Formalizing an Automated, Adversary-aware Risk Assessment Process for Critical Infrastructure

Abstract

Cyber-attack attempts against critical infrastructure have been increasing in recent years. In the event of a successful cyber-attack on critical infrastructure, the potential for wide-spread loss of access to a critical resource, like electricity, is high. Automated and adversary-aware risk assessment approaches may be useful in defending the nation’s critical infrastructure. In previous publications, one such approach, HESTIA, was presented. HESTIA stands for High-level, Extensible System for Training and Infrastructure risk Assessment, which is a semi-automatic, adversarial- and specification-based risk assessment system. HESTIA takes a system specification and subjects it to specifications of attack and hardening scenarios to generate a new specification, which can be used for risk assessment of the system. This paper formalizes a part of HESTIA process. We also discuss about HESTIA’s planned utilization.