Distributed Online Risk Assessment in the National Cyberspace

Abstract

The paper presents a distributed approach to online cyber risk assessment across the country, taking into account cyber threats and vulnerabilities identified by local services operators. It consists in distributed, asynchronous calculations of possible failure scenarios. They are a solution of a set of nonlinear, nonsmooth equations with locally assessed risk activation functions as inputs. These functions indicate whether a given threat is expected in some future period. The convergence condition of the mentioned algorithm is given in the theorem form. At the end, a case study concerning a system consisting of four entities is presented.

1. Introduction

The COVID-19 pandemic, during which many people started to work, learn, and study from home, has shown how important distributed systems are. It concerns especially clouds, their stability and reliability [1]. Microsoft TEAMS, Google Meet, and Zoom saw a very big increase of new people signing into them [1]. The importance of digital services has increased rapidly. Unfortunately, in this time of crisis, cyber criminals have become hyperactive and have been constantly preying on the sensitive data of both individual users and organizations. Because of that, cyber security needs to be upgraded to protect users against rising cyber crimes [2,3].

The distributed nature of the system implies that the underlying security controls and monitoring facilities should be also distributed, with the ability to apply filtering to minimize the exchange of information concerning security with the central node [4].

An alternative is a hierarchical approach: coordinator–local units, or master–workers, where there exists an entity responsible for national-level risk assessment—the Operations Center (CNT) and local entities (LE)—essential services operators, presented in the previous papers [5,6]. In such a system, local units participating in the calculations do not exchange information related to the risk assessment process for the whole or a part of the system; rather, they send data to the CNT after making their assessments.

A hierarchical approach can be embarrassing when a large amount of information is transferred to the CNT and when there are problems with connectivity to part of the system as a result of an attacker’s success. Moreover, when the CNT serves only to gather the data, calculate some aggregated values, and broadcast the results, the question arises whether the coordination is really necessary.

Therefore, it appears that a peer-to-peer system, closely related to the network topology, where different units perform calculations and exchange information with the direct neighbors [7,8,9], seems to be more appropriate.

The literature on the different approaches to dynamic risk assessment in critical infrastructure, including core IT systems, is very broad [10,11]. However, the models used for online calculations of possible event scenarios, based e.g., on attack graphs [12,13,14,15], system dynamics [16], Bayesian networks [17], and Markov chains [18,19], assume centralized processing. Just recently, an interesting decentralized model based on fuzzy Bayesian Games, looking for a consensus via delegated proof of stake (DPoS) and proof of work (PoW) algorithms was presented [20]. However, it was designed for multimicrogrid systems and uses the adequate low-level information.

The model presented here is the next step to work out a practical mechanism which is [21] “scenario-based, where actors are gathered together to consider scenarios in the round; such scenarios describe risks as a narrative and label them by applying simple categories of likelihood and impact”. However, unlike in references [5,6], likelihood does not have to take values from the interval $[0, 1]$ (in some models it is more convenient to scale it to a different interval, e.g., $[0, 100]$) and it is assumed that the influence of the neighbouring nodes is limited. The equations presented here are a little similar to those of studies [22,23,24] but they are nonlinear with saturation functions. In this paper, first such a model is presented in a detailed way, then the theorem concerning the convergence of the proposed iterative algorithm is formulated and proved. Finally, a case study concerning a system built from a power plant, a hospital, a railway operator, and a data center shows a scenario, that is the course of possible events, after an attack on the power plant.

2. Distributed Calculation of Iterated Possible-Failure Scenarios

Let us consider a distributed peer-to-peer system, where the LEs work asynchronously and send information to the CNT when a stable result (convergence) from their calculations is obtained, of course repeating the procedure when the situation changes (Figure 1).

