# Incidents Are Meant for Learning, Not Repeating: Sharing Knowledge About Security Incidents in Cyber-Physical Systems

**Authors:** Faeq Alrimawi, Liliana Pasquale, Deepak Mehta, Nobukazu Yoshioka, Bashar Nuseibeh

arXiv: 1907.00199 · 2019-07-02

## TL;DR

This paper introduces a novel method for representing and sharing knowledge about security incidents in cyber-physical systems, enabling organizations to learn from past incidents and prevent future ones.

## Contribution

The paper proposes a representation for incident patterns, together with automated techniques for extracting a pattern from a specific incident instance and instantiating it in other CPSs, to support sharing of security knowledge across organizations.

## Key findings

- Effective incident pattern extraction demonstrated in smart building scenarios.
- Approach shows scalability and correctness in real-world inspired scenarios.
- Facilitates sharing of incident knowledge without revealing sensitive information.

## Abstract

Cyber-physical systems (CPSs) are part of most critical infrastructures such as industrial automation and transportation systems. Thus, security incidents targeting CPSs can have disruptive consequences to assets and people. As prior incidents tend to re-occur, sharing knowledge about these incidents can help organizations be more prepared to prevent, mitigate or investigate future incidents. This paper proposes a novel approach to enable representation and sharing of knowledge about CPS incidents across different organizations. To support sharing, we represent incident knowledge (incident patterns) capturing incident characteristics that can manifest again, such as incident activities or vulnerabilities exploited by offenders. Incident patterns are a more abstract representation of specific incident instances and, thus, are general enough to be applicable to various systems - different than the one in which the incident occurred. They can also avoid disclosing potentially sensitive information about an organization's assets and resources. We provide an automated technique to extract an incident pattern from a specific incident instance. To understand how an incident pattern can manifest again in other cyber-physical systems, we also provide an automated technique to instantiate incident patterns to specific systems. We demonstrate the feasibility of our approach in the application domain of smart buildings. We evaluate correctness, scalability, and performance using two substantive scenarios inspired by real-world systems and incidents.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1907.00199/full.md

## Figures

14 figures with captions in the complete paper: https://tomesphere.com/paper/1907.00199/full.md

## References

28 references — full list in the complete paper: https://tomesphere.com/paper/1907.00199/full.md

---
Source: https://tomesphere.com/paper/1907.00199