Pioneering a holistic approach to cyber security
Large corporations, public services such as hospitals and utilities such as energy suppliers rely on increasingly complex network systems in order to run efficiently and seamlessly. Such reliance, however, makes them susceptible to cyber hacking, which can cost companies millions in downtime and damage to reputation, and in the case of compromised public services, can even put lives at risk.
‘The fact that nine out of ten software security failures are caused by software defects represents a key vulnerability that hackers can exploit,’ explains Juergen Grossmann from Fraunhofer in Germany, who was in charge of standardisation issues in the RASEN project. ‘Protecting large networked systems, like the ones run by major companies, means understanding all the potential underlying security risks. A key problem however is that system complexity can make assessments and testing extremely challenging.’
Holistic approaches to cyber security
The RASEN project has sought to address this by treating security risk assessments and security testing more holistically. Until now, both have been treated as distinct areas.
‘While industry is demanding more integrated approaches in order to cope with security, no standard currently exists that sufficiently emphasises the need to systematically integrate security risk assessments and security testing,’ says Grossmann. ‘So we aimed to find ways to better support companies and organisations eager to undertake comprehensive risk analysis of large scale and networked systems.’
The RASEN project began by conducting a systematic composition of security assessment results. This allows individual parts of an ICT system to be analysed separately before a global assessment is made from the individual results. Secondly, the team combined high-level security risk assessments with low-level security testing.
‘With this approach, risk assessments can be used to derive security test cases, and security test results can be used to verify or update the risk assessments,’ explains Grossmann. ‘Furthermore, these methods cover security risk assessments from different perspectives. Legal risk assessments for example address security threats in a legal context, while security risk assessments deal with threat probability and estimated consequences.’
Results for the real world
The results of the RASEN project have now been translated into a toolbox to help companies and organisations combine security risk assessments and testing. The idea is to make the project’s methodology as operational and practical as possible. The RASEN method, along with some of the tools, is now downloadable from the project website, while the project’s RACOMAT tool allows users to combine component-based security risk assessment with security testing. Testing can be integrated seamlessly into the incident simulations the tool uses for its compositional risk analysis.
‘Our methods are repeatable, which means that continuous assessment through rapid reassessment will help to maintain the validity of results even as the target system or its environment changes and evolves,’ says Grossmann. ‘For example, our RACOMAT tool accesses libraries containing risk analysis artefacts like attack patterns and security test patterns, offering a high level of reusability. Much of the process can be done automatically.’
The RASEN project has also laid the groundwork for several new research projects (Fraunhofer is involved in the PREVENT project, for example) and contributed towards the formulation of new industry standards.
‘Several standardisation documents (e.g. ETSI EG 203251 and ETSI TR 101 583) have been adopted by the European Telecommunications Standards Institute and forwarded to international standardisation bodies,’ says Grossmann. ‘These documents reflect the project’s results in the area of security risk assessment.’
Keywords
RASEN, cyber security, toolbox, public services, hacking, vulnerability, networked systems, standardisation, threat, RACOMAT