Risk Analysis of Water Grid Systems Using Threat Modeling
IOP Publishing, doi:10.1088/1742-6596/2261/1/012015

Critical infrastructure systems consist of physical and cyber assets that are essential to the operation of the economy and the government. As one of the most important critical infrastructures worldwide, the water sector has become exposed to new risks in the form of cyber threats that can severely impact public health and are difficult to detect. A water grid system (WGS) plays an important role in guarding the business processes of the water sector against possible threats and risks. Threat modeling can be used to analyze threats to the WGS: it identifies the points of access to the assets and devices of the system, classifies the threats to them, assesses the risks they pose, and suggests mitigation measures. Each threat is classified by type according to the STRIDE methodology, and the classified threats are then rated using the DREAD methodology. This yields a risk rating for each threat from which mitigation measures can be devised to minimize the risk it poses. The threat modeling stage shows that the highest-risk threats to WGSs are tampering (risk score 14), denial of service (13), and repudiation (12). These rankings are used to formulate recommendations in the form of mitigation controls against these threats.


Introduction
Cyberattacks on critical infrastructure are a cause of increasing concern worldwide [1]. As part of such infrastructure, the water sector has become increasingly vulnerable through its use of automated monitoring and control systems such as Supervisory Control and Data Acquisition (SCADA). It is thus an attractive target for attackers, as many network devices in this infrastructure are exposed to public networks and lack robust security features.
The convergence of operational technology (OT) networks, information technology (IT) networks, and standard industrial control system (ICS) designs is ushering the industrial sector, including the water industry, into the digital age. The OT assets involved include those for water storage, power generation, recreation, navigation, irrigation, flood damage mitigation, sediment control, and mine tailings impoundment. These assets provide a variety of economic, environmental, and social benefits, which can be offset by the damage caused in the event of their failure.
Various cyberattacks targeting the water sector have been reported in recent years, including those on a water treatment facility in Florida [2], water facilities in Israel [3], and a dam in New York [4]. Many countries have developed guidelines and cybersecurity programs to protect the water sector. However, a practical approach should also be considered, as suggested by [5], because the integration of newly developed smart components into IT networks alongside legacy equipment in OT networks is a vulnerable combination that must be re-examined whenever a component is added, updated, or removed [6].
Dam breaches or failures may have a significant impact on human infrastructure, and can result in many casualties. As the number of elements of the dam system increases, so does the total amount of communication that takes place. This leads to an increase in the number of potential weak points that attackers can exploit [6]. Hence, it is important to ensure appropriate management to reduce the risk posed [7].
The continuous monitoring of a water grid system (WGS) provides a steady stream of data that can be used to identify and rectify security shortcomings in the system, to characterize attacker behavior and anticipate when and how attacks may occur, and to prepare adequate countermeasures. This is achieved through an iterative process known as threat modeling, a systematic approach to designing policies against security threats and possible mitigation strategies, which should form the basis of risk assessment and security design for computer and information systems [8]. Hence, an effective threat model needs to be established for any given information system before determining where its vulnerabilities lie and ensuring that it is secure.
With regard to the WGS, a threat is any action or event that might cause a malfunction of the system or its services, such as a component failure, and thereby jeopardize the confidentiality, integrity, or availability of the system. When defining security requirements, threats are analyzed based on their criticality and probability of occurrence, and each is addressed either by mitigating it or by accepting its risk; this analysis must be revisited as the definitions of functionality and requirements evolve.
The appropriate identification and rating of threats against these requirements defines the functionality and services the system must provide and, thus, the appropriate selection of countermeasures that minimize the ability of attackers to abuse the system. In this respect, threat modeling considers the system from an adversary's point of view, allowing developers to predict likely attack targets and to answer the question of what the system is intended to protect against. Threat ratings tell security professionals where to start when the identified vulnerabilities need to be corrected.
This study focuses on identifying threats using the STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege) threat model to identify potential threats, which are then rated using the DREAD (Damage Potential, Reproducibility, Exploitability, Affected Users, and Discoverability) risk rating model. The remainder of this paper is structured as follows: Section 2 provides an overview of cybersecurity and cyberattacks related to the water sector, and Section 3 describes the methodology used. Section 4 describes the proposed threat model and resulting attack probabilities, and Section 5 details the implications on security risks to the water sector, and offers the conclusions of this study.

Literature Review
This section reviews work on cybersecurity in the water sector in general and provides an overview of the threat assessment model for WGSs.

Cybersecurity in the water sector
Safeguarding the water sector against cybersecurity threats is considered a national priority [1] because it is part of a country's critical infrastructure. The growing use of automated surveillance and control systems, such as SCADA, for water utilities, has increased cyber-vulnerabilities in the water system [9]. The operations of this infrastructure can be an easy target for an attacker as most network devices are often public facing and easily accessible in the absence of security features.
Most industrial sectors, including the water sector, are embracing the digital age through the integration of OT networks, IT networks, and standard ICS architectures. Such integration, however, poses considerable security risks [1] because most ICS devices and protocols were not designed with security features. In addition, OT networks prioritize availability whereas IT networks prioritize confidentiality, which makes combining the two difficult. Recovery measures are hard to apply immediately alongside critical, real-time business operations in OT because doing so is likely to interrupt system operation.
The interdependence of ICT equipment and other components makes it clear that the challenges posed by cybersecurity include IT-related dangers and physical threats [10]. Therefore, various mitigation efforts have been implemented to protect the water sector against threats to cybersecurity. For example, NIST highlighted in its guideline that it is critical to consider the influence of cyberthreats on the physical system, dependent systems, and the physical environment when establishing secure ICS [11]. Other ICS security activities should involve continually upgrading the security standards, protocols, and devices [1].

Modeling cyberattacks
Numerous warnings of cyberattacks on critical infrastructure, and on the water sector in particular, have been issued, including those concerning ransomware, ICS tampering, valve and flow operations, and chemical treatment formulations [12]. A water utility was attacked in February 2021, and the attackers were able to remotely control the system to modify the volume of water flow and the amount of chemicals used to treat it [2]. Similar attacks on Israeli water management facilities were reported in 2020 [3].
A hypothetical cyberattack on an American hydroelectric dam, simulated by the global professional services firm AON in collaboration with Guidewire, was estimated to cause economic losses of up to $56 billion for local businesses and communities [13]. In another incident, in 2013, a hacker allegedly affiliated with the Iranian government accessed the computer system of a New York dam and obtained confidential files containing usernames and passwords [4].
To protect dams against cyberattacks, the relevant authorities need to identify the specific threats, and may request assistance from cybersecurity experts to establish a suitable defense mechanism [14]. To improve the security of control systems for dams, the US Department of Homeland Security has outlined a cybersecurity program that includes the identification, assessment, risk management, and response and recovery of cyber-assets [15].
An approach has been proposed to address cyber-threats at different levels by combining risk assessment and threat modeling to derive security requirements [5]. To detect weaknesses in the security architecture of a dam, the authors of [6] performed a risk analysis of two scenarios, namely water contamination and overflow of the water tank. In this study, we focus on threat modeling for the WGS architecture.

Methodology
The proposed modeling methodology is shown in Figure 1, and follows proposals in [16][17][18]. It features (a) the identification of assets of the IoT device, (b) identification of access points to the device, (c) classification of threats, (d) rating of the identified threats, and (e) proposal of countermeasures to mitigate each threat.

Identification of assets
Asset identification is the most crucial step in threat modeling because assets are the main targets of attacks. An asset is any valuable component of a system, owned by the organization, that is of interest to attackers; attackers are persons or processes that threaten the asset from within the system or from the environment in which it is used. Assets in the environment may evolve dynamically and require security controls suited to conditions that were not anticipated in the design phase [19]. The assets of WGSs include various interconnected systems, numerous hardware and software components, networks, cabling, power sources, power outlets, and the different kinds of users interacting with the system.

Identification of access points of device
Access points are the interfaces through which an attacker can reach an asset and obtain unauthorized privileges over it. Examples of access points include hardware ports, login screens and user interfaces, open sockets, and configuration files. Once an access point has been identified, trust boundaries around it within the system can be defined; these mark the places where the level of trust changes [20]. Trust levels stipulate how much trust is required to access a given part of the system. For example, the corporate network perimeter forms a trust boundary: anyone inside it may reach the web through the network, but not everyone outside the corporation may reach the corporate network.

Classification of threats
Threats may result from the activities of legitimate users of a system (insiders), who are authenticated and authorized to use the services provided by the system, or from the activities of unauthorized users (outsiders). Threats often originate from weaknesses in design, implementation, or configuration, and are a cause for concern to any or all who use information management systems. The knowledge gathered from the detection of access points can help identify potential threats due to them. Threat classification is performed by using the STRIDE methodology, as shown in Figure 2.

Rating of identified threats
Following the identification of threats using the STRIDE model, the DREAD risk assessment model is used to assess and analyze each threat and to estimate the risk it poses by rating it. Using the DREAD model, a risk rating is assigned to a threat by answering the questions shown in Figure 3. Each of the five DREAD items is rated high, medium, or low, scored 3, 2, or 1 respectively (0 where the item does not apply), and the overall risk rating of the threat is the sum of the five item scores, giving a total between 0 and 15 that is then compared across threats. Totals from 12 to 15 are considered high risk, those from 8 to 11 medium, and those from 5 to 7 low.

Proposing countermeasures to mitigate threats
The risk ratings are used by development teams to make informed decisions on prioritizing fixes to software, identifying security controls for an application, and tackling potential threats in a timely manner according to their severity and impact. This leads to a secure environment that uses resources more effectively to avoid potential hazards.

WGS system architecture
WGSs are composed of water supply pumps, reservoir tanks, pipes, and valves. These systems have a range of elements, including water pressure sensors, water quality sensors, water level sensors, programmable logic controllers, and SCADA. These elements enable the automated operation of the system. The total amount of communication increases with the number of elements, and this leads to more weaknesses that attackers can exploit.
The main task of the WGS is to deliver the requisite volumes of clean water. If an element of the cyber-physical system or the WGS is accessible to attackers, this may compromise the overall process. Attacks can vary from data misuse, false alarms, and halted water delivery to tank overflows and even water contamination, depending on the attacker's intention.
The analysis in this paper is based on a reference architecture of the WGS shown in Figure 4. The trust zone of components is first identified within Layer 0, and then in Layers 1, 2, and 3 respectively. Trust zones at the control center in the environment of Layer 4 include SCADA and a monitoring system. Layer 5 contains two zones: one that covers the OT and a second dealing with the application server.
Layer 0 refers to the field devices of the water plant, which generate analog data, send them to the upper layers, and receive commands from devices in other layers to keep the entire plant safe and stable. For example, the pump provides sufficient pressure to overcome the operating pressure of the system and move the fluid at the required flow rate. Physical access to this layer should be controlled and monitored with appropriate security measures to prevent intruders from reaching the water plant. Layered security measures slow down anyone who tries to harm the facility, which provides more time to detect the problem and respond to it.
Layer 1 consists of devices that receive and process information from those of Layer 0, and act as a control component of the overall system. If the restriction on physical access is not appropriately applied, the integrity of Layer 1 devices may be compromised as the information processed in Layer 1 is sent back to devices in Layer 0. As most controllers are equipped with remote connectivity, it is important for the operators and supervisors to understand how cyber-threats associated with the IT network can affect their OT network.
In Layer 2, a human-machine interface (HMI) serves as a graphical user interface that allows interaction between the human operator and the controller hardware. It can display status information and historical data gathered by devices in the ICS environment. It is also used to conduct system status checks, and to respond to alarms or any other issues that arise during the water treatment process.
Layer 3 separates human-to-human from machine-to-machine communications, and only authorized communications are permitted between the upper and lower layers. A gateway forwards traffic to a switch and on to the adjacent layer. This part is labeled the machine-to-machine (M2M) layer, where various devices and machines connected to the Internet interact with one another. Layer 4 is the SCADA layer, which is the foundation of the water system infrastructure. SCADA comprises heterogeneous components such as intelligent electronic devices, programmable logic controllers, remote terminal units, control servers, and routing and security devices, which analyze, visualize, and monitor the data collected from the lower layers. SCADA devices communicate with one another over various communication protocols and physical media, with differing security properties. Failure of or attacks on these networks can make the data unavailable or allow attackers to inject false data into the system, leading to incorrect state estimates and control decisions that can cause critical damage.
Layer 5 provides physical and logical separation between the water ICS and the enterprise network. It comprises a virtual private network (VPN) solution that establishes an encrypted tunnel through which data are permitted to flow in one direction only, such as from the OT zone to the IT zone. Note that a VPN tunnel is itself bidirectional; the one-way restriction has to be enforced separately, by firewall policy at the tunnel endpoints or, where a strict guarantee is needed, by a hardware data diode.
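The Layer 4 discussion above notes that injected false data leads to incorrect state estimates and control decisions. One countermeasure a practitioner would want alongside the network controls is a plausibility check on the telemetry itself: a reading that violates the physics of the plant (level outside tank capacity, a change faster than the pump or valve can produce, a level moving against the commanded state, or a value frozen while the plant must be changing) is flagged before it reaches the operator or the control logic. The following is an added example written for this page, not code from the paper; the tank limits (MAX_RATE, TOL), the Sample fields and the telemetry list are constructed assumptions.

```python
"""Added example: plausibility checks that flag false data injected into the
Layer 4 telemetry stream. Illustration code for this page, not part of the paper;
the tank parameters and the telemetry samples below are constructed."""
from dataclasses import dataclass

MAX_RATE = 5.0   # assumed physical limit: % of tank volume per sample interval
TOL = 0.5        # assumed sensor noise allowance, % of tank


@dataclass(frozen=True)
class Sample:
    ts: int           # sample index (one per interval)
    level: float      # tank level, % full, as reported to SCADA
    pump_on: bool     # inlet pump state commanded by the PLC
    valve_open: bool  # outlet valve state commanded by the PLC


def expected_trend(s: Sample) -> int:
    """+1 if the level must rise, -1 if it must fall, 0 if either is possible."""
    if s.pump_on and not s.valve_open:
        return 1
    if s.valve_open and not s.pump_on:
        return -1
    return 0


def check_pair(prev: Sample, cur: Sample) -> list:
    """Reasons why `cur` is implausible given `prev`; empty list if it is fine."""
    reasons = []
    if not 0.0 <= cur.level <= 100.0:
        reasons.append(f"level {cur.level}% outside the 0..100% range")
    delta = cur.level - prev.level
    if abs(delta) > MAX_RATE:
        reasons.append(f"level changed {delta:+.1f}% in one interval (limit {MAX_RATE}%)")
    trend = expected_trend(prev)
    if trend == 1 and delta < -TOL:
        reasons.append("level fell while the pump was filling a closed tank")
    if trend == -1 and delta > TOL:
        reasons.append("level rose while the tank was draining with the pump off")
    return reasons


def scan(samples, stuck_n: int = 3):
    """Run the pairwise checks and also flag a reading frozen for `stuck_n`
    intervals while the plant state says it must be changing (replayed data)."""
    alerts, stuck = [], 0
    for prev, cur in zip(samples, samples[1:]):
        reasons = check_pair(prev, cur)
        if cur.level == prev.level and expected_trend(prev) != 0:
            stuck += 1
            if stuck == stuck_n:
                reasons.append(f"level unchanged for {stuck_n} intervals while "
                               "filling or draining (frozen or replayed reading)")
        else:
            stuck = 0
        if reasons:
            alerts.append((cur.ts, reasons))
    return alerts


# Constructed telemetry: pump on, outlet closed, tank filling at 4 %/interval,
# with an injected drop (ts 4), a frozen value (ts 5..8) and an impossible
# reading (ts 9).
TELEMETRY = [
    Sample(0, 50.0, True, False), Sample(1, 54.0, True, False),
    Sample(2, 58.0, True, False), Sample(3, 62.0, True, False),
    Sample(4, 20.0, True, False),   # injected: tank "lost" 42 % at once
    Sample(5, 24.0, True, False), Sample(6, 24.0, True, False),
    Sample(7, 24.0, True, False), Sample(8, 24.0, True, False),
    Sample(9, 105.0, True, False),  # injected: above physical capacity
]

if __name__ == "__main__":
    for ts, reasons in scan(TELEMETRY):
        print(f"t={ts}: " + "; ".join(reasons))
```

Run stand-alone it reports the drop at t=4 (rate and direction violations), the frozen reading at t=8, and the out-of-range value at t=9. The check uses only the commanded actuator states and the reported level, so it works at the historian or SCADA server without any change to the PLC; the limits have to be taken from the real plant's pump and valve capacities, and a genuine sensor fault will trip the same alarms, which is the intended behaviour.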

WGS threat modeling
In general, threat modeling aims to identify threats and vulnerabilities within IT-related system architectures. Furthermore, it helps carry security and privacy from design into practice. In this study, the Microsoft Threat Modeling Tool is used because it is one of the most commonly used tools in threat modeling research. It works on data flow diagrams that describe data stores, processes, and communication lines, and reports threats based on the STRIDE model. In the model itself, trust zones are identified by layer. Figure 5 shows the threat model based on the architecture in Figure 4; it comprises a data flow diagram of the architecture. Modeling the architecture and its threats through the risk assessment yielded 154 threats, classified according to STRIDE as shown in Table 1. The threats identified by the model were used to identify security countermeasures and to outline the procedures required to avoid them. The threats show how various attacks might be carried out by exploiting particular system vulnerabilities. For the assessment, we relied only on the threats shown in Table 2.
Once the threats had been identified using the STRIDE model, the DREAD risk assessment model was used to classify the risks they pose by qualifying, analyzing, and prioritizing them. Using the DREAD model, each threat was ranked in terms of its potential for damage, the reproducibility of the attack, the ease of exploitation by a malicious actor, the users affected, and how easily the underlying weakness can be discovered. A summary of the risk assessment is presented in Table 3.
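The procedure of the Methodology section (asset and access point identification, STRIDE classification, DREAD rating) and its application here both rest on the same mechanics: STRIDE-per-element over a data flow diagram, then a DREAD sum per threat. The following is an added worked example for this page, not output of the paper's Microsoft Threat Modeling Tool or its 154-threat model. The element kinds, the STRIDE-per-element mapping, the DFD of five elements and five flows across the architecture layers, and the DREAD item values (chosen so that the three rated threats total 14, 13 and 12, as in the text) are all constructed assumptions; the "negligible" bucket below a total of 5 is this example's own label, since the text defines none.

```python
"""Added worked example: STRIDE-per-element enumeration over a small data flow
diagram (DFD) of the WGS layers, followed by DREAD scoring and ranking. This is
illustration code for this page, not the paper's Microsoft Threat Modeling Tool
output; the DFD, trust zones and DREAD item values are constructed."""
from dataclasses import dataclass, field

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}
# STRIDE-per-element: which threat classes apply to each kind of DFD element.
PER_ELEMENT = {"external": "SR", "process": "STRIDE", "store": "TRID", "flow": "TID"}
DREAD_ITEMS = ("damage", "reproducibility", "exploitability",
               "affected_users", "discoverability")

@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # external | process | store
    zone: int   # trust zone, taken here to be the architecture layer (0..5)

@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    protocol: str

@dataclass
class Threat:
    category: str
    target: str
    crosses_boundary: bool = False      # a flow that leaves its trust zone
    dread: dict = field(default_factory=dict)

    @property
    def score(self) -> int:
        return sum(self.dread.values())

def score_level(total: int) -> str:
    """Bucket a DREAD sum (0..15) with the thresholds stated in the text;
    'negligible' for sums below 5 is this example's label, not the paper's."""
    return ("high" if total >= 12 else "medium" if total >= 8
            else "low" if total >= 5 else "negligible")

def enumerate_threats(elements, flows):
    """Apply STRIDE-per-element to every element, then to every data flow."""
    threats = [Threat(STRIDE[c], el.name)
               for el in elements for c in PER_ELEMENT[el.kind]]
    for fl in flows:
        target = f"{fl.src.name} -> {fl.dst.name} ({fl.protocol})"
        threats += [Threat(STRIDE[c], target, fl.src.zone != fl.dst.zone)
                    for c in PER_ELEMENT["flow"]]
    return threats

def rate(threat: Threat, **items: int) -> Threat:
    """Assign the five DREAD item values (each 0..3) to a threat."""
    if set(items) != set(DREAD_ITEMS) or any(not 0 <= v <= 3 for v in items.values()):
        raise ValueError(f"give all of {DREAD_ITEMS}, each in 0..3")
    threat.dread = dict(items)
    return threat

def ranked(threats):
    """Rated threats, highest DREAD sum first; boundary-crossing ones win ties."""
    return sorted((t for t in threats if t.dread),
                  key=lambda t: (t.score, t.crosses_boundary), reverse=True)

def build_wgs_model():
    """Constructed DFD following the layered reference architecture."""
    sensor = Element("level sensor", "external", 0)
    plc = Element("PLC", "process", 1)
    hmi = Element("HMI", "process", 2)
    scada = Element("SCADA server", "process", 4)
    historian = Element("historian DB", "store", 4)
    flows = [Flow(sensor, plc, "4-20 mA"), Flow(plc, hmi, "Modbus/TCP read"),
             Flow(hmi, plc, "Modbus/TCP write"), Flow(hmi, scada, "OPC"),
             Flow(scada, historian, "SQL")]
    return [sensor, plc, hmi, scada, historian], flows

def wgs_assessment():
    """Enumerate all threats, then rate three of them with constructed DREAD
    values chosen to reproduce the totals reported in the text (14, 13, 12)."""
    threats = enumerate_threats(*build_wgs_model())

    def find(category, needle):
        return next(t for t in threats if t.category == category and needle in t.target)

    rate(find("Tampering", "HMI -> PLC"), damage=3, reproducibility=3,
         exploitability=3, affected_users=3, discoverability=2)
    rate(find("Denial of service", "SCADA server"), damage=3, reproducibility=3,
         exploitability=2, affected_users=3, discoverability=2)
    rate(find("Repudiation", "HMI"), damage=2, reproducibility=3,
         exploitability=3, affected_users=2, discoverability=2)
    return threats, ranked(threats)

if __name__ == "__main__":
    all_threats, top = wgs_assessment()
    print(f"{len(all_threats)} threats enumerated; rated threats by priority:")
    for t in top:
        print(f"{t.category:<18} {t.target:<34} {t.score:>2} {score_level(t.score)}")
```

Run stand-alone it enumerates 39 candidate threats from five elements and five flows and prints the three rated ones in priority order: tampering with the HMI-to-PLC write flow (14, high), denial of service against the SCADA server (13, high), and repudiation at the HMI (12, high). The boundary-crossing flag is the programmatic form of the trust boundaries defined in the access point step: a write command that crosses from the HMI zone into the controller zone is exactly the kind of flow the countermeasures table should address first.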

Proposing Countermeasures
Once the risk value of each threat is known, mitigation controls can be drawn up to reduce the risk of each. This threat rating can also be used to compile a list of mitigations against threats according to the highest risk-related priorities. Based on the threat rating data in Table 3, mitigation methods can be developed according to the classification of threats. The list of threat assessments can be organized in accordance with the levels of risk so that threats that pose a high risk can be prioritized. Table 4 presents an example of the countermeasures proposed to mitigate the threats described in Tables 2 and 3.

Conclusion
Threat modeling on WGSs aims to predict cyberattacks that may occur on the system and provides measures to mitigate such threats. The STRIDE methodology is used to identify and classify threats on the system, and the risk of each threat is then assessed using the DREAD risk rating model. The results of this ranking provide information on three categories of threats that pose a high risk to the monitoring and controlling systems of dams: tampering, denial of service, and repudiation. The main focus of preventive measures as an effort to minimize risks on the WGS is to exercise mitigation controls in these three categories. Further research in threat modeling in a similar environment may combine risk calculations using other risk assessment tools for comparison.