informatics (ISI), Beijing, China, 10–12 July 2011; pp. 150–155.
13. Zhang, Q.; Zhou, C.; Xiong, N.; Qin, Y.; Li, X.; Huang, S. Multimodel-based incident prediction and risk assessment in dynamic cybersecurity protection for industrial control systems. IEEE Trans. Syst. Man Cybern. Syst. 2016, 46, 1429–1444.
14. Baiardi, F.; Telmon, C.; Sgandurra, D. Hierarchical, model-based risk management of critical infrastructures. Reliab. Eng. Syst. 2009, 94, 1403–1415.
15. Gonzalez-Granadillo, G.; Dubus, S.; Motzek, A.; Garcia-Alfaro, J.; Alvarez, E.; Merialdo, M.; Debar, H. Dynamic risk management response system to handle cyber threats. Future Gener. Comput. Syst. 2018, 83, 535–552.
16. Kure, H.I.; Islam, S.; Razzaque, M.A. An integrated cyber security risk management approach for a cyber-physical system. Appl. Sci. 2018, 8, 898.
17. Taormina, R.; Galelli, S.; Tippenhauer, N.O.; Salomons, E.; Ostfeld, A. Characterizing cyber-physical attacks on water distribution systems. J. Water Resour. Plan. Manag. 2017, 143, 04017009.
18. Berglund, E.Z.; Pesantez, J.E.; Rasekh, A.; Shafiee, M.E.; Sela, L.; Haxton, T. Review of modeling methodologies for managing water distribution security. J. Water Resour. Plan. Manag. 2020, 146, 03120001.
19. Chittester, C.; Haimes, Y.Y. Risks of terrorism to information technology and to critical interdependent infrastructures. J. Homel. Secur. Emerg. Manag. 2004, 1, 402.
20. Haimes, Y.V. Hierarchical holographic modeling. IEEE Trans. Syst. Man Cybern. 1981, 11, 606–617.
21. Buzan, T. The Mind Map Book; Penguin: New York, NY, USA, 1991.
22. Eppler, M.J. A comparison between concept maps, mind maps, conceptual diagrams, and visual metaphors as complementary tools for knowledge construction and sharing. Inf. Vis. 2006, 5, 202–210.
23. Dixon, R.A.; Lammi, M. Cognitive Mapping Techniques: Implications for Research in Engineering and Technology Education. J. Technol. Educ. 2014, 25, 2–17.
24. Tattersall, C.; Powell, J.; Stroud, J.; Pringle, J. Mind mapping in qualitative research. Nurs. Times 2011, 107, 20–22.
25. Ritchie, J.; Spencer, L. Qualitative data analysis for applied policy research. Qual. Res. Companion 2002, 573, 305–329.
26. King, N. Using templates in the thematic analysis of text. In Essential Guide to Qualitative Methods in Organizational Research; Cassell, C., Symon, G., Eds.; Sage: Newcastle upon Tyne, UK, 2004.
27. Gertman, D.; Folkers, R.; Roberts, J. Scenario-based approach to risk analysis in support of cyber security. In Proceedings of the 5th International Topical Meeting on Nuclear Plant Instrumentation, Controls, and Human Machine Interface Technology, Albuquerque, NM, USA, 12–16 November 2006.
28. Campbell Scientific. CR1000 Measurement and Control System; Revision: 7/08; Campbell Scientific: Logan, UT, USA, 2008.
29. ISO/IEC 19510:2013(E); Information Technology—Object Management Group Business Process Model and Notation. ISO: Geneva, Switzerland, 2013.
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.
© 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Cherdantseva, Y.; Burnap, P.; Nadjm-Tehrani, S.; Jones, K. A Configurable Dependency Model of a SCADA System for Goal-Oriented Risk Assessment. Appl. Sci. 2022, 12, 4880. https://doi.org/10.3390/app12104880