Does appropriate software support for target identification exist?

Zdenek Vintr, University of Defence, Kounicova 65, 662 10 Brno, Czech Republic
Michal Vintr, EBIS, spol. s r. o., Krizikova 2962/70a, 612 00 Brno, Czech Republic
Jindrich Malach, EBIS, spol. s r. o., Krizikova 2962/70a, 612 00 Brno, Czech Republic
Abstract - The paper deals with the evaluation and selection of available software tools that can be used to solve problems related to the identification of the targets of malicious acts. The paper presents the requirements of a grant project that focuses on the development of methods for target identification in the field of nuclear energy and critical infrastructure in the Czech Republic. The main requirements relate primarily to the modelling of the unacceptable effects of malicious acts. Based on the project purposes, specific requirements for software support for target identification are defined. In the next step, the available methods and techniques, namely event trees, fault trees and attack trees, are introduced. After that there is a summary of the available software tools focused on modelling and solving event, fault and attack trees. Individual software tools made by reputable producers are characterized in detail. Finally, the paper compares the capability of the available software tools with the specified requirements.

Index Terms - Threat, Event Tree, Fault Tree, Attack Tree

I. INTRODUCTION
The target identification of malicious acts is one of the basic steps which precede the design of an effective physical protection system. Target identification is focused mainly on the identification of the areas, materials, equipment or activities which are to be protected; these are called vital areas. A higher level of protection for those materials and equipment which are the more important when the possible effects of a malicious attack are considered is required not only in the area of the physical protection of nuclear materials and equipment. Therefore it is strongly advisable to deal with target identification, namely in the areas of nuclear energy and critical infrastructure. A team consisting of a company providing security services in the field of critical infrastructure protection, university specialists and research institute specialists, all based in the Czech Republic, is at present working on a security research grant project aimed, among other things, at target identification in nuclear facilities.(1)

When identifying the targets, it is important to set up a proper logic diagram which makes it possible to find the possible malicious attacks and their combinations that can result in an undesired event or consequence. The prime purpose of the diagram is to illustrate the relation between a possible undesired top event and its causes, the basic events (malicious attacks on materials and equipment), which are called initiating events of malicious origin (IEMO). Within the scope of the project it was necessary to select an appropriate method which enables the logic diagram to be recorded, modelled and solved. For this purpose the potential of the logic diagrams used in the area of technical systems dependability and safety and in the field of information systems security was evaluated. Next, the available software tools targeted at handling logic diagrams were examined. The potential and the efficiency of the available methods and software tools were compared with the requirements reflecting the needs of the grant project.

(1) This research was supported by the Ministry of Interior of the Czech Republic (project no. VG20112015040).

II. METHOD AND SOFTWARE TOOL REQUIREMENTS
During the initial stages of the project it was necessary to find an appropriate method, and then a software tool, which allows the logic diagram mentioned above to be recorded, modelled and solved. Method and software tool requirements were specified in two basic areas:
• Data entry – what inputs the method or software is expected to handle.
• Calculations, modelling and outputs – what results and outputs the method or software should provide.

For data entry, the following basic requirements were determined; a method or software shall:
• Enable the logic diagram to be graphically recorded.
• Enable one undesired top event with undesired effects (e.g. radiation leaking into the atmosphere) to be defined and graphically recorded.
• Enable each IEMO to be evaluated using any number of the following characteristics:
  o a probability defined by a numeric value or a function (e.g. the probability of event occurrence);
  o a category expressed by an integer (e.g. the required number of attackers, a required equipment category, or a knowledge category);
  o information describing a location (e.g. coordinates, building identification).
• Enable the logic relations between single IEMOs and an undesired top event to be defined.
• Enable any number of threats (types of attackers, i.e. the design basis threat) and their characteristics, expressed by categories, to be defined.

In the area of calculations, modelling and outputs the following basic requirements were specified; a method or software shall:
• Enable minimal cut sets (including their characteristics) to be determined and shown in graphs or tables (e.g. as logic diagrams).
• Enable a design basis threat to be applied and a graph to be created which shows a reduced logic diagram or reduced cut sets, i.e.:
  o an illustration of what the attacker is capable of;
  o the presentation of the reduced logic diagrams or cut sets which result in undesired event occurrence.
• Provide such output from the reduced logic diagrams or cut sets (e.g. coordinates) as allows the locations of those IEMOs which the attacker is capable of, and which may result in undesired top event occurrence, to be placed on a map.

The basic method and software requirements have been introduced above. The next step was to verify the potential of suitable methods.

III. SUITABLE METHODS

The methods which might meet the specified requirements include the methods applied in the area of technical systems dependability and safety, and in the area of information systems security. In these areas logic diagrams such as fault trees, event trees and attack trees are used.

A. Fault tree
Fault trees and Fault Tree Analysis (FTA) were originally developed in 1961–1962 at Bell Telephone Laboratories to evaluate the safety of the Minuteman Intercontinental Ballistic Missile Launch Control System [1]. A fault tree is a special directed graph used most often when analyzing system dependability and safety. The fault tree is a logic diagram which shows the logic relations between a potential undesired top event and the causes of its occurrence. Operating conditions, system element failures, operating errors, etc. might give rise to this event. The fault tree represents all important combinations of causes (events) which might result in undesired top event occurrence. Fault tree analysis is a deductive analysis method which can be qualitative or quantitative. The objective of the qualitative fault tree analysis is to find all possible combinations of operating condition factors, environmental conditions, human errors and system element failures which might lead to undesired top event occurrence. Minimal cut sets are most often the output of the qualitative analysis. The aim of the quantitative analysis might be to determine a number of measures describing the top event; its output can be, for example, the probability of top event occurrence, in which case each event has to be expressed by its occurrence probability. More information on FTA can be found in [14]. Information on how to apply FTA when analyzing system security is available in [4], [6], [7].

B. Event tree
An event tree and Event Tree Analysis (ETA) were developed in the USA in 1974 as part of solving nuclear power plant safety [1]. The event tree is a special graph used most often when analyzing safety and risks. It is represented as a logic diagram which illustrates the logic relations between initiating events and their consequences. The event tree is based on binary logic, in which an event either has or has not occurred. Event tree analysis is an inductive analysis method. It is used for analyzing the consequences of an initiating event, whereas fault tree analysis is applied when analyzing the causes of a top event. Event tree analysis considers the response of safety systems and operators to the initiating event. The objective of the qualitative analysis is to evaluate what undesired consequences the initiating event might cause; so-called accident scenarios, which express a succession of events caused by the initiating event, are usually the outcome. The aim of the quantitative analysis is to evaluate the probability of the scenarios (successions of consequences) and to find the most probable one. More information on ETA can be found in [15].

C. Attack tree
An attack tree was introduced for the first time in 1999 when dealing with information technology security [10]. The concept was suggested by B. Schneier, a specialist in cryptography, who developed the attack tree for modelling threats and attacks on information technologies (computers and networks). The attack tree is a special graph used mostly in system security analyses. It takes the form of a logic diagram which shows the logic relations between an attack objective (represented by the root node) and the ways of achieving that objective by partial attacks (represented by the leaf nodes). At the basic level, the attack tree illustrates attacks on a system arranged in a tree structure similar to the fault tree. Unlike the fault tree, the attack tree uses only AND and OR gates. Each attack (leaf node) might be specified by a number of quantities, which are basically of two types:
• a Boolean type: e.g. possible/impossible, able/unable, etc.;
• a continuous type: e.g. the cost of an attack or of protection, the time needed to perform an attack or to take protective measures, the probability of a successful attack, the probability of an attempted attack, etc.

Attack tree analysis is a deductive analysis method. Its prime aim is to evaluate the attack objective by means of the quantities characterizing the single attacks. By this it is possible to find out whether the system as a whole is vulnerable, and whether it is vulnerable to a certain type of attack or to combinations of different types of attacks. More information on the attack tree method can be found, for example, in [10]. A few authors have suggested and introduced ways of modifying and extending the basic idea of the attack tree [7], [9], [11], [12]. Others have recently brought in ways of using the attack tree when dealing with specific system security problems [3], [5], [8].

IV. AVAILABLE SOFTWARE TOOLS

To make work with the methods mentioned in the previous chapter easier, it is advisable to use a software tool available on the market. In this chapter we briefly describe the individual software tools of renowned producers which are focused on computer support of the methods mentioned above.

A. Software tools for fault tree analysis
At present a relatively large number of software products aimed at fault tree analysis is available on the market. They are mainly the products of renowned software producers focused on the support of system dependability and safety. The products listed below are quite widespread:
• FaultTree+ developed by Isograph;
• Windchill FTA (formerly Relex Fault Tree) developed by PTC;
• BlockSim developed by ReliaSoft;
• Fault Tree Analysis developed by ITEM Software;
• RAM Commander Fault Tree Analysis developed by ALD;
• RiskSpectrum FTA developed by Scandpower.

Most of the producers deliver software for FTA separately, but the software for FTA can also be included in a complete software package which supports dependability and safety. Within such a package FTA can be connected with other methods, such as the reliability block diagram method. Products for FTA which also contain event tree analysis (e.g. the FaultTree+ product) can currently be found on the market. The individual software products primarily enable us:
• to model in graphic form the relations between a top event and its causes (events);
• to determine the relations between events using the common types of gates;
• to express single events at least by occurrence probability, but usually also by availability, reliability and maintainability measures;
• to analyze a created fault tree – to rate the top event using availability, reliability and maintainability measures;
• to analyze a created fault tree – to determine and rate minimal cut sets.

B. Software tools for event tree analysis
At present the selection of software products for event tree analysis is not as extensive on the market as the software for FTA. Specific products were developed by renowned software producers with the purpose of supporting system safety. The products listed below are quite widespread:
• FaultTree+ developed by Isograph;
• Event Tree Analysis developed by ITEM Software;
• RAM Commander Event Tree Analysis developed by ALD.

Most of the producers deliver software for ETA separately, but the software for ETA can also be included in a complete software package which supports safety. There is also software for ETA which is included in the software for FTA (e.g. the FaultTree+ product). The individual software products primarily enable us:
• to model in graphic form the relations between an initiating event and its consequences;
• to evaluate the probability of the occurrence / non-occurrence of the consequences of an initiating event;
• to analyze a created event tree – to determine the single scenarios and express their occurrence probability.

C. Software tools for attack tree analysis
In the area of attack tree analysis only two products made by reputable producers have been found on the market. Each of them is described separately below.

1) AttackTree+
AttackTree+ is a single software product developed by Isograph, a producer which makes software used mainly for supporting dependability and safety. To a certain degree this product can be included in other Isograph products. The software AttackTree+ primarily enables:
• to model in graphic form the relations between an attack objective and the ways of achieving this objective (attacks);
• to describe single attacks using three basic indicators: the probability of the attack being successful, the cost of the attack and the kind of necessary equipment;
• to determine other indicators for single attacks;
• to analyze a created attack tree – to determine and rate (using indicators) minimal cut sets;
• to analyze a created attack tree – to rate (using indicators) single gates;
• to analyze minimal cut sets – to filter them depending on the values of single indicators.

2) SecurITree
SecurITree is a separate product, and the only one, developed by Amenaza Technologies. SecurITree is made mainly for information technology security, but it can also be applied in other areas. The software SecurITree primarily enables:
• to model in graphic form the relations between an attack objective and the ways of achieving this objective (attacks);
• to describe single attacks using any number of indicators which characterize either the attacker (design basis threat) or the impact of his activities (the attack); the indicators might be of a Boolean, a continuous or a probability type;
• to determine any number of attackers (to set the design basis threat) and specify their characteristics (using indicators);
• to analyze a created attack tree – to determine and rate (using indicators) minimal cut sets (called attack scenarios) and to show single attack scenarios as separate attack trees;
• to analyze a created attack tree – to make a pruned tree which illustrates only the attacks which might be performed by a specified attacker;
• to analyze a pruned tree – to determine and evaluate (using indicators) attack scenarios and to illustrate single attack scenarios as separate attack trees.

The advantage of SecurITree is the possibility of adjusting the software through extensions which customers can make themselves using its application programming interface.
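The workflow the SecurITree description above outlines (attack scenarios, pruning by a specified attacker) and the chapter II requirements (IEMOs rated by probability, integer categories and a location; minimal cut sets; design basis threat application; map output), as an added example that is not the paper's own code nor the implementation of SecurITree or AttackTree+. The AND/OR tree for the top event "radiation leaking into the atmosphere", its IEMO ratings, coordinates and the three design basis threats are constructed sample values.

```python
from dataclasses import dataclass, field
from itertools import product

@dataclass(frozen=True)
class IEMO:
    """Initiating event of malicious origin, rated as chapter II requires."""
    name: str
    probability: float   # probability of a successful attack
    attackers: int       # category: number of attackers required
    equipment: int       # category: equipment class required
    location: tuple      # (x, y) coordinates for the map output (constructed)

@dataclass
class Gate:
    """AND / OR gate linking IEMOs and sub-gates to the undesired top event."""
    kind: str
    children: list = field(default_factory=list)

def minimal_cut_sets(node):
    """Minimal cut sets (attack scenarios) as a set of frozensets of IEMOs."""
    if isinstance(node, IEMO):
        return {frozenset([node])}
    child_sets = [minimal_cut_sets(c) for c in node.children]
    if node.kind == "OR":
        cuts = set().union(*child_sets)
    else:  # AND: merge one cut set taken from every child
        cuts = {frozenset().union(*combo) for combo in product(*child_sets)}
    return {c for c in cuts if not any(o < c for o in cuts)}  # drop supersets

def prune(node, threat):
    """Design basis threat application: drop IEMOs beyond the attacker's categories; an AND gate missing any child is dropped whole."""
    if isinstance(node, IEMO):
        capable = (node.attackers <= threat["attackers"]
                   and node.equipment <= threat["equipment"])
        return node if capable else None
    kept = [c for c in (prune(ch, threat) for ch in node.children) if c is not None]
    if not kept or (node.kind == "AND" and len(kept) < len(node.children)):
        return None
    return Gate(node.kind, kept)

def attack_scenarios(tree, threat):
    """Reduced cut sets for one threat: (IEMO names, probability, map locations), most probable first."""
    pruned = prune(tree, threat)
    if pruned is None:
        return []  # this attacker cannot cause the top event at all
    rows = []
    for cut in minimal_cut_sets(pruned):
        prob = 1.0
        for iemo in cut:
            prob *= iemo.probability
        rows.append((tuple(sorted(i.name for i in cut)), round(prob, 6),
                     {i.name: i.location for i in cut}))
    return sorted(rows, key=lambda r: -r[1])

# Constructed sample tree for the top event "radiation leaking into the atmosphere".
CUT_POWER = IEMO("cut off-site power", 0.6, 2, 1, (10, 20))
DISABLE_DIESEL = IEMO("disable backup diesel", 0.3, 3, 2, (15, 22))
SABOTAGE_PUMP = IEMO("sabotage cooling pump", 0.2, 4, 3, (30, 5))
BREACH = IEMO("breach containment", 0.05, 4, 2, (40, 8))
LOSS_OF_COOLING = Gate("OR", [Gate("AND", [CUT_POWER, DISABLE_DIESEL]), SABOTAGE_PUMP])
TOP_EVENT = Gate("AND", [LOSS_OF_COOLING, BREACH])

# Constructed design basis threats, expressed with the same integer categories.
INSIDER = {"attackers": 3, "equipment": 2}        # cannot reach the top event
OUTSIDER_TEAM = {"attackers": 4, "equipment": 2}  # one scenario survives pruning
FULL_DBT = {"attackers": 6, "equipment": 4}       # both scenarios, pump route most probable

if __name__ == "__main__":
    for label, threat in (("insider", INSIDER), ("outsider team", OUTSIDER_TEAM),
                          ("full DBT", FULL_DBT)):
        print(label, attack_scenarios(TOP_EVENT, threat))
```

The empty result for INSIDER is the "is the system vulnerable to this attacker at all" answer of chapter III; the location dictionaries are the map output the last chapter II requirement asks for.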
V. COMPARISON OF REQUIREMENTS AND SOFTWARE TOOLS
If we compare the potential of the single methods introduced in chapter III with the requirements stated in chapter II, we can claim that, in view of the topic we are dealing with, the event tree cannot be used, because the project requires that the method illustrate the relation between a potential undesired top event and its causes, whereas the event tree is aimed at showing the effects of an undesired initiating event. For the topic we have discussed the fault tree can be applied; it would represent the combinations of malicious attacks which would result in the occurrence of an undesired top event. The attack tree can be used in a similar way; it would represent the combinations of malicious attacks which would lead to the achievement of the attack objective. Based on this outcome, only the software tools focused on fault trees and attack trees have been examined. Their capability was examined using demo versions and compared with the requirements specified in chapter II. Since all of the tested software products aimed at fault trees are quite similar, they have been included in one common category, the FTA software. Table I states the results of comparing the requirements with the software capability.

VI. CONCLUSION

After comparing the capability of the software tools with the requirements arising from the grant project, it is obvious that the software tools aimed at attack trees, AttackTree+ and SecurITree, fit the requirements best. Of those two, SecurITree has been rated as more suitable, namely because of its potential when characterizing attackers (design basis threat) and making pruned trees, and because it can be adapted by the customer. Based on the performed analysis it can be stated that suitable software support for target identification exists. However, it will be necessary to adapt the selected software tool (SecurITree) somewhat to the specific requirements in order to meet the needs of the grant project.

TABLE I
COMPARING THE REQUIREMENTS AND SOFTWARE CAPABILITY

Has the requirement been met by the software?

Requirement for software                                    | FTA software | AttackTree+              | SecurITree
Graphical record of logic diagram                           | Yes          | Yes                      | Yes
Graphical record of one undesired top event                 | Yes          | Yes                      | Yes
Rating of an IEMO by probability                            | Yes          | Yes                      | Yes
Rating of an IEMO by an integral number category            | No           | Yes                      | Yes
Rating of an IEMO by information which indicates location   | No           | Partially (not directly) | Partially (not directly)
Determining the relation between IEMOs and a top event      | Yes          | Yes                      | Yes
Determining any number of threats and their characteristics | No           | No                       | Yes
Determining minimal cut sets                                | Yes          | Yes                      | Yes
Design basis threat application                             | No           | No                       | Yes
Output which enables IEMO locations to be recorded in a map | No           | No                       | Partially (not directly)

VII. REFERENCES

[1] A. Ericson II, Hazard Analysis Techniques for System Safety, Hoboken, NJ: John Wiley & Sons, 2005.
[2] M. L. Garcia, The Design and Evaluation of Physical Protection Systems, Burlington, MA: Elsevier Butterworth-Heinemann, 2001.
[3] S. Bistarelli, P. Perettia and I. Trubitsyna, "Analyzing Security Scenarios Using Defence Trees and Answer Set Programming," Electronic Notes in Theoretical Computer Science, vol. 197, issue 2, pp. 121-129, 2008.
[4] P. J. Brooke and R. F. Paige, "Fault trees for security system design and analysis," Computers & Security, vol. 22, no. 3, pp. 256-264, 2003.
[5] Buldas, P. Laud, J. Priisalu, M. Saarepera and J. Willemson, "Rational Choice of Security Measures Via Multi-parameter Attack Trees," in Critical Information Infrastructures Security: First International Workshop, CRITIS 2006, 2006, pp. 235-248.
[6] S. Contini, G. G. M. Cojazzi and G. Renda, "On the use of non-coherent fault trees in safety and security studies," Reliability Engineering & System Safety, vol. 93, issue 12, pp. 1886-1895, 2008.
[7] N. Fovino, M. Masera and A. De Cian, "Integrating cyber attacks within fault trees," Reliability Engineering & System Safety, vol. 94, issue 9, pp. 1394-1402, 2009.
[8] L. Opdahl and G. Sindre, "Experimental comparison of attack trees and misuse cases for security threat identification," Information and Software Technology, vol. 51, issue 5, pp. 916-932, 2009.
[9] S. Pudar, G. Manimaran and C.-C. Liu, "PENET: A practical method and tool for integrated modeling of security attacks and countermeasures," Computers & Security, vol. 28, issue 8, pp. 754-771, 2009.
[10] B. Schneier, "Attack Trees: Modeling Security Threats," Dr. Dobb's Journal, December 1999.
[11] R. R. Yager, "OWA trees and their role in security modeling using attack trees," Information Sciences, vol. 176, issue 20, pp. 2933-2959, 2006.
[12] N. Zhu, X. Chen, Y. Zhang and S. Xin, "Design and Application of Penetration Attack Tree Model Oriented to Attack Resistance Test," in 2008 International Conference on Computer Science and Software Engineering, 2008, pp. 622-626.
[13] IEC 60300-3-1:2003, Dependability management – Part 3-1: Application guide – Analysis techniques for dependability – Guide on methodology, Geneva: IEC.
[14] IEC 61025:2006, Fault Tree Analysis (FTA), Geneva: IEC.
[15] IEC 62502:2010, Analysis techniques for dependability – Event tree analysis (ETA), Geneva: IEC.

VIII. VITA

Dr. Zdenek Vintr is a professor and dean at the Faculty of Military Technology, University of Defence, Brno, Czech Republic. He has taught reliability and maintainability of complex systems at the University of Defence and at Brno University of Technology. The core of his scientific and technical activity lies in the development of dependability theory and the safety of complex technical systems, focusing on military and transport equipment. He is the author or co-author of 16 monographs and manuscripts, and of more than 200 articles in scientific journals and proceedings. He cooperates closely with industrial companies in the area of dependability assurance and the safety of technical systems.

Dr. Michal Vintr is a consultant in reliability and safety and an external lecturer at Brno University of Technology, Czech Republic. He obtained his MSc and PhD degrees from the Faculty of Mechanical Engineering, Brno University of Technology. He has taught reliability and safety at Brno University of Technology. He is the author or co-author of more than 50 papers in technical journals and national and international conference proceedings. He cooperates with several industrial companies in solving product reliability and safety related problems. He is a member of a research team working on grant projects focused on the design and evaluation of physical protection systems.

Dr. Jindrich Malach is a managing director and head of research teams in the field of the security of nuclear material and facilities, radioactive sources and critical infrastructure facilities at EBIS, spol. s r.o. He has supervised many projects on the design, evaluation, supply and testing of physical protection systems. He works as an external consultant and lecturer of the International Atomic Energy Agency at national and regional training courses on physical protection.