A Methodology for Online Situational Awareness Provision in a Business Entity

Abstract

This paper presents a practical approach to building situational awareness at a critical infrastructure entity and its implementation in supporting security management. It outlines the main factors for achieving a high level of situational awareness and ensuring the safety and continuity of business objectives. Among other things, situational awareness requires precise identification and understanding of multilateral dependencies of infrastructure, services, and processes executed by the entity and services provided by external businesses, resulting from the strong interrelationship of the critical infrastructure sectors and the sharing of resources. Accordingly, this paper presents a cyberspace modeling methodology that supports an in-depth analysis of the causes and consequences of threat proliferation in a complex infrastructure–business environment and its implementation in a Situational Awareness Management System (SAMS). An emphasis is placed on threat propagation analysis and dynamic risk assessment mechanisms and how they are used to identify and take preemptive actions protecting or limiting the scope of the threats’ propagation. The paper concludes with insights from a pilot implementation of the system prototype and directions for further work.

1. Introduction

The critical dependence of government and corporate organizations on information technology means that cyber threats can significantly affect operational efficiency, causing significant economic and social consequences on both local and global scales. It means that the ability to anticipate severe threats to the operation of networks and information systems, especially those critical to the safety and continuity of business operations, and understanding their determinants and consequences, is becoming a fundamental requirement for security management systems. Such systems should also support building cybersecurity awareness at all levels of the organization and on a national and global scale, enabling it to respond quickly and appropriately to identified threats to avoid potential risks.

Situational awareness provision requires, among other things, the precise identification and understanding of multilateral interdependence of services and tasks provided by enterprises and public institutions, as presented in [1,2], caused by the interrelations of critical infrastructure sectors and the sharing of resources. It significantly expands the area of influence of cyber threats and creates new channels for attacks.

From the perspective of a single entity, the focus should be on more than just effectively managing the security of information infrastructure. It is also necessary to understand the implications of disruptions to the information systems, which can lead to a violation of continuous provision or deterioration of the quality and continuity of all related business processes and services and an inability to accomplish core business objectives. Since no organization operates in isolation, it relies on resources and services provided by various external entities, whose deterioration of continuity and quality can lead to severe consequences for achieving its goals, with the consequent transfer of associated risks to others. Therefore, elaborating a comprehensive modeling methodology of dependent services, business processes, and information and operational infrastructure and its adaptation by critical infrastructure entities can bring significant benefits.

A hierarchically ordered network of the objects’ dependencies, from the lowest infrastructural layers through business processes to the primary business objective, supports building situational awareness at all organizational levels (Figure 1).

It is worth noting that correctly executing the process of dependent object modeling brings several significant values. It enforces in-depth identification of the individual objects’ performance conditions. Thus, it leads to a precise understanding of their role and importance in achieving business objectives safely and effectively. Sometimes, it also permits detecting hidden, unobvious objects’ dependencies and their importance.

The network of dependent objects is the foundation for several detailed analyses. It can be used to assess the scale of risk propagation, enabling it to undertake advanced actions to respond appropriately and on time to threats occurring in lower layers. For instance, the degradation of example selected object X, shown in Figure 1, impacts some infrastructure and business layer objects marked in gray. Suppose the hazard’s spread rate and related objects’ degrading impact are known. Then, it is possible to identify the risks introduced by the event and assign them to the appropriate management levels. Knowing an object’s degrading impact, it is possible to assess its business importance, i.e., its relevance to achieving business goals. The network can be the platform for managing online cybersecurity awareness and conducting a range of “what if” analyses. For instance, it can be applied to detect the most vulnerable objects that are most likely to jeopardize achieving business goals, as discussed by Granat et al. [3], and assess the efficiency of the measures considered to mitigate the detected weaknesses.

From a global perspective, getting a complete situational picture requires individual critical infrastructure entities to share knowledge about the current state, threats to services provided, and tasks essential to ensuring the security of the state and citizens. Several factors significantly determine the effectiveness of the knowledge sharing necessary to achieve a high level of situational awareness. An essential condition is the readiness of all entities to share data about current and potential threats to ongoing tasks and services provided. In practice, the declarative level of information sharing is high; however, significant limitations exist when the sharing of specific data types, including sensitive ones from the entity’s point of view, is needed. This implies building strong trust relationships between partners and using advanced privacy mechanisms to share such data. Trusted data-sharing platforms such as the ISAC (Information Sharing and Analysis Center) are conducive to this, gathering information on cyber threats and allowing two-way sharing of information between the private and public sectors about root causes, incidents, and threats, as well as the sharing of experience, knowledge, and analysis. However, advanced solutions for trusted online data exchanges that support situational awareness provision and enable prompt reaction to identified threats have to be applied. Awareness of the benefits of knowledge sharing, such as acquiring information about the growth in the risk of services provided by external parties or notification of identified cases of IT vulnerability exploitation, can be an additional and crucial motivating factor.

