future internet
Article
Cyber Security Threat Modeling for Supply Chain
Organizational Environments
Abel Yeboah-Ofori and Shareeful Islam *
School of Architecture Computing & Engineering, University of East London, London E16 2RD, UK;
u0118547@uel.ac.uk
* Correspondence: shareeful@uel.ac.uk; Tel.: +44-208-223-7273
Received: 26 December 2018; Accepted: 21 February 2019; Published: 5 March 2019
Abstract: Cyber security in a supply chain (SC) provides an organization the secure network facilities
to meet its overall business objectives. The integration of technologies has improved business
processes, increased production speed, and reduced distribution costs. However, the increased
interdependencies among various supply chain stakeholders have brought many challenges including
lack of third party audit mechanisms and cascading cyber threats. This has led to attacks such as
the manipulation of the design specifications, alterations, and manipulation during distribution.
The aim of this paper is to investigate and understand supply chain threats. In particular, the paper
contributes towards modeling and analyzing CSC attacks and cyber threat reporting among supply
chain stakeholders. We consider concepts such as goal, actor, attack, TTP, and threat actor relevant to
the supply chain, threat model, and requirements domain, and modeled the attack using the widely
known STIX threat model. The proposed model was analyzed using a running example of a smart
grid case study and an algorithm to model the attack. A discrete probability method for calculating
the conditional probabilities was used to determine the attack propagation and cascading effects, and
the results showed that our approach effectively analyzed the threats. We have recommended a list
of CSC controls to improve the overall security of the studied organization.
Keywords: cyber supply chain; cyber security; attack modeling; smart grid; threat intelligence;
threat actor
1. Introduction
A supply chain (SC) is a collection of different organizations that align their business processes,
goals, objectives, and some components of their systems to third party organizations, suppliers,
consumers and partners [1,2]. Cyber physical systems (CPS) are the integration of computation
and physical process that make a complete system, such as physical components, network systems,
embedded computers, software, and the linking together of devices and sensors for information
sharing [3]. The emergence of CPS, electronic transactions, third party vendors, and banking services
have evolved over time and brought many changes to how the organizations and industries operate.
CPS supply chains have also brought many challenges, such as lack of specific organizational threat
intelligence gatherings, failure to audit third party vendors, lack of security controls, and lack of (cyber
supply chain CSC )risk management. Cyber attacks could impact other supply chain partner systems
due to many reasons such as software errors, vulnerabilities in any SC partner [4]. Examples include
the Saudi Aramco electric-grid cyber attack in 2017, and the Ukraine power grid attack in 2015 [5].
These indicate that supply chain attacks are on the rise and require an attack model and threat analysis
to gather threat intelligence [6]. There are existing attack models, such as MITRE’s kill chain model [6]
that describe the actions an adversary could take to compromise and operate within an organization’s
overall communication network. Attack trees [7] provide a formal and methodical way of describing
Future Internet 2019, 11, 63; doi:10.3390/fi11030063
www.mdpi.com/journal/futureinternet
Future Internet 2019, 11, 63
2 of 25
the security of systems based on varying attacks. They use multilevel children within the attack tree,
with a single root node that uses different ways to achieve its goal using leaf nodes and Building
Security in Maturity Model (BSIMM) [8]. These works are important and contribute to the cyber threat
modeling knowledge domain. However, there is a limited focus on supply chain perspective, and
specifically on threats relating to inbound and outbound chain contexts that need adequate analyses to
ensure CSC security.
The main contributions of this paper are threefold. Firstly, we modeled and analyzed the cyber
threats of supply chains organizational context. We integrated concepts from threat intelligence, such as
threat, attack vector, TTP, and control, with concepts from the goal modeling languages, including actor,
goal, and requirement, and from supply chain context including inbound and outbound. Secondly,
we considered widely used industry practices such as the internet security control [9] and STIX threat
model [10] to analyze the threats in the supply chain context. Finally, we used a running example from
a smart grid system to analyze the proposed approach and demonstrate the applicability of the work.
The results showed that we had identified probable CSC threats, risks, and attacks, such as penetration
and manipulation that could impact the studied organizational goal. We ascertained the CSC attack
vector, and modeled attack patterns and gathered threat intelligence that provided an understanding
of adversaries’ motives, capabilities, actions, and intent. We have recommended security controls to
mitigate the CSC threats.
The rest of the paper is structured as follows: Section 2 presents an overview of related works in
the CSC security environment and the existing threat models, while Section 3 considers the need for
CSC threat modeling and presents the concepts for a proposed meta-model as well as a threat modeling
process and attack algorithms. Section 4 present the analytical and predictive research approach used
to implement the threat modeling theorem and evaluates it by following a running example of a case
study to model CSC attacks. Section 5 provides a discussion of the several observations identified in
the study. Finally, Section 6 presents a conclusion of the study and proposes future works.
2. Related Work
This section provides an overview of the related works on CSC security and smart grid attacks.
Supply chain security in CPS smart grid domains is widely integrated with other organizations and
requires extensive research.
2.1. CSC Security Environment
Supply chain security are mechanisms that are put in place to control, manage, and enhance
the supply chain system to ensure business continuity, protect products, and provide information
assurance. Forty-six cybersecurity attack incidents were reported in the energy sector in 2015, most of
which targeted the IT systems of utilities and vendors [11,12]. Woods and Bochman (2018) provides
an investigation of the operational practices of CSC and risk across the energy, electricity, gas, and
nuclear sectors [4]. The research focused on energy sector flaws due to software vulnerabilities such as
counterfeit, maliciously tainted, or unintentionally tainted software components that were built into
products during design or implementation phase. Here, the components are authorized, authentic,
and have passed validation. Wand and Lu (2013) presented a compressive survey of cybersecurity
issues for smart grids [13]. The authors specifically focused on reviewing and discussing security
requirements, network vulnerabilities and attack countermeasures, secure communications protocols,
and architectures in the smart grid. Sun et al. (2018) proposed a state of the art survey for the most
relevant cyber security studies in power systems [14]. The authors reviewed cyber security test
beds for research that demonstrated cyber security risks and constructed solutions to enhance the
security of smart grid technologies and industry practices and standards. However, the study did not
review CSC from a vendor perspective. Hymayed et al. (2017) identified smart grid vulnerabilities in
TCP/IP communication protocols due to protocol mis-configuration [3]. The authors’ supply chain
risk encompassed IT and Operational Technology (OT) suppliers and buyers as well as non-IT and
Future Internet 2019, 11, 63
3 of 25
non-OT partners. However, auditing from inbound and outbound supply chains was not discussed
from a specific organizational context.
