Abstract
The identification and analysis of potential paths that an adversary may exploit to attack Cyber Physical Systems comprising sub-systems enables the comprehensive understanding of the attacks and the impact that may have to the overall system, thus facilitating the definition of appropriate countermeasures that will satisfy the pertinent security requirements. To this end, several attack modelling techniques can be employed, the attack graph being the most prevalent among them. Unfortunately, the discovery and analysis of all possible attack paths in an attack graph is not possible in systems even of a moderate size. In this work we propose a novel systematic method for discovering and analyzing attack paths in real-world scale interconnected Cyber Physical Systems. The method considers the criticality of each sub-system in discovering paths and the risk to the overall system that each path presents to analyze and prioritize paths. We illustrate the workings of the method by applying to the navigational Cyber Physical Systems of the Cyber-Enabled Ship to identify and analyze highly critical attack paths originating from the Automatic Identification System (AIS) and targeting the Autonomous Navigation System (ANS).
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
The lower the Z value of a sub-system the more critical the sub-system is.
References
Al-Mhiqani, M.N., Ahmad, R., Yassin, W., Hassan, A., Abidin, Z.Z., Ali, N.S., Abdulkareem, K.H.: Cyber-security incidents: a review cases in cyber-physical systems. Int. J. Adv. Comput. Sci. Appl. 9(1), 499–508 (2018)
Kavallieratos, G., Katsikas, S., Gkioulos, V.: Modelling shipping 4.0: a reference architecture for the cyber-enabled ship. In: Nguyen, N.T., Jearanaitanakij, K., Selamat, A., Trawiński, B., Chittayasothorn, S. (eds.) ACIIDS 2020. LNCS (LNAI), vol. 12034, pp. 202–217. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-42058-1_17
Emad, G.R., Khabir, M., Shahbakhsh, M.: Shipping 4.0 and training seafarers for the future autonomous and unmanned ships. In: Proceedings of the 21th Marine Industries Conference (MIC 2019), pp. 202–217(2020)
Chang, C.H., Wenming, S., Wei, Z., Changki, P., Kontovas, C.A.: Evaluating cybersecurity risks in the maritime industry: a literature review. In: Proceedings of the International Association of Maritime Universities (IAMU) Conference (2019)
Silgado, D.M.: Cyber-attacks: a digital threat reality affecting the maritime industry (2018)
Hassani, V., Crasta, N., Pascoal, A.M.: Cyber security issues in navigation systems of marine vessels from a control perspective. In: Proceedings of the ASME: 36th International Conference on Ocean, p. 2017. American Society of Mechanical Engineers Digital Collection, Offshore and Arctic Engineering (2017)
Kavallieratos, G., Katsikas, S., Gkioulos, V.: Cyber-attacks against the autonomous ship. In: Katsikas, S.K., Cuppens, F., Cuppens, N., Lambrinoudakis, C., Antón, A., Gritzalis, S., Mylopoulos, J., Kalloniatis, C. (eds.) SECPRE/CyberICPS -2018. LNCS, vol. 11387, pp. 20–36. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-12786-2_2
Chen, Y.C., Mooney, V., Grijalva, S.: A survey of attack models for cyber-physical security assessment in electricity grid. In: Proceedings of the 2019 IFIP/IEEE 27th International Conference on Very Large Scale Integration (VLSI-SoC), pp. 242–243. IEEE (2019)
Lallie, H.S., Debattista, K., Bal, J.: A review of attack graph and attack tree visual syntax in cyber security. Comput. Sci. Rev. 35, 100219 (2020)
Al-Mohannadi, H., Mirza, Q., Namanya, A., Awan, I., Cullen, A., Disso, J.: Cyber-attack modeling analysis techniques: an overview. In: Proceedings of the 2016 IEEE 4th International Conference on Future Internet of Things and Cloud Workshops (FiCloudW), pp. 69–76. IEEE (2016)
Hong, J.B., Kim, D.S.: Performance analysis of scalable attack representation models. In: Janczewski, L.J., Wolfe, H.B., Shenoi, S. (eds.) SEC 2013. IAICT, vol. 405, pp. 330–343. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39218-4_25
Xie, A., Cai, Z., Tang, C., Hu, J., Chen, Z.: Evaluating network security with two-layer attack graphs. In: Proceedings of the 2009 Annual Computer Security Applications Conference, pp. 127–136 (2009)
Ou, X., Boyer, W.F., McQueen, M.A.: A scalable approach to attack graph generation. In: Proceedings of the 13th ACM Conference on Computer and Communications Security, CCS 2006, pp. 336–345. Association for Computing Machinery, New York, NY, USA (2006)
Sheyner, O., Haines, J., Jha, S., Lippmann, R., Wing, J.M.: Automated generation and analysis of attack graphs. In: Proceedings 2002 IEEE Symposium on Security and Privacy, pp. 273–284 (2002)
Dacier, M., Deswarte, Y., Kaâniche, M.: Models and tools for quantitative assessment of operational security. SEC 1996. IAICT, pp. 177–186. Springer, Boston, MA (1996). https://doi.org/10.1007/978-1-5041-2919-0_15
Dacier, M.: Towards Quantitative Evaluation of Computer Security. Ph.D. thesis, Institut National Polytechnique de Toulouse (1994)
Dacier, M., Deswarte, Y.: Privilege graph: an extension to the typed access matrix model. In: Gollmann, D. (ed.) ESORICS 1994. LNCS, vol. 875, pp. 319–334. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-58618-0_72
