
To determine the impact of a potential risk in terms of violated security goals, it is necessary to assess their worth, meaning that aspects such as injuries, financial losses, and legal infringements must be put in relation to each other. To this end, the security objectives of each instance are rated regarding their cybersecurity impact in a Cybersecurity Impact Level (CIL). While the levels can be defined individually for each organization, a scale ranging from level 0 (no relevance) to level 4 (very high relevance), as suggested in IEC 62443-4-2 [14], has proven to be well suited. The individual impact levels are assigned based on the potential damage, regardless of its cause. As a starting point, some initial ratings must be provided from historical values, expert opinions, ground truth, or similar, so that they can be propagated systematically along the model. In the following, a description of the individual impact levels is provided.

Confidentiality Impact Level (CILConf): The impact of cases in which confidential information is disclosed. This includes know-how and intellectual property, but also cryptographic keys.

Integrity Impact Level (CILInt): The impact of cases in which the integrity of the instance is compromised. This can be an altered component or function, as well as a manipulated connection or manipulated data.

Availability Impact Level (CILAva): The impact of cases in which the instance is unavailable. This can be a broken component, function, or connection, or unavailable data.

Authenticity Impact Level (CILAut): The impact of cases in which the authenticity of the instance is compromised. The relevance of CILAut depends on the nature of the overall system. A typical question that should be clarified at the outset is whether inauthentic instances can be valid data in terms of integrity. Usually, fake data such as spoofed instructions or manipulated values are relevant here. In addition, counterfeit components can cause damage in certain application environments.

Non-Repudiation Impact Level (CILNR): The impact of cases in which one party can successfully dispute being the sender or editor of data. The relevance of CILNR depends on the nature of the overall system. It is particularly important for orders on virtual marketplaces and affects functions, data, and connections.


4.3.1 Impact Propagation

Looking at the dependency tree, CILs can be propagated upwards and downwards through the model. Guides on creating such trees are provided by [29] and [83]. With the following propagation method, the CIL of all instances of the model is calculated iteratively.

Note that only a small set of initial data $D_0$ (for confidentiality) and sink functions $F_0$ (for all other security objectives) must be rated manually in order to propagate the CIL through the remaining model. To cope with special cases, further manual assessments before or after propagation can also be reasonable. The process for evaluating the impact on the security objectives integrity, availability, authenticity, and non-repudiation for all instances propagates upwards from the sinks to the sources. The only exception to this direction is the evaluation of the confidentiality-specific CILConf, which requires a manual rating of the sources $D_0$ and propagation down to the sinks. An exemplary application of this process is shown in Section 7.3.1 as part of the use case evaluation in Chapter 7.

Top-Down Propagation. Based on the initially assessed CILConf of the source data and of special instances, the confidentiality levels are propagated top-down from their manually rated source data. First, the CILConf of a function is evaluated to be the maximum CILConf of the source data $D_0$ consumed by this function and, if applicable, of an intrinsic value (e.g., a valuable, sophisticated algorithm). Second, the CILConf of a connection is evaluated to be the maximum CILConf of the data transferred through this connection. Third, the CILConf of a component is evaluated to be the maximum CILConf of the functions hosted by this component. Fourth, the CILConf of previously unrated data is evaluated to be the CILConf of the connections they are transmitted through, the functions they are produced by, or the components they are stored at, respectively.

Bottom-Up Propagation. To determine the levels for the other security objectives, the bottom-up propagating relevance levels CILAva, CILInt, CILAut, and CILNR are propagated from their initial manually rated sink functions $F_0$. Let CIL$_X$ be the rating for a security objective $X$ from this enumeration. First, the CIL$_X$ of the data consumed by a sink function $F_0$ is evaluated to be the maximum CIL$_X$ of the functions that consume this data. Second, the CIL$_X$ of a connection is evaluated to be the maximum CIL$_X$ of the data transferred through this connection. Third, the CIL$_X$ of a component is evaluated to be the maximum CIL$_X$ of the functions hosted by this component. Fourth, the CIL$_X$ of previously unrated functions is evaluated to be the level of the data they produce.

Cross-class Inheritance for Security Measures. A special case of inheritance applies to security measures, which inherit the level of the instance they protect. Thereby, the class of the inherited security objective changes while its level remains, typically towards the integrity or availability of the security control (function). An example of such a security control is a sanitizing function, which lowers the confidentiality level of data by removing sensitive information. The function thereby inherits the confidentiality level of the unsanitized data as its own integrity level, while the sanitized data can have a lower CILConf. Such relationships must be described in advance of further propagation.

4.3.2 Instance-specific Impact Aggregation

The output of the propagation process is a list of assessed security objectives, indicating the potential impact of violating the associated security goals. The aggregation of these levels per instance leads to an overall rating, comparable to the Safety Integrity Level (SIL) [142]. It creates comparability between impairments and thus indicates the appropriate attention and severity that should be given to the instance. In order to aggregate the overall effect of an instance, various situation-specific approaches can be applied. Intuitive approaches are to determine the maximum of its intrinsic CILs, as shown in Equation 4.1, to use a discrete aggregation matrix, or to apply a classification scheme similar to the Automotive Safety Integrity Levels (ASIL) [143].

$$\text{Impact} = \max(\text{CIL}_{\text{Conf}}, \text{CIL}_{\text{Ava}}, \text{CIL}_{\text{Int}}, \text{CIL}_{\text{Aut}}, \text{CIL}_{\text{NR}}) \tag{4.1}$$
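As an added illustration that is not part of the original text, the following Python code runs the two propagation passes of Section 4.3.1 and the aggregation of Equation 4.1 on a small constructed model. The model, the instance names, and the choice to take the maximum where previously unrated data has several sources are assumptions; instances no rule reaches (here the sensor component for confidentiality) stay unrated and are left to manual assessment.

```python
# Constructed toy model (not from the page): sensor -> fieldbus -> PLC control function, plus a historian logger.
CONSUMES  = {"f_sense": set(), "f_ctrl": {"d_meas", "d_setpt"}, "f_log": {"d_meas"}}  # function -> data read
PRODUCES  = {"f_sense": {"d_meas"}, "f_ctrl": {"d_cmd"}}                                # function -> data written
TRANSFERS = {"c_fieldbus": {"d_meas", "d_cmd"}}                                         # connection -> data carried
HOSTS     = {"sensor": {"f_sense"}, "plc": {"f_ctrl"}, "hist": {"f_log"}}               # component -> functions
STORES    = {"hist": {"d_meas"}}                                                        # component -> data stored

def _lift(cil, key, levels):  # raise the CIL of key to max(levels), ignoring unrated (None); True if it rose
    new = max((lv for lv in levels if lv is not None), default=-1)
    if new <= cil.get(key, -1):
        return False
    cil[key] = new
    return True

def propagate_conf(d0, intrinsic=None):
    """Top-down CILConf from manually rated source data D0 (dict data -> level)."""
    cil, intrinsic, changed = dict(d0), intrinsic or {}, True
    while changed:  # levels only ever rise, so the loop reaches a fixed point
        changed = False
        for f, ds in CONSUMES.items():   # 1. function = max(consumed data, intrinsic value)
            changed |= _lift(cil, f, [cil.get(d) for d in ds] + [intrinsic.get(f)])
        for c, ds in TRANSFERS.items():  # 2. connection = max(transferred data)
            changed |= _lift(cil, c, [cil.get(d) for d in ds])
        for comp, fs in HOSTS.items():   # 3. component = max(hosted functions)
            changed |= _lift(cil, comp, [cil.get(f) for f in fs])
        # 4. unrated data: from transmitting connection, producing function or storing component (max assumed)
        for d in set().union(*PRODUCES.values(), *TRANSFERS.values(), *STORES.values()) - set(d0):
            changed |= _lift(cil, d, [cil.get(k) for rel in (TRANSFERS, PRODUCES, STORES)
                                      for k, ds in rel.items() if d in ds])
    return cil

def propagate_bottom_up(f0):
    """Bottom-up CIL_X (X = Int, Ava, Aut or NR) from manually rated sink functions F0."""
    cil, changed = dict(f0), True
    while changed:
        changed = False
        for f, ds in CONSUMES.items():   # 1. consumed data = max(consuming functions)
            changed |= any([_lift(cil, d, [cil.get(f)]) for d in ds])
        for c, ds in TRANSFERS.items():  # 2. connection = max(transferred data)
            changed |= _lift(cil, c, [cil.get(d) for d in ds])
        for comp, fs in HOSTS.items():   # 3. component = max(hosted functions)
            changed |= _lift(cil, comp, [cil.get(f) for f in fs])
        for f, ds in PRODUCES.items():   # 4. unrated functions = level of the data they produce
            if f not in f0:
                changed |= _lift(cil, f, [cil.get(d) for d in ds])
    return cil

def impact(instance, *cils):  # Equation 4.1: maximum over the instance's rated objectives
    return max((c[instance] for c in cils if instance in c), default=None)
```

With $D_0$ = {d_meas: 1, d_setpt: 2} and an intrinsic value of 3 for the control algorithm, the command data and the fieldbus inherit CILConf 3 from the PLC function; with $F_0$ = {f_ctrl: 4, f_log: 1} for availability, the sensor function and component inherit CILAva 4 through the measurement they produce.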