2.2. Threat Modeling
MITRE’s Adversary Attack, Techniques & Common Knowledge (ATT&CK) is an adversary
model and framework for describing the actions an adversary could take to compromise and operate
within an organizations network. MITRE’s Cyber Attack Lifecycle consists of seven phases, namely:
recon, weaponize, deliver, exploit, control, execute, and maintain. MITRE’s 11 tactic categories
within ATT&CK for organizations were derived from the latter stages of exploit, control, execute, and
maintain [6]. Common Attack Pattern Enumeration and Classification (CAPEC) is a comprehensive
dictionary and classification taxonomy of known attacks that could be used by analysts, developers,
testers, and educators to advance community understanding and enhance defense. CAPEC ID438,
ID439, and ID3000 [15] list three key vulnerable spots through which adversaries can exploit CSC, and
these include modification during manufacturing, manipulations during distributions, and various
domain attacks. Within these are various compromises that could be initiated using malware or SQL
injection attacks. Common Weakness Enumeration (CWE) (2014) provides a mechanism for prioritizing
software weaknesses in a consistent, flexible, and open manner. CWE identifies weaknesses that are
exploitable in software, which the attacker can make function in a way that was never intended.
The approach allows an organization to prioritize the CWEs most relevant to the organization’s
business mission, goals, and objectives [12]. Structured Threat Information eXpression (STIX) uses
adversary Tactics, Techniques, and Procedures (TTP), cyber attack campaign, incidents, courses of
action, exploitation targets, threat actors, and other methods to provide a common mechanism for
adding structured cyber threat intelligence information across a range of use cases for improving
consistency, efficiency, interoperability, and overall situational awareness [10]. The OWASP Top 10
Most Critical Web Application Security Risks identifies the various web application security weakness,
attacks, threat agent, attack vectors, and impacts on organizations [16]. An integrated cyber security
risk management approach considering all aspects of critical infrastructure including vulnerabilities
and attack scenarios is proposed by [17]. The Diamond model is an intrusion analyses model that
describes how an adversary attacks a victim based on two key motivations. The model consists of
four components, namely: adversary, infrastructure, capability, and victim. It has associated features,
such as timestamp, phases, results, directions, methodology, and resources. In the event of an attack,
the model uses the timestamp to identify the phases [18]. Gai et al. (2017) proposed a maximum
attack strategy method of spoofing and jamming on the cognitive radio network, using optimal power
distribution in wireless smart grid networks. The method was effective for causing the DoS attack on
radio frequencies [19]. The authors further proposed a novel homomorphism encryption approach
to tackle both insider and outsider threats that can fully support blended arithmetic operations over
cipher texts [20]. A dynamic privacy protection model was proposed by [21] to address threats
relating to wireless communication. The aim of the model was to ensure data privacy within a scale
of communication without using conventional encryption methods. The Attack graph—or graph
tree—are conceptual diagrams used to analyze how a target can be attacked. The tree-like structure
has multilevel children with a single root used to detect vulnerabilities in the network for analyzing an
effective defense [22].
3. Threat Modeling for Supply Chain Contexts
This section presents the concepts for the proposed approach. Our work contributes towards
identifying and analyzing cyber threats for the CSC domain.
3.1. The Need for Cyber Supply Chain Threat Modeling
Modeling cyber attacks in an SC environment is a proactive way of creating an understanding
and awareness of an adversary’s modes of operations and TTPs. Supply chain security ensures
Future Internet 2019, 11, 63
4 of 25
business continuity for an organization as it is able to channel its business activities, such as processes,
information, people, and resources of the products and services, to external suppliers, distributors,
and individual customers. Increased interdependencies have brought about CSC threats, risks, attacks,
and vulnerabilities that adversaries could exploit. Therefore, modeling and analyzing these threats
can provide secure protection for a controlled supply chain system. The following are factors that are
influencing supply chain threats:
•
•
•
•
Evolution of the cyber supply chain threat landscape;
Integration of supply chain stakeholders on the cyber threat model;
Inability to determine cascading threat impacts on inbound and outbound supply chains;
Evolving threat landscapes affecting the supply chain organisation context
3.2. Conceptual View
As stated previously, we considered concepts from the supply chain, threat modeling, and goal
modeling domains. These concepts and their properties provided us with an in-depth understanding
of the threat actor’s intent, motives, and methods, which was needed to model attacks, analyze, and
derive threat intelligence.
Goal: A goal represents the strategic aim of an organization. Goals are realized by different factors
based on organizational objectives and business processes. Yu (1995) posits that a goal represents
a condition in the world that an actor would like to achieve [2]. To achieve a goal, an organization
must identify the various actors that will ensure the goal is attained or aborted. We considered both
organizational and security goals. An organizational goal is the objectives carried out to meet the
overall organizational strategy and vision, while security goals are control systems put in place to
prevent threats, risks, attacks, and compromises. Security goals emphasize more of the threat actor’s
goal, in which the aim is to attack or abort the main organizational goal. The security goal is to ensure
confidentiality, integrity, and availability for the overall supply chain systems, and its surrounding
context [17].
Actor: An actor describes an entity that has goals and intentions within the system or within
the organizational setting [2,23]. The actors are the employees, suppliers, and distributors, as well as
those with the potential to cause a threat to the supply chain system (which could be different from the
threat actor). Legitimate actors or system users are categorized as organization employees, or users
with permission to access or use the supply chain system. Actors can be recognized either by their
password, process, identity, or privileges. Suppliers are the various organizations on the supply chain
system, including distributors, third party vendors, and suppliers.
A threat actor (adversary or attacker) is characterized as a malicious actor representing a cyber
attack threat, with presumed intent and historically observed behavior [10]. For this study, we defined
a threat actor as an entity that can breach or compromise the supply chain system, such as a person,
user account, or process. Threat actors can be categorized as either intentional or unintentional, and
internal or external. The threat actor is linked to the attack, vulnerability, and TTP in a many-to-many
relationship. We identified threat actors through their capabilities, such as their intent, type of password
used, observed patterns, behavior, history, and motives.
Vulnerability: vulnerabilities are flaws or weakness that can be exploited by a threat actor or
a threat agent. In an SC system, a vulnerable can be identified from various sources, including the
software, network, website, user, process, application, and configuration, or from a third party vendor.
The adversary could insert a hard-coded password as the default administrative setup into the COTS
software and that could be a vulnerability when it is not changed after purchase.
Attack: An attack is any deliberate action or assault on the supply chain system with intent to
compromise its processes, procedures, and delivery of electronic products, information flows, and
services. A supply chain compromise attack is the manipulation of product delivery mechanisms prior
Future Internet 2019, 11, 63
5 of 25
to receipt by a final consumer [15]. Attack properties include type, pattern, perquisites, and vectors.
Attack pattern is an abstract mechanism for describing how a type of observed attack is executed [24].
Tactics, Techniques, and Procedures (TTP) is a representation of the behavior or modes of
operations of the adversary or threat actor [10]. TTP leverages specific adversary capabilities, behaviors,
and exploits it can use on victims. TTP could be used to gather cyber threat information about the
attack pattern, resources deployed, and exploits exhibited. TTP is relevant for identifying threat actors,
campaigns to provide CSC threat intelligence on adversary’s motives, intended effects, and impact on
an organization. For instance:
•
•
•
Tactics describe how threat actors operate during the various attack campaigns. This includes how
the adversary carries out reconnaissance for initial intelligence gathering, how the information is
gathered, and how the initial compromises were conducted. For instance, tactics may be to send a
spear phishing email to a group on the supply chain.
