JP7213626B2 - Security measure review tool - Google Patents

Description

The present application relates to a security countermeasure examination tool for examining security countermeasures against the threat of cyberattacks on an analysis target system.

In recent years, control devices, computers, and network devices, which are components of social infrastructure control systems, have evolved from the characteristics of conventional "proprietary protocols" and "systems isolated from the outside" to "general-purpose operating systems (OS)" and " It is changing to a characteristic such as "general-purpose protocol".
Along with this, benefits such as data collection and cooperation with other companies' products and systems have been obtained, such as improved convenience and efficiency. On the other hand, it also has the disadvantage of being exposed to the threat of cyberattacks, making security measures essential.

In view of this background, various techniques related to devices using tools, methods, and programs (hereinafter referred to as security countermeasure examination means) for supporting security countermeasure examination have been disclosed.
For example, in a device using conventional security measure study means in a social infrastructure control system, a risk analysis method (detailed risk analysis, baseline approach, etc.) is used for the purpose of extracting security measure study points. A security risk value inherent in the system is calculated, and priority is given to items that require security countermeasures equal to or greater than a preset threshold, and the items are mapped on the control system configuration (Patent Document 1).
The technology disclosed in this patent document 1 is referred to as prior art 1 .

In addition, in the equipment using the conventional security measure examination means in the information system, the risk analysis method is used for the state of the information system in operation, and from the candidate measures for reducing the risk, the information in operation There is a method that presents an optimal countermeasure method after considering various restrictions that occur in the system (Patent Document 2).
The technology described in this patent document 2 is referred to as conventional technology 2 .

In addition, we have modeled the procedures for unauthorized access to information systems, identified threats related to unauthorized access by using a security event transition model that is not influenced by information system structures, components, etc., and implemented effective measures against identified threats. There is one that presents countermeasures (Patent Document 3).
The technology described in Patent Document 3 is referred to as prior art 3.

Japanese Patent Application Laid-Open No. 2016-192176 (pages 7 to 11, FIG. 1) WO2008/004498 (pages 6-11, FIG. 1) Japanese Patent Application Laid-Open No. 2009-110177 (pages 6 to 8, FIG. 2)

Prior art 1 analyzes the risks inherent in social infrastructure control systems, assigns priorities to risks that require security measures according to the importance of tasks and the number of tasks, and maps them on a system configuration diagram. We have achieved that.
However, the evaluation items for prioritization of security measures in Prior Art 1 do not include viewpoints such as compliance with regulations, impact on existing devices, and cost of introducing security measures. There was a problem in

Further, according to Conventional Technique 2, determination of security measures for an information system is performed by a risk model for determining security risks and a plurality of proposed countermeasure generation units for reducing security risks based on the countermeasure models for determining countermeasures. and the countermeasure order determination policy for determining the countermeasures to be implemented, the risk value of the inherent risk is reduced within the allowable value.
The countermeasure priority determination policy of this technology can set the permissible value of the risk value of the cost, operational constraints, and target inherent risk, and can consider the operation of the system.
However, in the prior art 2, the security measures are considered by combining the countermeasure generation unit and the countermeasure order determination policy. There was a problem that I could not judge whether it was.
This is because they have not taken into account how attackers attack information systems and how security measures can be taken against such attacks.

Prior art 3 builds a security event transition model that is not influenced by information system structures, components, etc. by analyzing the procedures of unauthorized access to information systems, and identifies and cleans up each threat corresponding to each phase of an attack. We are considering the optimal security measures against the threats presented.
However, since no risk analysis has been performed, it is not possible to exhaustively extract the risks inherent in the analyzed system, and it is not possible to consider the optimal solution for security measures against cyberattacks other than threats related to unauthorized access. In addition, the analysis target model can only be applied to information systems that threaten unauthorized access.

