Security risk analysis of system changes exemplified within the oil and gas domain

Abstract

Changes, such as the introduction of new technology, may have considerable impact on the risk to which a system or organization is exposed. For example, in the oil and gas domain, introduction of technology that allows offshore installations to be operated from onshore means that fewer people are exposed to risk on the installation, but it also introduces new risks and vulnerabilities. We need suitable methods and techniques to understand how a change will affect the risk picture. This paper presents an approach that offers specialized support for analysis of risk with respect to change. The approach allows links between elements of the target of analyses and the related parts of the risk model to be explicitly captured, which facilitates tool support for identifying the parts of a risk model that need to be reconsidered when a change is made to the target. Moreover, the approach offers language constructs for capturing the risk picture before and after a change. The approach is demonstrated on a case concerning new software technology to support decision making on petroleum installations.

Appendices

Appendix A: Formal foundation

In the following we introduce the formal machinery.

1.1 A.1 Basics

\({\mathbb {N}}\) and \({\mathbb {R}}\) denote the sets of natural numbers and real numbers, respectively. We use \({\mathbb {N}}_0\) to denote the set of natural numbers including 0, while \({\mathbb {R}}^+\) denotes the set of nonnegative real numbers. This means that

$$\begin{aligned} {\mathbb {N}}_0{\ \mathop {=}\limits ^{{\mathsf {def}}}\ }{\mathbb {N}}\cup \{0\},\quad {\mathbb {R}}^+{\ \mathop {=}\limits ^{{\mathsf {def}}}\ }\{r\in {\mathbb {R}}\mid r\ge 0\} \end{aligned}$$

For any set of elements, we use \({{\mathbb P}(A)}\) to denote the powerset of \(A\).

A tuple is an element of a Cartesian product. We use \(\pi _j\) to extract the \(j\)th element of a tuple. Hence, if

$$\begin{aligned} (a,a')\in A\times A' \end{aligned}$$

then \(\pi _1.(a,a')=a\) and \(\pi _2.(a,a')=a'\).

1.2 A.2 Sequences

By \({A\,^{\infty }}, {A\,^{\omega }}\) and \({A\,^{*}}\) we denote the set of all infinite sequences, the set of all finite and infinite sequences and the set of all finite sequences over some set of elements \(A\), respectively. Hence, we have that

$$\begin{aligned} {A\,^{\omega }}={A\,^{\infty }}\cup {A\,^{*}} \end{aligned}$$

We define the functions

$$\begin{aligned} \#\,\_\,\in {A\,^{\omega }}\rightarrow {\mathbb {N}}_0\cup \{\infty \},\quad \_\,[\,\_\,]\in {A\,^{\omega }}\times {\mathbb {N}}\rightarrow A \end{aligned}$$

to yield the length and the \(n\)th element of a sequence. Hence, \(\#s\) yields the number of elements in \(s\), and \(s[n]\) yields the \(n\)th element of \(s\) if \(n\le \# s\).

We also need functions for concatenation and filtering:

Concatenating two sequences implies gluing them together. Hence, \(s_{1}{\mathop {\mathop {\ }\limits ^{\frown }}}s_{2}\) denotes a sequence of length \(\#s_{1}+\#s_{2}\) that equals \(s_{1}\) if \(s_{1}\) is infinite and is prefixed by \(s_{1}\) and suffixed by \(s_{2}\), otherwise.

The filtering operator is used to filter away elements. denotes the subsequence obtained from \(s\) by removing all elements in \(s\) that are not in the set \(B\).