Techniques are the strategies used by the adversary to facilitate the initial compromises such as
tools, skills, and capabilities deployed. This includes how the adversary establishes control,
maneuvers within the supply chain system infrastructures, and exfiltrates data, as well as how to
obfuscate through the system. The adversary conceals the email contents in such a way that is not
obvious to detect.
Procedures are the set of tactics and techniques put together to perform an attack. Procedures
may vary depending on the threat actor goal, purpose, and nature of the attack. A procedure
includes carrying out reconnaissance on the victim’s systems to identify vulnerable spots, gather
information, access rights, and control mechanisms to determine what could be exploited.
Inbound and outbound supply threats: The inbound and outbound supply chains are the
organizational systems that integrate with third party companies, suppliers, and distributors to
achieve the organizational goal [24]. The inbound suppliers include the external organization and
third party vendors who have remote access to the CSC system and who provide electric power
transmission [25,26]. The threat actor could penetrate the inbound supplier’s system and manipulate
data, or alter the organizations that provide the electronic products and payment services. The third
party vendors purchase the electric power directly and resell it to the consumer. The outbound supply
chain environment is the organization that provides distributed electric power to other organizations,
individuals, and third party vendors. The threat actor could initiate malware or SQL injection attacks
during distribution, causing a misconfiguration of the supply chain system.
CSC requirement: Requirements are the constraints and expectations needed to ensure that
the system supports the stakeholders and business needs. The requirement concept includes
properties such as organizational requirements, business requirements, systems requirements, user
requirements, and operational requirements [10,23]. The organizational requirements contain concepts
that specify the overall organizational environment and how the software will integrate with the
security constraints to achieve the goal.
Risks: Risk is the potential negative impact from an attack. The probabilities of attacks being
initiated from the vendor systems are high, as they represent a single point of failure. Supply chain
risk is the potential for an adversary to sabotage the supply chain, maliciously introduce unwanted
functions, or subvert the design, product, or integrity of the system [17,27]. CSC risk can be categorized
as IT, non-IT, management, or government. IT risks are technical and operational, while non-IT risks
represent organizations, products and services, environmental factors, and natural disasters. Supply
chain risks are cascading risks, as an attack on one party may affect others as the organizations that are
involved in the integration and process chains also increase [28].
Controls: Controls are security strategies and measures that are formulated and implemented
to ensure that the organizational goal and objectives are achieved, and that risks are mitigated with
minimal threat or no threat at all. CSC security controls are managerial, operational, and technical
safeguards or countermeasures employed within an organizational information system to protect
Future Internet 2019, 11, 63
6 of 25
the confidentiality, integrity, and availability of the systems and their information [29]. Due to the
invincible nature of cyber attacks, the organization should establish a collaborative mechanism with
all stakeholders on the supply chain to protect and secure the supply chain systems.
Cyber incident reports: Incident report systems provide CSC attack victims the platform to report
Future Internet 2019, 11, x FOR PEER REVIEW
6 of 24
attacks and threats that have occurred, including their impact and the degree of severity. The purpose
is purpose
to gatherisand
analyze
threat
information
that can assist
and stakeholders
to achieveto
to gather
and
analyze
threat information
that organizations
can assist organizations
and stakeholders
their
security
goals.
Properties
for
cyber
incident
reports
include
type,
date,
source,
and
impact.
achieve their security goals. Properties for cyber incident reports include type, date, source,
and
They
could
serve
as
notification
platforms
and
disseminators
of
threat
information
for
training
and
impact. They could serve as notification platforms and disseminators of threat information for
awareness
among
third party
collaborators,
developers,
anddevelopers,
security experts.
training and
awareness
among
third partysoftware
collaborators,
software
and security experts.
Threat
information
sharing:
Cyber
threat
information
sharing
is
Threat information sharing: Cyber threat information sharing isa aplatform
platformthat
thatprovides
providesthe
the
information
necessary
to
assist
an
organization
in
identifying,
assessing,
monitoring,
and
responding
information necessary to assist an organization in identifying, assessing, monitoring, and
toresponding
cyber threats
There
are [30].
rulesThere
that govern
andthat
protect
information
sharing,
such as information
to[30].
cyber
threats
are rules
govern
and protect
information
sharing, such
sensitivity
and
privacy,
sharing
designations,
and
tracking
procedures
[30,31].
as information sensitivity and privacy, sharing designations, and tracking procedures [30,31].
The
concepts
their
relationships.
Themeta-model
meta-modelshown
shownininFigure
Figure1 1depicts
depictsthe
the
conceptsand
and
their
relationships.AAthreat
threatactor
actor
may
want
to
attack
the
system
and
exploit
vulnerable
spots
using
TTP
methods
to
manipulate
the CSC
may want to attack the system and exploit vulnerable spots using TTP methods to manipulate
the
system.
CSC
requirements
are
used
to
ensure
the
security
goal,
and
constraints
are
achieved
to
meet
CSC system. CSC requirements are used to ensure the security goal, and constraints are achieved to
the
organizational
goal. The
attack
entity entity
is linked
to the to
threat
actor, actor,
TTP, risks,
and threat,
as theas
meet
the organizational
goal.
The attack
is linked
the threat
TTP, risks,
and threat,
properties
determine
the
nature
of
attacks
and
probable
threats.
The
CSC
requirements,
risk,
controls,
the properties determine the nature of attacks and probable threats. The CSC requirements, risk,
and
cyber incident
report
couldreport
have an
effect
on the
goal as well asgoal
the inbound
and
controls,
and cyber
incident
could
have
an organizational
effect on the organizational
as well as
the
outbound
supply
chains.
This
interrelationship
provides
evidence
of
the
degree
of
threat
or
cascading
inbound and outbound supply chains. This interrelationship provides evidence of the degree of
effect
of or
how
a particular
risk
the CSC.
The likelihood
ofCSC.
an attack
becoming aofprobable
threat
cascading
effect
of could
how aimpact
particular
risk could
impact the
The likelihood
an attack
threat
is
determined
by
the
threat
intelligence
gathered.
becoming a probable threat is determined by the threat intelligence gathered.
