Being in charge of a company’s cyber security can be a real challenge, especially when the company in question provides critical infrastructures and you have to withstand all the pressure that comes with the function. The CYBERWIZ project comes as a relief, tracking down vulnerabilities within complex systems-of-systems and recommending countermeasures.

Digital Economy

Security

The more we rely on IT infrastructures, the scarier a cyberattack scenario becomes. Energy distribution systems and other critical infrastructures are, of course, protected from cyberattacks. But as the number of such attacks increases and ICT architectures grow into a spider-web like system-of-systems, it becomes almost impossible for people in charge of cyber security to have an overview of all vulnerabilities and their dependencies. This is the context in which the CYBERWIZ project was born, as Frank Schlottke, coordinator of the project and CEO of Applied Security GmbH, explains: “Being an expert in cybersecurity is increasingly out of reach, as companies manage large architectures with systems of systems. The actual vulnerabilities lie in the details. Understanding how such vulnerabilities relate in these complicated systems of systems is central to making the right decisions, and to make things worse, companies’ security experts are typically swamped with work.” To lend them a hand, CYBERWIZ developed securiCAD – a tool providing an overview of relationships and interpendencies between systems, pointing at areas to address and investments to pursue, and helping to manage cybersecurity as architectures are being built or modified. SecuriCAD is essentially a cyber threat modelling and risk management tool. It will take care of important tasks such as modeling IT-Infrastructure, simulation of risk use cases, result reports supporting decision making, all in an automated manner. The point is to boost company organisation with automated expert capabilities and proactive risk management. Concretely, the system provides a vulnerability “heat map” for each system configuration, allowing for a user-friendly and visual comparison of the different alternatives at hand. It generates a list of vulnerable assets, tells cyber security experts how likely they are to be attacked, lists the types of attacks that could take place, and recommends counter-measures that could prevent this from happening. “The system will automatically simulate cyberattacks, reveal all conceivable attack paths, and define the probability and the time it would take for the cyberattack to succeed. Once the recommended countermeasures have been implemented, the before/after situation will be compared and improvements will be tracked over time,” says Schlottke. SecuriCAD was tested in realistic conditions and confirmed to work exactly as expected. “We’ve had very good results and feedback from our pilot customer who were astonished by how fast we got results in their complex environment,” Schlottke explains. “We could identify additional risks and gaps in their security architecture, and use the feedback to improve the user interface and the “look-and-feel” of the tool so it as to meet the requirements not only of technical people, but also of business-focused ones.” Unlike state-of-the-art methods such as penetration tests, securiCAD leaves the IT-infrastructure of the client completely untouched during analysis and evaluation processes, which means that business can run without disruption and interruption. “This saves much time and manpower, so much in fact that we decided to allow the user to run proactive tests that will forecast the effects of possible changes in IT-infrastructure. This way, you can invest your unspent IT-security budget in the areas that will bring you the biggest benefit,” Schlottke concludes.

Keywords

CYBERWIZ, securiCAD, critical infrastructure, cyber security, cyberattack, security threat, vulnerability, IT