1.3 A.3 Timed events

\({{\mathbb {E}}}\) denotes the set of all events, while the set of all timestamps is defined by

$$\begin{aligned} {{\mathbb {T}}}{\ \mathop {=}\limits ^{{\mathsf {def}}}\ }{\mathbb {R}}^+ \end{aligned}$$

A timed event is an element of

$$\begin{aligned} {{\mathbb {E}}}\times {{\mathbb {T}}}\end{aligned}$$

1.4 A.4 Histories

A history is an infinite sequence of timed events that is ordered by time and progresses beyond any finite point in time. Hence, a history is an element of:¹

$$\begin{aligned} \begin{array}{@{}lll} {{\mathbb {H}}}{\ \mathop {=}\limits ^{{\mathsf {def}}}\ }\{\!\!\!&{}h\in {({{\mathbb {E}}}\times {{\mathbb {T}}})\,^{\infty }}\mid &{} \\ &{}\forall n\in {\mathbb {N}}: \pi _2.h[n]\le \pi _2.h[n+1] &{} \\ &{}\forall t\in {{\mathbb {T}}}: \exists n\in {\mathbb {N}}: \pi _2.h[n]>t &{}\!\!\!\!\!\!\! \} \end{array} \end{aligned}$$

The first conjunct requires the timestamp of a timed event to be at least as great as that of its predecessor. The second conjunct makes sure that time will always progress beyond any finite point in time. That is, for any timestamp \(t\) and history \(h\) there is a timed event in \(h\) whose timestamp is greater than \(t\).

We also need a function for truncating histories

$$\begin{aligned} {\_\!\!\mid \!\!_{\_}}\in {{\mathbb {H}}}\times {{\mathbb {T}}}\rightarrow {({{\mathbb {E}}}\times {{\mathbb {T}}})\,^{*}} \end{aligned}$$

The truncation operator captures the prefix of a history up to and including a certain point in time. Hence, \({h\!\!\mid \!\!_{t}}\) describes the maximal prefix of \(h\) whose timed events all have timestamps less than or equal to \(t\).

1.5 A.5 Frequencies

As explained above, we use the nonnegative real numbers to represent time. The time unit is equal to 1. For simplicity, we assume that all frequencies are per time unit. The set of frequencies \(F\) is therefore defined as follows:

$$\begin{aligned} {{\mathbb {F}}}{\ \mathop {=}\limits ^{{\mathsf {def}}}\ }{\mathbb {R}}^+ \end{aligned}$$

Hence, \(f\in {{\mathbb {F}}}\) denotes the frequency of \(f\) occurrences per time unit.

Appendix B: Risk graphs

1.1 B.1 Syntax of risk graph formulas

1.1.1 B.1.1 Risk graph definition

A risk graph \(G\) is a pair of two sets \((V,R)\) where

$$\begin{aligned} V\subseteq {{\mathbb P}({{\mathbb {E}}})}\times {{\mathbb {F}}},\quad R\subseteq V\times {\mathbb {R}}^+\times V \end{aligned}$$

We refer to the elements of \(V\) as vertices and to the elements of \(R\) as relations. We use \(v(f)\) to denote a vertex, while \(v\xrightarrow {r} v'\) denotes a relation.

1.1.2 B.1.2 Vertex expressions

The set of vertex expressions is the smallest set \(X_V\) such that

We need a function

$$\begin{aligned} s\in X_V\rightarrow {{\mathbb P}({{\mathbb {E}}})} \end{aligned}$$

that for any vertex expression yields its set of events. Formally, \(s\) is defined recursively as follows:

1.1.3 B.1.3 Risk graph formulas

A risk graph formula is of one of the following forms:

• \(H\vdash v(f)\)

• \(H\vdash v\xrightarrow {r} v'\)

• \(H\vdash v\sqcup v'(f)\)

• ,

where

• \(H\in {{\mathbb P}({{\mathbb {H}}})}\!\setminus \!\)Ø

• \(v,v'\in X_V\)

• \(f\in {{\mathbb {F}}}\)

• \(r\in {\mathbb {R}}^+\)

1.2 B.2 Semantics of risk graph formulas

We use the brackets \({[\![\ \ ]\!]}\) to extract the semantics of a risk graph formula. If \(v\in {{\mathbb P}({{\mathbb {E}}})}\) we define

The semantics of any other risk graph formula is defined recursively as follows:

For a risk graph \(G = (V,R)\) the semantics of \(H \vdash G\) is defined as follows:

$$\begin{aligned} {[\![\ H \vdash (V,R)\ ]\!]} {\ \mathop {=}\limits ^{{\mathsf {def}}}\ }\bigwedge \limits _{e \in V \cup R} {[\![\ H \vdash e\ ]\!]} \end{aligned}$$

1.3 B.3 Calculus of risk graph formulas—proofs of soundness

We now prove soundness of three example rules. The three rules below correspond to rules 13.10, 13.11 and 13.12 in the CORAS book [15], respectively. There are some minor differences. In the CORAS book the real number decorating a leads-to relation is restricted to \([0,1]\). The statistical independence constraint in Rule 13.12 of the CORAS book is not needed.