Assume that the scenarios are calculated in a way similar to weather forecasts, that is they may be determined on different horizons and they are updated repetitively at times $t_c,c=0,1,2,3,\dots$ with a given frequency, e.g., for every 15 min, half an hour, etc. The calculations of these scenarios are performed before every $t_c$, that is at the end of the interval $(t_{c-1},t_c)$. Assume also that an LE delivers a service s. The set of all services considered by us will be denoted by S. At a given time $t_k^s\in (t_{c-1},t_c)$, while analyzing the risk of its malfunctioning, the s-th LE considers a future time interval $T^s$, which is composed of a number of subintervals $T_p^s$, $p=1,\dots ,P^s$, that is:

$$T^s=T_1^s\cup T_2^s\cup \cdots \cup T_{P^s}^s$$

(1)

For each of these intervals, let us denote with $L^s(p,t_k^s)$ the likelihood of a failure of a service s estimated at time $t_k^s<t_c$. The possible failure scenario (PFS) of the service s estimated at time $t_k^s$ is defined as $L^s\left(t_k^s\right)=(L^s(p,t_k^s);p=1,\dots ,P^s)$. We assume, of course, that every local entity, using its risk assessment method, which takes into account its current cyber-security situation and PFSs of the neighbouring LEs influencing its functioning, is able to determine its own PFS.

Intervals $T_p^s$ can have different lengths related to the different reaction times of various services. For example, for $P^s=4$, $T_1^s$ may refer to a short nearest-future period in which the service s may be affected by current threats. The next, longer, intervals $T_2^s,T_3^s$ (mid term) and $T_4^s$ (long term) (Figure 2) may concern both the threats and reactions on them.

PFSs of essential services will deliver the most important information, and may be used, e.g., for analysis, graphical threat presentation, and, in cases when it is possible to determine numerical cost values for PFSs, for the optimization of different safety measures that may be applied during the incident.

3. LE Working Mode

Now, consider the risk assessment at the local unit level. Suppose that the s-th LE information system has multiple vulnerabilities $v\in V^s$, exploited by a number of cyber threats $m\in M^s$, where $V^s$ is the set of vulnerabilities, and $M^s$ is the set of cyber threats affecting the service s. The vulnerability $v\in V^s$ is exploited with an impact factor $I_v^s$ on the likelihood of the failure/degradation of the service provided by LE. These impacts may be expressed with appropriate numbers attached, e.g., [25]: low (0, 0.1), medium (0.1, 0.5), and high (0.5, 1). For each threat $m\in M^s$, it is possible to assign a likelihood $L_{vm}^s$ that this threat may exploit vulnerability $v\in V^s$, and to define the risk activation function as:

$$R_m^s\left(p\right)=\left\{\begin{array}{cc}1\hfill & \mathrm{when} \mathrm{threat} m \mathrm{is} \mathrm{expected}\hfill \\ \hfill & \mathrm{to} \mathrm{be} \mathrm{present} \mathrm{within} T_p^s\hfill \\ 0\hfill & \mathrm{otherwise}\hfill \end{array}\right.$$

(2)

Moreover, except these local cyber threats, it may be that the external services influencing s-th LE can also be temporarily disrupted or substantially degraded. Let us denote the set of those entities by $U^s$ and the impact of the failure of the service u on the service s by $J_u^s$. It is assumed that all compromised services can work in the safe mode, which implies that their likelihood of failure is restricted to ${\overline{L}}^u,u\in U^s$.

Summing up, the likelihood that the service s will fail in the subinterval $T_p^s$, issued at time $t_{k+1}^s>t_k^s$, such that $t_{k+1}^s<t_c$, can be be calculated as follows:

$$L^s(p,t_{k+1}^s)=\sum _{v\in V^s}{I}_v^s\sum _{m\in M^s}{L}_{vm}^s{R}_m^s\left(p\right)$$

$$+\sum _{u\in U^s}{J}_u^{s}min\left({\overline{L}}^u,L^u\left(r_u^s\left(p\right),{\tau }_u^s\left(t_k^s\right)\right)\right)$$

(3)

where $p=1,\dots ,P^s$. The argument $r_u^s\left(p\right)$, indicates the subinterval of $T^u$ relevant for the estimation of $L^s(p,t_{k+1}^s)$, the argument ${\tau }_u^s\left(t_k^s\right)<t_k^s$ is the time from which the image of PFS of the service u possessed by the $s-th$ LE at time $t_k^s$ comes [7].

Iterations of the algorithm (3) are performed until convergence, which can be detected, e.g., by one of the protocol-free algorithms [26] or by the classical graph algorithm based on the acknowledgment messages [7]. During the iterations, it may happen that the information available at a LE level changes due to, for example, new incidents. This will affect the iterative process and the results until achieving a new stable forecast.

