Pattern Recognition and Applications Lab
University of Cagliari, Italy
Department of Electrical and Electronic Engineering
Risk management
Giorgio Fumera
http://pralab.diee.unica.it
Real-world examples of risk assessment
Introduction
• Standards, frameworks and guidelines (ISO, NIST, etc.) neither
define nor suggest specific risk assessment techniques
• Several techniques have been developed over the years for
different application scenarios:
– process industries
– financial institutions
– civil and environmental engineering
– computer security
– ...
• In practice, each organization may need to adapt one or more
of the existing techniques to its specific requirements
Real-world examples of risk assessment are presented in the
following, in two different application fields:
– process industries: evaluating the risk related to safety events (e.g.,
explosions) due to mechanical failure or to cyber-attacks
– enterprises: financial risk assessment, in the context of the enterprise
risk management (ERM) framework
Example 1
Risk assessment in process industries
Source:
H. Abdo, M. Kaouk, J.-M. Flaus, F. Masse, A safety/security risk analysis approach of Industrial Control Systems: A cyber bowtie – combining new version of attack tree with bowtie analysis, Computers & Security, Vol. 72,
Jan. 2018, pp. 175–195
Available from inside UNICA network at:
https://www.sciencedirect.com/science/article/pii/S0167404817301931
Safety and security risks
Safety (industry)
• accidental risks caused by component failures, human errors or any non-deliberate source of hazard
• relatively rare events
Security (information systems)
• deliberate risks originating from malicious attacks, accomplished physically or by cyber means
• common events
Industrial automation and control systems
Digital technology is widely used nowadays in process industries for
instrumentation and industrial automation: SCADA systems monitor
and control equipment that deals with critical and time-sensitive
materials or events.
Cyber-security risks can affect the safety of industrial systems.
[Figure labels: Supervisory Control And Data Acquisition (SCADA), Manufacturing Execution System, Enterprise Resource Planning, Programmable Logic Controller (PLC)]
Risk analysis techniques
• Safety-related events (industry)
– fault tree analysis: identifying the causes of an undesired event
– event tree analysis: identifying the consequences of an undesired
event
– bowtie analysis: combines fault and event trees
All the above models can also be used to evaluate the likelihood of
undesired events
• Security-related events (attacks on information systems)
– attack tree analysis: describes the sequence of steps needed to
perform an attack
Safety risks: bowtie analysis
Security risks: attack scenario
Security risks: attack tree
Extended version of attack trees
proposed by Abdo et al. (2018)
Three kinds of security events:
Example of attack tree
WannaCry ransomware attack model
Combined bowtie-attack tree
Model proposed by Abdo et al. (2018) to analyze risks related to safety
events or to cyber attacks.
Main goal: estimating the likelihood of undesired events.
Likelihood evaluation of safety events
Qualitative scale
Likelihood evaluation of security events
Qualitative scale
Overall likelihood evaluation
Minimal cut set
[Figure: fault tree; surviving node labels: T, G, S, B]
Minimal cut set: a smallest collection of
basic events whose simultaneous occurrence leads to the occurrence of the
top event.
In the fault tree on the left:
• !, #
• $, !
Example: likelihood of a minimal cut set
AND gates: min rule
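Added example (not from the slides or from Abdo et al.): the code below enumerates the minimal cut sets of a small constructed fault tree by top-down expansion and scores each one with the min rule for AND gates. The event names and the 1 to 5 likelihood scale are assumptions made for illustration.

```python
from itertools import product

# Constructed fault tree for illustration; the events are assumptions and are
# not taken from the slides or from Abdo et al. (2018).
# A node is a basic-event name (str) or a tuple (gate, [children]).
TREE = ("OR", [
    ("AND", ["cooling_pump_failure",
             ("OR", ["operator_misses_alarm", "alarm_sensor_failure"])]),
    ("AND", ["scada_access_gained", "malicious_setpoint_sent"]),
    # Redundant branch: a superset of the previous one, so not minimal.
    ("AND", ["scada_access_gained", "malicious_setpoint_sent",
             "alarm_sensor_failure"]),
])

# Assumed qualitative likelihood scale: 1 (very unlikely) .. 5 (very likely).
LIKELIHOOD = {
    "cooling_pump_failure": 2,
    "operator_misses_alarm": 3,
    "alarm_sensor_failure": 1,
    "scada_access_gained": 3,
    "malicious_setpoint_sent": 4,
}

def cut_sets(node):
    """Expand a subtree into all of its cut sets (frozensets of basic events)."""
    if isinstance(node, str):
        return [frozenset([node])]
    gate, children = node
    per_child = [cut_sets(child) for child in children]
    if gate == "OR":    # any single child is enough to trigger the gate
        return [cs for sets in per_child for cs in sets]
    if gate == "AND":   # every child must occur: merge one cut set per child
        return [frozenset().union(*combo) for combo in product(*per_child)]
    raise ValueError(f"unknown gate: {gate!r}")

def minimal_cut_sets(node):
    """Keep only cut sets that do not strictly contain another cut set."""
    found = set(cut_sets(node))
    return [s for s in found if not any(other < s for other in found)]

def cut_set_likelihood(cut_set, scale=LIKELIHOOD):
    """Min rule for AND: a cut set is as likely as its least likely event."""
    return min(scale[event] for event in cut_set)

def ranked_cut_sets(node=TREE, scale=LIKELIHOOD):
    """Minimal cut sets as (sorted events, likelihood), most likely first."""
    rows = [(sorted(s), cut_set_likelihood(s, scale)) for s in minimal_cut_sets(node)]
    return sorted(rows, key=lambda row: (-row[1], row[0]))

if __name__ == "__main__":
    for events, level in ranked_cut_sets():
        print(level, " AND ".join(events))
```

The third branch of the constructed tree is dropped because it strictly contains the second, which is what makes the remaining sets minimal.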
Case study
Chemical reactor with its SCADA system
structure.
Two physical parameters under control:
• temperature
• pressure
Components (valves, pumps, etc.)
are controlled by PLCs and supervised
by a SCADA system.
Main undesired event:
overheating and overpressure inside the reactor.
Combined attack tree-bowtie (AT-BT) of the scenario under study
AT for the goal: gain unauthorized access to SCADA
Example of min cut
Likelihood evaluation of a min cut
Example 2
Enterprise Risk Management field
Source:
P. Curtis, M. Carey. Risk assessment in practice. Committee of Sponsoring
Organizations (COSO) of the Treadway Commission, 2012
Available at: https://www.coso.org/Pages/guidance.aspx
The risk assessment process
Impact scale
Speed of onset scale
Qualitative vs quantitative evaluations
Risk hierarchies
Combined risk and opportunity map