The present application discloses a technology for solving the above-mentioned problems, and provides a security measure review tool for analyzing the attack procedure of a cyber attack on an analysis target system and considering security measures corresponding to it. intended to provide

The security measure review tool disclosed in the present application uses a threat database that defines cyber threats and technical elements in the system, including data handled by the system to be analyzed, to calculate the risk value. A value calculation unit, a risk value determination processing unit that determines whether the risk value calculated by the risk value calculation unit exceeds a predetermined reference value, and a series of threats that are sequentially attacked. An attack scenario database that stores attack scenarios created by analysis, threat countermeasures that store threats to be attacked by the attack scenarios stored in the attack scenario database, and security measures for mitigating these threats in association with each other Corresponding database, for threats that generate a risk value exceeding the reference value, for each attack procedure of the corresponding attack scenario, the security countermeasures examination department that selects security countermeasures based on the threat countermeasure corresponding database, equipment that constitutes the system to be analyzed is provided with a facility database in which the degree of importance is defined in advance, and a facility attack scenario corresponding database in which facilities in the facility database are associated with attack scenarios in the attack scenario database related to this facility, and each database is stored in a storage device A risk value calculation unit, a risk value determination processing unit, and a security countermeasure examination unit are stored as software in a storage device and executed by a central processing unit, and the security countermeasure examination unit includes a facility attack scenario correspondence database and a facility database. Based on this, the importance of equipment related to the attack scenario is extracted, and a number of security measures are selected according to the importance of the equipment .

According to the security countermeasure review tool disclosed in the present application, it is possible to analyze the attack procedure of a cyber attack on an analysis target system and to consider security countermeasures corresponding thereto.

1 is a block diagram showing a schematic configuration of a control system security measure study tool according to a first embodiment; FIG. 4 is a flow chart showing the control operation of the control system security countermeasure study tool according to the first embodiment. FIG. 2 is a diagram showing the relationship between databases used for examining security countermeasures of the control system security countermeasure examination tool according to Embodiment 1; FIG. 4 is a diagram showing an example in which a plurality of threats of the control system security measure study tool according to Embodiment 1 can be mitigated with the same measure; 4 is a diagram showing an example of a DB of threats requiring countermeasures of the control system security countermeasure examination tool according to the first embodiment; FIG. FIG. 4 is a diagram showing an example of an attack scenario DB of the control system security countermeasure study tool according to Embodiment 1; 4 is a diagram showing an example of a countermeasure DB of the control system security countermeasure examination tool according to the first embodiment; FIG. FIG. 2 is a diagram showing an example of an attack procedure and countermeasures of the control system security countermeasure study tool according to Embodiment 1; FIG. 4 is a diagram showing an example of a measure priority rule of the control system security measure study tool according to Embodiment 1; 5 is a flow chart showing an example of a processing operation for prioritizing measures of the control system security measure study tool according to Embodiment 1. FIG. FIG. 9 is a block diagram showing a schematic configuration of a control system security countermeasure study tool according to Embodiment 2; FIG. 10 is a diagram showing the relationship between databases used for examining security measures of the security measure examination tool for control systems according to Embodiment 2; FIG. 12 is a block diagram showing a schematic configuration of a control system security measure review tool according to Embodiment 3; FIG. 11 is a flow chart showing an example of cyber attack scenario generation by a control system security countermeasure study tool according to Embodiment 3. FIG.

Embodiment 1.
Embodiment 1 will be described below with reference to the drawings.
FIG. 1 is a block diagram showing a schematic configuration of a control system security countermeasure study tool according to Embodiment 1. As shown in FIG.
In Fig. 1, security measure study tool 1 for control systems (security measure study tool) is a system that assumes cyberattacks based on threats inherent in control systems and studies security measures to deal with the assumed cyberattacks. is.

The system configuration of the control system security measure study tool 1 includes a CPU (Central Processing Unit) 15 (central processing unit) , an input/output device 16, a mouse/keyboard 17, a memory 30 (storage device) , a hard disk device 40 (storage device ) .
The control system security countermeasure study tool 1 includes a risk value automatic calculator 2 (risk value calculator), a risk value determination processor 3, and a security measure examiner, which are implemented in the memory 30 according to an operation command from the CPU 15. The functions of part 4 are performed.

