by Konrad Czyzewski, Cyber Security Integrator ICS
Digitalisation and automation are considered to be two of the key enablers for ensuring future profitability of factories. The Factory of the Future (FoF) is no longer a collection of individual systems, but becomes a multifunctional production system. Consequently, new techniques are needed to improve the level of optimisation and cyber resilience of the FoF. Two beneficial techniques to ensure resilient FoF developments on an early stage are Risk Assessments (RA) and Misuse-Cases (MUC) development, both presented in this article.
At the beginning of a Risk Assessment, a suitable methodology must be selected. As a leading partner in the Cyberfactory#1 project, we initially set up workshops to ensure that all parties fully understand our approach. The next step is the Risk Assessment, followed by a complete review of the risks. Next, Misuse-Cases are generated and documented. After an internal quality check the documentation is handed over to the Use-Case (UC) owner. These process steps are depicted in Figure 1.
Figure 1: Cyberfactory #1 Risk Assessment and Misuse-Case apporach
Risk Assessment based on IEC-62443
A RA is a systematic approach to discover, evaluate and record potential risks which can harm an underlying system or process. This is done on an individual basis in collaboration with external and internal partners. We, at Airbus CyberSecurity, defined our own RA approach and adapted the IEC-62443 RA methodology for Industrial Control Systems Security. The alignment has some strong benefits. First of all, this standard follows an international established standard that was created specifically for the industrial environment and fulfils the ISO27000 norm family. Secondly, it is still under development with focus to Industry 4.0 which makes it applicable for upcoming tasks. Third, it focuses on ICS environments that help us to apply it out-of-the-box in current projects.
Our Risk Assessment approach
The RA approach consists of four phases: information gathering, high-level RA, detailed RA and summary.
The first stage addresses the process of information gathering. This includes the following:
- Provisioning of information about customer’s architecture design and used assets
- Determination of topics that must be addressed during the upcoming phases of the RA
- Documentation of questions and estimation of RA duration (on average three days)
The high-level phase defines the scope and approach of the RA. The use-case owner is familiarised with the approach, upcoming tasks and responsibilities that will arise during the RA. One of the first tasks in this step is to divide the Use-Case into topic clusters like systems and subsystems, communication infrastructure or human interaction, as well as to discuss the scope. After the clustering the RA participants go through every cluster and list the corresponding assets. The output of this phase is a classification of risk groups that serve as the input for the detailed phase.
The detailed phase takes the most effort of the whole process. In regular exchange with the Use-Case owner risks are identified and discussed. In this process the Use-Case owner is the most valuable stakeholder, knowing the environment best to estimate together with the expert the impact and probability levels of each risk for his systems.
Last but not least, the summary phase is needed to summarise the work by putting all gathered information together and enriching the Risk Assessment documentation with further information like linking risks to each other. After an internal quality assurance check the documentation is handed over to the Use-Case owner.
A Misuse-Case that is associated to a Use-Case, describes the steps and scenarios that lead to behaviour of the involved systems that is unintended by the system operator, i.e. behaviour that conflicts with the systems requirements. These are similar to Use-Cases in the sense that they also define scenarios that lead to fulfilment of goals, even if they are not positive or desired from the business process perspective or from the point of view of system designers.
The Misuse-Case development is conducted after the risk assessment and is used to prioritise and aggregate documented risks as part of an attack story, as well as to describe them in more detail while reflecting a possible attacker profile and attack vectors and ideally to demonstrate the Misuse-Case scenario. Furthermore, mitigations are developed and suggested to the Use-Case owner in order to enable adjustment of the security measures which will lead to a more resilient FoF. In addition, each Misuse-Case discovers mitigation gaps which cannot always be addressed by State-of-the-Art (SotA) security measures and by doing so, it shows the need to adapt or develop security measures leading to a more resilient secure FoF environment.
Meaningful resilience effects to FoF environments
Risk Assessment and Misuse-Case developments generate together meaningful effects to the resilience of the Use-Cases inside the FoF. Experience has shown that RA are beneficial to fully understand the Use Case from a holistic point of view. This is supported by visiting the facilities associated to a Use-Case and getting into direct dialogue with the Use-Case owners. Furthermore, on-site reconnaissance has shown that hidden interfaces and more specific details of potential risks were brought to light during these activities. It must be underlined that the Use-Case owner is an indispensable asset and therefore is involved in the whole process.
Likewise, high-level RA are beneficial for Use-Case owners as well as for the whole supply chain. Use-Case owners are not always familiar with RA or cyber risks and therefore a high-level Risk Assessment provides them with the right tool to understand the conducted activities and more importantly the inputs they have to deliver. For the Risk Assessment provider like Airbus CyberSecurity, a high-level assessment lays the foundation for an effective and successful Risk Assessment by setting the scope of work.
The detailed Risk Assessment is not just an activity to list risks, rather more; it helps the Use-Case owner to identify the risk’s root causes by up- and down-streaming analysis. Figure 2 illustrates the process.
Figure 2: Up- and Down-streaming of Risks
The Up- and Down-streaming approach helps to identify root causes that trigger other less probable risks which help the Use-Case owner to implement effective mitigations to achieve a more resilient environment.
Misuse-Case development offers the ability to model it in a monitored environment to find adequate mitigations. Using such models, attacker profiles and attack vectors are simulated and analysed. Furthermore, mitigations are derived and proposed to the Use-Case owner.
Lastly, information gathered during the process is documented and facilitates the Use-Case owner to understand the challenges and how to tackle them. This documentation can also be used to follow up possible risks during further development of FoF Use-Cases and enables the development of resilient FoF environments.
Risk Assessments are essential for implementing strong and effective security measures, but beforehand it is necessary to evaluate the best fitting approach for the examined environment. Furthermore, a Risk Assessment contributes to fully understand a Use-Case by being in direct exchange with the Use-Case owner and also be able to visit the environment.
Misuse-Case development is facilitating the whole process to obtain a resilient FoF environment. First, the Use-Case owner gets a hands-on demonstration of risks that were documented during the Risk Assessment. Secondly, it’s beneficial for the Use-Case owner to be aware of risks in his environment, so that effective mitigations can be put in place afterwards.
We, at Airbus CyberSecurity, have good experiences using this approach on half a dozen FoF Use-Cases owned by Airbus and our research partners.
Find out more about our offering
We, at Airbus CyberSecurity, help critical infrastructure and industry to build and maintain persistent CyberResilience for the interconnected industrial systems of tomorrow. We support you with our industry proven step by step approach – Assess – Protect – Manage. Find out more here about our OT-Security offerings here.