Present the Ability of Risk Approaches to Adapt to Technology Evolution - Information Systems
For this assignment, you must create a PowerPoint presentation for technologists and managers in your selected organization that presents the ability of different risk approaches to adapt to the evolution of technology. Your presentation should address the following:

• Persuasive review of preparations needed to preempt future losses due to change, including the ability of the organization to adjust
• Potential risks from technologies that may be adopted by your target organization
• Anticipated changes resulting from changing threats
• Implications resulting from new forms of defenses
• Adjustments required because of compliance and changes in the legal process
• Improvements available from new theories, models, and frameworks
• Influences within the industry of your target organization and other external factors
• Suggested changes to strategy, policy, and governance

Your presentation should comply with PowerPoint best practices and be appropriate for the intended audience:

• Ensure each slide includes one main idea, a maximum of six bullet points, and a maximum of 30 total words. Use short phrases rather than full paragraphs.
• Do not use more than 5 colors unless they indicate categories or sequences.
• Avoid using light text on a dark background.
• Keep the font size between 18 and 30 points and use the same font throughout the presentation.
• Use the slide master feature to standardize the header placement, font sizes, etc.
• Use PowerPoint features to create your own simple tables and images to support your content. Avoid the use of clipart. Be sure all images support the content; they should not be used for decoration purposes.
• Avoid the use of excessive movement (slide transitions, animated GIFs, and word animations).

Length: 11-slide presentation with speaker notes for each slide.
References: Include at least 5 scholarly references.

The completed presentation should address all the assignment requirements, exhibit evidence of concept knowledge, and demonstrate thoughtful consideration of the content presented in the course. The writing should integrate scholarly resources and reflect academic expectations and current APA standards.

Enabling Risk Management for Smart Infrastructures with an Anomaly Behavior Analysis Intrusion Detection System

Jesus Pacheco (1), Xiaoyang Zhu (2), Youakim Badr (2), Salim Hariri (1)
(1) Electrical and Computer Engineering Department, The University of Arizona, Tucson, USA, {Jpacheco, hariri}@email.arizona.edu
(2) University Lyon, INSA-Lyon, LIRIS UMR 5205, F-69621 Lyon, France, {youakim.badr, xiaoyang.zhu}@insa-lyon.fr

Abstract— The Internet of Things (IoT) connects not only computers and mobile devices, but it also interconnects smart buildings, homes, and cities, as well as electrical grids, gas and water networks, automobiles, airplanes, etc. However, IoT applications introduce grand security challenges due to the increase in the attack surface. Current security approaches do not handle cybersecurity from a holistic point of view; hence a systematic cybersecurity mechanism needs to be adopted when designing IoT-based applications. In this work, we present a risk management framework to deploy secure IoT-based applications for Smart Infrastructures at design time and at runtime. At design time, we propose a risk management method that is appropriate for smart infrastructures. At runtime, our framework relies on the Anomaly Behavior Analysis (ABA) methodology, enabled by the Autonomic Computing paradigm, and an intrusion detection system to detect any threat that can compromise IoT infrastructures. Our preliminary experimental results show that our framework can be used to detect threats and protect IoT premises and services.

Keywords— IoT; cyber security; anomaly behavior analysis; threat model; risk management.

I. INTRODUCTION

Advances in mobile and pervasive computing, social network technologies, and the exponential growth in Internet applications and services have led to the development of the next generation of Internet services, known as the Internet of Things. It is expected that the number of IoT devices will reach more than 50 billion devices by 2020 [1]. IoT-based services will be a key enabling technology for the development of smart cities that will revolutionize the way we do business, maintain our health, manage critical infrastructures, conduct education, and how we secure, protect, and entertain ourselves [2][3].

IoT applications such as critical infrastructures (e.g., the smart grid) are large-scale distributed systems, comprised of complex systems and characterized by interdependence, independence, cooperation, competition, and adaptation [4][5]. Examples of large-scale IoT applications include electric grids interconnected with other sectors (smart grids), the urban transportation sector interconnected with the wireless network (smart transportation), building devices integrated into a larger home monitoring system (smart buildings), and federated health information systems (smart health), to mention just a few. In this context, systems interact with each other using different levels of trust relationships and consequently require ultimate security solutions to protect information and processes.

With the use of IoT techniques, we are experiencing grand challenges to secure and protect such advanced information services due to the significant increase in the attack surface [6]. The interconnections between growing numbers of devices expose the vulnerability of IoT applications to attackers. Even devices that are intended to operate only in local area networks are sometimes connected to the Internet due to careless configuration or to satisfy special needs (e.g., they need to be remotely managed).
As a result, devices can be easily compromised and become subject to cyber-security risks and attacks with severe impacts (e.g., life-threatening scenarios) [3][5]. In order to reduce security threats, risk management is used to support information systems by identifying security constraints on what should be protected, applying systematic and reliable risk management methodologies [6]. However, applying risk management to the IoT is not as straightforward as risk management in information systems [7]. In fact, the IoT is still in its infancy, with a lack of common standards, a wildly divergent number of communication protocols, hardware and software platforms to solve IoT problems, and rapid changes in technologies, which bring new and unforeseen risks. Given this, a new risk management approach is needed to protect IoT-based applications by continuously identifying security risks, not only at the design time of IoT-based applications but also at runtime.

To this end, we introduce an IoT risk management framework for smart infrastructures to recognize vulnerabilities and identify possible countermeasures in order to mitigate their exploitation. Our framework consists of four layers: devices (end nodes), network, services, and application, and relies on a general threat model covering risks at each layer.
2nd IEEE International Workshops on Foundations and Applications of Self* Systems 978-1-5090-6558-5/17 $31.00 © 2017 IEEE DOI 10.1109/FAS*W.2017.71. Authorized licensed use limited to: Northcentral University. Downloaded on October 19, 2021 at 13:58:57 UTC from IEEE Xplore. Restrictions apply.

At runtime, the framework provides an Anomaly Behavior Analysis Intrusion Detection System (ABA-IDS) to detect anomalies that could be triggered by attacks against elements in each layer (e.g., sensors, protocols, wireless communication, etc.). The main feature of ABA-IDS is its capability to detect novel attacks. Our ABA-IDS defines a baseline model for the normal behavior of each layer through off-line training and considers any activity that lies outside this normal model as an anomaly.

From an experimental standpoint, we have evaluated our framework by launching several cyberattacks (e.g., Sensor Impersonation, Replay, and Flooding attacks) against our Smart Building testbed developed at the University of Arizona Center for Cloud and Autonomic Computing. The results show that our IoT security framework can be used to develop effective security mechanisms to protect the normal operations of each layer. Moreover, our framework can detect known and unknown attacks against IoT elements with a high detection rate and low false alarms.

The rest of the paper is organized as follows. Section II gives a brief overview of the related work. Section III is devoted to explaining our IoT security framework for smart infrastructures. In Section IV we show some of our preliminary results for each layer of our framework.
The last section concludes the paper and discusses future research directions.

II. RELATED WORK

The need for sharing resources and information exposes the vulnerability of IoT systems and their data to attacks (e.g., falsification attacks), leading to incorrect information delivery to users and causing them to take wrong and dangerous actions. For example, the Stuxnet attack [11] was successfully launched and compromised nuclear plant facilities. In this case, the main concern was the elevation of privileges to perform malicious actions against cyber-physical systems. Another example is in [12], where the authors show how a Bluetooth connection was used in a smart city to change traffic sensor firmware to gather information and to modify the data provided by those sensors. In this attack, the main concern is information disclosure and falsification. The aforementioned examples are real-world scenarios that show how critically important it is to secure and protect IoT operations against cyberattacks.

Studies have shown that security in any IoT application will be crucial in the years to come. Hence, various approaches have been proposed in the literature to deal with key IoT elements (e.g., end devices, protocols, services, etc.). For instance, in [14] the authors show how pre-shared key solutions could be used in limited real-life scenarios where the distribution of keys in an offline mode is possible. In [15] an Internet Key Exchange compression scheme has been proposed to provide a lightweight automatic mechanism to establish security associations for IPsec and the HIP Base Exchange. Another approach can be seen in [16], in which the authors introduced a delegation procedure that enables a client to delegate certificate validation to a trusted server. While the proposed delegation approaches reduce the computational load at the constrained nodes, they break the end-to-end principle by requiring a trusted third party.
Improving security and reducing risks in the Internet of Things relies on analysing threats, risks and vulnerabilities to specify appropriate countermeasures. Many risk assessment methodologies have been proposed in the literature for information systems, such as EBIOS [21], OCTAVE [22], CRAMM [23] and MEHARI [24]. These methods cover the identification of assets, access modes, actors involved, motivations and effects, link them to actions, and estimate their impacts and cost. They require a well-known context definition as an entry point to assess all elements related to the risk analysis and vulnerability evaluation. Unfortunately, the context is unpredictable in the Internet of Things, since all devices and actuators are distributed in a dynamic environment. Despite their differences, these methods share a main factor, which is “the context definition”. This factor makes risk management harder to adapt to dynamic environments where the system’s context may change permanently. The pervasive, distributed, and evolving nature of IoT applications makes it difficult to consider security from a holistic point of view. To address this problem, we have proposed an IoT risk management framework that can be used at design time when architecting smart infrastructures. We will discuss our approach in the next sections.

III. IOT RISK MANAGEMENT FRAMEWORK FOR SMART INFRASTRUCTURES

In the realm of the Internet of Things, risk management should take into account the dynamic context. In addition, the continuous evolution of dynamic environments and advances in IoT-based technologies require new strategies to secure the resources of connected devices. Risk evaluation should be adapted to an ever-changing context during the execution of connected devices and without loss of functionalities. A global security policy must be adapted at any time to address new changes, which leads to new challenges in risk management in the Internet of Things.
We propose to extend risk management in traditional information systems to enable security and risk management in the Internet of Things. The first step toward secured critical infrastructures in the Internet of Things in a dynamic environment deals with the definition of the ‘context’ and the identification of functionalities and characteristics to establish a risk management framework of trust communities. Our proposed risk management framework aims at reducing security risks not only at design time, by assessing risks, but also at runtime, by enabling an Anomaly Behavior Analysis Intrusion Detection System (ABA-IDS). The risk management framework consists of a risk management methodology covering four levels (applications, services, communications and end nodes) and applying four fundamental functions (see Fig. 1):

• Model Specification: To characterize the normal operations for each layer. This is helpful to build the reference model that describes the normal behavior of the system at each stage.
• Attack Surface Identification: To identify the entry points that can be exploited by a cyber adversary.
• Impact Analysis: To analyze the impact of a cyber-attack.
• Risk Mitigation: To accurately choose the protection mechanism to be applied in compliance with the impact analysis.

Fig. 1. IoT Risk Management Framework for Smart Infrastructures (figure: a grid with one row per layer, Applications, Services, Communications and End Nodes, and one column per function, layer Model, Attack Surface, Impact, Mitigation and Priority)

In the first level (end nodes), the information passes through physical devices to identify or modify the physical world.
This information includes object properties, environmental conditions, raw data, etc. The key components in this level are sensors for capturing and representing the physical world in the digital world, actuators to modify the environment to a desired state, and local controllers to take immediate actions when required. The targets at this level are local controllers, sensors, actuators, and information. The impact can be loss or waste of energy, human safety, and the provider’s reputation. Mitigation mechanisms include lightweight encryption, sensor authentication, IDS, and behavior analysis.

Communications are responsible for the reliable transmission of information from and to end nodes. The technologies used in this level include the Internet protocols (HTTP, TCP/IP), radio and mobile communication networks (LoRa, GSM, LTE, ...) and network infrastructures. An intruder can target protocols, firewalls, routers, or the communication bus to gather information or to launch malicious commands. The impact can be measured in terms of money loss, human safety, privacy, and energy consumption. To overcome the mentioned issues, authentication and encryption techniques can be used (among other techniques).

At the service level, all the required computational power is mostly provided as cloud and/or fog services. This level is used for remotely monitoring and controlling the system, as well as to store data and analyze large amounts of information. An attacker can target cloud storage to gather information or change the content in cloud-based databases/containers, leading to life-threatening scenarios, loss of money, and information disclosure. Mitigation mechanisms at this level include encryption, intrusion detection systems, selective disclosure, and data distortion.

The application layer provides personalized services according to the needs of the user.
Access to the IoT services is through this layer, and it can be via mobile technology such as a cellphone, mobile applications, or a smart appliance or device. In this layer, data sharing is an important characteristic, and consequently application security must address data privacy and access control.

At each level, risk management is assessed by enforcing accurate security policies; this way our framework complies with the National Institute of Standards and Technology (NIST) Security Framework for Critical Infrastructures [8]. As shown in Fig. 1, each layer of the IoT architecture has its own threat model that can be defined in terms of five components: Layer service model, Attack surface, Impact, Mitigation and Priority. For each level, after we define the behavior or functional model, we identify the Attack Surface that characterizes the entry points that can be exploited by attackers to inject malicious events to impact the normal operations of that layer. Then we identify the potential impact of exploiting the vulnerabilities. With the obtained information, we identify the mitigation mechanisms that can be implemented to diminish these threats. Finally, we prioritize the mitigation strategies according to the potential impact on the system. By following this architecture, we can ensure the development of highly secure and trustworthy IoT services.

IV. PRELIMINARY RESULTS

A. End Nodes Level

As we previously mentioned, the key components in this layer are the sensors, actuators, and local controllers. We have experimented with sensors in the first level to detect when an IoT sensor has been compromised by an adversary. For this case, we first extract unique signatures that describe the behavior of sensors using the Discrete Wavelet Transform (DWT) [3]. A set of signatures is used to build the reference model, which is built taking into consideration the Euclidean Distance (ED) between signatures.
From the obtained EDs, we compute the mean and standard deviation to establish the limits of normal operation [3]. The reference model contains a sample signature and the limits of normal operation. After we obtain the reference model, we extract runtime signatures to detect any drift in the behavior (when the ED exceeds the normal operation limits), which we call abnormal behavior. This method can also be used to create signatures for known attacks (e.g., replay attack); this way our risk management approach can take more accurate mitigation actions. Table I shows some of the results we obtained for a set of attacks against IoT sensors.

TABLE I. TESTED ATTACKS VS DETECTION RATE FOR END NODES

  Attack                      Detection Rate
  Replay Attack [17]          98%
  Delay Attack [18]           98%
  DoS Attack [18]             99.9%
  Flooding Attack [18]        98%
  Sensor Impersonation [19]   97.4%
  Pulse DoS [18]              96%
  Noise injection [20]        100%

From Table I, the pulse DoS and noise injection attacks were not used to train the system, but they can still be detected. There are two cases that trigger false positives: the first case happens when the behavior is not considered in the training phase (e.g., a cold object near the temperature sensor); in the second case, the sensor needs to reach its steady state after an attack. Our experiments show that at most 3.2% of these situations produced false positive alerts.

B. Communications Level

A key component in the communications level is the secure gateway, which is the (local) point of access to the system, used to monitor sensors or issue commands to the actuators. To highlight the usability of our framework, in this layer we have developed an anomaly behavior analysis (ABA) methodology to detect attacks targeting the availability of a secure gateway, which is part of the communication layer in our IoT risk management framework.
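The end-nodes method of Section IV.A above (DWT signatures, the Euclidean distance to a reference signature, limits of normal operation from the mean and standard deviation of the training distances, and extra signatures for known attacks) can be worked through on constructed data. The Python below is an added example written for this page, not the authors' code or anything from their testbed: the temperature profile, the noise level, the two attack profiles, the 2-level Haar decomposition, the choice to keep only the 16 coarsest coefficients as the signature, and the mean + 3σ limit are all assumptions.

```python
"""Added example: Haar-DWT sensor signatures, an Euclidean-distance reference
model, and runtime drift detection against known-attack signatures."""
import math
import random
from statistics import mean, pstdev

N = 32        # samples per window (constructed: one reading every 15 min for 8 h)
LEVELS = 2    # Haar decomposition depth (assumption)
KEEP = 16     # coarsest coefficients kept as the signature (assumption)


def haar_dwt(window, levels=LEVELS):
    """Orthonormal Haar DWT. Returns the coefficients coarsest-first: the final
    approximation, then the detail coefficients of each level.
    len(window) must be divisible by 2**levels."""
    approx, details = list(window), []
    for _ in range(levels):
        pairs = list(zip(approx[0::2], approx[1::2]))
        nxt = [(a + b) / math.sqrt(2) for a, b in pairs]
        det = [(a - b) / math.sqrt(2) for a, b in pairs]
        approx, details = nxt, det + details
    return approx + details


def signature(window):
    """Compact behaviour signature: the KEEP coarsest coefficients. Dropping the
    finest details tolerates sensor jitter but hides anomalies confined to it."""
    return haar_dwt(window)[:KEEP]


def euclidean(u, v):
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(u, v)))


def build_reference(windows, k=3.0):
    """Reference model: the mean signature plus the limit of normal operation,
    mean(ED) + k * std(ED) over the training signatures (k = 3 is an assumption)."""
    sigs = [signature(w) for w in windows]
    centre = [mean(col) for col in zip(*sigs)]
    eds = [euclidean(s, centre) for s in sigs]
    return {"signature": centre, "limit": mean(eds) + k * pstdev(eds)}


def classify(window, normal_ref, attack_refs):
    """Runtime check. 'normal' while the drift stays inside the normal limit;
    otherwise the nearest known-attack signature whose own limit contains the
    window, or 'unknown attack' for a novel anomaly."""
    sig = signature(window)
    if euclidean(sig, normal_ref["signature"]) <= normal_ref["limit"]:
        return "normal", None
    best = None
    for name, ref in attack_refs.items():
        d = euclidean(sig, ref["signature"])
        if d <= ref["limit"] and (best is None or d < best[1]):
            best = (name, d)
    return "abnormal", best[0] if best else "unknown attack"


# --- constructed training data for a room temperature sensor -----------------
def nominal():
    """Slow swing around 21 C over the window (constructed profile)."""
    return [21.0 + 2.0 * math.sin(2 * math.pi * i / N) for i in range(N)]


BURST = [3.0 if i % 4 < 2 else -3.0 for i in range(N)]  # injected +/-3 C pattern


def make_windows(rng, n=40, bias=0.0, pattern=None):
    """n noisy copies of the nominal profile, optionally biased or overlaid."""
    pattern = pattern or [0.0] * N
    return [[x + bias + p + rng.gauss(0, 0.2) for x, p in zip(nominal(), pattern)]
            for _ in range(n)]


def train_models(seed=7):
    """Offline training: one reference for normal behaviour and one per known
    attack profile (constructed: a +8 C bias and the BURST pattern)."""
    rng = random.Random(seed)
    normal_ref = build_reference(make_windows(rng))
    attack_refs = {
        "bias injection": build_reference(make_windows(rng, bias=8.0)),
        "noise injection": build_reference(make_windows(rng, pattern=BURST)),
    }
    return normal_ref, attack_refs


if __name__ == "__main__":
    normal_ref, attack_refs = train_models()
    base = nominal()
    for label, w in [("clean", base),
                     ("biased", [x + 8.0 for x in base]),
                     ("burst", [x + p for x, p in zip(base, BURST)]),
                     ("stuck", [21.0] * N)]:
        print(label, classify(w, normal_ref, attack_refs))
```

Because the Haar transform is orthonormal, keeping every coefficient would make the wavelet-domain distance equal to the distance between the raw windows (Parseval), so the compact signature is what gives the DWT a role here, at the price of missing anomalies confined to the discarded finest scale. The constant "stuck" window lies outside every reference and is reported as an unknown attack rather than being forced into the closest known label.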
Our ABA methodology uses as its principle that a system’s normal behavior can be characterized using global variables such as system memory, devices mounted, hardware configuration, etc. We divided our methodology into two stages:

• Offline training. The final goal of this stage is to create the reference model of the system. The first step is to select the features that are useful to characterize the system; after verifying the correlation of the 260 system variables available, we found that 11 are enough to represent the secure gateway’s normal behavior. The next step is to create a dataset of the selected features. Our dataset contains both the normal data, which represents the normal behavior of the system, and the abnormal data, which represents the behavior of the system under known attacks. We built the model of normal operations based on the selected features using data mining techniques (e.g., JRip [9]). Once the model is extracted, it is tested in the second stage (runtime), looking for detection accuracy and false positive alerts.
• Runtime testing. The main goal of the runtime unit is to classify the behavior of the system and rank the impact of an abnormal behavior to perform accurate risk management. The first step is to collect the information (monitoring) about the selected features. Then we classify the incoming traffic as normal or abnormal, taking into consideration a rule-based model created using JRip. If the traffic is determined to be abnormal, the impact of the abnormality is classified using a decision tree [9].

Some of the obtained results at this level are shown in Table II. As can be seen from Table II, the worst-case scenario for our methodology is a 92.3% detection rate for Pulse DoS. However, some of the detected attacks were not trained in the system, meaning that our ABA methodology can be used to detect known and unknown attacks with a high detection rate and low false positives (less than 3% in the worst-case scenario).

TABLE II. TESTED ATTACKS VS DETECTION RATE FOR COMMUNICATIONS

  Attack              Detection Rate (%)
  Flooding [18]       94.2
  Replay [17]         96.3
  PulseDoS [18]       92.3
  HTTP GET [20]       98.0
  Replay + HTTP GET   99.2

C. Services Level

At the services layer, all the required computational power is mostly provided by cloud services. This layer is used for remotely monitoring and controlling IoT systems, as well as to store data and analyze large amounts of information. In general, IoT services can be allocated to four categories: 1) identity services, 2) information aggregation services, 3) collaborative-aware services, and 4) ubiquitous services. Based on our work in [10], we adopted a holistic approach to define a security conceptual model that covers all elements at the business, service, and infrastructure levels (Fig. 2) and illustrates the causal relationships between these levels. In practice, the dependency model is a complex graph because it is built from instances of each type of essential asset, and hence it can be learned from lists of essential assets using Bayesian networks, for example. Since information security is subject to uncertain and unforeseen threats, we proposed a fuzzy logic decision system that helps identify security risks based on the security conceptual model and select appropriate security measures based on security objectives.

Fig. 2. The Dependency Model

D. Application Level

The application layer provides the services requested by customers. For instance, a mobile application can report home temperature measurements when requested by the home user. The relevance of this layer from the point of view of the IoT is that it has the ability to provide high-quality smart services to meet users’ needs. In [6] we distinguish between steady and dynamic environments in which information systems are deployed and monitored.
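The two-stage ABA methodology for the secure gateway described in Section IV.B above (offline feature selection by correlation, a rule-based normal/abnormal model, then runtime classification followed by impact ranking) is sketched below on constructed monitoring samples. This Python is an added example written for this page, not the authors' implementation: the five system variables, the twelve training samples with their class and impact labels, and the 0.9 correlation cut-off are assumptions; the rule learner is a simplified one-feature sequential covering that stands in for JRip, and the impact model reuses that learner in place of the paper's decision tree. A normal-envelope check, also an assumption, catches samples that match no learned attack rule but leave the range seen during training.

```python
"""Added example: two-stage anomaly behaviour analysis for a gateway, with
offline feature pruning and rule induction, then runtime classification and
impact ranking. All data and thresholds are constructed."""
from collections import Counter
from statistics import mean, pstdev

# Assumed system variables of the gateway and constructed training samples.
FEATURES = ["rx_pps", "http_req_ps", "cpu_pct", "mem_pct", "tcp_conns"]
TRAIN = [  # (rx_pps, http_req_ps, cpu_pct, mem_pct, tcp_conns, class, impact)
    (80, 2, 8, 32, 6, "normal", "none"),
    (120, 4, 12, 34, 9, "normal", "none"),
    (150, 6, 15, 35, 12, "normal", "none"),
    (95, 3, 10, 33, 8, "normal", "none"),
    (190, 8, 18, 36, 14, "normal", "none"),
    (60, 1, 6, 31, 5, "normal", "none"),
    (9000, 3, 70, 36, 7, "flooding", "medium"),
    (15000, 2, 85, 37, 9, "flooding", "high"),
    (7000, 4, 65, 35, 5, "flooding", "medium"),
    (1500, 600, 15, 34, 300, "http_get", "medium"),
    (2200, 1200, 20, 36, 500, "http_get", "high"),
    (1100, 800, 12, 35, 250, "http_get", "medium"),
]


def as_records(rows):
    return [dict(zip(FEATURES + ["class", "impact"], r)) for r in rows]


def pearson(xs, ys):
    mx, my, sx, sy = mean(xs), mean(ys), pstdev(xs), pstdev(ys)
    if sx == 0 or sy == 0:
        return 0.0
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / (len(xs) * sx * s_y(sy))


def s_y(sy):  # tiny helper kept separate so pearson reads as the textbook formula
    return sy


def select_features(records, features, max_r=0.9):
    """Keep a feature unless it is nearly collinear with one already kept."""
    kept = []
    for f in features:
        col = [r[f] for r in records]
        if all(abs(pearson(col, [r[k] for r in records])) <= max_r for k in kept):
            kept.append(f)
    return kept


def fires(test, r):
    f, op, thr = test
    return r[f] > thr if op == ">" else r[f] < thr


def learn_rules(records, features, label):
    """Simplified sequential covering (stand-in for JRip/RIPPER): for every class
    except the most common one, repeatedly pick the single-feature threshold test
    that covers the most remaining samples of that class and no sample of any
    other class. Returns (ordered rules, default class)."""
    counts = Counter(r[label] for r in records)
    classes = sorted(counts, key=lambda c: (counts[c], c))
    default, rules = classes[-1], []
    for cls in classes[:-1]:
        pool = list(records)
        while True:
            best = None
            for f in features:
                vals = sorted({r[f] for r in pool})
                for lo, hi in zip(vals, vals[1:]):
                    thr = (lo + hi) / 2  # candidate cut between observed values
                    for op in (">", "<"):
                        cov = [r for r in pool if fires((f, op, thr), r)]
                        pos = sum(r[label] == cls for r in cov)
                        if pos == len(cov) and pos > (best[0] if best else 0):
                            best = (pos, f, op, thr)
            if best is None:
                break
            rules.append((cls,) + best[1:])
            pool = [r for r in pool if not fires(best[1:], r)]
    return rules, default


def apply_rules(model, r):
    rules, default = model
    for cls, f, op, thr in rules:
        if fires((f, op, thr), r):
            return cls
    return default


def train(records=None):
    """Offline stage: prune features, learn the attack rules on all samples and
    the impact rules on the abnormal ones, and record the normal envelope."""
    records = records or as_records(TRAIN)
    feats = select_features(records, FEATURES)
    normal = [r for r in records if r["class"] == "normal"]
    abnormal = [r for r in records if r["class"] != "normal"]
    return {"features": feats,
            "envelope": {f: (min(r[f] for r in normal), max(r[f] for r in normal)) for f in feats},
            "attack": learn_rules(records, feats, "class"),
            "impact": learn_rules(abnormal, feats, "impact")}


def classify(model, sample):
    """Runtime stage: a known attack via the rules (with its impact rank), else an
    unknown anomaly if any selected feature leaves the normal envelope, else normal."""
    cls = apply_rules(model["attack"], sample)
    if cls != "normal":
        return cls, apply_rules(model["impact"], sample)
    for f, (lo, hi) in model["envelope"].items():
        if not lo <= sample[f] <= hi:
            return "unknown anomaly", "unranked"
    return "normal", "none"
```

On this data the pruning step keeps rx_pps, http_req_ps and mem_pct, dropping cpu_pct and tcp_conns because they track rx_pps and http_req_ps almost perfectly; the learned rules are rx_pps > 4600 for flooding and http_req_ps > 304 for http_get, with normal as the default class, and the impact model marks rx_pps > 12000 or http_req_ps > 1000 as high. A memory-pressure sample that matches no rule still leaves the envelope and is surfaced as an unknown anomaly instead of being silently classed as normal.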
We demonstrated that a global security policy must be adapted at any time to address new changes in dynamic environments to cope with new challenges in risk management. We introduce a holistic approach for risk and security management through the definition of a Service Characteristics Infrastructure, including certificate authorities, signed service characteristics, and security policies.

V. CONCLUSION AND FUTURE WORK

Due to the exponential growth in the number of interconnected devices, cyber-security in the IoT is a major challenge. It heavily relies on the digital identity concept to build security mechanisms such as authentication and authorization. In this paper we introduced an IoT Risk Management Framework for Smart Infrastructures that can be used as a systematic way to build general protection mechanisms for IoT applications, rather than creating ad-hoc solutions for each IoT application. We are currently experimenting with a Blockchain-based Identity Framework for IoT (BIFIT). The idea is to apply our approach to IoT smart infrastructures to autonomously extract appliance signatures and create Blockchain-based identities for the appliance owners.

Acknowledgements: This work is supported by Thomson Reuters in the framework of the Partner University Fund project: “Cybersecurity Collaboratory: Cyberspace Threat Identification, Analysis and Proactive Response”. The Partner University Fund is a program of the French Embassy in the United States and the FACE Foundation and is supported by American donors and the French government.

REFERENCES

[1] Verizon (May 2017). Create intelligent, more meaningful business connections. Retrieved from http://www.verizonenterprise.com/solutions/connected-machines/
[2] Z. Andrea, B. Nicola, Angelo C., Lorenzo V., and Michele Z., “Internet of Things for Smart Cities”, IEEE Internet of Things Journal, vol. 1, no. 1, February 2014.
[3] J. Pacheco, S. Hariri, “IoT Security Framework for Smart Cyber Infrastructures”, IEEE 1st International Workshops on Foundations and Applications of Self-* Systems, Germany, 2016.
[4] V. Chiprianov, L. Gallon, M. Munier, P. Aniorte, and V. Lalanne. Challenges in Security Engineering of Systems-of-Systems. In Troisième Conférence en IngénieriE du Logiciel (p. 143).
[5] R. Valerdi, A.M. Ross, and D.H. Rhodes. A framework for evolving system of systems engineering.
[6] P.B. Nassar, Y. Badr, K. Barbar, and F. Biennier, “Risk management and security in service-based architectures.” In Advances in Computational Tools for Engineering Applications, 2009. ACTEA09. International Conference on, pp. 214-218. IEEE, 2009.
[7] H. Suo, J. Wan, C. Zou, J. Liu, “Security in the Internet of Things: A Review”, International Conference on Computer Science and Electronics Engineering (ICCSEE), 2012, vol. 3.
[8] National Institute of Standards and Technology (NIST), and United States of America. “Framework for Improving Critical Infrastructure Cybersecurity.” (2017)
[9] I. Witten, F. Eibe, A.H. Mark, and J.P. Christopher. Data Mining: Practical machine learning tools and techniques. Morgan Kaufmann, 2016.
[10] Y. Badr, and Soumya Banerjee. “Managing End-to-End Security Risks with Fuzzy Logic in Service-Oriented Architectures.” In Services (SERVICES), 2013 IEEE Ninth World Congress on, pp. 111-117. IEEE, 2013.
[11] D. Kushner, “The Real Story of Stuxnet, How Kaspersky Lab tracked down the malware that stymied Iran’s nuclear-fuel enrichment program”, IEEE Spectrum, February 2013.
[12] D. Legezo (Kaspersky Lab): How to trick traffic sensors. (April 2016). Retrieved from: https://securelist.com/blog/research/74454/how-to-trick-traffic-sensors/
[13] D. Takahashi, Y. Xiao, and F. Hu, “A survey of security in telemedicine with wireless sensor networks.” Mobile Telemedicine: A Computing and Networking Perspective (2008): 209-235.
[14] Prashar M, Vashisht R.
Survey on pre-shared keys in wireless sensor network. Int J Sci Emerging Technol Latest Trends. 2012;4(1):42–48.
[15] Sahraoui S, Bilami A. Efficient HIP-based approach to ensure lightweight end-to-end security in the internet of things. Comput Networks. 2015;91:26–45.
[16] T. Freeman, R. Housley, A. Malpani, D. Cooper, W. Polk, 2007. Server-based certificate validation protocol (SCVP). Internet Proposed Standard RFC 5055.
[17] A. Hoehn, P. Zhang. “Detection of replay attacks in cyber-physical systems.” In American Control Conference (ACC), 2016, pp. 290-295. IEEE, 2016.
[18] V. Namboodiri, V. Aravinthan, S. Mohapatra, B. Karimi, W. Jewell, “Toward a Secure Wireless-Based Home Area Network for Metering in Smart Grids,” IEEE Systems Journal, vol. PP, no. 99, pp. 1-12, doi: 10.1109/JSYST.2013.2260700
[19] N. Tanabe, E. Kohno, Y. Kakuda. “A path authenticating method using bloom filters against impersonation attacks on relaying nodes for wireless sensor networks.” In 2013 IEEE 33rd International Conference on Distributed Computing Systems Workshops, 2013 Jul 8, pp. 357-361. IEEE.
[20] V.P. Illiano, E. Lupu. “Detecting malicious data injections in wireless sensor networks: A survey”. ACM Computing Surveys (CSUR). 2015 Nov 21;48(2):24.
[21] DCSSI: EBIOS - Expression of Needs and Identification of Security Objectives. 2004. http://www.ssi.gouv.fr/en/confidence/ebiospresentation.html
[22] J. Eom, S. Park, Y. Han, T. Chung, Risk Assessment Method Based on Business Process-Oriented Asset Evaluation for Information System Security, Proc. ICCS 2007, Lecture Notes in Computer Science, Vol. 4489 (Springer Berlin, 2007) 1024-1031.
[23] Insight Consulting: CRAMM (CCTA Risk Analysis and Management Method) User Guide version 5.0. SIEMENS. http://www.cramm.com/
[24] CLUSIF: MEHARI 2007 (Méthode Harmonisée d’Analyse du Risque Informatique). https://www.clusif.asso.fr/fr/production/mehari/

Integrated Safety and Cybersecurity Risk Analysis of Cooperative Intelligent Transport Systems

Giedre Sabaliauskaite, Jin Cui, Lin Shen Liew, and Fengjun Zhou
Centre for Research in Cyber Security (iTrust), Singapore University of Technology and Design, Singapore 487372, Singapore

Abstract—Automated Vehicles (AVs), the self-driving vehicles, are expected to outperform human drivers and improve road safety in the near future. However, to achieve these goals, they need to communicate with each other and with the other road participants and coordinate their actions. The systems of connected cooperative AVs are called Cooperative Intelligent Transport Systems (C-ITS). Similar to AVs, C-ITS are vulnerable to failures and cyberattacks. In our previous work, we proposed a method, US2, for AV risk analysis. This paper extends US2 and presents a method for integrated C-ITS safety and cybersecurity risk analysis. It takes into consideration the automotive safety and cybersecurity standards ISO 26262 and SAE J3061, and utilizes elements of the previously proposed risk analysis methods US2, EVITA, TVRA, and RACE.

Index Terms—automated vehicle, cooperative intelligent transport system, safety, security, risk analysis

I. INTRODUCTION

Automated Vehicles (AVs) are self-driving vehicles. In AVs, the automated driving system is able to partially or completely replace a human driver in performing the driving functions required to operate the vehicle in on-road traffic. AV technology is promising, as it can help to reduce commuting time and enable more people to enjoy the freedom of traveling (e.g., the elderly and people with disabilities). But, most importantly, it could help in significantly reducing traffic injuries and fatalities [1]. However, to achieve these goals, AVs must be safe and secure.
Unfortunately, the first fatal crash of an AV involving a pedestrian was reported in March 2018 [2]. Thus, there is an urgent need to assure AV safety and security to prevent such accidents from happening in the future.

AVs are complex Cyber-Physical Systems (CPSs), which integrate embedded computing technology into physical phenomena, and therefore they are vulnerable not only to failures, but also to cyberattacks [3]. Thus, safety and security have to be considered while developing, testing, and deploying AVs on public roads [1].

In order to outperform human drivers, AVs need to communicate with the other traffic participants. The communications will allow road users and traffic managers to share and use information to coordinate their actions [4]. The systems of connected cooperative AVs are called Cooperative Intelligent Transport Systems (C-ITS) [4] [5]. C-ITS may include AVs, roadside infrastructure, and other systems. In Europe, the CAR-2-CAR Communication Consortium (C2C-CC) has been established with the primary objective of further increasing road traffic safety and efficiency by means of C-ITS [6]. C2C-CC has defined a 4-phase roadmap for the deployment of C-ITS: the awareness driving phase (vehicles disseminate only their status information), the sensing driving phase (vehicles exchange their sensor information), the cooperative driving phase (vehicles share their intentions with other traffic participants), and, finally, the synchronized cooperative driving phase (vehicles exchange and synchronize their driving trajectories to achieve optimal driving patterns) [5].

C-ITS are vulnerable to failures and attacks just as AVs are. Thus, assuring the safety and security of C-ITS is crucial. How can we assess C-ITS safety and security risks, taking into consideration the above-mentioned C-ITS deployment phases? In our previous research, we proposed a method, US2 [7], for AV safety and security risk analysis at the single vehicle level.
In this paper, we extend the earlier approach to enable safety and security risk analysis at the C-ITS level.

The remainder of the paper is structured as follows. Section II includes the preliminaries. Section III describes the related work in the area of AV safety and security risk analysis. Section IV explains the proposed approach. Finally, Section V concludes the paper.

2018 Joint 10th International Conference on Soft Computing and Intelligent Systems and 19th International Symposium on Advanced Intelligent Systems. 978-1-5386-2633-7/18/$31.00 ©2018 IEEE. DOI 10.1109/SCIS-ISIS.2018.00120
Authorized licensed use limited to: Northcentral University. Downloaded on October 19,2021 at 14:00:03 UTC from IEEE Xplore. Restrictions apply.

II. PRELIMINARIES

A. Automated Vehicles

Automated road vehicles perform the driving functions required to operate the vehicle in on-road traffic. These are the real-time operational and tactical functions, which include lateral and longitudinal vehicle motion control, monitoring the driving environment, object and event response execution, maneuver planning, and enhancing conspicuity via lighting, signaling, etc. These functions are collectively called the Dynamic Driving Task (DDT) [8].

AVs perform the entire DDT or part of it depending on their automation level. The international standard SAE J3016 [8] describes six driving automation levels. At level 0, the human driver performs the entire DDT. At level 1, an automated system can assist the human driver in performing either the lateral or the longitudinal vehicle motion control. At level 2, an automated system performs both the lateral and the longitudinal vehicle motion control, while the driver monitors the driving environment. At level 3, an automated system can perform the entire DDT, but the human driver must be ready to take back control when the automated system requests it.
There is no human driver at level 4; an automated system conducts the entire DDT, but it can operate only in certain environments and under certain conditions. Finally, at level 5, an automated system performs the entire DDT in all environments.

[Figure 1. AV functions [9]. Function blocks shown: Sensing, Sensor Fusion, Self Localization, Real world projection, MAP, World Model, Path planning, Mission planning, Trajectory, Path following & control, Execution, Maintenance & Diagnostics, Emergency Response.]

The automated system implements the DDT using a set of functions, which can be grouped into three main categories: perception (perception of the external environment/context in which the vehicle operates), decision & control (decisions and control of vehicle motion, with respect to the external environment/context that is perceived), and vehicle platform manipulation (sensing, control and actuation of the vehicle, with the intention of achieving the desired motion) [9] (see Fig. 1). In addition, AVs include maintenance & diagnostics functions, which handle software and hardware error information and report it to the manufacturer, and emergency response functions.

[Figure 2. AV components and communications. Components shown: V2X Network (C-ITS level), AVs, RSUs, and, at the AV level, C-CU, On-board computer, ECUs, Sensors and actuators, LiDAR, Camera, GNSS.]

Fig. 2 shows the main components of an AV at two levels: the AV level and the C-ITS level. The AV's sensors, such as radar, camera and LiDAR (Light Detection and Ranging), are responsible for sensing the vehicle's dynamics (e.g., location and speed) as well as its immediate environment (e.g., distances to neighboring vehicles, road traffic conditions, and traffic signs). The on-board computer processes this information and then sends control commands to the Electronic Control Units (ECUs), which control the corresponding actuators to achieve the desired movement speed and direction. A Global Navigation Satellite System (GNSS) is often used by AVs to obtain accurate location information.
The connections between the on-board computer, sensors, ECUs, and actuators form an in-vehicle network (also called the on-board network). In addition, AVs can communicate with other AVs as well as with the road infrastructure (Road Side Units, RSUs) by means of a V2X (Vehicle-to-everything) network. A C-ITS station unit, the Cooperative Communication Unit (C-CU), is added to the AV to enable communication over the V2X network, as shown in Fig. 2. See the next sub-section for more details.

B. Connected Vehicles and Cooperative ITS (C-ITS)

Cooperation and coordination among AVs and other traffic participants is becoming increasingly important with the development of highly automated vehicles in order to produce transportation system benefits [4] [5]. Communication among AVs would enable them to drive closer to each other, operate with better control and quicker reaction, and eventually avoid collisions. In C-ITS, service provision is enabled by the use of live dynamic data from other vehicles and infrastructure, which is implemented using vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communications, collectively called V2X. An on-board communication unit, the C-CU, is used by the AV to enable V2X communication, as shown in Fig. 2.

To the best of the authors' knowledge, no international standards for designing C-ITS have been developed yet. Thus, the standard ISO 21217 (Intelligent transport systems communications access for land mobiles (CALM) architecture), which has been developed to define the common architectural framework of intelligent transport systems [10], could be used for this purpose. An ITS is a system-of-systems, which consists of various traffic participants (systems), such as vehicles, roadside infrastructure, portable devices, control centers, etc., which are connected via various networking and access technologies including the Internet, public and private networks, Bluetooth, Wifi, cellular technologies, etc.
Each of these systems contains a communication unit, an ITS station, which is a functional entity specified by the ITS architecture. In C-ITS, the ITS station corresponds to the C-CU.

C-ITS is expected to be launched in Europe in 2019 [4] [5] and deployed in four phases:
1. Awareness Driving phase (vehicles disseminate their status information, allowing other vehicles to be aware of the presence of other vehicles and hazards);
2. Sensing Driving phase (vehicles exchange their sensor information, such as camera and radar data, which allows other vehicles to see with the eyes of others and detect otherwise hidden objects);
3. Cooperative Driving phase (vehicles share their trajectories or planned maneuvers data with other traffic participants, allowing them to accurately predict other traffic participant behavior and optimize their own decisions);
4. Synchronized Cooperative Driving phase (vehicles exchange their coordination data and synchronize their driving trajectories to achieve optimal driving patterns).

Fig. 3 shows the C-ITS deployment phases with the corresponding services and the data shared among vehicles, which enables the implementation of these services. The amount of exchanged data varies among phases, e.g., in phase 1, AVs exchange only their status data, while in phase 3 they exchange their status, sensor, and intention data. The deployment of C-ITS needs to be closely coordinated with AV development and deployment, as C-ITS phases 3 and 4 are feasible only for highly automated vehicles (automation levels 4 and 5).

[Figure 3. C-ITS deployment phases [5]. The figure relates C-ITS services, C-ITS deployment phases, AV driving automation level (Level 1: Driving assistance to Level 5: Full automation) and data shared among AVs. Columns, in order: Phase 1: Awareness driving; Phase 2: Sensing driving; Phase 3: Cooperative driving; Phase 4: Synchronized cooperative driving. Services, in the same order: basic warning services (intersection warning, emergency vehicle warning, hazard warning, etc.); advanced warning services (vulnerable road user warning, overtaking warning, etc.); roadworks assistance, lane-merging assistance, platooning, etc.; cooperative merging, overtaking assistance, dynamic platooning, etc. Data shared, in the same order: status data; sensor and status data; intention, sensor and status data; coordination, intention, sensor and status data.]

The functions of the AVs participating in C-ITS have to be expanded to enable the use of data received from other vehicles. Fig. 4 shows two additional functions, Co-sensor fusion and Co-localization, added to the AV in C-ITS deployment phases 1 and 2. Co-sensor fusion combines the sensor information of the local sensors installed in the AV with the sensor information of other vehicles. Co-localization identifies the location of other vehicles. In C-ITS deployment phases 3 and 4, additional functions, such as Mission co-planning and Path co-planning, will be implemented in AVs to manage data on other AVs' planned trajectories and maneuvers. The deployment of C-ITS in Europe will start with phase 1 in 2019 and will continue up to the final phase (EC 2016).

III. RELATED WORK IN THE AREAS OF AV SAFETY AND CYBERSECURITY RISK ANALYSIS

System safety is the state of a system that does not cause harm to life, property, or the environment, collectively called safety losses, while cybersecurity is the state that does not allow exploitation of vulnerabilities to lead to losses, such as financial, operational, privacy, or safety losses [11]. Thus, in addition to safety, cybersecurity aims at protecting finances, operations, and privacy.

[Figure 4. AV functions in C-ITS deployment phases 1 and 2. Function blocks shown: those of Fig. 1 (Sensing, Sensor Fusion, Self Localization, Real world projection, MAP, World Model, Path planning, Mission planning, Trajectory, Path following & control, Execution, Maintenance & Diagnostics, Emergency Response) plus Co-Localization and Co-Sensor Fusion.]

Ensuring the safety of autonomous vehicles, i.e., reducing the number of traffic crashes to prevent injuries and save lives, is a top priority in autonomous vehicle development. Safety and security are interdependent (e.g., security attacks can cause safety failures, or security countermeasures may weaken CPS safety, and vice versa); therefore they have to be aligned in the early system development phases to ensure the required level of protection [12] [13].

The ISO 26262 standard [14], which defines functional safety for automotive equipment and is applicable throughout the life-cycle of all safety-related automotive Electronic and Electrical (E/E) systems, is currently being used for AV safety analysis. It aims to address possible hazards caused by the malfunctioning behavior of E/E systems. The safety process consists of several phases, such as concept, product development, and production, operation, service and decommissioning. Hazard Analysis and Risk Assessment (HARA) is performed during the concept phase, where hazardous events, safety risks and safety goals are identified and analyzed. These goals are further refined into safety requirements, and, subsequently, safety countermeasures are designed and implemented to satisfy the requirements.

To analyze safety risks and determine their criticality, an Automotive Safety Integrity Level (ASIL) is assigned to each identified hazard during the HARA phase [14]. The hazards are quantified according to severity (S), probability of exposure (E), and controllability (C), as shown in Table I. There are three levels of severity: S1 - light or moderate injuries, S2 - severe injuries, and S3 - life-threatening injuries. Probability of exposure can be very low (E1), low (E2), medium (E3), or high (E4). Finally, four levels of controllability are defined: C0 - controllable in general, C1 - simply controllable, C2 - normally controllable, and C3 - difficult to control or uncontrollable.
ASIL A is the lowest safety integrity level, while ASIL D is the highest. QM (Quality Management) indicates that the hazard is of low risk and therefore is not required to comply with ISO 26262. The currently available version of ISO 26262, published in 2011, requires the presence of a human driver to respond to unexpected environments and conditions, and therefore is not sufficient for highly automated AVs. A new version of ISO 26262, which will consider highly automated AVs, should be published by the end of 2018.

Table I. AUTOMOTIVE SAFETY INTEGRITY LEVEL (ASIL) [14].

Severity S  Exposure E  Controllability C
                        C0   C1   C2   C3
S1          E1          QM   QM   QM   QM
            E2          QM   QM   QM   QM
            E3          QM   QM   QM   A
            E4          QM   QM   A    B
S2          E1          QM   QM   QM   QM
            E2          QM   QM   QM   A
            E3          QM   QM   A    B
            E4          QM   A    B    C
S3          E1          QM   QM   QM   A
            E2          QM   QM   A    B
            E3          QM   A    B    C
            E4          A    B    C    D

SAE J3061 is a vehicle cybersecurity standard [11], which was developed using the ISO 26262 standard as a guideline. Thus, both standards, ISO 26262 and SAE J3061, consist of similar phases. The security process defined by SAE J3061 includes concept, product development, and production & operation phases. Threat Analysis and Risk Assessment (TARA) is performed during the concept phase, where threats, security risks, and security goals are defined and analyzed. ISO and SAE are currently jointly developing the vehicle standard ISO 21434 [15], which will replace SAE J3061 in 2019.

SAE J3061 [11] does not provide a unified method for cybersecurity risk analysis, but it includes several examples, such as the EVITA [16] and HEAVENS methods. In addition, the European Telecommunications Standards Institute (ETSI) proposed the TVRA (Threat, Vulnerability, and Risk Analysis) method [17]. Furthermore, in our previous work we proposed the US2 method [7] for unified safety and security risk analysis.
There are no standards yet which define AV system-of-systems safety and security. Thus, we can adapt ISO 26262 and SAE J3061 for analyzing C-ITS safety and security risks. In [18], Boudguiga et al. proposed the RACE (Risk Analysis for Cooperative Engines) method for C-ITS cybersecurity risk analysis, based on the EVITA and TVRA methods. In this paper, we extend the US2 [7] method and propose an approach for C-ITS cybersecurity and safety analysis, based on the ISO 26262 and SAE J3061 standards, which uses elements of the previously proposed methods US2, EVITA, TVRA, and RACE.

IV. AN APPROACH FOR AV SAFETY AND CYBERSECURITY RISK ANALYSIS IN C-ITS

In order to estimate risks, two main factors have to be defined: likelihoods (or probabilities) and impacts (or severities). During vehicle hazard risk analysis, likelihood is addressed by the probability of exposure, while impact is addressed by the severity and controllability [14] (see Section III); cybersecurity threats, on the other hand, are evaluated with respect to the severity of the possible outcome of an attack and the likelihood that a potential attack can be successfully carried out (attack potential) [11].

We assume that the AV safety and security risk analysis has been completed at the single AV level before performing the analysis of C-ITS risks. As we can see from Fig. 2, the main C-ITS components are: the communication units (C-CUs) installed inside AVs, the roadside infrastructure, and the V2X communication network. C-ITS safety analysis includes the risk analysis of hazards caused by accidental failures of these components and, consequently, failures of the C-ITS functions (the co-sensor fusion and co-localization functions, as shown in Fig. 4), while the cybersecurity risk analysis focuses on cyberattacks on V2X and C-CU and their effect on C-ITS functions.

C-ITS safety risk analysis is performed using the HARA process defined by the ISO 26262 standard [14] (see Section III).
The following sub-sections describe the C-ITS cybersecurity risk analysis and its integration with the safety risk analysis.

A. C-ITS cybersecurity risk analysis

1) Attack potential: In EVITA [16], the authors define attack potential using the following five parameters: elapsed time, expertise, knowledge of the system, window of opportunity and equipment. However, Macher et al. [19] point out that such an attack potential classification is too complex and requires a lot of effort. Out of these five parameters, knowledge of the system and required equipment are the key parameters which affect the success of an attack. Thus, we have previously included only these two parameters in the US2 method [7] for defining the attack potential P. The same two parameters are used for defining C-ITS attack potential, as described below.

Three levels of attackers' knowledge, K, are identified: 0 - attackers do not require prior knowledge of the C-ITS; 1 - attackers need some basic knowledge or some basic understanding of the C-ITS; 2 - attackers need comprehensive domain knowledge. The equipment required to perform a successful attack, R, can also be assigned to three levels: 0 - no special equipment is needed; 1 - standard equipment is needed, which can be easily obtained; 2 - specialized equipment, which is not easy to obtain, is required.

Using the knowledge K and required equipment R, we can define the attack potential P, as shown in Table II. First, we define two extreme situations: if exerting a threat requires neither any tool (R = 0) nor any knowledge (K = 0), this threat is of high attack potential (P = 3); in contrast, if exerting a threat requires an advanced tool (R = 2) and specific training or knowledge (K = 2), such a threat is of very low attack potential (P = 0). In situations when, for achieving a threat, an attacker needs either specific knowledge (K = 2) or a specific tool (R = 2), the attack potential is considered low (P = 1).
If the requirement of knowledge and equipment is medium (K = 1 or R = 1), the attack potential is also medium (P = 2). All the combinations of (K, R) and the associated attack potential are listed in Table II.

Table II. ATTACK POTENTIAL P.

Potential P  Description  (K,R) combinations
0            Very low     (2,2)
1            Low          (2,0) (0,2) (1,2) (2,1)
2            Medium       (1,1) (0,1) (1,0)
3            High         (0,0)

2) Attack severity: Cyberattacks can lead to four different types of losses, i.e. safety, privacy, financial, and operational (as defined by the SAE J3061 standard [11]), which have to be considered while assessing the cybersecurity risks. EVITA [11] [16] has defined the attack severity SA as a vector of four components: SS (safety), SP (privacy), SF (financial), and SO (operational). SS evaluates the attack damage to the driver or passengers. SP is related to personal data exposure and vehicle tracking. SF defines economic losses for users and vehicle manufacturers. Finally, SO describes the impact of the attack on vehicle performance. The attack severity types proposed by EVITA [16] can be applied for evaluating C-ITS attack severity as well, as shown in the RACE method [18]. Thus, we will use the same attack severity types in our approach. The severity levels for each severity type are shown in Tables III and IV, where four levels of severity, 0-3, are defined. If an attack causes several types of losses with different levels of severity, the highest level is assigned to the attack and its severity SA is determined. E.g., if SS = 2 and SP = 3, then SA = 3.

Table III. ATTACK SEVERITY WITH RESPECT TO SAFETY AND PRIVACY (FROM RACE METHOD [18]).

Severity SA  Safety SS                         Privacy SP
0            No injuries                       No unauthorized access to data
1            Light injuries                    Access to anonymous data
2            Severe injuries, with survival    Identification of vehicle or driver
3            Life threatening, possible death  Driver or vehicle tracking

Table IV. ATTACK SEVERITY WITH RESPECT TO FINANCIAL AND OPERATIONAL LOSSES (FROM RACE METHOD [18]).

Severity SA  Financial SF (in $)  Operational SO
0            0 < loss < 100       No impact on performance
1            100 < loss < 1000    Impact not detected by driver/system
2            1000 < loss < 10000  Driver/system aware of performance degradation
3            loss > 10000         Significant impact on performance

Several authors argue that to compute the final attack severity value, S, we need to consider the attack intensity I, as in the TVRA and RACE methods [17] [18]. Attack intensity is important in C-ITS risk analysis, since the attack severity value differs depending not only on the number of attack instances but also on the number of targeted vehicles [18]. Thus, we include the intensity value in computing the total attack severity S. The intensity ranges from 0 to 2, where 0 corresponds to a single attack instance, 1 to a moderate number of attack instances on one vehicle or one attack on a moderate number of vehicles, and 2 to a heavy number of attack instances on many vehicles. The total attack severity, S, is computed as S = SA + I, truncated to 3 if S > 3 (same as in the RACE method [18]).

3) AV automation level: The driving automation level of an AV is another important factor which has to be considered during risk analysis. As the automation level increases, the amount of driving tasks controlled by the system increases, while the role of the human driver reduces (see Section II-A for more details). Thus, the risk analysis has to be performed for all automation levels at which an AV is expected to operate. The driving automation level L has been considered in neither the EVITA nor the RACE method.
However, we took it into account in the US2 method [7], where we grouped the automation levels into three groups: low (levels 1 and 2), medium (level 3), and high (levels 4 and 5). The same groups are used in this approach.

4) Cybersecurity risk values: Using the attack's total severity S, potential P, and vehicle automation level L values, we can define the Cyber Security Risk Level (CSRL), as shown in Table V. CSRL values 0-3 indicate that the risk is minor; therefore there is no primary need for security countermeasures. CSRL values 4-5 represent major risks, for which countermeasures should be applied. Finally, CSRL values 6-7 indicate critical risks, which should be minimized with the highest priority.

In the EVITA and RACE methods, a controllability factor C is added for the risk evaluation of attacks that cause safety losses (SS > 0). However, controllability is part of the safety risk analysis and the determination of the ASIL level, as described in Section III. Thus, instead of including controllability in the cybersecurity risk analysis, we integrate the cybersecurity and safety risk analysis processes. In this way, the controllability of attacks that cause safety losses is assessed using ISO 26262. See Section IV-B for more details.

Table V. CYBER SECURITY RISK LEVEL (CSRL).

Total Severity S  Automation Level L  Potential P
                                      0  1  2  3
1                 Low (1-2)           1  1  2  3
                  Medium (3)          1  2  3  4
                  High (4-5)          2  3  4  5
2                 Low (1-2)           2  2  3  4
                  Medium (3)          2  3  4  5
                  High (4-5)          3  4  5  6
3                 Low (1-2)           3  3  4  5
                  Medium (3)          3  4  5  6
                  High (4-5)          4  5  6  7

B. Integration of C-ITS security and safety risk analysis

The SAE J3061 standard [11] emphasizes that although automotive safety and cybersecurity analysis processes can be performed separately, they need to communicate with each other in order to maintain consistency and completeness between them.
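The risk scoring of Section IV-A (Tables II to V), chained with the ISO 26262 ASIL lookup (Table I) that Section IV-B hands to HARA for attacks causing safety losses, as an added Python example that is not the paper's code. The scenario values are constructed, and the assumption that HARA rates a hazard's severity equal to the attack's SS is the example's, not the paper's.

```python
"""Added worked example, not the paper's code: the C-ITS cybersecurity risk
scoring of Section IV-A (Tables II to V) chained with the ISO 26262 ASIL
lookup (Table I) that Section IV-B hands to HARA for attacks with SS > 0.
The scenarios at the bottom use constructed, illustrative values."""

# Table II: attack potential P from (knowledge K, required equipment R).
ATTACK_POTENTIAL = {
    (2, 2): 0,                                   # very low
    (2, 0): 1, (0, 2): 1, (1, 2): 1, (2, 1): 1,  # low
    (1, 1): 2, (0, 1): 2, (1, 0): 2,             # medium
    (0, 0): 3,                                   # high
}

# Table V: CSRL by total severity S (1..3), automation group, potential P (0..3).
CSRL_TABLE = {
    1: {"low": (1, 1, 2, 3), "medium": (1, 2, 3, 4), "high": (2, 3, 4, 5)},
    2: {"low": (2, 2, 3, 4), "medium": (2, 3, 4, 5), "high": (3, 4, 5, 6)},
    3: {"low": (3, 3, 4, 5), "medium": (3, 4, 5, 6), "high": (4, 5, 6, 7)},
}

# Table I: ASIL by severity S1..S3 and exposure E1..E4; entries ordered C0..C3.
ASIL_TABLE = {
    1: {1: "QM QM QM QM", 2: "QM QM QM QM", 3: "QM QM QM A", 4: "QM QM A B"},
    2: {1: "QM QM QM QM", 2: "QM QM QM A", 3: "QM QM A B", 4: "QM A B C"},
    3: {1: "QM QM QM A", 2: "QM QM A B", 3: "QM A B C", 4: "A B C D"},
}

# US2 grouping of SAE J3016 levels: low (1-2), medium (3), high (4-5).
AUTOMATION_GROUP = {1: "low", 2: "low", 3: "medium", 4: "high", 5: "high"}


def attack_potential(knowledge, equipment):
    """P from Table II; K and R each take the values 0, 1 or 2."""
    return ATTACK_POTENTIAL[(knowledge, equipment)]


def total_severity(ss, sp, sf, so, intensity):
    """S = SA + I truncated to 3, where SA is the highest per-type severity
    from Tables III and IV and I (0..2) is the attack intensity."""
    if any(v not in range(4) for v in (ss, sp, sf, so)):
        raise ValueError("severity components must be 0..3")
    if intensity not in range(3):
        raise ValueError("intensity must be 0..2")
    return min(3, max(ss, sp, sf, so) + intensity)


def csrl(severity, level, potential):
    """Cyber Security Risk Level from Table V. Table V has no row for S = 0,
    so an attack causing no loss of any type is scored 0 here (assumption)."""
    if severity == 0:
        return 0
    return CSRL_TABLE[severity][AUTOMATION_GROUP[level]][potential]


def csrl_class(value):
    """Section IV-A.4: 0-3 minor, 4-5 major, 6-7 critical."""
    if value <= 3:
        return "minor"
    return "major" if value <= 5 else "critical"


def asil(severity, exposure, controllability):
    """ASIL from Table I, as assigned by HARA to the hazard that the first
    communication link of Fig. 5 passes to the safety process."""
    return ASIL_TABLE[severity][exposure].split()[controllability]


def assess(knowledge, equipment, ss, sp, sf, so, intensity, level,
           exposure=None, controllability=None):
    """Chain the lookups for one attack scenario; when it causes safety
    losses (ss > 0) also return the ASIL the safety analyst would assign
    from exposure E and controllability C. Assumption: HARA rates the
    hazard severity equal to SS (both use a 1..3 injury scale)."""
    p = attack_potential(knowledge, equipment)
    sev = total_severity(ss, sp, sf, so, intensity)
    risk = csrl(sev, level, p)
    out = {"P": p, "S": sev, "CSRL": risk, "class": csrl_class(risk)}
    if ss > 0:
        if exposure is None or controllability is None:
            raise ValueError("safety losses need E and C from HARA")
        out["ASIL"] = asil(ss, exposure, controllability)
    return out


# Constructed scenarios (illustrative values, not taken from the paper).
SCENARIOS = {
    # status data falsified on V2X across many vehicles, level 4 AV
    "falsified status data": dict(knowledge=1, equipment=1, ss=2, sp=0,
                                  sf=1, so=2, intensity=1, level=4,
                                  exposure=3, controllability=2),
    # vehicle tracking by correlating exchanged anonymous data, level 2 AV
    "vehicle tracking": dict(knowledge=2, equipment=1, ss=0, sp=3, sf=0,
                             so=0, intensity=0, level=2),
}

if __name__ == "__main__":
    for name, params in SCENARIOS.items():
        print(name, assess(**params))
```

The first scenario scores CSRL 6 (critical) and hands an S2/E3/C2 hazard to HARA, which Table I rates ASIL A; the second causes no safety loss, so it stays entirely in the cybersecurity process at CSRL 3 (minor).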
It can be done via communication links between various phases of the safety and cybersecurity processes. One such link has to be established between the safety and cybersecurity risk analysis phases, since cybersecurity vulnerabilities may lead to the violation of safety goals. However, SAE J3061 [11] does not provide details on how to establish these links.

[Figure 5. Integration of C-ITS safety and cybersecurity risk analysis. Blocks shown: C-ITS safety risk analysis (ISO 26262), Hazard identification, Hazard risk analysis, Hazard ASIL levels, Safety requirements; C-ITS cybersecurity risk analysis (proposed), Threat identification, Threat risk analysis, Safety losses, Privacy losses, Financial losses, Operational losses, Attack CSRL levels, Security requirements; Integrated requirement analysis.]

We integrate the C-ITS safety and cybersecurity risk analysis processes as shown in Fig. 5. Both processes are performed in parallel, and there are two communication links between them:
• The first communication link is from the cybersecurity threat risk analysis step to the safety hazard identification step. This link is needed for the situations when an attack can cause safety losses SS, as described in Section IV-A. In such cases, the information about possible safety losses due to an attack is transferred to the safety analysis process, where hazards related to the attack are identified and analyzed, and their ASIL level is determined;
• The second communication link is between the safety and security requirements, which are defined based on the ASIL and CSRL levels. At the end of the safety and cybersecurity risk analysis phases, the safety and security analysts have to work together and review all the requirements to ensure their completeness and consistency.

The integrated C-ITS safety and security analysis process enables comprehensive analysis of C-ITS risks.

V. CONCLUSIONS

This paper presents a method for integrated C-ITS safety and cybersecurity risk analysis.
It takes into consideration the automotive safety and cybersecurity standards ISO 26262 and SAE J3061, and utilizes elements of the previously proposed methods US2, EVITA, TVRA, and …

1540-7993/19©2019IEEE. Copublished by the IEEE Computer and Reliability Societies. March/April 2019

ADOPTION DYNAMICS OF IoT PRODUCTS

Cyber risk for buyers is a major obstacle to broad adoption of the Internet of Things (IoT). Using a system dynamics approach, we conducted a case study of a connected lighting product to understand how cybersecurity influences IoT adoption.

The research in this article was conducted to better understand the mechanisms by which cybersecurity will influence IoT technology adoption. By focusing on innovation and marketing to power the growth of a product, there may be unintended consequences for security, such as leaving the product vulnerable to hacking. For developers, there is a strong tension between prioritizing product usability and product security, and their responses to the following questions about these new issues will shape the future marketplace. What standards will emerge for IoT products? How will they prove their security to the market? Will a few key players dominate the market, or will it remain highly fragmented with high firm entry and exit?

Despite the growing literature on cybersecurity, the direct mechanisms by which it may influence IoT adoption have not been studied. Given the IoT's unique vulnerabilities and relative infancy in the marketplace, it is unclear how a cyberincident could impact consumers' willingness to adopt it. Will IoT products experience the rapid "hockey stick" growth exhibited by tech companies such as Facebook? (See the green line in Figure 1.) On the other hand, could publicized cyberincidents hamper the growth of an IoT product to an extent that it never gets off the ground? (See the "Start-and-Fizzle" red dotted line in Figure 1.) Is the reality somewhere between these two extremes?
(See the "Still Successful" and "Partially Successful" red dotted lines in Figure 1.) Also, will growth occur for the market as a whole, or will a few dominant players emerge? If the latter occurs, will those players be mature companies or start-ups? An example of a cyberincident's effect on product sales is the "My Friend Cayla" doll. After a feature of the doll (voice transmission to a U.S.-based voice recognition company) was found to be vulnerable to independent and possibly malicious hackers, it received a "trash it" recommendation from the German telecommunication regulator [1].

We performed a case study of IoT product development for commercial building applications. Our subject was a connected lighting product at a large electronics company, which we analyzed using a system dynamics approach. This approach generates a framework that IT executives at supplier companies can use in strategic decision making to better understand what consequences—both intended and unintended—may arise from the choices they make during IoT product development. We refer to customer organizations as adopters and organizations that produce IoT products as suppliers.

The Internet of Things Promises New Benefits and Risks: A Systematic Analysis of Adoption Dynamics of IoT Products
Mohammad S. Jalali, Jessica P. Kaiser, Michael Siegel, and Stuart Madnick | Sloan School of Management, Massachusetts Institute of Technology
Digital Object Identifier 10.1109/MSEC.2018.2888780
Date of publication: 2 April 2019
Authorized licensed use limited to: Northcentral University. Downloaded on October 19,2021 at 13:55:53 UTC from IEEE Xplore. Restrictions apply.

Without this systematic perspective, supplier decision makers might focus on a component of the system (e.g., innovation) and optimize it locally to achieve suitable outcomes and grow in the market.
However, when feedback mechanisms from other components of the system are activated (e.g., cyber risks), the initially successful strategies may not only become ineffective but may actually damage their position in the marketplace. Therefore, it is essential to take a systematic approach by looking at the big picture and analyzing the components of the systems and their interconnections.

This article proceeds in two sections. In the first, we provide an overview of the concepts we explored in our case study and model. We begin with an overview of the IoT. We then explain the basics of diffusion models, particularly the risk–reward ratio, a concept that our research showed to greatly influence IoT technology purchase decisions. Next, we describe current cybersecurity standards for technology purchase decisions. In the second section, we enter the case study, describing the IoT product market studied and then the model derived from our research and its implications. Four cybersecurity-related guidelines that managers can use to influence the market adoption of IoT products are included in "Cybersecurity-Focused Guidelines for Robust and Resilient Market Adoption."

Overview of Concepts

Introduction to the IoT

"Connected systems are too big of an opportunity to miss because we have some jerks who are hacking into things."—Potential IoT adopter

The goal of the IoT is to translate the physical world into digital signals, ripe for the improvements promised by faster communication and better analytics. Although there is no universally agreed-upon definition of the IoT, most definitions describe systems that collect data from the physical world on devices that process information [2]. The Internet Society provides a good summary that explores the benefits and challenges of the IoT [2]. The digital processes are often intended to produce kinetic effects and rely heavily on networking with other external devices.
Declines in the cost of computing and simultaneous improvements in sensor performance and range make innovations possible. There is a range of settings for which the IoT might be deployed, ranging from the intimate (i.e., personal health data) to the massive (i.e., a connected system of street lights, parking meters, transit, and autonomous vehicles that could be used to collect useful municipality data and optimize the delivery of city services to citizens). The potential value generated by the IoT is estimated to be at least US$3.9 trillion and possibly up to US$11.1 trillion by 2025, with the higher estimate representing 11% of projected global gross domestic product in the same year.3

One of the greatest obstacles to broad market adoption of IoT technology is the buyers’ fear of cyber risk, both real and perceived. The Open Web Application Security Project4 described IoT technologies as having three unique weaknesses with regard to cybersecurity: a large number of endpoints, inconsistent protocols, and physical safety concerns. There are currently no mechanisms that could manage consistent endpoint security for a system that is so vast. Additionally, the diversity of standards across the IoT defrays the responsibility of any single actor in the technology chain for security. As of now, there are two commercially available certification programs for IoT security, one from Underwriter Laboratories and one from ICSA Labs, an independent division of Verizon (New York). Both were launched in 2016 and have been met with some skepticism, as noted in an article in The Register.5 Because the IoT represents a linked set of physical devices, it gives malicious actors the opportunity to move their criminal activities—previously confined to cyberspace—into the physical world.

[Figure 1. A range of product adoption curves in response to a cyberincident. Axes: Number of Adopters versus Time (Year), with markers for Product Introduction and Cyberincident; curves labelled Great Growth, No Impact of Cyberincident; Still Successful; Partially Successful; and Start and Fizzle. A better understanding of how a breach may affect product adoption can guide managers who are making security investment decisions early in a product’s development.]

These characteristics of IoT cybersecurity are not merely pedantic; they are being exploited. A large-scale, distributed denial-of-service (DDoS) attack that took place in 2016 exemplifies this exploitation. In the time leading up to the attack, AT&T tracked a 400% increase in scans of IoT ports and protocols.6 The attackers took advantage of mostly unaltered default passwords across a huge number of IoT devices to hobble the critical infrastructure of the Internet. Attacks like this have also been documented in private organizations, where a large quantity of nodes are used to overwhelm a network with traffic.

Finally, both individual and organizational adopters of the IoT have concerns about its security and privacy implications. The 2015 Icontrol State of the Smart Home study found that more than 40% of Americans were very concerned about the possibility that their information could be stolen from their smart homes.7 Furthermore, potential regulators in the Federal Trade Commission have noted that such concerns may prevent IoT technologies from reaching their full potential, although it is not clear how these concerns alter consumers’ purchases.8 In industries that have an increased exposure to technology, such as banking, defense, and health care, security concerns are heightened.
Basics of the Diffusion Model of Technology

One of the most influential adoption models in technology products is the Bass diffusion model. Our framework expands on this model by including the influence of additional market factors related to cybersecurity; however, understanding our new model requires a review of the original Bass diffusion model. Diffusion describes the process by which an innovation spreads and explains the typical S curve seen with product adoption. The S curve describes how the user base is small to start, then increases as adoption increases, and eventually approaches the limit of the potential market.

Cybersecurity-Focused Guidelines for Robust and Resilient Market Adoption

To increase their market size and keep their market resilient to cyberincidents, Internet of Things (IoT) product managers should consider these four guidelines, which we compiled with our case study partner and derived from our model.

1. Invest in cybersecurity capabilities from product design to sales to ongoing support: Cybersecurity expertise is required not only to build security products and processes, but also to explain them to customers. As cybersecurity becomes a top-of-mind concern for most customers, it will become more important to have cybersecurity experts at every customer touchpoint. These experts can address concerns, prevent and detect threats, and respond to incidents. Additionally, organizations must have a detailed incident-response plan with clear actions and owners. Make sure transferring ownership is a part of succession planning and conduct regular reviews of the response plan to ensure that it remains up to date.

2. Measure and monitor your product’s risk–reward ratio: The risk–reward ratio measures the benefits and risks of adopting a new technology, and can help developers to understand the potential impact of a cyberincident on market adoption. It can also guide investment decisions as you develop the product or its new features.
The risk–reward ratio of IoT products has a dynamic mechanism and changes over time, so be sure to measure and monitor it regularly.

3. Capture data at the granularity level that shows measurable benefits for customers, and no lower: The benefits of many IoT technologies cannot be fully realized without granular data capture and processing. If it is too granular, however, two things happen: 1) cyber-risk exposure increases considerably and 2) the product’s benefits become more difficult to understand and capture. In both cases, market adoption slows. When expanding into new market features and more granular data is required, partner with firms with strong analytic capabilities and data-protection practices for case studies that show measurable benefits.

4. Take responsibility for security along your technology supply chain, up to the last mile: If you choose to develop on a platform, choose a platform that has a reputation for strong security. If you develop your own platform, work with third-party companies to certify its safety. If creating hardware, buy it from manufacturers with certifications and reputations to uphold. Only allow customers to customize the final layer of the product to ensure that built-in protections cannot be overridden.

It has been observed in the diffusion of many diverse innovations, such as electricity, the washing machine, and most recently social media networks such as Facebook (shown with the green line in Figure 1). Vernardakis9 grounds the underlying Bass diffusion model on an understanding of the diffusion process as an epidemic. The innovation spreads through information exchange, and the time lags between potential users and installed users explain the observed S curve.
In addition to potential users and installed users, some entities (firms or individuals) learn about the innovation but do not adopt it. This suggests that there is an adoption process that includes the awareness, consideration, opinion formation, and implementation phases. A crucial variable in diffusion models is the speed of diffusion, which several factors affect. A critical factor that affects the speed of diffusion is what relative advantage the innovation provides. The relative advantage is the amount by which the innovation improves upon previous circumstances. The number of potential adopters is another such factor as a larger number creates more opportunities for sharing information about the innovation. The information channels and the supplier’s ability to affect these channels also are powerful forces affecting information transmission.

A feature of the Bass diffusion model is that it leads to “winner-take-most” scenarios because only an information exchange is needed to catalyze the innovation adoption process. Systems scientists have defined tipping point as the point at which adoption begins to grow so quickly that one supplier can become market dominant simply by riding a wave of rapid adoption. Standards play an important role in innovation diffusion because they demonstrate that a product is compliant, and compliance reduces the friction and delays that would otherwise present themselves during the opinion formation stage. Many supplier companies compete to become the standard in their industry and thus reach the tipping point. Krishnan et al.10 show that additional products entering an innovation marketplace late can increase the speed of diffusion, although the evidence is mixed with regard to how it impacts the incumbent’s market share. For start-ups, this is a powerful incentive to enter the marketplace as a small start-up can capture sales growth by accelerating the speed of diffusion for the overall technology.
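The diffusion dynamics described above, as an added example that is not part of the article: a discrete-time simulation of the standard Bass equation dn/dt = (p + q*n/m)*(m - n), with an optional cyberincident that removes part of the market potential, weakens word of mouth and may cause installed adopters to abandon the product. The coefficient values, the incident model and the outcome thresholds are my assumptions, chosen to reproduce the family of curves sketched in Figure 1.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class BassParams:
    m: float  # market potential: total number of potential adopters
    p: float  # coefficient of innovation (adoption driven by external information)
    q: float  # coefficient of imitation (adoption driven by word of mouth)


@dataclass(frozen=True)
class Incident:
    """Assumed model of a cyberincident's effect on adoption (not from the article)."""
    year: float    # year in which the incident becomes public
    m_loss: float  # fraction of the market potential lost (never below the installed base)
    q_loss: float  # fraction by which word-of-mouth strength drops
    churn: float   # annual fraction of installed adopters who abandon the product afterwards


def simulate_bass(params: BassParams, years: int,
                  incident: Optional[Incident] = None, dt: float = 0.1) -> List[float]:
    """Forward-Euler integration of dn/dt = (p + q*n/m)*(m - n) - churn*n.

    Returns cumulative adopters at the end of each year; index 0 is product introduction.
    """
    m, p, q = params.m, params.p, params.q
    churn = 0.0
    n = 0.0
    per_year = int(round(1.0 / dt))
    series = [0.0]
    for step in range(1, years * per_year + 1):
        if incident is not None and step == int(round(incident.year * per_year)):
            # The incident shrinks the addressable market, weakens word of mouth
            # and may start a stream of abandonments from the installed base.
            m = max(n, m * (1.0 - incident.m_loss))
            q *= 1.0 - incident.q_loss
            churn = incident.churn
        remaining = max(m - n, 0.0)
        rate = (p + q * n / m) * remaining - churn * n
        n = min(max(n + rate * dt, 0.0), m)
        if step % per_year == 0:
            series.append(n)
    return series


def classify_outcome(shocked: List[float], baseline: List[float]) -> str:
    """Map a simulated curve onto the labels used in Figure 1 (thresholds are assumptions)."""
    final, peak = shocked[-1], max(shocked)
    if final < 0.8 * peak:
        return "Start and Fizzle"          # the installed base shrank after the incident
    ratio = final / baseline[-1]           # share of the undisturbed market retained
    if ratio >= 0.9:
        return "Great Growth; No Impact of Cyberincident"
    if ratio >= 0.5:
        return "Still Successful"
    if ratio >= 0.2:
        return "Partially Successful"
    return "Start and Fizzle"


if __name__ == "__main__":
    params = BassParams(m=1000, p=0.03, q=0.38)  # assumed coefficients for a toy market
    baseline = simulate_bass(params, years=15)
    scenarios = {
        "no incident": None,
        "well-handled incident": Incident(year=5, m_loss=0.3, q_loss=0.5, churn=0.0),
        "poorly handled incident": Incident(year=5, m_loss=0.6, q_loss=0.7, churn=0.0),
        "unmitigated incident": Incident(year=5, m_loss=0.9, q_loss=0.9, churn=0.3),
    }
    for label, incident in scenarios.items():
        curve = simulate_bass(params, years=15, incident=incident)
        print(f"{label:24s} adopters at year 15: {curve[-1]:7.1f}  ->  "
              f"{classify_outcome(curve, baseline)}")
```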
For both mature companies and start-ups, this presents a conundrum in regard to developing standards. It might be better to achieve immediate revenue by adopting another company’s standard and reducing decision friction for customers. However, if a firm can create its own standards, it might be able to prevent other firms from entering the marketplace and thus reduce competitors’ market share.

The Risk–Reward Ratio: The IoT’s Relative Advantage to the Status Quo

“[Cybersecurity] is more a concern for late-majority adopters.” —Product manager

Within the context of IoT technologies, a product gains an advantage if connecting an object to a network improves the adopter’s operations. The data that IoT devices produce is often what creates the relative advantage. In our research, we call this the risk–reward ratio, noting that as the granularity and utility of data produced by an IoT product increase, security and privacy risks increase as well. With many firms eager to capitalize on data, a cursory glance may suggest that an IoT product’s relative advantage would be enormous because some data must be better than no data. However, not every IoT product is adopted as quickly as expected. Although many individuals are installing connected thermostats, few are connecting their microwaves, and connecting stove knobs is unheard of despite the benefit that acquiring cooking data could bring. As we will explore, in the case of commercial building operators, businesses have adopted connected heating, ventilation, and air-conditioning (HVAC) systems more quickly than they have adopted connected lighting, despite the cost-savings benefits across both products. Therefore, it must be the case that there are drawbacks to an IoT product, decreasing its relative advantage. These are just two examples of IoT products in building technologies. Other examples could be in plumbing or in physical security.
Connecting these infrastructures can provide multiple benefits, most frequently the central control and visibility that allow building managers to manage their use and maintenance more efficiently. We will discuss more benefits for connected lighting systems (CLS) in particular over the course of this article. We summarize the effects of the risk–reward ratio on adoption in Figure 2 and discuss this framework more in our case study in the “Adoption of Connected Lighting Systems” section.

[Figure 2. The adoption of the IoT based on risk and reward. Quadrants of a risk versus reward grid:
High Risk, Low Reward: No Adoption
High Risk, High Reward: Variable Adoption Affected by Cyberincidents
Low Risk, High Reward: High Adoption
Low Risk, Low Reward: Low Adoption]

Cybersecurity Standards in Technology Adoption Decisions

It is valuable to review how practitioners assess the security risk in technology when making purchasing decisions. However, because cybersecurity as a discipline is evolving rapidly, practitioners have not yet arrived at consistent, universal standards for evaluating cybersecurity risks. The National Institute of Standards and Technology (NIST) Cybersecurity Framework, born out of a 2013 Executive Order and now in Draft Version 1.1, is the leading framework that has emerged. It provides high-level direction on steps that organizations should take to improve cybersecurity iteratively, steps that an organization would use to adopt a new technology. They roughly align with the adoption process that we discussed in the “Basics of the Diffusion Model of Technology” section. One critique by IoT adopters is that no standards currently define the market. Suppliers, however, have a mixed perspective.
Although the lack of standards is a possible strategic advantage, particularly for start-ups because it is easier to enter the market, the lack of standards also makes it difficult to articulate to adopters how to manage cyber risk. The NIST framework is technology neutral precisely because no standards yet exist. The government has been ineffective in creating and enforcing standards for the technology industry, leaving it instead to private players. Taken together, these facts suggest that we are early in the adoption process of the IoT, before the winner-take-most effect takes hold in the marketplace. The current market presents a potentially lucrative opportunity for IoT suppliers, start-ups, and incumbents alike.

Adoption of Connected Lighting Systems

Case Study Approach to Effects of Cybersecurity on CLS Adoption

“Right now, [customers] can’t see the reward [of IoT]. We can’t install products. We can’t show the benefits because we don’t meet their cybersecurity requirements.” —Sales representative

Although there is research on cybersecurity, the IoT, and technology adoption individually, research that articulates how each contributes to overall market adoption is lacking. In this article, we approach cybersecurity and IoT adoption from a systems science perspective. We interviewed practitioners from the security, product, marketing, and sales departments of a large electronics company that produces an IoT lighting product. We also interviewed potential adopters and experts in the industry. From these interviews, we describe the benefits and risks associated with the IoT lighting product and a connected HVAC product that is closely associated with lighting. Based on their articulation and a comparison of the risk–reward ratios for both products, we use their responses to adjust the typical Bass diffusion model to include cybersecurity-related variables.
Next, we use this model to articulate implications that reflect what impact cyberincidents may have on an IoT product market. Finally, we encourage managers to adopt IoT products by using these implications to outline four cybersecurity-related guidelines.

CLS: Product Benefits

“People are clear on the rhetoric of IoT, but not what value it delivers.” —Manager for lighting products

CLS are one of a few building infrastructures that can be transitioned to the IoT because: 1) they are a point of frequent interaction for building occupants; 2) there is a large number of nodes, and light bulbs are good candidates for granular data collection; and 3) there is an opportunity for personalization as lighting preference is highly individualized. Connecting lighting systems to a network can provide both local and central control, making it easier to provide personalization and energy savings simultaneously.

Lighting systems have already benefitted from innovations that have recouped significant cost savings, without transitioning them to an IoT product. Two examples are occupancy sensors and LED light bulbs. Occupancy sensors turn lights on and off only when they are needed, without end-user intervention, and LED light bulbs require little maintenance.

When describing the benefits of CLS, interviewees used the “US$3–US$30–US$300 rule” to describe the value opportunity of CLS. No external source was found to validate this rule. Connecting lighting alone represents an energy-efficiency cost-savings opportunity of only US$3 per square foot per year, but space optimization represents US$30 and employee productivity represents an additional US$300 per square foot per year cost-savings opportunity. This rule is derived from ex post facto analysis and has not been verified empirically. Connected light bulbs can detect that a company uses a conference room only 20% of the time while employees use desks outside the conference room 100% of the time.
These data could signal that the space is underoccupied and that they could use the conference room space more efficiently. Also, consider an office building that has an “open desk” policy, in which employees are not assigned to desks and can use any open space. Motion sensors on light bulbs can detect which desks employees are using, allowing IT systems to direct employees to an available desk when they enter the building. Practitioners believe that occupancy data and space-saving systems such as these represent a US$30 per square foot per year cost-saving opportunity.

The ultimate goal of CLS for commercial applications lies in collecting data about productivity that occurs under the light bulbs. Practitioners note that lighting has a strong physiological and psychological effect on workers, so a CLS could adjust the hues and saturation of light to create a personalized environment to complement an employee’s work style and thus generate additional productivity for a firm. If implemented correctly, interviewees believe that this application represents an enormous cost-savings opportunity of US$300 per square foot per year.

For home rather than business adopters, the US$3–US$30–US$300 rule is believed to apply directionally. However, adopters are unlikely to attempt to justify their purchase by quantifying the benefits without the resources of a larger organization. Instead, the product’s relative advantage depends on how important customizing lighting hues and saturation in a home environment is to a customer. Given the lack of case studies or empirical data supporting the rule, the underlying theory has not been proven and makes the relative advantage of CLS confusing to both home and business adopters.
The confusion regarding the benefits of CLS is in contrast to connected HVAC systems, another building system that has been connected to the IoT. When compared with HVAC systems, which represent about 44% of energy costs in commercial buildings, lighting systems represent only about 10% of a building’s energy costs.12 Because HVAC systems contribute such a large portion of a building’s energy bill, and components such as chillers are more expensive to maintain proactively, connecting HVAC systems to the IoT presents immediate and easily quantifiable benefits to the adopter. Interviewees felt that the rewards of connected HVAC systems are easy to measure. This means that the relative advantage is more apparent to adopters than the relative advantage of CLS. However, they felt that CLS offered potentially higher rewards that were simply more difficult to quantify.

Potential Cyber Risks of CLS

“It’s so complicated that to minimize the risk, we just don’t network the lighting system… it’s slowed us and the market.” —Director of infrastructure operations responsible for over 150 networked buildings

When describing the features of CLS most often considered prior to adoption, an important yet confusing aspect is its “cybersecurity” component. Interestingly, only one feature of CLS presents a cyber risk that is unique to lighting, yet interviewees are more concerned about the cyber-risk exposure of CLS than about the cyber-risk exposure of HVAC. (See Table 1 for a list of features and their achievements across CLS.) We propose four possible explanations for this discrepancy.

1. CLS has orders of magnitude more nodes than HVAC (e.g., multiple light bulbs in a room versus one control panel on a floor), which makes it more difficult to manage endpoint security.

2. The cost of a single point of failure or overload for CLS is much lower than for other building systems (e.g., less than US$100 for a light bulb, versus thousands of dollars for a chiller).

3. Potential adopters did not have the internal analytic capabilities, including sufficient data security and privacy protection, to leverage the space optimization and productivity benefits of CLS.

4. The product and its associated service do not meet the cybersecurity standards of the adopting organization.

Table 1. Feature-exploit analysis of connected building infrastructure (e.g., CLS and HVAC).

Feature: Personalization (e.g., color or temperature control)
  Value: Greater occupant satisfaction and productivity
  Exploit: Ability to create annoyance, harassment, or physical discomfort; ability to overload output for physical damage

Feature: Wireless control system
  Value: Insight into energy, occupant utilization, and component use; integration to improve efficiency and occupant satisfaction
  Exploit: Ability to access core IT for espionage or use in illegal activities; packet sniffing, replay, trashcan, social engineering, and others

Feature: Central and local control
  Value: Balance between energy use and occupant comfort; greater ease of use
  Exploit: Potential for DDoS attacks through nodes; opportunity to sabotage or interfere with operations through ransomware

Feature: Occupancy sensor
  Value: Greater ease of use; space optimization; coordinated responses; energy efficiency
  Exploit: Passive surveillance; maximization of damage during kinetic attacks; minimized risk of being caught (e.g., burglary)

Feature: Power over Ethernet
  Value: Lower installation costs; energy reporting
  Exploit: Potentially easier to disrupt; limited security literature

Note: Only the power over Ethernet is unique to CLS.

In connected building infrastructures, it …

Risk Analysis, Vol. 39, No. 9, 2019. DOI: 10.1111/risa.13269

A Robust Approach for Mitigating Risks in Cyber Supply Chains
Kaiyue Zheng1 and Laura A.
Albert2,∗

1 Amazon, Seattle, WA, USA.
2 University of Wisconsin–Madison, Madison, WI, USA.
∗ Address correspondence to Laura A. Albert, Industrial and Systems Engineering, University of Wisconsin–Madison, Madison, WI 53706, USA; tel: +1-1-608-262-3002; [email protected]

In recent years, there have been growing concerns regarding risks in federal information technology (IT) supply chains in the United States that protect cyber infrastructure. A critical need faced by decisionmakers is to prioritize investment in security mitigations to maximally reduce risks in IT supply chains. We extend existing stochastic expected budgeted maximum multiple coverage models that identify “good” solutions on average that may be unacceptable in certain circumstances. We propose three alternative models that consider different robustness methods that hedge against worst-case risks, including models that maximize the worst-case coverage, minimize the worst-case regret, and maximize the average coverage in the (1 − α) worst cases (conditional value at risk). We illustrate the solutions to the robust methods with a case study and discuss the insights their solutions provide into mitigation selection compared to an expected-value maximizer. Our study provides valuable tools and insights for decisionmakers with different risk attitudes to manage cybersecurity risks under uncertainty.

KEY WORDS: Cybersecurity; infrastructure risk mitigation; robust optimization

1. INTRODUCTION

Reliance on a global supply chain introduces enormous cybersecurity risks to the information technology (IT) in the United States, including risks due to counterfeit materials, malicious software, unqualified vendors, and poorly trained employees. Cybersecurity risks in the federal IT supply chains have increased dramatically in recent years (Director of National Intelligence, 2015; U.S. Government Accountability Office, 2013). According to a 2015 Government Accountability Office report (2015), the number of reported cyber incidents has increased 1,121% between 2006 and 2014. The White House (2013a, 2013b) proposed new policy directives for securing critical IT physical assets that reflect the awareness of the increasing concern of cyber security in critical infrastructure and for directing federal funding to develop mitigation approaches for global supply chain risk management (2015). There is great interest in studying how to prioritize the investment in security mitigations to balance cost and threat reduction, since federal agencies have a limited budget for selecting and deploying mitigations (Hamlet et al., 2015). Moreover, cyber risks stem from various sources, vary in their forms, and vary in their severity of impact, which makes these risks very difficult to assess and analyze (Edwards, Kao, Hamlet, Bailon, & Liptak, 2016). Effort has been made toward assessing the risks in federal IT supply chains (Hamlet et al., 2015; The White House, 2016). However, comprehensive security policies and mitigations have not been developed and implemented (U.S. Government Accountability Office, 2015). Therefore, there is a need to identify policies that systematically design cost-effective processes for reducing the risk introduced by supply chains.

0272-4332/19/0100-2076$22.00/1 © 2019 Society for Risk Analysis. https://orcid.org/0000-0001-7079-4473

Federal organizations’ IT infrastructure rely on a complex network of third-party suppliers, and some attacks against IT networks originate in supply chains. Adversarial attacks in IT supply chains target weak links in the supply network, including activities involved in handling, distributing, manufacturing, and processing.
For example, as one of the largest data breaches in the private sector, more than 40 million Target customers’ payment cards were stolen in 2013 after malware was introduced into the retailer’s point of sale (POS) system. The initial intrusion to Target’s main system can be traced back to a third-party heating, ventilation, and air conditioning (HVAC) vendor (supplier), where attackers exploited a vulnerability in its remote diagnostics and stole network credentials (Krebs, 2014). It is believed that another large retailer, Home Depot, which experienced credit card breaches in 2014, traced its initial security breach to a third-party vendor (Kirk, 2014). Automated teller machine (ATM) malware attacks in recent years are another example of a supply chain attack. In 2014, the so-called Tyupkin malware affected ATMs from a major manufacturer running Microsoft Windows’ 32-bit operating system, and spread to several countries including Russia, the United States, India, and China (Kaspersky Lab, 2014).

Federal IT infrastructure faces similar risks brought by the globalization and increasing sophistication of supply chains. Public information regarding federal supply chain attacks is limited due to confidentiality. One published incident is the data breach of the U.S. Office of Personnel Management (OPM) in 2015, when over 22 million federal employees’ information was hacked. Investigation shows that the attackers likely exploited the vulnerability in a third-party background-check provider, KeyPoint Government Solutions, by stealing credentials and inserting malware.

To reduce cyber risks in the supply chain, decisionmakers need to design a cost-effective process to support supply chain risk management to systematically prevent IT infrastructure from being exposed to new risks. This process supports policy-level decisions for reducing risk across the supply chain life cycle, not merely acquisition decisions.
Examples of IT supply chain mitigations include replacing physical components of the IT infrastructure that contain vulnerabilities, replacing malicious or unqualified vendors, requiring tamper-proof components, establishing security policies or procedures, and training employees. The National Institute of Standards and Technology (NIST) provides guidance to federal agencies for identifying, assessing, and implementing risk management processes and controls to proactively manage supply chain risks (2015). This article explores how to operationalize these recommendations by formulating models that identify a set of security controls that are cost effective, reduce risk, and are robust to uncertainty or the role of adaptive adversaries. These security controls form the basis of a secure process to inform best practices. The process design decisions studied in this article are updated periodically, such as yearly, and are separate from response and recovery decisions, such as installing software updates to patch known software vulnerabilities, and real-time intrusion-detection decisions.

This article builds upon initial work in this area by Zheng, Albert, Luedtke, and Towle (2018), who propose deterministic and stochastic budgeted maximum multiple coverage models (MaxCoverage and MaxExpCoverage, respectively) that investigate how to identify the best combination of mitigations to maximize the coverage of vulnerabilities in the system with a layered defense. These models generalize the maximal covering location problem (Church & ReVelle, 1974) and the maximal expected coverage location problem (Daskin, 1983) by explicitly considering the steps taken to carry out a complete attack on system vulnerabilities. Accordingly, they model attacks as “attack paths,” each of which contains multiple nodes that represent the vulnerabilities (exploits) required to successfully carry out an attack.
Attack paths are used to characterize the possible attacks against a system and identify protections against such attacks (Mauw & Oostdijk, 2006). An attack path could capture the threat of hardware delivered with malware installed on it after the hardware is intercepted from legitimate suppliers. Two of the possible vulnerability nodes on this attack path could represent stealing the hardware’s shipping information and breaching a cargo container shipping the hardware. Mitigations that prevent a vulnerability from being exploited are said to “cover” the vulnerability. Mitigations sometimes have overlapping capabilities and mutually affect the same vulnerabilities. Additionally, some mitigations do not prevent a vulnerability as expected and may “fail,” which occurs because cyber threats have evolved or subject matter experts (SMEs) do not manage to accurately assess the effectiveness of the mitigations (Edwards et al., 2016).

In the expected-value stochastic model (MaxExpCoverage), random variables characterize two states of the mitigation coverage, effective or ineffective. Zheng et al. (2018) show that the stochastic solution tends to select mitigations that cover vulnerabilities multiple times, so that they are likely to remain covered in the case when some mitigations are not effective as anticipated. By maximizing the expected coverage over all scenarios, MaxExpCoverage provides a solution that performs well on average, i.e., a solution that is satisfactory in most scenarios when uncertainty regarding mitigation effectiveness arises. However, an expected-value model like MaxExpCoverage does not always provide solutions that prepare the system against worst-case scenarios. It is possible that a combination of mitigations could not prevent vulnerabilities as intended and leaves the system unacceptably vulnerable to a serious attack.
As a result, expected-value solutions might lead to actual situations that are unacceptable for decisionmakers. To address these limitations, we introduce and compare three robust models that extend MaxExpCoverage to capture risk associated with uncertain mitigation performance. A mitigation “fails” if it is ineffective and does not in actuality cover the vulnerability node. We model the effectiveness of a mitigation covering a vulnerability node as a binary random variable that is only known to the decisionmaker through a probability mass distribution with a finite probability space or a finite set of scenarios. Therefore, the mitigation uncertainty is considered through the coverage functions. The goal is to compare and contrast risk-based models for cyber security planning in their ability to identify robust ways to prioritize the selection of mitigations. The models inform decisions regarding how to use a budget to select a portfolio of mitigations that is robust to worst-case failures over uncertainties in the performance of the mitigations.

First, we consider two of the most common robustness measures in a maximization context: maximizing the minimal coverage across all scenarios, and minimizing the maximal regret across all scenarios. Both measures are robust in that they are “distribution-free” and focus only on the worst-case performance of the system regardless of the probability distribution that represents the uncertainty. Regret is defined for each scenario as the difference between the coverage of a solution in that scenario and the coverage of the optimal solution for that single scenario. This involves presolving the problem for each individual scenario to obtain a corresponding optimal solution, which can be seen as the best strategy that would have been selected if this realization of the future occurred. Therefore, regret is often interpreted as the opportunity loss for an uncertain future.
Moreover, we are interested in the conditional value at risk (CVaR), a popular risk measure in stochastic programming (Ahmed, 2006). CVaR is defined as the expected loss in the α worst-case tail of the loss distribution, initially proposed to quantify the risk for loss in finance (Rockafellar & Uryasev, 2000, 2002). CVaR is coherent and computationally tractable through linear programming techniques. In our context, CVaR is the expected coverage in the (1 − α) worst-case scenarios. Compared to max-min coverage and min-max regret, the quantile-based CVaR measure is less pessimistic, since it provides solutions that are robust to the worst cases and also captures the magnitude of the coverage in the worst cases. Unlike maximizing the minimal coverage and minimizing the maximal regret, CVaR is not distribution-free. By varying the confidence level α, the decisionmaker can select a solution corresponding to different risk preferences, with α = 1 being totally risk conservative and α = 0 being totally risk neutral.

1.1. Literature Review

Robust optimization methodologies provide a useful analytical framework for homeland security applications given their practical advantages. Robust methods typically require as input a set of realizations of the uncertain parameters, not an explicit probability distribution as in stochastic optimization and, therefore, robust methods have a clear advantage in homeland security applications where many of the model inputs rely on the estimation from the SMEs who have limited knowledge of the problem, its inputs, and associated probability distributions. Robust optimization has been a powerful and popular tool for decision making in different areas, such as supply chain disruption planning (Snyder, Scaparra, Daskin, & Church, 2006) and adversarial risk analysis (McLay, Rothschild, & Guikema, 2012).
We refer to Bertsimas, Brown, and Caramanis (2010) for a recent review on robust optimization that highlights its computational tractability and broad range of application, and Ben-Tal, Ghaoui, and Nemirovski (2009) for a textbook treatment. We include CVaR in our robust method framework, since it also provides risk insights for a robust decisionmaker who wants to maximize the performance for a set of worst-case scenarios.

A Robust Approach for Mitigating Risks in Cyber Supply Chains 2079

Unlike robust optimization, CVaR requires an estimation of probability distributions. Chen, Daskin, Shen, and Uryasev (2006) apply CVaR to a facility location problem where they compare the model and its computational efficiency to earlier models that feature an α-reliable min-max regret model (Daskin, Hesse, & ReVelle, 1997) and demonstrate the advantage of CVaR. Noyan (2012) incorporates CVaR in a two-stage stochastic disaster preparedness management problem, where a weighted sum of expected value and CVaR is optimized to determine the facility locations, and their corresponding inventory levels are determined under different types of uncertainties. Our study similarly demonstrates the applicability of CVaR in robust decision making.

Robust optimization methods have been applied to coverage problems. Church, Scaparra, and Middleton (2004) propose and formulate an interdiction covering problem (RIC) and interdiction median problem (RIM) that identify the most critical facilities whose loss leads to the most damage to the system. The facilities are analogous to mitigations in our article. Scaparra and Church (2008a, 2008b) extend the interdiction median problem to consider a fortification layer that identifies the subset of facilities to fortify to protect against worst-case interdiction of the unfortified facilities.
They formulate the interdiction-fortification model as a bi-level defender–attacker Stackelberg game and identify a tree search algorithm (2008a) and an interval search algorithm (2008b) for solving the interdiction model. Scaparra and Church (2012) introduce a tri-level fortification and interdiction problem to inform disaster mitigation planning. The interdiction papers study a system’s vulnerability due to the worst-case combination of failures, which could occur due to the actions of an adversary. In contrast, in this article, we consider mitigation failure scenarios that could reflect uncertainty in the mitigations’ effectiveness due to SME estimation errors, SME misperceptions of the mitigations’ level of control, or the decision of an adversary who selects a scenario instead of a combination of mitigation failures.

1.2. Contribution

The central contribution of this article is to introduce and assess models for managing risk associated with cyber security planning decisions. These models apply robust coverage models to a new application area to inform supply chain risk management and planning decisions that are cost effective and reduce worst-case risks introduced by adversaries. We compare three robust models that address uncertainty in mitigation effectiveness that together form a risk analysis framework for a robust decisionmaker, and we compare these models to an expected coverage model. The robust methods are more conservative to worst-case risks than an expected-value maximization model, and thereby provide insight into planning for the risks introduced by adversarial attacks or disastrous events, which is important in security applications like cyber security, where incidents often lead to tremendous loss and damage. The robust optimization models provide insight into a defensive stance against adversarial attacks by assuming the adversary (e.g., hackers, criminal groups, nations, terrorists, etc.)
is limited to select the worst-case attack scenario(s). Earlier research that applies expected coverage models to cyber security planning problems does not consider the impact of an adaptive adversary. Decisionmakers can gain practical insights quickly from the robust methods without the need to quantify the adversarial attacks in cyber infrastructure, which can be very challenging given lack of information (e.g., attacker profiles), or solve two-stage interdiction models (Morton, 2010; Smith, Prince, & Geunes, 2013; Scaparra & Church, 2008b), which can be computationally intensive.

Each robust method provides a different perspective into interpreting the worst-case response, which can be employed by decisionmakers to evaluate the tradeoffs and select the solution that best suits their goals. The robust model solutions provide decisionmakers with a set of solutions, which is often more useful in practice than a single “best” solution. The first two worst-case robust methods, i.e., maximizing the worst coverage and minimizing the worst regret, do not require an explicit distribution of the uncertain parameters, which makes them practical for homeland security problems. However, their solutions are sensitive to the uncertainty scenarios selected. The third robust method, maximizing the expected coverage in the (1 − α) worst cases, can be seen as a combination of the worst-case risk measure and the expected-value measure. It allows decisionmakers the flexibility to obtain a solution with their desired risk preference by adjusting α. Moreover, the solutions are less sensitive to the uncertainty scenarios selected, particularly for relatively small values of α. This is advantageous in that it yields model solutions that are useful for informing policy decisions.

We proceed as follows. In Section 2, we first describe the MaxExpCoverage model in Zheng et al.
(2018) and introduce the robust coverage models that maximize the worst-case coverage, minimize the worst-case regret, and maximize the expected coverage in the (1 − α) worst case, respectively. In Section 3, we illustrate the model solutions and insights with a case study. We provide additional computational results conducted on a variety of instances to further demonstrate the differences between proposed models and provide insight into the types of solutions the models could yield in different settings. In Section 4, we summarize the article.

2. THE ROBUST COVERAGE MODELS

In this section, we introduce and compare the following four models:
1. a model that maximizes the expected coverage across all scenarios, denoted MaxExpCoverage;
2. a model that maximizes the worst-case coverage across all scenarios, denoted MaxMinCoverage;
3. a model that minimizes the maximal regret across all scenarios, denoted MinMaxRegret;
4. a model that maximizes the conditional expected coverage that does not exceed a prespecified quantile level in the coverage (CVaR), denoted MaxCVaR.

Attack scenario modeling is an important first step in cyber security planning. In classic network vulnerability analysis, SMEs construct attack trees or attack graphs (Mauw & Oostdijk, 2006; Schneier, 1999) to characterize possible attacks and to identify security controls to reduce risk. In the attack trees, nodes represent attack states and arcs represent transition of states completed by attack exploits. A path from root to leaf corresponds to a likely attack against the system. An attack tree is a powerful tool to organize vulnerabilities in a system and to visualize their dependencies. Attacks on IT supply chains can be constructed in a similar manner, which also corresponds to the recommendations of NIST (2015) for a more structured approach to represent supply chain threat scenarios.
It is worth mentioning that an extension of attack trees with countermeasures, called the attack–defense trees, has been proposed and formalized (Kordy, Mauw, Radomirović, & Schweitzer, 2011). Kordy and Widel (2017) integrate attack–defense trees with integer programming to optimize the selection of countermeasures for securing a system. Cyber attackers exploit vulnerabilities in IT supply chains and usually take several exploits to achieve attack goals. In this article, we use attack paths to represent supply chain attacks with multiple nodes on each of them representing the attack steps (exploits). Attack paths can be easily enumerated from an attack tree. Input from collaborators suggests that the size of attack trees for this application is anticipated to be moderate, since there are limited opportunities or access points for influence and control in the supply chains under consideration.

Let $S$ be a set of attack paths recognized by SMEs, each of which contains a subset of vulnerability nodes $N_s$, $s \in S$, with $\bigcup_{s \in S} N_s = N$ the entire set of nodes. Some attack paths may have more strategic importance due to their potential consequences if successful and, therefore, we let $a_s$ capture the importance (weight) of attack path $s \in S$. Let $M$ be the set of applicable mitigations identified by SMEs, and $M_n$ be the subset of mitigations that cover node $n \in N$. A vulnerability node is said to be protected if it is covered by at least one mitigation. A layered defense is achieved through multiple coverage of an attack path, i.e., covering different nodes in an attack path. We define a general coverage function $f_s(\cdot)$ to quantify the coverage of attack path $s \in S$ with respect to the number of nodes covered on it. We assume that it is nondecreasing and concave, since better security is achieved when more nodes are covered and the marginal benefit from covering more nodes is decreasing.
Additionally, we associate each mitigation $m \in M$ with a cost $b_m$ that captures its deployment and implementation. Let the total budget for selecting mitigations be $B$.

Inputs for the models are based on SME elicitation. The attack paths can be constructed with the aid of SMEs, which yields $N$, $S$, $N_s$, $s \in S$, and $a_s$, $s \in S$. Similarly, the mitigations that control each node, $M_n$, $n \in N$, can be obtained through SME elicitation. Coverage functions are desirable for this application, since they reduce the SME data elicitation burden while also capturing the most salient aspects of the application. Coverage functions could be constructed from relative risk scores based on data collected from stakeholders and SMEs via questionnaires, where the data reflect risk indicators such as control, exposure, and criticality (Edwards et al., 2016). A coverage function could be constructed from the data by examining how an improvement in any risk indicator over a base level, which could be achieved by a mitigation “covering” a node, would decrease the relative risk score by, say, increased control over an entity or step. Additionally, the risk scores are relative scores and could therefore be mapped onto a coverage level scaled between 0 and 1. The set of mitigations $M$, their costs $b_m$, $m \in M$, and total budget $B$ can be obtained from federal decisionmakers, managers, and experts who are familiar with the mitigation options available and have estimates of their associated costs.

Mitigation coverage may “fail”—meaning that coverage is not realized—due to uncertain mitigation coverage or limited knowledge SMEs have about their effectiveness. We consider a finite set $\Omega$ of realizations (scenarios) of mitigation effectiveness, where the corresponding random variable $\xi^{\omega}_{mn}$ is equal to 1 if the coverage of $m \in M$ on node $n \in N$ is effective in scenario $\omega$, and 0 otherwise.
We assume that each scenario $\omega \in \Omega$ occurs with probability $p_\omega \in [0, 1]$, with $\sum_{\omega \in \Omega} p_\omega = 1$. Information collected by SMEs can be used to construct a set of realizations of mitigation effectiveness $\xi^{\omega}_{mn}$, $\omega \in \Omega$, and their associated probabilities $p_\omega \in [0, 1]$, $\omega \in \Omega$, with $\sum_{\omega \in \Omega} p_\omega = 1$, potentially by sampling.

All models use a common set of decision variables, which are defined as follows:
- $x_m = 1$ if mitigation $m \in M$ is chosen, and 0 otherwise;
- $z^{\omega}_n = 1$ if node $n \in N$ is covered by at least one selected mitigation under scenario $\omega \in \Omega$, and 0 otherwise;
- $y^{\omega}_s$ = the number of nodes in attack path $s \in S$ that are covered under scenario $\omega \in \Omega$.

The expected coverage maximization model, MaxExpCoverage, which corresponds to the SAA-EBMMC model in Zheng et al. (2018), is formulated below.

MaxExpCoverage:

$$\max \sum_{\omega \in \Omega} p_\omega \sum_{s \in S} a_s f_s(y^{\omega}_s) \quad (1)$$

$$\text{s.t.} \quad y^{\omega}_s \le \sum_{n \in N_s} z^{\omega}_n, \quad s \in S,\ \omega \in \Omega, \quad (2)$$

$$z^{\omega}_n \le \sum_{m \in M_n} \xi^{\omega}_{mn} x_m, \quad n \in N,\ \omega \in \Omega, \quad (3)$$

$$\sum_{m \in M} b_m x_m \le B, \quad (4)$$

$$x_m \in \{0, 1\}, \quad m \in M, \quad (5)$$

$$z^{\omega}_n \in \{0, 1\}, \quad n \in N,\ \omega \in \Omega. \quad (6)$$

The objective function in (1) is the expected value of the total coverage of all attack paths across all scenarios. This nonlinear function can be easily linearized by adding new variables and constraints; see Zheng et al. (2018) for details. Constraint set (2) sets the value of $y^{\omega}_s$, the number of nodes covered in attack path $s \in S$ in scenario $\omega \in \Omega$, and constraint set (3) states that node $n \in N$ is covered in scenario $\omega \in \Omega$ (i.e., $z^{\omega}_n = 1$) if there exists at least one selected mitigation that covers it. Constraint (4) is the budget constraint. Constraint sets (5) and (6) require the $x$ and $z$ variables to be binary.

MaxExpCoverage returns a solution that performs well on average. However, its actual performance could be unacceptable to decisionmakers for some realizations of $\xi$ if it yields extremely low coverage in a few scenarios to achieve a better expected coverage across all scenarios.
Therefore, we are motivated to identify robust solutions that avoid worst-case performance. The following robust models address the uncertainty from different perspectives and identify solutions that plan for different risk situations.

In the first robust model, we aim to identify a solution that has the best worst-case performance across all scenarios. Denote variable $u$ as the minimal coverage across all scenarios. We present the following model, MaxMinCoverage, that maximizes the worst-case coverage.

MaxMinCoverage:

$$\max\ u \quad (7)$$

$$\text{s.t.} \quad u \le \sum_{s \in S} a_s f_s(y^{\omega}_s), \quad \forall \omega \in \Omega, \quad (8)$$

and constraints (2)-(6).

The minimal coverage $u$ across all scenarios, as defined by constraint (8), is maximized in the objective (7). This measure is often considered to be overly pessimistic by evaluating only the most extreme scenario, regardless of the coverage in other scenarios. We list two examples when MaxMinCoverage is overly pessimistic. First, if the worst-case scenario occurs with an extremely small probability but requires an expensive mitigation to cover, MaxMinCoverage would suggest selecting this mitigation even when the coverage in most scenarios is high. Second, consider the case when there are several equivalent worst-case scenarios that employ different sets of mitigations. If the total budget is not enough to select all required mitigations, the resulting minimal coverage is not improved after exhausting the entire budget. Meanwhile, coverage in most scenarios is neglected in this decision process. While MaxMinCoverage allocates mitigations to improve the worst-case scenarios, these scenarios might not “demand” the most defensive resources.
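As an added worked example (not part of the article and not the authors' implementation), the following Python script builds a small constructed instance of the attack-path model above (weights $a_s$, node sets $N_s$, mitigation sets $M_n$, costs $b_m$, budget $B$, and failure scenarios $\xi^{\omega}_{mn}$ with probabilities $p_\omega$), enumerates every portfolio of mitigations within budget, and scores each under the four objectives discussed in this section and in the Introduction: expected coverage (MaxExpCoverage), worst-case coverage (MaxMinCoverage), maximal regret relative to each single scenario's optimum (MinMaxRegret), and the expected coverage in the $(1 - \alpha)$ worst-probability tail (MaxCVaR). Enumeration stands in for the integer program because the instance is tiny; the coverage function $f_s(k) = 1 - 0.5^k$, the instance data, the fractional treatment of the boundary scenario in the CVaR tail, and all names are assumptions. On this instance the expected-value objective and the three robust objectives select different portfolios, which is the divergence the text describes.

```python
"""Added example (not from Zheng & Albert): enumerate every portfolio of
mitigations within budget on a small constructed instance and score it under
the four objectives: expected coverage, worst-case coverage, maximal regret
and expected coverage in the (1 - alpha) worst-probability tail.
All names, numbers and the coverage function are constructed assumptions."""
from itertools import combinations

# Attack paths s -> (weight a_s, vulnerability nodes N_s). Constructed.
PATHS = {
    "intercept_shipment": (3.0, {"ship_info", "cargo_breach", "implant"}),
    "rogue_vendor": (2.0, {"vendor_vetting", "implant"}),
}
# Mitigations m -> (cost b_m, nodes it covers, i.e. m in M_n). Constructed.
MITIGATIONS = {
    "encrypt_logistics": (2, {"ship_info"}),
    "tamper_evident": (3, {"cargo_breach", "implant"}),
    "vendor_audit": (2, {"vendor_vetting"}),
    "firmware_attest": (4, {"implant"}),
}
BUDGET = 6
# Scenarios omega -> (p_omega, set of (m, n) pairs whose coverage fails,
# i.e. xi^omega_mn = 0). Constructed; probabilities sum to 1.
SCENARIOS = {
    "nominal": (0.70, set()),
    "tamper_fail": (0.20, {("tamper_evident", "implant")}),
    "audit_fail": (0.10, {("vendor_audit", "vendor_vetting"),
                          ("tamper_evident", "cargo_breach")}),
}


def f_s(k):
    """Nondecreasing concave coverage function of the number k of covered
    nodes: each extra layer halves the remaining exposure (assumption)."""
    return 1.0 - 0.5 ** k


def coverage(portfolio, failed):
    """Sum_s a_s f_s(y_s) for one portfolio under one failure set (one omega)."""
    total = 0.0
    for a_s, nodes in PATHS.values():
        y_s = sum(
            1 for n in nodes
            if any(n in MITIGATIONS[m][1] and (m, n) not in failed
                   for m in portfolio))
        total += a_s * f_s(y_s)
    return total


def feasible_portfolios():
    """All subsets of M whose total cost respects the budget (constraint 4)."""
    names = sorted(MITIGATIONS)
    for r in range(len(names) + 1):
        for combo in combinations(names, r):
            if sum(MITIGATIONS[m][0] for m in combo) <= BUDGET:
                yield frozenset(combo)


def cvar_coverage(covs, alpha):
    """Expected coverage in the (1 - alpha) worst-probability tail, splitting
    the boundary scenario fractionally (assumed treatment); alpha = 1 reduces
    to the worst case and alpha = 0 to the plain expectation."""
    beta = 1.0 - alpha
    if beta <= 0:
        return min(covs.values())
    remaining, acc = beta, 0.0
    for w, c in sorted(covs.items(), key=lambda kv: kv[1]):
        take = min(SCENARIOS[w][0], remaining)
        acc += take * c
        remaining -= take
        if remaining <= 1e-12:
            break
    return acc / beta


def score(portfolio, alpha, best_per_scenario):
    """Return (expected, worst, max_regret, cvar) for one portfolio."""
    covs = {w: coverage(portfolio, failed)
            for w, (_, failed) in SCENARIOS.items()}
    expected = sum(SCENARIOS[w][0] * c for w, c in covs.items())
    worst = min(covs.values())
    max_regret = max(best_per_scenario[w] - c for w, c in covs.items())
    return expected, worst, max_regret, cvar_coverage(covs, alpha)


def solve(alpha=0.9):
    """Pick the best feasible portfolio under each of the four objectives."""
    ports = list(feasible_portfolios())
    # Per-scenario optima, the reference point of the regret measure.
    best = {w: max(coverage(p, failed) for p in ports)
            for w, (_, failed) in SCENARIOS.items()}
    scored = {p: score(p, alpha, best) for p in ports}

    def pick(index, sign):
        return max(ports, key=lambda p: sign * scored[p][index])

    return {
        "MaxExpCoverage": pick(0, 1),
        "MaxMinCoverage": pick(1, 1),
        "MinMaxRegret": pick(2, -1),
        "MaxCVaR": pick(3, 1),
    }


if __name__ == "__main__":
    for model, portfolio in solve(alpha=0.9).items():
        print(f"{model:15s} -> {sorted(portfolio)}")
```

With the constructed data, MaxExpCoverage selects tamper-evident packaging plus the vendor audit (highest average coverage), while MaxMinCoverage, MinMaxRegret and MaxCVaR at α = 0.9 all select logistics encryption plus firmware attestation, whose coverage is identical in every scenario; lowering α toward 0 moves the MaxCVaR choice back to the expected-value portfolio.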
In the case when the worst-case coverage is only improved by a small amount in a MaxMinCoverage solution, it is likely that other …

978-1-5386-7531-1/18/$31.00 ©2018 IEEE

Intelligent System for Risk Identification of Cybersecurity Violations in Energy Facility
Gaskova Daria, Aleksei Massel
Laboratory of Information Systems in energetics, Melentiev Energy Systems Institute of SB RAS, Irkutsk, Russia
[email protected], [email protected]

Abstract—The article describes a risk-based approach intended for analyzing threats and assessing the risk of cybersecurity violations in energy facilities. In the energy sector this approach should consider the harm produced by damage to or destruction of the facility, using quantitative and qualitative parameters. It is based on the probability of damage to or destruction of the facility resulting in a cascade failure. It can be employed for developing an information-analytical system aimed at monitoring cybersecurity violations in the energy sector.

Keywords—cybersecurity; critical infrastructure; risk assessment; intelligent system

I. INTRODUCTION
The Russian energy infrastructure is truly significant, as it combines power plants and energy systems, including main energy transportation lines. Critical infrastructures are currently being explored [1-2]. Because energy has penetrated all spheres of life in modern society, it is believed to be a vital component of national security [3]. It is noteworthy that energy security (ES) makes up an important part of Russia’s national security. The development of the Smart Grid concept in Russia exacerbates the problem of cybersecurity in energy. ES threats are traditionally classified into five main groups: economic, social-political, technogenous, natural and managerial-legal [4]. This threat list was supplemented with cybersecurity threats [2], whose realization could provoke serious emergency situations in energy, fraught with a drastic reduction of the energy resources provided to consumers.
The rapid spread of the computing environment, the development of information technologies and the trend of transition to intelligent energy make cyber threats the most notable tactical threats to ES. As a matter of fact, both systematic preventive measures for averting cyber threats and continuous updating of protection are underrated. This can lead to a significant long-term deficit in energy supply, whose negative impact depends on the scale of the cyber threats and the damage they cause. For the reasons above, the authors propose to create an intelligent system capable of identifying the risk of cybersecurity violations in an energy facility based on a risk-based approach.

II. ENERGY AS AN IMPORTANT CRITICAL INFRASTRUCTURE
Critical infrastructure is the part of civil infrastructure that makes up a combination of physical or virtual systems and means that are important for the country, as their failure or destruction can trigger disastrous consequences in the fields of defense, economy, health and national security [1]. The requirements for ensuring cybersecurity in the energy sector were formed in foreign countries [5]. In Russia, the normative framework for ensuring cybersecurity in critical infrastructures is only beginning to be formed. Information protection in automatic process control systems in energy is usually provided on the basis of the Federal Service for Technical and Export Control of Russia order № 31 [6]. This order establishes requirements to ensure the protection of information in critical objects from illegal actions, including computer attacks. The development of the normative framework for information protection in critical infrastructure is at the draft stage of the Federal Law “On the Security of the Critical Information Infrastructure of the Russian Federation (RF)”.
The draft law establishes the main directions and principles for ensuring the security of critical information infrastructure, the powers of RF government agencies in this area, and also the rights, duties and responsibilities of owners, communication providers and operators, as well as operators of state information systems that provide the functioning and interaction of these facilities [7]. Investigations of critical infrastructure and, in particular, identification of critically dangerous facilities are a focus area in many countries and primarily in the United States. The reason for this is that the development level of information technologies and the capacity of modern simulation complexes constantly increase [1]. Nowadays the energy sector in Russia is at the stage of intellectualization, including both technological equipment (e.g. smart sensors, data transmission networks) and the application of modern information technologies, primarily in the electrical energy industry. At the same time, the introduction of information technologies into the energy industry carries many risks and threats [8].

III. CYBERSECURITY
According to the ITU-T standard T-REC-X.1205 [9], cybersecurity is treated as a set of tools, strategies, security principles, security guarantees, guidelines, risk management approaches, actions, training, experience, insurance and technologies that can be used to protect the cyber environment, resources, organizations and users.

This work was partially supported by RFBR grants №15-07-01284, №17-07-01341. The authors are grateful to this organization.

Authorized licensed use limited to: Northcentral University. Downloaded on October 19,2021 at 13:52:31 UTC from IEEE Xplore. Restrictions apply.

The cyber environment comprises computing devices, personnel, infrastructure, applications, services, telecommunications systems, as well as the totality of transmitted and/or stored information.
Cybersecurity is an attempt to achieve and maintain the security properties of the resources of the organization or user against relevant security threats in the cyber environment. According to ISO 27032:2012 [10], cybersecurity is based on Application Security, Information Security, Network Security, Internet Security and Critical Information Infrastructure Protection, but is not synonymous with them. The protection of key information systems of critical infrastructures primarily concerns ensuring the ES of the facility. The main concepts of cybersecurity are asset, threat, vulnerability and risk. The main definitions of security and their relationships, described in foreign and translated standards [2], share similarities. Security is concerned with protecting assets from threats, which are classified by their potential for abuse of the protected assets; particular attention is paid to threats associated with malicious or other human actions [11]. The ontology of cybersecurity in the energy sector [12] and the methodology for threat analysis and risk assessment of security violations in energy complexes were developed at the Melentiev Energy Systems Institute SB RAS. The methodology, which includes eight stages, is based on expert assessments and methods of qualitative risk analysis [13]. An asset is some entity valuable to a person or organization [11]. A security threat is a possible action that can directly or indirectly damage information security. Damage to security is understood as a violation of the confidentiality, accessibility and/or integrity of information. Threats are classified by the nature of occurrence, degree of deliberateness, manifestation of the direct threat source, position of the threat source, extent of dependence upon activity, degree of impact on the system, resource access methods, and current location of information stored and processed in the system.
In particular, threats are classified by degree of deliberateness: threats caused by human error or negligence, and threats of deliberate action. A cyber attack is a threat of deliberate action initiated by a human. A vulnerability is a weakness in the information system, the security system or gaps in internal controls that can be exploited or triggered by a threat source [14]. Risk is an event with negative consequences caused by external or internal factors [14]. Risk can be defined as a combination of the probability of an accident and the scale of the damage it can cause, or as a combination of the probability of an event and its impact [2]. Risk management is the process of in-depth study of the factors that can lead to the realization of possible threats to the assets of the system. The PDCA (Plan, Do, Check, Act) process model, also known as the Deming-Shewhart cycle, is common for risk assessment [11]. Widespread interest in the security of industrial systems arose not so long ago, after a series of specialized computer virus incidents such as Flame and Stuxnet. At that time it transpired that international intelligence agencies, competing corporations or cyber-terrorists can exploit inadequate attention to the information security of automatic process control systems and their components for their own purposes (for instance, Supervisory Control And Data Acquisition SCADA / Power-Line Communication PLC) [15]. The development of an effective cybersecurity strategy requires a holistic approach to risk analysis. This means that systematic documentation and prioritization of the existing vulnerabilities (threats) of the management system and their possible consequences are required. Therefore, the owners of energy assets can make adequate decisions to anticipate and respond to existing and potential threats.

IV.
RISK-BASED APPROACH
The risk-based approach considers harm from damage to or destruction of the facility using quantitative and qualitative parameters, as well as the probability of further damage to or destruction of the facility's components, based on the probability of damage to or destruction of the facility leading to a cascade failure. The risk formula consists of three components (1):

R = {T, V, D}, (1)

where T denotes threats, V vulnerabilities, and D the damage from threat realization. Threats are defined through the probability of events occurring that lead to critical situations (for example, the conditional probabilities used in Bayesian networks). Cyber threats can trigger the subsequent realization of other ES threats. It was proposed to apply Bayesian networks to build cyber threat realization scenarios using conditional probabilities. Asset vulnerabilities are determined by an expert poll using a production-rule expert system. The knowledge base of the expert system includes the standards of the five components of cybersecurity. Damage is traditionally evaluated in monetary terms; however, conventional units are applied at this stage.

It is proposed to develop an intelligent system to support the decision-making of an information security specialist concerning the assurance of energy facility cybersecurity. This system, utilizing the risk-based approach, should contribute to identifying critical assets, their vulnerabilities and the threats of security violations, determining scenarios of threat realization, and measures to protect assets from threats. The system will build upon the methodology for analyzing threats and assessing the risk of information technology security violations in energy complexes proposed by A. Massel [16].

V.
THE INTELLIGENT SYSTEM DEVELOPMENT
At present, the structure of the intelligent system for risk identification of cybersecurity violations in energy facilities has been designed, and a research prototype of the system described above has been implemented. It consists of three interrelated components: (1) an expert system for recognizing vulnerabilities and primary threats, (2) a Bayesian network for modeling threat scenarios, and (3) a module for assessing the risk of cybersecurity violations, which includes visualization as a risk map. The structure of the intelligent system is shown in Figure 1.

[Fig. 1. Structure of intelligent system. Blocks in the figure: expert system (expert, list of vulnerabilities, list of threats) → Bayesian network (threat scenarios) → risk evaluation (threat scenarios, damage, map of risks).]

Figure 2 shows the ontology of basic concepts of cyber threats incorporated into the intelligent system.

[Fig. 2. The ontology of basic concepts of cyber threats.]

Assets are considered in terms of the information infrastructure of the critical facility; e.g. assets of the automatic process control system are considered at the operator, automatic control and executive device levels. Threats and vulnerabilities are first considered at the top level, including general concepts and their most extensive list, and then at a detailed level that provides specific names and types of hardware and software. The expert system involves three issues: (1) the energy facility asset, (2) the vulnerability of the information technology system and (3) the threat of a cybersecurity violation of the facility. The expert system is intended for detecting the primary vulnerabilities and threats of the facility. It is based on the answers that the user, an information security specialist, gives to the questions offered by the system in the form of a questionnaire. The interconnection between assets, vulnerabilities and threats within the system is established by templates. A template has a number of main fields.
The vulnerability template is exemplified as:

<Vulnerabilities>
  <Title>…</Title>
  <Assets>…</Assets>
  <Threats>…</Threats> or <List of threats>…</List of threats>
  <Control>…</Control>
</Vulnerabilities>

The most common vulnerabilities and threats described for the given energy facility are searched for, and their list is then formed. The list of threats is then passed to the Bayesian network to determine conditional probabilities and build threat realization scenarios.

A research prototype of the production expert system has recently been implemented. Figure 3 illustrates the prototype structure.

Fig. 3. Prototype structure (layers: graphical user interface in Java/Swing with listeners; interaction interface via JNI; core of the expert system in CLIPS with knowledge base, inference engine, rules and templates).

The graphical user interface (GUI) handles data display and the servicing of user interface events; it is implemented in the high-level Java language using the Swing library. The interaction interface uses the Java Native Interface (JNI) mechanism, which lets code running under the Java virtual machine call native code; it is employed for the interaction between the GUI and the C Language Integrated Production System (CLIPS). The core of the expert system is built with CLIPS, a software environment for expert system development, and comprises the logical inference mechanism and the knowledge base.

The Bayesian network will be implemented with the same software tools used for the expert system prototype, for ease of integration. The threats and the partial links among them established in the expert system are transferred to the Bayesian network for the expert's work. It is assumed that the threat template has tag fields containing lists of threats that usually cause, or are caused by, the given threat.
The expert checks the existing links and establishes the missing links between the threats, resulting in a threat graph, i.e. scenarios of threat realization. The graph model determines conditional probabilities given the a priori probabilities of realizing the threats that act as initiating events. The use of the Bayesian network allows the impact of cyber threats on energy security violation threats to be analyzed. Figure 4 illustrates the "unauthorized access" threat scenario.

Fig. 4. Realization of the threat "unauthorized access" using the Bayesian network in the Netica program.

For example, let us define the probability of the threat of "unauthorized access" to the automated workstation of the SCADA system manager. Suppose that the result of the experts' work with the expert system is a list of threats such as the possibility of stealing a password and a weak password policy, and, as a consequence, the probability of unauthorized access by an attacker. The three states of the "steal a password" threat are easy, average and difficult accessibility of the stolen password. The password policy can also have three states: weak, medium and strong. Depending on the likelihood of the threats described above being realized, the threat of "unauthorized access" can be either realizable or unrealizable with a certain calculated probability. The access obtained by the attacker can affect the state of the energy facility's data transmission. With that, the functioning of the energy facility can be disrupted if information about the pre-crisis state of the system is significantly delayed or lost. The presented example assumes a weak password policy and that the password at the facility can be easily stolen. Then the fact that the system is in a pre-crisis state is the case. Most probably, an attacker will not disclose his unauthorized access and will delay information on the system state. In this case, the probability of transition from the pre-crisis to the crisis state is high.
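The scenario just described, worked through as an added example that is not code from the paper: a small discrete Bayesian network with the same six nodes, using constructed conditional probability tables (the Netica tables behind Fig. 4 are not on the page), and exact inference by enumeration to obtain the posterior of "unauthorized access" and of the facility function for the weak-policy, easily-stolen-password case beside a hardened one.

```python
from itertools import product

# Added example: Bayesian network for the "unauthorized access" scenario.
# Node structure follows the paper's description; every probability below is
# CONSTRUCTED for illustration and is not taken from the paper's Netica model.

STATES = {
    "steal_password": ("easy", "average", "difficult"),
    "password_policy": ("weak", "medium", "strong"),
    "unauthorized_access": ("realizable", "unrealizable"),
    "system_state": ("normal", "precrisis", "crisis"),
    "info_transfer": ("successful", "loss", "delay"),
    "facility_function": ("normal", "precrisis", "crisis"),
}

# Prior probabilities of the root nodes (constructed).
PRIORS = {
    "steal_password": (0.3, 0.4, 0.3),
    "password_policy": (0.4, 0.4, 0.2),
    "system_state": (0.9, 0.08, 0.02),
}

# P(unauthorized access realizable) = base chance given how easily the password
# is stolen, scaled down by the strength of the password policy (constructed).
STEAL_BASE = {"easy": 0.9, "average": 0.6, "difficult": 0.2}
POLICY_FACTOR = {"weak": 1.0, "medium": 0.7, "strong": 0.4}

# P(facility function = normal, precrisis, crisis | info transfer, system state).
# A lost or delayed pre-crisis message is what lets a pre-crisis state escalate.
FUNCTION_CPT = {
    ("successful", "normal"): (0.97, 0.03, 0.0),
    ("loss", "normal"): (0.97, 0.03, 0.0),
    ("delay", "normal"): (0.97, 0.03, 0.0),
    ("successful", "precrisis"): (0.6, 0.35, 0.05),
    ("loss", "precrisis"): (0.05, 0.35, 0.6),
    ("delay", "precrisis"): (0.1, 0.3, 0.6),
    ("successful", "crisis"): (0.1, 0.3, 0.6),
    ("loss", "crisis"): (0.0, 0.1, 0.9),
    ("delay", "crisis"): (0.0, 0.15, 0.85),
}


def distribution(node, a):
    """Return P(node | parents) as a tuple ordered like STATES[node], reading
    the parent values from the full assignment a."""
    if node in PRIORS:
        return PRIORS[node]
    if node == "unauthorized_access":
        p = STEAL_BASE[a["steal_password"]] * POLICY_FACTOR[a["password_policy"]]
        return (p, 1.0 - p)
    if node == "info_transfer":
        if a["unauthorized_access"] == "unrealizable":
            return (0.9, 0.05, 0.05)      # undisturbed telemetry path
        if a["system_state"] == "normal":
            return (0.8, 0.1, 0.1)        # nothing for the intruder to hide yet
        return (0.15, 0.30, 0.55)         # intruder delays or drops the alarm
    if node == "facility_function":
        return FUNCTION_CPT[(a["info_transfer"], a["system_state"])]
    raise KeyError(node)


def posterior(query, evidence):
    """Exact inference by enumerating the full joint distribution (486 rows),
    keeping the assignments consistent with the evidence and normalising."""
    nodes = list(STATES)
    totals = dict.fromkeys(STATES[query], 0.0)
    for values in product(*(STATES[n] for n in nodes)):
        a = dict(zip(nodes, values))
        if any(a[n] != v for n, v in evidence.items()):
            continue
        p = 1.0
        for n in nodes:
            p *= distribution(n, a)[STATES[n].index(a[n])]
        totals[a[query]] += p
    z = sum(totals.values())
    return {s: v / z for s, v in totals.items()}


def scenario(steal, policy, state="precrisis"):
    """Posteriors of access realization and facility function for one scenario."""
    ev = {"steal_password": steal, "password_policy": policy, "system_state": state}
    return posterior("unauthorized_access", ev), posterior("facility_function", ev)


if __name__ == "__main__":
    for steal, policy in (("easy", "weak"), ("difficult", "strong")):
        access, function = scenario(steal, policy)
        print(f"steal={steal:9s} policy={policy:6s} "
              f"P(access realizable)={access['realizable']:.3f} "
              f"P(function crisis)={function['crisis']:.3f}")
```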
Risk will be assessed by traversing the graph for each scenario the expert considers plausible. To do this, the expert fills in the "damage" field for each final state in the scenario. The module calculates the risk, where the risk is the product of the likelihood of the threat being realized and the damage from it, and displays a ranked list of scenarios. In addition, the risk assessment module should provide a visualization of the threat realization risk map for a given asset. A risk map is needed to display risks by threat type together with the risk acceptability boundary. Figure 5 displays a risk map. A ranked list of the facility's critical assets is also to be displayed. Here, critical assets are the assets that account for the greatest number of threats in the scenarios and whose threat realization likelihoods exceed the limit likelihood assigned by the expert.

Fig. 5. Example of risk map (threats of type 1, 2 and 3 plotted against the risk acceptability line; the critical threats lie above it).

VI. CONCLUSION

The article treats the energy sector as a critical infrastructure and an important part of national security. Given the tendency to introduce new information and telecommunication technologies into the energy sector, it is vital to ensure high-quality provision of cybersecurity. A risk-based approach is proposed that allows linking the vulnerabilities, threats and damages of cybersecurity violations. It is proposed to develop an intelligent system for assessing the risk of cybersecurity violations from the most feasible cyber threats, applying the risk-based approach and the methodology of threat analysis and risk assessment.

REFERENCES

[1] A. Kondratev, "The current trends in research of Critical Infrastructure in foreign countries," Foreign Military Review, no. 1, 2012, pp. 19-30.
[2] L.V. Massel, N.I. Voropai, S.M. Senderov, A.G. Massel, "Cybersecurity as one of the strategic threats to energy security," Cybersecurity Issues, no. 4 (17), 2016, pp. 2-10.
[3] B.G. Saneev, S.P. Filipov et al., "System researches of energy problems," Novosibirsk: Nauka, 2000, 588 p.
[4] N.I. Pyatkova, V.I. Rabchuk, S.M. Senderov, M.B. Cheltsov, "Energy security of Russia: problems and solutions," Novosibirsk: SB RAS Publishing House, 2011, 211 p.

Fig. 4 node values (recovered from the figure): Unauthorized access: Realizable 99.0, Unrealizable 1.0; System state: Normal 0, Precrisis 100, Crisis 0; Steal password: Easy 100, Average 0, Difficult 0; Password policy: Weak 100, Medium 0, Strong 0; Violation of energy facility function: Normal function 14.5, Precrisis function 31.5, Crisis 54.0; Pre-emergency information transfer: Successful transfer 15.1, Information loss 29.9, Information delay 55.0.

[5] L.V. Massel, A.G. Massel, "Cyber security of Russia's energy infrastructure as a component of national security," 6th International Conference on Liberalization and Modernization of Power Systems, 2015, pp. 66-72.
[6] Requirements to ensure the information protection in automatic process control systems of production and technological processes in critical facilities, potentially hazardous facilities, and also objects that present an increased danger to human life and the environment. [Online]. Available: http://fstec.ru/prikazy/864-prikaz-fstek-rossii-ot-14-marta-2014-g-n-31
[7] The Security of the Critical Information Infrastructure of the Russian Federation. [Online]. Available: https://www.consultant.ru/law/hotdocs/48095.html
[8] L.V. Massel, "Modern information technologies in the Smart Grid as a threat to the cybersecurity of Russia's energy systems," Information Technology and Security, Kiev, no. 1 (3), 2013, pp. 56-65.
[9] T-REC-X.1205 – ITU-T: Overview of cybersecurity. [Online]. Available: https://www.itu.int/rec/T-REC-X.1205-200804-I
[10] ISO/IEC 27032:2012, Information technology. Security techniques. Guidelines for cybersecurity.
[11] V.V. Mohor, A.M. Bogdanov, A.S. Kilevoj, "Information Technology. Methods of security. Cybersecurity manual (ISO/IEC 27032:2012)," Kiev: Three-K, 2013, 129 p.
[12] T.N. Vorozhtsova, "Development of the ontology of cybersecurity in the energy sector," International Conference "Cybersecurity-2013", Kiev, 2013, pp. 19-25.
[13] L.V. Massel, A.G. Massel, "The current state of cyber security in Russia's energy systems and the proposed activities for situation improving," 6th International Conference on Liberalization and Modernization of Power Systems, 2015, pp. 165-170.
[14] V.F. Shanguin, "Protection of information in computer systems and networks," Moscow: DMK, 2012, 593 p.
[15] G.V. Grytsay, A.G. Timorin, "Safety of industrial systems in figures," Positive Technologies, 2012. [Online]. Available: http://www.ptsecurity.ru/download/SCADA_analytics_russian.pdf
[16] A.G. Massel, "Methodology for threat analysis and risk assessment of information technology security violation of energy complexes," 20th Baikal Russian Conference, vol. 3, 2015, pp. 186-195.
IEEE TRANSACTIONS ON SYSTEMS, MAN, AND CYBERNETICS: SYSTEMS, VOL. 46, NO. 10, OCTOBER 2016, p. 1429

Multimodel-Based Incident Prediction and Risk Assessment in Dynamic Cybersecurity Protection for Industrial Control Systems

Qi Zhang, Chunjie Zhou, Naixue Xiong, Senior Member, IEEE, Yuanqing Qin, Xuan Li, and Shuang Huang

Abstract—Currently, an increasing number of information/communication technologies are adopted into industrial control systems (ICSs). While these IT technologies offer high flexibility, interoperability, and convenient administration of ICSs, they also introduce cybersecurity risks.
Dynamic cybersecurity risk assessment is a key foundational component of security protection. However, due to the characteristics of ICSs, the risk assessment for IT systems is not completely applicable to ICSs. In this paper, through consideration of the characteristics of ICSs, a targeted multilevel Bayesian network containing attack, function, and incident models is proposed. Following this proposal, a novel multimodel-based hazardous incident prediction approach is designed. On this basis, a dynamic cybersecurity risk assessment approach, which has the ability to assess the risk caused by unknown attacks, is also devised. Furthermore, to improve the accuracy of the risk assessment, which may be reduced by the redundant accumulation of overlaps amongst different consequences, a unified consequence quantification method is presented. Finally, to verify the effectiveness of the proposed approach, a simulation of a simplified chemical reactor control system is conducted in MATLAB. The simulation results clearly demonstrate that the proposed approach has the ability to dynamically calculate the cybersecurity risk of ICSs in a timely manner. Additionally, the result of a different comparative simulation shows that our approach has the ability to assess the risk caused by unknown attacks.

Index Terms—Bayesian network, cybersecurity, incident prediction, industrial control system (ICS), multiple models, risk assessment.

Manuscript received May 26, 2015; revised August 13, 2015; accepted August 20, 2015. Date of publication December 18, 2015; date of current version September 14, 2016. This work was supported in part by the National Natural Science Foundation of China under Grant 61272204 and Grant 61433006, and in part by the Fundamental Research Funds for the Central Universities of China (HUST) under Grant 2013ZZGH006. This paper was recommended by Associate Editor T.-M. Choi. (Corresponding authors: Chunjie Zhou and Yuanqing Qin.)

Q. Zhang, C. Zhou, Y. Qin, X. Li, and S. Huang are with the Key Laboratory of Ministry of Education for Image Processing and Intelligent Control, School of Automation, Huazhong University of Science and Technology, Wuhan 430074, China (e-mail: [email protected]; [email protected]; [email protected]; [email protected]; [email protected]).

N. Xiong is with the Department of Business and Computer Science, Southwestern Oklahoma State University, Weatherford, OK 73096, USA (e-mail: [email protected]).

Color versions of one or more of the figures in this paper are available online at http://ieeexplore.ieee.org.

Digital Object Identifier 10.1109/TSMC.2015.2503399

NOMENCLATURE

List of Notation
T  A boolean, meaning that the condition is satisfied.
F  A boolean, meaning that the condition is not satisfied.
R  Cybersecurity risk of the system.
ai  ith malicious atom attack (node).
ri  ith system resource (node).
fi  ith system function (node).
ei  ith hazardous incident (node).
xi  ith auxiliary incident (node).
ci  ith consequence.
p(ei)  Occurrence probability of ei.
q(ei)  Consequence quantification of ei.
O(ri)  Event that the attacker has obtained ri.
O(ri)  Event that the attacker has not obtained ri.
ori,j  Conditional probability that O(ri) happens in the jth condition.
C(ai)  Event that the condition for launching ai has been satisfied.
C(ai)  Event that the condition for launching ai has not been satisfied.
cai,j  Conditional probability that C(ai) happens in the jth condition.
L(ai)  Event that ai has been launched.
L(ai)  Event that ai has not been launched.
�ai  Probability that L(ai) happens in the condition that C(ai) has happened.
lai,j  Conditional probability that L(ai) happens in the jth condition.
F(fi)  Event that fi has been invalidated.
F(fi)  Event that fi has not been invalidated.
bfi,j  Conditional probability that F(fi) happens in the jth condition.
H(ei)  Event that ei has occurred.
H(ei)  Event that ei has not occurred.
hei,j  Conditional probability that H(ei) happens in the jth condition.
H(xi)  Event that xi has occurred.
H(xi)  Event that xi has not occurred.
hxi,j  Conditional probability that H(xi) happens in the jth condition.
Ea  Set of attack evidence.
Eb  Set of anomaly evidence.
E  Set of evidence.
ci  Set of consequences of ei.
C  Set of ci.
c′i  Set of consequences of xi.
C′  Set of c′i.
ei  Set of hazardous incidents.
Tmax  Maximum time interval between adjacent continuous atom attacks.
QH  Quantification of harm to people.
QE  Quantification of environmental pollution.
QP  Quantification of property loss.

2168-2216 © 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

Authorized licensed use limited to: Northcentral University. Downloaded on October 19,2021 at 14:01:47 UTC from IEEE Xplore. Restrictions apply.

I. INTRODUCTION

With the rapid development of industrial control systems (ICSs), ICSs are susceptible to the attacks and threats of typical IT systems [1]–[4]. Even worse, the number of vulnerabilities and cyber incidents of ICSs is increasing rapidly every year [5]. In the year 2000, a former employee attacked the supervisory control and data acquisition system of a sewage treatment plant in Queensland. This malicious attack caused 800 000 L of raw sewage to spill out into local parks and rivers [6], [7]. Stuxnet, which was discovered in June 2010, reportedly ruined almost one-fifth of Iran's nuclear centrifuges. As a result, it led to the repeated postponement of Iran's nuclear power plant and grid development [3], [8].
Unlike traditional IT systems, the security incidents of ICSs can cause irreparable harm to the physical systems they control and to the people dependent on them. Basically, protecting ICSs against cyberattacks is vital to both the economy and the stability of a nation. Therefore, the cybersecurity issue of ICSs must be taken seriously and solved as soon as possible.

As production and operation systems, ICSs have a relatively greater demand on timeliness and availability [9], requiring dynamic cybersecurity protection. The objective of cybersecurity protection of ICSs is to maintain a normally running system by lowering the dynamic risk below an acceptable risk threshold [10]. Thus, risk-based dynamic cybersecurity protection is an effective approach against cyberattacks [11], [12]. In risk-based dynamic cybersecurity protection, the target systems together with intrusion detection, risk assessment, decision-making, and policy enforcement [4], [13], [14] form a closed loop. As a vital part of the closed loop, risk assessment is used to collect a wide variety of information, perceive the functioning state of the system, and assess the current cybersecurity risk of the system [10]. This evaluation or assessment assists decision makers in achieving benchmark performance and taking the necessary actions to prevent the deterioration of the system [15], [16].

Cybersecurity risk assessment in the IT domain is not entirely applicable to ICSs because ICSs differ in several respects from traditional IT systems. First, the cybersecurity objectives are different. Traditional IT systems require first the assurance of confidentiality, then integrity, and finally availability. In contrast, for ICSs, the priorities of these three security objectives are first availability, then integrity, and finally confidentiality [17], because timeliness and availability are the primary concerns.
Malicious attacks introduce cybersecurity risk to ICSs by demolishing timeliness and availability. Therefore, the risk assessment of ICSs needs a novel risk propagation analysis approach. On the other hand, the different weight assignments of these three security objectives create the need for the consequence quantification of ICSs to be redesigned.

Second, most ICSs are real-time systems whose correctness is based on both the correctness and the timeliness of the output [9]. This means that a deferred response will lead to a reduction in control quality. Additionally, ICSs have more complicated and more tightly coupled physical systems. This characteristic may lead to a domino effect [18], which often takes place in process industries. For example, a spoofing attack on a programmable logic controller (PLC) which controls a reducing valve will cause excessively high pressure and can even lead to the explosion of a chemical reactor. Generally, this kind of chain of events happens simultaneously or in rapid succession [19]. Even worse is that most ICSs run in an embedded system environment with limited computing capabilities. With consideration of the three points above, the risk assessment algorithm for ICSs requires low computational complexity to reduce time consumption.

Finally, as continuously operating systems, ICSs cannot tolerate frequent software patching or updates [4]. This causes the database of attack signatures to lag far behind the rapid development of attacks. With this defect, intrusion detection system (IDS)-based misuse detection would miss unknown attacks. On the other hand, without information about unknown attacks, such as their purposes, consequences, and further steps, these unknown attacks and their consequences cannot be accurately predicted. As a result, the risk assessment module will generate erroneous risk values, which may lead to a wrong decision.
In conclusion, although considerable research undertaken in past decades has contributed to risk assessment, research dedicated to the cybersecurity protection of ICSs has remained limited. In this paper, a multimodel-based incident prediction and risk assessment approach is designed for ICSs, which can perceive and understand the situation of ICSs, utilize multiple models to predict hazardous incidents caused by malicious attacks, and generate the dynamic cybersecurity risk value of ICSs. Furthermore, the proposed approach can also assess the risk caused by unknown attacks. First, by analyzing the process by which malicious attacks lead to loss in ICSs, a multilevel Bayesian network, which consists of an attack model, a function model, and an incident model, is built to describe the propagation of risk caused by cyberattacks. Second, a multimodel-based cybersecurity risk assessment approach for ICSs is designed, which is able to generate the current cybersecurity risk value by calculating the probabilities and quantifying the consequences of a variety of potential hazardous incidents caused by malicious attacks. The proposed multimodel-based approach can predict the incidents caused by unknown attacks, which is impossible for prediction approaches based purely on attack knowledge. Then, to eliminate the risk error caused by the repeated accumulation of the overlaps amongst different consequences, a decoupling method for the consequences of an incident is proposed. Finally, the effectiveness of the proposed approach is verified through a simulation of a simplified chemical reactor control system. The rest of this paper is organized as follows.
Section II first analyzes the requirements of cybersecurity risk assessment according to the characteristics of ICSs and then presents the architecture of our approach. Section III builds a novel multilevel Bayesian network and proposes an approach to predict hazardous incidents with the multilevel Bayesian network. Section IV introduces consequence-unified quantification and proposes an approach to dynamic cybersecurity risk assessment on the foundation of incident prediction. To verify the effectiveness of the proposed approach, a simulation is conducted in Section V. The concluding remarks are made in Section VI.

II. RELATED WORKS

A. Cybersecurity Risk Assessment for ICSs

In recent years, considerable research has been undertaken to study cybersecurity risk assessment methods. Tsai and Huang [20] used the analytic hierarchy process to qualitatively assess the cybersecurity risk of wireless networks. Feng and Li [21] used an information systems security model in order to cope with the uncertainty in the information system. Shi [22] adopted a simulation of attacks to analyze the impact of each attack, which led to the proposal of an approach to risk assessment for enterprise networks. Poolsappasit et al. [23] proposed a risk assessment approach using Bayesian networks which enabled a system administrator to quantify the chances of network compromise. This work introduced a model named the Bayesian attack graph to describe the causal relationship between multistep attacks and to analyze potential attacks. Cárdenas et al. [4] presented an approach for analyzing the loss caused by events and used probabilistic risk assessment to calculate the risk. In conclusion, existing research on risk assessment is mainly divided into two directions. One direction focuses on the relationship between multistep attacks and the prediction of potential attacks.
The quantification methods for the consequences of malicious attacks are mainly based on confidentiality, integrity, and availability. The other direction works on the causal relationship of hazardous incidents, which can be used to predict the occurrence of these hazardous incidents.

Unlike IT systems, such as the intranet or the Internet of Things (IoT), ICSs have rigorous requirements on timeliness and availability [9]. The cybersecurity risks of ICSs come primarily from the potential loss caused by cyberattacks which demolish the timeliness and availability of the control system. Therefore, the cybersecurity risk propagation of ICSs differs from that of IT systems, and many risk assessment models for IT systems are not suitable for ICSs. Thus, cybersecurity risk assessment in ICSs requires a novel model to analyze the risk propagation.

The majority of the existing quantitative risk assessment approaches [4], [11], [24], [25] use the definition R = Σi S(ei)P(ei) to calculate the risk R, where S(ei) is the severity of the incident ei and P(ei) is the probability of the incident ei. This definition requires that the severity of hazardous incidents be quantified in the same unit. It is also worth noting that there is a problem when this definition is used in ICS risk assessment. For ICSs, different hazardous incidents may cause the same consequence, so using this definition to assess risk causes the severity of the same consequence to be accumulated multiple times. As a result, there is an error which cannot be ignored in the risk assessment. Worst of all, decision-making may generate a wrong policy from this inaccurate risk value.

Many ICSs run constantly [4], [9], and therefore updates must be planned and scheduled days or weeks in advance. After the updates, exhaustive testing is necessary to ensure the high availability of the ICS [9].
This leads to the inability of ICS attack knowledge to be updated in a timely manner. Several attack-knowledge-based risk assessments cannot work well on ICSs. Therefore, the risk assessment should have the ability to assess the risk caused by unknown attacks without corresponding attack knowledge.

Based on the above analysis, the requirements of cybersecurity risk assessment for ICSs can be summarized as follows. The risk assessment of ICSs needs the following.
1) A novel and targeted risk model to analyze the risk propagation.
2) A unified quantification approach to calculate the risk quantitatively without the error caused by the overlaps amongst consequences.
3) Finally, the ability to assess the risks caused by unknown attacks without corresponding attack knowledge.

B. Model-Based Risk Assessment

Although the aforementioned characteristics of ICSs bring more demanding requirements for risk assessment, the characteristics of the function and structure of ICSs make some approaches which are hard to implement in IT systems work well. More specifically, the network structure, functions, and tasks of ICSs are usually relatively fixed [26]. Compared with IT systems, which are more flexible, building a system model for ICSs is relatively easy and does not require frequent updates or modifications. Therefore, model-based risk assessment is suitable for ICSs.

Throughout the history of cyberattacks on ICSs, it is noted that the main purpose of the attackers is to damage the control system. To achieve this destructive purpose, attackers generally need to complete part or all of the following three steps: 1) infiltrate the field network; 2) invalidate system functions; and/or 3) cause incidents. To assess the risk, it is necessary to model attacks, functions, and incidents.

One typical modeling approach for attacks that is widely used is the Bayesian network, which is a significant part of risk assessment.
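The double-counting problem with R = Σi S(ei)P(ei) raised in Section II-A, shown as an added example that is not the paper's own unified quantification method: constructed incidents for a toy reactor control loop share consequences, and the naive incident-level sum is placed beside a consequence-level recombination that charges each consequence once, assuming the incidents occur independently.

```python
# Added example: why R = Σi S(ei)P(ei) overstates risk when hazardous incidents
# share consequences. Incidents, probabilities and severities are CONSTRUCTED
# for a toy chemical-reactor loop; the consequence-level recombination below is
# an illustrative decoupling under an independence assumption, not the paper's
# method.

# Severity of each consequence in one unified unit (constructed).
SEVERITY = {
    "reactor_damage": 50.0,
    "toxic_release": 30.0,
    "production_loss": 10.0,
}

# Hazardous incidents ei: occurrence probability P(ei) and the consequences
# they cause. Note that every consequence is reachable from two incidents.
INCIDENTS = {
    "overpressure": (0.20, {"reactor_damage", "toxic_release"}),
    "cooling_failure": (0.10, {"reactor_damage", "production_loss"}),
    "valve_spoof": (0.15, {"toxic_release", "production_loss"}),
}


def naive_risk(incidents, severity):
    """R = Σi S(ei)P(ei) with S(ei) = sum of the severities of ei's consequences.
    A consequence reachable from several incidents is charged once per incident."""
    return sum(p * sum(severity[c] for c in cons) for p, cons in incidents.values())


def consequence_probabilities(incidents):
    """P(c) = 1 - Π(1 - P(ei)) over the incidents that cause c: the chance that
    at least one of them occurs, assuming the incidents are independent."""
    p_not = {}
    for p, cons in incidents.values():
        for c in cons:
            p_not[c] = p_not.get(c, 1.0) * (1.0 - p)
    return {c: 1.0 - q for c, q in p_not.items()}


def decoupled_risk(incidents, severity):
    """Charge each consequence exactly once, weighted by the probability that
    any of the incidents leading to it occurs."""
    return sum(severity[c] * p for c, p in consequence_probabilities(incidents).items())


def overlap_error(incidents, severity):
    """Amount by which the naive sum overstates risk because of shared consequences."""
    return naive_risk(incidents, severity) - decoupled_risk(incidents, severity)


if __name__ == "__main__":
    print(f"naive R     = {naive_risk(INCIDENTS, SEVERITY):.2f}")
    print(f"decoupled R = {decoupled_risk(INCIDENTS, SEVERITY):.2f}")
    print(f"overstated  = {overlap_error(INCIDENTS, SEVERITY):.2f}")
```

With disjoint consequence sets the two calculations agree, which is the case the naive definition was written for.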
Poolsappasit et al. [23] and Xie et al. [27] established models of attack knowledge with the Bayesian network and used the attack models to predict future attacks and assess the risk. Wrona and Hallingstad [28] used the Bayesian network to assess the connectivity risk of protected core networking.

Authorized licensed use limited to: Northcentral University. Downloaded on October 19,2021 at 14:01:47 UTC from IEEE Xplore. Restrictions apply.
1432 IEEE TRANSACTIONS ON SYSTEMS, MAN, AND CYBERNETICS: SYSTEMS, VOL. 46, NO. 10, OCTOBER 2016

Szpyrka et al. [29] proposed a risk assessment approach for telecommunication networks that uses the Bayesian network to analyze the impact of attacks on the workflow. However, the Bayesian network has the defect of not containing information about unknown attacks, such as zero-day attacks. If the system is compromised by an unknown attack, the Bayesian network cannot predict its next step or potential impact.

The fault tree is the mainstream approach to modeling the relationships among functions. Fault tree analysis (FTA) is a top-down, deductive failure analysis approach [30]. FTA uses Boolean logic and anomaly events to analyze an undesired system state. FTA is mainly used in the fields of safety engineering and reliability engineering to assess system risk [31]–[35], but this type of risk refers to the potential loss caused by system faults rather than by a cyberattack. The fault tree model is rarely used in IT systems, such as the intranet, IoT, etc., because the structure and functions of IT systems often change with the business.

An event tree is an effective way to describe the causal relationships among incidents. Event tree analysis (ETA) is a forward, bottom-up, logical modeling technique. Starting from a single initiating event, ETA can assess the probabilities of the possible outcomes. ETA can be applied to nuclear power plants, spacecraft, chemical plants, etc.
Like FTA, ETA is often used in risk assessment [36]–[38]. Due to the flexibility of IT systems, ETA is not well suited to them. Like the event tree, a Petri net is also used to model relationships among various kinds of events, and much risk assessment research has used Petri nets. Cho et al. [39] used generalized stochastic Petri nets to model intrusion, failure, and repair events, and then analyzed the security and dependability of a control system. Fanti et al. [40] proposed a risk assessment framework that models accidents on highway networks with a colored timed Petri net. However, a Petri net may become too large to generate all states of the system, which makes dynamic analysis difficult.

In recent years, several comprehensive methods for model-based risk assessment have been designed. Operationally critical threat, asset, and vulnerability evaluation (OCTAVE) [41] is an approach for identifying, assessing, and managing information security risks. OCTAVE can identify and assess the risk to critical assets and set an optimal security policy by analyzing multiple domains of knowledge. OCTAVE integrates many approaches, such as the aforementioned FTA and ETA, to model threats. CORAS [42]–[44], which is built on many methods, such as the hazard and operability study, FTA, Markov analysis, etc., is used to deal with complex systems such as ICSs. However, as OCTAVE and CORAS are static approaches to risk assessment, they cannot be adopted to assess the dynamic risk of ICSs.

C. Architecture of Cybersecurity Risk Assessment for ICSs

To meet the requirements of risk assessment for ICSs mentioned in Section II-A, a dynamic cybersecurity risk assessment based on the multimodel is proposed, as shown in Fig. 1.

Fig. 1. Architecture of the dynamic cybersecurity risk of ICSs.

There are two kinds of inputs for dynamic cybersecurity risk assessment: 1) attack evidence and 2) anomaly evidence.
Attack evidence, which contains information about the type, target, and timestamp of a detected attack, is derived from the IDS. Anomaly evidence, which contains information about an anomaly, such as the invalidation of a function or the occurrence of a hazardous incident, can be obtained from the supervisory system of the ICS.

Dynamic cybersecurity risk assessment is divided into two phases: 1) hazardous incident prediction and 2) risk assessment. During the hazardous incident prediction phase, attack evidence and anomaly evidence are collected and marked in a multilevel Bayesian network. Then the probabilities of all potential hazardous incidents can be calculated by analyzing the collected evidence and the multilevel Bayesian network. During the risk assessment phase, the consequences of hazardous incidents are first classified, and each type of consequence is quantified in the same unit. Second, the overlaps amongst hazardous incidents are addressed so that the error caused by accumulating overlapping consequences is eliminated. Finally, the probabilities and consequences of hazardous incidents are combined into the cybersecurity risk.

III. MULTIMODEL-BASED INCIDENT PREDICTION

In this section, the relationships between atom attacks in multistep attacks, the dependencies among system functions, and the causality of incidents are analyzed first. Then the multidomain knowledge is modeled as a multilevel Bayesian network. Finally, a multimodel-based hazardous incident prediction approach is introduced.

A. Bayesian Network-Based Knowledge Modeling

As mentioned in Section II-B, in order to achieve the destructive purpose, attackers generally need to follow part or all of these three steps: 1) infiltrate the field network; 2) invalidate system functions; and/or 3) cause incidents.
ZHANG et al.: MULTIMODEL-BASED INCIDENT PREDICTION AND RISK ASSESSMENT

Therefore, multidomain knowledge of malicious attacks, invalidation of functions, and occurrence of incidents should be considered, making it necessary to establish multiple models of attacks, system functions, and hazardous incidents.

Theoretically, probabilistic inference requires a joint probability distribution, but this suffers from exponential complexity in the number of variables. There are various potential attacks, many system functions, and a great number of unanticipated incidents, making the joint probability distribution too large to be available. The Bayesian network was developed to solve this problem: it splits the complicated joint probability distribution into a series of simple nodes, which reduces the difficulty of knowledge acquisition and the complexity of probabilistic inference. The Bayesian network is widely used in fault diagnosis [45], decision-theoretic troubleshooting [46], etc.

As mentioned previously, in order to predict the occurrence of incidents, attack, function, and incident knowledge should be modeled. In this paper, to facilitate inference, these three types of knowledge are converted into a multilevel Bayesian network, which consists of four parts: 1) attack level; 2) function level; 3) incident level; and 4) information transfer between levels. The modeling procedures of these four parts are described in detail as follows.

1) Attack Level: Cyberattacks are becoming increasingly complex, especially when the target is an ICS characterized by a layered architecture that integrates several security technologies. These contexts can be violated by a multistep attack, which is a complex attack strategy comprised of multiple correlated atom attacks.
To launch an atom attack, all conditions of the attack must be satisfied. If an atom attack succeeds, the attacker obtains some resources, which may be the conditions of other atom attacks. The purpose of launching any atom attack is to prepare for subsequent atom attacks. To describe the atom attacks of a multistep attack with the Bayesian network, two sorts of nodes are proposed: 1) an atom attack node and 2) a resource node. In this paper, the Bayesian network is used to describe the relationships between attack nodes and resource nodes.

There are two steps to generating a Bayesian network: 1) generating a directed acyclic graph (DAG) and 2) generating a conditional probability table for each node in the DAG. Through vulnerability scanning, the vulnerabilities of the ICS can be obtained. Then all possible attack scenarios are enumerated using the information about system vulnerabilities. Next, the conditions and results of each atom attack in the attack scenarios are analyzed. Assuming there are $m$ atom attacks and $n$ resources, an $(m+n)\times(m+n)$ incidence matrix $[A_{i,j}]$ can be established. If the conditions of an atom attack $a_j$ are $r_{i_1}, r_{i_2}, \ldots, r_{i_x}$, then let $A_{i_k,j} = 1$, where $k = 1, 2, \ldots, x$. If the attacker can obtain the resources $r_{j_1}, r_{j_2}, \ldots, r_{j_y}$ by launching an atom attack $a_i$, then let $A_{i,j_k} = 1$, where $k = 1, 2, \ldots, y$. Finally, a DAG described by the incidence matrix $[A_{i,j}]$ can be generated.

Assume there are $n$ resource nodes $r_1, r_2, \ldots, r_n$ pointing to the attack node $a_i$; in other words, attack node $a_i$ has $n$ parent nodes. The Bayesian network adopts a conditional probability table to depict the condition of attack $a_i$, which is shown in Table I.
In general, satisfying the condition of an attack does not mean that the attacker must launch the attack, so the Bayesian network uses a launching probability, written here as $\lambda_{a_i}$ (the original symbol did not survive extraction), to describe the probability of launching an attack $a_i$. The probability of launching an attack $a_i$ is shown in Table II. To simplify the Bayesian network, Tables I and II can be merged into one table, as shown in Table III, where $l_{a_i,x} = \lambda_{a_i}\, c_{a_i,x}$, $x = 1, 2, \ldots, 2^n$. Assuming that the resource node $r_j$ has $m$ parent nodes $a_1, a_2, \ldots, a_m$, and the attacker has launched several of the attacks $a_1, a_2, \ldots, a_m$, he has a chance to obtain the resource $r_j$. The probabilities of obtaining resource $r_j$ are shown in Table IV. The aforementioned parameters, such as $or_{i,j}$, $c_{a_i,j}$, and $\lambda_{a_i}$, can be obtained from statistical analysis of historical data or from experts in the cybersecurity field.

TABLE I. CONDITION OF ATTACK $a_i$
TABLE II. PROBABILITIES OF LAUNCHING ATTACK $a_i$
TABLE III. CONDITIONAL PROBABILITY OF $a_i$
TABLE IV. PROBABILITIES OF OBTAINING RESOURCE $r_j$

2) Function Level: ICSs usually have tightly coupled physical systems. If a function becomes invalid due to malicious attacks, it may cause other functions to become invalid, too. This phenomenon is called cascading failure. FTA is used extensively to analyze the cascading failure of a control system [47]–[49]. The main objectives of FTA are as follows.
1) To identify all possible combinations of basic events that may result in a critical event in the system.
2) To find the probability that the critical event will occur during a specified time interval, or the frequency of the critical event.
3) To identify aspects of the system that need to be improved in order to reduce the probability of the critical event.
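Returning to the attack level of Section III-A.1: the following Python example (added here; it is not code from the paper) carries the construction through on a constructed multistep attack scenario of five atom attacks and five resources. It builds the $(m+n)\times(m+n)$ incidence matrix from each atom attack's conditions and results, checks that the matrix describes a DAG, fills the merged conditional probability tables, and then answers the question the incident prediction phase needs: the probability that the attacker holds a given resource, with or without evidence. All attack names, resources and numbers are invented. Three modeling choices are assumptions of this example rather than values the paper fixes: an attack's condition holds only when every parent resource is held (the all-conditions rule stated in the text); the Table IV rows are filled with a noisy-OR, each launched parent attack independently yielding the resource with its own probability; and a root resource with no parent attack receives a prior. Inference is by exact enumeration of the joint distribution, which is fine at this size. Evidence is passed as a mapping, so an IDS detection of an atom attack (attack evidence) and an observed absence of a resource (anomaly evidence) are handled alike.

```python
"""Attack level of the multilevel Bayesian network: incidence matrix, DAG, CPTs, inference.
Added example with a constructed scenario; it is not code from the paper."""
from itertools import product

# --- Constructed multistep attack scenario (hypothetical atom attacks and resources) ---
#   a1 exploit HMI web service      needs r1 (DMZ network access)   -> r2 (shell on HMI)
#   a2 pivot into the field network needs r2                        -> r3 (field network access)
#   a3 spoof Modbus write           needs r3                        -> r4 (control of PLC setpoints)
#   a4 harvest engineering creds    needs r2                        -> r5 (engineering credentials)
#   a5 push logic via EWS           needs r3 and r5                 -> r4
ATTACKS = ["a1", "a2", "a3", "a4", "a5"]
RESOURCES = ["r1", "r2", "r3", "r4", "r5"]
CONDITIONS = {"a1": ["r1"], "a2": ["r2"], "a3": ["r3"], "a4": ["r2"], "a5": ["r3", "r5"]}
# RESULTS[a][r]: probability that a launched attack a yields r (Table IV parameters, assumed values)
RESULTS = {"a1": {"r2": 0.9}, "a2": {"r3": 0.8}, "a3": {"r4": 0.9}, "a4": {"r5": 0.7}, "a5": {"r4": 0.95}}
# Launching probability of each atom attack once its conditions hold (Table II, assumed values)
LAUNCH = {"a1": 0.6, "a2": 0.5, "a3": 0.7, "a4": 0.4, "a5": 0.8}
# A resource with no parent attack needs a prior; the paper's tables do not cover this (assumption)
ROOT_PRIOR = {"r1": 0.5}

NODES = ATTACKS + RESOURCES          # index space of the (m+n) x (m+n) incidence matrix
IDX = {node: i for i, node in enumerate(NODES)}


def incidence_matrix():
    """A[r][a] = 1 if resource r is a condition of attack a; A[a][r] = 1 if a can yield r."""
    size = len(NODES)
    A = [[0] * size for _ in range(size)]
    for a, needed in CONDITIONS.items():
        for r in needed:
            A[IDX[r]][IDX[a]] = 1
    for a, yielded in RESULTS.items():
        for r in yielded:
            A[IDX[a]][IDX[r]] = 1
    return A


def parents(A, node):
    return [NODES[i] for i in range(len(NODES)) if A[i][IDX[node]]]


def topological_order(A):
    """Kahn's algorithm; a cycle means the scenario is not a DAG and is rejected."""
    indeg = {node: sum(A[i][IDX[node]] for i in range(len(NODES))) for node in NODES}
    ready = [node for node in NODES if indeg[node] == 0]
    order = []
    while ready:
        node = ready.pop(0)
        order.append(node)
        for child in NODES:
            if A[IDX[node]][IDX[child]]:
                indeg[child] -= 1
                if indeg[child] == 0:
                    ready.append(child)
    if len(order) != len(NODES):
        raise ValueError("incidence matrix contains a cycle; not a DAG")
    return order


def p_node(A, node, value, state):
    """P(node = value | its parents in `state`), i.e. one row of the merged CPT."""
    par = parents(A, node)
    if node in ATTACKS:
        # Table III row: the condition holds only if every parent resource is held
        # (all conditions required, as the text states); then launch with prob LAUNCH[node].
        p_true = LAUNCH[node] if all(state[r] for r in par) else 0.0
    elif not par:
        p_true = ROOT_PRIOR[node]
    else:
        # Table IV row filled by a noisy-OR assumption: each launched parent attack
        # independently yields the resource with probability RESULTS[a][node].
        miss = 1.0
        for a in par:
            if state[a]:
                miss *= 1.0 - RESULTS[a][node]
        p_true = 1.0 - miss
    return p_true if value else 1.0 - p_true


def posterior(target, evidence=None):
    """P(target = 1 | evidence) by exact enumeration of the joint distribution.
    `evidence` maps node -> 0/1, e.g. IDS attack evidence {"a1": 1} or anomaly evidence {"r3": 0}."""
    evidence = evidence or {}
    A = incidence_matrix()
    order = topological_order(A)
    numerator = denominator = 0.0
    for bits in product((0, 1), repeat=len(NODES)):
        state = dict(zip(NODES, bits))
        if any(state[k] != v for k, v in evidence.items()):
            continue
        joint = 1.0
        for node in order:
            joint *= p_node(A, node, state[node], state)
        denominator += joint
        if state[target]:
            numerator += joint
    return numerator / denominator if denominator else 0.0


if __name__ == "__main__":
    print("topological order:", topological_order(incidence_matrix()))
    print("P(r4)             =", round(posterior("r4"), 6))
    print("P(r4 | a1 seen)   =", round(posterior("r4", {"a1": 1}), 6))
    print("P(r4 | r3 absent) =", round(posterior("r4", {"r3": 0}), 6))
```

With these numbers the prior probability that the attacker gains control of the PLC setpoints ($r_4$) is about 0.077; an IDS report that $a_1$ was launched raises it to about 0.255, and anomaly evidence that the field network was never reached ($r_3$ absent) drives it to exactly zero, since both attacks that can yield $r_4$ require $r_3$. Exact enumeration costs $2^{m+n}$ joint states, so for a real ICS model the same CPTs would be handed to a variable-elimination or junction-tree engine instead.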
There are many methods involved in establishing a fault tree; therefore, the …