Algebraic Analysis of Attack Impacts and Countermeasures in Critical Infrastructures

Thomas Richard McEvoy (2) and Stephen D. Wolthusen (1,2)

1 Norwegian Information Security Laboratory, Department of Computer Science, Gjøvik University College, Norway
2 Information Security Group, Department of Mathematics, Royal Holloway, University of London, UK
{T.R.McEvoy,stephen.wolthusen}@rhul.ac.uk

Abstract. Critical infrastructure systems are distributed environments in which the mixture of technologies and the interdependencies between physical and logical components lead to complex interactions. Calculating the possible impacts of attacks and the success of proposed countermeasures in such environments represents a severe problem. We propose a process algebraic technique as a means of effecting such calculations. Our approach allows us to demonstrate equivalence w.r.t. attack and defense strategies respectively. It also forms a basis for determining the efficiency and effectiveness of countermeasures. In comparison with other methods, such as attack/defense trees and attack graphs, our approach allows us to relax assumptions regarding the ordering of events by applying structural reasoning to outcomes and reducing the state space for the analysis. An obvious application is to risk management.

1 Introduction

Critical infrastructure systems – for example, ICS (Industrial Control Systems) – are highly complex, distributed environments [1]. Calculating the effect of attacks in such environments represents a severe problem. We propose a process algebraic approach to calculating such impacts and incorporating the effects of countermeasures. In comparison with other attack/defense modeling methods, our approach allows us to relax assumptions regarding the ordering of events and to reduce the state space to be explored. We use a formal adversary capability model [2] such that an adversary may overwrite a proper subset of system processes, altering data flows in the system.
We use an applied π-calculus to calculate how altered data flows impact on system goals. We also use this approach to rank (and show equivalence between) attacks and interventions, leading to a basis for measuring the efficiency and effectiveness of countermeasures, with obvious applications for risk management and intrusion detection. Section 2 outlines related work. Section 3 defines our problem and outlines our approach. In section 4, we define our π-calculus variant. Section 5 sets out our adversary capability model. Section 6 provides the method for calculating impacts and impact reductions. Section 7 provides a simple example. We conclude and set out future research directions in section 8.

B. Hämmerli, N. Kalstad Svendsen, and J. Lopez (Eds.): CRITIS 2012, LNCS 7722, pp. 168–179, 2013. © Springer-Verlag Berlin Heidelberg 2013

2 Related Work

Attacks and countermeasures have been modeled using attack/defense trees [3,4,5]. These techniques impose a logical order of alternating attack and defense moves which counter each other. Game-theoretical approaches provide equivalent information. However, such approaches do not necessarily capture the (logical or temporal) ordering of events or dependencies between sub-goals [3]. It is also possible to use attack graphs to model and calculate exposures to network attacks. However, on critical infrastructure networks such techniques would be limited, since in many cases they require vulnerability scans to calculate attack reachability, which limits the scale and complexity that many such approaches can handle [6,7]. Such approaches also appear to assume that the subversion of a critical host is a requirement for attack success, whereas we argue that in a distributed control system the subversion of any host or network node may – due to the transitive effects of loss of data integrity, availability or confidentiality – turn out to be critical.
Another approach – attack coordination graphs – addresses the issue of dealing with coordinated attacks and allows the generation of novel attacks, but again appears to ignore the possibilities offered by the transitive effects of attacks on information flows in the system [8]. Our approach is based on the formal adversary capability model and an associated applied π-calculus [9,2] used to define adversary actions algebraically.

3 Problem and Approach

Assuming an adversary subverts a process in a critical system, the process will subsequently affect the information flow in the system. In a complex system, the outcomes may not be obvious. A single change may have multiple effects (and subsequent kinetic impacts on physical processes) – in particular, because such effects may be singular, distributed, transitive, or recursive in nature. The situation may be further complicated by the simultaneous occurrence of multiple attacks, not necessarily cooperating, or by interventions by operators. To analyse such outcomes, we represent information flows algebraically, using variable names to stand for data objects in our system. Names are sent and received between processes and hence travel from impact sources (where data subversion occurs) to impact sinks (where the effect is realized). Given different attacks, different sets of names may lose different security characteristics. Hence we can rank impacts by imposing a partial order over sets of names and security characteristics. We can induce equivalence over impacts for different attacks, and we can consider the efficiency and effectiveness of countermeasures. This information may subsequently be used by business managers or engineers expert in the system to determine business impacts or to plan defensive strategies.
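The source-to-sink reasoning and the partial-order ranking described in this section, as an added example that is not from the paper: a constructed Python model in which names flow between processes, a subverted process corrupts every name it emits, corruption propagates transitively, and the impacts (the sinks reached) of different attacks are compared under set inclusion. The plant in FLOWS, the SINKS set, the "guarded name" countermeasure and the assumption that every emitted name depends on every received name are constructed for this illustration and are not the paper's π-calculus.

```python
"""Constructed toy data-flow model (an illustration, not the paper's pi-calculus):
names are data objects; a subverted process may corrupt every name it emits and
corruption propagates to any process that receives a corrupted name."""
from typing import FrozenSet, Set

# Constructed plant: process -> (names received, names emitted). Assumption:
# every emitted name depends on every name the same process receives.
FLOWS = {
    "sensor_a": (set(), {"temp_a"}),
    "sensor_b": (set(), {"temp_b"}),
    "plc":      ({"temp_a", "temp_b"}, {"valve_cmd", "alarm"}),
    "hmi":      ({"alarm"}, {"op_view"}),
    "logger":   ({"temp_b"}, {"hist_log"}),
    "actuator": ({"valve_cmd"}, set()),
}
SINKS = {"valve_cmd", "op_view", "hist_log"}  # names whose corruption is realised


def impact(subverted: Set[str], guarded: Set[str] = frozenset()) -> FrozenSet[str]:
    """Sink names that lose integrity when `subverted` processes are overwritten.
    `guarded` models a countermeasure (assumed here): a name independently
    validated by its receiver, so corruption does not propagate through it."""
    corrupted: Set[str] = set()
    for proc in subverted:
        corrupted |= FLOWS[proc][1]
    changed = True
    while changed:  # least fixed point of the transitive propagation
        changed = False
        for proc, (received, emitted) in FLOWS.items():
            if proc in subverted or not ((received & corrupted) - guarded):
                continue
            fresh = emitted - corrupted
            if fresh:
                corrupted |= fresh
                changed = True
    return frozenset(corrupted & SINKS)


def compare(a: FrozenSet[str], b: FrozenSet[str]) -> str:
    """Partial order on impacts by set inclusion; equal impacts are equivalent attacks."""
    if a == b:
        return "equivalent"
    return "less" if a < b else "greater" if a > b else "incomparable"


def effectiveness(subverted: Set[str], guarded: Set[str]) -> FrozenSet[str]:
    """Impact removed by a countermeasure: sinks no longer reached by corruption."""
    return impact(subverted) - impact(subverted, guarded)
```

In this plant, subverting sensor_a and subverting the plc reach the same sinks and are therefore equivalent attacks, while guarding temp_a at the plc removes the whole impact of the sensor_a attack.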