NTUA and KTH joined forces to write an article that conceptually maps the SBA and the VA tool to each other. To do so, they used the MITRE ATT&CK matrix to link the meta model of SBA to icsLang, which is used as the meta model for VA. The paper will be presented at the EPESec workshop at the ARES conference.

The abstract reads as follows:

The increase of cyber-attacks raised security concerns for critical assets worldwide in the last decade, leading to more efforts spent towards increasing the cyber security among companies and countries. For the sake of enhancing cyber security, representation and testing of attacks have prime importance in understanding system vulnerabilities. One of the available tools for simulating attacks on systems is the Meta Attack Language (MAL), which allows representing the effects of certain cyber-attacks. However, only understanding the component vulnerabilities is not enough in securing enterprise systems. Another important factor is the “human”, which constitutes the biggest “insider threat”. For this, Security Behavior Analysis (SBA) helps in understanding which system components might be directly affected by the “human”. As such, in this work, the authors present an approach for integrating user actions, so-called “security behavior”, by mapping SBA to a MAL-based language through MITRE ATT&CK techniques.

The EnergyShield project has joined the European Cluster for Securing Critical Infrastructures (ECSCI). The main objective of this cluster is to create synergies and foster emerging disruptive solutions to security issues via cross-project collaboration and innovation. Research activities will focus on how to protect critical infrastructures and services, highlighting the different approaches between the clustered projects and establishing tight and productive connections with closely related and complementary H2020 projects. To promote the activities of the cluster, ECSCI will organize international conferences and national or international workshops, involving policy makers, industry and academic practitioners, and representatives from the European Commission.

Further information on the cluster can be found on the website of the organizing FINSEC project.

Our academic partners were again very productive, resulting in two articles accepted for publication in two journals. The first article, “A Method for Assigning Probability Distributions in Attack Simulation Languages”, is written by KTH and proposes a method to determine the probability distributions used in the attack simulations of the vulnerability assessment. The abstract is as follows:

Cyber attacks on IT and OT systems can have severe consequences for individuals and organizations, from water or energy distribution systems to online banking services. To respond to these threats, attack simulations can be used to assess the cyber security of systems to foster a higher degree of resilience against cyber attacks; the steps taken by an attacker to compromise sensitive system assets can be traced, and a time estimate can be computed from the initial step to the compromise of assets of interest.

Previously, the Meta Attack Language (MAL) was introduced as a framework to develop security-oriented domain-specific languages. It allows attack simulations on modeled systems and analyzes weaknesses related to known attacks. To produce more realistic simulation results, probability distributions can be assigned to attack steps and defenses to describe the efforts required for attackers to exploit certain attack steps. However, research on assessing such probability distributions is scarce, and we often rely on security experts to model attackers’ efforts. To address this gap, we propose a method to assign probability distributions to the attack steps and defenses of MAL-based languages. We demonstrate the proposed method by assigning probability distributions to a MAL-based language. Finally, the resulting language is evaluated by modeling and simulating a known cyber attack.

The second article, “Detecting Insider Threat via a Cyber-Security Culture Framework”, is written by NTUA and elaborates on the method used in the SBA tool and links it to insider threats. The abstract is as follows:

Insider threat has been recognized by both the scientific community and security professionals as one of the gravest security hazards for private companies, institutions, and governmental organizations. Extended research on the types, associated internal and external factors, detection approaches and mitigation strategies has been conducted over the last decades. Various frameworks have been introduced in an attempt to understand and reflect the danger posed by this threat, whereas multiple identified cases have been classified in private or public databases. This paper aims to present how a cyber-security culture framework with a clear focus on the human factor can assist in detecting possible threats of both malicious and unintentional insiders. We link current insider threat categories with specific security domains of the framework and introduce an assessment methodology of the core contributing parameters. The specific approach takes into consideration technical, behavioral, cultural, and personal indicators and assists in identifying possible security perils deriving from privileged individuals.

Our partners from KTH got another paper accepted at the EMMSAD’21 conference. The article proposes different coverage metrics to assess the extent to which MAL-based languages are tested to ensure their functionality. Moreover, they have developed an extension to the MAL compiler that performs this measurement automatically. The abstract is as follows:

Designing secure and reliable systems is a difficult task. Threat modeling is a process that supports the secure design of systems by easing the understanding of the system’s complexity, as well as identifying and modeling potential threats. These threat models can serve as input for attack simulations, which are used to analyze the behavior of attackers within the system. To ensure the correct functionality of these attack simulations, automated tests are designed that check if an attacker can reach a certain point in the threat model. Currently, there is no way for developers to estimate the degree to which their tests cover the attack simulations and, thus, they cannot determine the quality of their tests. To resolve this shortcoming, we analyze structural testing methods from the software engineering domain and transfer them to the threat modeling domain by following an Action Design Research approach. Further, we develop a first prototype, which is able to assess the test coverage in an automated way. This will enable threat modelers to determine the quality of their tests and, simultaneously, increase the quality of the threat models.

Our partners from KTH got their paper entitled “Towards an Ecosystem of Domain Specific Languages for Threat Modeling” accepted at the 33rd International Conference on Advanced Information Systems Engineering (CAiSE’21). The abstract is as follows:

Today, many of our activities depend on the normal operation of the IT infrastructures that support them. However, cyber-attacks on these infrastructures can lead to disastrous consequences. Therefore, efforts towards assessing the cyber-security are being done, such as attack graph simulations based on system architecture models.

