Pattern Recognitionand Applications Lab

Universityof Cagliari, Italy

Department of Electrical and Electronic Engineering

Risk management

Giorgio Fumera

http://pralab.diee.unica.it

Real-world examplesof risk assessment

1

http://pralab.diee.unica.it

Introduction

• Standards, frameworks and guidelines (ISO, NIST, etc.) do not

define nor suggest specific risk assessment techniques

• Several techniques have been developed over the years for

different application scenarios:

– process industries

– financial institutions

– civil and environmental engineering

– computer security

– ...

• In practice, each organization may need to adapt one or more

of the existing techniques to its specific requirements

2

http://pralab.diee.unica.it

Introduction

Real-world examples of risk assessment are presented in the

following, in two different application fields:

– process industries: evaluating the risk related to safety events (e.g.,

explosions) due to mechanical failure or to cyber-attacks

– enterprises financial risk assessment, in the context of the enterprise

risk management (ERM) framework

3

http://pralab.diee.unica.it

Example 1

Risk assessment in process industries

Source:

H. Abdo, M. Kaouk, J.-M. Flaus, F. Masse, A safety/security risk analysis approach of Industrial Control Systems: A cyber bowtie – combining new version of attack tree with bowtie analysis, Computers & Security, Vol. 72,

Jan. 2018, pp. 175–195

Available from inside UNICA network at:

https://www.sciencedirect.com/science/article/pii/S0167404817301931

4

http://pralab.diee.unica.it

Safety and security risks

5

Safety(industry)

• accidental risks caused by component failures, human errors or any non-deliberatesource of hazard

• relatively rareevents

Security(information systems)

• deliberate risks originating from malicious attacks, accomplished physically or by cyber means

• common events

http://pralab.diee.unica.it

Industrial automation and control systems

6

Digital technology is widely used nowadays in process industries for

instrumentation and industrial automation: SCADA systems monitor

and control equipment that deals with critical and time-sensitive

materials or events.

Cyber-security risks can affect the safety of industrial systems.

Supervisory Control And

Data Acquisition

Manufactory Execution

System

Enterprise Resource

Planning

Programmable Logic

Controller

http://pralab.diee.unica.it

Risk analysis techniques

• Safety-related events (industry)

– fault tree analysis: indentifying the causes of an undesired event

– event tree analysis: indentifying the consequences of an undesired

event

– bowtie analysis: combines fault and event trees

All the above model can also be used to evaluate the likelihood of

undesired events

• Security-related events (attacks to information systems)

– attack tree analysis: describes the sequence of steps in order to

perform an attack

7

http://pralab.diee.unica.it

Safety risks: bowtie analysis

8

http://pralab.diee.unica.it

Security risks: attack scenario

9

http://pralab.diee.unica.it

Security risks: attack tree

10

Extended version of attack trees

proposed by Abdo et al. (2018)

http://pralab.diee.unica.it

Security risks: attack tree

11

Three kinds of security events:

Extended version of attack trees

proposed by Abdo et al. (2018)

http://pralab.diee.unica.it

Example of attack tree

12

WannaCry ransomware attack model

http://pralab.diee.unica.it

Combined bowtie-attack tree

13

Model proposed by Abdo et al. (2018) to analyze risks related to safety

events or to cyber attacks.

Main goal: estimating the likelihood of undesired events.

http://pralab.diee.unica.it

Likelihood evaluation of safety events

14

Qualitative scale

http://pralab.diee.unica.it

Likelihood evaluation of security events

15

http://pralab.diee.unica.it

Likelihood evaluation of security events

16

Qualitative scale

http://pralab.diee.unica.it

Overall likelihood evaluation

17

http://pralab.diee.unica.it

Minimal cut set

18

T

G

S B

Minimal cut set: smallest collections of

basic events whose simultaneousoccurrence leads to the occurrence of the

top event.

In the fault tree on the left:

• !, #• $, !

http://pralab.diee.unica.it

Example: likelihood of a minimal cut set

19

AND gates: min rule

http://pralab.diee.unica.it

Case study

20

Chemical reactor with its SCADA system

structure.

Two physical parameters under control:

• temperature• pressureComponents (valves, pumps, etc.)

are controlled by PLCs and supervised

by a SCADA system.

Main undesired event:

overheating and overpressureinside the reactor.

http://pralab.diee.unica.it

Case study

21Combined AT-BT of the scenario under study

http://pralab.diee.unica.it

Case study

22

AT for the goal: gain unauthorized access to SCADA

http://pralab.diee.unica.it

Case study

23

Example of min cut

http://pralab.diee.unica.it

Likelihood evaluation of a min cut

24

http://pralab.diee.unica.it

Example 2

Enterprise Risk Management field

Source:

P. Curtis, M. Carey. Risk assessment in practice. Committee of Sponsoring

Organizations (COSO) of the Treadway Commission, 2012

Available at: https://www.coso.org/Pages/guidance.aspx

25

http://pralab.diee.unica.it

The risk assessment process

26

http://pralab.diee.unica.it

Impact scale

27

http://pralab.diee.unica.it

Likelihood scale

28

http://pralab.diee.unica.it

Vulnerability scale

29

http://pralab.diee.unica.it

Speed of onset scale

30

http://pralab.diee.unica.it

Qualitative vs quantitative evaluations

31

http://pralab.diee.unica.it

Scenario analysis

32

http://pralab.diee.unica.it

Bowtie diagram

33

http://pralab.diee.unica.it

Risk hierarchies

34

http://pralab.diee.unica.it

Combined risk and opportunity map

35

http://pralab.diee.unica.it

Risk heat map

36

http://pralab.diee.unica.it

MARCI chart

37

Mitigate, Assure, Redeploy, and Cumulative ImpactUseful when the primary purpose of the prioritization exercise is for risk response