Reliability and Cyber-Physical Threat Model Generation from a Standards Influenced Ontology

s
Industry Collaborators: 
  • ABB
  • Duke Energy
  • Also seeking additional industry collaborators in the electric power and O&G pipeline sectors.
Summary Statement: 

We propose to develop a theoretically sound methodology and associated tools to enable EDS stakeholders to model cyber adversaries, identify likely attack paths through an EDS, and identify candidate countermeasures to thwart attacker objectives. This will be based on an existing and proven adversary modeling framework, extended to comprehend an underlying physical EDS, and loosely coupled with a physical system simulation to estimate system impact of evolving attacker capability and identify the most damaging attacker pathways. By “loosely coupled,” we mean that model results when an attacker reaches an intermediate objective, as well as the system state, will form inputs to a physical system simulation to determine how the physical system would evolve from that point, with intermediate results fed back to the evolving adversary model.

ADversary VIew Security Evaluation (ADVISE) [1] [2] [3] has been developed and implemented in the Möbius modeling tool [4] to construct formal models of adversaries attempting to compromise a cyber-physical system. The Möbius tool evaluates ADVISE models using discrete-event simulation to gather observations and calculate estimated values of custom system metric functions. Several case studies [2] [5] [6] have examined the effectiveness of the Möbius ADVISE approach. While ADVISE models have proven useful in understanding threats against a system, the complexity of real world models prove to be too challenging for human modelers to effectively construct ADVISE models directly.

The ADVISE Meta approach resolves this problem by abstracting and formalizing the ADVISE model construction process by using the Möbius ontology framework. With ADVISE Meta, the modeler develops an ontology of component types, semantic relationship types among components, and ADVISE model fragments that are used to automatically generate an ADVISE model from a high-level system definition (System Instance Diagram) using the types defined in the ontology. Case studies [7] [8] have shown that this ontology-based model generation approach is practical and useful.

Dynamic Reliability Block Diagrams (DRBD) [9] [10] provide a rich, flexible way for modeling the reliability of systems and their constituent components. DRBD models are based on traditional, combinatorial reliability block diagram analysis methods, but incorporates a dynamic state over time to allow for evaluation of models using discrete-event simulation, which enables the evaluation of more complex systems. While the DRBD formalism has been implemented in the Möbius tool, the model generation extensions using the Möbius ontology framework have not.

The Möbius tool has a mature modeling framework that allows multiple models to be connected together to create a composed model. This composition is done by formally specifying how model state variables are unified or actions are synchronized. While Möbius has several composed model formalisms, the Rep/Join formalism is very well suited for connecting ADVISE and DRBD models to result in a comprehensive model for understanding intentional and unintentional faults. As ADVISE and DRBD models scale, this model composition can become difficult and would also benefit from the model generation approach offered by the Möbius ontology framework.

Möbius also allows the connection of outside code libraries and information sources in the execution and evaluation of its models. An important enhancement resulting from this activity will be a loose coupling of the ADVISE/ Möbius framework with high-fidelity simulations of the underlying physical system. For example, as an attack scenario evolves, the attacker may disable components such as relays (electric) or valves (O&G), which results in physical changes to the system. In the case of electric power, we will study and enable options for connecting external simulations implemented on platforms such as MatPower, Opal-RT, and RTDS. MatPower is software-only and runs in simulated time. Opal and RTDS support hardware-in-the-loop and real-time simulation.

This project seeks to enable the generation of comprehensive, detailed, stochastic models for exploring the reliability and security of energy delivery systems from high-level block-diagram system specifications. To accomplish this, the previous ADVISE Meta work will be expanded to generate dynamic reliability block diagram (DRBD) models using the Möbius ontology framework. ADVISE security models and DRBD reliability models will be generated from the same high-level system diagram. Additionally, Rep/Join models that connect the reliability and security models together will also be generated from the single system diagram.

In conjunction with expanding the model generation capabilities of the Möbius ontology framework, we will develop a new Möbius ontology that connects with previous ontology work and enables the generation of models that accurately represent an EDS. This ontology can be used for generating comprehensive, useful, stochastic models for exploring the reliability and security of energy delivery systems.

To develop and validate the information in the EDS ontology, as well as the models and metric values Möbius produces, we will engage an industry partner to develop an EDS case study. At regular meetings, we will continually discuss system definitions, intentional and unintentional fault risks, operations behavior, and metrics of interest.

The tool and the ontology (including model fragments) can be used by EDS stakeholders to assess relative security of alternative system configurations and identify security-critical system components that are candidates for increased investment in security and redundancy.

NOTE: A list of bibliographic references are in the fact sheet (PDF)

Energy Delivery System (EDS) Gap Analysis: 

Modern energy delivery systems (EDS) are an especially attractive target for attackers due to the high potential for damage to life and property. EDS owners, managers, designers, and other stakeholders lack risk assessment and adversary modeling methodologies and tools that (1) are theoretically sound, but usable, (2) consider both cyber and physical aspects of system operation, and (3) consider both intentional and unintentional faults, as well as how faults in one class can cascade into faults of the other.

Such a suite of tools and methodologies will allow an EDS stakeholder to formally model the threat to an infrastructure as that threat evolves. The benefit is a comparative analysis from a security standpoint of system design alternatives, as well as an identification of security-critical components in which to invest extra hardening measures.

Reference the research activity fact sheet (PDF) for an extended gap analysis and bibliography.

How does this research activity address the Roadmap to Achieve Energy Delivery Systems Cybersecurity?
In order to effectively maintain and improve an existing EDS or design a new EDS, an analysis of cyber-physical threats must be undertaken. This project will provide the necessary tools to conduct such a rigorous analysis. With it, stakeholders will be able to assess their system designs for weak points. Users will be able to consider various design options and understand how different changes or improvements will impact overall system reliability and security.

The activity directly supports Roadmap objectives to “Assess and Monitor Risk” with a sound methodology that models risk dynamically as a threat to a system evolves [11].

More specifically, this work will develop methodology and tools to assess aspects of the NESCOR failure scenarios[12], for example, by providing a formal way to model criteria for effects on (attack) likelihood and opportunity (NESCOR section 4.2) as well as the stepwise evolution of the attack scenarios themselves (NESCOR chapter 5).

More Information: 
Status of Activity: 
Active