Assessing the risk of complex ICT systems

ICT systems are becoming increasingly complex and dynamic. They mostly include a large number of heterogeneous and interconnected assets (both physically and logically), which may be in turn exposed to multiple security flaws and vulnerabilities. Moreover, dynamicity is becoming paramount in modern ICT systems, since new assets and device configurations may be constantly added, updated, and removed from the system, leading to new security flaws that were not even existing at design time. From a risk assessment perspective, this adds new challenges to the defenders, as they are required to maintain risks within an acceptable range, while the system itself may be constantly evolving, sometimes in an unpredictable way. This paper introduces a new risk assessment framework that is aimed to address these specific challenges and that advances the state of the art along two distinct directions. First, we introduce the risk assessment graphs (RAGs), which provide a model and formalism that enable to characterize the system and its encountered risks. Nodes in the RAG represent each asset and its associated vulnerability, while edges represent the risk propagation between two adjacent nodes. Risk propagations in the graph are determined through two different metrics, namely the accessibility and potentiality, both formulated as a function of time and respectively capture the topology of the system and its risk exposure, as well as the way they evolve over time. Second, we introduce a quantitative risk assessment approach that leverages the RAGs in order to compute all possible attack paths in the system and to further infer their induced risks. Our approach achieves both flexibility and generality requirements and applies to a wide set of applications. In this paper, we demonstrate its usage in the context of a software-defined networking (SDN) testbed, and we conduct multiple experiments to evaluate the efficiency and scalability of our solution.