The paper presents an original solution for the real-time assessment of the security (in terms of continuity, integrity, and confidentiality) and business continuity status of all infrastructure and business components of a critical infrastructure entity. It enables executives, particularly security managers, to conduct in-depth analyses of the impact of hazard events and their proliferation within the organization on achieving business objectives. The proposed mechanisms enable mitigating actions concerning the threatened components before they are compromised. They support sharing cybersecurity awareness at all organizational levels, stimulating a prompt reaction to potential hazard events and improving the entity’s security resilience. The paper follows up on the results of our earlier work [4,5], expanding them to present the following aspects:

• A comprehensive, methodological approach to online situational awareness management at a company level.
• A methodology for conducting in-depth threat analysis and dynamic risk assessment and propagation in a network of dependent services, business processes, and information infrastructure assets.
• An architecture of a Situational Awareness Management System, its implementation, and its pilot deployment in a critical infrastructure entity.

To the best of the author’s knowledge, the literature does not describe a solution to support the building and management of cybersecurity awareness at all levels of an entity, in its infrastructure and business layers, enabling its operational use to perceive and understand online the impact of hazard events on security and business continuity and make effective decisions in a wide range of threat situations.

The rest of the paper is arranged as follows. Section 2 briefly overviews selected approaches for increasing awareness of cyber threats and improving the security of networks and information systems. Section 3 depicts the modeling methodology for in-depth threats and risk propagation analysis. It outlines the concept of infrastructure and business object description and the process of assessing their dependencies. Emphasis is placed on threat propagation analysis, dynamic risk assessment, and using this knowledge at all the entity’s organizational levels. It also shows how it can be used to identify and take preemptive actions protecting or limiting the scope of the threats’ propagation. Section 4 introduces the Situational Awareness Management System, which implements the mechanisms described in Section 3 and supports the entity in online security and business continuity management. It outlines the system architecture, its basic features, and the user’s interaction with the system. It also includes several visuals to help the readers better understand the system’s operations and usage. Section 5 contains a sample scenario demonstrating the system’s opportunities and their use by a critical infrastructure entity.) Section 6 summarizes observations from the system’s initial implementation, and Section 7 summarizes the results obtained so far and indicates the direction of further work.

2. Related Work

The increasing number of threats targeting critical infrastructure makes its protection a priority research area. Various concepts for modeling threat propagation within interdependent critical infrastructure systems have been proposed to increase awareness of cyber threats and improve the security of networks and information systems. For instance, Wang et al. [6] present an approach to modeling cascading failure due to a natural disaster event in interdependent energy and water supply systems. The authors use a high-level architecture (HLA)-based co-simulation approach to integrate domain-specific models and model their interdependencies. Szpyrka et al. [7] propose modeling risk propagation within interrelated and isomorphic components of information systems with colored Petri nets. Stergiopoulos et al. [8] present a time-based analysis modeling technique for studying the evolution of dependency chains during slow, linear, and rapidly evolving cascading failures. As each dependency may follow a different time model, the authors use fuzzy logic to “fine-tune” each examined dependency and to simulate realistic approximations of dynamic cascading failures. They also describe a proactive modeling and security dependency analysis tool (http://github.com/geostergiop/CIDA, (accessed on 2 December 2024)) that enables the analysis of complex dependency graphs and the identification of critical dependency chains before an actual threat has occurred. They demonstrate its use in evaluating alternative defense strategies for complex, large-scale, and multi-sectoral dependency scenarios.

Several works present the mechanisms for building shared situational awareness based on collaboration and information exchange between organizations to increase information system and network resilience to cyber threats. For example, Puuska et al. [9] present an approach for building a shared situational awareness of critical infrastructure based on the Joint Directors of Laboratories data fusion model [10] for information collection and data processing. By aggregating and analyzing the data obtained from security management systems and their correlation, a global cybersecurity picture is created that also allows—due to the links between critical infrastructure elements—anticipating the risks of threat propagation. The authors examined the performance and the usability of the proposed solution during “human-in-the-loop” simulations incorporating the objective Situational Awareness Global Assessment Technique, the subjective rating approach the Situational Awareness Rating Technique [11], and the System Usability Scale measurements [12].

