A Manual for the Cyber Security Modeling Language

Hannes Holm, Mathias Ekstedt, Teodor Sommestad, Matus Korman

Department of Industrial Information and Control Systems, Royal Institute of Technology, 100 44 Stockholm, Sweden
Email address: [email protected] (Mathias Ekstedt)
Date of revision: November 15, 2013

Abstract

The Cyber Security Modeling Language (CySeMoL) is an attack graph tool that can be used to estimate the cyber security of enterprise architectures. CySeMoL includes theory on how attacks and defenses relate quantitatively; thus, users must only model their assets and how these are connected in order to enable calculations. This report functions as a manual to facilitate practical usage and understanding of CySeMoL.

Keywords: Cyber security, security metrics, attack graphs, SCADA systems

1. Introduction

Information Technology (IT) is today a cornerstone of nearly all business, as IT applications handle everything from management of critical data to control of physical processes such as the power grid. Considerable effort is thus spent by both researchers and practitioners to preserve IT systems in a reliable and predictable state. This is, however, a difficult topic to manage, as a modern IT architecture is typically composed of a large number of systems, processes and individuals connected to form a complex system-of-systems (hereafter referred to simply as system). Threats towards the state of the system arise from errors made both during the development and the maintenance of employed IT. The presence of individuals determined to exploit these errors to conduct unauthorized activity in the system adds another layer to the complexity of the problem. To estimate the vulnerability of a system, an enormous number of factors need to be considered. It is not sufficient to address all vulnerabilities within it; there is also a need to understand how these vulnerabilities relate.
Consequently, it is a difficult task for enterprise decision makers to effectively manage the cyber security of their system. A common means of estimating the cyber security of a system in practice is to consult experts, e.g., network penetration testers. While consulting experts certainly is valuable, the resulting estimates come with three significant limitations: they are only valid for 1) the time that they were carried out, 2) the parts of the enterprise architecture that were studied by the expert, and 3) the competence of the consulted expert. These limitations are especially problematic given the dynamic nature of enterprise IT systems and the lack of resources available for analyses.

Enterprise decision makers are thus in need of tools that can help estimate the cyber security of their system in an easy-to-understand fashion. While there are various tools available for this purpose, most suffer from being either too vague, and thus ultimately subjective [1] (e.g., Common Criteria [2], OCTAVE [3], CORAS [4] and the model by Breu et al. [5]), or too limited in terms of scope (e.g., MulVAL [6, 7], NetSPA [8] or TVA-tool [9]).

With the shortcomings of existing tools in mind, researchers at the Department of Industrial Information and Control Systems (ICS) at the Royal Institute of Technology (KTH) in Stockholm, Sweden, developed a new tool denoted the Cyber Security Modeling Language (CySeMoL) [10]. CySeMoL is a modeling framework and calculation engine for estimating the cyber security of enterprise-level system architectures [10]. CySeMoL includes theory on how attacks and defenses relate quantitatively; thus, security expertise is not required from its users. Users must only model their system architecture (e.g., services, operating systems, networks, and personnel) and specify their characteristics (e.g., if an operating system has a host firewall enabled) in order to enable calculations.
The purpose of this report is to describe the content of CySeMoL. In other words, it functions as a manual to facilitate practical usage and understanding of CySeMoL. The remainder of this repor