search

CERTCC / SSVC

Stakeholder-Specific Vulnerability Categorization
https://certcc.github.io/SSVC/
Other
130 stars 32 forks source link

Tutorial/HowTo to model IEC 61508 risk class matrix #324

Open ahouseholder opened 1 year ago

ahouseholder commented 1 year ago

This is an extension to #311

While perusing the IEC 61508 wikipedia page, I noticed its hazard and risk analysis section has a very similar structure to the decision models we can create with SSVC.

Specifically, it defines two input sets (call them decision points), one outcome set (a risk class), and a policy that maps the input to the output.

Inputs

Categories of likelihood of occurrence

Category Definition Range (failures per year)
Frequent Many times in lifetime > 10−3
Probable Several times in lifetime 10−3 to 10−4
Occasional Once in lifetime 10−4 to 10−5
Remote Unlikely in lifetime 10−5 to 10−6
Improbable Very unlikely to occur 10−6 to 10−7
Incredible Cannot believe that it could occur < 10−7

Consequence categories

Category Definition
Catastrophic Multiple loss of life
Critical Loss of a single life
Marginal Major injuries to one or more persons
Negligible Minor injuries at worst

Outcome set

Category Definition
Class I Unacceptable in any circumstance
Class II Undesirable: tolerable only if risk reduction is impracticable or if the costs are grossly disproportionate to the improvement gained
Class III Tolerable if the cost of risk reduction would exceed the improvement
Class IV Acceptable as it stands, though it may need to be monitored

Policy

  Consequence
Likelihood Catastrophic Critical Marginal Negligible
Frequent I I I II
Probable I I II III
Occasional I II III III
Remote II III III IV
Improbable III III IV IV
Incredible IV IV IV IV

This seems like it would be a good example walk-through of how one could create a custom decision function to model this mapping. It might help folks who are more accustomed to safety analysis to start reasoning about how SSVC might fit into their vulnerability response process.

j--- commented 1 year ago

I get this intuition. However, there is a tension I have. Security flaws are not exploited stochastically, as safety issues are modeled in IEC 61508. Intelligence analysis handles this by capability / access / intent per actor group determine whether an impact is realized, not stochastics. So this is absolutely what we are modeling. However, we have substituted out the likelihood aspect with CAI. Automatable reflects capability and access, value density reflects intent, State of exploitation reflects capability and intent, system exposure reflects access, etc.

So I don't love bringing likelihood in (which is a familiar and intuitive concept) and then ripping it back out. That may cause more confusion than benefit. But also, I do agree that the IEC table could be represented as a decision tree and we could leverage that similarity. I just want to be careful we don't bring in more harmful baggage with the metaphor than positive connection. https://discovery.ucl.ac.uk/id/eprint/10046820/1/Demjaha-2018-metaphors-considered-harmful.pdf