PSAM 16 - Session W24 Overview

PSAM 16 Conference Session W24 Overview

Session Chair: Yunfei Zhao (zhao.2263@osu.edu)

Paper 1 FA293

Lead Author: Fan Zhang Co-author(s): N/A

A Dynamic Cyber-Attack Analysis, Risk Assessment and Management Framework for Industrial Control Systems
As the number and quality of digital devices used to control industrial infrastructure continues to grow and evolve, assessing the cyber risk posed by these networked devices is a critical concern. Traditional security methods use a combination of intrusion prevention systems (IPSs) and intrusion detection systems (IDSs) to protect against cyber-attacks. However, these defenses do not provide real-time knowledge of the risk profile of an ICS under a cyber-attack scenario. Previous work has studied dynamic risk assessment as a way to provide near-real-time risk evaluation, with the assumption that the compromised device or component is known. However, these information are not given by existing IDSs. The location and level of compromise in the operational technology (OT) process is crucial for decision making since the risk analysis and management for a pump that deviates 10% from normal operation is likely to be very different than the analysis for a pump deviating by 50. The gap in cyber-attack detection and real-time understanding of the risk profile posed must be bridged by identifying what information can be obtained from the cyber-attack detection process, and how this knowledge can be used to perform dynamic risk assessment. In this research, a dynamic Cyber-Attack Analysis, Risk Assessment and Management (CATARAM) framework that detects cyber-attacks is proposed, providing near real-time analysis, and generating a dynamic risk profile correlating to the progress of the cyber-attack. In this framework, a cyber-attack detection system detects cyber-attack, a cyber-attack analysis system identifies the location and the level of compromise using machine learning methods, and a dynamic risk assessment system based on Bayesian Network calculates risk in real-time. The CATARAM also provides risk management suggestions according to the dynamic risk profile.

A Dynamic Cyber-Attack Analysis, Risk Assessment and Management Framework for Industrial Control Systems

As the number and quality of digital devices used to control industrial infrastructure continues to grow and evolve, assessing the cyber risk posed by these networked devices is a critical concern. Traditional security methods use a combination of intrusion prevention systems (IPSs) and intrusion detection systems (IDSs) to protect against cyber-attacks. However, these defenses do not provide real-time knowledge of the risk profile of an ICS under a cyber-attack scenario. Previous work has studied dynamic risk assessment as a way to provide near-real-time risk evaluation, with the assumption that the compromised device or component is known. However, these information are not given by existing IDSs. The location and level of compromise in the operational technology (OT) process is crucial for decision making since the risk analysis and management for a pump that deviates 10% from normal operation is likely to be very different than the analysis for a pump deviating by 50. The gap in cyber-attack detection and real-time understanding of the risk profile posed must be bridged by identifying what information can be obtained from the cyber-attack detection process, and how this knowledge can be used to perform dynamic risk assessment. In this research, a dynamic Cyber-Attack Analysis, Risk Assessment and Management (CATARAM) framework that detects cyber-attacks is proposed, providing near real-time analysis, and generating a dynamic risk profile correlating to the progress of the cyber-attack. In this framework, a cyber-attack detection system detects cyber-attack, a cyber-attack analysis system identifies the location and the level of compromise using machine learning methods, and a dynamic risk assessment system based on Bayesian Network calculates risk in real-time. The CATARAM also provides risk management suggestions according to the dynamic risk profile.