The following information is stored in the hard disk device 40 (storage device).
The data flow 5 is information on the data flow of the system to be analyzed (including the control system). The information assets 6 are information assets handled by the system to be analyzed, such as plant data and control signals. The risk analysis result 7 is a risk analysis result such as a risk value for threats calculated from information in a threat DB (database) 14 (threat database), which will be described later.
A system configuration 8 is a diagram showing the system configuration of the system to be analyzed. The management information 9 is information on the results of analysis of the current management situation (locking management, etc.), and is information on devices, rooms, and people.
The countermeasure DB 10 (countermeasure database) stores countermeasures against threats (security countermeasures). The DB 11 of threats requiring countermeasures (threat countermeasure correspondence database) stores threats requiring consideration of countermeasures together with countermeasures against the threats. The attack scenario DB 12 (attack scenario database) stores an attack scenario against each threat and each step in which the attack scenario is developed. The countermeasure priority rule 13 (countermeasure priority rule database) stores the priority of countermeasures against threats. The threat DB 14 defines and stores each threat of cyber attack.

The risk value automatic calculation unit 2 analyzes the data flow 5 of the analysis target system stored in the hard disk device 40, the information assets 6 handled by the analysis target system, the system configuration 8 of the analysis target system, and the current management status ( The risk analysis result such as the risk value for the threat in the analysis target system is calculated from the management information 9 such as locking management and the information of the threat DB 14 .
Then, the calculation result is stored in the risk analysis result 7 on the hard disk device 40 .

The risk value determination processing unit 3 executes processing for determining an analysis result exceeding a reference value among the risk analysis results 7 stored on the hard disk device 40 .

The security countermeasure examination unit 4 uses the information of the risk analysis result 7 calculated by the risk value automatic calculation unit 2 as an input, and the security countermeasure examination unit 4 determines what type of cyberattack against the threat inherent in the analysis target system. We will analyze whether it is possible to assume
In addition, by referring to the countermeasure DB 10, the threat requiring countermeasure DB 11, the attack scenario DB 12, and the countermeasure priority order rule 13 stored on the hard disk device 40, threats that serve as stepping stones for cyberattacks and threats targeted by attackers are identified. Consider security measures to prevent this.

FIG. 3 is a diagram showing the relationship between databases used for examining security measures of the control system security measure examination tool according to the first embodiment.
In FIG. 3, the countermeasure DB 10 has a countermeasure name and countermeasure content for each countermeasure ID (identification). The countermeasure-needed threat DB 11 has a threat name, threat content, and countermeasure ID for each threat ID of a threat for which consideration of countermeasures is required. The attack scenario DB 12 has, for each scenario ID, the content of the attack scenario and the threat ID associated with this attack scenario.
The attack scenario DB 12 is associated with the threat requiring countermeasure DB 11 and the threat ID, and the threat requiring countermeasure DB 11 is associated with the countermeasure DB 10 and the countermeasure ID.
In the figure, FK represents a foreign key when referring to another DB.

FIG. 4 is a diagram showing an example in which a plurality of threats can be mitigated by the same countermeasure in the control system security countermeasure study tool according to the first embodiment.
FIG. 4 shows the details of multiple threats and the details of countermeasures for mitigating these threats. These contents are managed by the DB 11 of threats requiring countermeasures.
Examples of threats include threat A “data is stolen by unauthorized access to information in the device from an unauthorized terminal connected to the network”, threat B “data is falsified”, threat C “data is lost on the communication path of the network”. are eavesdropped”, and these threats A to C are the same countermeasure, “Encrypted communication using SSL (Secure Sockets Layer) / TLS (Transport Layer Security) communication (certificate)”. It shows that it is relaxed.

FIG. 5 is a diagram showing an example of a DB of threats requiring countermeasures of the control system security countermeasure examination tool according to the first embodiment.
FIG. 5 shows information managed by the DB of threats requiring countermeasures 11 in addition to the information shown in FIG. FIG. 5 shows the contents of the threat ID, threat name, threat content, and countermeasure ID.
In the threat requiring countermeasure DB 11, the threat ID that becomes the external key is uniquely assigned an ID number so that the content of the threat can be specified, and the same countermeasure ID is assigned to those that can mitigate the threat with the same countermeasure. Manage information.
For threats that cannot be mitigated by the same countermeasures, information is managed by uniquely assigning countermeasure IDs.

