Why 2 times 2 ain't necessarily 4 – at least not in IT security risk assessment?

Prof. Dr. Jens Braband
© Siemens AG 2016 – All rights reserved.
siemens.com
Prelude
It ain't necessarily so
It ain't necessarily so
The t'ings dat yo' li'ble
To read in de Bible,
It ain't necessarily so.
Sung by Sportin' Life, Drug Dealer
Image credits: By Ealmagro - Own work, GFDL, https://commons.wikimedia.org/w/index.php?curid=6368328; By Source, Fair use, https://en.wikipedia.org/w/index.php?curid=2214592
© Siemens AG 2016 – All rights reserved.
Page 2
2016-11-11
Mobility Division
Introduction
2x2=4
Image credit: By Eigenes Werk - Own work, GFDL, https://commons.wikimedia.org/w/index.php
Some additional thoughts
2 apples times 2 pears = 4 fruits?
Rank 2 times Rank 2 = ????????
Basic approach for IT security risk assessment from IEC 62443
1. Breakdown of the system into zones and conduits so that
   • the IT security requirements are coordinated in zones or conduits
   • each object is allocated to a zone or conduit
2. Assessment of the risk for each zone or conduit and each fundamental requirement (FR)
   • identification and authentication control (IAC)
   • use control (UC)
   • system integrity (SI)
   • data confidentiality (DC)
   • restricted data flow (RDF)
   • timely response to events (TRE)
   • resource availability (RA)
3. Determine Security Level (SL) for each zone or conduit for each FR
Security Level (SL) based on IEC 62443
(figure; labels: Safety, Hacker, Organisation, Cyberwar)
What’s the problem?
IEC 62443-3-2:2015 proposal for the determination of the target security level
What’s wrong with that?
Analysis
1. SL is by definition a seven-dimensional vector, e.g. (1,2,1,4,3,3,3), not a single scalar.
2. Setting all FR for a zone or conduit to the same scalar value is not reasonable.
3. For safety-related systems SL 0 is not reasonable, as all safety-related systems have to cope with operator errors or foreseeable misuse.
4. It is not justified why 4 is taken as a threshold. Why not take 5?
5. The type of the parameters is ordinal, so only a ranking of values is implied. How is multiplication defined semantically for ordinal or rank scales?
6. For ordinal values we could have used the descriptors A, B, C, D and E. What does BxC mean, or CxD/4?
How can we rescue the concept?
The problem of ordinal scales is well known from semi-quantitative risk analysis, e.g. risk priority numbers (RPN) from IEC 60812.
Usually two criteria have to be fulfilled:
1) Scenarios with similar risks should lead to the same RPN.
2) Scenarios with the same RPN should have similar risk.
Unfortunately these criteria can't be fulfilled by multiplication.
OK. Let’s add the numbers…
• Multiplication is continued summation...
• How is summation defined for ordinal numbers?
• But summation is easier to justify. If R = L x I, then the ordinal numbers can be interpreted as the logs of the original values (order of magnitude), and logs add.
• But what about proper calibration?
• And how do we get SL from that?
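The three slides above (the ordinal-scale objections in the analysis, the two RPN criteria from IEC 60812, and the "logs add" observation) can be checked mechanically. The following Python is an added example, not material from the presentation or from either standard: the five-point scale, its two numeric encodings, the 1..10 RPN ranks and the likelihood/impact figures are all constructed for illustration.

```python
"""Why multiplying ordinal ranks is not meaningful, why RPN-style products fail
the two criteria on the slide, and why order-of-magnitude classes add.
Added example; scales, encodings and scenarios are constructed."""
import math
from itertools import product

# A five-point ordinal scale as on the slide (A < B < C < D < E). The labels
# carry an order only, so any order-preserving numeric encoding is equally valid.
LABELS = ["A", "B", "C", "D", "E"]
ENCODING_NAIVE = {"A": 1, "B": 2, "C": 3, "D": 4, "E": 5}
ENCODING_SKEWED = {"A": 1, "B": 2, "C": 3, "D": 4, "E": 10}  # same order, wider top step


def product_score(encoding, likelihood, impact):
    """'Risk' as the product of the numeric codes (the draft's style of calculation)."""
    return encoding[likelihood] * encoding[impact]


def order_flips(enc_a, enc_b):
    """Pairs of (likelihood, impact) scenarios whose ranking by product differs
    between two valid encodings. A well-defined ordinal operation would return []."""
    scenarios = list(product(LABELS, repeat=2))
    flips = []
    for s, t in product(scenarios, repeat=2):
        diff_a = product_score(enc_a, *s) - product_score(enc_a, *t)
        diff_b = product_score(enc_b, *s) - product_score(enc_b, *t)
        if diff_a * diff_b < 0:  # s ranks above t in one encoding, below it in the other
            flips.append((s, t))
    return flips


def rpn(severity, occurrence, detection):
    """Risk priority number as in classical FMEA: product of three 1..10 ranks."""
    return severity * occurrence * detection


def distinct_rpn_values(scale=range(1, 11)):
    """All RPN values reachable from three ranks on `scale`, sorted ascending."""
    return sorted({rpn(*ranks) for ranks in product(scale, repeat=3)})


def rpn_gaps(scale=range(1, 11)):
    """Smallest and largest distance between neighbouring reachable RPN values.
    Unequal gaps mean one rank step is worth a different amount of 'risk'
    depending on where on the scale it happens (criterion 1 cannot hold)."""
    values = distinct_rpn_values(scale)
    gaps = [b - a for a, b in zip(values, values[1:])]
    return min(gaps), max(gaps)


def same_rpn_different_profile(scale=range(1, 11)):
    """Two scenarios that share an RPN although they are opposites: maximum
    severity with minimal occurrence/detection versus the reverse (criterion 2 fails)."""
    lo, hi = min(scale), max(scale)
    a, b = (hi, lo, lo), (lo, lo, hi)
    return rpn(*a) == rpn(*b), a, b


def magnitude_class(value):
    """Order-of-magnitude class of a positive quantity (nearest power of ten)."""
    return round(math.log10(value))


def risk_class_by_addition(likelihood_per_year, impact):
    """If R = L x I on the underlying scale, the order-of-magnitude classes add:
    class(L) + class(I) == class(L * I) when L and I sit on exact powers of ten.
    Values away from the powers of ten are where calibration becomes an issue."""
    return magnitude_class(likelihood_per_year) + magnitude_class(impact)


if __name__ == "__main__":
    print("ranking flips between encodings:", order_flips(ENCODING_NAIVE, ENCODING_SKEWED)[:3])
    print("distinct RPN values from 1000 combinations:", len(distinct_rpn_values()))
    print("min/max gap between neighbouring RPNs:", rpn_gaps())
    print("same RPN, opposite profile:", same_rpn_different_profile())
    print("class by addition:", risk_class_by_addition(1e-3, 1e6),
          "class of product:", magnitude_class(1e-3 * 1e6))
```

`order_flips` is the BxC question made concrete: (B,C) outranks (A,E) under one encoding and trails it under the other, although both encodings preserve A < B < C < D < E. Only 120 of the 1000 rank combinations yield distinct RPNs, neighbouring RPNs are anywhere from 1 to 100 apart, and (10,1,1) and (1,1,10) share RPN 10 despite very different risk profiles.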
New approach
1) Start with an educated guess of the SL-T vector for a zone or conduit, say SL0.
2) Perform a threat and risk analysis (TRA) assuming that all requirements for SL0 are fulfilled.
3) Change the SL for the FRs that relate to the not acceptable risks, giving SL0. Perform the TRA again.
Repeat these steps until an SLn with acceptable risks is reached. This is similar to numerical bisection, aka regula falsi.
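The iteration above, worked through in Python as an added example (not code from the presentation or from IEC 62443): the SL is kept as a seven-dimensional vector over the FRs, the TRA is stood in for by a constructed lookup table that only reports which FRs still carry unacceptable risk, and the loop raises exactly those FRs and re-runs the TRA until the verdict is clean. The zone, the table values and the `safety_related` floor of SL 1 are assumptions for illustration.

```python
"""Iterative SL-T determination as sketched on the 'New approach' slide.
Added example: zone, FR table and TRA model are constructed; a real TRA
evaluates threat scenarios rather than a lookup table."""

FRS = ("IAC", "UC", "SI", "DC", "RDF", "TRE", "RA")  # the seven IEC 62443 FRs
SL_MIN, SL_MAX = 0, 4


def sl_vector(**levels):
    """Build a seven-dimensional SL vector as a dict FR -> level, defaulting to 0."""
    unknown = set(levels) - set(FRS)
    if unknown:
        raise ValueError(f"unknown FR(s): {sorted(unknown)}")
    return {fr: levels.get(fr, SL_MIN) for fr in FRS}


def sl_meets(achieved, target):
    """SL vectors are only partially ordered: 'meets' is a component-wise check,
    not a comparison of two scalars."""
    return all(achieved[fr] >= target[fr] for fr in FRS)


# Constructed TRA model: for each FR, the lowest level at which the residual
# risk of this hypothetical zone is acceptable. The loop below never reads it
# directly; it only sees the TRA's verdict, as an assessor would.
_ACCEPTABLE_FROM = {"IAC": 2, "UC": 3, "SI": 2, "DC": 1, "RDF": 2, "TRE": 3, "RA": 3}


def tra(sl):
    """Threat and risk analysis stand-in: assume all requirements of `sl` are met
    and report the FRs whose risk is still not acceptable."""
    return [fr for fr in FRS if sl[fr] < _ACCEPTABLE_FROM[fr]]


def determine_sl_t(initial_guess, tra_fn=tra, safety_related=True):
    """Step 1: start from an educated guess SL0. Steps 2-3: run the TRA assuming
    the current SL is fulfilled, raise every FR with unacceptable risk by one
    level, repeat until the TRA reports nothing. Returns (SLn, [SL0, ..., SLn])."""
    sl = sl_vector(**initial_guess)
    if safety_related:
        # Analysis point 3: a safety-related system must at least cope with
        # operator error and foreseeable misuse, so no FR stays at SL 0.
        sl = {fr: max(level, 1) for fr, level in sl.items()}
    history = [dict(sl)]
    while True:
        unacceptable = tra_fn(sl)
        if not unacceptable:
            return sl, history
        for fr in unacceptable:
            if sl[fr] >= SL_MAX:
                raise RuntimeError(f"{fr}: risk not acceptable even at SL {SL_MAX}; "
                                   "the zone/conduit breakdown itself needs rework")
            sl[fr] += 1
        history.append(dict(sl))


if __name__ == "__main__":
    final, steps = determine_sl_t(sl_vector(UC=1, TRE=1))
    for i, step in enumerate(steps):
        print(f"SL{i}:", tuple(step[fr] for fr in FRS), "unacceptable:", tra(step))
    print("SL-T:", final)
```

Each pass raises only the FRs the TRA flagged, so the result is the vector (2,3,2,1,2,3,3) rather than one scalar applied to all seven FRs. Because the constructed verdict is monotone in each level, a per-FR bisection over 0..4 would converge to the same vector; the step-by-one loop is simply the easiest variant to follow. The `RuntimeError` branch is the case the slide's loop has no exit for: if SL 4 on some FR still leaves unacceptable risk, the remedy lies in the zone and conduit breakdown, not in a higher number.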
Summary
We have discussed a new approach for SL determination from draft IEC 62443-3-2. The major new results are:
• The approach is seriously flawed
• The tolerable risk is not justified
• The derived SL does not fit the definition of SL
• The multiplication of ordinal numbers is not defined
An alternative approach that overcomes these problems was sketched.
I'm preachin' dis sermon to show,
It ain't nece-ain't nece
Ain't nece-ain't nece
Ain't necessarily ... so !