Defense of Cyber Intelligence Threats
Chris Hankin, Director, Institute for Security Science & Technology
November 2016


UK Cyber Security Programme (slide map): ACEs (13), CDTs (2), RIs (3+), Masters (18), ATI, PETRAS

Research Institute in Trustworthy Industrial Control Systems

RITICS: Novel, effective and efficient interventions

£2.4M programme, 5 coordinated projects.
Phase 1 (Directorship) awarded 01/01/14, Chris Hankin, Imperial College London.
Phase 2 awarded 01/10/14.

MUMBA: Multifaceted metrics for ICS business risk analysis
CAPRICA: Converged approach towards resilient industrial control systems and cyber assurance
CEDRICS: Communicating and evaluating cyber risk and dependencies in ICS
SCEPTICS: A systematic evaluation process for threats to ICS (incl. national grid and rail networks)

Key Questions / Challenges

Do we understand the harm threats pose to our ICS systems and business?
Can we confidently articulate these threats as business risk?
What could be novel, effective and efficient interventions?

RITICS @ Imperial

Figure: example ICS architecture used in the RITICS models. Zones: Internet; Corporate Network (Database, Web Server, Workstation, Historian, Remote Workstation); Control Network (Workstation, PLCs); Field Devices. Attack entry points marked on the diagram: Insecure Internet, Insecure Remote Access, Infected USB Drive, Social Engineering, Insecure Remote Support.

Figure: attacker/defender simulation. Inputs: network, exploits, ASP, Resources; the defender's Control Pairs and Defender Target, the attacker's Attack Paths and Attacker Target. The simulation alternates Defender Turn and Attacker Turn; in each turn a Particle Swarm Optimisation (PSO) computes the Best Response, and the Defender Profile and Attacker Profile evolve over an n-iteration optimisation (iterations 0, 1, 2, ..., n).

Optimal Defensive Strategies for ICS

• Based on APT attack graphs.
• Optimal deployment of Defence-in-depth, critical-component defence and bottle-neck defence.
• Optimal defence: Particle Swarm Optimisation.
• Adaptive Defences for various cost-effectiveness of investment.

Tolerance against Zero-day exploits

Figure (a): posterior risk distribution with no control deployed.

• Based on Bayesian Networks risk assessment.
• Strategically deploy defence to maximise tolerance against zero-day exploits.
• Reduce the risk of zero-day exploits to an acceptable level, and the overall likelihood of a complete attack chain being exploited.
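The two slides above describe the same decision problem from two angles: choose where to deploy controls so that the likelihood of a complete attack chain is minimised (Optimal Defensive Strategies), and make sure the chosen deployment also tolerates exploits that are not yet known (Tolerance against Zero-day exploits). The following is an added example written for this page, not code from RITICS or the talk. It reduces the slides' attack graph / Bayesian network to a serial three-zone chain (Corporate -> Control -> Field) matching the diagram, with one known-CVE route and one zero-day route per hop; every probability, control name, cost and effect factor is constructed, and exhaustive search over control sets stands in for the Particle Swarm Optimisation the slides use.

```python
"""Three-zone attack-chain model with control placement (constructed example).

Assumptions (not from the slides): an attacker who holds the previous zone
compromises the next zone either through a known CVE or through a zero-day,
independently; a control scales those per-zone probabilities by fixed factors.
"""
from dataclasses import dataclass
from itertools import combinations

ZONES = ("corporate", "control", "field")

# Per-hop success probabilities with no control deployed (constructed values).
P_KNOWN = {"corporate": 0.6, "control": 0.5, "field": 0.4}
P_ZERODAY = {"corporate": 0.15, "control": 0.10, "field": 0.10}


@dataclass(frozen=True)
class Control:
    name: str
    zone: str
    cost: int
    known_factor: float    # multiplies P_KNOWN in its zone
    zeroday_factor: float  # multiplies P_ZERODAY in its zone


# Candidate controls (constructed). Patching only removes known CVE routes;
# segmentation and monitoring also cut the zero-day route.
CONTROLS = [
    Control("patch-corporate", "corporate", 1, 0.1, 1.0),
    Control("patch-control", "control", 2, 0.1, 1.0),
    Control("segment-control", "control", 3, 0.5, 0.5),
    Control("monitor-field", "field", 2, 0.6, 0.6),
    Control("patch-field", "field", 3, 0.1, 1.0),
]


def hop_probabilities(zone, deployed):
    """Known-CVE and zero-day success probabilities for one hop after controls."""
    pk, pz = P_KNOWN[zone], P_ZERODAY[zone]
    for c in deployed:
        if c.zone == zone:
            pk *= c.known_factor
            pz *= c.zeroday_factor
    return pk, pz


def chain_probability(deployed):
    """Probability that the full Corporate -> Control -> Field chain succeeds."""
    p = 1.0
    for zone in ZONES:
        pk, pz = hop_probabilities(zone, deployed)
        p *= 1 - (1 - pk) * (1 - pz)   # hop succeeds via either route
    return p


def zero_day_only_probability(deployed):
    """Residual chain probability if every known CVE were fixed.

    This is the zero-day tolerance measure: it does not change when the only
    controls deployed are patches, which is the point the slide makes.
    """
    p = 1.0
    for zone in ZONES:
        _, pz = hop_probabilities(zone, deployed)
        p *= pz
    return p


def best_deployment(budget, objective=chain_probability, controls=CONTROLS):
    """Exhaustive search (stand-in for PSO) for the control set within budget
    that minimises the given objective. Returns (objective value, controls)."""
    best = (objective(()), ())
    for k in range(1, len(controls) + 1):
        for combo in combinations(controls, k):
            if sum(c.cost for c in combo) > budget:
                continue
            value = objective(combo)
            if value < best[0] - 1e-12:
                best = (value, combo)
    return best


if __name__ == "__main__":
    print("no controls: chain=%.4f zero-day-only=%.5f"
          % (chain_probability(()), zero_day_only_probability(())))
    for name, obj in (("chain", chain_probability),
                      ("zero-day-only", zero_day_only_probability)):
        value, combo = best_deployment(3, objective=obj)
        print("budget 3, minimise %s: %.5f via %s"
              % (name, value, [c.name for c in combo]))
```

With the constructed numbers, minimising the overall chain probability under a budget of 3 picks two cheap patches in depth (corporate and control), cutting the chain from about 0.167 to about 0.013, while the zero-day-only residual stays at 0.0015 because patches do nothing for unknown exploits; minimising the zero-day-only objective instead picks segmentation of the control network. A practitioner would look at both figures before calling a deployment optimal, which is the trade-off the two slides frame.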

Figure: the same ICS architecture annotated with known vulnerabilities (CVE) and possible unknown ones (0DAY ?) on each hop. Nodes shown: Internet; Corporate Network (Database, Web Server, Workstation, Historian, Remote Workstation); Control Network (Workstation, HMI); Field Controllers (PLCs). Entry points: Insecure Internet, Insecure Remote Access, Infected USB Drive, Social Engineering. The posterior risk is plotted per zone: Corporate, Control, Field.

Impact

Contribution to new Cyber Security Strategy for UK railways.
Tools for building models of complex cyber physical systems.
Testbeds.
A serious game for studying security decisions.
Secure implementation of gateway module using IEC standard.
Contribution to European work on certification of ICS components.