CSC
Requirements
Goal
Actor
1*
1*
Organizational 1*
Goal
Security Goal
•
Has
•
User
•
•
Suppliers
Internal
Access Right
•
•
•
•
•
•
External Org
Vendor
1*
Cause
1*
1*
exploits
Type
1*
Pattern
Prerequisite
Vector
1*
Vulnerability
1*
1*
Expose
Risk
1*
Support
•
•
•
•
Type
Probability
Likelihood
Impact
1*
Support
1*
Cyber Incident
Report
1*
1*
1*
Inbound
Supplier
1*
1*
exploits
1*
Violates
1*
Threat
1*
1*
1*
Organization
Business
User
System
Operational
inform
Has
1*
•
•
•
•
•
1*
Use
1*
•
•
•
1* •
1*
Exploits
Tactics
Techniques
Procedures
Attack
1*
Uses
1*
1*
Pose
Capability
Motive
Intents
Resource
TTP
•
•
•
1*
Threat Actor
Supports
•
Information 1*
inform •
Sharing
1* •
•
•
Control
1*
Inform
Type
Date
1*
Threat Actor
Resource
Impact
•
•
•
•
•
Directive
Preventive
Detective
Corrective
Recovery
1*
Outbound
Supplier
Protects
Figure 1. The meta-model.
3.3. Threat Modeling Process
Figure 1. The meta-model.
3.3.The
Threat
Modelingprocess
Processinvolves a systematic approach to identify the organization’s supply chain
underlying
system, internal infrastructures, business processes, attack context, and relevant controls. The process
The underlying process involves a systematic approach to identify the organization’s supply
consists of four main phases, as shown in Figure 2.
chain system, internal infrastructures, business processes, attack context, and relevant controls. The
process consists of four main phases, as shown in Figure 2.
Phase 1: Determining organization objectives
The aim of this phase is to identify the overall organizational CSC environment including goals
and requirements. It includes three activities which are briefly mention below:
• Activity 1: Identifying the organizational supply chain environment
This activity identifies CSC systems and the external organization, suppliers, distributors,
and third party vendors on the inbound and outbound supply chains. The purpose is to
identify the vendor’s software, hardware, and network design process and policies. This
•
Activity 2. Define the approach to achieving the goal
This activity identifies necessary actions required to achieve the organizational goals. The
organizational goal is to provide safe and reliable service to consumers, while the security
Future Internet
11,ensure
63
7 of 25
goal2019,
is to
that the supply chain system is secure, reliable, for the overall to achieve
business continuity and information assurance.
•
Phase 1
Determining
Organ ization
Objectives
•
•
Threat Modelling Process
Phase 2
Phase 3
Attack Process
Attack Probability
and Cascading
Effects
•
•
•
•
Reconnaissance
Experiment
Exploit
Command & Control
•
Cyber Supply Chain
Attack
Malware Threat
Propagation
How Virus Cascade
Randomly
Spear Phishing Email
Attack
•
•
•
Phase 4
Phase 5
Threat Modelling
Controls
Id entifying
Organizational
Supply Chain
Environment
Define approach to
achieving goal
Captu re the CSC
Requirements
•
•
•
•
•
•
Observable
Indicator
Campaign
Th reat Acto r
TTP
Exploit
•
•
•
•
•
Directive
Preventive
Directive
Corrective
Recovery
Assist in
deciding the
overall
organizational
CSC system
Assist to
understand how
threat actor
deploys attacks
on CSC and
TTPs
Assist to
understand
threat
propagation
methods and
Impact
Supports
Implementation
in line with
Standards and
Policies
Supports CSC
Implementation
in line with
Standards and
Policies
Figure
Figure 2.
2. CSC
CSC threat
threat modeling
modeling process.
process.
• Activity
Capture theorganization
CSC requirements
Phase 1: 3.
Determining
objectives
This
activity
involves
capturing
thethe
overall
requirement
on environment
the inbound including
and outbound
The aim
of this
phase is
to identify
overallCSC
organizational
CSC
goals
supply
chains to Itensure
thethree
security
goalwhich
and are
constraints.
The requirements
ensure proper
and requirements.
includes
activities
briefly mention
below:
integration and interfacing with vendors. Here, the systems development life cycle (SDLC) concepts
• used
Activity
1: Identifying
the organizational supply chain environment This activity identifies CSC
are
to capture
the requirements.
systems
and
the
external
Phase 2. Attack Process organization, suppliers, distributors, and third party vendors on the
inbound
andprocess
outbound
supply the
chains.
The purpose
is to identify
the the
vendor’s
software,
hardware,
The
attack
identifies
activities
of a threat
actor and
TTP used
to deploy
the
and
network
andactivities
policies.asThis
informs
strategicmay
management
whether
the
attack.
The
phase design
involvesprocess
complex
all the
stakeholders
have different
system
organizational
goals
are
achievable,
repeatable,
and
measurable.
components, requirements, processes, and infrastructures. The attack pattern may be determined
•
Activity
Define the approach
achieving
the goal
necessary
actions
based
on each2.stakeholder’s
businesstogoal,
objectives,
andThis
the activity
size of identifies
the business.
The activities
required
to
achieve
the
organizational
goals.
The
organizational
goal
is
to
provide
safe
and
reliable
include:
service to1.consumers,
while the security goal is to ensure that the supply chain system is secure,
Activity
Attack Steps
reliable,
for
the
overall
achieve
business
continuity and system,
information
In this phase the threattoactor
explores
the organizational
and assurance.
the supply inbound and
•
Activity
3. Capture
CSC requirements
involves capturing the overall CSC
outbound
chains,
as shownthe
in Figure
3. The attackThis
stepsactivity
are as follows:
requirement on the inbound and outbound supply chains to ensure the security goal and
Step 1. Reconnaissance: The adversary carries out research online and uses other social
constraints. The requirements ensure proper integration and interfacing with vendors. Here, the
engineering methods to gather information such as:
systems development life cycle (SDLC) concepts are used to capture the requirements.
• What infrastructure is the organization using: topology, IPs, software, or configurations;
Phase 2. Attack Process
• Profile of the organization, business applications, third party vendors, and other
The attack process identifies the activities of a threat actor and the TTP used to deploy the attack.
organizations;
The phase involves complex activities as all the stakeholders may have different system components,
• Is the supply chain a corporate and public network system (e.g., virtual private network
requirements, processes, and infrastructures. The attack pattern may be determined based on each
VPN);
stakeholder’s business goal, objectives, and the size of the business. The activities include:
Activity 1. Attack Steps
In this phase the threat actor explores the organizational system, and the supply inbound and
outbound chains, as shown in Figure 3. The attack steps are as follows:
attack goal. The threat actor penetrates the workstations of the internal users, gains access into the
system resources and the supply chain environment, and manipulates the organization's products.
Step 4. Command and control: The adversary uses remote access and Advance Persistent
Threat (APT) techniques to establish control of the CSC system, at which point they are able to
Future Internet
2019, 11,
63
of 25
monitor
business
processes
and activities, and to manipulate the system, exfiltrate information,8and
obfuscate.
Threat Actor
Step 1
Carries out
Reconnaissance
Reconnaissance
Gather Information
Step 2
Rootkit/RAT
Experiment
Step 3
Organization
Spear Phishing
Network
Infrastruture
Application
Processes
Supply Chain
Attack
Remote Access Trojn
/ SQL Injection
Server
Spear Phishing /
Redirect Script
Attack
Webserver
Manipulate
Manipulate
Products
Manipulate
Step 4
Command & Control
Command & Control
Figure 3. Adversary attack steps.