A comprehensive and distributed solution for the continuous monitoring, detection, and warning of threats affecting essential services provision, allowing for gathering processes and sharing distributed knowledge on hazard events, is presented in [13]. The system adopts a partnership model of cooperation between the system’s users, which means that the service providers are free to decide to join and comply with mutually accepted principles of collaboration, especially regarding shared data protection. Thus, coordinated actions at the central level enable building global cyber threat awareness and assessing cyber risk for a near-real-time response. A state-level risk assessment considers the dependencies of the services provided by the various operators and the threats posed by, among others, identified vulnerabilities and reported incidents. The implication of these threats is estimated based on the service impact metrics, and the aggregate risk is determined for a set of services rendered by a single operator or a group of operators within and between the sectors and in cyberspace.

Luidold et al. present in [14] the approach for smart collaboration of organizations operating in a highly dynamic cybersecurity environment required to comply with the European Network and Information Security (NIS/NIS2) directive. Based on a reference scenario for managing local and regional incidents and risks, the authors present the system architecture that supports the gathering, filtering, and sharing of relevant information within the multi-level European cybersecurity framework. It considers systemic and human aspects of cybersecurity in an organization, allowing it to define what is normal or abnormal based on its specific business, social, and technical context. Using these patterns, they leverage machine learning techniques to identify abnormal behavior, contextualize it with information about the threat/attack causing this behavior, and provide tailored mitigations to counter the attacks. It is worth noting that such an approach can also offer interesting technological support for sectoral information exchange and analysis centers (ISACs), which have been developing intensively recently.

The studies above present the mechanisms for collaboration and exchanging relevant data between organizations to build a common operational picture and shared situational awareness. However, they do not provide tools for the individual parties to support them in building local situational awareness and enabling them to analyze online cyber threats and risks that impact particular business processes and services rendered. Assessing the impact of threats in information systems and networks on the security and continuity of crucial business processes requires accurately mapping the dependence of the infrastructure and business layers (Figure 1) and appropriate risk propagation modeling techniques.

3. Impact of Hazard Events

3.1. Model of Cyberspace

For this paper, cyberspace denotes the complex environment resulting in the interaction of dependent information and operational systems, business processes, and services vital to accomplishing the entity’s goals and objectives. A reliable model of such cyberspace, considering the types of dependencies and the degree of interaction of its components, becomes the basis for conducting detailed analyses to identify potential threats and understand their sources and consequences for the organization.

In each layer of cyberspace, single or complex objects may exist. In the case of a single object, its intrinsic security and operational continuity features, such as exposure to security degradation, do not depend on the attributes of other objects. A complex object’s features are a function of the characteristics of a subset of its constituent objects and their impacts. Their typical examples are a redundant group consisting of a primary object and several backups or a high-availability cluster of grouped objects that operate as a single unified one, providing continuous availability.

An abstract object whose characteristics are derived from the internal organization of a group and the current values of the attributes of its components represents a redundant group in the model. The internal organization determines the reservation type (cold, hot, with or without limited resources), the type of object (primary, reserve), and the switching rules.

The various interactions between the objects can be defined. Depending on the context, they can represent resource or data flows, physical connections, or determinants of action. For situational awareness management purposes, the model should reflect the dependencies of objects expressed in terms of the impact of threat propagation resulting from the degradation of confidentiality (c), integrity (i), and availability (a).

Accordingly, the entity’s cyberspace can be modeled as a network:

$$\begin{array}{c}\hfill \mathit{N}=<\mathit{G},\mathit{F},\mathit{f}>\end{array}$$

(1)

where G = <V, E>—digraph, V—set of vertices representing objects, E—set of arcs representing object dependencies, F—set of functions defined at vertices of the graph, and f—set of functions defined at arcs of the graph.

At least two static metrics characterize each object:

• Relative criticality, $w_{nj}$, characterizing the significance of the object $V_n$’s impact on a dependent one, $V_j$;
• Business criticality, ${\upsilon }_n$, describing the importance of the object in accomplishing business objectives.

In addition, each business layer object is characterized by its maturity level $M\left(V_n\right)$, which indicates how it ensures operational capability by complying with security and business continuity standards, such as [15].

Each pair of related objects ($V_n$,$V_j$) is characterized by two metrics:

• Impact time, ${\tau }_{nj}$, determining the time after which the degradation of the security attribute of object $V_n$ will affect the values of the security attributes of the related object $V_j$;
• Impact scale, ${\Delta }_{nj}$, defining the level of degradation of the security attribute of object $V_j$ as a result of the security degradation of impacting object $V_n$.

Furthermore, two dynamic metrics, whose values depend on the level of threats identified at time t, are assigned to each object:

• Exposure to degradation $E_t\left(V_n\right)$, representing the likelihood of object degradation associated with identified vulnerabilities and hazard events at time t;
• Security risk $R_t\left(V_n\right)$, representing the impact of the security degradation of the object $V_n$ occurring at time t on accomplishing business objectives.

All object metrics are defined concerning confidentiality (c), integrity (i), and availability (a) except $M\left(V_n\right)$, which reflects availability only.

