Title: An architecture for HESTIA: high-level and extensible system for training and infrastructure risk assessment
Authors: Ananth A. Jillepalli; Daniel Conte De Leon; Yacine Chakhchoukh; Mohammad Ashrafuzzaman; Brian K. Johnson; Frederick T. Sheldon; Jim Alves-Foss; Predrag T. Tosic; Michael A. Haney
Addresses: Center for Secure and Dependable Systems, University of Idaho, Moscow, ID, USA; Department of Computer Science, University of Idaho, Moscow, ID, USA ' Center for Secure and Dependable Systems, University of Idaho, Moscow, ID, USA; Department of Computer Science, University of Idaho, Moscow, ID, USA ' Center for Secure and Dependable Systems, University of Idaho, Moscow, ID, USA; Department of Electrical and Computer Engineering, University of Idaho, Moscow, ID, USA ' Department of Computer Science, University of Idaho, Moscow, ID, USA ' Center for Secure and Dependable Systems, University of Idaho, Moscow, ID, USA; Department of Electrical and Computer Engineering, University of Idaho, Moscow, ID, USA ' Department of Computer Science, University of Idaho, Moscow, ID, USA ' Center for Secure and Dependable Systems, University of Idaho, Moscow, ID, USA; Department of Computer Science, University of Idaho, Moscow, ID, USA ' Department of Computer Science, University of Idaho, Moscow, ID, USA ' Center for Secure and Dependable Systems, University of Idaho, Moscow, ID, USA; Department of Computer Science, University of Idaho, Moscow, ID, USA; Center for Advanced Energy Studies, University of Idaho, Moscow, ID, USA
Abstract: Currently, preventing and mitigating cyber-attacks on cyber-physical control systems (CPCS) is a major challenge. A successful process for cyber-attack prevention and mitigation requires continuous vulnerability identification, threat modelling, risk assessment, hardening strategy design, and timely and correct implementation. These processes require a complete and detailed model of the CPCS plus knowledge of possible attacks and applicable defences. In this article, we describe the architecture of HESTIA: high-level and extensible system for training and infrastructure risk assessment. HESTIA is an iterative and adversarial-based modelling and risk assessment process and accompanying tool-set. We also describe the non-trivial design hurdles and concrete strategies for addressing these hurdles. Once fully developed, HESTIA will be able to: 1) completely specify a CPCS infrastructure; 2) check a specification for consistency; 3) identify applicable attacks and defences from a library; 4) enable the iterative execution of attack and hardening scenarios for training and risk-assessment and mitigation.
Keywords: cyber physical control system security; specification-based security; system hardening; security policy specification; critical infrastructure; consistency; applicability.
DOI: 10.1504/IJITCA.2018.092478
International Journal of Internet of Things and Cyber-Assurance, 2018 Vol.1 No.2, pp.173 - 193
Received: 31 Jan 2018
Accepted: 31 Jan 2018
Published online: 21 Jun 2018 *