Step 1. Reconnaissance: The adversary carries out research online and uses other social
engineering methods to gather information such as:
•
•
•
•
What infrastructure is the organization using: topology, IPs, software, or configurations;
Profile of the organization, business applications, third party vendors, and other organizations;
Is the supply chain a corporate and public network system (e.g., virtual private network VPN);
What type of attack can be initiated (e.g., malware, redirect script, injection, and phishing)? For
instance, the adversary could use passive attack tools such as Nmap or Kali Linux.
Step 2. Experiment: The adversary uses various attack methods (TTP) and tools to penetrate and
gain control of the victim’s systems to try and explore vulnerable spots. For instance:
•
•
The adversary creates an executable malware remotely;
The adversary inserts a remote access Trojan (RAT), and the malware is installed and executed
when a user downloads or opens it through a spear phishing email.
Future Internet 2019, 11, 63
9 of 25
Step 3. Exploit: At this stage, the threat actor gains control of the systems and determines the
attack goal. The threat actor penetrates the workstations of the internal users, gains access into the
system resources and the supply chain environment, and manipulates the organization’s products.
Step 4. Command and control: The adversary uses remote access and Advance Persistent Threat
(APT) techniques to establish control of the CSC system, at which point they are able to monitor
business processes and activities, and to manipulate the system, exfiltrate information, and obfuscate.
Phase 3. Attack probability and cascading effects
The probability of a cyber attack on a CSC can be initiated in many ways. A threat actor requires
full control of a compromised system in order to be able to remotely control malware propagation.
Activity 1. Cyber supply chain attack propagation
Cyber attack propagation changes as the supply chain application processes and operational
technologies change. Therefore, it could prove difficult to use any purely quantitative method to
formulate attack scenarios at this moment. Since the scenarios are specific to an organizational context,
we considered subjective judgments to determine the estimated probability of a successful supply
chain attack by using different attack scenarios. The variables that influenced the probability of a
malware propagation attack were as follows:
•
•
•
Penetration: We assumed that the threat actor could penetrate the vulnerable spots on the inbound
and outbound chain in all the scenarios.
Manipulation: This stage is where the threat actor gains access into the supply chain system and
can manipulate data. Threat actor motives and intents were determined by the manipulation.
Severity of attack: The severity of an attack is determined by the extent to which a threat has
propagated to the supply chain system. The severity of the attack and the cascading effect are
used to determine the the required controls to mitigate the attacks. We categorized the attacks as
low, medium, or high in all the scenarios we considered, as there were penetrations available to
the threat actor that corresponded to the level of propagation on the targeted supply chain system.
We considered Common Vulnerability Scoring System (CVSS) [32] concepts to determine the
severity of attacks as low, medium or high malware propagation. The level of penetration and the
severity of the attack determines the probability of a successful random distribution. The propagation
was determined using a discrete probability scale of 0–100%. The degree of severity of each
manipulation was calculated in percentages as low (≤15%), medium (16 to 59%), or high (above 60%).
Let,
P: Penetration
M: Manipulation
Pa : Probability of attack
AT: Number of attacks
S: Scenario
n: total numbers of scenarios
Si : attack frequency
Pg: level of propagation
Sa: severity of attack or impact level
Pacc = (access/scenario)
P(scenario) = 1/n, where n: number of scenarios.
ai = P(access/scenario), where i: index
We determined the level of penetration and the extent of manipulation by the percentage score
used (Table 5). The formulae for calculating the conditional probabilities were as follows:
n
Pacc =
∑P
i =1
a
s
!
. P ( Si )
(1)
Future Internet 2019, 11, 63
10 of 25
Table 5 provide a list of attacks on the vulnerable spots that attackers can penetrate, the extent of
manipulation and the percentage of each attack probability. Thus, we calculated the estimated expected
value for the probability of attack success as:
1
n
Pacc =
n
∑ ai
(2)
i =1
The goal of the threat actor is twofold: penetration and manipulation. We assumed there were
8 vulnerable spots and 10 targeted devices (AT1–AT10) on the CSC system (Figure 4). The threat
actor’s motive is to acquire a higher level return value by penetrating the command center workstation,
and to maintain command and control using advanced persistent threat methods. Our objective
was to determine the likelihood of an attack, its level of propagation and the cascading effects.
Inputs contained a group of scenarios. We simulated attack scenarios using propagation methods.
The initialization worked by repeatedly scanning input probabilities to determine the most and least
values, then put them together to fill the vulnerability column. Inputs consisted of the following
parameters: For each attack manner using a level of propagation Pg of Si, we considered penetration
(P) and the attack (AT) to determine the propagation. The output results will produce a cascading
effect on the CSC systems. For further clarification, we used concepts from [19] for the penetration
and manipulation attacks. Table 5 illustrates the method and a recursive formula to create the
cascading effects.
Future Internet 2019, 11, x FOR PEER REVIEW
16 of 24
Organizational Office
Command Center
Workstation
Tier 1
SCADA Network
SCADA Servers
P6
AT2
Modem
Switchboard
SCADA Servers
Wifi
AT3
IED
Server
IED
Firewall
Communication Network
Threat
Actor 4
Sub Station
Threat Actor 2
P5
Router
Firewall
WAN
Modem
AT4
IED
IED
Workstation
AT5
P3
IED
AT10
Tier 2
P2
CSC Vendors Systems
IED
AT6
IED
External Organizations
Third Party Vendors
AT1
Remote Access
Router
P1
Threat Actor 1
Switchboard
Router
Modem
Employees
Tier 3
AT7
CMS
Server
workstation
AT8
Laptop
Firewall
Threat Actor 3
HEMS
Printer
P4
Work station
Modem
workstation
Wifi
Workstation
AT9
Handheld Device
Figure
Figure4.4.Structure
Structureof
ofsmart
smartgrid
gridCSC
CSCand
andpotential
potentialsecurity
securitythreats.
threats.
Activity1.2.Determine
Malware threat
propagation
Activity
attacks
on the CSC
InThreat
a software
compromised
attack, we
identified
the from
attackan
was
through
manipulation
A
Actor
may be an internal
employer
orwhether
may come
external
source.
Several
during distribution
or during
manufacturing.
used
TTP to
malware
attacks
can be initiated
on the
CSC by the We
threat
actor.
Asdetermine
indicatedthe
in actual
figuresources
4, (P) of
represents
and whetherand
the(AT)
course
of the attack
on the organization CSC was initiated through malware installed
Penetration
represents
Attack.
or a malware-executed program. Malware installed virus is one way that malicious code can be
Tier 1: smart grid integrates with SCADA system servers and uses a switchboard to establish WAN
inserted into the computer.
communication with the IED units.
Tier 2: uses IEDs to connect with AMI and demand response applications.