The relative criticality of the object $V_n$ concerning security attribute z that takes into account the impact of all P objects affecting the object $V_j$ is calculated using Equation (2):

$$\begin{array}{c}\hfill w_{nj}^z={\displaystyle \frac{s_{nj}^z}{{\sum }_{x=1}^P{s}_{xj}^z}},z\in (a,i,c),\end{array}$$

(2)

where $s_{nj}^z$—the level of impact of threats resulting from the degradation of security attribute z of the object $V_n$ on the corresponding security attribute of the related object $V_j$.

The business criticality of object $V_n$ is calculated using Equation (3):

$$\begin{array}{c}\hfill {\upsilon }_n=\sum _{z=1}^Z{s}_{nz}{\upsilon }_z\end{array}$$

(3)

Knowing the objects’ criticality makes it possible to prepare and implement preventive measures to reduce threats’ impact on achieving the entity’s strategic goals. It also supports conducting in-depth analysis to seek technical and procedural solutions that can mitigate business risks arising from the propagation of threats within the entity’s cyberspace.

Dynamic attributes are calculated based on the acquired data on detected hazard events affecting the objects’ current and predicted security status. Their values are real numbers in the interval [0, 10].

Each infrastructure layer object may have some vulnerabilities that express its exposure to a cyberattack. The number of associated vulnerabilities and the level of the object’s exposure may frequently change over time due to the detection of new vulnerabilities or the mitigation of those already identified. For this paper, the numerical values of the potential exposure to degradation resulting from identified vulnerabilities for each infrastructure layer object $V_n$ are calculated from a modified Equation (4) proposed by Kim et al. [16]:

$$\begin{array}{c}\hfill E_t\left(V_n\right)=\min [10,[I{C}_t\left(V_n\right)(10-y){M{I}_t\left(V_n\right)}^{w_{MI}}M{V}_t{\left(V_n\right)}^{w_{MV}}AC{A}_t{\left(V_n\right)}^{w_{ACA}}+\\ \hfill +AT{T}_t(V_n,x,y)\left]\right]\end{array}$$

(4)

where

$I{C}_t\left(V_n\right)$—the object’s potential level of compromise due to exploitation of some combination of the vulnerabilities existing at time t that impact confidentiality, integrity, and availability.

$M{I}_t\left(V_n\right)$—maximum impact of vulnerabilities existing at time t.

$M{V}_t\left(V_n\right)$—vulnerability existing at time t posing the greatest threat to the object $V_n$.

$AC{A}_t\left(V_n\right)$—combined parameter of maximum access and access complexity.

$AT{T}_t(V_n,x,y)$—attack surface, a function of the number of vulnerabilities concerning the object $V_n$ and the threat they present at time t. The value of this function is expressed on a logarithmic scale, where x is the base for the logarithmic function, and y is its maximum value (limit).

$w_{MI}$, $w_{MV}$, $w_{ACA}$—weights of relevant parameters.

Exposure to degradation of business layer object $V_n$ is calculated using (5) based on the results of the maturity level assessment procedure elaborated based on [15]:

$$\begin{array}{c}\hfill E\left(V_n\right)={\displaystyle \frac{z}{M\left(V_n\right)}}\end{array}$$

(5)

where $M\left(V_n\right)$—maturity level of object $V_n$, z > 0—fixed value.

Exposure to degradation of an external service can be assessed based on historical data on complying with the Service Layer Specification (SLS) agreed upon with the service provider.

As mentioned earlier, complex objects, like redundant ones, may also exist in each cyberspace layer. Assuming that all objects N of the redundant group affect the related objects in the same way, their potential exposure to degradation is determined for an abstract object $V_x$ representing the entire group (6):

$$\begin{array}{c}\hfill E_t\left(V_x\right)=10\prod _{i=1}^N{\displaystyle \frac{E_t\left(V_i\right)}{10}}\end{array}$$

(6)

3.2. Dynamic Risk Assessment

Consider the following types of cybersecurity risks that are inherent to cyberspace objects:

• Intrinsic risk $R_t\left(V_n\right)$ resulting from identified weaknesses associated with the object;
• External risk (contributed) $R_t^e\left(V_n\right)$ resulting from the propagation of risk in cyberspace;
• Overall risk $R_t^o\left(V_n\right)$, which is a composite of intrinsic and external risks.

