Abstract:
Cyber-Physical Systems (CPSs) are part of most critical infrastructures, such as industrial automation and transportation systems. Security incidents targeting CPSs can have disruptive consequences for assets and people. Since prior incidents tend to recur, sharing knowledge about them can help organisations be better prepared to investigate future incidents, i.e. to be forensic-ready for future investigations.
In this thesis, we aim to support the forensic readiness of CPSs. To this end, we propose a novel approach for representing and sharing security incident knowledge between systems in order to assess organisations’ forensic readiness. We represent incident knowledge as incident patterns that capture the characteristics of an incident (e.g., its activities) that can manifest again. Incident patterns are a more abstract representation of incident instances and can therefore be shared between systems. To support the approach, we provide two meta-models that represent, respectively, incidents and systems. The incident meta-model captures the characteristics of incidents, such as assets and activities. The system meta-model captures cyber and physical components and their interactions. We provide an automated technique to extract an incident pattern from a specific incident instance. To assess how incident patterns can manifest in systems, we propose an automated technique to instantiate incident patterns in specific systems. We also propose a set of software tools to facilitate incident management in smart spaces (e.g., smart buildings): a System Editor to represent smart buildings where incidents can occur, an Incident Editor to represent the activities of an incident and the associated entities (e.g., locations), and an Incident Filter that allows viewing and prioritising the most relevant incident instantiations. To assess the forensic readiness of CPSs, we propose an automated technique to assess the availability of the data sources required to observe and store data about events relevant to future investigations of incidents. We demonstrate the feasibility of our approach in the application domain of smart buildings using two substantive scenarios inspired by real-world systems and incidents.
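The following is an added illustration of the pipeline the abstract describes (incident instance, pattern extraction, instantiation in a system model, data-source availability check); it is example code written for this page, not the thesis's meta-models or tools. It assumes a simplified representation in which each asset has an abstract kind and a location, a pattern replaces concrete asset names with typed variables (`?1:controller`), an instantiation must bind the initiator and target of each activity to components that interact, and the evidence for an activity is expected to be collected at the target component's location by a data source that retains data. The components, links and data sources are constructed sample input.

```python
"""Toy incident-pattern extraction, instantiation and forensic-readiness check.

Added example for illustration only; names, kinds and locations are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Component:
    name: str
    kind: str                            # abstract type shared across systems
    location: str                        # room/zone in the building model
    links: FrozenSet[str] = frozenset()  # names of components it interacts with


@dataclass(frozen=True)
class Activity:
    action: str
    initiator: str  # concrete component name (instance) or typed variable (pattern)
    target: str
    evidence: str   # kind of event an investigator would need, e.g. "network_flow"


@dataclass(frozen=True)
class DataSource:
    name: str
    observes: str   # evidence kind it can capture
    location: str
    retains: bool   # True if it stores data rather than only displaying it


@dataclass(frozen=True)
class System:
    components: Tuple[Component, ...]
    data_sources: Tuple[DataSource, ...]

    def component(self, name: str) -> Component:
        return next(c for c in self.components if c.name == name)


def extract_pattern(activities: List[Activity], assets: Dict[str, Component]) -> List[Activity]:
    """Abstract an incident instance into a pattern: each concrete asset becomes a
    typed variable such as '?2:controller', so only asset kinds are shared."""
    var: Dict[str, str] = {}

    def abstract(name: str) -> str:
        if name not in var:
            var[name] = f"?{len(var) + 1}:{assets[name].kind}"
        return var[name]

    return [Activity(a.action, abstract(a.initiator), abstract(a.target), a.evidence)
            for a in activities]


def instantiate(pattern: List[Activity], system: System) -> List[Dict[str, str]]:
    """Bind every pattern variable to a distinct component of the same kind, consistently
    across activities; initiator and target of each activity must be linked (assumption)."""
    variables = sorted({v for a in pattern for v in (a.initiator, a.target)})
    by_kind: Dict[str, List[str]] = {}
    for c in system.components:
        by_kind.setdefault(c.kind, []).append(c.name)
    results: List[Dict[str, str]] = []

    def consistent(b: Dict[str, str]) -> bool:
        for a in pattern:
            if a.initiator in b and a.target in b:
                i, t = system.component(b[a.initiator]), system.component(b[a.target])
                if t.name not in i.links and i.name not in t.links:
                    return False
        return True

    def search(idx: int, b: Dict[str, str]) -> None:
        if idx == len(variables):
            results.append(dict(b))
            return
        v = variables[idx]
        for name in by_kind.get(v.split(":")[1], []):
            if name in b.values():      # distinct variables bind distinct components
                continue
            b[v] = name
            if consistent(b):
                search(idx + 1, b)
            del b[v]

    search(0, {})
    return results


def readiness_gaps(pattern: List[Activity], binding: Dict[str, str], system: System):
    """Activities whose evidence no retaining data source can observe at the target's location."""
    gaps = []
    for a in pattern:
        loc = system.component(binding[a.target]).location
        if not any(d.observes == a.evidence and d.location == loc and d.retains
                   for d in system.data_sources):
            gaps.append((a.action, binding[a.target], a.evidence))
    return gaps


def prioritise(pattern: List[Activity], system: System):
    """Rank instantiations with the most readiness gaps first (assumed ranking criterion)."""
    ranked = [(readiness_gaps(pattern, b, system), b) for b in instantiate(pattern, system)]
    return sorted(ranked, key=lambda g: len(g[0]), reverse=True)


# Constructed incident instance: a laptop in the lobby reaches a controller, which then
# commands a damper in the server room.
INCIDENT_ASSETS = {
    "attacker-laptop": Component("attacker-laptop", "external_host", "lobby"),
    "hvac-ctrl-3": Component("hvac-ctrl-3", "controller", "plant_room"),
    "damper-7": Component("damper-7", "actuator", "server_room"),
}
INCIDENT = [
    Activity("connect", "attacker-laptop", "hvac-ctrl-3", "network_flow"),
    Activity("command", "hvac-ctrl-3", "damper-7", "control_command"),
]

# Constructed target system (a different building) in which the pattern is instantiated.
TARGET_SYSTEM = System(
    components=(
        Component("guest-pc", "external_host", "reception", frozenset({"bms-01"})),
        Component("bms-01", "controller", "control_room", frozenset({"guest-pc", "valve-2", "damper-9"})),
        Component("valve-2", "actuator", "boiler_room", frozenset({"bms-01"})),
        Component("damper-9", "actuator", "lab_A", frozenset({"bms-01"})),
    ),
    data_sources=(
        DataSource("core-switch-netflow", "network_flow", "control_room", True),
        DataSource("bms-cmd-log", "control_command", "boiler_room", True),
        DataSource("lab-hmi", "control_command", "lab_A", False),  # displays, does not store
    ),
)

if __name__ == "__main__":
    pattern = extract_pattern(INCIDENT, INCIDENT_ASSETS)
    for gaps, binding in prioritise(pattern, TARGET_SYSTEM):
        print(binding, "gaps:", gaps)
```

Running the block yields two instantiations of the pattern in `TARGET_SYSTEM`; the one ending at `damper-9` is ranked first because the only source of control-command evidence in `lab_A` does not retain data, whereas the `valve-2` instantiation is fully covered.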