The Meta Attack Language (MAL) was previously proposed as a framework for developing Domain Specific Languages (DSLs) that can be used for the aforementioned purpose. Since many common components exist among different domains, a way to prevent repeating work had to be defined. To facilitate this goal, we adapt taxonomy building by Nickerson and propose an ecosystem of MAL-based DSLs that describes a systematic approach for not only developing, but also maintaining them over time. This can foster the usage of MAL for modeling new domains.

EnergyShield Consortium is inviting you to join us in an online workshop engaging different stakeholders in cross-domain topics on the 15th of April 2021 starting from 10:00 CET.

Register here for the online workshop on Trends, opportunities and choices in designing a cyber resilient EPES infrastructure, organized by the EnergyShield Consortium.

Five interesting presentations and two panels elaborating on actual opportunities for security in the energy domain are scheduled during the event.

After a short introduction, the EnergyShield project officer will talk about recent policy developments in cybersecurity for critical infrastructure protection. Presentations on different aspects will follow, ranging from ENISA’s activities in the energy sector, over cyber security in the EPES sector, to standardization efforts to assess cyber security in the UK.

The workshop will conclude with two exciting panel discussions featuring high-profile experts from the field. The first will elaborate on the effect of work from home on energy and IT infrastructures, while the second addresses the latest incidents targeting critical infrastructure.

Do not miss the chance to participate in the workshop and register for this event!

Follow us to meet the speakers and to find out how you can contribute to this event. 

Today, February 26, our colleagues from NTUA published a new article with the title “Working from home during COVID-19 crisis: a cyber security culture assessment survey” in the Security Journal of Springer Nature. The abstract is as follows:

This paper aims to evaluate the cyber security culture readiness of organizations from different countries and business domains when teleworking became a necessity due to the COVID-19 crisis. We have designed a targeted questionnaire and conducted a web-based survey addressing employees while working from home during the COVID-19 spread over the globe. The questionnaire contained no more than 23 questions and was available for almost a month, from 7th April 2020 until 3rd May 2020. During that period, 264 participants from 13 European countries spent approximately 8 minutes to answer it. Gathered data were analyzed from different perspectives leading to evolutionary findings regarding information security readiness and resilience of both individuals and organizations. In this paper, results are being presented and discussed in detail while focusing on future scientific routes and research paths that need to be explored. It concludes on a number of cyber security recommendations addressing both the emerged vulnerabilities and the need for security culture evolution.

The entire article can be found here.

The year starts successfully for the EnergyShield project and our partners from the NTUA, who got their publication “Designing a Cyber-security Culture Assessment Survey Targeting Critical Infrastructures During Covid-19 Crisis” published by The International Journal of Network Security and Its Applications (IJNSA). The article proposes a concrete use case for the SBA tool developed within our project. The abstract is as follows:

The paper at hand presents the design of a survey aiming at the cyber-security culture assessment of critical infrastructures during the COVID-19 crisis, when living reality was heavily disturbed and working conditions fundamentally affected. The survey is rooted in a security culture framework layered into two levels, organizational and individual, further analyzed into 10 different security dimensions consisting of 52 domains. An in-depth questionnaire building analysis is presented focusing on the aims, goals, and expected results. It concludes with the survey implementation approach while underlining the framework’s first application and its revealing insights during a global crisis.

If you are interested in the entire paper, you can read it on the website of the journal.

Our colleagues from KTH and foreseeti got another paper published on “coreLang”, which provides common assets that are needed for modelling IT environments in their Meta Attack Language. The abstract is as follows:

Cyber-attacks on IT infrastructures can have disastrous consequences for individuals, regions, as well as whole nations. In order to respond to these threats, the cyber security assessment of IT infrastructures can foster a higher degree of safety and resilience against cyber-attacks. Therefore, the use of attack simulations based on system architecture models is proposed. To reduce the effort of creating new attack graphs for each system under assessment, domain-specific languages (DSLs) can be employed. DSLs codify the common attack logics of the considered domain.

Previously, MAL (the Meta Attack Language) was proposed, which serves as a framework to develop DSLs and generate attack graphs for modeled infrastructures. In this article, we propose coreLang as a MAL-based DSL for modeling IT infrastructures and analyzing weaknesses related to known attacks. To model domain-specific attributes, we studied existing cyber-attacks to develop a comprehensive language, which was iteratively verified through a series of brainstorming sessions with domain modelers. Finally, this first version of the language was validated against known cyber-attack scenarios.

Interested in reading more? You can read the pre-print here.

Our partners from KTH got their article on “powerLang: a probabilistic attack simulation language for the power domain” accepted at the Open Access Journal of Energy Informatics. The abstract is as follows:

Cyber-attacks these threats, the cyber security assessment of IT and OT infrastructures can foster a higher degree of safety and resilience against cyber-attacks. Therefore, the use of attack simulations based on system architecture models is proposed. To reduce the effort of creating new attack graphs for each system under assessment, domain-specific languages (DSLs) can be employed. DSLs codify the common attack logics of the considered domain. Previously, MAL (the Meta Attack Language) was proposed, which serves as a framework to develop DSLs and generate attack graphs for modeled infrastructures. In this article, powerLang as a MAL-based DSL for modeling IT and OT infrastructures in the power domain is proposed. Further, it allows analyzing weaknesses related to known attacks. To comprise powerLang, two existing MAL-based DSLs are combined with a new language focusing on industrial control systems (ICS). Finally, this first version of the language was validated against a known cyber-attack.