The security risk resulting from the exposure of an infrastructure object $V_n$ to the accomplishment of business objectives is determined using Equation (7):

$$\begin{array}{c}\hfill R_t\left(V_n\right)=E_t\left(V_N\right){\upsilon }_n\end{array}$$

(7)

For the redundant group of N objects represented by an abstract object $V_x$, the intrinsic risk is calculated from (8):

$$\begin{array}{c}\hfill R_t\left(V_x\right)=10\prod _{i=1}^N{\displaystyle \frac{R_t\left(V_i\right)}{10}}\end{array}$$

(8)

The external risk, resulting from the propagation of risk, coming from X objects impacting the object $V_n^X$, is determined by the overall risk of all interacting objects and the level of their influence on $V_n$ degradation (9):

$$\begin{array}{c}\hfill R_t^e\left(V_n^X\right)=\sum _{i=1}^X{R}_t^o\left(V_{in}\right)w_{in}\end{array}$$

(9)

where

$w_{in}$—relative criticality of object $V_i$ impact on $V_n$;

$R_t^o\left(V_{in}\right)$—overall risk of object $V_i$ impacting $V_n$.

For an object, the operation of which is not conditioned by any other object (no impact from other objects), $R_t^e\left(V_n\right)$ = 0 and, consequently, $R_t^o\left(V_n\right)$ = $R_t\left(V_n\right)$.

The overall risk of a single object $V_n^X$ impacted by a certain number of X objects is determined from (10):

$$\begin{array}{c}\hfill R_t^o\left(V_n^X\right)=min[10,(R_t\left(V_n\right)+R_t^e\left(V_n^X\right)]\end{array}$$

(10)

For a redundant group of N objects represented by an abstract object $V_x$, its overall risk is calculated from (11):

$$\begin{array}{c}\hfill R_t^o\left(V_x\right)=10\prod _{i=1}^N{\displaystyle \frac{R_t^o\left(V_i\right)}{10}}\end{array}$$

(11)

The occurrence of an event at time $t_d$ affecting the security attributes of the object $V_i$ triggers an update of its exposure to degradation and intrinsic risk according to Equations (12) and (13), respectively.

$$\begin{array}{c}\hfill E_{t_d}^{{\Delta }_z}\left(V_i\right)=min[10,E_t\left(V_i\right)(1+{\displaystyle \frac{{\Delta }_z\left(V_i\right)}{100}})],z\in (c,i,a)\end{array}$$

(12)

$$\begin{array}{c}\hfill R_t^{{\Delta }_z}\left(V_i\right)=E_{t_d}^{{\Delta }_z}\left(V_i\right){\upsilon }_i\end{array}$$

(13)

where ${\Delta }_z\left(V_i\right)$—object $V_i$ degradation level.

As a result, the exposures to degradation and external and overall risks of all objects along the propagation paths of the event should be changed, considering the values of attributes $\tau$ and $\Delta$.

3.3. Threat Propagation Paths

Degradation of an object’s security attributes caused by a hazard event results in the threat propagation through cyberspace along paths leading from the degraded object $V_s$ to object $V_d$, representing core business objectives, such as the service provided. The following two attributes associated with each such path are relevant for predicting the impact of incidents and taking preventive mitigation measures:

• Threat propagation time $T_{sd}$;
• Significance of the impact $S_{sd}$.

Since there may be multiple paths in cyberspace with the same or similar value of the threat propagation time but with varying impact significance, it is reasonable to determine k > 1 of such critical paths. Each path $R_s^d$ from an object $V_s$ to object $V_d$ is an alternating sequence of objects and their relations (14),

$$\begin{array}{c}\hfill R_s^d:V_s,(V_s,V_{i_1}),V_{i_1},(V_{i_1},V_{i_2}),V_{i_2},\dots ,V_{i_{n-1}},(V_{i_{n-1}},V_{i_n}),V_{i_n},(V_n,V_d),V_d\end{array}$$

(14)

Several algorithms, such as [17,18,19,20], can be used for k-shortest path selection.

Assume that for each pair of impacting objects ($V_i$, $V_j$), the threat impact time ${\tau }_{ij}$ is known, i.e., the time after an object $V_j$ suffers the effect of the degradation of an object $V_i$. Thus, the threat propagation time from the degraded object $V_s$ to the object $V_d$ is calculated from (15):

$$\begin{array}{c}\hfill T_{sd}=\sum _{(V_i,V_j)\in R_s^d}{\tau }_{ij}\end{array}$$

(15)

The significance of the impact can be expressed in terms of the operation readiness level of the object $V_d$ resulting from a threat propagating along the path $R_s^d$. Let $y_{jz}$ denote the level of operational capability of object $V_j$ in aspect $\mathit{z}\in (c,i,a)$. It is the sum of the autonomous state of the object and the aggregate influence of other objects; ${\mathsf{\Phi }}_{jz}{\left(\mathbf{U}\right)|}_0^1$ is calculated from (16):

$$\begin{array}{c}\hfill y_{jz}=x_{jz}+{\mathsf{\Phi }}_{jz}{\left(\mathbf{U}\right)|}_0^1\end{array}$$

(16)

Matrixes Y and X contain resultant and autonomous states of cyberspace objects. The tensor U represents the impact of other objects’ dysfunction aggregated by a function ${\mathsf{\Phi }}_{jz}$ on a subsequent state $y_{jz}$. The element $u_{ij}^z\in \mathbf{U}$ represents the individual impact of $y_i^z$ (resultant state of objects $V_i$ in aspect z) on $y_j^z$, expressed by (17):

$$\begin{array}{c}\hfill u_{ij}^z=a_{ij}^z(y_i^z-1)\end{array}$$

(17)

where $a_{ij}^z$—amplification factor of the state $y_i^z$’s impact on the aspect z of the object $V_j$.

