Cyber Threat Analysis Based on Characterizing Adversarial Behavior for Energy Delivery System

  • Conference paper
  • In: Security and Privacy in Communication Networks (SecureComm 2019)

Abstract

Recently, Energy Delivery Systems (EDS) have been the target of several sophisticated attacks with the potential for catastrophic damage. These attacks are diverse in their techniques, attack progression, and impacts. System administrators require comprehensive analytics to assess their defenses against these diverse adversarial strategies. To address this challenge, this paper proposes a methodology to assess cyber threats proactively by characterizing adversary behavior. First, we describe the different levels of threat indicators and their effectiveness for understanding adversary activity. Next, we integrate static network information with dynamic attack strategy by mapping attack graphs onto the attacker’s techniques and tactics. This contextual integration provides insight into the attacker’s stealthy behavior. After enumerating the complexity and effort of attack progression, we devise a metric to quantify the likelihood that an adversary takes a given attack path to compromise an asset in an EDS. We empirically evaluated our approach within an ICS test-bed. The results show the value of our approach for characterizing adversarial behavior and for gaining insight into cyber risk management.



Acknowledgment

This material is based upon work supported by the Department of Energy under award number DE-OE0000780 and Department of Homeland Security Grant 2015-ST-061-CIRC01. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or any agency thereof.

Author information

Correspondence to Sharif Ullah.


Copyright information

© 2019 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper


Cite this paper

Ullah, S., Shetty, S., Nayak, A., Hassanzadeh, A., Hasan, K. (2019). Cyber Threat Analysis Based on Characterizing Adversarial Behavior for Energy Delivery System. In: Chen, S., Choo, KK., Fu, X., Lou, W., Mohaisen, A. (eds) Security and Privacy in Communication Networks. SecureComm 2019. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 305. Springer, Cham. https://doi.org/10.1007/978-3-030-37231-6_8


  • DOI: https://doi.org/10.1007/978-3-030-37231-6_8


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-37230-9

  • Online ISBN: 978-3-030-37231-6