Paper FA293 | |

Name: Fan Zhang (fan@gatech.edu)

Bio:

Country: ---
Company: Georgia Tech
Job Title: Assistant Professor

Paper 2 JA248

Lead Author: Jason Reinhardt Co-author(s): Ron Lafond (ronald.lafond@cisa.dhs.gov), Derek Koolman (derek.koolman@cisa.dhs.gov), Raymond Ludwig (raymond.ludwig@associates.cisa.dhs.gov), Lindsey Miles (lindsey.miles@cisa.dhs.gov), Jeffrey Munns (jeffrey.munns@associates.cisa.dhs.gov), Merideth Secor (merideth.secor@cisa.dhs.gov), Lauren Wind (lauren.wind@associates.cisa.dhs.gov)

A Risk Assessment and Reduction Approach for National Critical Infrastructure
The United States Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) leads the National effort to understand, manage, and reduce risk to our cyber and physical infrastructure. CISA must assess risks that cover a broad range of scenarios over a complex set of interdependent critical infrastructure (CI) systems. While many models and data sets exist that provide detailed analyses of threat and hazard impacts to CI, there is no overarching analytic structure that organizes and integrates these disparate sources into a unified risk assessment. CISA is building capabilities that will address these challenges to support stakeholders across all levels of government and the private sector. First, CISA has developed a National Critical Functions (NCFs) data structure to organize and describe critical infrastructure. This data set provides a set of decompositions structured as directed graphs that break down each identified NCF into enabling sub-functions that detail the operation and interdependencies across disparate CI systems. The functional description of NCFs serves as a complementary lens to the sector-based organization of CI and better facilitates systemic and cross-sector risk analysis. Additionally, CISA has begun developing the Risk Architecture, a technology-enabled analytic tool that contains a set of standards, scenarios, visualizations, and workflows that leverage the NCF and other integrated CI data sets. This paper describes the need for an integrated approach to CI risk assessment, describes the NCF decomposition structure, the principles and concepts behind the Risk Architecture, approaches to functional interdependency analysis, and provides initial use examples.

A Risk Assessment and Reduction Approach for National Critical Infrastructure

The United States Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) leads the National effort to understand, manage, and reduce risk to our cyber and physical infrastructure. CISA must assess risks that cover a broad range of scenarios over a complex set of interdependent critical infrastructure (CI) systems. While many models and data sets exist that provide detailed analyses of threat and hazard impacts to CI, there is no overarching analytic structure that organizes and integrates these disparate sources into a unified risk assessment. CISA is building capabilities that will address these challenges to support stakeholders across all levels of government and the private sector. First, CISA has developed a National Critical Functions (NCFs) data structure to organize and describe critical infrastructure. This data set provides a set of decompositions structured as directed graphs that break down each identified NCF into enabling sub-functions that detail the operation and interdependencies across disparate CI systems. The functional description of NCFs serves as a complementary lens to the sector-based organization of CI and better facilitates systemic and cross-sector risk analysis. Additionally, CISA has begun developing the Risk Architecture, a technology-enabled analytic tool that contains a set of standards, scenarios, visualizations, and workflows that leverage the NCF and other integrated CI data sets. This paper describes the need for an integrated approach to CI risk assessment, describes the NCF decomposition structure, the principles and concepts behind the Risk Architecture, approaches to functional interdependency analysis, and provides initial use examples.

Paper JA248 | Download the paper file. | Download the presentation PowerPoint file.

A PSAM Profile is not yet available for this author.

Paper 3 ME306

Lead Author: Isaac Faber Co-author(s): Elisabeth Paté-Cornell, mep@stanford.edu

Presenter of this paper: Elisabeth Pate-Cornell (mep@stanford.edu)

Warning and management of cyber threats by a hybrid AI system (robot and operator)
This paper presents a warning system and risk management model, in which early signals of cyber threats are generated using machine learning and artificial intelligence to support the defender’s decisions. Cyber threats and attacks are modeled as a set of discrete observable steps in the “kill chain”. A hybrid AI system (a “super-agent” including a robot and human being) allows the robot, when it has acquired sufficient information, to make automatic defensive responses before losses occur. The quantitative model that supports these decisions is based on machine learning and decision analysis. The model allows the robot to call on the operator (“person in the loop”) when the situation requires it. This overall model guides decisions to open or close gates in a system, based on attack and behavior signals at the beginning of the kill chain.