Tier 3: uses LAN to integrate with the CMS and uses the IED to communicate.
The threat actor uses various attack vectors to gather knowledge about the smart grid system
topology, configurations, protocols, and operational parameters. Table 3 represents a breakdown of
how the threat actors penetrate the systems. We use:
•
•
•
Penetration (P) to represent how the adversary attacks the system (P1–P6);
Attack (AT) to represent the devices that were under attack (AT1–AT10);
Steps (ST) to represent the steps the threat actor followed to attack (ST1–ST4).
Future Internet 2019, 11, 63
11 of 25
Algorithm 1 Cascading Effect Algorithm
Input: Propagation Attack Scenarios
Output: Penetration Effects
Initialization
1.
2.
3.
Multiply each probability Pa by n.
Create array Scenarios and Probability, each of size n
For m = 1 to n − 1:
1.
2.
3.
4.
5.
6.
4.
5.
6.
Find the probability P satisfying Pacc ≤ 1
Find a probability P (with i 6= s) satisfying Pacc ≥ 1
Set Probability [i] = Pi
Set Scenario [i] = Si
Remove P from list of initial probabilities
Set Pa = Pa – (1 – pi )
Let i be the last probability remaining, which must have a weighted Sa + 1.
Set Probability [i] = 1.
If, else /“Cascading Effect”/ 1: Pa 1 do 3:
for P * Pa * Si do 4:
Si do 5:
if AT = Pa *P+M*Si = >1 then 6:
Pg + S1 = Sa 7:
end if 8:
end for 9:
applying algorithm 1
10:
end for
Return Table (Contains the attack methods)
for M in
11: End for 12:
Generation
1.
2.
3.
4.
Generate a scenario from an n-sided attack; call the side i.
Propagate attack that comes up with a probability P[i].
If the scenario comes up “P” return i.
Otherwise, return scenario [i].
Pseudocode
Start,
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
Multiply each probability by the number of scenarios
Create array of scenarios and probability, for each of the number of scenarios
For manipulation equals 1 to number of scenarios equal 1:
Find the probability P satisfying access divided the scenario that is less or equal 1.
Find the probability P (with index less or equal to scenario) satisfying access divided scenario that is more or equal 1
Set probability index
Set scenario to index
Set probability of attack to equal minus 1. /”Remove probability from list of initial probabilities”/
Let index be the last with weighted index severity of attack or impact level.
If else /”Cascading Effects”/
Let Probability of attack (Pa) be more than attack frequency (Si )
For attack frequency, if index is more than 1, do (indicate)
Multiply the number of penetration P, probability of attack and attack frequency
For manipulation in number of attack frequency, do (indicate)
If the number of attacks is equal to probability of attacks, multiplied by penetration, plus manipulation, times attack
frequency, are greater than 1?
Then calculate
Level of propagation and attack frequency is equal to severity of attack or impact level
End
Future Internet 2019, 11, 63
12 of 25
Activity 3. Probability distribution and manipulation for random attacks
The probability of penetrating a web server on a supply chain system can be very challenging.
The TTP that the threat actor deploys is basically to create a real message that prevents the spam filters
from detecting it and that could generate wrong probabilities. The probability formula for malware
executable emails using spear phishing is:
P=
Psc (1 − r − )
v
(3)
Let:
P: probability
Ps : probability of a malware spear phishing penetrating the mail server
C: the number of clicks on the malware
r − : the average detection rate of an antivirus program installed on third party vendor system
1 − r − : probability of the malware avoiding detection
V: total number of views of a malicious message
We used Scenario 3 in Section 5 to calculate the probability distribution.
Phase 4. Threat modeling using STIX
In this phase, we used the STIX visualization (STIXviz) tool to model the attack process. The STIX
tool uses eight constructs such as adversary attack, cyber attack campaign, incidents, exploit targets,
threat actors and TTP to generate a structured cyber threat model [14]. However, for our model, we
adopted some of the constructs to model the activities, such as observable, indicators, campaign,
threat actor, and TTP, to describe the interrelations and actions an attack may take to penetrate and
manipulate the CSC system.
Activity 1. Observable: These are the base constructs that are used to determine the measurable
events pertinent to the operations of computers and the network. [7] These includes technical and
non-technical. We identified all the CSC infrastructures as listed in Phase 1: Activity 1. These included
the network systems, Supervisory Control and Data Acquisition (SCADA), Remote Terminal Unit
(RTU), Communication devices, and many more.
Activity 2. Indicators: Indicators are parameters that express the nature of the attack and whether
it is imminent, in progress, or has already occurred [24]. We used CSC threat activities, adversary
behaviors, risky events, or state of the incident to determine what could serve as an indicator.
Activity 3. Campaign: The campaign explains the instances of the threat actor pursuing intent,
as observed through sets of incidents and TTP. The intended effect of the threat actor penetrating a
supply chain and manipulating the distribution and delivery channels could be a malware attack that
is being delivered through spear phishing, or rootkit installation attack, as explained in Phase 3.
Activity 4. Threat Actor: The threat actor construct identifies the attacker based on the campaign
activities. Threat Actors are characterized as malicious actors representing a threat including presumed
intent and historically observed behaviors [31].
Activity 5. TTP: TTPs consist of the specific threat actor behaviors exhibited in an attack. The
campaign, indicators, and threat actor activities determine the TTP that are deployed on the supply
chain system as explained in activity 2, 3 and 4. TTP leverages on resources such as tools, capabilities,
and personnel to penetrate and manipulate system.
Activity 6. Exploit target: Exploit targets are the vulnerable spots on the supply chain
infrastructures such as software, network system, or configurations that are targets for exploitation by
the TTP of a threat actor.
Phase 5. Controls: To incorporate controls into a supply chain system, we used knowledge of
actual attacks that have occurred in the past. To ensure proper security controls, the organization must
form a strategic team to identify, investigate, review, and evaluate the supply chain system processes
and applications. We identified the following controls:
Future Internet 2019, 11, 63
•
•
•
•
•
13 of 25
Directive controls are more strategic, where risks are identified and assigned to specific inbound
and outbound supply chain requirements.
Preventive controls are policies implemented on associated risk probabilities that are intended to
preclude actions violating policy or increasing third party risk. This includes supply chain risk
assessments and audits.
Detective controls use attack indicators to identify practices, processes, and tools that identify
and possibly react to security violations. These include firewalls, Intrusion Detection Systems
(IDS), and Intrusion Prevention Systems (IPS) configurations.
Corrective controls involve measures such as courses of actions and CSC risk management
designed to react to detections of an incident in order to reduce or eliminate the opportunity for
the unwanted event to recur.
Recovery controls are mechanisms put in place to restore a system to its original state once
an incident has occurred and resulted in compromising integrity or availability. These include
countermeasures, backups, segmentation, and incidence response strategy.
