"Taking a Systems Approach to Cybersecurity"

A new study conducted by researchers at the International Institute for Applied Systems Analysis (IIASA) proposes a framework that takes a more holistic approach to cybersecurity. They also proposed a model that explicitly represents multiple dimensions of the potential effects of successful cyberattacks. Critical infrastructure such as electric power grids are growing in sophistication, meaning they are also becoming increasingly more reliant on digital networks and smart sensors to operate. This reliance has made such critical infrastructure more vulnerable to cyberattacks that can disable systems, disrupt operations, or enable attackers to remotely control affected systems. The impacts of successful attacks on critical cyber-physical systems are also multidimensional, so they can incur losses for operators of the compromised system, result in economic losses for other parties relying on their services, present environmental hazards, and more. According to the new study, the multidimensional impacts of cyberattacks call for a tool capable of distinguishing between the different dimensions of cyber risks. The tool should also enable the design of security measures that can most efficiently use limited resources. The researchers wanted to determine whether it is possible to find vulnerabilities that could open ways for several attack scenarios to proceed if exploited. They also wanted to find out if it is possible to use this knowledge to simultaneously deploy countermeasures to protect a system from several threats. One common way in which cyber threats are managed involves conducting an analysis of individual attack scenarios through risk matrices, prioritizing the scenarios based on their perceived urgency, and addressing them in order until all the available cybersecurity resources are spent. However, the team pointed out that this approach could lead to suboptimal resource allocations since the potential synergies between different attack scenarios and among available security measures are not considered. Existing assessment frameworks and cybersecurity models assume the perspective of the system's operator and support their cost-benefit analysis, but this approach is inadequate in the context of security of critical infrastructure, where the potential impacts of cyberattacks are multidimensional and may affect multiple stakeholders. Therefore, the researchers propose a quantitative framework that features a more holistic picture of the cybersecurity landscape, encompassing multiple attack scenarios. To do this, they developed a Bayesian network model that represents the cybersecurity landscape of a system. This article continues to discuss the framework and model proposed by the researchers to support a holistic approach to cybersecurity. 

IIASA reports "Taking a Systems Approach to Cybersecurity"