IEEE Access (Jan 2022)

A Formal Model and Verification for HESTIA: An Automated, Adversary-Aware Risk Assessment Process for Cyber Infrastructure

  • Ananth A. Jillepalli,
  • Daniel Conte De Leon,
  • Jim Alves-Foss,
  • Clinton L. Jeffery,
  • Frederick T. Sheldon

DOI
https://doi.org/10.1109/ACCESS.2022.3197195
Journal volume & issue
Vol. 10
pp. 83755 – 83792

Abstract

Read online

Due to the characteristics and connectivity of today’s critical infrastructure systems, cyber-attacks on these systems are currently difficult to prevent in an efficient and sustainable manner. Prevention and mitigation strategies need accurate identification and evaluation of: system vulnerabilities, potential threats and attacks, and applicable hardening measures. Furthermore, the ability to prioritize hardening measures based on accurate assessments of risk is needed. In addition, the consideration of the availability, applicability, and cost of potential mitigation strategies is also needed. To address this challenge we created HESTIA: High-level and Extensible System for Training and Infrastructure risk Assessment. In this article we present a formal model of the HESTIA system. We then also present a formal verification of the HESTIA semantic model.

Keywords