Accordingly, the impact of object $V_i$’s degradation on object $V_d$ is determined based on successive calculations following Equation (16) for all objects along the path $R_s^d$.

4. Situational Awareness System

4.1. Goals and Objectives

The approach to modeling cyberspace and analyzing the impact of cyber threats on business objectives presented in Section 3 was the theoretical foundation for developing the Situational Awareness Management System (SAMS). It is designed primarily for critical infrastructure entities; however, it can also be used by any business entity to manage situational awareness continuously and increase the efficiency of a company’s security management.

The SAMS’s primary objective is to support the entity in building online cybersecurity awareness through the following aspects:

• Assessment of occurring or potential security hazard events, their magnitude, and their significance for business continuity;
• Ensuring an understanding of the impact of a security breach, including threat propagation and associated risks and the impact on achieving business objectives;
• Delivering the details on hazard event propagation, enabling the undertaking of preemptive action to reduce the consequences of identified or potential risks;
• Dynamic assessment of cybersecurity risk for all cyberspace objects following the occurred or identified potential hazard events;
• Predicting the impact on security and business continuity of planned changes in infrastructure and business layers.

To achieve these goals, the SAMS leverages several mechanisms that allow the following:

• Supporting the process of building a company’s cyberspace representation, composed of the following elements:

  –

  Key services provided or overarching business processes;

  –

  Internal business processes and services;

  –

  Services or resources provided by external organizations;

  –

  Information and operational technology systems used and their components;

  –

  Supporting technical systems and their components.

• Ongoing updating of the knowledge of cyberspace and its status;
• Visualization of the following:

  –

  The current and predicted security status of all cyberspace elements;

  –

  The results of the dynamic assessment of risk and its propagation.

• Predicting the impact of security hazard events on the state of cyberspace and its elements;
• Supporting the carrying out of in-depth analysis, including the “what-if” type.

The SAMS enables the retrieval and processing of data from various management systems that the entity exploits to accomplish these tasks and the sharing of the results with teams responsible for maintaining security and business continuity (Figure 2).

The authorized business managers also have access to the system, enabling them to understand the present or predicted status of the cyberspace part they are responsible for and perform in-depth analysis to identify the sources of increased risk and the consequences for the entire organization. For example, they can identify the critical path of hazard event propagation in cyberspace, enabling them to undertake timely mitigation measures. They can also determine the most essential vulnerabilities regarding their impact on business objectives, objects where they occur, etc. Risk and incident managers are responsible for reporting data to the Computer Security Incidents Response Team (CSIRT), which is required to provide situational awareness at the state level.

However, to create an isomorphic model of cyberspace, detailed and trustworthy data consistent with reality must be available on all its objects and their relationships. This means that validation of the cyberspace model is an essential condition for its operational use. As it is up to the entity to determine the scope and level of the detail of cyberspace that should be modeled, an appropriate validation mechanism has been put in place. It requires confirmation by the entity’s manager that all necessary components of cyberspace have been included and correctly represented during the modeling phase. The management systems shown in Figure 2 can support the manager in accomplishing this task. However, as practice shows, not all entities have regularly updated systems, and some do not have them. In addition, parts of the detailed knowledge, like the conditions of object operation or the significance of the impact, mainly due to a specific security attribute, are rarely archived. Sometimes, they can be retrieved from Business Impact Assessment (BIA) documentation or obtained from experienced personnel. This requires the system to allow the validation manager to enter missing data or updates manually.

4.2. System Description

The SAMS is an application system whose generic architecture is shown in Figure 3.

The SAMS’s architecture relies on microservices deployed in the Kubernetes platform. Microservices that execute business logic were developed using Python/FastAPI. Other mandatory services are the PostgreSQL database cluster, which stores the system’s data, and the Redis distributed key–value store, used for messaging between microservices. The SAMS uses the OpenID Connect protocol for identity management. The application can be integrated with the Single Sign-On infrastructure deployed in the organization, allowing users to use one set of credentials to enter multiple websites and applications.

