Extending the capabilities of Dependency Modelling for Risk Identification in an ICS environment
2023-02-11 , Track 2 - Foxhunter

Dependency modelling (DM) is a standardised approach proposed by the Open standard Institute as a methodology to manage risk and build trust between inter-dependent enterprises. This approach aligns with the National Cyber Security Centre (NCSC)’s advocacy of system-driven risk analysis. DM measures risk as the degree of uncertainty - uncertainty that a system will be at a required (desired) state. DM is expressed as the probability of achieving the desired state of a goal and how it is impacted by things beyond the control, predictability or understanding of the system/process owner. These probabilities of events (nodes) change when the probabilities of some other events change. However, there exist limitations in the current expressions of DM that hinder its complete adaptation for risk identification in a complex environment such as ICS. This research investigates how the capability of DM could be extended to address the identified limitations and proposes additional variables to address phenomena that are unique to ICS environments. The proposed extension is built into a system-driven, ICS dependency modeller, and we present an illustrative example using a scenario of a generic ICS environment. We reflect that the proposed technique supports an improvement in the initial user data input in the identification of areas of risk at the enterprise, business process, and technology levels.

