ubi:risk Dynamic and Near-Real-Time Cyber-Physical Security Risk Assessment and Management Framework compliant to ISO/IEC 27001
Despite the advancement of risk assessment methodologies for Critical Information Infrastructures most risk assessment frameworks do not adequately address the various cascading effects that are associated with security incidents occurring from interacting entities. This gap is very critical, given that Critical Information Infrastructures are characterized by significant interdependencies at multiple levels (infrastructural, national/intra-sectorial), taking under consideration the extremely high degree of dynamicity. Thus, the main goal of the ubi:risk solution is the alleviation of the above-mentioned gap, through the introduction, specification and validation of a set of multi-dependency approaches to risk assessment, introducing a new paradigm in the area of cyber and physical security of Critical Information Infrastructures, through the production and sharing of the knowledge associated with the identification and assessment of cascading effects in the global supply chain, with a view to predicting potential problems, as well as minimizing the consequences of diverge security incidents.
ubi:risk constitutes a framework and software platform that has been design to assist organizations of any size and type to perform dynamically, continuously and near-real-time cyber-physical security risk assessment in compliance to the ISO/IEC 27001 standard on information security management, addressing the various possible cascading effects that are associated with security incidents occurring from interacting entities and assets. As risk assessment is a complex and data-rich process, ubi:risk enables the organizations to define, graphically represent and document all cyber-physical assets of them within the scope of the security risk assessment process, as well as to specify the dependencies among several assets and link each asset with (multiple) predefined threats and vulnerabilities, denoting their likelihood and resulting impacts, together with details of the assets ownership and their confidentiality classification. Having the outlined the organization’s assets structure accompanied with their threats and vulnerabilities, a continuous risk assessment process initiates highlighting the cyber-physical risks of the organization’s infrastructure and proposing countermeasures though the instantiation of predefined security policies (derived from widely adopted international standards, such as the ISO 27001) to mitigate the identified risks – taking into consideration (near-real-time continuous risk assessment) any changes on the organization’s assets structure and any updates on the threats’ cascading models and effects, which the organization may dynamically introduce in the security risk assessment process (dynamic asset management).
ubi:risk is built aiming at the following objectives:
- identification, documentation and modelling of the key dependencies of all entities interacting with the Critical Information Infrastructures;
- incorporation of effective algorithms for capturing multi-order dependencies between Critical Information Infrastructures and third parties’ infrastructures and supply chain actors (e.g. comprising the business operation of the given use case);
- incorporation of predictive mechanisms that assess the potential impact of security incidents on Critical Information Infrastructures, given their interdependencies;
- provision of techniques and respective tools for identifying the critical path of the inter-dependencies across global supply chains (in the context of the given business use case); and
- provision of ICT tools for visualizing interdependencies, critical paths, criticality levels and probabilities based on the risk assessment techniques and mechanisms introduced.