All data, including security ones, are stored within the entity and protected according to internal security regulations. The SAMS uses a role-based identity management system that allows access to the application, as mentioned in Section 4.1. In addition, an interface provided by the national-level situational awareness building system (NPC) is used to transfer data from the SAMS to the national-level CSIRT. As discussed in [13], it uses extensive mechanisms to protect sensitive data and entities’ privacy.

The application system architecture includes the following components:

• A web user interface (WebUI) enabling user interaction with the system;
• A front-end load-balancing layer, designed to provide the users with an interface for highly available applications;
• An application layer containing specific, interconnected microservices performing the system business logic that communicates with database back-ends and serves data to the front-end application for user interactions, including the following:

  –

  Cyberspace model generation and management;

  –

  Hazard events processing;

  –

  Dynamic risk assessment;

  –

  Critical path selection and analysis;

  –

  Vulnerability data integration and processing;

  –

  Identity management;

  –

  Execution of computationally demanding tasks to conduct simulations and predictions of the state of cyberspace;

  –

  Gathering data on security events and visualization of global statistics on cyberspace security;

  –

  Acquisition and processing of data from external management systems.

• The database back-end layer contains a database cluster that stores operational data and a message broker to synchronize notifications between WebSockets.

The SAMS implements several abovementioned procedures, like cyberspace model generation, dynamic risk assessment, critical path selection and analysis, etc. The entity manager initiates the cyberspace model generation procedure to create a representation of the company’s cyberspace. The application collects the required data from the management systems indicated in Section 4.1.

Once generated, the model is then used to execute the necessary analysis depending on the user’s needs, allowing the understanding of the ongoing situation and the impact of hazard events on security and business continuity.

The system provides users with various dashboards to manage cybersecurity awareness. Figure 4 shows an example of a global view of the business criticality of the entity cyberspace objects regarding their availability.

Corresponding graphic symbols represent particular categories of objects; for example, a rhombus represents a component of the information infrastructure (hardware and software), a circle represents business processes, and an asterisk, the service provided. The color of an object indicates the level of its business criticality, from low (in green) to very high (in red). Depending on the current needs, the user can change the view’s content by indicating the objects’ attributes to be demonstrated (box indicated by the arrow in Figure 4).

The system provides the user with detailed data about the object of interest, including the current values of its attributes (Figure 5). In addition, users can get relevant data on other objects that directly or indirectly affect the security of the concerned object, as indicated by the arrow in Figure 5. This enables drill-down analysis to identify sources of potential threats.

Figure 6 shows the results of critical path calculations from the selected object EL1 to the core business objects, i.e., services provided. They are displayed as a graph (left part) and plotted on a chart (right upper part). By selecting the path of interest on a chart, its structure (marked in red on the graph) and details of threat propagation time and impact significance in terms of availability (A), integrity (I), confidentiality (C), and total (T) (right lower part) are shown.

The application provides the user with detailed information about the current attribute values of the selected path and their sources (as shown in Figure 5). In this way, the user can identify, in advance, i.e., before the threat occurs, the objects on the path that significantly contribute to the degradation of the core business objectives and initiate the appropriate actions for risk mitigation.

The SAMS application also allows for conducting other “what-if”-like analyses. The application’s user can assess the impact of changes to the cybersecurity model resulting from the need to improve security and business continuity and planned organizational or technological transformations. The application offers an interface for manually executing a wide range of modifications, such as adding a new object or deleting an existing one, inserting redundant objects, changing relationships between objects, or changing attribute values. This makes it possible to assess the rationale behind proposed modifications in advance.

The SAMS application also provides a range of global cybersecurity statistics. Users can customize the set of statistics according to their needs. In addition, these data can be exported to the external Business Intelligence (BI) system for integration with other data the entity collects. Figure 7 shows an example of some of such statistics. They present, among other things, the risk share of each type of object, the objects with the highest level of risk and top exposure to degradation, or the most significant vulnerabilities.

The following section discusses more examples of dashboards and users’ interaction with the application for situational awareness management.

5. Example of SAMS Usage

Consider the following example of using the SAMS to assess the effects of degradation of the critical infrastructure entity’s cyberspace triggered by an incident. The cyberspace model of a real digital infrastructure entity consists of 111 objects and 327 object dependencies. The objects represent sixty-five information infrastructure components (hardware and software), twenty-six business processes, twelve internal and six external services, and two provided services.

The Security Incident Management system (ref. to Figure 2) has identified a security event related to exploiting a database vulnerability (object EL1 in Figure 8), resulting in a stored data integrity compromise. The event description forwarded to the SAMS triggers displays of the lightning symbol shown in Figure 8 along with information about the type and degree of the object degradation (marked with a circle).

