In this section, we present the results of our simulations and discuss the insights garnered from the results, identifying areas in the system that require additional defenses. Table 2.5 shows the resulting metrics for each adversary profile (with the exception of the PrivilegedInsider).
Attack Paths. From the simulation results, we find that all adversaries, except the access control staff, can achieve the TrainStop goal by damaging or controlling devices in the rooms. The TempCtrlOff goal is achievable by all the adversaries except the power, signals, and access control staff, whose access to the system is more specialized or limited. Similarly, the LockExits goal is achievable by all adversaries except the power and signals staff. Finally, the TrainCollision goal is achievable only by the station operator, server, and signals staff, because the attack requires specific control of the signals server.
We can see from the simulation results that although the building access control system allows staff to move only into rooms within their job roles, staff are still capable of affecting devices in different rooms to achieve their goals. In particular, the environment control staff can cut power to the track despite not having access to the power room or the server room that controls the device logic. That attack path could easily have been missed by a human analyst who did not consider the physical consequences of changing a device’s temperature. Thus, it is important not to overlook noncritical staff members or assume that a malicious action will remain contained within a room. The effects of a noncritical staff member’s actions, however, take much longer to propagate through the system than those of other adversaries, so the practitioner has more time to catch the attack before the adversary’s goal is achieved. Thus, it is crucial to implement detection mechanisms that monitor changes in physical processes.

Table 2.5: Calculated metrics for each adversary profile. The different possible attack steps (excluding actions that represent physical consequences) are listed.

| Adversary | Cost | Detect | Attack Path Length | Attack Steps | Goals |
|---|---|---|---|---|---|
| Outsider | 12 or 13 | 3 or 4 | 7–16 | Damage: PB 2, 4, or 5, Temp Control, Power System, Signals Server | TrainStop, TempCtrlOff, LockExits |
| Cleaner | 12 or 13 | 1 | 7–16 | Damage: PB 2, 4, or 5, Temp Control, Power System, Signals Server | TrainStop, TempCtrlOff, LockExits |
| Station Op | 12 or 13 | 0 or 1 | 7–16 | Damage: PB 2, 4, or 5, Temp Control, Power System, Signals Server; Login: Host; ControlSoftware: PLC; RemoteControl: Power System, Temp Control, Signals Server | TrainStop, TempCtrlOff, LockExits, TrainCollision |
| Env Ctrl | 5 or 10 | 0 or 1 | 8–15 | Damage: PB 2, Temp Control; DirectControl: PB 2, Temp Control | TrainStop, TempCtrlOff |
| Server | 11 or 13 | 0 | 7–9 | DirectControl: PB 3; Login: PLC; RemoteControl: Power System, Temp Control, Signals Server | TrainStop, TempCtrlOff, LockExits, TrainCollision |
| Power | 6 or 11 | 0 or 1 | 7–9 | Damage: PB 4, Power System; DirectControl: PB 4, Power System | TrainStop |
| Signals | 6 or 11 | 0 or 1 | 7–9 | Damage: PB 5, Signals Server; DirectControl: PB 5, Signals Server | TrainStop, TrainCollision |
| Access Ctrl | 6 or 11 | 0 or 1 | 7–9 | Damage: PB 3; DirectControl: BAC Server | LockExits |
Attack Steps. We find from our simulation results that the Damage action is the most commonly used action by all the adversary profiles and often targets powerboards. Since the outsider, cleaner, and station operators have physical access to all rooms, they can perform the Damage action on the appropriate device to achieve any goal. Thus, the cost to damage equipment, specifically powerboards, should be increased via additional physical guards. We also note that none of the insiders were detected unless they physically damaged equipment. Having a staff member escort a cleaner through the premises reduces the chance that the cleaner will be able to perform malicious actions. However, that would not be enough to detect malicious maintenance staff or station operators, so a specialized detection mechanism is needed to distinguish between malicious actions and normal actions. In particular, we need to monitor physical movements, host logins, and actions performed using the control software.
Adversary Stealth. During an adversary’s decision-making process, he or she may have a choice of several attack paths. An adversary chooses one of the attack paths based on his or her preference for either minimizing the cost of the attack path or reducing the risk of being detected by a defender. We want to investigate which attack paths (which correspond to use of different access cards) an adversary will take, given differing levels of stealthiness.
In particular, we want to investigate the deterrent effect on attackers of putting in place an intrusion detector for malicious physical movement. We model the detector as a fixed detection probability (0.5) for the Move attack step. In other words, the attacker has a 50% chance of being detected each time he or she moves into a space that requires a card swipe (loggedAccess).
We represent the adversary’s stealthiness with a preference weight (which is then used in the decision-making process). A weight of 0 implies that the adversary does not mind being detected; a higher weight implies that the adversary cares more about remaining undetected. We vary the preference weight from 0 to 10 and observe which access cards the PrivilegedInsider uses to achieve the TrainCollision goal.
The simulation results show that for weights between 0 and 8, the adversary uses the signals staff member card to access the signaling room. If the weight is above 8, the station operator staff member card is used to access the PSC.
That shows that the stealthiest adversaries, i.e., those with higher weights, will use a station operator’s access card to enter the station. Since the probability that the adversary will be detected increases with the number of physical movements he or she takes, a stealthy adversary will opt to take the shorter paths through a station, at the cost of an increased amount of effort needed to conduct the attack. System practitioners should thus focus their efforts on detecting the subsequent actions of that adversary that include logging into the hosts and using the control software to perform actions.
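The trade-off described in the Adversary Stealth paragraphs, as an added Python example that is not from the original work: each logged Move carries the 0.5 detection probability from the text, while the two candidate paths, their step costs and the linear cost-plus-weighted-risk score are constructed assumptions, chosen so that the card switch falls between weights 8 and 9 as reported.

```python
from dataclasses import dataclass
from math import prod

MOVE_DETECT_P = 0.5  # from the text: detection chance per logged Move step


@dataclass(frozen=True)
class Step:
    name: str
    cost: float                # constructed effort units, not the simulation's values
    logged_move: bool = False  # True when the step is a Move through a card-swipe door


@dataclass(frozen=True)
class Path:
    card: str
    steps: tuple

    def cost(self) -> float:
        return sum(s.cost for s in self.steps)

    def p_detect(self) -> float:
        # Chance that at least one logged Move is flagged, treating moves as independent.
        return 1 - prod(1 - MOVE_DETECT_P for s in self.steps if s.logged_move)

    def score(self, weight: float) -> float:
        # Assumed linear trade-off: effort plus stealth weight times detection risk.
        return self.cost() + weight * self.p_detect()


# Constructed paths to TrainCollision; step lists and costs are illustrative only.
PATHS = (
    Path("signals_staff", (
        Step("Move: entrance", 1, True), Step("Move: corridor", 1, True),
        Step("Move: signaling room", 1, True), Step("DirectControl: Signals Server", 2))),
    Path("station_operator", (
        Step("Move: PSC", 1, True), Step("Login: Host", 2.5),
        Step("ControlSoftware: PLC", 2), Step("RemoteControl: Signals Server", 2.75))),
)


def choose(paths, weight):
    """Return the path with the lowest combined cost and weighted detection risk."""
    return min(paths, key=lambda p: p.score(weight))


def sweep(paths=PATHS, weights=range(0, 11)):
    """Map each preference weight to (card used, detection probability of that path)."""
    return {w: (choose(paths, w).card, choose(paths, w).p_detect()) for w in weights}
```

With these constructed values, the switch to the station operator card lowers the movement detector's chance of flagging the chosen path from 0.875 to 0.5, which is why the text directs monitoring toward host logins and control-software actions.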
Summary. In conclusion, the adversaries that pose the biggest threat to the system in terms of shorter time (or path length) to achieve goals and lower detection probability are the server staff and station operators. When considered in combination, the outsider together with the access control staff may also pose a problem, since the access control staff member is able to grant access to the station. Our results also show that the inclusion of a detector for malicious physical movement causes an adversary to adjust strategies by choosing shorter paths through a building at the cost of increased effort in executing the attack.