4. Evaluation
In this section, we follow a running example of a smart grid case study to model CSC attacks that
are able to determine the applicability of the threat model empirically. We confirmed the viability of
the resources, the questionnaires used to generate the study context, and the methods used to gather
the data. We investigated the case study and analyze the data gathered to determine the results.
4.1. Data Gathering
For the study, we adopted the analytical and predictive research approach to implement and
evaluate the approach. The rationale for the adoption of analytical research is to look for causal
relationships amongst the data we collected and attempt to measure them using probability distribution
methods. Then, based on qualitative and quantitative analysis, the predictive method was applied to
determine whether a specific phenomenon was likely to appear in a similar situation [33]. Considering
the invincible nature of cyber attacks and the cascading effects that the attacks could have on a CSC
system, we adopt both qualitative and quantitative approaches in our research methods. Both primary
and secondary data were collected. We had meetings and discussions with senior management about
the purpose and scope of the study, then we had a follow-up meeting and interviews with middle
managers who had expertise inside and outside of the organization under study. Data from the
secondary source were collected from the organization’s websites and other online resources.
4.2. Running Example of a Case Study
The Electricity Corporation of Ghana (ECG) distributes electric power to the southern part of
Ghana. ECG provides electricity to about 3.1 million domestic and business customers. ECG core
business processes include distribution, setting up a new connection, network operations, maintenance,
metering, and billing. It ensures the electric power chain distribution of Ghana with over 70% market
share and the largest power distributor in Ghana [34]. ECG is responsible for the distribution of power
in the six administrative southern regions in Ghana. The ECG organizational goal is to provide safe
and reliable high-quality electric service to consumers in the regions by improving system reliability,
improving customer service delivery, reducing system losses, improving operational efficiency, and
improving organizational culture. The ECG distribution network system infrastructure must be able
to accommodate new connections and support the distribution of electric power to homes, businesses,
and third party companies. Recently, the government introduced a rural electrification program
requiring the ECG to include new connections. However, the ECG had difficulty meeting the fast
developing customer base, the increasing demand on its network operations, maintenance, metering,
Future Internet 2019, 11, 63
14 of 25
and billing systems. It became imperative that ECG deploy a system to speed up fault identification
and restoration, cyber security, reliability, and tolerance.
4.3. Smart Grid Electric Power Infrastructure
To meet the challenges above, the ECG recently commissioned and installed an all-automated
SCADA system that was required for the modification of its existing network. The electricity
distribution network infrastructure uses mesh topologies and SCADA systems as the main
infrastructure supporting the CPS smart grid system.
4.3.1. Application Infrastructures and Core Business Systems
The application infrastructures and the network communications system provide business
operation, processes, communication protocols, and support the distributed control systems (DCS)
and SCADA system. The third party vendor uses Microsoft operating system software and a browser
that connects their systems to the ECG server remotely using public service IPs for the prepaid services.
The ECG’s core business is electric power distribution, and the organizational network infrastructure
and business systems are categorized in Table 1.
Table 1. Electricity Corporation of Ghana (ECG) core businesses systems.
Network Infrastructure
Application Systems
People/User
Controls
Smart Grid Architecture
Mesh Topology
Content Management System/CRM
HEMS
Mobile Devices/Advanced Metering
Integration
Prepaid
Postpaid System
Staff
Suppliers
Security/Audit
Best Practices & Guidelines
Vendors
ISO 27001-2 ISMS
SCADA Systems
UHF Radio
Sub Station
Distributors
Policies
4.3.2. Electric Power Distribution Challenges
The ECG electric distribution system has suffered lots of setbacks over the past decade, including
voltage surges, software errors, and network interruptions. These challenges are some of the factors
that have led to the introduction of prepaid meters or smart meters in Ghana. Prepaid metering or
smart metering is the means of paying for electricity before its consumption. However, this has also
introduced software errors into the system in recent times, such as prepaid card errors and prepaid
meter tampering.
4.3.3. The ECG Supply Chain Organizational Environment
There are seven public institutions involved in the Ghana power sector [33], as well as about two
public–private sectors. There are third party organizations contracted by the ECG that supply the
digital meters the vending machines. The prepaid system operates via a public–private partnership
that is all integrated into the supply chain.
4.4. Study Goal
The goal of this paper is to investigate and understand the cyber security threat in the SC
environment of the study context. In particular, we aim to model threats, and to analyze the threats
and the associated risks and cascading effects. The hypothesis below will determine the extent of
the compromises.
Hypothesis 1: To what extent, can the threat actor penetrate the ECG CSC system on the inbound and outbound
supply chains?
Hypothesis 2: To what extent can the threat actor manipulate the data on the supply chain system and the
delivery mechanisms?
Future Internet 2019, 11, 63
15 of 25
4.5. The Process
We used the processes and conceptual approaches in Table 2 to support our study.
Table 2. Mapping the case study with the meta-model concept.
Concepts
Properties
Descriptions
Goal
Organizational goal
Distribute electric power to customers
Generate utility bills,
Receive payments
Provide vendors remote access to CSC Secure systems
Actors
Security goal
Users
Suppliers
Threat actor
Requirements
Organizational requirement,
Supply Chain System
user categories, ID, stakeholders,
description, acceptance criteria
Inbound
Employees: internal and external
Suppliers
Distributors
A person, user account, or processes that can be
identified by the intent, motives, and capabilities of an
attacker
Specify high level organizational environment overall
and integrate with the security constraints to achieve
the organizational goal
Organizations
Financial institutions
Third party vendors
Individual consumers
Services providers
Outbound
Organizations
Stakeholders
Power transmission company
Sub-stations
Vulnerability
Router, firewall, wifi Remote
services: remote login, remote
command execution
Dynamic, host configuration
protocol, (DHCP) server logs
Attack
Attack goal
Attack pattern
Attack prerequisites
Attack vectors
TTPs
Threat
Indicators
CSC Source and destination, Timestamp,
Domain name,
TCP/UDP port number, media,
MAC address
IP Address
Compromise system of:
Malware, spyware, injection
Information on vulnerabilities
Mechanisms to deploy attack
Tactic, Technique, & Procedure
Determines vulnerabilities, flaws, and loopholes that
can be exploited by a threat actor or a threat agent
Specific observable patterns
SCS threat activities
Adversary behaviors
Risky events
State of an incident
Phase 1. Attacks on ECG smart grid infrastructure
We consider a smart grid communication path and security application using concepts from the
IEC 61850 Smart Grid Interoperability Guide [35] and NIST Smart Grid Interoperability Standards [36]
with its three-tiered hierarchical structure interconnected with intelligent electronic devices (IED). Tier
1 covers the transmission and distributions domains, using high-bandwidth communication media
such as WiMAX and Fiber on a wireless area network (WAN). The IED monitors and control the
electric power transmission to the distribution system using the pharos monitoring unit (PMU) for
measuring instantaneous bus voltage, line current, and frequency. The command center integrates with
the SCADA system servers and uses a switchboard to establish communication with the IED units [13].