4. Convergence of the Algorithm

Let us analyze the conditions under which the algorithm (3) converges.

In fact, the first sum in (3) is constant in subsequent iterations, hence we may write this algorithm in the following way:

$$x:=F\left(x\right)$$

(4)

where $x\in {\mathbb{R}}^n$ is the vector of all variables $L^s(p,t),p=1,\dots ,P^s,s\in S$ for some t and for $i=1,\dots ,n$

$$F_i\left(x\right)=b_i+\sum _{j\ne i}{a}_{ij}min({\overline{x}}_j,x_j)$$

(5)

Hence, in general, the algorithm (3) has the following form:

$$x_i:=F_i\left(x\right)=$$

$$b_i+\sum _{j\ne i}{a}_{ij}min({\overline{x}}_j,x_j),i=1,\dots ,n$$

(6)

The $F\left(x\right)$ mapping is nonsmooth, so we cannot use the convergence formula on the nonlinear mappings from reference [7], based on the properties of the Jacobian matrix. Instead, we derive a sufficient convergence condition using a general theory of convergence for asynchronous iterative algorithms [7,8,9].

The basic theory says that a sufficient condition for the (4) algorithm to converge when implemented totally asynchronously is that the mapping $F:{\mathbb{R}}^n\mapsto {\mathbb{R}}^n$ is contractive in the maximum norm [7], i.e.,:

$${\parallel F\left(x\right)-F\left(y\right)\parallel }_{\infty }<{\parallel x-y\parallel }_{\infty }\forall x,y\in {\mathbb{R}}^n,x\ne y$$

(7)

Theorem 1.

We consider a mapping $F:{\mathbb{R}}^n\mapsto {\mathbb{R}}^n$ with the coordinate functions defined as:

$$F_i\left(x\right)=b_i+\sum _{j\ne i}{a}_{ij}min({\overline{x}}_j,x_j),i=1,\dots ,n$$

(8)

where the coefficients $a_{ij}$ are non-negative and such that:

$$\sum _{j\ne i}{a}_{ij}<1,i=1,\dots ,n$$

(9)

The mapping F is a contraction in the maximum norm.

Proof. 

Consider two arbitrary vectors $x,y\in {\mathbb{R}}^n$ and define as $i^{*}=i^{*}(x,y)$ an index of the coordinate determining the value of the maximum norm of $x-y$, that is:

$${\parallel x-y\parallel }_{\infty }=\underset{i=1,\dots ,n}{max}|x_i-y_i|=|x_{i^{*}}-y_{i^{*}}|$$

(10)

Due to the definition (8) of functions $F_i$ and the assumption that all coefficients $a_{ij}$ are non-negative, we will get for the mapping F:

$${\parallel F\left(x\right)-F\left(y\right)\parallel }_{\infty }$$

$$=\underset{i=1,\dots ,n}{max}\left|\sum _{j\ne i}{a}_{ij}\left[min({\overline{x}}_j,x_j)-min({\overline{x}}_j,y_j)\right]\right|$$

$$\le \underset{i=1,\dots ,n}{max}\sum _{j\ne i}{a}_{ij}|min({\overline{x}}_j,x_j)-min({\overline{x}}_j,y_j)|$$

(11)

Let us analyze deeper the term:

$$|min({\overline{x}}_j,x_j)-min({\overline{x}}_j,y_j)|$$

(12)

There are four combinations to analyze:

• $x_j<{\overline{x}}_j\wedge y_j<{\overline{x}}_j$
  We have here:

  $$|min({\overline{x}}_j,x_j)-min({\overline{x}}_j,y_j)|=|x_j-y_j|$$
• $x_j\ge {\overline{x}}_j\wedge y_j<{\overline{x}}_j$
  We have here:

  $$|min({\overline{x}}_j,x_j)-min({\overline{x}}_j,y_j)|=|{\overline{x}}_j-y_j|$$

  $$={\overline{x}}_j-y_j\le x_j-y_j\le |x_j-y_j|$$
• $x_j<{\overline{x}}_j\wedge y_j\ge {\overline{x}}_j$
  We have here:

  $$|min({\overline{x}}_j,x_j)-min({\overline{x}}_j,y_j)|=|x_j-{\overline{x}}_j|$$

  $$={\overline{x}}_j-x_j\le y_j-x_j\le |y_j-x_j|=|x_j-y_j|$$
• $x_j\ge {\overline{x}}_j\wedge y_j\ge {\overline{x}}_j$
  We have here:

  $$|min({\overline{x}}_j,x_j)-min({\overline{x}}_j,y_j)|=|{\overline{x}}_j-{\overline{x}}_j|=0$$

  $$\le |x_j-y_j|$$

Thus, for all these cases there will be:

$$|min({\overline{x}}_j,x_j)-min({\overline{x}}_j,y_j)|\le |x_j-y_j|$$

(13)

Taking this, (10), and the assumption (9) into account in the assessment (11), it means that:

$${\parallel F\left(x\right)-F\left(y\right)\parallel }_{\infty }\le \underset{i=1,\dots ,n}{max}\sum _{j\ne i}{a}_{ij}|x_j-y_j|$$

$$\le \underset{i=1,\dots ,n}{max}\sum _{j\ne i}{a}_{ij}|x_{i^{*}}-y_{i^{*}}|$$

$$=|x_{i^{*}}-y_{i^{*}}|\underset{i=1,\dots ,n}{max}\sum _{j\ne i}{a}_{ij}<|x_{i^{*}}-y_{i^{*}}|={\parallel x-y\parallel }_{\infty }$$

(14)

This means that F is a contractive mapping in the maximum norm. □

5. An Illustrative Example

To illustrate the ideas which were introduced above, let us consider an example of a system consisting of four service providers:

• Power company responsible for both a local power plant and the distribution grid (E);
• Railway transport company (T);
• Hospital (H);
• Data center (D).

All the services depend on electricity provided by the power company. In the case of a break in the energy supply, the hospital for few hours may use its own electricity generator and the data center has a UPS system, which holds its work for several dozen minutes. Except energy, some of the hospital and transport services depend also on access to the data center. The facility generating the electricity of the power plant is assumed to be coal fired and depends on the railway transport.

The graph of services and connections between them is presented in Figure 3.

Each local entity has its own information system that may be vulnerable and subject to various cyber threats, leading to the deterioration—in the extreme case to the safe mode level—of the service provided by this entity to its clients and to other entities. For example, the corruption of the control system of the power plant or the energy distribution network will lead to power outages in towns and in the countryside in the area served by the power company, including the hospital, the transport company, and the data center.

In all cases of the entities considered in the example, it is assumed that the Formula (3) is used to compute the possible service failure scenarios. The first term in (3), related to locally assessed threats, is aggregated to a given number:

$$R^s\left(p\right)=\sum _{v\in V^s}{I}_v^s\sum _{m\in M^s}{L}_{vm}^s{R}_m^s\left(p\right)$$

(15)

Let us assume that one night at 4 a.m. cyber criminals started a DDOS attack on the IT system controlling the power plant. The abnormally growing traffic was noticed by the operator of the computer network of the company. His predicted scenario of the attack is presented in Figure 4. Namely, he suspects that such a situation may last longer, and if so, the risk factor will rise after the next half an hour from the current normal $R^E\left(1\right)=0.05$ to a pre-alarm level $R^E\left(2\right)=0.2$ until 6 a.m., and then to the alarm level $R^E\left(3\right)=0.3$ until the end of the night shift at 8 a.m. At 8 a.m. the full IT staff will start their work and they will be gradually taking full control over the system and the local risk factors will decrease to $R^E\left(4\right)=0.12,R^E\left(5\right)=0.08,R^E\left(6\right)=0.05$.