FIG. 6 is a diagram showing an example of an attack scenario DB of the control system security countermeasure study tool according to the first embodiment.
FIG. 6 shows information managed by the attack scenario DB 12 . It has information of scenario ID, attack content, and attack scenario. Here, in the attack scenario, attack steps (procedures) are indicated using threat IDs.
Threat A managed by the DB 11 of threats requiring countermeasures, such as "Data is stolen due to unauthorized access to information in the device from an unauthorized terminal connected to the network", what kind of attack procedure, what kind of time series, etc. is indicated using the Threat ID.

FIG. 7 is a diagram showing an example of a countermeasure DB of the control system security countermeasure examination tool according to the first embodiment.
7, the countermeasure DB 10 has a countermeasure name and countermeasure content for each countermeasure ID.
In this example, countermeasures against each step of an attack scenario using "threat A: Data is stolen due to unauthorized access to device internal information from an unauthorized terminal connected to the network" managed by the attack scenario DB 12 are shown. It is

FIG. 8 is a diagram showing an example of attack procedures and countermeasures of the control system security countermeasure study tool according to the first embodiment.
FIG. 8 shows effective countermeasures for mitigating each step of the attack scenario.
That is, items and details are shown for each attack step, and effective countermeasures are indicated by circles.

FIG. 9 is a diagram showing an example of a measure priority rule of the control system security measure study tool according to the first embodiment.
FIG. 9 shows the priority of security measures managed by the measure DB 10 . It indicates the order of priority to be implemented among the measures α, β, γ, δ, ε, etc., and is entered in advance by the analyst.
There are columns for priority, function (countermeasure), explanation (explanation of countermeasure), regulatory compliance, impact on existing equipment, construction cost, direct countermeasure, and score. however,
100 is assigned to compliance with regulations, and 0 is assigned to non-compliance.
The impact on existing equipment is 1 for maximum, 2 for large, 3 for medium, 4 for small, and 5 for minimum.
Construction costs are 1 for maximum, 2 for large, 3 for medium, 4 for small, and 5 for minimum.
For direct countermeasures, 0 indicates non-applicability and 5 indicates applicable.
Regarding the score, the higher the score value, the higher the priority.

Next, operation will be described.
The operation of the control system security countermeasure study tool 1 will be described with reference to FIG.
The data flow 5, system configuration 8, information assets 6, management information 9, and threat DB 14 recorded on the hard disk device 40 are input to the risk value automatic calculation unit 2 on the memory 30. FIG. The risk value automatic calculation unit 2 calculates the risk value of the threat inherent in the system to be analyzed. The result of calculation on the memory 30 is saved as the risk analysis result 7 on the hard disk device 40 .
The risk value determination processing unit 3 takes in the risk analysis result 7 (step S100).

The risk value determination processing unit 3 determines whether or not the risk value exceeds the reference value for the risk analysis result 7 (step S101). The reference value set by the risk value determination processing unit 3 may be changed between the minimum value of 1 and the maximum value of 9 by the analyst according to the system to be analyzed.

In step S101, if the risk exceeds the reference value, the content of the attack scenario, the threat ID, and the scenario ID for each threat against that risk are created in advance in the attack scenario DB 12 (step S102).

Next, the security countermeasure study unit 4 uses the threat ID stored in the attack scenario DB 12 created in step S102 as an external key to call the threat name, threat content, and countermeasure ID stored in the threat requiring countermeasure DB 11. .
Next, using the countermeasure ID as an external key, the countermeasure name and countermeasure content stored in the countermeasure DB 10 are called. Then, effective security countermeasures are applied to the threats that are the ultimate objectives of the attack scenario created in step S102 and the threats that serve as stepping stones for realizing the ultimate objectives (threats corresponding to each step of the attack scenario). (step S103).

Next, the security countermeasure examination unit 4 prioritizes which security countermeasures should be implemented first based on the candidate security countermeasures developed in step S103 and the countermeasure priority order rule 13 stored on the hard disk device 40. (Step S104).

