Situational and risk-based consequence-focused incident management decision support models 

WP leader: Fionn Iversen, NORCE

This WP shall map the impact of response, and combinations thereof, on the consequences of attacks causing abnormal activity, as represented by the anomaly (BAD) patterns, for both previously known and for unknown threats. Situational awareness related parameters of the underlying CPS model, such as process information and state in process details, will be key to such analysis. For the petroleum drilling process, physics-based models developed at NORCE for diagnostics and automation of the drilling process [29] may be applied for this purpose.
Responses may typically be in the form of: (i) continued passive monitoring to gain more information (requiring evaluation at later point for subsequent action), (ii) Isolating or deactivating the attack where observed and possibly, (iiia) constraining / (iiib) deactivating the observed affected components, (iva). constraining / (ivb) deactivating possible linked affected components (but not observably so), etc., or a combination of the above. If deactivating components affects the ability to manage the process, then the process might be set in a default safe mode if possible, for dealing with the attack – alternatively switched off (meaning process downtime).
Here a stochastic framework may be applied, in which various cyber-attack scenarios, detection methods, possible responses and predicted system impacts are simulated for purposes of system optimization and as a means to quantify system reliability and response efficiency.
Based on the performed analysis and development, a decision support prototype application shall be built for providing decision support for both known and new unknown threats, accounting for risk to and prioritising uptime of the physical process.

Tasks:

• A5.1: Develop response alternatives for 5-10 of the anomaly (BAD) patterns from WP3.
• A5.2: Evaluate effect of the attack scenario response alternatives using the enhanced BAD models from WP4. This evaluation will be aided by an updated CPS model which includes the cause-consequence relationships from the WP4 models (weaving the causal and consequence events into the context hierarchy model).
• A5.3: Develop a decision support dashboard prototype based on the results from A5.1 and A5.2. This dashboard will be used as the basis for the case studies in WP6.