Now, starting from the power company (E), we assume the following timing and formulas defining the relevant scenarios:

$$\begin{array}{cc}\hfill L^E\left(p\right),p=1,2,\dots ,6;& \end{array}$$

$$T^E=[0, 30)\cup [30, 120)\cup [120, 240)\cup [240, 300)$$

$$\cup [300, 600)\cup [600, 900]\min$$

$$L^E(p,t_{k+1}^E)=R^E\left(p\right)+0.3·min\left(0.5,L^T(p-1,{\tau }_T^E\left(t_k^E\right))\right)$$

$$=\left\{\begin{array}{cc}0.05,\hfill & p=1\hfill \\ 0.2,\hfill & p=2\hfill \\ 0.3,\hfill & p=3\hfill \\ 0.12,\hfill & p=4\hfill \\ 0.08,\hfill & p=5\hfill \\ 0.05,\hfill & p=6\hfill \end{array}\right.+0.3·min\left(0.5,L^T(p-1,{\tau }_T^E\left(t_k^E\right))\right)$$

The expressions for likelihoods and possible failure scenarios for the transport company (T) will be as follows:

$$\begin{array}{cc}\hfill L^T\left(p\right),p=1,2,\dots ,6;& \end{array}$$

$$T^T=[0, 45)\cup [45, 135)\cup [135, 270)\cup [270, 390)$$

$$\cup [390, 690)\cup [690, 900]\min$$

$$L^T(p,t_{k+1}^T)=0.06+0.7·min(0.4,L^E(p,{\tau }_E^T\left(t_k^T\right)))$$

$$+0.25·min(0.5,L^D(p-1,{\tau }_D^T\left(t_k^T\right)))$$

The likelihoods and scenarios for the data center (D) are defined as:

$$\begin{array}{cc}\hfill L^D\left(p\right),p=1,2,\dots ,6;& \end{array}$$

$$T^D=[0,60)\cup [60, 150)\cup [150, 330)\cup [330, 490)$$

$$\cup [490, 720)\cup [720, 900]\min$$

$$L^D(p,t_{k+1}^D)=0.08+0.2·min(0.4,L^E(p-1,{\tau }_E^D\left(t_k^D\right))),$$

And, finally, for the hospital (H), the likelihoods and scenarios are specified as:

$$\begin{array}{cc}\hfill L^H\left(p\right),p=1,2,\dots ,6;& \end{array}$$

$$T^H=[0, 90)\cup [90, 180)\cup [180, 360)\cup [360, 540)$$

$$\cup [540, 750)\cup [750, 900]\min$$

$$L^H(p,t_{k+1}^H)=0.07+0.2·min(0.4,L^E(p-1,{\tau }_E^H\left(t_k^H\right)))$$

$$+0.15·min(0.5,L^D(p-1,{\tau }_D^H\left(t_k^H\right))).$$

Despite the overall time horizon being 15 h for all local units, the duration of time subintervals varies between the different entities.

The results of the computations are presented in Figure 5. The simulation shows that the rise of the risk of failure in the delivery of electricity results at about 4:30 a.m. in an almost immediate (more precisely, after 15 min) jump growth of the likelihood of failure of the railway transport system, and a little later we can see a similar, but smaller, effect for the data center (after an hour from the beginning of the incident, that is time “0”), and for the hospital (after 1.5 h from time “0”). Fortunately, when the day shift IT staff arrive to work at 8 a.m. (4 h from the beginning of the attack) this risk is attenuated, and this implies the decrease of the likelihood of failure, first of the power plant and then, in the same order as for the degradation, of the other services.

6. Conclusions

In the paper a distributed, predictive, online scheme for national-level risk assessments was proposed. In this scheme, local entities, delivering different important services, repetitively prepare their own assessments, taking into account the temporal dependencies of their services on local cyber threats and services provided by other entities. The iterative, asynchronously convergent algorithm, which calculates the local scenarios, takes into account interdependencies between different services as a linear combination of local and external components. Due to the restriction on the influence function of the external components, the resulting mapping is nonlinear and nonsmooth. It was proved that when the sum of the weights of the external units is less than one, this mapping is a contraction in the maximum norm and the algorithm is convergent. It was confirmed in a numerical case study concerning a system consisting of four entities. Particular attention was paid to the scenario of the external attack on one of the units. This scenario, that is its risk assessment, may depend on local decisions, e.g., the number of staff working in different hours. If this dependence can be described formally, the presented model with slight modifications can be used also for optimization and planning purposes. This will be the subject of future works. The deployment of these distributed, asynchronous mechanisms will speed up the development of decisions to protect the network from attacks and reduce their negative impacts on society and the economy.