Next, the security measure examination unit 4 determines which of the security measures prioritized in step S104 is to be adopted.
Cyber-attacks have become more sophisticated in recent years, and there is a high possibility that multiple steps of an attack scenario will be carried out. Therefore, security measures are selected so as to be able to deal with at least two attack steps (step S105).

If the risk value determined in step S101 is equal to or less than the reference value, it is recorded as an inherent risk in the risk analysis result 7 (step S106).
After either step S105 or step S106 is performed, the process ends.

Next, specific processing contents of the support method of the control system security countermeasure study tool 1 will be described with examples of threats.
FIG. 4 shows an example of threats having a risk value exceeding the reference value in step S101 and examples of countermeasures for mitigating these threats. These pieces of information are managed by the DB 11 of threats requiring countermeasures.
5 shows information managed by the DB 11 of threats requiring countermeasures in addition to the information shown in FIG. Needless to say, the DB of threats requiring countermeasures 11 may manage information other than that shown in FIG.

Next, description will be made with reference to FIG.
Examples of threats include threat A “data is stolen by unauthorized access to information in the device from an unauthorized terminal connected to the network”, threat B “data is falsified”, threat C “data is lost on the communication path of the network”. is wiretapped”, these threats A to C are mitigated by the same countermeasure, “implement encrypted communication using SSL/TLS communication (certificate)”.
For this reason, as shown in FIG. 5, the threat ID requiring countermeasure DB 11 uniquely assigns an ID number to the threat ID that becomes the external key so that the content of the threat can be identified, and the same countermeasure is used to mitigate the threat. The information numbered with the same countermeasure ID is managed in the countermeasure-required threat DB 11. FIG.
For threats that cannot be mitigated by the same countermeasures, information with a unique countermeasure ID is managed in the threat requiring countermeasure DB 11 .

Next, FIG. 6 will be described.
FIG. 6 develops an attack scenario for a threat that requires countermeasures because the risk value exceeds the reference value in step S101. In other words, what kind of attack procedures and what kinds of threats such as threat A managed by the DB 11 of threats requiring countermeasures, such as “Data is stolen by unauthorized access to information in the device from an unauthorized terminal connected to the network”? Whether or not it is implemented in chronological order is indicated using a threat ID, and this information is managed by the attack scenario DB 12 .

In the first embodiment, the analysis of the attack procedure is broadly based on the idea of the kill chain, which is a framework for defining the attack stage from the attacker's point of view and analyzing what needs to be done in response to it. It is divided into four categories (preparation, infiltration, transversal breach, and activity).
In order to achieve the objective of “Threat A: Data is stolen due to unauthorized access to device information from unauthorized terminals connected to the network,” multiple threats inherent in the system to be analyzed are used as stepping stones. attack.
Since this attack procedure uses multiple threats inherent in the attack method and the system to be analyzed, knowledge of the risk analysis results is required, and the analyst prepares management information as shown in FIG. 6 in advance in step S102. do.

Next, FIGS. 7 and 8 will be described.
The example in FIG. 7 shows countermeasures for each step of an attack scenario using "threat A: data is stolen due to unauthorized access to device internal information from an unauthorized terminal connected to the network" managed by the attack scenario DB 12. is shown.
The example of FIG. 7 is the result of deploying security countermeasures to each step of the attack scenario executed in step S103.
In order to obtain the information of FIG. 7, based on the threat ID, which is the external key of FIG. Further, the countermeasure name and countermeasure content (shown in FIG. 7) are obtained by referring to the countermeasure DB 10 that manages the security countermeasure content using the countermeasure ID as an external key.

The results of the above procedures are shown in FIG. 8, and the measures α, β, etc. marked with "○" are effective measures for mitigating each step of the attack scenario.

FIG. 9 summarizes the priority of security measures managed by the measure DB 10 .
The attack steps shown in Fig. 8 are classified into four categories: preparation, infiltration, cross-infringement, and activity. The ranking is shown in FIG. The order of priority is entered in advance by the analyst.