These initiated data recovery efforts, along with the following actions, aid in the understanding of the consequences of the event for the security and business continuity and enable the implementation in advance of mitigation measures limiting its impact on the core business objectives:

• Identify the part of the organization that may be affected by the event and the time and scale of its impact;
• Alert relevant management staff of potential incident impacts on objects they are responsible for, enabling them to take preemptive actions to mitigate the threat and reduce its propagation.

Performing the first action, the risk manager used the threat propagation application to predict the consequences of the incident, with results shown in Figure 9. Information is also available on objects that could be affected at a particular time and their details, including the predicted risk level (objects marked with the corresponding color in the left part of Figure 9).

The execution of the second action enabled the owner of potentially affected objects to conduct an in-depth analysis, including assessing the degrading impact from other objects and initiating—in advance—the mitigation measures specified in the business continuity plan. Figure 10 shows all objects impacting the selected one (in this case, BP21) and their details (in the right part of Figure 10).

The implementation of mitigation measures has reduced the threat propagation scale and protected the organization from losing the continuity of the services provided.

6. Discussion

The initial outcomes from the system’s pilot deployment at a critical infrastructure entity confirm the added value provided to the security personnel and its usability in building cybersecurity awareness at all organizational levels, stimulating a prompt reaction to potential hazard events. They also provide stimulating findings regarding the proposed approach and indicate areas for further development. This confirms that a correctly executed cyberspace modeling process creates significant added value, enabling the complete identification of the objects needed to accomplish the main business processes and discovery of their dependencies, which are not always obvious.

An important insight from SAMS users is that its functions can effectively foster the business impact analysis process by delivering objectified data to predict the consequences of security disruptions and building the knowledge needed for business continuity management. The SAMS makes it possible to obtain reliable data on cyberspace security and its elements in near real time. It also provides information supporting an advanced response to cyber threats, including early action to limit their propagation.

The lessons learned indicated several challenging issues that may impact the effectiveness of the proposed solution and determine its further development. Without the ability to obtain data on the entity’s cyberspace from management systems indicated in Figure 2 and the need to manually build its model from scratch, the process becomes highly time-consuming. Therefore, integrating the SAMS with the management systems indicated in Section 4 and automatically enabling the collection of the required data becomes a necessary application functionality.

As mentioned earlier, detailed data on object attributes and their dependencies regarding confidentiality and integrity are rarely archived and generally difficult to obtain. The unavailability of such data means that an organization’s security status can only be assessed in terms of availability. A possible way to overcome this limitation may include identifying such data during the business impact analysis procedure. This particular challenge refers to the validation of the cyberspace model based on the objective procedures. The current solution based on human experience should be only temporarily considered. Attention should also be paid to confirmation of the generality of the proposed approach to situational awareness provision at the single-entity level.

The ongoing efforts focus on incorporating the lessons learned from the pilot implementation of the SAMS, and further improving the application, mainly related to the following aspects:

• Simplifying user interaction with the system;
• Customizing user interfaces;
• Automated report generation of daily reports;
• Integration of the SAMS with Business Intelligence platforms;
• Developing a simplified version of the system that could be offered to a broader community for examination;
• Examination of the impact of the configuration attributes of the dynamic risk assessment method on the evaluation results and determining their reference values;
• Objects attribute specification, supported by machine learning techniques;
• Inclusion of complex models of redundant groups, allowing their dynamic reconfiguration.

7. Conclusions

The paper presents a comprehensive solution for the online assessment of critical infrastructure entity security (regarding availability, integrity, and confidentiality) and business continuity. Original cyberspace modeling methodologies, dynamic risk assessment, threat propagation across infrastructure and business layers, and extensive visualization mechanisms provide valuable insights into an organization’s current and projected security state.

To the best of the author’s knowledge, such a comprehensive approach, enabling an entity to predict online the impact of threats in information infrastructure on the execution of business processes and the achievement of core objectives, has not been demonstrated before.

By design, the SAMS can be used by various entities. Using the microservices implemented in the SAMS, the system’s user builds a representation of its cyberspace (i.e., a network of related objects in the infrastructure and business layers), obtaining data from management systems, as shown in Figure 2. It is also possible to enter data manually if these systems are unavailable. Implementation of the application in a specific entity may involve updating the implementation of interfaces to particular management systems used in the organization.

The SAMS supports the implementation of the NIS/NIS-2 directive. It provides an online assessment of the security status of key players and the consequences of security disruptions and provides relevant data to CSIRT at the national level (see Figure 2). In this way, it contributes to building shared situational awareness and improving the security of information systems.

Further work will also cover assessing the feasibility of approaches that overcome the challenges outlined in Section 6 and evaluating their effectiveness. This also includes experimental verification of the system in other environments, especially in entities based on operational technology and those using different types of management systems in their infrastructure.