Phillips, C., Swiler, L.P.: A graph-based system for network-vulnerability analysis. In Proceedings of the 1998 Workshop on New Security Paradigms, NSPW 1998, pp. 71–79. Association for Computing Machinery, New York, NY, USA (1998)
Khaitan, S., Raheja, S.: Finding optimal attack path using attack graphs: a survey. Int. J. Soft Comput. Eng. 1(3), 2231–2307 (2011)
Ou, X., Singhal, A.: Quantitative security risk assessment of enterprise networks. In: Ou, X., Singhal, A. (eds.) Attack Graph Techniques, pp. 5–8. Springer, New York (2011)
Swiler, L.P., Phillips, C., Ellis, D., Chakerian, S.: Computer-attack graph generation tool. In: Proceedings DARPA Information Survivability Conference and Exposition II. DISCEX 2001, Vol. 2, pp. 307–321 (2001)
Ou, X., Govindavajhala, S., Appel, A.: MulVAL: a logic-based network security analyzer. In: Proceedings of the USENIX Security Symposium 2005, pp. 113–127 (2005)
Jajodia, S., Noel, S., O’Berry, B.: Topological analysis of network attack vulnerability. In: Kumar, V., Srivastava, J., Lazarevic, A. (eds.) Managing Cyber Threats Massive Computing, pp. 244–266. Springer, Boston, MA (2005)
Ammann, P., Wijesekera, D., Kaushik, S.: Scalable, graph-based network vulnerability analysis. In: Proceedings of the 9th ACM Conference on Computer and Communications Security, CCS 2002, pp. 217–224. Association for Computing Machinery, New York, NY, USA (2002)
Zeng, J., Wu, S., Chen, Y., Zeng, R., Wu, C.: Survey of attack graph analysis methods from the perspective of data and knowledge processing. Secur. Commun. Netw. 2019, 1–17 (2019)
Hsu, L.H., Lin, C.K.: Graph Theory and Interconnection Networks. CRC Press, Boca Raton (2019)
Ingols, K., Lippmann, R., Piwowarski, K.: Practical attack graph generation for network defense. In: Proceedings of the 22nd Annual Computer Security Applications Conference (ACSAC2006), pp. 121–130 (2006)
Kaynar, K., Sivrikaya, F.: Distributed attack graph generation. IEEE Trans. Depend. Secur. Comput. 13(5), 519–532 (2016)
Bi, K., Han, D., Jun, W.: K maximum probability attack paths dynamic generation algorithm. Comput. Sci. Inform. Syst. 13(2), 677–689 (2016)
Poolsappasit, N., Dewri, R., Ray, I.: Dynamic security risk management using Bayesian attack graphs. IEEE Trans. Depend. Secur. Comput. 9(1), 61–74 (2012)
Jehyun L., Heejo L., Peter, H.: Scalable attack graph for risk assessment. In: Proceedings of the International Conference on Information Networking, pp. 1–5 (2009)
Dai, F., Hu, Y., Zheng, K., Wu, B.: Exploring risk flow attack graph for security risk assessment. IET Inform. Secur. 9(6), 344–353 (2015)
Castellanos, J.H., Ochoa, M., Zhou, J.: Finding dependencies between cyber-physical domains for security testing of industrial control systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 582–594 (2018)
Polatidis, N., Pavlidis, M., Mouratidis, H.: Cyber-attack path discovery in a dynamic supply chain maritime risk management system. Comput. Stand. Interf. 56, 74–82 (2018)
Mouratidis, H., Diamantopoulou, V.: A security analysis method for industrial internet of things. IEEE Trans. Indust. Inform. 14(9), 4093–4100 (2018)
Ibrahim, M., Al-Hindawi, Q., Elhafiz, R., Alsheikh, A., Alquq, O.: Attack graph implementation and visualization for cyber physical systems. Processes 8(1), 12 (2020)
Bolbot, V., Theotokatos, G., Boulougouris, E., Vassalos, D.: Safety related cyber-attacks identification and assessment for autonomous inland ships. In: Proceedings of the International Seminar on Safety and Security of Autonomous Vessels (ISSAV) (2019)
Akbarzadeh, A., Katsikas, S.: Identifying critical components in large scale cyber physical systems. In: Proceedings of the 1st International Workshop on Engineering and Cybersecurity of Critical Systems (EnCyCriS) (2020)
Shostack, A.: Threat modeling: Designing for security. John Wiley & Sons, New Jersey (2014)
Microsoft. Chapter 3 - Threat modeling (2010). https://docs.microsoft.com/en-us/previous-versions/msp-n-p/ff648644(v=pandp.10)?redirectedfrom=MSDN. Accessed 26 May 2020
Zinsmaier, S.D., Langweg, H., Waldvogel, M.: A practical approach to stakeholder-driven determination of security requirements based on the GDPR and common criteria. In: Proceedings of the International Conference on Information Systems Security and Privacy ICISSP, pp. 473–480 (2020)
CASOS. http://www.casos.cs.cmu.edu/index.php. Accessed 09 Dec 2019
Guide for conducting risk assessments. NIST SP 800–30 Rev. 1, National Institute of Standards and Technology, Gaithersburg MD, USA (2012)
Kavallieratos, G., Diamantopoulou, V., Katsikas, S.K.: Shipping 4.0: Security requirements for the cyber-enabled ship. IEEE Trans. Indust. Inform. 16(10), 6617–6625 (2020)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Kavallieratos, G., Katsikas, S. (2020). Attack Path Analysis for Cyber Physical Systems. In: Katsikas, S., et al. Computer Security. CyberICPS SECPRE ADIoT 2020 2020 2020. Lecture Notes in Computer Science(), vol 12501. Springer, Cham. https://doi.org/10.1007/978-3-030-64330-0_2
Download citation
DOI: https://doi.org/10.1007/978-3-030-64330-0_2
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-64329-4
Online ISBN: 978-3-030-64330-0
eBook Packages: Computer ScienceComputer Science (R0)