RISK BY CONTEXT (RBC): New methods for assessing and prioritizing cyber risks in dynamic and complex systems

By Mirko Ross;

Current cybersecurity risk detection systems in complex networked OT (Operational Technology) systems focus predominantly on situational assessments based on: Detection of participants in the system (ID, asset management, scan for known vulnerabilities (CVE) and mapping of participants and detected vulnerabilities to actively exploited attack paths. In the best case, the result is a list of detected vulnerabilities in the overall system and their assignment to assets and weighting according to CVVS (Common Vulnerability Scoring System).

However, in complex networked systems with several hundred to a thousand participants, such a list of CVEs related to assets can easily grow to a confusing length comprising hundreds of thousands of references.  Particularly in the case of OT (Operational Technology) assets, vulnerabilities cannot be closed in practice without major hurdles for a variety of reasons. These include: missing information on installed firmware, limitation of software maintenance windows, sluggish patch supply, and insufficient over-the-air update connectivity.

CVVS-based prioritization of cybersecurity vulnerabilities here inevitably leads to perception and resource problems in planning and executing risk mitigation measures. As a result, measures and resources are implemented in the wrong places and vulnerabilities are often underestimated or not detected in participants with high operational risks. Especially in dynamic and complex OT systems, this results in a permanent attack surface with sufficient options for attackers to create a high operational damage picture.

To solve this problem, asvin proposes “Risk by Context“, a novel method for identifying and prioritizing risks in OT systems. This method thereby relates operational factors and cybersecurity factors (context) and enables a weighting of risks via mathematical methods for the evaluation of topological contexts. The method also allows unknown cybersecurity risks (e.g., zero-day exploits, firmware states) to be included in the risk assessment, extending the risk consideration beyond the horizon of known CVEs and attack paths. In addition, risk states can be simulated in a complex system, for example, to predict the risk impact of adding or removing participants.

With the Risk by Context method, asvin makes a significant contribution to the optimization of Cyber Threat Intelligence and Situational Awareness. Furthermore, the method opens up an accountable (trustworthy) introduction of new security metrics and enables forecasts on the (predictive) impact of cyber attacks on command and control systems. Through an optimized preparation of risks, the use of resources (personnel and material) can be optimized in risk minimization.  This is a significant new contribution to increasing resilience in command and control systems.