Next, an example of a processing operation for prioritizing countermeasures will be described with reference to FIG. 10 .
Note that the rule described here is just an example, and a method that does not weight the conformity to regulations, or a method that does not set the maximum and minimum values of each evaluation item in five stages, but a three-stage method, etc., may be used for determination.

First, it is determined whether or not the product conforms to the regulations shown in FIG. 9 (step S201).
In step S201, if there is a discrepancy with the security measures complying with regulations, the sum of the evaluation points of the evaluation items of the impact on the existing equipment, the construction cost, and the direct countermeasures shown in FIG. 9 is calculated (step S202).

In step S201, if the security measure matches regulations, it is determined that the security measure is to be implemented (step S203).
The total values calculated according to the evaluation items in step S202 are sorted in descending order (step S204).

In the determination of security measures in step S105 in FIG. 2, the determination of which of the measures to which the prioritization rules are applied has become increasingly sophisticated in recent years, and multiple attack steps in an attack scenario are required. Be prepared for at least two attack steps, as they are likely to be implemented.
For this reason, countermeasures α and β are selected against “threat A: data is stolen due to unauthorized access to device internal information from an unauthorized terminal connected to the network” in FIG.

In the first embodiment, the control system security countermeasure study tool calculates the risk value for threats based on not only the unique control system but also the control system to be analyzed, and sets the allowable value (reference value). A security measure selected from a plurality of security measures can be presented against a threat with a risk value that exceeds.
In addition, by making the reference value of the allowable risk a variable parameter, it is possible to select threats for which security measures are to be taken.
In addition, cyber-attacks on control systems are becoming more sophisticated, and there is a high possibility that they will be carried out using multiple attack procedures. can be considered.

Furthermore, when considering actual operation in the study of security measures, it is possible to add, delete, or change items other than the items studied in Embodiment 1, and to set the stages of the evaluation index variably to 3 stages, 5 stages, etc. Therefore, it is possible to consider security measures while weighting according to actual operation.
In addition, by using the security measure review tool for control systems, it is possible to analyze the review of security measures without depending on the skill and knowledge of the analyst, and it is possible to improve the efficiency of the analysis work. effective.

Embodiment 2.
Embodiment 2 will be described below with reference to the drawings.
FIG. 11 is a block diagram showing a schematic configuration of a control system security measure study tool according to the second embodiment.
11, reference numerals 1 to 17, 30 and 40 are the same as those in FIG. In FIG. 11, the hard disk device 40 is provided with an equipment DB 18 (equipment database) and an equipment attack scenario correspondence DB 19 (equipment attack scenario correspondence database). As an example, the facility DB 18 stores, for each device ID, the device name, the device type, and the device importance, which is the importance according to the information asset handled by the device. As an example, the facility attack scenario correspondence DB 19 stores, for each scenario ID, the scenario name and the device ID of the facility related to this attack scenario.

FIG. 12 is a diagram showing the relationship between databases used for examining security measures of the control system security measure examination tool according to the second embodiment.
In FIG. 12, reference numerals 10-12 are the same as those in FIG. The facility DB 18 stores the device name, device type, and device importance for each device ID, and the facility attack scenario correspondence DB 19 stores the scenario name and the device ID of the facility related to this attack scenario for each scenario ID. there is
The facility attack scenario correspondence DB 19 is linked to the attack scenario DB 12 by the scenario ID, and linked to the facility DB 18 by the device ID.

In the second embodiment, when security countermeasures are selected, corresponding attack scenarios are changed according to the device type and device importance of the facility.
In the second embodiment, a facility DB 18 and a facility attack scenario response DB 19 are added to the hard disk device 40 of the control system security countermeasure study tool 1 .

Next, operation will be described.
The processing of the control system security countermeasure study tool 1 according to the second embodiment will be described with reference to FIG.
In Embodiment 2, each step other than step S105 is the same as the processing in FIG. 2, so step S105 will be described below.

In step S105, when determining security measures, the scenario name and device ID managed by the equipment attack scenario correspondence DB 19 are referred to using the scenario ID of the attack scenario DB 12 as an external key. Further, by using the device ID as an external key, the device name and device type managed by the facility DB 18 and the device importance corresponding to the information assets handled by the device are referred to.

