Please use this identifier to cite or link to this item:
http://theses.ncl.ac.uk/jspui/handle/10443/6812

| Title: | Attack scenario generator for industrial control system |
| Authors: | Alfagham, Mazyounah Haif S |
| Issue Date: | 2025 |
| Publisher: | Newcastle University |
| Abstract: | Attack scenarios are hypothetical or planned sequences of events that describe how an attacker might target a system, organization, or network. Their primary goal is to carry out malicious activity. Attack scenarios help in identifying potential threats and understanding the possible consequences of a successful attack. Security analysts traditionally create attack scenarios manually. They may use graphical security models such as attack graphs or trees, frameworks such as the cyber kill chain, or a combination of these. Security analysts rely heavily on their knowledge and experience to carry out this manual approach. However, the manual approach is a challenge for complex systems, such as Industrial Control Systems (ICSs). Indeed, ICSs have various requirements coming from the plurality of structures, devices, protocols and application contexts. In addition, the threat landscape for ICSs is constantly evolving due to their increased use. The manual creation of an attack scenario for a given ICS against a given threat landscape might therefore be complex, error-prone and quickly outdated. The proposed novel general methodology can be effectively used by security analysts to define attack scenarios for ICSs. The proposed methodology gathers the raw data from vast sources to prepare the data and initiate the inferential analysis. Furthermore, it structures and creates the attack sequence to generate the scenario and then simulates the attack scenario. The method was first tested by manually analyzing a complex case study. Human analysts were relied upon to review previous reports and map them to the ICS cyber kill chain to generate a scenario and identify the relationship between the attacks. Next, it was demonstrated that this method could be automated. Both a threat-based approach (by automating the cyber threat knowledge base to generate attack scenarios) and a system-based approach (by using the static system state to create attack scenarios) were used. These two approaches were combined in a new tool called the Attack Scenario Generator (ASG). The ASG can generate and optimize attack scenarios based on the cyber kill chain, and predict the techniques, software, and groups behind the attacks in just a few seconds with high accuracy. This saves time and effort and assists ICS owners efficiently. |
| Description: | PhD Thesis |
| URI: | http://hdl.handle.net/10443/6812 |
| Appears in Collections: | School of Computing |
Files in This Item:
| File | Description | Size | Format |
|---|---|---|---|
| Alfagham M H S 2025.pdf | Thesis | 6.92 MB | Adobe PDF |
| dspacelicence.pdf | Licence | 43.82 kB | Adobe PDF |