MoRiA: A model-based method for cybersecurity risk analysis. Application to a complex naval defense system.
Abstract
Risk analysis and systems engineering work on the same subject (the system), but with different perspectives and objectives. A collaboration between these two areas would combine their inherent strengths and improve the definition of the analysis context and its overall consistency, while taking into account the concerns and challenges of both. This is where my work fits in; its objective is to bridge the gap between the analysis and modeling of functional and non-functional system requirements and the analysis and modeling of the corresponding cybersecurity risks, and to keep both maintained and updated throughout the system's lifecycle, from the definition phase through the modeling phase. I propose MoRiA (Model-based Cyber Risk Analysis), a method that extends existing model-driven engineering methods, adapted to and based on standards, so that cyber risks can be identified, evaluated, and managed through models.
Security engineering seeks to define design methods for securing a system against risks and to demonstrate that the security level (protection, detection, reaction) is satisfactory.
This requires introducing the security perspective into the model and leads to the following questions that model engineering must address:
The definition of critical resources and processes in risk analysis methods remains an open question, as does the integration of the resources and processes that enable one or more functions contributing to a mission, taking survivability (in the sense of full or partial continuation of the function) and resilience into account. Should the model directly integrate the analytical approach for defining the assets to protect and the consequences of attacks according to the classic DICT scale (Availability, Integrity, Confidentiality, and Traceability)?
Once the assets and processes to secure are identified, their criticality becomes structuring for modeling. This brings significant technical, regulatory, and legal constraints. In France, data can be public, private, sensitive, or classified. Data can also carry a handling notice that restricts access to limited communities, for example “Special-France.” Similar classifications exist within NATO and in most countries. Security rules such as system compartmentalization derive from this, along with associated risks such as the ‘contamination’ of channels that exchange sensitive information. This perspective is therefore structuring for system design. It can also lead to the immediate rejection of unproven technical evolutions that would bypass this compartmentalization.
Security capabilities must be integrated into the modeled system to support operational security management: detection, reaction, monitoring. The specificity of the naval system lies in its operational environment and decision chain.
Finally, security engineering requires considering attack scenarios and demonstrating that the selected technical and organizational security measures ensure the security and protection of the system by making these attacks ineffective or minimizing their effects. In the context of a complex defense system, the system's long lifespan exposes it to new attacks, and technological improvements make attacks feasible that were previously complex or required significant financial means (e.g., cloud password cracking, cloning of access badges, etc.). Engineering must therefore be able to integrate future attacks, those the system will face during its operational life rather than during the design phase. A heuristic approach based on expert knowledge could suffice for a simple system; for a complex system, integrating attack scenarios into the model would allow better identification of their effects and of possible attack sequences:
Because the attacker acts deliberately, the probabilistic reduction that comes from the low likelihood of multiple simultaneous failures no longer applies; on the contrary, a combination of independent and successive vulnerabilities (technical and non-technical alike) favors attack scenarios;
Failure analysis evolves over time, as threats evolve and risks are revised; attack scenarios evolve as well, as new vulnerabilities or attack techniques are discovered;
What is an attacker in the case of a complex defense system such as naval, and how can these attack profiles be integrated into the system modeling?
Objectives of the Thesis
To analyze how to integrate the risk analysis perspective into a complex naval system design model;
To express and model constraints (such as confinement or segregation), properties related to security (communication with a peer of the same level, access to an unprotected network, or an unreliable service, etc.), and the associated validation means (to verify that the system respects these constraints);
To formally model attack processes within the model, highlighting the system’s capabilities for monitoring, detection, resilience, and protection;
To define the correct level of security adjustment for the models;
To propose a representative example based on a non-sensitive concrete case of critical functions or sub-functions of embedded equipment;
To develop a prototype illustrating the various contributions related to this thesis.
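The compartmentalization rules described in the context section (classification levels, handling notices such as “Special-France,” and the ‘contamination’ risk of channels) and the objective of expressing segregation constraints together with a validation means can be given a small model-based form. The following is an added illustration, not code from the thesis or its prototype: component, channel, and asset names, the numeric ordering of the levels, and the notion of a channel “accredited up to a level” are all assumptions of this example.

```python
from dataclasses import dataclass

# Ordered classification ladder from the text; the numeric encoding is assumed.
LEVELS = {"public": 0, "private": 1, "sensitive": 2, "classified": 3}
@dataclass(frozen=True)
class Asset:       # information handled by the system
    name: str
    level: str
    caveats: frozenset = frozenset()      # handling notices, e.g. "Special-France"

@dataclass(frozen=True)
class Component:   # node of the system model
    name: str
    clearance: str
    communities: frozenset = frozenset()  # caveat communities the node belongs to

@dataclass(frozen=True)
class Channel:     # link of the model, assumed accredited up to a level
    src: str
    dst: str
    level: str
def contamination_risks(components, channels, flows):
    """Segregation check: each (asset, src, dst) flow must cross a channel and reach a
    component accredited at or above the asset's level and in each of its caveat communities."""
    comps = {c.name: c for c in components}
    chans = {(c.src, c.dst): c for c in channels}
    findings = []
    for asset, src, dst in flows:
        need, tgt = LEVELS[asset.level], comps[dst]
        chan = chans.get((src, dst))
        if chan is None:                      # flow the model has no link for
            findings.append((asset.name, src, dst, "no channel in model"))
            continue
        if LEVELS[chan.level] < need:
            findings.append((asset.name, src, dst, f"channel {chan.level} < {asset.level}"))
        if LEVELS[tgt.clearance] < need:
            findings.append((asset.name, src, dst, f"{dst} cleared {tgt.clearance} < {asset.level}"))
        for cav in sorted(asset.caveats - tgt.communities):
            findings.append((asset.name, src, dst, f"{dst} outside {cav} community"))
    return findings

# Constructed sample model (hypothetical component names, not from the thesis).
COMPONENTS = [Component("cms", "classified", frozenset({"Special-France"})),
              Component("nav", "sensitive"), Component("crew_net", "public")]
CHANNELS = [Channel("cms", "nav", "sensitive"), Channel("nav", "crew_net", "public")]
FLOWS = [(Asset("track_data", "sensitive"), "cms", "nav"),                      # allowed
         (Asset("tactical_plan", "classified", frozenset({"Special-France"})), "cms", "nav"),
         (Asset("weather", "public"), "nav", "crew_net"),                       # allowed
         (Asset("track_data", "sensitive"), "nav", "crew_net")]                 # contamination
```

Calling `contamination_risks(COMPONENTS, CHANNELS, FLOWS)` returns one finding per violated rule, so the classified plan sent to a sensitive-only node yields three findings (channel, clearance, caveat) and the sensitive track data leaking toward the crew network yields two.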