If the importance of the device is high, the number of countermeasures corresponding to each step of the attack scenario is changed from 2 to 3, and "Threat A: Data is stolen due to unauthorized access to information in the device from an unauthorized terminal connected to the network. , countermeasures α, β, and γ are selected.
On the other hand, if the importance of equipment is low, the number of countermeasures corresponding to each step of the attack scenario is changed from 2 to 1. Data is stolen", countermeasure α is selected.

According to the second embodiment, in addition to the system configuration of the first embodiment, by adding the facility DB 18 and the facility attack scenario response DB 19, the device type and the device importance corresponding to the information assets handled by the device can be determined. It is possible to have a configuration that can be referred to, and in addition to the effects described in the first embodiment, it is possible to change the implementation content of security measures according to the degree of importance of the device.

Embodiment 3.
Embodiment 3 will be described below with reference to the drawings.
FIG. 13 is a block diagram showing a schematic configuration of a control system security measure study tool according to the third embodiment.
13, reference numerals 1 to 19, 30 and 40 are the same as those in FIG. In FIG. 13, the hard disk device 40 is provided with a cyber-attack scenario generation AI (artificial intelligence) 20 that creates an attack scenario against each threat.

Embodiment 3 utilizes artificial intelligence AI to generate attack steps when analyzing attack procedures.
In Embodiment 3, a cyber-attack scenario generation AI 20 is added to the hard disk device 40 of the security countermeasure study tool 1 for control systems.

Next, processing of the control system security countermeasure study tool 1 according to the third embodiment will be described with reference to FIGS. 2 and 14. FIG.
The processing of the control system security measure study tool 1 of Embodiment 3 is the same as that shown in FIG. 2 except for step S102, and the description thereof is omitted.
The process of step S102 in FIG. 2 is a process of creating, in the attack scenario DB 12 in advance, the attack scenario, threat ID, and scenario ID of each threat against the risk when the risk exceeds the reference value.
In the third embodiment, the processing of step S102 of FIG. 2 is performed by the cyber attack scenario generation AI 20 as shown in the flowchart of FIG.

First, the attack scenario shown in FIG. 6 is taught to the cyber attack scenario generation AI 20 (step S300). In this teaching, attack scenarios are learned by deep learning using neural networks.

Next, public information (Internet, literature, etc.) is checked to see if there is a cyber attack other than the attack scenario that has been taught, and if there is, reinforcement learning of the cyber attack scenario is performed (step S301).
Based on these pieces of information, the cyber attack scenario generation AI 20 generates attack scenarios for each threat (step S302).

Steps S303 to S309 are performed until the process of assigning threat IDs to threats that serve as stepping stones for attack scenarios generated in step S302 and attack scenarios that serve as targets for attackers is completed. Repeat the process up to
Specific processing contents are as follows.
The threat DB 14 is referred to for each step of the attack scenario of each threat generated by the cyber attack scenario generation AI 20 (step S304). Next, it is determined whether or not the threat exists on the threat DB 14 (step S305).

As a result of determination in step S305, if each step of the attack scenario of each threat exists in the threat DB 14, a threat ID is assigned to the attack scenario generated by the cyber attack scenario generation AI 20 (step S306 ).
On the other hand, if the threat does not exist in the threat DB 14, the cyberattack scenario generation AI 20 assigns a new threat ID (step S307). Next, the newly assigned threat ID is assigned to the attack scenario generated by the cyber attack scenario generation AI 20 (step S308).
Finally, attack scenarios are described in chronological order with threat IDs (step S310).

Since the cyberattack scenario generation AI 20 cannot refer to the security countermeasures against the threat of the newly numbered threat ID from the countermeasure DB 10, the analyst adds the contents of the security countermeasure against the threat of the newly numbered threat ID to the countermeasure DB 10. do.

In the third embodiment, the content of security countermeasures against the threat of the threat ID newly assigned by the cyberattack scenario generation AI 20 is reflected in the countermeasure DB 10 .
Similarly, an AI for security countermeasures may be created in the same manner as the cyber attack scenario generation AI 20 described above. That is, the security countermeasure against the threat ID newly assigned by the cyberattack scenario generation AI 20 may be generated by a newly created AI for security countermeasure.