Warning and management of cyber threats by a hybrid AI system (robot and operator)

This paper presents a warning system and risk management model, in which early signals of cyber threats are generated using machine learning and artificial intelligence to support the defender’s decisions. Cyber threats and attacks are modeled as a set of discrete observable steps in the “kill chain”. A hybrid AI system (a “super-agent” including a robot and human being) allows the robot, when it has acquired sufficient information, to make automatic defensive responses before losses occur. The quantitative model that supports these decisions is based on machine learning and decision analysis. The model allows the robot to call on the operator (“person in the loop”) when the situation requires it. This overall model guides decisions to open or close gates in a system, based on attack and behavior signals at the beginning of the kill chain.

Paper ME306 | Download the paper file. |

A PSAM Profile is not yet available for this author.
Presenter Name: Elisabeth Pate-Cornell (mep@stanford.edu)

Bio:

Professor of Management and Engineering at Stanford. Teaching and research in engineering risk analysis. Member of the National Academy of Engineering. Co-chair of NASEM committee on risk analysis methods for nuclear weapons and terrorism. 2021 IEEE Ramo medal in systems engineering and science.

Country: United States of America
Company: Stanford
Job Title: Professor

Paper 4 VA167

Lead Author: Pavan Kumar Vaddi Co-author(s): Carol Smidts, smidts.1@osu.edu

Reinforcement Learning based Autonomous Cyber Attack Response in Nuclear Power Plants.
Cyber-attacks on digital industrial control systems (ICSs) are becoming increasingly frequent. Given the rise of digitalization in nuclear power plants (NPPs) and the potentially hazardous consequences of a successful cyber-attack on NPPs and similar safety-critical systems, it is imperative that research should be focused on ICS cyber-attack detection and mitigation. In this paper we explore the use of reinforcement learning (RL) to develop an autonomous cyber-attack response system for NPPs, specifically the digital feedwater control system (DFWCS) of a pressurized water reactor (PWR). The cyber-attacks are modeled as Stackelberg games between the defender i.e., the plant operator and the attacker, with the defender acting as the leader in the games. The system state transition probabilities are defined using probabilistic risk assessment (PRA). The optimal defender strategy is computed using multi-agent Q-learning, where the Stackelberg equilibrium over the current Q-values is used at every update. The advent of digital twins for nuclear power plants enables us to simulate a wide variety of cyber-attacks for as many instances as needed to fully train the RL agent.

Reinforcement Learning based Autonomous Cyber Attack Response in Nuclear Power Plants.

Cyber-attacks on digital industrial control systems (ICSs) are becoming increasingly frequent. Given the rise of digitalization in nuclear power plants (NPPs) and the potentially hazardous consequences of a successful cyber-attack on NPPs and similar safety-critical systems, it is imperative that research should be focused on ICS cyber-attack detection and mitigation. In this paper we explore the use of reinforcement learning (RL) to develop an autonomous cyber-attack response system for NPPs, specifically the digital feedwater control system (DFWCS) of a pressurized water reactor (PWR). The cyber-attacks are modeled as Stackelberg games between the defender i.e., the plant operator and the attacker, with the defender acting as the leader in the games. The system state transition probabilities are defined using probabilistic risk assessment (PRA). The optimal defender strategy is computed using multi-agent Q-learning, where the Stackelberg equilibrium over the current Q-values is used at every update. The advent of digital twins for nuclear power plants enables us to simulate a wide variety of cyber-attacks for as many instances as needed to fully train the RL agent.

Paper VA167 | Download the paper file. | Download the presentation pdf file.

Name: Pavan Kumar Vaddi (vaddi.3@osu.edu)

Bio: Mr. PavanKumar Vaddi is a mechanical engineering grad student working in the Reliability and Risk Laboratory headed by Dr. Carol Smidts at The Ohio State University. He received his B.Tech degree in mechanical engineering from IIT Madras in 2017. His research interests include Probabilistic Risk Assessment for ICS cybersecurity and Fault diagnosis in industrial control systems.

Country: USA
Company: Ohio State University
Job Title: Student