Quantitative analysis of attack-fault trees via Markov decision processes
Milan Lopuhaä-Zwakenberg

TL;DR
This paper introduces a lightweight, efficient method using Markov decision processes to analyze the trade-off between safety and security in attack-fault trees, enabling Pareto front computation for risk assessment.
Contribution
It presents a novel approach combining safety and security analysis to efficiently compute Pareto fronts in attack-fault trees, improving over existing automaton-based methods.
Findings
Faster and more lightweight analysis compared to automaton approach
Successfully applied to cyberattack case study on oil pipeline
Enables comprehensive safety-security interplay assessment
Abstract
Adequate risk assessment of safety critical systems needs to take both safety and security into account, as well as their interaction. A prominent methodology for modeling safety and security are attack-fault trees (AFTs), which combine the well-established fault tree and attack tree methodologies for safety and security, respectively. AFTs can be used for quantitative analysis as well, capturing the interplay between safety and security metrics. However, existing approaches are based on modeling the AFT as a priced-timed automaton. This allows for a wide range of analyses, but Pareto analysis is still lacking, and analyses that exist are computationally expensive. In this paper, we combine safety and security analysis techniques to introduce a novel method to find the Pareto front between the metrics reliability (safety) and attack cost (security) using Markov decision processes. This…
Taxonomy
Topics: Network Security and Intrusion Detection
