An iterative learning and inference approach to managing dynamic cyber vulnerabilities of complex systems
Introduction
Cyber attacks have the potential to cause significant disruptions to the performance of cyber-enabled physical infrastructure systems. As the importance of cyber infrastructure health becomes increasingly apparent, numerous efforts are underway globally to secure and protect critical national infrastructure systems. For example, in 2018, the United States launched the Cybersecurity and Infrastructure Security Agency (CISA), promoting cybersecurity assessment in support of critical infrastructures and operations [15]. Similarly, in 2019, the European Union Cybersecurity Act created a permanent mandate for the European Union Agency for Cybersecurity [22]. Within the agency's scope is the intent to protect the cybersecurity network and improve cyber resilience. With increased attention to cybersecurity at a national level, it is critical for government agencies to understand the state of health of their entire cyber infrastructure system. This is a challenging endeavor because, historically, the cyber-system modeling literature has addressed security and vulnerability at an organizational level, largely focusing on software-specific vulnerabilities.
The U.S. National Science Foundation (NSF) defines cyber-physical systems as “engineered systems that are built from, and depend upon, the seamless integration of computation and physical components” [49]. Consider, for example, reports of software security flaws in vehicles that allow remote attacks on the physical control of vehicles [45], cyber-attacks that can halt operations in shipping, pharmaceuticals, oil and gas, and other industries [25], [56], or large-scale data breaches [32]. Globally, these cyber-enabled physical systems are critical for the movement of people, goods, and services. When compromised, these systems can have disastrous impacts on the safety, security, and economic well-being of organizations [11], [39]. Since these application domains comprise most critical infrastructure systems (such as transportation, energy, and communications [18]) and private sector operations with severe potential health/safety consequences [34], [57], it is critical for owners of these systems to objectively manage system vulnerability and investments as part of enterprise-level risk management processes.
Managing risk for these cyber-enabled physical systems also poses several preventive, reactive, and proactive cybersecurity challenges. These systems involve technologies that are rapidly changing and adapting, with the notable recent emergence of: 1) cloud computing [44], 2) large-scale data availability [37], 3) Internet of Things (IoT) capabilities [55], 4) blockchain technologies [60], and 5) sophisticated methods such as hacking exercises and real-world programs used to identify system vulnerabilities [65]. These systems are also sensitive to other dynamic conditions, such as cybersecurity policies, security-related legislation, human error, and operational uncertainties. The impact of these changing conditions can be influenced by several factors in the physical and cyber space, such as the remoteness of the attacker, the complexity of the attack, and the authentication privileges held by the attacker, among others [21]. This suggests the need for learning-based vulnerability models that can rapidly adapt to current operational information, emerging conditions, and sudden changes in network characteristics. Additionally, there is a need to reconcile vulnerability analyses with the study of zero-day attacks [8], which exploit vulnerabilities that may not even have been reported yet. This suggests that in many cases, the “true” system health due to a vulnerability may not be known by system owners. Instead, owners may observe known vulnerabilities to make generalizations about the overall health of the system.
Operational security management of cyber-enabled physical systems typically involves reactive processes. When a particular vulnerability is discovered, patches are created to minimize or eliminate the vulnerability through some form of enterprise patch management processes [58]. Because no single entity can control each organization's ability to detect and treat cyber vulnerabilities, a national agency or large-scale organization must consider policy-level investments that can minimize vulnerability or exposure of the overall system without directly managing organizational behavior. In some cases, organizations may also focus efforts on proactive processes, such as investing in cyber insurance [5] and increasing system monitoring.
In this paper, we treat an individual organization as a subsystem, thereby taking a national cyber security agency or large-scale organization as the system of interest. We assume that these subsystems are interdependent, such that an exploited vulnerability in one subsystem can have cascading effects on other connected systems. For example, consider the case of malicious code spreading across a network [40], possibly causing significant physical damage [13]. Similar to aspects of resilience that do not focus on specific attack scenarios, an overall assessment of vulnerability is not focused on specific vulnerabilities within subsystems. Instead, an overall assessment of vulnerability seeks to understand an inherent characteristic, attribute, or property of the overarching system, with limited knowledge of individual subsystem vulnerabilities. To clarify, we introduce two types of characteristics:
Subsystem vulnerability: Vulnerability characteristics of each organization within the studied system. Each organization is referred to as a subsystem, allowing each subsystem to manage its own protocol for identifying and treating known vulnerabilities.
Overall system health: System health that is influenced by vulnerability of the interacting subsystems as a whole.
We introduce the term System Posture (SP) to represent metrics that characterize the overall system health. This SP metric can apply to a single system or a system-of-systems that may be geographically dispersed or autonomously managed. We assume the subsystems interact while the system manager has no knowledge or ability to predict the interaction patterns. Therefore, the interactions are treated as unknown or unstructured. This overall system has limited control over the vulnerability management behavior of subsystems, yet is tasked with supporting the maintenance of overall health of the system through monitoring of the SP metric.
While vulnerability scoring and other real-time assessment metrics have been adopted industry-wide, these types of metrics illustrate only current conditions based on steady-state/equilibrium assumptions. These approaches are helpful for near-term reactions to current vulnerabilities, such as immediate patch management practices. However, there is a need to use this information to inform strategic and tactical responses that can react to trends or changes in conditions, recognizing that different types of vulnerability conditions may require tailored vulnerability management strategies. We address these shortcomings by developing a data-driven learning and stochastic modeling approach to classify system vulnerabilities. The approach consists of modeling dynamic system vulnerabilities using a hidden state-based approach to understand system posture for overall system health, and identifying the system properties that are most important to reinforce with vulnerability management practices.
To the best of our knowledge, this paper is one of the first to study the dynamic characteristics of cyber-system vulnerabilities, recognizing that system properties can be adaptive and change rapidly. We also introduce vulnerability metrics that consider both observable and hidden states of such cyber-enabled physical systems. This state-based approach includes model learning, so that it can adapt to changing technologies and conditions. Moreover, we model the “hidden” properties of system vulnerability while acknowledging risks that are considered unknown knowns, in which the assessors may not know that they lack some knowledge that potential attackers (or system users) may have. This is consistent with similar attacker-related contexts, in which system managers have limited knowledge of attacker intents and exploits. It also addresses previous shortcomings of vulnerability assessments by acknowledging dynamic system properties that can help address zero-day attacks or persistent system attacks. While this paper represents one of the first efforts to address the dynamic properties of system vulnerabilities, the intent is to serve as a springboard for further research that explores other data-driven and statistically well-grounded machine learning/artificial intelligence methods. These methods can be used for the optimal determination of model parameters, the key system vulnerabilities necessary for modeling, and how system managers should use this information within decision-making processes.
Section 2 provides background on modeling of cyber-system vulnerability, stochastic modeling of hidden system states, and the relevance of the methods to cyber-enabled physical systems. Section 3 presents our iterative learning and inference methodology. Section 4 applies the methodology to a real dataset cataloging all Common Vulnerability Scoring System (CVSS) vulnerabilities over an 18-year period. Section 5 provides concluding remarks and opportunities for future research.
Background
This section provides a background of core issues in the modeling of vulnerability and risk, with particular emphasis on cyber-enabled physical systems. Section 2.1 discusses the modeling of vulnerability. Section 2.2 discusses the role of vulnerability modeling in emerging risk management principles.
Methodology
In light of the challenges and opportunities described above, our proposed methodology is summarized in Fig. 3, noting that each step of the methodology relates directly to a subsection in this paper. The methodological workflow consists of: (1) Modeling system properties and evolution using Markov assumptions for the cyber-enabled physical system, (2) Learning model parameters from historical observable cyber vulnerabilities, (3) Inferring likely system state sequences (referred to as the
Demonstration of methods using CVSS scoring system
This section provides a demonstration of the methods described in Section 3 of this paper. The demonstration uses CVSS scores to provide a foundation for evaluating system vulnerabilities and overall system health. Consider the CVE vulnerability data from the National Vulnerability Database maintained by the National Institute of Standards and Technology. One analysis of historically documented CVSS vulnerabilities [16], classified using keyword matching on CVSS Base Scores, resulted in
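As an added illustration (not code from the paper), the inference step of the workflow in the Methodology section applied to the kind of CVSS observations this section describes: a small hidden Markov model whose hidden states are assumed system-posture states and whose observations are per-period CVSS severity bins, decoded with the Viterbi algorithm. The state names, transition and emission probabilities, and the sample scores are all assumed or constructed; the paper's parameter-learning step is not reproduced here.

```python
import math

# Assumed hidden system-posture states (the paper's own state labels are not shown on this page).
STATES = ("healthy", "degraded")

# Illustrative model parameters (assumed; the paper learns its own from historical data).
INITIAL = {"healthy": 0.8, "degraded": 0.2}
TRANSITION = {
    "healthy":  {"healthy": 0.9, "degraded": 0.1},
    "degraded": {"healthy": 0.3, "degraded": 0.7},
}
EMISSION = {
    "healthy":  {"low": 0.40, "medium": 0.40, "high": 0.15, "critical": 0.05},
    "degraded": {"low": 0.05, "medium": 0.20, "high": 0.45, "critical": 0.30},
}

# Constructed sample: CVSS v3 base scores reported in six consecutive periods (not real NVD data).
SAMPLE_PERIODS = [[3.1, 5.3, 4.0], [2.7, 6.5], [9.8, 7.5, 8.1],
                  [7.2, 9.1, 5.4], [4.3, 6.1], [3.7, 5.0, 2.2]]

def severity_bin(score):
    """Map a CVSS v3 base score to the NVD qualitative severity rating."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    return "medium" if score >= 4.0 else "low"

def observations_from_periods(period_scores):
    """Summarise each period by its most severe reported vulnerability."""
    return [severity_bin(max(scores)) for scores in period_scores]

def viterbi(obs, states=STATES, init=INITIAL, trans=TRANSITION, emit=EMISSION):
    """Return the most likely hidden-state path for obs and its log-probability."""
    lp = lambda p: math.log(p) if p > 0 else float("-inf")  # log-space avoids underflow
    delta = [{s: lp(init[s]) + lp(emit[s][obs[0]]) for s in states}]
    back = [{}]
    for t in range(1, len(obs)):
        delta.append({}); back.append({})
        for s in states:
            # best predecessor of state s at time t, then fold in the emission
            score, prev = max((delta[t - 1][p] + lp(trans[p][s]), p) for p in states)
            delta[t][s] = score + lp(emit[s][obs[t]])
            back[t][s] = prev
    last = max(states, key=lambda s: delta[-1][s])
    path = [last]
    for t in range(len(obs) - 1, 0, -1):
        path.append(back[t][path[-1]])
    path.reverse()
    return path, delta[-1][last]
```

With the constructed scores, the two periods dominated by critical findings are decoded as the degraded posture state even though the surrounding periods are not, which is the kind of trend a steady-state score alone does not expose.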
Conclusions
This paper presented an iterative learning and inference approach to evaluate the dynamic properties of vulnerability for cyber-enabled physical systems. The approach distinguishes between subsystem vulnerability (vulnerability of each firm within a larger system), and overall system health (influenced by vulnerability of interacting sub-systems). We introduced four system posture metrics, consisting of: System Posture Metric #1 (Stability), System Posture Metric #2 (Antifragility), System
References (68)
Vulnerabilities and safety assurance methods in cyber-physical systems: a comprehensive review. Reliab Eng Syst Saf (2019).
Predicting system failure rates of SRAM-based FPGA on-board processors in space radiation environments. Reliab Eng Syst Saf (2019).
Trends in big data analytics. J Parall Distrib Comput (2014).
A survey of approaches combining safety and security for industrial control systems. Reliab Eng Syst Saf (2015).
Quantitatively assessing the vulnerability of critical information systems: A new method for evaluating security enhancements. Int J Inf Manag (2008).
An approach based on behavioral models and critical states distance notion for improving cybersecurity of industrial control systems. Reliab Eng Syst Saf (2019).
A field study on root cause analysis of defects in space software. Reliab Eng Syst Saf (2017).
Dynamic functional modelling of vulnerability and interoperability of Critical Infrastructures. Reliab Eng Syst Saf (2012).
Amazon (2018). [online] Amazon Web Services, Inc. Available at:...
Scalable, graph-based network vulnerability analysis.
A screening methodology for the identification and ranking of infrastructure vulnerabilities due to terrorism. Risk Anal Int J.
Using hidden Markov models to evaluate the risks of intrusions.
Cyberinsurance in IT security management. IEEE Secur Privacy.
A maximization technique occurring in the statistical analysis of probabilistic functions of Markov chains. Ann Math Stat.
Before we knew it: an empirical study of zero-day attacks in the real world.
Pattern recognition-based approach for dynamic vulnerability status prediction.
Dynamic vulnerability assessment and intelligent control: for sustainable power systems.
Lessons from Stuxnet. Computer.
Machine learning for cybersecurity.
The little-known challenge of maritime cyber security.
Pattern classification.
Maersk, WPP and FedEx Still Struggling with Cyber Attack Fallout. Financ Times.
Measuring network security using dynamic Bayesian network.
Cited by (19)
Enhancing cybersecurity capability investments: Evidence from an experiment. 2024, Technology in Society.
Multi-level fine-tuning, data augmentation, and few-shot learning for specialized cyber threat intelligence. 2023, Computers and Security.
Artificial intelligence for cybersecurity: Literature review and future research directions. 2023, Information Fusion.
Resilient backstepping control for a class of switched nonlinear time-delay systems under hybrid cyber-attacks. 2023, Engineering Applications of Artificial Intelligence.
Model-based IDS design for ICSs. 2022, Reliability Engineering and System Safety. Citation excerpt: "On the other hand, the second model focuses on the quantitative and qualitative evaluation of the effects of system-specific vulnerabilities and the mitigation measures against them on cyber-security. Chatterjee et al. [15] present an iterative learning approach to evaluate the dynamic properties of vulnerabilities of the CPS. Their approach distinguishes between subsystem vulnerability and overall system health."
A clustering-based framework for searching vulnerabilities in the operation dynamics of Cyber-Physical Energy Systems. 2022, Reliability Engineering and System Safety. Citation excerpt: "In this regard, investigation of the system operation dynamics is fundamental. For instance, Ref [9] recognized multiple types of vulnerabilities in time-varying system properties classified by a Hidden Markov Model. Ref [29] proposed a machine learning technique to reveal the time-varying vulnerability features of a CPES and defend them against continuous cyber-attacks."