According to the third embodiment, in addition to the system configuration of the second embodiment, by adding a cyber attack scenario generation AI 20, the generation of attack scenarios that has been performed by analysts so far is performed by AI. be able to.
As a result, in addition to the effects described in the first and second embodiments, it is possible to automate generation of attack scenarios regardless of the ability of the analyst.
In addition, by adopting a configuration that considers attack scenarios using AI, it is possible to consider security measures against cyberattacks that have not yet materialized.

In the above description, the case of considering security measures for a control system was described, but it goes without saying that the present invention can also be applied to other information systems.

While this disclosure describes various exemplary embodiments and examples, various features, aspects, and functions described in one or more of the embodiments may vary from particular embodiment to embodiment. The embodiments are applicable singly or in various combinations without being limited to the application.
Accordingly, numerous variations not illustrated are envisioned within the scope of the technology disclosed herein. For example, modification, addition or omission of at least one component, extraction of at least one component, and combination with components of other embodiments shall be included.

1 security measure examination tool for control system, 2 risk value automatic calculation part,
3 risk value determination processing unit, 4 security countermeasure examination unit, 5 data flow,
6 information assets, 7 risk analysis results, 8 system configuration, 9 management information, 10 countermeasure DB,
11 threat requiring countermeasure DB, 12 attack scenario DB, 13 countermeasure priority order rule,
14 threat DB, 15 CPU, 16 input/output device, 17 mouse/keyboard,
18 facility DB, 19 facility attack scenario correspondence DB,
20 cyber attack scenario generation AI, 30 memory, 40 hard disk device

Claims (2)

A threat database that defines cyber threats,
A risk value calculation unit that calculates a risk value for the above threat using technical elements in the system including data handled by the system to be analyzed;
a risk value determination processing unit that determines whether the risk value calculated by the risk value calculation unit exceeds a predetermined reference value;
An attack scenario database that stores attack scenarios created by analyzing the attack procedures of cyber attacks that sequentially attack the series of threats;
a threat countermeasure correspondence database in which threats to be attacked by attack scenarios stored in the attack scenario database and security countermeasures for mitigating the threats are associated and stored;
Security Measures Examination Department , which selects security measures based on the threat countermeasure correspondence database for each attack procedure of corresponding attack scenarios for threats that generate risk values exceeding the above- mentioned standard values;
A facility database that defines the degree of importance in advance for the facilities that make up the analysis target system,
and a facility attack scenario correspondence database that associates the facility of this facility database with the attack scenario of the attack scenario database related to this facility ,
Each of the above databases is stored in a storage device,
The risk value calculation unit, the risk value determination processing unit, and the security measure examination unit are stored as software in the storage device and executed by a central processing unit ,
The security measure examination department extracts the importance of the equipment related to the attack scenario based on the equipment attack scenario correspondence database and the equipment database, and implements the number of security measures according to the importance of the equipment. A security countermeasure examination tool characterized by selecting . A threat database that defines cyber threats,
An attack scenario database that stores attack scenarios created by analyzing the attack procedures of cyber attacks that sequentially attack the series of threats;
a threat countermeasure correspondence database in which threats to be attacked by attack scenarios stored in the attack scenario database and security countermeasures for mitigating the threats are associated and stored;
A facility database in which the degree of importance is defined in advance for the facilities that make up the system to be analyzed,
A facility attack scenario correspondence database that associates the facility of the facility database with the attack scenario of the attack scenario database related to this facility,
and with respect to the above threats, a security countermeasure examination department that selects security countermeasures based on the above threat countermeasure correspondence database for each attack procedure of the corresponding attack scenario,
Each of the above databases is stored in a storage device,
The security countermeasure study unit is stored as software in the storage device, is executed by the central processing unit, and extracts the importance of the equipment related to the attack scenario based on the equipment attack scenario correspondence database and the equipment database. and selecting the number of security measures according to the importance of the facility.

Images