Tier 2 provides a gateway for the Wireless Area Network (WAN) technologies and communication
Future Internet 2019, 11, 63
16 of 25
utilities to have access to the customers’ premises for the advanced meter infrastructure (AMI) and
demand response applications. It uses a collection of Intelligence Electronic Devices (IED) units to
collect the various Phasor Measuring Units (PMUs). Tier 3 integrates the local area network with the
customer management systems (CMS) and uses the IED to communicate with the smart meter, which
aggregates sensor information from various home appliance devices. We present the attack modeling
concepts and steps in Figure 4.
Activity 1. Determine attacks on the CSC
A Threat Actor may be an internal employer or may come from an external source. Several attacks
can be initiated on the CSC by the threat actor. As indicated in Figure 4, (P) represents Penetration and
(AT) represents Attack.
Tier 1: smart grid integrates with SCADA system servers and uses a switchboard to establish WAN
communication with the IED units.
Tier 2: uses IEDs to connect with AMI and demand response applications.
Tier 3: uses LAN to integrate with the CMS and uses the IED to communicate.
The threat actor uses various attack vectors to gather knowledge about the smart grid system
topology, configurations, protocols, and operational parameters. Table 3 represents a breakdown of
how the threat actors penetrate the systems. We use:
•
•
•
Penetration (P) to represent how the adversary attacks the system (P1–P6);
Attack (AT) to represent the devices that were under attack (AT1–AT10);
Steps (ST) to represent the steps the threat actor followed to attack (ST1–ST4).
Table 3. Smart grid SCS and potential security threats.
Attack Vector Type
External
Penetrating
Internal
Attacking
Devices under cyber
attack
CSC System Target
Position
Steps
CSC WAN/firewall
CSC vendor remote access
IED-supported
communication
Workstation, CMS, HEMS
Command center firewall
Organizational LAN firewall
Command center SCADA
Firewall
CSC vendors
IEDs
CMS
HEMS
Handheld devices
Vendor devices
P1
P2
ST1
ST2
P3
ST3
P4
P5
ST4
ST4
AT4
ST4
P6
AT1–AT4
AT5
AT6
AT7
AT8
AT9
AT 10
Activity 2: Determine attack vectors
Here we discuss the attack vectors from Table 3, and follow the attack step in Section 4, to explain
the attack vectors using the case study.
•
•
•
•
•
•
P1. Threat actor penetrates the system from a remote source through the firewall refer Step 1.
P2. Threat actor gains remote access through Vendor Systems refer Step 2.
P3. Threat actor exploits the IED that supports the communication systems refer Step 3.
P4. Threat actor manipulates the workstations, server, and handheld devices refer Step 4.
P5. Threat actor penetrates the command center firewall refer Step 4.
P6. Threat actor gains access into the command center and takes controls of the SCADA servers,
manipulating, exfiltrating, and obfuscating.
Future Internet 2019, 11, 63
•
17 of 25
AT1. The internal threat actor uses social engineering, ID theft, and administrative privileges to
gain access through the LAN firewall to manipulate the system refer Step 4.
Activity 3: Detect devices under cyber attack
•
•
•
•
AT1–AT4. Indicates that the firewall devices affected are under cyber attack.
AT5. CSC vendor systems are under attack.
AT6. IEDs are under attacks.
AT7. CMS server is under attack.
AT8. No funding body have any role in the design of the study; in the collection, analyses, or
interpretation of data; in the writing of the manuscript, or in the decision to publish the results”.
•
•
•
(HEMS) server is under attack.
AT9. Handheld devices are under attack.
A10. Vendor devices are under attack.
Phase 2: Attack scenarios
An attack scenario is used to determine the vulnerable spots and where penetrations occurred
between the variables, as listed in Table 4.
Table 4. Probability and threat indicators.
Scenario
Vulnerable Spots
Penetration
Manipulation%
Probability
Threat Indicators
1
2
3
4
5
6
7
8
Firewall
IDS/IPS
Vendor
Network
IP
Database
Software
Website
Y
Y
Y
Y
Y
Y
Y
Y
70
60
80
40
55
75
75
90
High
High
High
Medium
Medium
High
High
High
Wrong Firewall
Configuration
Audit
Sub-netting
Segmentation
Sanitizations
Reprogram
SSL/TLS
Scenario 1. Remote attack on the CSC system
The organization security team found that an adversary had intruded in the CSC system.
The threat actor had compromised the workstation of the CMS that interfaced with suppliers,
distributors, and third party vendors. The organization’s electronic products had been altered for
some time. The CMS generated inaccurate customer electricity consumptions, which compromised
the amount the customers were paying for their utility bills, their online payments, and third party
vendor systems. The organization used two types of payment systems, the prepaid system and
postpaid system, that were all integrated into the CMS and HEMS. Using the formula for calculating
conditional probabilities and Activity 1 and Table 4, we determined the vulnerable spots, the severities
of manipulation in percentages, and threat indicators.
Scenario 2: Spear phishing email attack
A spear phishing email was sent to the organizational web server and it was noticed that the
malware had infected 200 staff email addresses, with 160 that had their data corrupted, 27 that were
detected by the spam filter, and 205 that were not detected. The number of users that clicked on the
attachment was 220. The number of clicks on the malware attached message divided by the total
number of viewers of that message represents the probability of opening the infected email. Following
the formula in Phase 3 Activity 3, we used discrete probability to calculate the probability of emails
that were infected on the supply chain as follows:
P=
PsC (1 − r − )
v
Future Internet 2019, 11, 63
18 of 25
Results:
P = Ps∗C(1−r− )/v
Pa = 200∗(220−27)/205
Therefore, P = 188.29 (the probability of an opened and infected email)
Activity 4. Probability theorem
Probability (P) is the likelihood that an attack or event will happen. For the study, we identified
10 types of attacks that could be initiated on the supply chain system. These attacks were spyware,
ransomware, RAT, spear phishing, SQL injection, XSS, DoS, redirect script, cross site request forgery,
session hijacking, and hard-coded passwords. To pick an attack such as malware or SQL injection
from a scenario of 10 attacks where spyware, ransomware, RAT, and spear phishing attacks were all
classified as malware was 1/10.
For a scenario where the second attack is conditional on the first (e.g., manipulation is dependent
on penetration), we used the formula:
P(A or B) = P(A) + P(B) − P(A and B)
P(A + B) = P(A) ∗ P(B/A) Where {B/A is ‘B given A’}
Bayesian Probability Theorem
We used Bayes’ theorem to explain the dependent probability. Bayes’ theorem could be used
calculate the probability that manipulation would occur and cause a cascading effect on the supply
chain based on some pieces of evidence that were present. For a scenario where the second attack is
conditional on the first, (manipulation is dependent on penetration) we determined that if, for instance,
an organization had 370 manipulations out of 796 penetrations within a given period in a supply chain
environment, then in simple terms the probability is 370/796 = 0.046 (
Purchase answer to see full
attachment