
Extending The Capabilities Of Dependency Modelling For Risk ID. In An ICS Environment - Ayo Rotibi

BSides Cymru Wales · 2023 · 12:01 · 13 views · Published 2023-04

Um, good morning, and thank you for making our time to hear me speak. My name is I believe nothing will go wrong, you know why we're here, and, um, not going to reclaim on like being the most intelligent in the room, but in this less 10 minutes [Music]

So I am a PhD student in California and I'm coming to the end of my research, basically, and I, what I'm going to share with you this one is what my research is all about. [Music]

Question: we want to talk about dependency modeling and if it works. So dependency modeling is not new, it's been around for a while, and we are trying to take it, so we engineer it, and essentially we want to extend it, which is why I have the X a photo shoot. So what does the premiere simulator does? You have they go, you have an idea and you will have a business. So when you are designing the system, when you're designing the business, when you're designing the goal, said: this is my goal, and this goal depends on this, and this depends on that, so let us call it process. So we are building it, rather than building it from the bottom off, we're building it from top to bottom. I have a goal, this goal depends on this processes of this event or this, I guess, and then this other idea depends on these ideas.

It is standard that is supported by The Open Group, so you won't imagine that if it is extended it should be popular, everyone ought to be using it, because what this does for you is that it gives you an overview, you know, an overarching view of what your, what your business is, what your process is. Although I am focusing on industrial control systems, but this is applicable to be got small, anywhere where you have processes depend on others to be able to achieve a goal, you can talk dependency.

But there is one thing about dependency models. It is so easy for me, now I want to use this, okay, it is so easy for me to say this process, um, leave these two processes to, to be able to achieve the goal, these processes is three make this work even. So dependency modeling, dependency modeling the way we know each other, it will allow me, you know, to trace this bank. So what I have in green and red is that this is 100, this red is simply telling me that by releasing of probability I may not be able to get hundred percent, maybe because I don't have control over it, maybe I can get 70 in terms of what is going to be able to produce. But when I put these two together, ah, I'm getting something less, you know, but that is, that is how it propagates, you know, from the bottom to the top.

What it doesn't give me is that if I want to compare this process and this process, if they fail, so if the audience to turn to red and all this you turn to red, what will be the impact on the goal? Dependency modeling doesn't allow me to do that at the moment, and that is what we are looking to extend.

But why are we even interested in this? [Music] Everyone in this room, we know about this: the Colonial Pipeline and the JBS attack. These are in great attack will cost 11 million for them to be able to get back into business; the other one cost five million dollars. As a matter of fact, the CTO of, uh, of JBS, what he said was that, oh, you know what, we have everything under control. They were attacked on a Tuesday; on Wednesday evening he said, you know, we have everything under control. 11 days after the adults and then it paid 11 million, yet they had everything under control. Simply because that's somewhere which does not need to target, oh, you know, the big server; you just need to target a process that is critical in the business, and if that process is taken away, everything is taken away.

And be careful of Colonial Pipeline: what was taken away, the billing. So they could produce, they could stop so much petro and fuel, but they couldn't ship them because there was nobody to be. So they are not the big servers, there are the industrial control systems or the building system, took them out.

And the interesting part of it is that 82 percent increase in ransomware attack alone between 2020, this, 2020 and 2021. As a matter of fact, if you look here inside the Twitter, industrial and engineering, manufacturing and technology, okay, so even if I take technology away and I focus on these two, which is why we are interested in industrial control systems.

So I've got this, this is the reason why we are doing this, and for us to do this we have looked at industrial control, I mean dependency modeling, as a very good tool that will allow management, not just the techie people, you know, those that sit at the, at the, um, uh, in the server room at the back end, you know, to say, oh, you know, we have this, we have this threat, we have that, you know, because French will always determine your response. But what dependency model it does for you is to make you ready. I say, this is what I know I have, this is the place where I know I have my weakness.

So we have decided to improve on the dependency modeling, building a, a system, a technique that we take dependency modeling, extending it in such a way that first, I mean, we identify two main limitations. One being that, you know, when you are asking people to complete the dependency modeling, they give you a percentage, the probability that something we want, but most of the time you subjective. So we try to balance it out, you know, by providing an evidence, evidential data that will, um, balance out the subjectivity nature of the probability information that is provided, and then we get a posterior probability. When we normalize it, then we can have, we can build the system model and the sensitivity.

And then beyond that, we are using this network, you know, um, to be able to generate a conditional probability distribution, and what conditional probability distribution then does is that it takes every event and says, you know, if you take this event on its own, you can actually write a story about it.

And with that, I, we are able to see, if I go back here, um, if I go back, if I go back here, with, with that's what we're doing, it is then possible, what I said earlier on, to take this process and this process, I say, if I zero this and they all turn red, what will be the impact on the goal? Dependency modeling does not offer us that at the present time. So you can, you can say, let me pick three, let me pick this, that and that, you know, if I pick three of them and I crush them, you know, on my system, you don't have it to go anywhere, what will be the impact on the goal? You know, you can see that, you know, visually, you know, by using risk, which is the, which is the system that we have built over, over the years, and this is the kind of results, you know, that we, that we get to produce.

Um, so here in the, in this place, we're saying, you know, if one of them crashes, it is 99, oh sorry, uh, I came 99 as foreign than item 56, for example. However, when you come here, you see 56 appearing so many times more than 99. Maybe we need to pay more attention on 56 than 90 the lx1, because when you are combining 56 with some others, you know, it has, it is disappearing so many times. And then when you come here, 76 is appearing so many times, you know, when I have three, combine a three combined events together. Dependency model does not give you that, and that is the kind of thing that we have been looking at, and we are tested with, we tested with some data, and that is why we have, uh, this.

Um, so essentially, because my time is up, um, we are looking to provide an improved method, you know, to make dependency modeling more acceptable, so that more people will be able to use it, um, to understand the risk that is within their organization without necessarily having to wait for the friendly attacker, without necessarily having to wait for the, um, for government who is looking at compliance to come and tell you, you know, you have District within your business. Um, where you know what risk you have, you can then address it and say, you know, we need to address this, we need to address that, you know, over that you can prioritize, you know, how you want to, and we are doing that by using extended version Network. Thank you very much. [Applause]