Attack graphs – a potential tool for ICS cybersecurity analysis


Attack graphs are potentially powerful tools for industrial control system (ICS) cybersecurity analysis and improving cyber risk management but building accurate models requires skill, information and time, Ofgem reports.

The report from Britain’s regulator follows a trial of the effectiveness of attack graphs with an unnamed gas or electricity operator.

Attack graphs provide a structure for capturing system security-related data that enables detailed analysis of attack paths, i.e. the possible sequences of steps that cyber-attackers could take to cause harm.

They are not primarily used for assessing compliance with security requirements, but for answering the question, ‘given my level of compliance and my implementation of other security controls, what is the easiest way for cyber-attackers to compromise my system of interest?’


Typically, an attack graph consists of a set of nodes connected via links. The nodes represent a level of privilege or access achieved by an attacker on the target network, e.g. user privileges on a particular device and application. The links represent attack steps to gain further access or privilege.

The level of difficulty of an attack step can be derived by considering the availability of exploits and the type of defences in place.
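To make the node-and-link structure above concrete, here is an added example (not code from the Ofgem report or the trial) that models a small, constructed ICS attack graph as a weighted directed graph, scores each step from exploit availability and the number of defences in its way, finds the easiest path from the internet to PLC write access, and ranks which single added defence would lengthen that easiest path the most. The node names, step labels and the scoring scheme are assumptions made for the illustration.

```python
import heapq
from typing import Dict, List, Optional, Tuple

# One attack step (a link): destination privilege level, step label,
# exploit availability, and how many defences currently stand in its way.
Step = Tuple[str, str, str, int]
Graph = Dict[str, List[Step]]

# Assumed scoring: a step is cheaper when an exploit is publicly available
# and dearer for every defence in place. Illustrative, not Ofgem's method.
EXPLOIT_BASE = {"public": 1, "private": 3, "none_known": 6}

def step_difficulty(exploit: str, defences: int) -> int:
    return EXPLOIT_BASE[exploit] + 2 * defences

def build_graph(extra: Optional[Dict[str, int]] = None) -> Graph:
    """Constructed toy ICS model. Nodes are hypothetical privilege levels;
    `extra` adds defences to named steps so candidate controls can be tested."""
    e = extra or {}
    def d(label: str, base: int) -> int:
        return base + e.get(label, 0)
    return {
        "internet":  [("it_user",   "remote_access", "public",     d("remote_access", 1))],
        "it_user":   [("it_admin",  "priv_esc_it",   "public",     d("priv_esc_it", 0)),
                      ("ews_user",  "lateral_move",  "private",    d("lateral_move", 1))],
        "it_admin":  [("ews_user",  "admin_lateral", "public",     d("admin_lateral", 1))],
        "ews_user":  [("plc_write", "eng_protocol",  "none_known", d("eng_protocol", 0))],
        "plc_write": [],
    }

def easiest_path(graph: Graph, start: str, goal: str) -> Tuple[float, List[str]]:
    """Dijkstra over step difficulty: the lowest total cost is the 'easiest way in'."""
    best: Dict[str, float] = {start: 0}
    queue: List[Tuple[float, str, List[str]]] = [(0, start, [start])]
    while queue:
        cost, node, path = heapq.heappop(queue)
        if node == goal:
            return cost, path
        if cost > best.get(node, float("inf")):
            continue  # stale queue entry, a cheaper route was already found
        for nxt, _label, exploit, defences in graph[node]:
            new = cost + step_difficulty(exploit, defences)
            if new < best.get(nxt, float("inf")):
                best[nxt] = new
                heapq.heappush(queue, (new, nxt, path + [nxt]))
    return float("inf"), []  # goal unreachable from start

def rank_controls(labels: List[str], start: str, goal: str) -> List[Tuple[str, float]]:
    """How much does one extra defence on each step raise the easiest path's cost?"""
    base, _ = easiest_path(build_graph(), start, goal)
    gains = [(lbl, easiest_path(build_graph({lbl: 1}), start, goal)[0] - base) for lbl in labels]
    return sorted(gains, key=lambda g: -g[1])
```

In the toy model the easiest path runs through the IT admin level even though it has more steps, because a public exploit makes that detour cheap; the ranking shows that defences on steps every path must cross raise the attacker's minimum cost most.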

Ofgem says in its report that while there have been considerable advances by academia in modelling the cybersecurity of IT and SCADA systems, there has been little use of attack graphs by the industry.

Ofgem reports that the trial found the use of attack graphs enabled a more detailed understanding and discussion of the cyber risks to the associated essential service than would typically be achieved through analysis of system documentation and component level vulnerability analysis.

They allow a large amount of system data to be captured in a data structure suited to automated analysis, with a summary of its implications for cyber risk. They could also provide security insights overlooked by other methods.

However, they are not a panacea for cyber risk analysis. Cyber expertise is required to understand their limitations and to interpret attack paths. Attack path analysis is also highly dependent on accurate modelling of the control system.

The value for money of attack graph analysis is also heavily dependent on when in the system lifecycle it takes place; it would be most cost-effective at the early system design stage.

As a conclusion, Ofgem recommends that with the considerable investment in industrial control systems being embarked upon to enable decarbonisation and digitalisation, consideration should be given to the use of attack graphs and computer-aided modelling from the system design stage onwards.