
Not confidential

Threat Modeling Techniques

A literature quick scan of 8 threat modeling techniques of which 2 techniques applied on 1 case study and its implications for the cyber security approach of the Dutch Public Water Works

Author: Chun Yu (CY) Cheung

Date: November 2016

Status: Draft 0.91


Project Cyber Essentials

Author: Chun Yu (CY) Cheung

Date: November 2016

Contact Information: [email protected]

University: Delft University of Technology, the Netherlands

Faculty: Faculty of Technology, Policy and Management

Program: MSc Systems Engineering, Policy Analysis and Management

Course: Cyber Essentials SPM5440 and Project Veiligheidskunde WM0804TU


Executive Summary

Adequate responses lead to higher safety and security for Dutch society, which is largely dependent on its water infrastructures. However, many underlying control systems of water infrastructures are built on legacy systems, and existing lifecycle processes are rigid, which makes designing new embedded and integrated security measures difficult. This paper explores the field of "threat modeling" by means of a brief literature review, with the context of the complicated threat landscape of the Dutch water sector in mind. To reach this research objective, we identified eight threat modeling techniques from scientific literature and applied two techniques to a public water work in the form of a case study to validate their relevance for the Dutch threat landscape. The contributions of this paper are as follows:

1. Threat modeling can be viewed from the attacker's perspective, where the attacks have some probability and consequences. Threat modeling can also be viewed from the defender's perspective, where the system is exposed to some vulnerabilities and impacts.

2. Threat modeling also differs when the information context is different. When the context is intertwined and interrelated with different users, system owners and contractors, the threat modeling techniques with a focus on the internal information context are important.

In practice, the aforementioned two dimensions can help the analyst conduct a more comprehensive threat analysis; techniques from both ends of the two dimensions should be considered, as they add different values and therefore complement each other. For instance, as seen from the case study for the sluice, the RRO technique (attacker's perspective / external information context) in combination with the DFD technique (defender's perspective / internal information context) can complement each other.

Keywords: threat modeling techniques, public water infrastructures, industrial control systems, attack and defend perspective, security by design


Table of Contents

1. Introducing threat modeling in the water sector .......... 5
1.1 Research question .......... 5
2. Literature review: Threat modeling techniques .......... 6
2.1 Attack Trees for threat modeling .......... 6
2.2 STRIDE for threat modeling .......... 7
2.3 Elevation of Privilege - a serious game for threat modeling .......... 9
2.4 Threat Modeling Attack Paths analysis (T-MAP) .......... 10
2.5 Petri Nets for threat modeling .......... 11
2.6 Data Flow Diagrams for threat modeling .......... 12
2.7 Activity Diagrams for threat modeling .......... 13
2.8 Risk Reduction Overview for threat modeling .......... 15
2.9 Reflection and outlook .......... 16
3. Dimensions of threat modeling techniques .......... 17
3.1 Attacker's or Defender's perspective .......... 17
3.2 Information context .......... 17
3.3 Unit of Analysis .......... 19
3.4 Key Dimensions .......... 19
4. Case study: Threat modeling in sluices .......... 20
4.1 General description of sluices in the water sector .......... 20
4.2 Selection of second technique for the sluice case study .......... 21
4.3 The Data Flow Diagram technique applied to the sluice .......... 21
4.4 Risk Reduction Overview technique applied on the sluice .......... 25
5. Discussion results .......... 26
6. Conclusion and recommendations .......... 30
Acknowledgements .......... 30
References .......... 30


1. Introducing threat modeling in the water sector

Threat models are generally used and created to gain a better understanding of information security. In the literature, threat modeling can be understood as making sense of the complexity of the system, identifying all possible threats to the system and then assessing them in their criticality and likelihood (Myagmar et al., 2005). Threat modeling can also be understood as "the different ways in which a system can be attacked", in order to "design countermeasures to thwart those attacks" (Saini et al., 2008, p. 125). However, little is written with regard to the water sector, while there is a real threat in this sector (Morley, 2015).

In modeling threats, different methods and techniques are used by practitioners and analysts to understand the variety of information security threats, for example brainstorming (Schlegel et al., 2015) and checklists (Dhillon et al., 2001). Other, more structured threat modeling techniques have been developed, for example Attack Trees, STRIDE and Petri nets, among others. However, choosing the right technique without knowledge of the other techniques can be difficult and problematic. The implication is that choosing a technique early on could exclude important threats.

This paper aims to contribute to the body of knowledge of threat modeling in the water sector. It aims to do so by surveying several threat modeling techniques and finding their key dimensions. The assumption is that knowing these dimensions will help in identifying additional threats relevant for the water sector in general. To corroborate the latter, a case study in the water sector will be conducted using the key dimensions.

1.1 Research question

The main research question of this paper is: What is the added value of threat modeling techniques for the water sector? To answer this question, two additional sub-questions need to be answered first: (1) What are the key dimensions of threat modeling techniques? And (2) what are the implications of applying threat modeling techniques in the water sector? The first sub-question will be answered using a literature review of eight threat modeling techniques. The second sub-question will be answered by means of the application of two different threat modeling techniques to a sluice case study, a common water sector infrastructure. The dimensions of the techniques are important to know and differentiate, because the eight techniques are merely a subset of all threat modeling techniques. By answering using the key dimensions, we hope to better understand what the techniques can do in general. As the case study result will only have case-specific relevance, the dimensions might also help in exploring relevance for the entire water sector.

Outline of paper

In section 2, eight threat modeling techniques are summarized and the state of the art of the techniques is presented. In section 3, the key dimensions of the threat modeling techniques are identified and elaborated. Then in section 4, the case study is introduced, two threat modeling techniques are applied and the implications of the results are presented. In section 5, we discuss the findings and answer the main research question. In section 6, a conclusion is given and future research is proposed.


2. Literature review: Threat modeling techniques

The literature review is based on several searches using Google Scholar. The first keywords used were "Threat modeling" and "threat modelling", due to the US and UK spelling. Here we found Saini et al. (2008) (58 citations), Desmet et al. (2005) (29 citations), Shostack (2014) (65 citations) and Chen et al. (2007) (50 citations). We were also interested in a particular application area, namely the "SCADA" systems or "cyber physical" systems of public water infrastructures. Using these two additional keywords, we found Byres et al. (2004) (121 citations) and Chen et al. (2011) (89 citations). In this small literature search, we decided to start converging by focusing on the secondary literature that is often used in these papers, such as Schneier (1999) with over 1355 citations, the popular "Microsoft Security Development Lifecycle" from Howard & Lipner (2006) (392 citations) and its "threat modeling technique" in Scandariato (2015) (13 citations) and Johnstone (2010) (5 citations). We also decided to look at one technique from practice in the context of the water sector, and this resulted in the work of Havinga and Sessink (2014). This finally gave us the list of eight threat modeling techniques, in the above search order.

Table 1 - Overview of selected Threat Modeling Techniques from literature

Threat modeling technique: Source
Attack Trees: Saini et al. (2008), Byres et al. (2004), Schneier (1999)
STRIDE: Desmet et al. (2005), Scandariato et al. (2015)
Elevation of Privilege: Shostack (2014)
T-MAP: Chen et al. (2007)
Petri Net: Chen et al. (2011)
Data Flow Diagram: Howard & Lipner (2006)
Activity Diagram: Johnstone (2010)
Risk Reduction Overview: Havinga and Sessink (2014)

To identify the key dimensions of the techniques, we elaborate on each technique in three ways. First we give a brief introduction, then we describe the steps that are required to conduct the technique. Finally, we move away from the descriptive and reflect on the technique. At the end of the chapter, we summarize the interesting points from the reflections and provide a basis for the analysis of the key dimensions of the techniques in chapter 3.

2.1 Attack Trees for threat modeling

Introduction

Attack Trees are conceptual diagrams that have a tree-like structure. The tree structure represents the different ways in which the system can be attacked. The leaves of the tree represent the underlying attack tasks that need to be accomplished in order to realize the security threat higher up in the tree.

Steps for threat modeling with attack trees

Attack trees can be constructed in several ways; in describing the steps, the case of MyProxy (Saini et al., 2008) can be used. Five steps were taken to construct the attack tree that evaluates the threats to the web service. First, the overall goal was defined: "breaching the security". Secondly, subgoals, such as "Attack repository, eavesdrop transmission, attack certificate, attack web portal", were identified. The third step is to decompose the subgoals into smaller tasks. This step is repeated for all subgoals and the tree is constructed gradually, starting from the top and extending down to the leaves. When the tasks are related to each other, AND leaves are used. If tasks are independent of each other, OR leaves are used. In the MyProxy example, "attack storage" and "attack transmission" are independent tasks for the subgoal "attack web portal" and are thus modeled as OR leaves. In step four, each task is assigned a numeric value. In this case study, the cost of conducting "attack storage" is estimated to be $2500 and the final damage of the attack is only $1000. In this case, the attack costs more than the damage, so the attack will most likely not occur. Eventually, the attacks which are the cheapest propagate up in the tree and represent a certain risk. The final step is to estimate the overall security by summing up all values of the tasks. The attack tree can then be used for security decisions. On the basis of the tree, some subgoals are now displayed as high risk. The highest risk should be dealt with first. On the basis of the attack trees, the expected impact of a countermeasure can be filled in and the overall risk can be recalculated to see its effects.
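The five steps above, carried through in code as an added example (not from the paper or from Saini et al.): leaves carry an attacker cost, OR nodes take the cheapest alternative, AND nodes sum their tasks, each subgoal is compared against the damage, and a countermeasure is modelled by raising one task's cost and recalculating. Only the $2500 "attack storage" cost and the $1000 damage come from the text; the other costs and the two certificate sub-tasks are constructed.

```python
"""Attack-tree cost evaluation: OR = cheapest alternative, AND = all tasks required."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Node:
    name: str
    op: str = "LEAF"                 # "LEAF", "OR" or "AND"
    cost: float = 0.0                # estimated attacker cost, leaves only
    children: List["Node"] = field(default_factory=list)


def min_cost(node: Node) -> float:
    """Cheapest cost for the attacker to achieve this node's goal."""
    if node.op == "LEAF":
        return node.cost
    costs = [min_cost(c) for c in node.children]
    if node.op == "OR":          # independent alternatives: the cheapest one propagates up
        return min(costs)
    if node.op == "AND":         # related tasks: all must be done, so costs add up
        return sum(costs)
    raise ValueError(f"unknown operator {node.op!r}")


def cheapest_path(node: Node) -> List[str]:
    """Leaf tasks that make up the cheapest attack on this node."""
    if node.op == "LEAF":
        return [node.name]
    if node.op == "OR":
        return cheapest_path(min(node.children, key=min_cost))
    path: List[str] = []
    for c in node.children:
        path.extend(cheapest_path(c))
    return path


def find(node: Node, name: str) -> Optional[Node]:
    if node.name == name:
        return node
    for c in node.children:
        hit = find(c, name)
        if hit is not None:
            return hit
    return None


def apply_countermeasure(root: Node, task: str, new_cost: float) -> None:
    """A countermeasure is modelled as raising the attacker's cost of one leaf task."""
    leaf = find(root, task)
    if leaf is None or leaf.op != "LEAF":
        raise KeyError(f"no leaf task named {task!r}")
    leaf.cost = new_cost


def risk_report(root: Node, damage: float) -> Dict[str, dict]:
    """Per subgoal: cheapest cost, the path behind it, and whether the attack is
    'rational' (cheaper than the damage it causes), the rule applied to 'attack storage'."""
    report: Dict[str, dict] = {}
    for sub in root.children:
        c = min_cost(sub)
        report[sub.name] = {"cost": c, "rational": c < damage, "path": cheapest_path(sub)}
    return report


def build_myproxy_tree() -> Node:
    """Subgoals named as in the MyProxy case. Only the $2500 'attack storage' cost is
    from the text; all other costs and the certificate sub-tasks are constructed."""
    return Node("Breach the security", "OR", children=[
        Node("Attack repository", cost=1200),
        Node("Eavesdrop transmission", cost=1500),
        Node("Attack certificate", "AND", children=[
            Node("obtain signing key", cost=4000),
            Node("present forged certificate", cost=300),
        ]),
        Node("Attack web portal", "OR", children=[
            Node("attack storage", cost=2500),
            Node("attack transmission", cost=800),
        ]),
    ])


DAMAGE = 1000.0   # final damage of the attack, as given in the text


if __name__ == "__main__":
    tree = build_myproxy_tree()
    print("before countermeasure:", risk_report(tree, DAMAGE))
    # Recalculate after hardening the transmission path (constructed new cost).
    apply_countermeasure(tree, "attack transmission", 3000)
    print("after countermeasure: ", risk_report(tree, DAMAGE))
    print("cheapest remaining attack:", cheapest_path(tree), min_cost(tree))
```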

Figure 1 - Attack Tree example (left) and Attack Tree example from Schneier (1999) (right)

Reflection

Based on the steps required for Attack Trees, the technique is only useful in situations where the technical system is quite well known. The technique assumes that if all the attacks on the system are understood, the owner of the system can likely design the appropriate countermeasures for it. Therefore the technique does not provide any guidelines for identifying the system's architecture. Furthermore, it does not provide guidelines for assessing subgoals and tasks. Finally, it relies on (economic) estimation techniques for assessing the actual risk of one particular subgoal. The technique relies heavily on analysts who know the issues, attacks and risk quantifiers of the attack or the damage it may cost; for example, who know how difficult it might be for the attacker, or the likelihood of apprehension for the attacker (Byres et al., 2004). However, it can be said that the technique does not require knowing the aspects of the system; having knowledge of the specifics of the attack suffices. Another usefulness of the Attack Tree lies in the fact that it provides a tool for modeling the overall security and a mind-map for decision making. When all information is known about the attacks, the technique is an excellent mental map for understanding the security risks and their assumptions. A common outcome is that many security risks and their countermeasures are largely overestimated. A famous example is that of the commonly proposed, but largely overestimated, effectiveness of encryption countermeasures. By thinking in attack trees, countermeasures can be compared and communicated effectively, and logical decisions can be made.

2.2 STRIDE for threat modeling


Introduction

STRIDE provides a mnemonic for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege (Desmet et al., 2005). The technique is used for identifying these six threat types and is used as a heuristic to identify associated threats to the system once the system has been described. The technique is often attributed to Howard & Lipner (2006), a handbook from Microsoft Press. The core of STRIDE is knowing exactly what each individual threat type stands for. Spoofing can be seen as the act of misrepresenting oneself as the receiving party or the sending party in a communication line. Tampering focusses on modifying data in data stores. Repudiation refers to a situation where the authentication cannot be verified, assured or accounted for. Information disclosure describes a data breach. Denial of service focusses on overloading a communication line and making it unavailable. Last, Elevation of Privilege happens when privilege levels are changed or removed. Examples of each STRIDE element can be found in appendix x.

Steps for modeling with STRIDE

In the original handbook, threat modeling has been explained as a process of nine steps. STRIDE is described in step six. In this step, the analysts need to be aware of the threat types and go about examining the threats specifically in step seven. In these two steps, the analyst is required to have examined at least the assets and the architectural overview of the system already. This is exemplified by the case study of Desmet et al. (2005), where a web service is analyzed for its threats by first describing the architectural entry points. In another study (Johnstone, 2010), similar steps are suggested. In the experimental study of Scandariato et al. (2015), groups of computer science master students were requested to use the technique in four steps. The first three steps directly correspond with the steps in the handbook written by Howard & Lipner (2006). The first step is to "model the system by means of a data flow diagram". In all these studies, the analysts reached their goal of finding more relevant threats. In the experimental study, the control group that did not use STRIDE performed clearly worse.

Figure 2 - STRIDE mnemonic

Reflection

In these steps, the STRIDE technique needs to be put in perspective of the whole threat modeling process, where the technique is only one of the nine steps. STRIDE is assumed to be "another common taxonomy" like CIA (Confidentiality, Integrity and Availability), but it is said to be more complete (Howard & Lipner, 2006, p. 114). The technique also assumes that the previous steps are done sufficiently and correctly, meaning that at least a Data Flow Diagram (DFD) of the system is present. DFDs can be seen as a technique on their own, and will be discussed later in 3.6. STRIDE is not to be used in isolation, and the analyst needs to be familiar with the Microsoft security development lifecycle process as well as other techniques, such as use cases and architectures, among others. This paper did not look into other security development processes and therefore cannot say whether familiarity with such processes will suffice for using STRIDE.

2.3 Elevation of Privilege - a serious game for threat modeling

Introduction

Elevation of Privilege is a serious game that was developed by Adam Shostack and is based on the popular STRIDE threat modeling technique. The method is designed as a card game for 3 to 6 players. The card game has 6 suits that correspond with the STRIDE acronym and is meant to be played by software developers, but also by security practitioners. The motivation for the development of this game is derived from the assumed trade-offs between efficiency and security that underlie the Microsoft Security Development Lifecycle process; this process asks all of its software engineers to have a basic familiarity with threat modeling, which is what it should be, but too idealistic. Elevation of Privilege was created in this scope to entice software developers to learn and also execute software-centric threat modeling in a non-invasive way.

Steps for modeling with "Elevation of Privilege"

In practice, a certain interest has to exist to introduce this game into a group of software developers, due to organizational constraints or the organizational culture. However, these implications belong to the concept of serious games in general. In any case, the next step is to prepare the game. For this "an architectural diagram of the system should be available" (Shostack, 2014, p. 5). The diagram doesn't have to be accurate, but the players should agree that the diagram is accurate enough. At the start of the game, the diagram could be depicted on a whiteboard for consensus. The next step in preparation is to find a way to track the game process, such as a list or scoreboard to track the identification of bugs, vulnerabilities and countermeasures. Last, but not least, the deck of cards is needed to play the game. Specific play instructions and game play interactions are already included in the deck of cards in the form of text, but also in flowcharts. Trying out the game with the initiators is often recommended before applying it in a workshop setting.

Figure 3 - Elevation of Privilege (Shostack, 2014)

Reflection

Based on the description of Elevation of Privilege, the technique has to fit into the culture of the company. It also implies that the game should be prepared by an internal team first, and play-tested. The technique states it requires an initial diagram of the system's architecture, and the technique is best done in a workshop setting. The technique has the capability to produce a threat model, but could also be used as a training tool. Shostack (2014) described that the reception of the technique is positive; indicators for this are "out of stock" notices, not only individual buyers but also companies that buy it for their employees, and the use in educational settings. It should be noted that the game has strong links with software developers who are familiar with the Microsoft development process. As with the STRIDE technique, the authors do not know whether other software developers will have similar experiences, but as the technique is described to be used so differently from STRIDE, Elevation of Privilege should be suitable for every type of software developer.

2.4 Threat Modeling Attack Paths analysis (T-MAP)

Introduction

T-MAP is a novel quantitative threat modeling technique proposed by Chen et al. (2007) that assesses security threats by "calculating the total severity weights of relevant attack paths" (p. 1). The technique is designed for assessing Commercial Off the Shelf (COTS) systems in the context of an organization's business value.

Steps for modeling with T-MAP

First, attack paths are described. Attack paths are conceptual representations of the business' system architecture in four layers. These are the firewall, the COTS, the IT infrastructure and the organization's core values. The four layers together are described in terms of 22 attributes. These attributes are inspired by the "Common Vulnerability Scoring System" developed by Cisco, Microsoft and other large industry giants. Then in the next step, the T-MAP weighting system should be used. By means of this weighting system's ratings, each of the 22 attributes is rated on its severity and each attack path can be calculated. By summing up all the calculated attack paths (a pseudo-code of an algorithm is shown for this calculation), the overall threat is known. The last step is to evaluate any new countermeasures with the attack paths they might eliminate. This way the efficient countermeasures can be taken. The steps are to be taken within the T-MAP framework and this is to be implemented within the organization. For this a high level layered software architecture is proposed together with a demonstration in a software test-bed.

Figure 4 - T-MAP, Threat Modeling Attack Path from Chen et al. (2007)


Reflection

The technique T-MAP is a description of a comprehensive risk quantification system. The underlying technique revolves around the concept of the Attack Paths. Several formulas and weighting systems are used to quantify the overall threat level by summing up all the attack paths. When any new COTS are added to the organization, all related COTS attributes are examined and compared with the existing overall threat level of the organization in an embedded management environment. There is great value in having more insight in how threat modeling techniques could be used as a management tool, but the underlying considerations for the calculations of the Attack Paths or the theories are lacking. For example, it seems that the Attack Paths are defined by only looking at the COTS software in relation to the organizational network. Other vulnerabilities not related to COTS, for example network-wide vulnerabilities, are not considered. The set of 22 attributes seems to be incorporated arbitrarily as well, as the attributes are "based on, but are not limited to the CVSS standard" and "managers can further customize the values" of the attributes. As with the Attack Trees, it also assumes, to a certain degree, that all attacks can be captured and quantified in some way.

2.5 Petri Nets for threat modeling

Introduction

Petri nets are also known as p/t nets (places and transitions nets), which are the key components of this technique. The use of Petri nets for threat modeling was suggested in 2000 as an alternative for attack trees (Chen et al., 2011). Chen et al. (2011) explain that a basic Petri net consists of places (or states, drawn as circles), transitions (or actions, typically drawn as bars or boxes) and directed arcs (drawn as arrows). A number of tokens move around the Petri net from place to place via the arcs, and the distribution of tokens among the places represents the dynamic state of the entire modeled system. In the past, Petri nets have been used for various types of asynchronous and concurrent processes due to this dynamic state approach. For threat modeling, the technique is particularly useful for attacks that need representation from different attack sources at the same time. For example, disabling the alarm system to create "an opportunity for another attacker to break in without setting off an alarm" (Chen et al., 2011, p. 2).

Steps for modeling with Petri nets

In threat modeling with Petri nets, Chen et al. (2011) modeled a blackout example in a smart grid that was subjected to both physical and cyber-attacks. The authors present their model construction in five steps. First, separate low level Petri nets are created by domain experts for attacks within their areas of expertise. Then a high level Petri net is created for the system at a high level of abstraction that includes important places, but ignores details of transitions. In step three, the definitions of all places and transitions are given using a "model description language". The basic idea of the model description language is that places and transitions should be defined as logical statements of "atomic formulae" (p. 6). For example, a place is defined as "variable X = intact & variable y = compromised & …". Other languages can be used as well. In this step, often a table is used to depict all the variables and their possible values. In step four, identical places in the high level and low level Petri nets are matched. In the final step, the high level Petri net is expanded with the places and transitions from the low level Petri nets.
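The place/transition mechanics described in the introduction, applied to the quoted alarm example, as an added example (not from the paper or from Chen et al.): a transition fires only when every input place holds a token, which is how the net expresses that the second attacker's undetected entry depends on the first attacker's action. It then explores all reachable markings to answer the defender's questions: is the undetected entry reachable at all, and does a supervised alarm line (disabling raises a tamper alert) guarantee detection? All place and transition names are constructed.

```python
"""Minimal place/transition net with exhaustive reachability for small attack models."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

Marking = Dict[str, int]             # place name -> number of tokens
State = FrozenSet[Tuple[str, int]]   # hashable form of a marking (places with tokens only)


@dataclass(frozen=True)
class Transition:
    name: str
    inputs: Tuple[str, ...]    # places that must each hold a token for the transition to fire
    outputs: Tuple[str, ...]   # places that receive a token when it fires


def enabled(t: Transition, m: Marking) -> bool:
    return all(m.get(p, 0) >= 1 for p in t.inputs)


def fire(t: Transition, m: Marking) -> Marking:
    """Consume one token from every input place, produce one in every output place."""
    if not enabled(t, m):
        raise ValueError(f"transition {t.name!r} is not enabled")
    new = dict(m)
    for p in t.inputs:
        new[p] -= 1
    for p in t.outputs:
        new[p] = new.get(p, 0) + 1
    return new


def freeze(m: Marking) -> State:
    return frozenset((p, n) for p, n in m.items() if n > 0)


def reachable(m0: Marking, net: List[Transition]) -> Set[State]:
    """All markings reachable from m0; plain depth-first search, fine for a bounded net."""
    seen: Set[State] = set()
    frontier = [m0]
    while frontier:
        m = frontier.pop()
        s = freeze(m)
        if s in seen:
            continue
        seen.add(s)
        frontier.extend(fire(t, m) for t in net if enabled(t, m))
    return seen


def place_reachable(m0: Marking, net: List[Transition], place: str) -> bool:
    return any(dict(s).get(place, 0) >= 1 for s in reachable(m0, net))


def always_detected(m0: Marking, net: List[Transition]) -> bool:
    """Defender's check: every reachable marking with an undetected entry also carries
    a tamper alert, i.e. the concurrent attack cannot complete silently."""
    for s in reachable(m0, net):
        m = dict(s)
        if m.get("undetected_entry", 0) and not m.get("tamper_alert", 0):
            return False
    return True


def build_break_in_net(supervised_alarm: bool) -> List[Transition]:
    """Constructed model of the alarm example quoted from Chen et al. (2011).
    With supervised_alarm, disabling the alarm also raises a tamper alert."""
    disabled = ("alarm_disabled", "tamper_alert") if supervised_alarm else ("alarm_disabled",)
    return [
        # Attacker A's action: needs the alarm armed and A in position.
        Transition("disable_alarm", ("alarm_armed", "attacker_A_ready"), disabled),
        # Attacker B's action once the alarm is down; the alarm stays disabled.
        Transition("enter_quietly", ("alarm_disabled", "attacker_B_outside"),
                   ("alarm_disabled", "undetected_entry")),
        # Attacker B acting alone while the alarm is still armed.
        Transition("enter_noisily", ("alarm_armed", "attacker_B_outside"),
                   ("alarm_armed", "alarm_triggered")),
    ]


# Constructed initial markings: one token per "ready" actor and an armed alarm.
TWO_ATTACKERS: Marking = {"alarm_armed": 1, "attacker_A_ready": 1, "attacker_B_outside": 1}
ONE_ATTACKER: Marking = {"alarm_armed": 1, "attacker_B_outside": 1}


if __name__ == "__main__":
    print("two attackers, plain alarm: undetected entry reachable =",
          place_reachable(TWO_ATTACKERS, build_break_in_net(False), "undetected_entry"))
    print("two attackers, supervised alarm: always detected =",
          always_detected(TWO_ATTACKERS, build_break_in_net(True)))
    print("one attacker: undetected entry reachable =",
          place_reachable(ONE_ATTACKER, build_break_in_net(False), "undetected_entry"))
```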


Reflection

The technique can be considered to be novel, and is therefore not examined empirically. The case study is fictional and meant to show that it can be useful for the threat modeling of concurrent cyber-physical attacks. Another usefulness of the technique is that it is designed to reconcile the knowledge from different experts into one threat model by working with generic places and transitions. The technique seems to be suitable for a distributed network setting, where concurrent actions need to be undertaken to execute a successful attack. This attack can be physical (for example breaking a sensor) or cyber (altering firmware). However, the technique assumes such actions (or transitions) without mentioning how to break or alter the system component. It also seems that the technique is most suitable as a retrospective method to evaluate how cyber-attacks could have occurred. The technique might be seen as high level, as the "places" can be everywhere (for example a place in a household, power distribution center, or power plant) and it assumes no central ownership of the components in the attack points of the system; in other words the places don't have to be within one organization. Therefore, the technique assumes that knowledge of specific places and transitions is needed from (security) practitioners, the operators or users in the field.

2.6 Data Flow Diagrams for threat modeling

Introduction

A Data Flow Diagram (DFD) is a graphical representation of the data flow, or just data, through a system. Howard & Lipner (2006) generally differentiate six elements of the DFD: the complex process (double circle), the process (single circle), the external entity (rectangle), the data store (parallel lines), the data flow (arrows) and the trust boundary (dotted line). Four elements of the DFD are relevant for threat modeling: the external entity, the data flow, the data store, and the process. Complex processes are to be elaborated in a second DFD for analysis, while the trust boundaries are drawn to show that data flows go from one system level to another system level. Usually this also means another privilege level.

Figure 5 - Petri net (Chen et al., 2011)

Steps for modeling with Data Flow Diagrams

In general, Data Flow Diagrams can be created in as many steps as is required. The first step is to create a context diagram. This diagram is usually represented by one complex process in the middle, with data flows to external entities outside the trust boundaries. Then in the second step, the level-1 diagram is created and describes in more detail the complex process of the context diagram. In all diagrams, the data flows can be generic CRUD (create, read, update or delete) processes, but can be described more accurately. Data stores will also become visible starting from this level. Often one or several complex processes are left to describe in the level-2 diagram. In Howard & Lipner (2006), the DFD describes a pet shop. The complex process in the pet shop is the web application process, in which data stores, such as the user profile data, the membership registry and the inventory warehouse, and processes, such as the membership ordering process, are described. The external entities could be the admin accessing the web application of the pet shop, or a normal customer or anonymous (unregistered) visitor. When the final diagram is made, the different components of the system are described at the right aggregation level and threats associated with each element can be listed. Howard & Lipner prescribe to first make a categorization of threat types using STRIDE and then create threat trees of each threat type. For the DFD technique however, the threat modeling process stops here.
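The DFD steps above and the STRIDE step that follows them (section 2.2), as one added example that is not from the paper or from Howard & Lipner: the pet shop's level-1 diagram is built from external entities, one process, data stores and CRUD-labelled flows, each flow is checked for crossing a trust boundary, and threats are enumerated per element with the STRIDE-per-element table (the table is the Microsoft SDL / Shostack mapping, not something the paper states). Zone names and flow labels are constructed.

```python
"""Pet shop Data Flow Diagram with STRIDE-per-element threat enumeration."""
from dataclasses import dataclass
from typing import Dict, List

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}

# STRIDE-per-element (Microsoft SDL / Shostack): which threat types are considered
# for each kind of DFD element. Assumption of this example, not from the paper.
APPLICABLE = {"external_entity": "SR", "process": "STRIDE",
              "data_store": "TRID", "data_flow": "TID"}


@dataclass
class Element:
    name: str
    kind: str        # external_entity | process | data_store
    boundary: str    # trust boundary (zone) the element lives in


@dataclass
class Flow:
    name: str
    src: str
    dst: str
    operation: str   # CRUD verb, as the paper describes level-1 data flows


class DFD:
    def __init__(self) -> None:
        self.elements: Dict[str, Element] = {}
        self.flows: List[Flow] = []

    def add(self, name: str, kind: str, boundary: str) -> None:
        if kind not in ("external_entity", "process", "data_store"):
            raise ValueError(f"unknown element kind {kind!r}")
        self.elements[name] = Element(name, kind, boundary)

    def connect(self, name: str, src: str, dst: str, operation: str = "read") -> None:
        for end in (src, dst):
            if end not in self.elements:
                raise KeyError(f"flow {name!r} references undefined element {end!r}")
        self.flows.append(Flow(name, src, dst, operation))

    def crosses_boundary(self, f: Flow) -> bool:
        """A flow between zones is where the paper says the privilege level changes."""
        return self.elements[f.src].boundary != self.elements[f.dst].boundary


def enumerate_threats(dfd: DFD) -> List[dict]:
    """One record per (element, applicable STRIDE type); boundary-crossing flows are flagged."""
    out: List[dict] = []
    for el in dfd.elements.values():
        for code in APPLICABLE[el.kind]:
            out.append({"element": el.name, "kind": el.kind,
                        "threat": STRIDE[code], "crosses_boundary": False})
    for f in dfd.flows:
        for code in APPLICABLE["data_flow"]:
            out.append({"element": f.name, "kind": "data_flow",
                        "threat": STRIDE[code],
                        "crosses_boundary": dfd.crosses_boundary(f)})
    return out


def count_by_type(threats: List[dict]) -> Dict[str, int]:
    counts = {name: 0 for name in STRIDE.values()}
    for t in threats:
        counts[t["threat"]] += 1
    return counts


def build_pet_shop() -> DFD:
    """Level-1 DFD of the pet shop as the paper describes it; zones and flow labels are constructed."""
    d = DFD()
    d.add("Customer", "external_entity", "internet")
    d.add("Anonymous visitor", "external_entity", "internet")
    d.add("Admin", "external_entity", "internet")
    d.add("Web application", "process", "internal")
    d.add("User profiles", "data_store", "internal")
    d.add("Membership registry", "data_store", "internal")
    d.add("Inventory warehouse", "data_store", "internal")
    d.connect("browse catalogue", "Anonymous visitor", "Web application", "read")
    d.connect("place order", "Customer", "Web application", "create")
    d.connect("manage inventory", "Admin", "Web application", "update")
    d.connect("load profile", "Web application", "User profiles", "read")
    d.connect("check stock", "Web application", "Inventory warehouse", "read")
    return d


if __name__ == "__main__":
    threats = enumerate_threats(build_pet_shop())
    # Flows that cross the trust boundary are listed first: they change privilege level.
    for t in sorted(threats, key=lambda t: not t["crosses_boundary"]):
        flag = "  [crosses trust boundary]" if t["crosses_boundary"] else ""
        print(f'{t["kind"]:16} {t["element"]:20} {t["threat"]}{flag}')
    print(count_by_type(threats))
```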

Figure 6 - Data Flow Diagram

Reflection

Data Flow Diagrams are simple diagrams to display several elements of generic information systems. Using the trust boundaries one can easily relate and communicate with experts whether the right level is modeled. The diagram is quite expressive and easy to read, and the functions between the components of the system are clear. However, DFDs are often used for web applications where threats are mostly in the over-the-air network and operate using the internet protocol. For private networks, the DFD might be less useful due to the more restricted network specifications. The technique does not assume that all threats can be covered, but simply provides an overview of all components and processes that can be a threat. The technique does not go into the processes of the external entities and focusses mostly within their own trust boundaries, or in this case the pet shop application. Finally, limited information is shown about the element itself, such as the type of data or details about the processes.

2.7 Activity Diagrams for threat modeling

Introduction

Activity Diagrams (ADs) are one of the many UML diagrams in UML 2.0. ADs are process models and model the workflow of a system. The AD is suggested as an alternative for Data Flow Diagrams (DFD), a diagram that is often used in existing threat modeling, such as in step five of the nine steps of the threat modeling process in the Microsoft Security Development Lifecycle (Howard & Lipner, 2006). To compare, Johnstone (2010) has used a standard case to evaluate the ADs' effectiveness against DFD for threat modeling. In this comparison, Johnstone (2010) also showed how to do threat modeling with ADs.

Steps for modeling with Activity Diagrams
ADs are built up using a set of defined (UML) elements. Johnstone (2011) adapted the elements from Ambler (2010). The first step of creating an activity diagram is to construct a workflow diagram using only the elements "initial node", "activity", "fork", "join", "condition" and "final node". In the case study, the pet shop's workflow starts with creating a customer's order, then queueing the order or immediately placing the order. Then the activity "check inventory" is modeled, where either an audit is written next or, if the item is unavailable, a backorder is placed. In the audit activity, the "process payment" activity is modeled and in the "item is unavailable" process, the "notify customer" activity is modeled. Both activities end with the final node. The second step is to construct the organizational activity diagram. In this AD, the elements "partitions" or "swim lanes" are introduced. They are used to sort the activities according to the organizational view. For example, the sales system queues up the order and finalizes the order for the next system, which is the inventory system. In the inventory system, the warehouse is checked and either an audit is written or a backorder is written by the inventory system. Last but not least, the order, if the item is available, is processed in the payment system. In step 3, a third AD is modeled using a technology view for the swim lanes. These are defined by the underlying technologies. For example, the web server creates the order page. Then the application order server creates the shopping cart for queuing the order and checks the inventory. In this case, the same application is used for writing an audit. This audit is sent to the payment gateway at the bank's payment system. When the payment is processed, the payment reconciles with the order application and a receipt is sent to the web server, where the confirmation page is shown on the customer's web browser. Finally, on the basis of the two diagrams, all elements are summed up and each is examined for threats. In this case study, this step is not described, but the case study uses the STRIDE technique to examine the threats of four elements of the Activity Diagram: actors, activity arcs, conditions and activity elements.

Figure 7 - Activity Diagram

Reflection
In the UML comparison of DFD and AD by Johnstone (2010), the author argues that Activity Diagrams should be used. The reason is that ADs are more expressive, while retaining similar functionality towards threat modeling on the basis of STRIDE. The expressiveness lies in the fact that the AD has a guard condition for the activity element, while the DFD has no analogue for this element. The same holds for parallel activities, for which the DFD provides no explicit notation. However, the author acknowledges that this is based on one hypothetical case study only, and that within the UML framework other diagrams potentially exist to generate better threat models. For example, the author did not mention that the AD has less expressive elements for data stores or databases, which possibly hampers the further threat modeling process. In general, the extra elements in ADs could model more complex situations, but could also make the diagram unnecessarily complicated. Finally, as with the DFD, the AD seems to have similar steps, such as defining boundaries, differentiating between different systems, and addressing components and their functions and dependencies. It does not assume all threats or attacks, but rather aims at a more complete overview of the target system.

2.8 Risk Reduction Overview for threat modeling

Introduction
Risk Reduction Overview (RRO) is a visualization technique to "give insight in the coherence between risks, measures and residual risks" (Havinga & Sessink, 2014). The RRO is built up using five basic elements: the initial risk (hexagon, red), the residual risk (hexagon, yellow), the final residual risk (hexagon, green), the measure (rectangle) and, in between, the arcs that connect the elements. The RRO is meant to be used by security designers and their reviewers, for example the system owner, to clarify the often textual design of a set of measures and their reduced risks.

Steps for modeling with Risk Reduction Overview
The RRO consists of two parts: one with the visual overview and a second one that describes each risk and measure. The first step is to identify and place all identified initial risks at the top of the visual overview. Then a list is to be created with various technical and procedural measures. For example, users are instructed how to handle attachments, or a firewall is installed that only allows SMTP email communication. The third step is to place measures corresponding to the initial risks and describe the subsequent residual risk. Continue with this step until a final residual risk is identified. In the fourth step, similar risks and measures are joined together to simplify the overview. This is because the initial lists of measures can be long and the subsequent risks can look different at first, but are usually quite similar. In this phase, it is also wise to take into account that some measures can introduce new risks; for example, patching could restrict a security service. The last step is to enumerate and describe each risk and measure in the second part. The second part should consist of 1) all initial risks, 2) all measures, 3) all residual risks, 4) all final residual risks.

Reflection
The RRO provides a good overview for complicated decision making in designing and justifying the right setup of a coherent security system. The steps to make the RRO are easy and the result is relatively easy to read. However, in the initial step, the assumption is that a set of initial risks should be known. This implies that a weakness is already known. Second, in each additional step towards the final residual risk, limited guidelines are in place to assess residual risks. For example, the analyst does not know when he needs to stop looking at the design space of all relevant measures. Thirdly, while the effects of each measure are largely known, the impacts on the target system could be different and hard to assess. The associated risks "change over time" for the measure and residual risks might not "match the described residual risks" (Havinga & Sessink, p.247). The first two points are largely dependent on the "competence" of the analysts (Havinga & Sessink, p.247). Fortunately, it seems that the technique is designed to be used by different experts in several rounds and aims, through this path, to come to a final accepted risk by reviewers. However, this process takes up a "significant amount of time" and might "discourage" reviewers (Havinga & Sessink, p.247).

Figure 8 - RRO (Havinga & Sessink, 2014)

2.9 Reflection and outlook
The literature chapter ends here and several interesting observations can be made. The techniques vary in their approach to analyzing the targeted system: for example, some start with an initial attack (Attack Tree) or risk (RRO), while others start with the defending system's components (DFD) and the different threat types (STRIDE). Some techniques look at attacks on the organization using external databases (T-MAP), while some look at concurrent attacks on the organization in its related network (Petri net). Certain techniques focus mainly on gathering information from different users of the systems (EoP), while other techniques aim to gather additional expert information (RRO). We have also seen that certain techniques can be used together, such as STRIDE and DFD, and that many can be used independently. Some are more novel (T-MAP and Petri net), while others are more mature and based on strong empirical evidence (Attack Tree, STRIDE). In terms of application areas, the techniques cover VPN servers, business applications, COTS, smart grids and SCADA systems, among others. In the next chapter, we will bring these observations into a set of key dimensions.

3. Dimensions of threat modeling techniques
On the basis of the literature review of the eight threat modeling techniques, the techniques can be split into two camps of "perspectives". In the literature review study by Kordy et al. (2014), which reviewed over 30 techniques of directed graph threat models, the same notion of perspectives was also present. Furthermore, the dimension of "information context" of the techniques can be very different. Last but not least, the "unit of analysis" of the techniques is deemed to be a good basis for further discussion, especially when it comes to available data for case studies.

3.1 Attackers or Defenders perspective
The eight threat modeling techniques can be roughly separated into an attacker's perspective and a defender's perspective. From the stepwise descriptions, one can see that the Attack Tree, the T-MAP, the Petri net and the Risk Reduction Overview (RRO) techniques are formed from an attacker's perspective. In Attack Trees, the initial step is to set a high level (attacker's) goal. In the T-MAP technique, the attacker's goal is to compromise the COTS software to hurt the organization. For the Petri net, it is important to identify concurrent attacks at a high level and to match and replace the domain specific attacks identified at the lower level. The RRO assumes several initial risks first and then focuses on the system. In general, the attacker's perspective focuses on the attacker's goal, the attack path, the attacker's chances and their skill set.

The "defenders" techniques are STRIDE, Elevation of Privilege (EoP), Data Flow Diagram (DFD) and Activity Diagram. STRIDE is mainly concerned with the six different types of threats on (architectural) components and their specifics. Elevation of Privilege is built on STRIDE, so this technique inherits the defender's perspective as well. The DFD and Activity Diagrams are both techniques to describe the different components of the system it has to defend; whereas the DFD focuses on elements of data stores and data flows, the Activity Diagram focuses on workflows and processes. In general, defenders look at the targeted system, its system boundaries, components and the flows of the system.

Table 2 - Attackers and Defenders perspective in Threat Modeling Techniques

                     Attackers perspective                      Defenders perspective
Starting focus       What is the attacker's goal?               What is the targeted system?
Analysis viewpoint   What do his attacks look like?             What are the boundaries of the systems?
                     What are the attacker's chances?           What are the system's components?
                     What is the attacker's profile?            What are the activities of the system?
                     How to fend off attackers sufficiently?    How to fortify the system sufficiently?

3.2 Information context
The eight techniques can also be differentiated by the way in which the analysts of the technique assume relevant information. We differentiate between relevant information that the analysts find internally or externally. While the outcomes of all eight techniques can be improved by peer reviewers to increase the overall quality, the outcomes of some techniques can only be improved by gathering specific internal information. This is information embedded in the organization, sometimes referred to as "tacit knowledge" (Reber, 1989). This can be due to high internal employee dynamics (for example likely in a large organization) or working with interim contractors frequently, where information is likely to be dispersed and decentralized. Some techniques improve their outcome by focusing on external information, such as state of the art expert knowledge or specific industrial databases, among others. This can be assumed when the analysts reside in a static and controlled environment, where the internal information is sufficiently centralized and readily available, and therefore focus on analyzing and integrating external information. This is often the case for smaller and medium size organizations. These techniques focus on the information outside the span of control of the analysts.

On the basis of chapter 2, one can argue that the techniques that assume relevant information externally are Attack Trees, STRIDE, T-MAP and RRO. Attack Trees assume that the initial attacker's goal is known, whereas the technique continues by focusing on the sophistication of the attacks. The technique assumes that the analysts know the specific properties of the attacks, especially when it concerns the impacts of the attacks on the organization, due to their expert knowledge. If the analysts do not know, the Attack Tree technique prescribes that the analysts should present the attack tree to external reviewers to overcome this knowledge gap. STRIDE assumes that the six threat types sufficiently cover all relevant threats. The analysts only have to know exactly what the threat types mean or how to recognize them. For this, the analyst needs to master the technique thoroughly. This can be done by an IT consultation or a master course. T-MAP is a proof of concept of how Attack Paths from COTS (commercial off-the-shelf) software can be conceptualized, weighted and compared. The technique assumes that the analysts are sufficiently equipped by providing this concept. The analysts then only need to focus on the attributes of the Attack Paths and its implementation in the organization. This focus then translates into setting up a weighting system for the attributes and integrating a few external vulnerability databases for the vulnerabilities of COTS. Finally, the RRO is a technique that starts with a set of initial risks and countermeasures. The analysts might derive the initial risks internally, but due to the difficulty of assessing the residual risks, the RRO prescribes the analysts to consult with industry experts to overcome this. The authors reckon that the "competence" of the analysts (Havinga & Sessink, 2014, p. 247) is still one of the most important success factors for the RRO.

Techniques that assume relevant information to be internal are Elevation of Privilege (EoP), Petri nets, Data Flow Diagram (DFD) and Activity Diagrams. EoP, although built on the STRIDE concept, assumes that a certain tacit knowledge or gap exists for threat modeling. EoP assumes that this gap can be overcome by examining the interaction and the knowledge exchange between the developers team, the implementation team, the end-users of the system or any other users of the targeted system. EoP aims to provide a non-intrusive, serious game to accomplish that. Petri nets focus on concurrent attacks that are relevant in a decentralized network system. The Petri net case describes a smart-meter sensory system, where mostly contextual data of the concurrent attacks within the network is needed to describe the states and transitions of the decentralized system. This information is assumed to be retrieved by reviewing low and high level Petri nets with the users, the security developers or the operators of the smart sensor network. DFDs are visual diagrams of key elements of the system. The assumption is that the admin, users or owners of the system do not know exactly what the system looks like, and the DFD helps to structure their own information about the system. This assumption is fairly the same for the Activity Diagrams, but the difference here is the different focus on elements of the system: namely the activities and workflows, instead of the data flows in the DFD.

Table 3 - Information context

                     External information context                            Internal information context
Knowledge type       State of the art information is important               Tacit knowledge is important
Knowledge spread     High internal knowledge of system and organization.     High dynamics in number of employees, frequent interim
                     Few industry partners due to specific knowledge.        contractors within organization, different users, operators
                     Information outside the span of control of analysts.    and implementers due to large organization.
                                                                             Information inside the span of control of analysts.

3.3 Unit of Analysis
The final dimension of the techniques can be said to be their specific unit of analysis, independent from the different perspectives or the information context. While the previous two dimensions can be put on a spectrum with two ends, this dimension has several nominal values and can differ much for each technique. For example, the Attack Tree reasons from an attacker's goal and analyzes the relevant subgoals. For STRIDE, the manifestation of different threat types is the unit of analysis. For the EoP, this is the same, but this technique focuses on the interactions or game play between the different users or players of the system. T-MAP is concerned with new (COTS) software and its known weaknesses for the organization. Petri nets look at the concurrent attacks from a network point of view. Furthermore, the Data Flow Diagram analyzes the data flows of the underlying data stores, while the Activity Diagram analyzes the workflows of the organization and the underlying applications. Finally, the RRO's analysis is about the set of initial risks and their subsequent residual risks through the use of (counter)measures. By examining the unit of analysis, the analysts know which specific data is required for the main analysis part of the technique.

3.4 Key Dimensions
This chapter concludes by answering the first research subquestion: "What are the key dimensions of threat modeling techniques?" We have concluded on three dimensions: the dimension of "perspectives" gives a preferred modeling approach and the dimension "information context" gives the analyst a context in which the technique is meant to be used. The dimension of "the unit of analysis" gives us the practical guidelines when looking at the case study's data, see table 4.

Table 4 - Dimensions of Threat Modeling Techniques

Technique                 Perspectives   Information context   Unit of Analysis
Attack Tree               Attackers      External              Attacker's main and sub goals
STRIDE                    Defenders      External              Threat types
Elevation of Privilege    Defenders      Internal              Threat types and players
T-MAP                     Attackers      External              New (COTS) software in organization
Petri nets                Attackers      Internal              Concurrent attacks in network
Data Flow Diagrams        Defenders      Internal              The data stores and data flows
Activity Diagrams         Defenders      Internal              The workflows and applications
Risk Reduction Overview   Attackers      External              Initial risks and measures and residual risks

4. Case study: Threat modeling in sluices
This chapter aims to help answer the second research question by conducting two techniques on one water case study. To relate more to the practice, and assuming that one technique is already being used in practice in the water sector (the RRO), the second technique will be chosen on the basis of an opposite "perspective" and "information context". The dimension of "unit of analysis" has multiple values and therefore has no real opposite and is thus not considered for now. As seen in figure 1, choosing the opposite is made easy and it can be seen that EoP, DFD and Activity Diagrams are good candidates for the case study. To further specify between the three candidates, additional case study data is needed. To prevent a cherry picking bias, a general case description will be given first and on this basis a technique will be selected. This corresponds with how we have conducted the field research.

Figure 9 - Quadrants of the threat modeling techniques

4.1 General description of sluices in the water sector
Many components of the water sector exist. For this case study, we have selected a sluice or ship lock. In general, a sluice is designed to help ships overcome a difference in (an artificially maintained) water level between two areas. Simply said, the sluice acts like an elevator for ships. The key components of the sluice are the gates, the lock chamber and the water pumps. Sluices are built and designed for tens of years. Different types of sluices exist that achieve the same goal, for example vertical lift gates, or gates that move sideways to close the gate. Also, different pumping systems exist to equalize the water level in the "lock chamber", the area in which the ships reside when elevated to another water level. The gates and locks of a sluice can be controlled by hand or by electronics. However, for daily operations many sluices are remotely controlled by industrial control systems. In this system, the key components of the sluice are connected with high quality fiber cables. In and outside the lock operations, many safety and security measures are in place for the employees (the operators, the mechanics, cleaning crew and tugboat personnel, among others) due to the multiplicity of companies affiliated with running the sluice. Safety and security measures are, among others, electronic access keys, device/password policies and credential checks, but also V-shaped gates and safety modules for the valves and controls. V-shaped gates can be seen as a safety measure, because they are gates that are designed to point in the direction of the higher level inflowing water, so that they automatically close under the natural forces of the water flows. This way flooding won't occur if the gates are offline in an emergency event. The safety modules for the hydraulics are essentially rules programmed in the Programmable Logic Controllers (PLCs). These safety PLCs are often found in industrial control systems. Specific sluice rules may apply; for example, PLCs can be programmed to never have two gates open at the same time. General rules may apply too, such as organizational rules for manual controls or rules to go into a safety modus when certain components are disconnected.

4.2 Selection of second technique for the sluice case study
For the selection of the technique, we assume that the sluice can only be controlled by an industrial control system and that the sluice is designed, operated and maintained by different types of organizations. We also assume that valuable and relevant knowledge for threat modeling is still present within the boundaries of the sluice. Furthermore, we assume that the attacker has the capability to exploit every vulnerability of the sluice system, whether physical or logical. As intended, this set of assumptions excludes all techniques with the dimensions of the attacker's perspective and the external information context: Attack Trees, STRIDE, Petri Nets and T-MAP.

As for the selection between EoP, Activity Diagram and DFD, we look at the "unit of analysis" dimension. The case description offers insights into the different components and boundaries of the system. This data seems to match that of the DFD technique. The EoP technique, with its focus on the interaction of different users of the system, cannot be applied for practical reasons, as actual player interaction is required for the technique. The Activity Diagram remains a good option. However, insight into the workflows of the different personnel seems limited. Given the case study dimensions and the importance of the connections of the safety and security measures and rules (or data stores), the DFD is selected for answering the second research question.

4.3 The Data Flow Diagram technique applied to the sluice
Before modeling with the data flow diagram (DFD), it is important to arrange all relevant information of the sluice in a high level overview. The DFD focuses on data flows and on specific physical, but also logical, boundaries. The high level overview provides a first physical boundary of the sluice system.

In the high level overview of the sluice system (figure 1), the sluice's operation is mainly controlled from an operation tower close to the actual sluice. In the operation tower, the Operator checks the passing vessel's credentials, monitors the incoming and outgoing traffic, but also guides and coordinates the ship for a safe trip into the sluice. The operator is also the first responder in times of emergency. In order to execute all these functions, the Operation Tower needs important data, such as traffic and vessel data from several marine systems, for the safe operation of the sluice. For the hydraulic controls, the Operation Tower needs data from the sensors of the sluice and sends commands to the actuators of the sluice to open and close the gates. The Operation Tower is also connected to the Vendor Remote Center for the diagnostics and software updates of its systems.

Figure 10 - High level overview of the sluice system

To put it in Data Flow Diagram terminology and its related elements, the Operation Tower has four data flows with four entities: the data flows from the marine systems and the vendor center, but also the sluice end-user and the sluice. These four entities are all outside the trust boundary of the Operation Tower. The Operator is physically and legally connected to the Lock Planning System, and is therefore within the trust boundary. In the Operation Tower, the Lock Planning System is the main system responsible for reading, receiving, updating and controlling all the incoming and outgoing data and information. This is a complex process and therefore requires more specification in the next diagram. See figure 2 for the context data flow diagram of the entities connected to the main lock planning system.

Figure 11 - Context data flow diagram of the main lock planning system

The Lock Planning System
The Lock Planning System (LPS) is used to efficiently plan and queue the vessels for the sluice. Data about the vessel and data about the traffic are therefore needed. Data about the vessels can be created several days or several hours upfront. Vessel data is therefore stored in the LPS, and in normal situations the vessel data is stored for seven days. Under normal conditions, vessel data is not updated regularly. Examples of vessel data are: name of the ship, departure and arrival locations, physical dimensions of the ship, depth of the loaded vessel, crew members and details of the cargo. Traffic data is, due to the dynamics of the ships and the dynamics of the traffic in the shipping channel, continuously being created and updated. Traffic data about the vessel is especially important to plan efficiently; if another vessel is approaching within the queue time and if that vessel can still fit in the sluice, the best decision is to wait for the vessel for an optimal use of the sluice. Vessel data is reported by the vessel users, the traffic data is reported by the marine systems. Vessel data is needed for the effective use of the lock handling process, and traffic data is needed for the efficient use of the lock.

The Lock Control process is considered to be a more complicated process and is therefore once more further specified in the following paragraph.

To be more specific, vessel data comes from the Automatic Identification System (AIS). (Vessel data also comes from the Very High Frequency (VHF) communication systems, but this is radio wave based and is therefore out of scope, because it does not have a physical or logical link to the Lock Planning System.) Traffic data comes from the Vessel Traffic Control (VTS) system, which is part of the channel marine and nautical system. These systems are not specifically included in the diagrams of figure 3, because they are considered to be the same as the data flows from the "Vessel" and "Marine Systems" entities on the left of the level-1 diagram, respectively. This modeling choice is made because, on the basis of the data, we cannot differentiate any substantial differences in these data flows. It is (only) important to note that the Lock Planning System is still within the trust boundary, but the inputs for the vessel data store and the traffic data store are outside the trust boundary.

Figure 12 - Level-1 diagram of Lock Planning System

The Lock Control process
The Lock Control process is the process that controls the mechanical parts of the sluice and consists of multiple Programmable Logic Controllers (PLCs). PLCs can be programmed in different kinds of ways depending on the digital or analogue inputs and outputs. PLCs can be seen as computers in their simplest and one of their smallest forms: through a set of stored rules, the inputs, whether digital or analogue, are transformed into an output (also digital or analogue). Due to this simplicity, they can do this consistently, accurately and reliably. PLCs have a processor and some memory to perform these tasks. In the Lock Control process, three subprocesses (driven by PLCs) can be differentiated. These three processes are the result of the way in which multiple PLCs work and coordinate data with each other.

1. The first is the sensory process: the network of sensors that are present in the lock to ensure that the operator knows exactly what is going on with the lock, even if the operator does not have direct eyesight on the lock. These include information such as the water level in different parts of the lock, the water flow rate, the electrical power and the status of the gates and valves, among others.

2. The second process is the actuator process. Actuator functions involve the activation of the mechanical, hydraulic or other types of physical machinery, such as the water pumps, the gates and the traffic lights. Under a set of rules, guarded by the safety module, the actuators then process the commands that are the result of the Queuing process from the Lock Planning System.

3. The third is the safety process. The safety module mainly focuses its output on the actuators on the basis of the sensors. If the data from the sensors is not according to a set of industrial safety rules (for example as described in the "Safety Integrity Levels") or if it does not meet the configuration data specified for the object, then the safety module will restrict or completely shut down the Actuator process and fall back to the normal (closed gates) modus.

The safety module signals can be very "object specific", or in this case sluice-specific. For example, it is known in the water sector that certain values are imperative for the control of the gates of the sluices: at any time, it is critical that at least one of the gates is closed, otherwise the result will be a mini-tsunami for the lower lying hinterland. The safety module can also react according to more generic safety rules, such as rules related to the stability of components and the links (or physical wires). Specifically, if a component is offline, or simply because the link for that component is interrupted, then certain functions, or the whole function of the sluice, will be terminated, given the safety integrity level of the affected component.

Figure 13 - Level-2 diagram of the Lock Control process
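As an added illustration of the safety process described above (example code written for this text, not taken from the paper and not a real PLC program), the following Python snippet models a safety-module guard with the two rules the text names: at least one gate is closed at all times, and the loss of a critical component or its link forces the closed-gates modus. The component names, the set of components treated as critical and the water level tolerance are assumptions; a real safety PLC would implement the same rules in ladder logic or a comparable language against its safety integrity level requirements.

```python
"""Added example (not from the paper, not a real PLC program): a simplified
safety-module guard for the Lock Control process. It enforces the two rules
named in the text: never two gates open at the same time, and fall back to
the closed-gates modus when a critical component or its link is offline.
Component names, the critical set and the level tolerance are assumptions."""
from dataclasses import dataclass
from enum import Enum


class Gate(Enum):
    UPSTREAM = "upstream"
    DOWNSTREAM = "downstream"


@dataclass(frozen=True)
class SensorState:
    gate_open: dict          # Gate -> bool, from the gate position sensors
    online: dict             # component name -> bool (link / heartbeat status)
    level_chamber: float     # water level in the lock chamber (m)
    level_upstream: float    # water level outside the upstream gate (m)
    level_downstream: float  # water level outside the downstream gate (m)


@dataclass(frozen=True)
class Command:
    gate: Gate
    action: str              # "open" or "close"


# Assumed set of components whose loss must terminate normal operation.
CRITICAL = ("gate_sensor_upstream", "gate_sensor_downstream", "level_sensor_chamber")
LEVEL_TOLERANCE_M = 0.05     # assumed: chamber must be equalized before a gate opens


def offline_critical(state):
    """Generic rule: list the critical components that are offline or never reported."""
    return [c for c in CRITICAL if not state.online.get(c, False)]


def check_command(state, cmd):
    """Decide whether the actuator process may execute cmd.

    Returns (allowed, reason). Close commands are always allowed; open commands
    pass only when every rule holds."""
    if cmd.action not in ("open", "close"):
        return (False, f"unknown action {cmd.action!r}")
    offline = offline_critical(state)
    if offline:
        # Safety modus: only closing is permitted until the link is restored.
        return (cmd.action == "close", f"safety modus: offline {offline}")
    if cmd.action == "close":
        return (True, "close always permitted")
    # Sluice-specific rule: the other gate must be closed before this one opens.
    other = Gate.DOWNSTREAM if cmd.gate is Gate.UPSTREAM else Gate.UPSTREAM
    if state.gate_open[other]:
        return (False, f"{other.value} gate is open; two gates may never be open")
    # Hydraulic rule: the chamber must be equalized with the water outside the gate.
    outside = state.level_upstream if cmd.gate is Gate.UPSTREAM else state.level_downstream
    if abs(state.level_chamber - outside) > LEVEL_TOLERANCE_M:
        return (False, "chamber not equalized with outside water level")
    return (True, "ok")


def fallback_commands(state):
    """Commands the safety module issues on entering the safe state: close every open gate."""
    return [Command(g, "close") for g, is_open in state.gate_open.items() if is_open]
```

The guard is deliberately ordered so that the generic rule (component offline) is evaluated before any sluice-specific rule: once a critical sensor is unreachable, the module no longer trusts the remaining readings and only permits commands that move the lock towards its safe state.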

In this last level-2 overview, the Data Flow Diagram has built a case for the next step of identifying threats. This next step could be facilitated by the threat types in STRIDE, see table 5, or the DFD can act as an input in a workshop setting; this can additionally be done using the prescribed Elevation of Privilege technique. As for the DFD technique, the analysis is essentially finalized.

Table 5 - Threat types for the 4 elements of DFD

DFD Element Type   S   T   R   I   D   E
External Entity    X       X
Data Flow              X       X   X
Data Store             X   X   X   X
Process            X   X   X   X   X   X
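The following Python snippet is an added example, not part of this paper or of any tool it cites. It encodes table 5 and applies it to a small model of the sluice DFD from figures 11 to 13: the element names follow the diagrams, but the element types, the trust boundary assignments and the individual data flows are assumptions made for illustration. The model works for any DFD, not only the sluice: for each element and data flow it lists the applicable STRIDE threat types, and it singles out the flows that cross the trust boundary, which is where an analyst normally starts the threat enumeration.

```python
"""Added example (not from the paper): a tiny DFD model with the STRIDE-per-element
mapping of table 5 applied to it. Element names follow the sluice diagrams; element
types, trust boundary assignments and the individual flows are assumptions."""
from dataclasses import dataclass, field

# Table 5: which STRIDE threat types apply to which DFD element type.
APPLICABLE = {
    "external_entity": "SR",
    "data_flow": "TID",
    "data_store": "TRID",
    "process": "STRIDE",
}
THREAT_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str       # a key of APPLICABLE
    trusted: bool   # inside the Operation Tower trust boundary (assumed)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    label: str

    def key(self):
        return f"{self.src} -> {self.dst}: {self.label}"


@dataclass
class Dfd:
    elements: dict = field(default_factory=dict)
    flows: list = field(default_factory=list)

    def add(self, *elems):
        for e in elems:
            if e.kind not in APPLICABLE:
                raise ValueError(f"unknown element type {e.kind!r}")
            self.elements[e.name] = e
        return self

    def connect(self, src, dst, label):
        for n in (src, dst):
            if n not in self.elements:
                raise KeyError(f"unknown element {n!r}")
        self.flows.append(Flow(src, dst, label))
        return self

    def crossing_flows(self):
        """Flows whose endpoints lie on different sides of the trust boundary."""
        return [f for f in self.flows
                if self.elements[f.src].trusted != self.elements[f.dst].trusted]

    def threats(self):
        """Map every element and flow to the threat types of table 5."""
        out = {e.name: [THREAT_NAMES[c] for c in APPLICABLE[e.kind]]
               for e in self.elements.values()}
        for f in self.flows:
            out[f.key()] = [THREAT_NAMES[c] for c in APPLICABLE["data_flow"]]
        return out

    def boundary_threats(self):
        """Threats on the boundary-crossing flows only: the usual starting point."""
        all_threats = self.threats()
        return {f.key(): all_threats[f.key()] for f in self.crossing_flows()}


def sluice_dfd():
    """Elements of the sluice case (assumed structure, following figures 11 to 13)."""
    d = Dfd().add(
        Element("Vessel", "external_entity", trusted=False),
        Element("Marine Systems", "external_entity", trusted=False),
        Element("Vendor Remote Center", "external_entity", trusted=False),
        Element("Sluice", "external_entity", trusted=False),
        Element("Operator", "external_entity", trusted=True),
        Element("Lock Planning System", "process", trusted=True),
        Element("Lock Control", "process", trusted=True),
        Element("Vessel data", "data_store", trusted=True),
        Element("Traffic data", "data_store", trusted=True),
    )
    d.connect("Vessel", "Vessel data", "vessel data (AIS)")
    d.connect("Marine Systems", "Traffic data", "traffic data (VTS)")
    d.connect("Vessel data", "Lock Planning System", "read vessel data")
    d.connect("Traffic data", "Lock Planning System", "read traffic data")
    d.connect("Lock Planning System", "Lock Control", "queued commands")
    d.connect("Lock Control", "Sluice", "actuator commands")
    d.connect("Sluice", "Lock Control", "sensor readings")
    d.connect("Vendor Remote Center", "Lock Planning System", "diagnostics / software updates")
    d.connect("Operator", "Lock Planning System", "operator input")
    return d


if __name__ == "__main__":
    for flow, kinds in sluice_dfd().boundary_threats().items():
        print(f"{flow}\n    {', '.join(kinds)}")
```

Run stand-alone, the script lists the five assumed boundary-crossing flows (the vendor diagnostics link, the AIS and VTS inputs, and the two links to the sluice hardware) with tampering, information disclosure and denial of service as the candidate threats to examine for each; the Operator's input, modeled inside the boundary, is not listed.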

4.4 Risk Reduction Overview technique applied on the sluice
According to the steps of the RRO, we can assume a certain initial risk, for example "Vendor Remote Center compromised", see figure 5. This could translate into several initial risks at the top of the RRO diagram, such as compromise through malware, email attachments or low quality safety standards. Different measures can be taken into account. Malware can be limited through measures on the use of external devices. Email attachments can be reduced by email policies and in-company awareness programs (M4). Low safety standards can be reduced by comparing to industry white lists (M10). Residual risks can be that malware updates from the vendor are delayed or that wrong emails are opened anyway. Through another layer of the countermeasure "Logging and Monitoring", the risk can be lowered even more. Finally, when the attack cannot be stopped by monitoring, the measure "Security Incident Response Plan" is called upon. A final residual risk is shown, and as the impacts of the attack are lower through the Response Plan, the final risk is accepted.

Another initial risk can be assumed, for example compromised Marine Systems, which are responsible for the traffic data to the Operation Tower. This could translate into several initial risks, such as data tampering (i1) and service availability (i2). Measures that could be taken are that communications from the Marine Systems are always set to read-only and outbound-only (M1). For service availability, the measure is to have a redundant (radio) communication system in place (M2) to avoid long downtime of the sluice's operation. The final residual risk of a compromised marine system could be accepted, due to the low probability of the data tampering risk or the low impact of the availability issue. The final risk is easier to accept, as the marine systems are not crucial for the core safety functionalities of the sluice. The compromised marine system would just result in wrong vessel information and delays.

Another initial risk can be examined: a compromised physical cable system. The initial risk could be network unavailability (i1) or unauthorized access (i2) to the operation tower systems. A measure for the initial risk of unavailability could be a redundant network backbone (M1). The measure taken for the unauthorized access could be an authentication system for the transport network (M2). Additional VPN tunneling (M3) can be applied as part of the authentication system. A residual risk can still occur through the use of an (expensive) zero-day exploit. This is hard to deal with by any measure, as the hacker will be able to get into the internal network and into the operating system of the operator tower as a "normal and safe" user. A measure that knows the operator's "usual, normal and safe" behaviour can be implemented to monitor the operation tower in real time and warn when unusual and dangerous behaviour is detected. This measure can be referred to as an Anomaly Detection System (Hong et al., 2014) (M4). A residual risk for the unavailability can be a DDoS attack. This can be countered by a networked relay system, such as a "sinkholing" server (Leder et al., 2009), to divert the multiple requests of the DDoS attack. The final residual risk would have a very low probability of unavailability and unauthorized access, whereas the unavailability risk has a much lower impact compared to the unauthorized access.

Figure 14 - Risk Reduction Overview - Illustrative example
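The behaviour-baseline measure (M4) above can be made concrete with a small detector. The following is an added example written for this page; it is not code from the paper and not the method of Hong et al. (2014). It learns a per-operator baseline from a training window of constructed operation-tower log lines (commands used, hours of the day active, peak command rate in a sliding window) and then flags later events that fall outside that baseline. The log format, the operator and command names, the 10-minute window and the sample lines are all assumptions for illustration.

```python
"""Behaviour-baseline check on operator commands (the "Anomaly Detection
System" line of defence, M4).  Added example, not from the paper and not
the method of Hong et al. (2014): it learns a per-operator baseline from
a training window of constructed log lines (commands used, hours of the
day active, peak command rate) and flags later events that fall outside
it.  Log format, operator and command names and the 10-minute rate window
are assumptions for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # rate window; assumption

# Constructed training log: two normal working days of one operator.
# Format: "<ISO timestamp> <operator> <command>"
TRAINING_LOG = """\
2016-10-03T07:58:00 op1 LOGIN
2016-10-03T08:00:00 op1 GATE_OPEN
2016-10-03T08:05:00 op1 LEVEL_READ
2016-10-03T08:30:00 op1 GATE_CLOSE
2016-10-03T12:10:00 op1 LEVEL_READ
2016-10-03T16:45:00 op1 LOGOUT
2016-10-04T08:01:00 op1 LOGIN
2016-10-04T08:04:00 op1 GATE_OPEN
2016-10-04T08:09:00 op1 LEVEL_READ
2016-10-04T08:40:00 op1 GATE_CLOSE
2016-10-04T16:50:00 op1 LOGOUT
"""

# Constructed log to check: a normal morning, then a night-time session
# that uses an unknown command, bursts, and ends with an unknown account.
TEST_LOG = """\
2016-10-05T08:02:00 op1 LOGIN
2016-10-05T08:06:00 op1 GATE_OPEN
2016-10-05T23:40:00 op1 LOGIN
2016-10-05T23:41:00 op1 SAFETY_OVERRIDE
2016-10-05T23:41:30 op1 GATE_OPEN
2016-10-05T23:42:00 op1 GATE_OPEN
2016-10-05T23:42:30 vendor1 GATE_CLOSE
"""


def parse(log_text):
    """Yield (timestamp, operator, command); malformed lines are skipped."""
    for line in log_text.strip().splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        yield datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S"), parts[1], parts[2]


def _slide(queue, ts):
    """Append ts, drop entries older than WINDOW, return the window size.
    Assumes the log is in time order."""
    queue.append(ts)
    while ts - queue[0] > WINDOW:
        queue.popleft()
    return len(queue)


class Baseline:
    def __init__(self):
        self.commands = defaultdict(set)  # operator -> commands seen
        self.hours = defaultdict(set)     # operator -> hours of day seen
        self.max_rate = defaultdict(int)  # operator -> peak events per WINDOW

    def learn(self, log_text):
        recent = defaultdict(deque)
        for ts, op, cmd in parse(log_text):
            self.commands[op].add(cmd)
            self.hours[op].add(ts.hour)
            self.max_rate[op] = max(self.max_rate[op], _slide(recent[op], ts))
        return self

    def detect(self, log_text):
        """Return [(log line, reason)] for every deviation from the baseline.
        One line can produce several findings."""
        findings = []
        recent = defaultdict(deque)
        for ts, op, cmd in parse(log_text):
            line = f"{ts.isoformat()} {op} {cmd}"
            if op not in self.commands:
                findings.append((line, "unknown operator"))
                continue
            rate = _slide(recent[op], ts)
            if cmd not in self.commands[op]:
                findings.append((line, f"command {cmd} never seen for {op}"))
            if ts.hour not in self.hours[op]:
                findings.append((line, f"hour {ts.hour:02d} outside usual hours"))
            if rate > self.max_rate[op]:
                findings.append((line, f"{rate} commands within {WINDOW} exceeds baseline {self.max_rate[op]}"))
        return findings


def run_example():
    """Learn from TRAINING_LOG and check TEST_LOG; returns the findings."""
    baseline = Baseline().learn(TRAINING_LOG)
    return baseline.detect(TEST_LOG)


if __name__ == "__main__":
    for line, reason in run_example():
        print(f"{line}  <- {reason}")
```

The normal morning session produces no findings, while the night session is flagged four times for the hour, once for the never-seen `SAFETY_OVERRIDE` command, once for exceeding the peak rate and once for the unknown `vendor1` account. In a real deployment the baseline would be learnt per shift pattern and re-learnt as procedures change; a baseline that is never refreshed will start raising the "unnecessary red flags" the discussion chapter warns about.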

This paragraph concludes the application of the two techniques on the sluice case for this chapter. The implications of applying the two techniques to the sluices (sub-question two), and of the eight techniques for the entire water sector (main question), will be discussed in the following chapter.

5. Discussion of results

In this chapter, first several discussion points are raised in regard to the key dimensions. Then the results from the case study are discussed. Finally, the chapter ends by answering and discussing the main research question: "What is the added value of threat modeling techniques for the water sector?"

Key dimensions useful for case and theory development, but not exhaustive

For the selection of the second technique for the case study, we have used the three dimensions in the same way as selection criteria. The difference is that while the first two dimensions depend on some underlying thoughts and approach (perspective and situational information context), the third dimension is a more practical one. It is based on whatever data is present. This could indicate that the third dimension lacks theory and focus; it is merely dependent on the available data. For this reason and more, it is recognized that other dimensions could also be relevant, for example the final purpose of modeling (risk assessment, intrusion detection, requirements engineering), the maturity of the technique (open source, commercial package, conceptual proof), the maturity of the system (life cycle phases) or the application area (VPN servers, business applications, COTS, smart grids, SCADA systems). For the sake of exploring the threat modeling techniques in general, we did not go in depth into these interesting dimensions of threat modeling.

In selecting the case study, we have created the threat modeling technique quadrants, see figure 1. This figure offers another interesting observation on the basis of the literature. The upper left and the bottom right quadrants are less populated than the rest. This could indicate that the attacker's perspective leans towards, or even correlates with, the use of external information. This could be because many organizations do not have a clear view of what attackers look like and what their capabilities are. This is reasonable to suggest, as the core business of many organizations does not involve gaining knowledge about possible adversaries. On the other hand, Petri nets show that information from each node within the network can be very valuable for analyzing attacks. The defender's perspective leans towards internal information. This could relate to the common practice that IT systems are built as black boxes or by third parties. Then there is a need for an analyst in an organization to adopt a defender's perspective and look for and use internal information from within the organization to identify threats. However, exploits and vulnerabilities are often very specific and come in many threat types, such as those in the descriptions of STRIDE. These can manifest in many different ways in existing and new IT systems, and internal members of the organization do not always know how these can be identified, let alone assess the impact for the organization. However, the small sample size of the examined techniques can merely give indications of possible explanations for the unbalanced threat modeling technique quadrants.

Implications of using the two threat modeling techniques on the sluice case study

To gain insights into answering the second research question, "What are the implications of applying threat modeling techniques in the water sector?", two different threat modeling techniques were applied to one specific water case: sluices. First, sluice-specific implications per technique are discussed, then a generalization follows for the water sector.

Firstly, the implication of using the DFD on the sluice case is that it becomes clear that the examined sluice is not an isolated network. By identifying and following the data flows, we can see that various trust boundaries are crossed and that many of the crossings involve both a physical and a logical boundary. For example, the components of the lock control process (in the level-2 diagram) are subjected to multiple data flows crossing both a physical and a logical trust boundary. These components are the two data stores and the safety and sensory PLCs. Secondly, the DFD technique succeeded in making a systems overview, and while some countermeasures can be captured, such as the safety PLCs and firewalls (not included now), other types of countermeasures might not be so easily captured in the DFD, for example intangible security rules for operators or other employees. Lastly, the diagram provides only limited guidelines on how to model data types and data restrictions in the various data flows. The DFD technique could help the manager of the sluice in assessing responsibility for dealing with the threats from the Vendor Remote Center. This could be a shared responsibility with, for example, the vendor itself, but also with the owners of the networks the data flows go through. Further data is required to specify this responsibility, for example the data flow type and network type. Making a DFD can be time-consuming and it is not to be used in isolation; it can be said that it is only one phase of the threat modeling process.
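The two observations above, that flows cross physical and logical trust boundaries and that the DFD by itself does not say which threats to look for, can be checked mechanically once the diagram is written down as data. The following is an added example for this page, not the paper's diagram or any tool it used: the elements and flows are a constructed, simplified sluice model loosely after the level-2 description (lock control process, two data stores, safety and sensory PLCs, vendor remote centre, operation tower, marine system), and the zone names and the data carried on each flow are assumptions. The function enumerates every flow that crosses a physical and/or logical boundary and attaches the STRIDE types that apply to the flow and to its receiving element, using the STRIDE-per-element table from Howard & Lipner (2006) and Shostack.

```python
"""Trust-boundary crossings in a DFD and the STRIDE types that apply to
them.  Added example, not the paper's diagram or tooling: the elements and
flows are a constructed, simplified sluice model after the level-2
description in the text; zone names and the data on each flow are
assumptions.  The STRIDE-per-element table follows Howard & Lipner (2006)
and Shostack: external entity S,R; process S,T,R,I,D,E; store T,I,D;
flow T,I,D.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Element:
    name: str
    kind: str      # "external", "process" or "store"
    physical: str  # physical zone (room/site) the element sits in
    logical: str   # logical network/trust zone


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str


STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}

# Which STRIDE letters apply to which DFD element kind (STRIDE-per-element).
APPLIES = {"external": "SR", "process": "STRIDE", "store": "TID", "flow": "TID"}


def sluice_model():
    """Constructed level-2 style model; returns ({name: Element}, [Flow])."""
    elements = [
        Element("vendor_remote_center", "external", "vendor_site", "internet"),
        Element("marine_system", "external", "marine_center", "marine_net"),
        Element("operation_tower_hmi", "process", "operation_tower", "control_net"),
        Element("lock_control", "process", "technical_room", "control_net"),
        Element("safety_plc", "process", "technical_room", "safety_net"),
        Element("sensor_plc", "process", "technical_room", "safety_net"),
        Element("config_store", "store", "operation_tower", "control_net"),
        Element("event_store", "store", "technical_room", "control_net"),
    ]
    flows = [
        Flow("vendor_remote_center", "lock_control", "remote maintenance session"),
        Flow("marine_system", "operation_tower_hmi", "vessel traffic data"),
        Flow("operation_tower_hmi", "lock_control", "operator commands"),
        Flow("config_store", "lock_control", "lock parameters"),
        Flow("lock_control", "safety_plc", "gate setpoints"),
        Flow("sensor_plc", "lock_control", "water levels"),
        Flow("lock_control", "event_store", "operational events"),
        Flow("operation_tower_hmi", "config_store", "parameter updates"),
    ]
    return {e.name: e for e in elements}, flows


def boundary_crossings(elements, flows):
    """For each flow, report whether it crosses a physical and/or logical
    trust boundary.  Flows crossing neither are left out."""
    out = []
    for f in flows:
        a, b = elements[f.src], elements[f.dst]
        phys, logi = a.physical != b.physical, a.logical != b.logical
        if phys or logi:
            out.append({"flow": f, "physical": phys, "logical": logi})
    return out


def stride_candidates(elements, flows):
    """Threat candidates for every boundary-crossing flow: T,I,D on the
    flow itself, plus the receiving element's own STRIDE letters, since it
    now consumes input from another trust zone."""
    found = []
    for x in boundary_crossings(elements, flows):
        f = x["flow"]
        label = f"{f.src} -> {f.dst} ({f.data})"
        for letter in APPLIES["flow"]:
            found.append((label, "flow", STRIDE[letter]))
        dst = elements[f.dst]
        for letter in APPLIES[dst.kind]:
            found.append((label, dst.name, STRIDE[letter]))
    return found


def report(elements, flows):
    """One human-readable line per boundary-crossing flow."""
    lines = []
    for x in boundary_crossings(elements, flows):
        kind = "+".join(k for k in ("physical", "logical") if x[k])
        f = x["flow"]
        lines.append(f"{f.src} -> {f.dst}: crosses {kind} boundary [{f.data}]")
    return lines


if __name__ == "__main__":
    els, fls = sluice_model()
    print("\n".join(report(els, fls)))
    print(len(stride_candidates(els, fls)), "STRIDE candidates to triage")
```

With this constructed model, six of the eight flows cross a boundary (two cross both a physical and a logical one: the vendor and marine links) and 54 STRIDE candidates come out, which illustrates the point made later in this chapter: the DFD is good at showing where input crosses a trust boundary, and a defender-side classification such as STRIDE is what turns each crossing into a list of concrete things to assess.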

Although the modeled RRO is illustrative and limited through the lack of case data, the first implication of using the RRO is that there are limited guidelines for assessing initial risks. This allows for a quick and 'dirty' modeling of a multitude of risks (or attacks). This may cause many unnecessary red flags, especially when the RRO is used for the first time. However, once an RRO is present, it makes reflecting, evaluating and being the first responder to new risks easier. The "multiple lines" of defense in the RRO provide a certain clarity in the form of a mind map. The RRO mind map not only helps the sluice manager in communicating that certain countermeasures exist and function, but it also helps in assessing the relevance of new risks to the current system. However, initial risks remain difficult to identify. A system overview (DFD or AD) of the sluice could be useful as guidance for assessing initial risks. In the case study, the initial risks were all derived from the DFD. Secondly, the different types of countermeasures (from outside and within the sluice) can also be modeled quickly. However, it is difficult for the analysts or the sluice manager to assess the effects of the countermeasures, because in-depth knowledge of the relation between the risks and the countermeasures is needed. This may exceed the core capabilities of the analyst or the span of control of the sluice manager, because the risks may relate to the sluice's hydraulic components and their specifications, and the countermeasures can come from the (global) market or lie outside the reach of the sluice's organization. Moreover, from a high-level organizational point of view, using the RRO could also be useful for assessing the effectiveness of the existing countermeasures. Due to changing risks, for example around encryption technology or password policies, new countermeasures, such as anomaly detection and "sinkholes", may be more effective. New or additional lines of defense can be designed (albeit preliminarily) by either the high-level manager or the manager of the sluice. However, all this only makes sense if there is agreement on the related initial risk in the RRO of the sluice in the first place. Lastly, the residual risks and new countermeasures were selected on the basis of incidental knowledge of the initial risk. While the RRO templates in the RRO handbook were useful in this phase, they are only so initially and on a conceptual level, because the templates are not comprehensive and too case-specific. In this assessment phase, knowledge about certain threat types (STRIDE) could be useful.

Added value of threat modeling techniques in general

The two techniques presented a useful case for sluices. However, what does that say in general for the threat modeling techniques? For this question, the dimensions of threat modeling techniques are useful, for they are identified as the main common denominator of the eight techniques. In figure 1, we have shown that the eight techniques can be put in a matrix using the two dimensions. By analyzing the case study with two techniques from opposite quadrants of the matrix, we may first conclude that the attacker's and defender's perspectives can complement each other. For instance, in the case study, the DFD (defender's perspective) was instrumental in assessing the initial risks for the RRO technique (attacker's perspective). Specifically, the RRO lacked guidelines for coming up with the initial risks. In addition, attacks from an attacker's perspective can be categorized using classifications or threat types from a defender's perspective. For example, the RRO might benefit from identifying subsequent residual risks with the STRIDE threat types. As with STRIDE's promise to detect more threats, STRIDE could also help the RRO detect more residual "risks". Continuing with STRIDE, the different types could also help rank the different attacks from the RRO. This is because the STRIDE threat types say something about the way in which a defender's system can be compromised; some types might therefore be more or less (ir)relevant. However, this needs more research. Aside from STRIDE, especially if it concerns a case outside the Microsoft Security Development Lifecycle, other types of classifications from a defender's perspective can be useful.
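Both the RRO chains built in section 4.4 and the suggestion above, that STRIDE could help the RRO find residual risks it has not considered, become easier to act on when the RRO is kept as data rather than only as a drawing. The following is an added example for this page, not the RRO handbook's template (Havinga & Sessink, 2014) and not the paper's own figure. It re-encodes the illustrative sluice chains of section 4.4 (vendor remote centre, marine system, cable system) plus one deliberately incomplete chain; a checker walks every chain to make sure each line of defence has a countermeasure and ends in an explicitly justified accepted residual risk, and a STRIDE pass lists the threat types no layer maps to yet. The measure codes, risk wording, the STRIDE tag on each layer and the incomplete chain are assumptions.

```python
"""A Risk Reduction Overview as a checkable structure.  Added example, not
the RRO handbook's template (Havinga & Sessink, 2014) or the paper's own
figure: the chains re-encode the illustrative sluice RRO of section 4.4
plus one deliberately incomplete chain.  check_chain() finds layers
without a countermeasure and final residual risks that are not (or not
justifiably) accepted; stride_gaps() lists STRIDE types that no layer maps
to.  Measure codes, wording and STRIDE tags are assumptions.
"""
from dataclasses import dataclass

STRIDE = "STRIDE"


@dataclass
class Layer:
    risk: str           # initial or residual risk at this line of defence
    measures: list      # countermeasures applied against it
    stride: str = ""    # STRIDE letters this risk maps to (assumption)


@dataclass
class Chain:
    source: str         # what is assumed compromised at the top
    layers: list
    final_residual: str
    accepted: bool = False
    reason: str = ""    # why the final residual risk is acceptable


def check_chain(chain):
    """Return a list of findings; an empty list means the chain is complete."""
    findings = []
    for i, layer in enumerate(chain.layers, 1):
        if not layer.measures:
            findings.append(f"{chain.source}: layer {i} '{layer.risk}' has no countermeasure")
        bad = set(layer.stride) - set(STRIDE)
        if bad:
            findings.append(f"{chain.source}: layer {i} has unknown STRIDE letters {sorted(bad)}")
    if not chain.accepted:
        findings.append(f"{chain.source}: final residual risk '{chain.final_residual}' not accepted")
    elif not chain.reason:
        findings.append(f"{chain.source}: acceptance of '{chain.final_residual}' has no justification")
    return findings


def measure_index(chains):
    """measure -> [(source, risk)]: shows which measures are re-used across chains."""
    idx = {}
    for c in chains:
        for layer in c.layers:
            for m in layer.measures:
                idx.setdefault(m, []).append((c.source, layer.risk))
    return idx


def stride_gaps(chains):
    """STRIDE letters that no layer of any chain maps to: the threat types
    in which to look for further residual risks."""
    seen = set()
    for c in chains:
        for layer in c.layers:
            seen.update(layer.stride)
    return sorted(set(STRIDE) - seen)


def sluice_rro():
    """Constructed chains after the illustrative RRO of section 4.4."""
    return [
        Chain("Vendor Remote Center compromised", [
            Layer("malware via the vendor connection", ["restrict external devices"], "T"),
            Layer("malicious email attachment", ["email policy (M4)", "awareness programme (M4)"], "S"),
            Layer("low vendor safety standards", ["industry white-list comparison (M10)"], ""),
            Layer("delayed malware updates / wrong email still opened", ["logging and monitoring"], "T"),
            Layer("attack not stopped by monitoring", ["security incident response plan"], "D"),
        ], "incident with reduced impact", True, "impact lowered by the response plan"),
        Chain("Marine system compromised", [
            Layer("data tampering (i1)", ["read-only, outbound-only link (M1)"], "T"),
            Layer("service unavailability (i2)", ["redundant (radio) link (M2)"], "D"),
        ], "wrong vessel information and delays", True, "not part of the core safety functions"),
        Chain("Physical cable system compromised", [
            Layer("network unavailability (i1)", ["redundant network backbone (M1)"], "D"),
            Layer("unauthorized access (i2)", ["transport-network authentication (M2)", "VPN tunnelling (M3)"], "S"),
            Layer("zero-day bypass as a 'normal' user", ["anomaly detection (M4)"], "E"),
            Layer("DDoS on the backbone", ["sinkholing relay"], "D"),
        ], "very low probability of unavailability or unauthorized access", True,
           "unavailability has low impact; access risk has very low probability"),
        # Deliberately incomplete: a chain an analyst started but never finished.
        Chain("Operator workstation compromised", [
            Layer("credential theft", [], "S"),
        ], "undetermined"),
    ]


def run_example():
    """Check all chains; returns (findings, STRIDE gaps, measure index)."""
    chains = sluice_rro()
    findings = [f for c in chains for f in check_chain(c)]
    return findings, stride_gaps(chains), measure_index(chains)


if __name__ == "__main__":
    findings, gaps, idx = run_example()
    print("\n".join(findings) or "all chains complete")
    print("STRIDE types without any residual risk yet:", ", ".join(gaps))
    print("measures in use:", len(idx))
```

On these chains the three section-4.4 chains pass, the unfinished chain is reported twice (a layer without a countermeasure and a final residual risk that nobody accepted), and the STRIDE pass reports that no layer maps to Repudiation or Information disclosure, which is exactly the kind of prompt for additional residual risks that the paragraph above suggests STRIDE can give the RRO. The measure index is what a higher-level manager would use to see that a single measure (for example anomaly detection) is carrying risk in only one chain before relying on it more widely.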

The defender's perspective can also learn from the attacker's. In retrospect, providing certain attack details or scenarios was useful in engaging practitioners in the field in a constructive dialogue and gathering, for example, the system's components and their characteristics for the DFD. This held even though the descriptions of the attacks were superficial and based on generic concepts, such as questions about possible entry points for hackers through switches or routers of the network, or the use of an unauthorized or malware-infected USB device in the technical rooms. Descriptions of attackers and their goals (for example an insider with the goal to compromise the sluice) have been fruitful in the dialogues.

On the basis of the case study and the two dimensions from the techniques in the literature, we can provide the following four frames for threat modeling analysts. These four frames use notions from military strategies and tactics to give form to a worldview that the analyst could have when creating a threat model for any given situation.


Figure 15 - Four frames of threat modeling techniques

1. In attrition warfare, attrition refers to the strategy of wearing down the enemy and forcing its retreat. For the Attritioners, the techniques in their possession focus on countermeasures that are effective against most attackers. Depending on the assessment of the risks of attackers, Attritioners vary their multiple lines of countermeasures.

2. The Reinforcer refers to bringing reinforcement to specific points that attackers could attack. These are often specialized attacks, such as concurrent attacks. The Reinforcer uses a variety of domain knowledge to specify these points of attack and their likelihood.

3. The Fortifier focuses on several types of defenses. These defenses are based on common threats and vulnerabilities of the protected systems. The Fortifier aims to build up large defensive structures. Depending on the importance of the system or its parts, varying multiple layers are built.

4. The Architect focuses on how exactly the system works in its specific components. By pinpointing the important aspects, it aims to design specific defense structures. These could vary from a more dedicated specification of defense mechanisms (sometimes from the design phase already) to additional defense mechanisms (for new incidents later).

The attacker's perspectives seem to assume that the system is exposed to a finite number of attackers and attacks, while the defender's perspectives always assume that attacks are present and focus on the vulnerable and valuable components. The Reinforcer and Attritioner reason from an attacker's motivation and specialized attacks, and the Architect and Fortifier reason from the assets and their importance. Both perspectives can arrive at a similar set of countermeasures on a technological level in the end, but the pathway to "risk" can be very different.

The information context seems to assume a certain phase of risk assessment. The Architect and Reinforcer focus on adding new knowledge to the risk model, while the Attritioner and Fortifier focus on consolidating the risk model and making organizational decisions. Both information contexts need to be taken into account for a comprehensive risk assessment, if possible. From a management perspective, sufficient resources should be allocated to both information contexts. For example, new threat trends need to be explored locally and internally first. This can be done by updating the (conceptual) risk model. And when using external information, such as best practices and common or high-level threats, it is best to go with techniques that best fit a business-like decision-making setting.

Limitations of threat modeling techniques

The sluices are but one of the many water sector objects. For public safety, one can grossly differentiate between two sub-sectors: water defenses and water quality. For the water defenses, other objects exist, such as water pumps, surge barriers, floodgates, weirs and more. The aforementioned generalizations of threat modeling techniques are all derived from the sluice case; this might be very different for other types of water objects.

Using threat modeling, threats of different types and philosophies could be identified. Some techniques use external information and showed that many attacks penetrate through the different countermeasures of the organization, while some use internal information and mark vulnerable components. However, neither showed a history of attacks as such. The most dominant strategy in the ICS sector is the "security by obscurity" strategy, and scholars argue that this strategy has become obsolete. However, we have seen that there are few cyber security issues in practice. This could indicate two things: we cannot detect them yet, or the obscurity strategy works well enough. Whether the latter is because there is not enough "interest" to attack it, or because it is too expensive or too detailed knowledge is needed, does not matter. Security by obscurity seems to prevail, still. However, as the security landscape progresses, the security strategies need to progress as well. While traditionally obscurity strategies were the golden standard, this strategy should not be so dominant anymore; rather, it should be one of the strategies. For practitioners, this could mean switching from "obscurity by default" to "obscurity as last resort".

6. Conclusion and recommendations

We have summarized eight threat modeling techniques and proposed three key dimensions that are useful in selecting the appropriate techniques for threat modeling in the water sector. These are: the attacker's-defender's perspective, the information context and the unit of analysis. We have shown that the first two dimensions helped in selecting the appropriate threat modeling techniques in a theoretical way and the latter dimension in a practical way. We have also shown that the same two dimensions can be valuable in assessing the added value of threat modeling techniques in general. We have substantiated this claim by means of a single case study in the water sector and by proposing four frames of threat modeling techniques for analysts. Several discussion points are raised, and these could be considered further research goals: verifying and expanding the list of threat modeling dimensions and expanding on the four frames of threat modeling.

Acknowledgements

Many thanks to Saba Chockalingam for supervising me and being a coach through the academic writing process. I also want to thank Hellen Havinga for playing such a supportive role at Rijkswaterstaat for the data acquisition and for providing insights from both a practical and a scientific point of view.

References


Chen, T. M., Sanchez-Aarnoutse, J. C., & Buford, J. (2011). Petri net modeling of cyber-physical attacks on smart grid. IEEE Transactions on Smart Grid, 2(4), 741-749.

Chen, Y., Boehm, B., & Sheppard, L. (2007, January). Value driven security threat modeling based on attack path analysis. In System Sciences, 2007. HICSS 2007. 40th Annual Hawaii International Conference on (pp. 280a-280a). IEEE.

Byres, E. J., Franz, M., & Miller, D. (2004, December). The use of attack trees in assessing vulnerabilities in SCADA systems. In Proceedings of the International Infrastructure Survivability Workshop.

Dhillon, G., & Backhouse, J. (2001). Current directions in IS security research: towards socio-organizational perspectives. Information Systems Journal, 11(2), 127-153.

Havinga, H. N. J., & Sessink, O. D. T. (2014). Risk Reduction Overview. In International Conference on Availability, Reliability, and Security (pp. 239-249). Springer International Publishing.

Hong, J., Liu, C. C., & Govindarasu, M. (2014). Integrated anomaly detection for cyber security of the substations. IEEE Transactions on Smart Grid, 5(4), 1643-1653.

Howard, M., & Lipner, S. (2006). The Threat-Modeling Process. In The Security Development Lifecycle (Vol. 8, pp. 105-124). Redmond: Microsoft Press.

Johnstone, M. N. (2010). Threat modelling with STRIDE and UML. In Proceedings of the 8th Australian Information Security Management Conference.

Kordy, B., Piètre-Cambacédès, L., & Schweitzer, P. (2014). DAG-based attack and defense modeling: Don't miss the forest for the attack trees. Computer Science Review, 13, 1-38.

Leder, F., Werner, T., & Martini, P. (2009). Proactive botnet countermeasures: an offensive approach. The Virtual Battlefield: Perspectives on Cyber Warfare, 3, 211-225.

Morley, K. M. (2015). Cybersecurity in the Water Sector. American Water Works Association.

Morikawa, I., & Yamaoka, Y. (2011, September). Threat tree templates to ease difficulties in threat modeling. In Network-Based Information Systems (NBiS), 2011 14th International Conference on (pp. 673-678). IEEE.

Reber, A. S. (1989). Implicit learning and tacit knowledge. Journal of Experimental Psychology: General, 118(3), 219.

Saini, V., Duan, Q., & Paruchuri, V. (2008). Threat modeling using attack trees. Journal of Computing Sciences in Colleges, 23(4), 124-131.

Shostack, A. (2014). Elevation of Privilege: Drawing Developers into Threat Modeling. In 2014 USENIX Summit on Gaming, Games, and Gamification in Security Education (3GSE 14).

Xu, D., & Nygard, K. E. (2006). Threat-driven modeling and verification of secure software using aspect-oriented Petri nets. IEEE Transactions on Software Engineering, 32(4), 265.