1.3.1 B.3.1 Rule for leads-to

Soundness

Assume

$$\begin{aligned} \begin{array}{@{}ll} (1)&{} {[\![\ H\vdash v_1(f)\ ]\!]}\\ (2)&{} {[\![\ H\vdash v_1\xrightarrow {r} v_2\ ]\!]} \end{array} \end{aligned}$$

Then

Proof: (2) implies there are \(f_1, f_2\in {{\mathbb {F}}}\) such that

$$\begin{aligned} \begin{array}{@{}ll} (4)&{} {[\![\ H\vdash v_1(f_1)\ ]\!]}\\ (5)&{} {[\![\ H\vdash v_2(f_2)\ ]\!]}\\ (6)&{} f_2\ge f_1\cdot r \end{array} \end{aligned}$$

(1) and (4) imply

$$\begin{aligned} \begin{array}{@{}ll} (7)&f=f_1 \end{array} \end{aligned}$$

(6) and (7) imply

$$\begin{aligned} \begin{array}{@{}ll} (8)&f_2\ge f\cdot r \end{array} \end{aligned}$$

(5) and (8) imply (3).

1.3.2 B.3.2 Rule for mutually exclusive vertices

For simplicity we have merged four premises into two using logical conjunction.²

Soundness

Assume

$$\begin{aligned} \begin{array}{@{}ll} (1)&{} {[\![\ \!\!H_1\vdash v_1(f)\wedge v_2(0)\!\!\ ]\!]}\\ (2)&{} {[\![\ \!\!H_2\vdash v_2(f)\wedge v_1(0)\!\!\ ]\!]} \end{array} \end{aligned}$$

Then

$$\begin{aligned} \begin{array}{@{}ll} (3)&{[\![\ \!\!H_1\cup H_2\vdash v_1\sqcup v_2(f)\!\!\ ]\!]} \end{array} \end{aligned}$$

Proof: (1) and (2) imply

(1) and (2) imply

$$\begin{aligned} \begin{array}{@{}ll} (5)&{} {[\![\ H_1\vdash v_1\sqcup v_2(f)\ ]\!]}\\ (6)&{} {[\![\ H_2\vdash v_1\sqcup v_2(f)\ ]\!]} \end{array} \end{aligned}$$

(4), (5) and (6) imply (3).

1.3.3 B.3.3 Rule for separate vertices

Soundness

Assume

Then

Proof: (3) implies

(1), (2), (5) and the fact that \(f_1+f_2-0\le f_1+f_2\le f_1+f_2\) imply (4).

Appendix C: Binary risk graphs

1.1 C.1 Syntax of binary risk graph formulas

A binary risk graph formula is of the form

$$\begin{aligned} (H_1,H_2)\vdash (G_1,G_2), \end{aligned}$$

where \(H_1 \vdash G_1\) and \(H_2 \vdash G_2\) are risk graph formulas. A pair of histories \((H_1,H_2)\) fulfills a pair of risk graphs \((G_1,G_2)\), written

$$\begin{aligned} (H_1,H_2) \vdash (G_1,G_2) \end{aligned}$$

if

$$\begin{aligned} H_1 \vdash G_1 \wedge H_2 \vdash G_2 \end{aligned}$$

1.2 C.2 Semantics of binary risk graph formulas

$$\begin{aligned} {[\![\ (H_1,H_2)\vdash (G_1,G_2)\ ]\!]}{\ \mathop {=}\limits ^{{\mathsf {def}}}\ }{[\![\ H_1 \vdash G_1\ ]\!]}\wedge {[\![\ H_2 \vdash G_2\ ]\!]}. \end{aligned}$$