ICSJWG: Attack Tree Blooms

Wednesday, October 17, 2012 @ 04:10 PM gHale

By Gregory Hale

If users think they know all the attack vectors coming into their system, they are sadly mistaken.

“Asset owners want to know all the ways their system can be compromised,” said Mark Fabro, president and chief technology officer at Lofty Perch during his keynote address Wednesday at the Industrial Control Systems Joint Working Group (ICSJWG) meeting in Denver, CO. “The ways to get into the system are ways we are not thinking about right now.”


“There is so much interconnectivity. Why do we only test what we think is plausible,” Fabro said. “We talk about the chain, but we are not looking at the entire chain.”

Industrial control players, whether users or providers, look at the micro aspects of the control system but not the macro, and they are not thinking like an attacker, who will look at any way possible to get into a system.

“(Users) look at the specific targets in the control space, but not the plausible path an adversary would take to compromise the system. Many security-savvy asset owners never connect the dots the way an adversary would.”

One obvious thing users have to remember is the adversary is rarely sitting in front of the console they are hacking into. That means the actual user has to become the best adversary possible. That person should know the attack vectors coming into the system better than anyone else so they can defend against the adversary.

The way to find the true attack vectors, beyond the ones most people think of, is to create an attack tree. The Defense Department created the attack tree, which shows every single vector that could get into a system. Attack trees are conceptual diagrams showing how an asset, or target, might end up attacked.

Every single node the defender faces could be an adversary, Fabro said.

“People are not walking into facilities,” Fabro said. “They are not even in this country. They have to snake their way in.”

One of the benefits of using the attack tree is it focuses on risk prioritization, Fabro said. An attack tree is not simple and it does take time to compile. The user needs to get subject matter experts to build libraries of trees relating to control systems, Fabro said.

To give an example, Fabro pointed out a bulk power system (BPS) that had 143,000 attack scenarios that could potentially allow an attacker into the system.

“Are they plausible attacks?” Fabro asked. “Yes.”

Using an attack tree allows users to employ a defense-in-depth program, and it forces the user to address the right nodes.
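The points above about an attack tree enumerating every scenario (the 143,000 for the BPS) and then prioritizing which nodes to address can be made concrete with a small model. This is an added example, not code from the article or from Lofty Perch; the tree, node names and effort scores are constructed for a hypothetical substation and are not Fabro's BPS tree.

```python
from dataclasses import dataclass, field
from itertools import product
from typing import Dict, List, Tuple

@dataclass
class Node:
    name: str
    kind: str = "leaf"            # "leaf" (one attacker step), "or" (any child), "and" (all children)
    cost: int = 0                 # constructed attacker-effort score for a leaf, 1 (easy) .. 10 (hard)
    children: List["Node"] = field(default_factory=list)

def scenarios(node: Node) -> List[Tuple[Node, ...]]:
    """Every distinct attack scenario: a tuple of leaf steps that together reach `node`."""
    if node.kind == "leaf":
        return [(node,)]
    if node.kind == "or":
        return [s for child in node.children for s in scenarios(child)]
    # "and": one scenario from each child, combined in every possible way
    return [sum(parts, ()) for parts in product(*(scenarios(c) for c in node.children))]

def prioritize(node: Node) -> Tuple[List[Tuple[Node, ...]], Dict[str, int]]:
    """Rank scenarios by total attacker effort (cheapest first) and count how many
    scenarios each leaf step enables, so the defender can address the right nodes."""
    ranked = sorted(scenarios(node), key=lambda s: sum(step.cost for step in s))
    exposure: Dict[str, int] = {}
    for s in ranked:
        for step in s:
            exposure[step.name] = exposure.get(step.name, 0) + 1
    return ranked, exposure

# Constructed example tree for a hypothetical substation (assumption, not from the article).
ROOT = Node("Change protection relay setpoints", "or", children=[
    Node("Exposed HMI with default password", cost=2),
    Node("Abuse maintenance access", "and", children=[
        Node("Get credentials", "or", children=[
            Node("Phish integrator staff", cost=3),
            Node("Reuse shared vendor password", cost=1),
        ]),
        Node("Reach HMI network", "or", children=[
            Node("Vendor remote-support link", cost=2),
            Node("On-site visit during outage", cost=6),
        ]),
    ]),
])

if __name__ == "__main__":
    ranked, exposure = prioritize(ROOT)
    print(f"{len(ranked)} attack scenarios")          # 5 for this constructed tree
    for s in ranked:
        print(sum(x.cost for x in s), " -> ".join(x.name for x in s))
    print("leaf exposure:", exposure)
```

The scenario count grows multiplicatively under AND nodes, which is why a real BPS tree reaches six figures; the exposure count shows which leaf steps recur across the cheapest paths and therefore deserve controls first.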

In addition, what seems like a benign connection could be a starting point for an attacker, so such connections should be looked into.

Fabro also found that users seem terrified to find out their weaknesses.

“So what does this tell you? We are not thinking enough out of the box,” Fabro said. “We are not thinking about the adversary.”
