The substation plays an important role in the electric grid and can transform voltage when distributing electricity, as well as serve other functions. The modern substation is a Cyber-Physical System, which inherently makes it complex and vulnerable to cybersecurity threats. Two methods for assessing cybersecurity are the use of threat models that give an overview of the potential threats of a system and attack graphs that can give details of potential paths of an attack. In this paper, we describe a parser for automatically creating threat models and attack graphs of a substation by using a threat modeling language for Substation Automation Systems and the configuration files of substations according to IEC 61850. By modeling attack scenarios and discussing the automatically generated attack graphs with experts in the industry, we were able to evaluate the threat modeling language and show how it can be used to generate accurate attack scenarios.

In the face of an evolving and increasingly complex threat landscape, organizations must adopt proactive approaches to assess and improve the resilience of their IT infrastructures against potential adversaries. Attack graphs are an effective tool to illustrate adversarial actions, but they often fail to capture the decision-making process of adversaries. To address this limitation, we map MITRE techniques to the attack steps in the attack graph and weight attempt probabilities at decision points according to the threat profile of the attacker. Considering a realistic, large IT infrastructure, we analyze how variations in attacker decision-making impact success rates, path diversity, the most frequent paths, and applied techniques. Our findings show that integrating attacker profiles into threat modeling can support accurate identification of the threat landscape and the optimization of defense strategies.

Two types of dynamics are important when modeling cyberattacks: how adversaries chain together techniques across systems and how they change the target systems. Attack graphs are prominent within research communities for automatically mapping and chaining together actions. Modeling adversary-driven system changes is comparatively unexplored, however. One reason could be that modeling adversarial change dynamics poses a blend of problems where the typical attack graph approaches could produce state-space explosions and infinite graphs. Therefore, this work presents the core modeling aspects of the Dynamic Meta Attack Language (DynaMAL), a project to lazily generate attack graphs by combining attack graph construction and simulation methods. DynaMAL lets users declare domain-specific modeling and attack graph generation languages. Then, the attack graphs are generated one step at a time based on the actions of an adversary agent. By only generating what is explicitly requested, DynaMAL can demonstrably change the system model as the attack graph grows while sidestepping typical state-space explosions and graph re-calculation problems. Shifting to a lazy generation process poses new challenges, however. Nevertheless, there is likely a point where lazy approaches will prevail when analyzing large and complex systems.

ICT infrastructures are getting increasingly complex, and defending them against cyber attacks is cumbersome. As cyber threats continue to increase and expert resources are limited, organizations must find more efficient ways to evaluate their resilience and take proactive measures. Threat modeling is an excellent method of assessing the resilience of ICT systems, for example, by building Attack Graphs that illustrate an adversary's attack vectors. Previously, the Meta Attack Language (MAL) was proposed, which serves as a framework to develop Domain Specific Languages (DSLs) and generate Attack Graphs for modeled infrastructures. coreLang is a MAL-based threat modeling language that utilizes Attack Graphs to enable attack simulations and security assessments. In this work, we present the first release version of coreLang in which MITRE ATT&CK tactics and techniques are mapped onto to serve as a validation and identify strengths and weaknesses to benefit the development cycle. Our validation showed that coreLang does cover 46% of all the techniques included in the matrix, while if we additionally exclude the tactics that are intrinsically not covered by coreLang and MAL, the coverage percentage increases to 64%.

The complexity of ICT infrastructures is continuously increasing, presenting a formidable challenge in safeguarding them against cyber attacks. In light of escalating cyber threats and limited availability of expert resources, organizations must explore more efficient approaches to assess their resilience and undertake proactive measures. Threat modeling is an effective approach for assessing the cyber resilience of ICT systems. One method is to utilize Attack Graphs, which visually represent the steps taken by adversaries during an attack. Previously, MAL (the Meta Attack Language) was proposed, which serves as a framework for developing Domain-Specific Languages (DSLs) and generating Attack Graphs for modeled infrastructures. coreLang is a MAL-based threat modeling language that utilizes such Attack Graphs to enable attack simulations and security assessments for the generic ICT domain. Developing domain-specific languages for threat modeling and attack simulations provides a powerful approach for conducting security assessments of infrastructures. However, ensuring the correctness of these modeling languages raises a separate research question. In this study we conduct an empirical experiment aiming to falsify such a domain-specific threat modeling language. The potential inability to falsify the language through our empirical testing would lead to its corroboration, strengthening our belief in its validity within the parameters of our study. The outcomes of this approach indicated that, on average, the assessments generated by attack simulations outperformed those of human experts. Additionally, both human experts and simulations exhibited significantly superior performance compared to random guessers in their assessments. While specific human experts occasionally achieved better assessments for particular questions in the experiments, the efficiency of simulation-generated assessments surpasses that of human domain experts.

Flexibility markets are crucial for balancing the decentralised and renewable-driven energy landscape. This paper presents a security evaluation of a flexibility market system using a threat modelling approach. A reference architecture for a typical flexibility market system is proposed, and attack graph-driven simulations are performed to analyse potential attack pathways where malicious actors might infiltrate the system and the vulnerabilities they might exploit. Key findings include the identification of high-risk areas, such as the Internet links between market actors. To mitigate these risks, the paper proposes and evaluates multiple protection scenarios in reducing the identified attack vectors. The findings underline the importance of multi-layered security strategies to safeguard flexibility markets from increasingly sophisticated cyber threats.

The substation automation system consists of many different complex assets and data flows. The system is also often externally connected to allow for remote management. The complexity and remote access to the substation automation system makes it vulnerable to cyber attacks. It also makes it difficult to assess the overall security of the system. One method of assessing the potential threats against a system is threat modeling. In this paper we create a language for producing threat models specifically for the substation automation systems. We focus on the method used to create the language where we review industry designs, build the language based on existing languages and consider attack scenarios from a literature study. Finally we present the language, model two different attack scenarios and generate attack graphs from the threat models.

Software bills of materials (SBOMs) promise to become the backbone of software supply chain hardening. We deep-dive into six tools and the SBOMs they produce for complex open source Java projects, revealing challenges regarding the accurate production and usage of SBOMs.

When protecting the Industrial Control Systems against cyber attacks, it is important to have as much information as possible to allocate defensive resources properly. In this paper we estimate the Time-To-Compromise of different Industrial Control Systems attack techniques by MITRE ATT&CK. The Time-To-Compromise is estimated using an equation that takes into consideration the vulnerability data that exists for a specific asset and category of vulnerability. The vulnerability data is derived from an Industrial Control Systems specific vulnerability dataset. As a result, we present the mapping of the attack techniques to assets and categories of vulnerability, which makes it possible to apply specific vulnerabilities to the technique. We also present the method of how to estimate the Time-To-Compromise of the techniques and finally the values of Time-To-Compromise. After mapping the attack techniques to assets and category of vulnerability we are able to estimate the Time-To-Compromise and discuss its trustworthiness.

Modern software applications are virtually never built entirely in-house. As a matter of fact, they reuse many third-party dependencies, which form the core of their software supply chain [1]. The large number of dependencies in an application has turned into a major challenge for both security and reliability. For example, to compromise a high-value application, malicious actors can choose to attack a less well-guarded dependency of the project [2]. Even when there is no malicious intent, bugs can propagate through the software supply chain and cause breakages in applications. Gathering accurate, upto- date information about all dependencies included in an application is, therefore, of vital importance.