WO2024048040A1 - Security risk assessment assistance method and security risk assessment assistance system - Google Patents


Info

Publication number
WO2024048040A1
Authority
WO
WIPO (PCT)
Prior art keywords
attack
security risk
risk assessment
input
scenario
Prior art date
Application number
PCT/JP2023/023584
Other languages
French (fr)
Japanese (ja)
Inventor
浩通 遠藤
直樹 出口
Original Assignee
株式会社日立製作所
Priority date
Filing date
Publication date
Application filed by 株式会社日立製作所

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Definitions

  • the present invention relates to a security risk assessment support method and a security risk assessment support system.
  • a security risk assessment is performed in order to implement appropriate security measures for the system. It is important to accurately identify security threats to the target system and the series of effects caused by these threats through security risk assessment.
  • Attack route information (21) includes information on an attack route that consists of one or more attack steps, each made up of an attack source, an attack target, and an attack method.
  • the route information (21) is referenced to identify vulnerabilities used to attack the target in the attack step.
  • the vulnerability information DB (22) stores vulnerabilities and the presence or absence of attack demonstration code for the vulnerabilities.
  • the diagnostic evaluation generation means (12) refers to the vulnerability information DB (22), checks whether or not attack demonstration code exists for each identified vulnerability, and generates, for the attack step, a risk diagnosis assessment that includes the number of identified vulnerabilities and the presence or absence of proof-of-attack code.
  • Preconditions such as threat sources and conditions for damage caused by attacks may differ depending on the domain, making it more difficult to cover threats for the entire system.
  • the present invention has been made in consideration of the above points, and it is an object of the present invention to provide a security risk assessment support method and a security risk assessment support system that can completely grasp threats to a target system.
  • one aspect of the present invention provides a security risk assessment support method executed by a security risk assessment support system, which is configured to receive input of configuration information regarding a target system including component devices.
  • an information input step; an attack route searching step of searching, based on the configuration information, for an attack route along which an attack on the target system passes through the component devices;
  • an attack scenario generation step of generating an attack scenario by arranging, in the order in which the attack passes through the component devices, the attack type that corresponds to the form in which the operation of each component device on the attack route is inhibited by the attack, the attack type being determined using a functional model that expresses the configuration of the component devices from a functional perspective; and
  • an attack scenario presentation step of presenting the attack scenario generated by the attack scenario generation step.
  • threats to a target system can be completely understood in a security risk assessment.
  • FIG. 3 is a diagram illustrating, in a functional model, a form in which the expected original operation of a component device is obstructed.
  • FIG. 3 is a diagram showing a correspondence table between combinations of operation elements and inhibition forms, and attack methods.
  • FIG. 3 is a diagram illustrating occurrence event correspondence information indicating a correspondence relationship between an attack means and an event that may occur due to an attack.
  • FIG. 1 is a diagram showing the configuration of a security risk assessment support system. Flowchart showing risk assessment processing.
  • FIG. 3 is a diagram showing the configuration of a system to be analyzed, a functional model of each component device that constitutes the system to be analyzed, and device configuration information.
  • FIG. 4 is a diagram showing a menu display and a configuration diagram display of a device configuration information input GUI.
  • FIG. 4 is a diagram for explaining inhibition forms and attack means estimation.
  • FIG. 3 is a diagram for explaining detailed information input processing.
  • various information will be explained in a table format, but the various information may be in a data format other than the table format.
  • various names such as “XX information”, “XX table”, “XX list”, and “XX queue” are interchangeable.
  • "XX information” may be called “XX table”.
  • expressions such as “identification information”, “identifier”, “name”, “ID”, and “number” are interchangeable.
  • FIG. 1 is a diagram showing the configuration of the SuC 10.
  • FIG. 2 is a diagram showing the configuration of the component equipment 100 of the SuC 10.
  • the SuC 10 is, for example, a control system, but is not limited to this, and may be an information processing system or other system.
  • the SuC 10 includes component devices 100a, 100b, 100c, and 100d.
  • the component devices 100 are interconnected inside the SuC 10. Further, each component device 100 has input I/Fs (interfaces) 101a, 101b, . . . and an output I/F (not shown), as shown in FIG.
  • the input I/F 101 is used for mutual connection of the component devices 100 and for connection of the SuC 10 with the outside.
  • the numbers of component devices 100 and input I/Fs 101 in this embodiment are merely examples. Further, the number of component devices 100 and input I/Fs 101 differs for each SuC 10.
  • attack means that may occur in an attack scenario are identified by "attack type” defined by the function of the component device 100 that is inhibited by the attack and the mode of inhibition of the function. The concept will be explained below.
  • FIG. 3 is a diagram for explaining the functional model M100 of the component device 100.
  • the functional model M100 is, for example, a control device such as a PLC (Programmable Logic Controller) or a processing device (computer). In the functional model M100, specific elements such as actually provided hardware are omitted.
  • the functional model M100 represents the configuration of the component device 100 from a functional perspective.
  • operational elements include "logic" M101 such as programs and control rules, "input" M102 given from sensors and users, and "output" M103 produced by the functional model M100.
  • operational elements other than "logic", "sensor", "input", and "output" may be defined, and "logic", "sensor input", and "output" may each be defined in subdivided form.
  • An attack on a component device can be regarded as the giving of unintended operation elements, such as logic and inputs, to the component device, thereby inhibiting the expected original operation of the component device. "Unintended" means that attributes of the operational element, such as data format, processing timing, and various values, violate or deviate from those specified in the operational specifications of the component device.
  • FIG. 4 is a functional model showing a form in which the expected original operation of the component device 100 is inhibited.
  • the forms in which the original operation of the component device 100 is inhibited by the provision of an "unintended" operational element as described above can be classified into three forms of inhibition: (a) an invalid operational element is input (invalid), (b) the input operational element is falsified, and (c) the operational element is input from an untrusted party (untrusted).
  • (a) is a form of inhibition in which an unintended operating element ae1 is generated for some reason in the attacking component device (component model M100A-a) and is given to the victim component device (component model M100V-a).
  • (c) is a form of inhibition in which an unintended operating element ae3 is generated in a component device (component model M100A-c) that, according to the specifications, is not allowed to be connected to the victim component device (component model M100V-c), and is given to the component device on the victim side.
  • the data that is "input" to a PLC includes not only pure input values to the control logic (corresponding to the application layer of the so-called OSI model) but also data formats (corresponding to the presentation layer), protocol headers (corresponding to the session layer, network layer, etc.), and so on. If each of these is unintended, it manifests as a different attack, such as unintended control output, buffer overflow, or replay attack.
  • attack methods can be expanded by adding attributes to operational elements, for example by allowing eavesdropping to be selected as an attack method when "input" is "unencrypted".
  • FIG. 5 is a diagram showing attack means correspondence information 201, which indicates the correspondence between combinations of operation elements ("logic" and "input") and inhibition forms ((a) to (c) in FIG. 4) on the one hand, and attack means on the other.
  • the attack means correspondence information 201 shows "attack means 1" to "attack means 6" corresponding to each of the combinations of operation elements and inhibition forms shown in FIG.
  • the attack means correspondence information 201 shows, for each combination of an operational element handled by the input I/F 101 of the component device 100 and a form of obstruction ((a) to (c) above) of the connection between that input I/F and the component device 100 in the preceding stage, the types or outlines of attacks that can occur, and the types or outlines of events that can occur due to those attacks.
  • the attack means correspondence information 201 is stored in the storage device 13 (FIG. 7) of the security risk assessment support system 1.
  • FIG. 6 is a diagram showing occurrence event correspondence information 202 indicating the correspondence between attack means and events that may occur due to the attack.
  • the occurrence event correspondence information 202 shows types or outlines of "events that may occur due to attacks” corresponding to each of the attack means 1 to 6 in FIG. 5. “Events that may occur due to an attack” include a score for each event that represents the degree of security risk caused to the target system due to the attack, for example, on a scale of 5 from 1 to 5. In FIG. 6, the numbers written in parentheses next to each event correspond to this score.
  • the event response information 202 is stored in the storage device 13 (FIG. 7) of the security risk assessment support system 1.
  • FIG. 7 is a diagram showing the configuration of the security risk assessment support system 1.
  • the security risk assessment support system 1 is realized by a computer executing a risk assessment support program.
  • the security risk assessment support system 1 is an on-premises or cloud system.
  • the security risk assessment support system 1 includes a processor 11, a memory 12, a storage device 13, a communication device 14, an input device 15, and an output device 16.
  • the processor 11, memory 12, storage device 13, communication device 14, input device 15, and output device 16 are interconnected via an internal communication line such as a bus.
  • the processor 11 controls the entire operation of the security risk assessment support system 1 as a computer.
  • the memory 12 is composed of, for example, a volatile semiconductor memory, and is used as a work memory of the processor 11.
  • the storage device 13 is an example of a computer-readable non-temporary storage medium, and is composed of a large-capacity nonvolatile storage device such as a hard disk device, an SSD (Solid State Drive), or a flash memory.
  • the storage device 13 includes device configuration information 200 (FIG. 9), attack method correspondence information 201 (FIG. 5), event correspondence information 202 (FIG. 6), detailed information 203 (FIG. 16), detailed information 204 (FIG. 17), and attack scenario information 205 (FIGS. 12 and 18).
  • the device configuration information 200, attack means correspondence information 201, occurrence event correspondence information 202, detailed information 203, detailed information 204, and attack scenario information 205 may be stored in the memory 12.
  • the storage device 13 stores various programs and data.
  • a program stored in the storage device 13 is loaded into the memory 12 when the security risk assessment support system 1 is activated or when necessary, and is executed by the processor 11.
  • the processor 11 realizes each functional unit of a device configuration information input unit 111, an attack path search unit 112, an attack scenario generation unit 113, and an attack scenario presentation unit 114.
  • the processing functions of the device configuration information input section 111, the attack route search section 112, the attack scenario generation section 113, and the attack scenario presentation section 114 will be described later with reference to the flowchart of FIG.
  • the program executed by the processor 11 may be recorded on a non-temporary recording medium, read from the non-temporary recording medium by a medium reading device, and loaded into the memory 12.
  • the executable program may be obtained from an external computer via a network and loaded into memory 12.
  • the communication device 14 is an interface device for the security risk assessment support system 1 as a computer to communicate with other computers.
  • the communication device 14 includes, for example, a NIC (Network Interface Card) such as a wired LAN (Local Area Network) or a wireless LAN.
  • the input device 15 is comprised of a keyboard, a pointing device such as a mouse, a touch device, etc., and is used by the user to input various instructions and information to the security risk assessment support system 1.
  • the output device 16 includes, for example, a display device such as a liquid crystal display or an organic EL (Electro Luminescence) display, and an audio output device such as a speaker, and is used to present necessary information to the user when necessary.
  • FIG. 7 shows an example in which the security risk assessment support system 1 is implemented on one computer.
  • the present invention is not limited to this, and the security risk assessment support system 1 may be realized by distributing each processing function on a plurality of communicably connected computers.
  • FIG. 8 is a flowchart showing the risk assessment process.
  • the security risk assessment support system 1 executes risk assessment processing in response to a user instruction.
  • step S1 the device configuration information input unit 111 (FIG. 7) executes device configuration information input processing to receive the input of the device configuration of the SuC 10 by the user and create device configuration information 200.
  • FIG. 9 is a diagram showing the configuration of the SuC 10, a functional model M100 of each component device 100 that makes up the SuC 10, and device configuration information 200.
  • device configuration information 200 is created with the items "device ID", "device name", "number of inputs", "input I/F1", "input I/F2", and so on, and "output destination" for each component device 100.
  • configuration information of the component device 100 is input according to the functional model M100.
  • an attack scenario can be evaluated without detailed knowledge of the specifications or security vulnerabilities of the SuC 10 or the component device 100.
  • FIG. 10 is a diagram showing a menu display 300 and a configuration diagram display 310 of the device configuration information input GUI (Graphical User Interface) 16D1.
  • the device configuration information input unit 111 displays the device configuration information input GUI 16D1 on the display screen of the output device 16.
  • the device configuration information input GUI 16D1 includes a menu display 300 and a configuration diagram display 310.
  • the menu display 300 includes a component creation button 301, an input I/F creation button 302, an input/output relationship creation button 303, a delete button 304, and a setting button 305.
  • the component creation button 301 is a button for creating the SuC 10 and the component device 100 on the configuration diagram display 310. The SuC 10 or a component device 100 is created at the position clicked with the component creation button 301 turned on. Further, a component device 100 is created inside the SuC 10 that is clicked with the component creation button 301 turned on.
  • the input I/F creation button 302 is a button for creating the input I/F 101 of the component device 100 on the configuration diagram display 310. An input I/F 101 is created at the position clicked with the input I/F creation button 302 turned on.
  • the input/output relationship creation button 303 is a button for creating the input/output relationship 102 between the component devices 100. An input/output relationship 102 between the component devices 100 is created at the dragged (or swiped) position with the input/output relationship creation button 303 turned on.
  • the delete button 304 is a button for deleting the component device 100, input I/F 101, and input/output relationship 102 from the configuration diagram display 310.
  • the component device 100, input I/F 101, and input/output relationship 102 at the clicked position with the delete button 304 turned on are deleted.
  • the settings button 305 is a button for transitioning to an input screen that accepts input of various setting information of the device configuration information input GUI 16D1.
  • the user operates each button on the menu display 300 to create, in the device configuration information input GUI 16D1, a configuration diagram display 310 of the SuC 10 having component devices 100, input I/Fs 101, and input/output relationships 102, as shown in FIG. 10, for example.
  • Information about the component devices 100, input I/Fs 101, and input/output relationships 102 of the SuC 10 for which the configuration diagram display 310 has been created in the device configuration information input GUI 16D1 is automatically reflected in the device configuration information 200 for each SuC 10.
  • FIG. 11 is a diagram showing an example of information input to the device configuration information input GUI 16D1.
  • when a new SuC 10 is created on the configuration diagram display 310 of the device configuration information input GUI 16D1, a template of device configuration information 200 corresponding to the newly created SuC 10 is created.
  • a line of device configuration information 200 regarding the newly created input/output relationship 102 is created.
  • device configuration information 200 is displayed as a pop-up. It becomes possible to input each piece of information into the row corresponding to the component device 100c of the device configuration information 200 being displayed as a pop-up. Each piece of information is input to the row corresponding to the component device 100c of the device configuration information 200 in accordance with the device model (not shown) of the component device 100c.
  • the input I/F 101c-1 of the component device 100c is an "input” operation element
  • the "ID", "name", and "operation element" of "input I/F 1", which corresponds to the input I/F 101c-1, are input as "101c-1", "input1", and "input".
  • the input I/F 101c-2 of the component device 100c is an "input” operation element
  • the "ID", "name", and "operation element" of "input I/F 2", which corresponds to the input I/F 101c-2, are input as "101c-2", "input2", and "input".
  • the output of the component device 100c is input to the input I/F 101d-1 of the component device 100d. Therefore, "101d-1" is input to the "output destination" of the component device 100c.
  • the operation element of the input I/F 101d-2 of the component device 100d is "logic (maintenance)". Therefore, "logic (maintenance)" is input in the row with "device ID" "100d" of the device configuration information 200 in the figure. Further, the output of the component device 100d is output to the outside of the SuC 10. Therefore, "SYSOUT" is input to the "output destination" of the component device 100d.
  • when an input/output relationship 102 is created on the configuration diagram display 310 of the device configuration information input GUI 16D1, information on the input I/F 101 concerned is automatically reflected in the device configuration information 200.
  • the device configuration information corresponding to the component device 100c is displayed as a pop-up.
  • Input I/F 101d-1 is also stored in the "output destination" column of the corresponding row of the device configuration information 200.
  • when the connection destination of an input I/F 101 is stored in the table of the device configuration information 200, it is reflected in the configuration diagram display 310 of the device configuration information input GUI 16D1.
  • in step S2 the attack route search unit 112 executes an attack route search process based on the device configuration information 200 created in step S1. Starting from each input I/F 101 connected to the outside of the SuC 10 and tracing the connections between the component devices 100 until the output I/F (SYSOUT) connected to the outside of the SuC 10 is reached, the attack route search unit 112 searches for candidate attack routes in the SuC 10.
  • attack route 1: external → component device 100a → component device 100c → component device 100d → external
  • attack route 2: external → component device 100b → component device 100c → component device 100d → external
  • attack route 3: external → component device 100d → external
  • in step S3 the attack scenario generation unit 113 executes an attack scenario generation process, including estimating "attack means" and "events that may occur due to the attack", based on the result of the attack route search process in step S3.
  • the attack scenario generation unit 113 generates attack scenario information 205 including attack scenarios AS1, AS2, and AS3, one corresponding to each attack route.
  • FIG. 12 is a diagram showing the scenario information display GUI 16D2 that displays the attack scenario information 205.
  • the attack scenario information 205 has items such as "attack scenario ID", "attack stage ID", "attack source component ID", "attack target component ID", "attack target input I/F_ID", "configuration device connection type details", "predicted attack form", "attack method", and "events that may occur due to attack".
  • the "attack scenario ID” is identification information of an attack scenario, and an ID is assigned to each attack route specified based on the device configuration information 200.
  • the "attack scenario IDs" of the attack scenarios created for each of the three attack routes identified above based on the device configuration information 200 are attack scenarios AS1, AS2, and AS3.
  • the attack scenario is a sequence of attack paths arranged in the order in which the attack passes through the component devices 100.
  • attack stage ID is identification information of each attack stage that constitutes each attack scenario.
  • FIG. 13 is a diagram for explaining the attack stage.
  • the attack scenario AS1 illustrated in FIG. 12 corresponds to attack route 1, from the outside to the component device 100a, to the component device 100c, to the component device 100d, and to the outside. Therefore, as shown in FIG. 13, the attack scenario AS1 consists of three attack stages: attack stage AS1-1: external → component device 100a, attack stage AS1-2: component device 100a → component device 100c, and attack stage AS1-3: component device 100c → component device 100d.
  • in the second and subsequent stages, the component device 100 that was attacked in the previous stage becomes a springboard for an attack on the component device 100 in the next stage, either through malfunction caused by the attack or through malicious operation by the attacker.
  • the attack scenario is generated by arranging the types of attacks predicted for each component device 100 in the order in which data passes through each component device 100.
  • attack source component ID and attack target component ID indicate the attack source and target component devices 100 in the attack path of the corresponding attack stage.
  • in attack stage AS1-1, an external attacker is the direct attack source and the component device 100a is the attack target, so the "attack source component ID" is "attacker (external)" and the "attack target component ID" is the component device 100a.
  • in attack stage AS1-2, the component device 100a is the attack source and the component device 100c is the attack target, so the "attack source component ID" is the component device 100a and the "attack target component ID" is the component device 100c.
  • in attack stage AS1-3, the component device 100c is the attack source and the component device 100d is the attack target, so the "attack source component ID" is the component device 100c and the "attack target component ID" is the component device 100d.
  • attack target input I/F_ID indicates the input I/F 101 of the attack target component device 100 in the attack path of the corresponding attack stage.
  • in attack stage AS1-1, the attack target is the input I/F 101a-1 of the component device 100a, so the "attack target input I/F_ID" is the input I/F 101a-1.
  • in attack stage AS1-2, the attack target is the input I/F 101c-1 of the component device 100c, so the "attack target input I/F_ID" is the input I/F 101c-1.
  • in attack stage AS1-3, the attack target is the input I/F 101d-1 of the component device 100d, so the "attack target input I/F_ID" is the input I/F 101d-1.
  • Component connection configuration details is information stored based on detailed information 203 input through detailed information addition input processing (step S6 in FIG. 8), which will be described later. Immediately after step S3 is executed, the detailed information 203 has not been input, so "(not input)" is stored in the “configuration device connection form details".
  • the "predicted attack form" includes the items "target operation element" and "obstruction form".
  • "Target operation element" indicates the operation element targeted by the corresponding attack stage.
  • FIG. 14 is a diagram for explaining the inhibition mode and attack method estimation.
  • the operation element of the input I/F 101c-1 is "input".
  • Which "obstruction form" corresponds to an attack stage depends on the connection form of the input I/F 101 of the component device 100 that is the target of that attack stage; however, if the "component device connection form details" have not been entered, all forms of inhibition assumed for the "target operation element" are stored.
  • Therefore, from the attack means correspondence information 201 (FIG. 5), all of the inhibition forms (a), (b), and (c) corresponding to the "operation element" "input" of the attack stage AS1-2 in FIG. 14 are reflected.
  • "Attack means" indicates the attack means that corresponds, in the attack means correspondence information 201 (FIG. 5), to the combination of "target operation element" and "inhibition form".
  • for the combination of "target operation element" "input" and "obstruction form" "(a)" of attack stage AS1-2 from component device 100a to component device 100c, the corresponding "attack means" "attack means 4" in the attack means correspondence information 201 is stored.
  • for the combination with "obstruction form" "(b)", the corresponding "attack means" "attack means 5" in the attack means correspondence information 201 is stored.
  • for the combination with "obstruction form" "(c)", the corresponding "attack means" "attack means 6" in the attack means correspondence information 201 is stored.
  • "Events that may occur due to attacks" indicates the events, effects, and so on that are expected to occur due to each "attack means", as associated with that "attack means" in the event correspondence information 202 (FIG. 6).
  • for the "attack means" "attack means 4", the corresponding "event that may occur due to an attack" "event 4 (5)" in the event correspondence information 202 is reflected.
  • for the "attack means" "attack means 5", the corresponding "event that may occur due to an attack" "event 5 (4)" in the occurrence event correspondence information 202 is reflected.
  • for the "attack means" "attack means 6", the corresponding "event that may occur due to an attack" in the event correspondence information 202 is reflected likewise.
  • Events that may occur due to an attack is a score for each event that represents the degree of security risk caused to the target system due to the attack, for example, on a five-point scale from 1 to 5. This score allows you to intuitively understand the degree of security risk for each attack route. Furthermore, by summing up the scores for each attack scenario, the degree of security risk can be intuitively grasped for each attack scenario. Additionally, as a result of the security risk assessment, priority areas to be addressed can be selected based on the score.
  • step S4 the attack scenario presentation unit 114 presents the attack scenario generated in step S3 to the user.
  • the attack scenario presentation unit 114 outputs the attack scenario information 205 to the user via the scenario information display GUI 16D2 (FIG. 12) on the output device 16, as illustrated in FIG. 12, for example.
  • the attack methods included in the generated attack scenario are expressed in terms of the behavior model of the component devices and the form of inhibition, so a user who has knowledge of the SuC but no specialized knowledge of attack methods can still get a rough idea of the risks posed by the attack scenarios.
  • when the attack scenario is handed over to countermeasure planning, information regarding the specific attack mechanism is required, so a step for refining the attack scenario according to the user's wishes is provided. The details will be explained below.
  • In step S5, the attack scenario presentation unit 114 determines whether the user has input a request to make the attack scenario more detailed.
  • When the user has input a request to make the attack scenario more detailed (step S5 YES), the attack scenario presentation unit 114 moves the process to step S6; when the user has not input such a request (step S5 NO), the present risk assessment process ends.
  • In step S5, the determination made by the attack scenario presentation unit 114 is not limited to whether the user has input a request to make the attack scenario more detailed; it may instead be determined whether another condition is satisfied.
  • In step S5, the attack scenario presentation unit 114 asks the user to input whether or not detailing of the attack scenario information 205 is necessary, via the detailing confirmation GUI 16D3 on the output device 16, as illustrated in FIG. 15, for example.
  • The detailing confirmation GUI 16D3 is displayed as shown in FIG. 15.
  • A detailed information input window 16D4 is displayed on the device configuration information input GUI 16D1, as shown in FIG. 16. Steps S5 to S7 are repeated as long as the user desires.
  • In step S6, the device configuration information input unit 111 executes detailed information addition input processing.
  • For example, the device configuration information input unit 111 receives the detailed information 203 for detailing the attack scenario information 205, which the user enters through the detailed information input window 16D4 displayed on the device configuration information input GUI 16D1 on the output device 16, as illustrated in FIG. 16.
  • The detailed information 203 is held for each component device 100. As shown in FIG. 16, it includes the "name" and "version" of the "installed OS", the "name" and "version" of the "installed software", and the "connection type" and "additional attributes" of each "input I/F_ID". Whether a value is actually stored for each of these items is up to the user.
  • The "connection type" of an "input I/F_ID" indicates the connection standard of the corresponding input I/F 101, such as "Ethernet" (registered trademark; the same applies hereinafter), "RS-232C" or "signal line".
  • The "additional attributes" of an "input I/F_ID" are one or more attributes of the corresponding input I/F 101 other than its connection standard, for example "inside the casing" or "outside the casing", indicating where the connection is located.
  • The device configuration information input unit 111 stores the detailed information 203 input by the user in the storage device 13 and reflects it in the attack scenario information 205.
  • In step S7, the attack scenario generation unit 113 executes attack scenario detailing processing, which includes estimating detailed attack means and events that may occur due to the attack on the basis of the detailed information 203 input in step S6.
  • The attack scenario generation unit 113 first reflects the detailed information 203 input in step S6 in the attack scenario information 205.
  • FIG. 18 is a diagram showing the detailed attack scenario information 205.
  • The "connection type" and "additional attributes" of the detailed information 203 are stored in the "component device connection type details" of the corresponding input I/F 101 in the attack scenario information 205.
  • More generally, the value of an item in the detailed information 203 may be stored as the value of the corresponding item in the attack scenario information 205.
  • The attack scenario generation unit 113 then re-estimates the "inhibition form", "attack means" and "events that may occur due to the attack" in the attack scenario information 205 in which the detailed information 203 has been reflected.
  • In the re-estimation, inhibition forms that cannot be realized are excluded. For example, if a component device 100 is housed inside a casing, an attacker cannot directly access the inside of the casing, so inhibition form (b) described above (modification of the connection between component devices 100) and inhibition form (c) described above (input from an untrusted partner) can no longer occur.
  • Therefore, in the example shown in FIG. 18, for attack stages AS1-2 and AS1-3 of attack scenario AS1, attack stages AS2-2 and AS2-3 of attack scenario AS2, and attack stage AS3-1 of attack scenario AS3, "(b), (c)" are excluded from the "inhibition form" "(a), (b), (c)", leaving only "(a)".
  • the "attack means” is refined based on the added “component device connection form details" by re-estimation.
  • the “attack means” of the attack scenario AS1 is detailed based on the detailed information 204.
  • FIG. 17 is a diagram showing the detailing information 204 for attack means and occurrence events.
  • The detailing information 204 gives the "detailed attack means" and "detailed events that may occur due to the attack" for each combination pattern of the value of "attack means" and the values of the items of the detailed information 203.
  • The "attack means" column of the detailing information 204 holds the attack means before refinement on the basis of the detailing information 204.
  • The "detailed information" column holds a pattern consisting of the value of one item, or a combination of the values of several items, of the detailed information 203; items of the detailed information 203 for which no value is stored are excluded from the pattern.
  • The "detailed attack means" column shows specifically and in detail the attack means corresponding to the combination of "attack means" and "detailed information".
  • the "attack method" corresponding to the attack stage AS1-1 of the attack scenario AS1 and the attack stage AS2-1 of the attack scenario AS2 is determined based on the detailed information 204 (FIG. 17).
  • “Attack Means 4,” “Attack Means 5,” and “Attack Means 6” are “Attack Means 4-1,” “Attack Means 5-3,” and “Attack Means,” respectively. It is detailed as 6-2”.
  • “events that may occur due to attacks” are detailed as “event 4-1 (3),” “event 5-3 (2),” and “event 6-2 (2),” respectively.
  • the numbers written in parentheses next to "events that may occur due to attacks” are scores for each event that represent the degree of security risk caused to the target system due to the attack, for example, on a five-point scale from 1 to 5.
  • The attack means corresponding to attack stages AS1-2 and AS1-3 of attack scenario AS1 and attack stages AS2-2 and AS2-3 of attack scenario AS2 are determined on the basis of the detailing information 204 for the remaining "inhibition form".
  • "Attack means 4" is detailed as "attack means 4-2".
  • The "event that may occur due to an attack" is detailed as "event 4-2 (4)".
  • the "attack method” corresponding to the attack stage AS3-1 of the attack scenario AS3 is “attack method 4" and “attack method” for each of the “obstruction modes” (a) and (b).
  • "Means 5" are detailed as “Attack Means 4-3” and “Attack Means 5-1,” respectively.
  • “events that may occur due to attacks” are detailed as “event 4-3 (3)” and “event 5-1 (1),” respectively.
  • When step S7 ends, the attack scenario generation unit 113 returns the process to step S5.
  • As described above, the user is first presented with an attack scenario expressed by the attack means roughly classified in step S3.
  • This rough classification of attacks is a so-called classification without omissions or duplications, and for those who are not security experts its comprehensiveness is easier to verify than that of attack scenarios expressed by specific attack methods.
  • The user is then asked to input additional device information, and the attack scenario is repeatedly detailed and subdivided according to the user's requests. This enables a smooth transition to identifying the specific technical content and selecting the necessary countermeasure technology.
  • In this way, an attack predicted from the device configuration input by the user is expressed as an attack type defined by the operational elements of the device's operational model and their inhibition forms, and is presented to the user as an attack scenario. Since the entire set of possible attack means is defined by the operational elements and the inhibition forms, the attack types obtained by classifying them are guaranteed to be exhaustive. In addition, unlike known attack vectors, this classification is based on the behavior of the device, so any user familiar with the system targeted by the security risk assessment can easily grasp an overview of the attack scenario even without being a security expert.
  • ROM (Read Only Memory)
  • RAM (Random Access Memory)
  • storage devices such as flash memory, hard disks, SSDs, memory cards and optical disks; communication devices such as buses and networks; and peripheral devices.
  • The present invention may be realized by programs executed in combination, and can be realized in either embodiment.
  • the present invention is not limited to the above-described embodiments, and includes various modifications.
  • the above-described embodiments have been described in detail to explain the present invention in an easy-to-understand manner, and the present invention is not necessarily limited to having all the configurations described.
  • 1 Security risk assessment support system
  • 11 Processor
  • 13 Storage device
  • 16 Output device
  • 111 Device configuration information input section
  • 112 Attack route search section
  • 113 Attack scenario generation section
  • 114 Attack scenario presentation section
  • 200 Equipment configuration information
  • 201 Attack means correspondence information
  • 202 Occurrence event correspondence information
  • 203 Detailed information
  • 204 Detailing information
  • 205 Attack scenario information

Abstract

This security risk assessment assistance method includes: a configuration information input step in which input of configuration information regarding a target system configured so as to include component devices is received; and an attack route search step in which the configuration information is used as a basis to perform a search for attack routes in which an attack on the target system passes through the component devices. In addition, the security risk assessment assistance method includes an attack scenario generation step in which an attack scenario is generated by arranging attack routes by the order in which attacks pass through the component devices, it is estimated on the basis of a performance model in which the configuration of the component devices is represented from a functional perspective which attack types correspond to the form in which the operations of the component devices constituting the attack routes are obstructed by attacks, and the estimated attack types are reflected in the attack scenario. The security risk assessment assistance method also includes an attack scenario presentation step in which an attack scenario is presented.

Description

Security risk assessment support method and security risk assessment support system
The present invention relates to a security risk assessment support method and a security risk assessment support system.
Regardless of whether a system is an information system (IT system) or a control system (OT system) for social infrastructure, industry and the like, a security risk assessment is performed in order to implement appropriate security measures for the system. It is important that the security risk assessment accurately identifies the security threats to the target system and the series of effects that these threats cause.
Since the results of a security risk assessment greatly influence the subsequent planning and implementation of security measures, attempts have been made to conduct the assessment according to objective criteria. For example, Patent Document 1 discloses: "Attack route information (21) includes information on an attack route including one or more attack steps, each including an attack source, an attack target, and an attack method. A vulnerability identification means (11) refers to the attack route information (21) and identifies the vulnerability used to attack the attack target in an attack step. A vulnerability information DB (22) stores vulnerabilities in association with the presence or absence of attack demonstration code for each vulnerability. A diagnostic evaluation generation means (12) refers to the vulnerability information DB (22), checks whether attack demonstration code exists for the identified vulnerability, and generates a risk diagnosis evaluation for the attack step that includes the number of identified vulnerabilities and the presence or absence of attack demonstration code."
Patent Document 1: International Publication No. 2021/059471
When a vendor sells a system, or when an operator obtains third-party certification of the security of a system, proof is required that the security risk assessment has accurately identified the threats and that countermeasures have been taken against them. In particular, it is important that all threats to the target system are identified (comprehensiveness); if unidentified threats remain, one cannot claim that appropriate countermeasures have been taken, no matter how strictly the other threats have been dealt with.
However, conventional security risk assessment methods use specific attack means such as "unauthorized operation" and "data falsification" as the components of an attack scenario (which in Patent Document 1 corresponds to the series of attack steps occurring on an attack route). Understanding the attack scenarios obtained from such an assessment therefore requires knowledge of specific attack means. Furthermore, the attack means referred to in the prior art are merely an accumulation of known attack means, and it is difficult for someone who is not a security expert to judge whether they cover every attack means that could exist. In other words, for attack scenarios described by specific attack means it is difficult to claim that the threats to the target system have been covered comprehensively.
Furthermore, when the target system consists of multiple domains (for example, wide-area infrastructure such as railways or roads with multiple business entities, or a structure combining such infrastructure with the service businesses that use it), preconditions such as threat sources and the conditions under which an attack causes damage may differ from domain to domain, which makes it even more difficult to cover the threats to the system as a whole.
The present invention has been made in view of the above points, and its object is to provide a security risk assessment support method and a security risk assessment support system with which the threats to a target system can be grasped without omission.
To solve the above problems, one aspect of the present invention is a security risk assessment support method executed by a security risk assessment support system, comprising: a configuration information input step of receiving input of configuration information regarding a target system that includes component devices; an attack route search step of searching, based on the configuration information, for attack routes along which an attack on the target system passes through the component devices; an attack scenario generation step of generating an attack scenario by arranging the attack routes in the order in which the attack passes through the component devices, estimating, based on a functional model that represents the configuration of the component devices from a functional perspective, which attack type corresponds to the form in which the attack obstructs the operation of the component devices constituting the attack route, and reflecting the estimated attack type in the attack scenario; and an attack scenario presentation step of presenting the attack scenario generated in the attack scenario generation step.
According to the present invention, the threats to a target system can be grasped without omission in a security risk assessment.
FIG. 1 is a diagram showing the configuration of a system to be analyzed.
FIG. 2 is a diagram showing the configuration of a component device of the system to be analyzed.
FIG. 3 is a diagram for explaining the functional model of a component device.
FIG. 4 is a diagram showing, in the functional model, forms in which the expected original operation of a component device is obstructed.
FIG. 5 is a diagram showing a correspondence table between combinations of operational elements and inhibition forms and attack means.
FIG. 6 is a diagram showing occurrence event correspondence information indicating the correspondence between attack means and events that may occur due to an attack.
FIG. 7 is a diagram showing the configuration of the security risk assessment support system.
FIG. 8 is a flowchart showing risk assessment processing.
FIG. 9 is a diagram showing the configuration of a system to be analyzed, the functional model of each of its component devices, and device configuration information.
FIG. 10 is a diagram showing the menu display and configuration diagram display of the device configuration information input GUI.
FIG. 11 is a diagram showing an example of information input to the device configuration information input GUI.
FIG. 12 is a diagram showing the scenario information display GUI 16D2 that displays attack scenario information.
FIG. 13 is a diagram for explaining attack stages.
FIG. 14 is a diagram for explaining the estimation of inhibition forms and attack means.
FIG. 15 is a diagram showing the confirmation screen for detailing attack scenario information.
FIG. 16 is a diagram for explaining detailed information input processing.
FIG. 17 is a diagram showing detailing information on attack means and occurrence events.
FIG. 18 is a diagram showing detailed attack scenario information.
Hereinafter, embodiments of the technology disclosed in the present application are described with reference to the drawings. The embodiments, including the drawings, are examples for explaining the present application, and omissions and simplifications are made in them as appropriate for clarity of explanation. Unless otherwise limited, each component in the embodiments may be singular or plural.
Identical or similar components are given the same reference numerals, and the description of a component already described may be omitted in a later embodiment or may focus on the differences.
Where there are several identical or similar components, they may be distinguished by attaching different suffixes to the same reference numeral; where there is no need to distinguish them, the suffix may be omitted.
In the following embodiments various kinds of information are explained in table form, but they may be in a data format other than a table. Designations such as "XX information", "XX table", "XX list" and "XX queue" are interchangeable; for example, "XX information" may also be called "XX table". Likewise, when identification information is described, the expressions "identification information", "identifier", "name", "ID" and "number" are interchangeable.
[Embodiment]
(System configuration)
First, the system under consideration (hereinafter SuC), which is the target of the risk assessment, is described. FIG. 1 is a diagram showing the configuration of the SuC 10. FIG. 2 is a diagram showing the configuration of a component device 100 of the SuC 10. The SuC 10 is, for example, a control system, but is not limited to this and may be an information processing system or another system.
The SuC 10 includes component devices 100a, 100b, 100c and 100d. The component devices 100 are interconnected inside the SuC 10. As shown in FIG. 2, each component device 100 has input I/Fs (interfaces) 101a, 101b, ... and an output I/F (not shown). The input I/Fs 101 are used for interconnecting the component devices 100 and for connecting the SuC 10 to the outside. The numbers of component devices 100 and input I/Fs 101 in this embodiment are merely examples, and they differ from one SuC 10 to another.
(Definition of attack types)
In this embodiment, the attack means that may occur in an attack scenario are identified by an "attack type" defined by the function of the component device 100 that is inhibited by the attack and the form in which that function is inhibited. The concept is explained below.
FIG. 3 is a diagram for explaining the functional model M100 of a component device 100. The functional model M100 represents, for example, a control device such as a PLC (Programmable Logic Controller) or a processing device (computer). Specific elements such as the hardware actually provided are omitted from the functional model M100, which represents the configuration of the component device 100 from a functional perspective.
Appropriate "operational elements" are given to the functional model M100 so that it achieves its expected operation. In this embodiment the operational elements include "logic" M101 such as programs and control rules, "input" M102 given by sensors or users, and "output" M103 output by the functional model M100. Depending on the type of component device that the functional model M100 represents, there may be operational elements other than "logic", "sensor", "input" and "output", and "logic", "sensor", "input" and "output" may themselves be defined in subdivided form.
An attack on a component device can be understood as the giving of an operational element, such as logic or input, that is "unintended", so that the expected original operation of the component device is obstructed. "Unintended" means that attributes of the operational element, such as its data format, processing timing and various values, violate or deviate from what the operational specification of the component device prescribes.
FIG. 4 is a diagram showing, in the functional model, forms in which the expected original operation of a component device 100 is obstructed. The forms in which the original operation of the component device 100 is obstructed by an "unintended" operational element as described above can be classified, as shown in FIG. 4, into three inhibition forms: (a) invalid operational element input (invalid), (b) modification of the input operational element (falsified), and (c) operational element input from an untrusted party (untrusted).
(a) is the inhibition form in which, for some reason, an unintended operational element ae1 is generated in the attacking component device (component device model M100A-a) and given to the victim component device (component device model M100V-a).
(b) is the inhibition form in which the operational element ae2 given from the attacking component device (component device model M100A-b) to the victim component device (component device model M100V-b) is, for some reason, modified on the way into something unintended.
(c) is the inhibition form in which an unintended operational element ae3 is generated in a component device (component device model M100A-c) whose connection to the victim component device (component device model M100V-c) is not permitted by the specification, and is given to the victim component device.
In the attack types described above, the form in which the operation of a component device is obstructed differs depending on which layer the unintended, invalid operational element input corresponds to. In conventional attack classification, the same invalid operational element input was therefore regarded as a different attack for each layer. In this embodiment, however, the same invalid operational element input can be expressed so as to encompass the different layers.
For example, the data that constitutes "input" to a PLC includes not only the pure input values to the control logic (corresponding to the application layer of the OSI model) but may also include the data format (corresponding to the presentation layer) and protocol headers (corresponding to the session layer, network layer and so on). If any of these is unintended, it manifests as a different attack, such as an unintended control output, a buffer overflow, or a replay attack.
The range of attack means that can be expressed can also be extended by giving attributes to the operational elements, for example by allowing eavesdropping to be selected as an attack means when the "input" is "unencrypted".
FIG. 5 is a diagram showing attack means correspondence information 201, which indicates the correspondence between combinations of operational elements ("logic", "input") and inhibition forms ((a) to (c) in FIG. 4) and attack means. The attack means correspondence information 201 lists "attack means 1" to "attack means 6", one for each combination of operational element and inhibition form in FIG. 4. For each combination of an operational element handled by an input I/F 101 of a component device 100 and an inhibition form ((a) to (c) above) affecting the connection between that input I/F and the upstream component device 100, it gives the type or outline of the attack that can occur and the type or outline of the events the attack can cause. The attack means correspondence information 201 is stored in the storage device 13 (FIG. 7) of the security risk assessment support system 1.
FIG. 6 is a diagram showing occurrence event correspondence information 202, which indicates the correspondence between attack means and events that may occur due to the attack. The occurrence event correspondence information 202 gives the type or outline of the "event that may occur due to an attack" for each of attack means 1 to 6 of FIG. 5. Each "event that may occur due to an attack" includes a score per event that expresses the degree of security risk the attack causes to the target system, for example on a five-point scale from 1 to 5; in FIG. 6 the number in parentheses next to each event is this score. The occurrence event correspondence information 202 is stored in the storage device 13 (FIG. 7) of the security risk assessment support system 1.
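The lookup of attack means and events through the correspondence information 201 and 202 just described, the scenario score obtained by summing event scores, and the step S7 re-estimation described earlier (which drops inhibition forms (b) and (c) for a connection inside the casing and swaps in detailed means from the detailing information 204) can be shown together in code. The following Python is an added example written for this page and is not the applicant's implementation. Everything not quoted from the description is assumed: which cell of FIG. 5 carries which of attack means 1 to 6, the scores of events 1 to 3 and 6, the detailing patterns, the route-search rule (walk input I/Fs upstream from the target to an external source), the per-scenario aggregation (sum of each stage's highest score), and the two-device sample SuC with an HMI and a PLC. Event 4 (5), event 5 (4) and the detailed means 4-1, 5-3, 6-2 and 4-2 with their scores follow the values quoted in the description.

```python
from dataclasses import dataclass, field
from typing import Optional

# Inhibition forms of FIG. 4: (a) invalid, (b) falsified, (c) untrusted source.
INVALID, FALSIFIED, UNTRUSTED = "(a)", "(b)", "(c)"
ALL_FORMS = (INVALID, FALSIFIED, UNTRUSTED)

# Attack means correspondence information 201 (FIG. 5): (operational element,
# inhibition form) -> attack means. Which cell carries which number is assumed.
ATTACK_MEANS = {
    ("logic", INVALID): "attack means 1", ("logic", FALSIFIED): "attack means 2",
    ("logic", UNTRUSTED): "attack means 3", ("input", INVALID): "attack means 4",
    ("input", FALSIFIED): "attack means 5", ("input", UNTRUSTED): "attack means 6",
}
# Occurrence event correspondence information 202 (FIG. 6): attack means ->
# (event, score 1..5). Event 4 (5) and event 5 (4) follow the description; the
# other scores are constructed.
EVENTS = {
    "attack means 1": ("event 1", 4), "attack means 2": ("event 2", 3),
    "attack means 3": ("event 3", 2), "attack means 4": ("event 4", 5),
    "attack means 5": ("event 5", 4), "attack means 6": ("event 6", 2),
}
# Detailing information 204 (FIG. 17): (attack means, pattern of detailed
# information 203 values) -> (detailed means, detailed event, score).
# Detailed labels follow the description; the patterns are assumed.
DETAILING = {
    ("attack means 4", ("Ethernet", "outside the casing")): ("attack means 4-1", "event 4-1", 3),
    ("attack means 5", ("Ethernet", "outside the casing")): ("attack means 5-3", "event 5-3", 2),
    ("attack means 6", ("Ethernet", "outside the casing")): ("attack means 6-2", "event 6-2", 2),
    ("attack means 4", ("RS-232C", "inside the casing")): ("attack means 4-2", "event 4-2", 4),
}

@dataclass
class InputIF:
    if_id: str
    element: str                           # operational element handled: "logic" or "input"
    source: str                            # upstream device id, or "external"
    connection_type: Optional[str] = None  # detailed information 203, entered in step S6
    location: Optional[str] = None         # "inside the casing" / "outside the casing"

@dataclass
class Device:
    dev_id: str
    inputs: list = field(default_factory=list)

def find_attack_routes(devices, target):
    """Attack route search (assumed rule): walk input I/Fs upstream from the target
    until an I/F fed from outside the SuC; each (device, I/F) pair is one stage."""
    by_id = {d.dev_id: d for d in devices}
    routes = []
    def walk(dev_id, path):
        if any(dev == dev_id for dev, _ in path):
            return                                 # never pass through a device twice
        for iface in by_id[dev_id].inputs:
            step = (dev_id, iface.if_id)
            if iface.source == "external":
                routes.append(list(reversed(path + [step])))   # entry-first order
            else:
                walk(iface.source, path + [step])
    walk(target, [])
    return routes

def estimate_stage(iface):
    """Estimate inhibition forms, attack means and events for one attack stage
    (step S3; re-run as step S7 once detailed information 203 is present)."""
    forms = list(ALL_FORMS)
    # Re-estimation rule from the description: a connection inside the casing
    # cannot be reached directly, so (b) falsified and (c) untrusted drop out.
    if iface.location == "inside the casing":
        forms = [INVALID]
    pattern = tuple(v for v in (iface.connection_type, iface.location) if v)
    candidates = []
    for form in forms:
        means = ATTACK_MEANS[(iface.element, form)]
        event, score = EVENTS[means]
        if (means, pattern) in DETAILING:          # detail only when 203 has values
            means, event, score = DETAILING[(means, pattern)]
        candidates.append({"form": form, "means": means, "event": event, "score": score})
    return candidates

def generate_scenarios(devices, target):
    """One scenario per route; the scenario score sums each stage's highest
    event score (assumed aggregation). Highest-risk scenario first."""
    by_if = {i.if_id: i for d in devices for i in d.inputs}
    scenarios = []
    for route in find_attack_routes(devices, target):
        stages = [{"device": dev, "if_id": if_id, "candidates": estimate_stage(by_if[if_id])}
                  for dev, if_id in route]
        total = sum(max(c["score"] for c in s["candidates"]) for s in stages)
        scenarios.append({"route": route, "stages": stages, "score": total})
    return sorted(scenarios, key=lambda s: s["score"], reverse=True)

def build_sample_suc(detailed):
    """Constructed two-device SuC: an HMI fed from outside and a PLC fed by the HMI."""
    hmi_if = InputIF("IF-1", "input", "external")
    plc_if = InputIF("IF-2", "input", "HMI")
    if detailed:                                   # values a user would enter in step S6
        hmi_if.connection_type, hmi_if.location = "Ethernet", "outside the casing"
        plc_if.connection_type, plc_if.location = "RS-232C", "inside the casing"
    return [Device("HMI", [hmi_if]), Device("PLC", [plc_if])]

def run_example():
    """Return the top PLC scenario before (step S3) and after (step S7) detailing."""
    coarse = generate_scenarios(build_sample_suc(False), "PLC")[0]
    fine = generate_scenarios(build_sample_suc(True), "PLC")[0]
    return coarse, fine

if __name__ == "__main__":
    for label, sc in zip(("coarse", "detailed"), run_example()):
        print(label, sc["score"], [[c["means"] for c in s["candidates"]] for s in sc["stages"]])
```

Running it shows the effect of step S7 on the same route: before detailing, both stages carry all three inhibition forms and the scenario scores 10; after the user supplies the connection type and location, the PLC stage keeps only form (a) with "attack means 4-2" and the scenario score drops to 7, which is the kind of refinement that makes the scenario usable for countermeasure planning.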
(Configuration of security risk assessment support system)
FIG. 7 shows the configuration of the security risk assessment support system 1. The security risk assessment support system 1 is realized by a computer executing a risk assessment support program, and may be an on-premises system or a cloud system.
The security risk assessment support system 1 comprises a processor 11, a memory 12, a storage device 13, a communication device 14, an input device 15, and an output device 16, which are interconnected via an internal communication line such as a bus.
The processor 11 controls the overall operation of the security risk assessment support system 1 as a computer. The memory 12 is composed of, for example, volatile semiconductor memory and is used as the working memory of the processor 11.
The storage device 13 is an example of a non-transitory computer-readable storage medium and is composed of a large-capacity non-volatile storage device such as a hard disk drive, an SSD (Solid State Drive), or flash memory. The storage device 13 stores device configuration information 200 (FIG. 9), attack means correspondence information 201 (FIG. 5), occurrence event correspondence information 202 (FIG. 6), detailed information 203 (FIG. 16), detailing information 204 (FIG. 17), and attack scenario information 205 (FIGS. 12 and 18). Any of the device configuration information 200, attack means correspondence information 201, occurrence event correspondence information 202, detailed information 203, detailing information 204, and attack scenario information 205 may instead be held in the memory 12.
The storage device 13 also stores various programs and data. A program stored in the storage device 13 is loaded into the memory 12 when the security risk assessment support system 1 starts or when needed, and is executed by the processor 11. The processor 11 thereby realizes the functional units device configuration information input unit 111, attack path search unit 112, attack scenario generation unit 113, and attack scenario presentation unit 114. The processing performed by these four units is described later with reference to the flowchart of FIG. 8.
The program executed by the processor 11 may be recorded on a non-transitory recording medium, read from that medium by a medium reading device, and loaded into the memory 12. Alternatively, the executable program may be obtained from an external computer via a network and loaded into the memory 12.
The communication device 14 is the interface device through which the security risk assessment support system 1, as a computer, communicates with other computers. It comprises, for example, a NIC (Network Interface Card) for a wired LAN (Local Area Network) or a wireless LAN.
The input device 15 comprises a keyboard, a pointing device such as a mouse, a touch device, and the like, and is used by the user to enter instructions and information into the security risk assessment support system 1. The output device 16 comprises, for example, a display device such as a liquid crystal display or an organic EL (Electro Luminescence) display and an audio output device such as a speaker, and is used to present information to the user when required.
FIG. 7 shows an example in which the security risk assessment support system 1 is implemented on a single computer. The system is not limited to this, however, and may be realized by distributing its processing functions over a plurality of communicably connected computers.
(Risk assessment processing)
FIG. 8 is a flowchart of the risk assessment processing. The security risk assessment support system 1 executes the risk assessment processing when triggered by a user instruction.
First, in step S1, the device configuration information input unit 111 (FIG. 7) executes device configuration information input processing: it receives the user's input of the device configuration of the SuC 10 and creates device configuration information 200.
The device configuration information input processing of step S1 is described with reference to FIGS. 9 to 11. FIG. 9 shows the configuration of the SuC 10, the functional model M100 of each component device 100 that makes up the SuC 10, and the device configuration information 200. As shown in FIG. 9, step S1 creates, based on the functional model M100 of each component device 100, device configuration information 200 with the items "device ID", "device name", "number of inputs", "input I/F 1", "input I/F 2", ..., and "output destination" for each component device 100. Each of "input I/F 1", "input I/F 2", ... holds the "ID" and "name" of that input I/F and the "operation element" handled by it. The device configuration information input processing has the user enter the configuration information of the component devices 100 according to the functional model M100. Because the configuration information is entered according to the functional model M100, attack scenarios can be evaluated without detailed knowledge of the specifications of the SuC 10 or the component devices 100, or of their security vulnerabilities.
FIG. 10 shows the menu display 300 and configuration diagram display 310 of the device configuration information input GUI (Graphical User Interface) 16D1. In step S1, the device configuration information input unit 111 displays the device configuration information input GUI 16D1 on the display screen of the output device 16. The device configuration information input GUI 16D1 comprises a menu display 300 and a configuration diagram display 310. The menu display 300 contains a component device creation button 301, an input I/F creation button 302, an input/output relationship creation button 303, a delete button 304, and a settings button 305.
The component device creation button 301 creates the SuC 10 and component devices 100 on the configuration diagram display 310. With the component device creation button 301 turned on, a SuC 10 or a component device 100 is created at the clicked position; clicking inside a SuC 10 with the button turned on creates a component device 100 inside that SuC 10.
The input I/F creation button 302 creates an input I/F 101 of a component device 100 on the configuration diagram display 310. With the input I/F creation button 302 turned on, an input I/F 101 is created at the clicked position.
The input/output relationship creation button 303 creates an input/output relationship 102 between component devices 100. With the input/output relationship creation button 303 turned on, an input/output relationship 102 between component devices 100 is created along the dragged (or swiped) path.
The delete button 304 deletes a component device 100, an input I/F 101, or an input/output relationship 102 from the configuration diagram display 310. With the delete button 304 turned on, the component device 100, input I/F 101, or input/output relationship 102 at the clicked position is deleted.
The settings button 305 transitions to an input screen that accepts the various settings of the device configuration information input GUI 16D1.
By operating the buttons of the menu display 300, the user builds on the device configuration information input GUI 16D1 a configuration diagram display 310 of the SuC 10 with its component devices 100, input I/Fs 101, and input/output relationships 102, as shown for example in FIG. 10. The component devices 100, input I/Fs 101, and input/output relationships 102 of a SuC 10 whose configuration diagram display 310 has been created on the device configuration information input GUI 16D1 are automatically reflected in the device configuration information 200 of that SuC 10.
FIG. 11 shows an example of information entered on the device configuration information input GUI 16D1. When a new SuC 10 is created on the configuration diagram display 310 of the device configuration information input GUI 16D1, a template of device configuration information 200 corresponding to the newly created SuC 10 is created.
When a component device 100 is created inside the SuC 10 on the configuration diagram display 310 of the device configuration information input GUI 16D1, a row of device configuration information 200 corresponding to the newly created component device 100 is created. When an input I/F 101 is created inside a component device 100 on the configuration diagram display 310, the "ID", "name", and "operation element" items of the device configuration information 200 corresponding to the newly created input I/F 101 are created. The values of the "ID", "name", and "operation element" items of the device configuration information 200 are entered by the user.
When an input/output relationship 102 of a component device 100 is newly created on the configuration diagram display 310 of the device configuration information input GUI 16D1, a row of device configuration information 200 for the newly created input/output relationship 102 is created. For example, as shown in FIG. 10, double-clicking the component device 100c on the configuration diagram display 310 pops up the device configuration information 200, and the row of the pop-up corresponding to the component device 100c can then be filled in. The row of the device configuration information 200 for the component device 100c is filled in according to the device model (not shown) of the component device 100c.
Specifically, because the input I/F 101c-1 of the component device 100c has the operation element "input", the "ID", "name", and "operation element" of "input I/F 1", which corresponds to the input I/F 101c-1, are set to "101c-1", "input1", and "input". Likewise, because the input I/F 101c-2 of the component device 100c has the operation element "input", the "ID", "name", and "operation element" of "input I/F 2", which corresponds to the input I/F 101c-2, are set to "101c-2", "input2", and "input". The output of the component device 100c is fed to the input I/F 101d-1 of the component device 100d, so the "output destination" of the component device 100c is set to "101d-1".
The operation element of the input I/F 101d-2 of the component device 100d is "logic (maintenance)". Accordingly, in the row with "device ID" "100d" of the device configuration information 200 in FIG. 11, the "ID", "name", and "operation element" of "input I/F 2" are set to "101d-2", "maintenance", and "logic". The output of the component device 100d leaves the SuC 10, so the "output destination" of the component device 100d is set to "SYSOUT".
Information on an input I/F 101 for which an input/output relationship 102 has been created on the configuration diagram display 310 of the device configuration information input GUI 16D1 is also reflected automatically in the device configuration information 200. For example, when the output of the component device 100c is connected to the input I/F 101d-1 of the component device 100d on the configuration diagram display 310, the input I/F 101d-1 is also stored in the "output destination" column of the row for the component device 100c in the pop-up device configuration information 200. Conversely, when the connection destination of an input I/F 101 is stored in the table of the device configuration information 200, it is reflected in the configuration diagram display 310 of the device configuration information input GUI 16D1.
Next, in step S2, the attack path search unit 112 executes attack path search processing based on the device configuration information 200 created in step S1. Starting from each input I/F 101 that connects to the outside of the SuC 10, it follows the connections between the component devices 100 up to the output I/F (SYSOUT) that connects to the outside of the SuC 10, and thereby enumerates candidate attack paths in the SuC 10.
In the example of the SuC 10 and device configuration information 200 of FIG. 9, three attack paths are identified: attack path 1: outside → component device 100a → component device 100c → component device 100d → outside; attack path 2: outside → component device 100b → component device 100c → component device 100d → outside; and attack path 3: outside → component device 100d → outside.
Next, in step S3, the attack scenario generation unit 113 executes attack scenario generation processing, which includes estimating the "attack means" and the "events that may occur due to the attack", based on the result of the attack path search processing of step S2. Suppose, for example, that the three attack paths 1 to 3 above have been identified from the device configuration information 200 of FIG. 9. The attack scenario generation unit 113 then generates attack scenario information 205 containing attack scenarios AS1, AS2, and AS3, one for each attack path.
FIG. 12 shows the scenario information display GUI 16D2, which displays the attack scenario information 205. As shown in FIG. 12, the attack scenario information 205 has the items "attack scenario ID", "attack stage ID", "attack source component device ID", "attack target component device ID", "attack target input I/F_ID", "component device connection form details", "predicted attack form", "attack means", and "events that may occur due to the attack".
The "attack scenario ID" identifies an attack scenario; one ID is assigned per attack path identified from the device configuration information 200. In the example of FIG. 12, the attack scenarios created for the three attack paths identified from the device configuration information 200 (FIG. 9) have the "attack scenario IDs" AS1, AS2, and AS3. An attack scenario is an attack path laid out in the order in which the attack passes through the component devices 100.
The "attack stage ID" identifies each attack stage that makes up an attack scenario. FIG. 13 illustrates the attack stages. The attack scenario AS1 shown in FIG. 12 corresponds to attack path 1: outside → component device 100a → component device 100c → component device 100d → outside. As shown in FIG. 13, the attack scenario AS1 therefore consists of three attack stages: attack stage AS1-1: outside → component device 100a, attack stage AS1-2: component device 100a → component device 100c, and attack stage AS1-3: component device 100c → component device 100d. From the second attack stage (AS1-2) onward, the component device 100 attacked in the preceding stage becomes the stepping stone from which the attack on the component device 100 of the next stage is launched, whether through a malfunction caused by the attack or through malicious operation by the attacker.
An attack scenario is thus generated by arranging the attack form predicted for each component device 100 in the order in which data passes through the component devices 100.
The "attack source component device ID" and "attack target component device ID" give the source and target component devices 100 on the attack path of the attack stage. As FIG. 13 shows, in attack stage AS1-1 the external attacker is the direct attack source and the component device 100a is the attack target, so the "attack source component device ID" is "attacker (external)" and the "attack target component device ID" is the component device 100a. In attack stage AS1-2 the component device 100a is the source and the component device 100c the target, so the IDs are the component devices 100a and 100c respectively; in attack stage AS1-3 the component device 100c is the source and the component device 100d the target, so the IDs are the component devices 100c and 100d respectively.
The "attack target input I/F_ID" gives the input I/F 101 of the attack target component device 100 on the attack path of the attack stage. As FIG. 13 shows, in attack stage AS1-1 the attack target is the input I/F 101a-1 of the component device 100a, so the "attack target input I/F_ID" is the input I/F 101a-1. Likewise, in attack stage AS1-2 the attack target is the input I/F 101c-1 of the component device 100c, and in attack stage AS1-3 it is the input I/F 101d-1 of the component device 100d, so the "attack target input I/F_ID" is the input I/F 101c-1 and the input I/F 101d-1 respectively.
The "component device connection form details" are stored on the basis of the detailed information 203 entered in the detailed information addition input processing described later (step S6 of FIG. 8). Immediately after step S3 has been executed, the detailed information 203 has not yet been entered, so "(not entered)" is stored in the "component device connection form details".
The "predicted attack form" contains the items "target operation element" and "inhibition form". The "target operation element" is the operation element targeted by the attack stage. FIG. 14 illustrates the inhibition forms and the estimation of attack means. In the example of FIG. 14, in attack stage AS1-2 (component device 100a → component device 100c) the operation element of the input I/F 101c-1 is "input". Which "inhibition form" applies to an attack stage depends on the connection form of the input I/F 101 of the component device 100 targeted in that stage; while the "component device connection form details" are not entered, every inhibition form conceivable for the "target operation element" is stored. Hence, from the attack means correspondence information 201 (FIG. 5), all of the inhibition forms (a), (b), and (c) are entered in the "inhibition form" for the "operation element" "input" of attack stage AS1-2 in FIG. 12.
The "attack means" is the attack means that the attack means correspondence information 201 (FIG. 5) associates with the combination of "target operation element" and "inhibition form". In the example of FIG. 14, for attack stage AS1-2 (component device 100a → component device 100c), the combination of "target operation element" "input" and "inhibition form" "(a)" is stored with the corresponding "attack means" "attack means 4" from the attack means correspondence information 201. Likewise, the combination of "input" and "(b)" is stored with "attack means 5", and the combination of "input" and "(c)" with "attack means 6".
The "events that may occur due to the attack" are the events, effects, and so on expected to result from each "attack means", as associated with that "attack means" in the occurrence event correspondence information 202 (FIG. 6). For "attack means 4", the corresponding "event that may occur due to the attack" "event 4 (5)" from the occurrence event correspondence information 202 is entered; likewise "event 5 (4)" for "attack means 5" and "event 6 (5)" for "attack means 6".
The number in parentheses after each "event that may occur due to the attack" is the per-event score expressing the degree of security risk the attack poses to the target system, for example on a five-level scale from 1 to 5. This score gives an intuitive grasp of the degree of security risk for each attack path. Summing the scores for each attack scenario likewise gives an intuitive grasp of the degree of security risk for each attack scenario, and as the outcome of the security risk assessment, the priority points requiring countermeasures can be selected on the basis of the scores.
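The device configuration information of step S1 (the SuC of FIG. 9), the attack path search of step S2, and the scenario generation and scoring of step S3 described above, worked through end to end as an added Python example. This is illustrative code written for this page, not code from the patent or its applicant. It assumes that the operation elements of the input I/Fs 101a-1, 101b-1 and 101d-1 are "input" (the text states only those of 101c-1, 101c-2 and 101d-2), that the "logic" rows of the attack means correspondence information 201 are attack means 1 to 3, and placeholder scores for events 1 to 3; the `forms_by_if` parameter stands in for the narrowing of inhibition forms that the detailed information of step S6 would enable, and the visited-set check guards against feedback connections, which the text does not discuss.

```python
"""Attack path search (step S2) and attack scenario generation (step S3) over
device configuration information modelled on FIG. 9. Added example; not the
patent applicant's implementation. Values marked 'assumed' are not given in
the text."""
from __future__ import annotations
from dataclasses import dataclass, field

SYSOUT = "SYSOUT"              # output destination meaning "outside the SuC"
ATTACKER = "attacker(external)"
ALL_FORMS = ("a", "b", "c")    # inhibition forms (a) to (c) of FIG. 4


@dataclass
class InputIF:
    if_id: str
    name: str
    element: str               # operation element: "input" or "logic"


@dataclass
class Device:
    dev_id: str
    name: str
    inputs: list[InputIF]
    output_to: str             # input I/F ID of the next device, or SYSOUT


# Device configuration information 200 for the SuC of FIG. 9 (constructed).
DEVICES = [
    Device("100a", "dev-a", [InputIF("101a-1", "input1", "input")], "101c-1"),  # element assumed
    Device("100b", "dev-b", [InputIF("101b-1", "input1", "input")], "101c-2"),  # element assumed
    Device("100c", "dev-c", [InputIF("101c-1", "input1", "input"),
                             InputIF("101c-2", "input2", "input")], "101d-1"),
    Device("100d", "dev-d", [InputIF("101d-1", "input1", "input"),            # element assumed
                             InputIF("101d-2", "maintenance", "logic")], SYSOUT),
]

# Attack means correspondence information 201 (FIG. 5): (element, form) -> attack means.
# The "input" rows (4, 5, 6) follow the text; the "logic" rows (1, 2, 3) are assumed.
ATTACK_MEANS = {("logic", "a"): 1, ("logic", "b"): 2, ("logic", "c"): 3,
                ("input", "a"): 4, ("input", "b"): 5, ("input", "c"): 6}
# Occurrence event correspondence information 202 (FIG. 6): attack means -> (event, score 1-5).
# Events 4 to 6 follow the text; the scores of events 1 to 3 are assumed placeholders.
EVENTS = {1: ("event 1", 3), 2: ("event 2", 2), 3: ("event 3", 4),
          4: ("event 4", 5), 5: ("event 5", 4), 6: ("event 6", 5)}


@dataclass
class Stage:
    stage_id: str
    src_dev: str
    dst_dev: str
    dst_if: str
    # one tuple per inhibition form: (element, form, attack means, event, score)
    predictions: list[tuple[str, str, int, str, int]] = field(default_factory=list)


def _index(devices):
    """Map every input I/F ID to (owning device, InputIF)."""
    return {i.if_id: (d, i) for d in devices for i in d.inputs}


def search_attack_paths(devices):
    """Step S2: start at every input I/F that no device feeds (reachable from
    outside the SuC) and follow output destinations until SYSOUT. Returns one
    path per entry point as a list of (source device, target device, target I/F)."""
    owner = _index(devices)
    fed = {d.output_to for d in devices}
    entries = sorted(if_id for if_id in owner if if_id not in fed)
    paths = []
    for entry in entries:
        dev, _ = owner[entry]
        path, visited = [(ATTACKER, dev.dev_id, entry)], {dev.dev_id}
        while dev.output_to != SYSOUT:
            if dev.output_to not in owner:
                raise ValueError(f"{dev.dev_id} outputs to unknown I/F {dev.output_to}")
            nxt, _ = owner[dev.output_to]
            if nxt.dev_id in visited:   # feedback loop: stop instead of looping forever
                break
            path.append((dev.dev_id, nxt.dev_id, dev.output_to))
            visited.add(nxt.dev_id)
            dev = nxt
        else:                           # only paths that actually reach SYSOUT count
            paths.append(path)
    return paths


def generate_scenarios(devices, forms_by_if=None):
    """Step S3: one scenario per path, one stage per hop. forms_by_if optionally
    narrows the inhibition forms per target I/F (what step S6's detailed
    information would supply); without an entry all of (a)-(c) are assumed."""
    owner = _index(devices)
    forms_by_if = forms_by_if or {}
    scenarios = {}
    for n, path in enumerate(search_attack_paths(devices), start=1):
        sid = f"AS{n}"
        stages = []
        for k, (src, dst, dst_if) in enumerate(path, start=1):
            element = owner[dst_if][1].element
            st = Stage(f"{sid}-{k}", src, dst, dst_if)
            for form in forms_by_if.get(dst_if, ALL_FORMS):
                means = ATTACK_MEANS[(element, form)]
                event, score = EVENTS[means]
                st.predictions.append((element, form, means, event, score))
            stages.append(st)
        scenarios[sid] = stages
    return scenarios


def scenario_score(stages):
    """Per-scenario total of the event scores, as the text proposes."""
    return sum(p[4] for st in stages for p in st.predictions)


if __name__ == "__main__":
    for sid, stages in generate_scenarios(DEVICES).items():
        print(sid, "total score", scenario_score(stages))
        for st in stages:
            print(" ", st.stage_id, st.src_dev, "->", st.dst_dev, "via", st.dst_if,
                  [(f"({f})", f"attack means {m}", f"{e} ({s})") for _, f, m, e, s in st.predictions])
```

Running the block prints AS1 and AS2 with three stages each and AS3 with a single stage on the maintenance I/F, matching the three paths of FIG. 9. Note that the per-scenario total rewards long paths: AS1 and AS2 score identically because the same three-stage structure is expanded with all three inhibition forms at every stage, so the score only starts to discriminate once the connection form details of step S6 prune the forms that cannot apply.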
 次にステップS4では、攻撃シナリオ提示部114は、ステップS3で生成した攻撃シナリオをユーザに提示する。攻撃シナリオ提示部114は、例えば図12に例示するように、出力装置16上のシナリオ情報表示GUI16D2(図12)を介して攻撃シナリオ情報205をユーザに対して出力する。 Next, in step S4, the attack scenario presentation unit 114 presents the attack scenario generated in step S3 to the user. The attack scenario presentation unit 114 outputs the attack scenario information 205 to the user via the scenario information display GUI 16D2 (FIG. 12) on the output device 16, as illustrated in FIG. 12, for example.
 ここまでの段階では、生成された攻撃シナリオに含まれる攻撃手段は、構成機器の動作モデルと阻害形態で表現されるため、SuCに関する知見を持つユーザであれば、攻撃手段に関する専門知識がない場合でも、攻撃シナリオによってもたらされるリスクを大まかに把握できる。しかし、この後、攻撃シナリオから対策立案に引き継ぐにあたっては、具体的な攻撃のメカニズムに関する情報が必要となるため、ユーザの希望により、攻撃シナリオを詳細化する工程が必要となる。以下その詳細を説明する。 Up to this stage, the attack methods included in the generated attack scenario are expressed in terms of the behavior model of the component devices and the form of inhibition, so if you are a user with knowledge of SuC, you may not have specialized knowledge of attack methods. However, you can get a rough idea of the risks posed by attack scenarios. However, after this, when the attack scenario is transferred to countermeasure planning, information regarding the specific attack mechanism is required, so a step is required to refine the attack scenario in accordance with the user's wishes. The details will be explained below.
 次にステップS5では、攻撃シナリオ提示部114は、ユーザが攻撃シナリオの詳細化を求める入力を行ったかを判定する。攻撃シナリオ提示部114は、ユーザが攻撃シナリオの詳細化を求める入力を行った場合(ステップS5YES)にステップS6に処理を移し、ユーザが攻撃シナリオの詳細化を求める入力を行わなかった場合(ステップS5NO)に本リスクアセスメント処理を終了する。なお、ステップS5では、攻撃シナリオ提示部114は、ユーザが攻撃シナリオの詳細化を求める入力を行ったかに限らず、所定条件(例えば後述のステップS6で入力可能な詳細情報が全て入力された等)が充足されたかを判定してもよい。 Next, in step S5, the attack scenario presentation unit 114 determines whether the user has made an input requesting the attack scenario to be detailed. The attack scenario presentation unit 114 moves the process to step S6 when the user inputs a request to make the attack scenario more detailed (step S5 YES), and when the user does not input an input requesting the more detailed attack scenario (step S5), the attack scenario presentation unit 114 moves the process to step S6. S5NO), the present risk assessment process ends. In addition, in step S5, the attack scenario presentation unit 114 does not limit to whether the user inputs a request to make the attack scenario more detailed; ) may be determined whether it is satisfied.
 In step S5, the attack scenario presentation unit 114 has the user enter whether refinement of the attack scenario information 205 is to be performed, via the refinement confirmation GUI 16D3 on the output device 16, as illustrated for example in FIG. 15. When the row of the component device 100 to be refined in the attack scenario information 205 is double-clicked, the refinement confirmation GUI 16D3 is displayed as shown in FIG. 15. When "Yes (Y)" is clicked in the refinement confirmation GUI 16D3, a detailed information input window 16D4 is displayed on the device configuration information input GUI 16D1, as shown in FIG. 16. Steps S5 to S7 are repeated as long as the user wishes.
 In step S6, the device configuration information input unit 111 executes detailed information addition input processing. For example, as illustrated in FIG. 16, the device configuration information input unit 111 has the user enter the detailed information 203 used to refine the attack scenario information 205 via the detailed information input window 16D4 displayed on the device configuration information input GUI 16D1 of the output device 16, and accepts that input.
 The detailed information 203 is information for each component device 100. As shown in FIG. 16, the detailed information 203 has the items "name" and "version" under "installed OS", "name" and "version" under "installed software", and "connection type" and "additional attributes" under "input I/F_ID". Whether a value is actually stored for each of these items is up to the user.
 "Connection type" under "input I/F_ID" indicates the connection standard of the corresponding input I/F 101, for example "Ethernet" (registered trademark; the same applies hereinafter), "RS-232C", or "signal line". "Additional attributes" under "input I/F_ID" is information containing one or more attributes of the corresponding input I/F 101 other than its connection standard, for example "inside the enclosure" or "outside the enclosure" indicating where the connection is located.
 The device configuration information input unit 111 stores the detailed information 203 entered by the user in the storage device 13 and reflects it in the attack scenario information 205.
 Next, in step S7, the attack scenario generation unit 113 executes attack scenario refinement processing, which includes estimating detailed attack means and the events that may be caused by the attack, based on the detailed information 203 entered in step S6.
 In the attack scenario refinement processing, the attack scenario generation unit 113 first reflects the detailed information 203 entered in step S6 in the attack scenario information 205. FIG. 18 shows the refined attack scenario information 205. In the example shown in FIG. 18, the "connection type" and "additional attributes" of the detailed information 203 are stored in the "component device connection type details" of the corresponding input I/F 101 in the attack scenario information 205. Although not illustrated, the values of the other items of the detailed information 203 may likewise be stored as the values of the corresponding items of the attack scenario information 205.
 Next, the attack scenario generation unit 113 re-estimates the "inhibition form", "attack means", and "events that may be caused by the attack" in the attack scenario information 205 in which the detailed information 203 has been reflected. For the "inhibition form", re-estimation excludes inhibition forms that can no longer arise. For example, when a component device 100 is housed inside the enclosure, an attacker cannot directly access the inside of the enclosure, so inhibition form (b) described above, which is modification on the connection between component devices 100, and inhibition form (c) described above, which is based on input from an untrusted party, can no longer occur. For this reason, in the example shown in FIG. 18, the "inhibition form" corresponding to attack stages AS1-2 and AS1-3 of attack scenario AS1, attack stages AS2-2 and AS2-3 of attack scenario AS2, and attack stage AS3-1 of attack scenario AS3 has had "(b), (c)" excluded from "(a), (b), (c)", leaving only "(a)".
 The "attack means" is also refined by re-estimation, based on the added "component device connection type details". For example, in the example shown in FIG. 18, the "attack means" of attack scenario AS1 is refined based on the refinement information 204. FIG. 17 shows the refinement information 204 for attack means and resulting events. The refinement information 204 indicates the "detailed attack means" and "detailed events that may be caused by the attack" corresponding to each combination pattern of an "attack means" and the values of items of the detailed information 203.
 The "attack means" in the refinement information 204 is the attack means before refinement on the basis of the refinement information 204. The "detailed information" indicates a pattern consisting of the value of one item or a combination of the values of several items stored in the refinement information 204 (FIG. 17). Items of the "detailed information" for which no value is stored are excluded from this pattern. The "detailed attack means" is information that specifically and in detail describes the attack means corresponding to the combination of the "attack means" and the "detailed information".
 The "detailed events that may be caused by the attack" are the events that may be caused by the attack corresponding to the "detailed attack means", and are information that specifically and in detail describes each event. Note that the same "detailed attack means" and "detailed events that may be caused by the attack" may correspond to different combinations of "detailed information".
 Specifically, for example, the "attack means" corresponding to attack stage AS1-1 of attack scenario AS1 and attack stage AS2-1 of attack scenario AS2, namely "attack means 4", "attack means 5", and "attack means 6" for inhibition forms (a), (b), and (c) respectively, are refined on the basis of the refinement information 204 (FIG. 17) into "attack means 4-1", "attack means 5-3", and "attack means 6-2" respectively. Likewise, the "events that may be caused by the attack" are refined into "event 4-1 (3)", "event 5-3 (2)", and "event 6-2 (2)" respectively. The number in parentheses after each "event that may be caused by the attack" is a per-event score expressing the magnitude of the security risk that the attack causes to the target system, for example on a five-level scale from 1 to 5.
 Similarly, the "attack means" corresponding to attack stages AS1-2 and AS1-3 of attack scenario AS1 and attack stages AS2-2 and AS2-3 of attack scenario AS2, namely "attack means 4" for inhibition form (a), is refined on the basis of the refinement information 204 into "attack means 4-2". Likewise, the "event that may be caused by the attack" is refined into "event 4-2 (4)".
 Similarly, the "attack means" corresponding to attack stage AS3-1 of attack scenario AS3, namely "attack means 4" and "attack means 5" for inhibition forms (a) and (b) respectively, are refined on the basis of the refinement information 204 into "attack means 4-3" and "attack means 5-1" respectively. Likewise, the "events that may be caused by the attack" are refined into "event 4-3 (3)" and "event 5-1 (1)" respectively.
 When step S7 ends, the attack scenario generation unit 113 returns the process to step S5.
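The refinement loop of steps S6 and S7 described above, as an added worked example that is not code from the patent: the user's detailed information 203 is attached to each attack stage, inhibition forms that can no longer arise are excluded (the page's rule that a device inside the enclosure rules out forms (b) and (c)), and the coarse attack means and events are replaced by the matching row of the refinement information 204. The data layout, field names and the sample refinement table are constructed assumptions; the sample values reproduce the AS1-1 and AS1-2 rows of FIG. 18.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Tuple

# Inhibition forms as labelled on the page: (b) modification on the connection between
# component devices, (c) input from an untrusted party; (a) is the remaining form.
FORMS_NEEDING_CONNECTION_ACCESS = ("b", "c")

# A detail pattern: the (item, value) pairs of detailed information that carry a value.
Pattern = Tuple[Tuple[str, str], ...]


@dataclass
class DetailInfo:
    """Detailed information 203 for one input I/F; an item left None is 'not stored'."""
    connection_type: Optional[str] = None   # "Ethernet", "RS-232C", "signal line", ...
    location: Optional[str] = None          # "inside enclosure" / "outside enclosure"

    def pattern(self) -> Pattern:
        return tuple(sorted((k, v) for k, v in vars(self).items() if v is not None))


@dataclass
class Stage:
    """One attack stage (row) of attack scenario information 205."""
    stage_id: str
    forms: Tuple[str, ...]                       # applicable inhibition forms
    attack_means: Dict[str, str]                 # form -> attack means (coarse or detailed)
    events: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # form -> (event, score)
    detail: Optional[DetailInfo] = None          # filled in at step S6


# Refinement information 204 (constructed layout): coarse attack means ->
# rows of (detail pattern, detailed attack means, detailed event, score 1..5).
RefinementTable = Dict[str, List[Tuple[Pattern, str, str, int]]]


def reestimate_forms(stage: Stage) -> Tuple[str, ...]:
    """Drop inhibition forms that can no longer arise. Page rule: a device inside the
    enclosure cannot be reached on its connection, so (b) and (c) are excluded."""
    if stage.detail is not None and stage.detail.location == "inside enclosure":
        return tuple(f for f in stage.forms if f not in FORMS_NEEDING_CONNECTION_ACCESS)
    return stage.forms


def lookup_refinement(table: RefinementTable, coarse: str, detail: DetailInfo):
    """Row whose pattern is contained in the detail info, preferring the most specific
    (largest) pattern; None when the table has no matching row."""
    given, best = set(detail.pattern()), None
    for row in table.get(coarse, []):
        if set(row[0]) <= given and (best is None or len(row[0]) > len(best[0])):
            best = row
    return None if best is None else best[1:]


def refine_stage(stage: Stage, table: RefinementTable) -> Stage:
    """Step S7 for one stage: narrow the forms, then detail means and events per form.
    A stage the user entered no detail for is returned unchanged."""
    if stage.detail is None:
        return stage
    forms = reestimate_forms(stage)
    means: Dict[str, str] = {}
    events: Dict[str, Tuple[str, int]] = {}
    for form in forms:
        hit = lookup_refinement(table, stage.attack_means[form], stage.detail)
        if hit is None:            # nothing more specific known: keep the coarse entry
            means[form] = stage.attack_means[form]
            events[form] = stage.events.get(form, ("unrefined event", 0))
        else:
            means[form], events[form] = hit[0], (hit[1], hit[2])
    return replace(stage, forms=forms, attack_means=means, events=events)


def refine_scenario(stages: List[Stage], details: Dict[str, DetailInfo],
                    table: RefinementTable) -> List[Stage]:
    """Steps S6 + S7 over a scenario: attach detail info per stage, then refine."""
    return [refine_stage(replace(s, detail=details.get(s.stage_id, s.detail)), table)
            for s in stages]


def sample_inputs():
    """Constructed sample reproducing the page's AS1 values (stages AS1-1, AS1-2)."""
    coarse = {"a": "attack means 4", "b": "attack means 5", "c": "attack means 6"}
    stages = [Stage("AS1-1", ("a", "b", "c"), dict(coarse)),
              Stage("AS1-2", ("a", "b", "c"), dict(coarse))]
    details = {"AS1-1": DetailInfo(connection_type="Ethernet", location="outside enclosure"),
               "AS1-2": DetailInfo(connection_type="signal line", location="inside enclosure")}
    eth = (("connection_type", "Ethernet"),)
    sig = (("connection_type", "signal line"),)
    table: RefinementTable = {
        "attack means 4": [(eth, "attack means 4-1", "event 4-1", 3),
                           (sig, "attack means 4-2", "event 4-2", 4)],
        "attack means 5": [(eth, "attack means 5-3", "event 5-3", 2)],
        "attack means 6": [(eth, "attack means 6-2", "event 6-2", 2)]}
    return stages, details, table
```

Calling `refine_scenario(*sample_inputs())` yields AS1-1 with all three forms refined to attack means 4-1, 5-3 and 6-2, and AS1-2 reduced to form (a) with attack means 4-2 and event score 4; the original stages are left untouched, so the user can repeat the loop from the coarse scenario.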
 As explained above, the user is first presented with an attack scenario expressed by the attack means coarsely classified in step S3. This coarse attack classification is a so-called classification without omissions or duplications (mutually exclusive and collectively exhaustive), and for those who are not security experts its completeness is easier to verify than that of an attack scenario expressed in terms of specific attack techniques. Then, for attack scenarios for which countermeasures need to be considered, the user is asked to enter additional device information, and the attack scenario is refined and subdivided repeatedly at the user's request, which makes it possible to identify the specific technical content of the attacks to be addressed and to move smoothly on to the step of selecting the necessary countermeasure technologies.
 According to the present embodiment, attacks predicted on the basis of the device configuration entered by the user are expressed as attack types defined by the operational elements in the device's behavior model and the forms in which they are inhibited, and are presented to the user as attack scenarios. Since the operational elements and inhibition forms define the entire set of attack means that can exist, the attack types obtained by classifying that set are guaranteed to be exhaustive. Moreover, unlike a classification by known attack means, such a classification is based on the behavior of the devices, so it has the advantage that a user who is familiar with the system targeted by the security risk assessment can readily grasp the outline of an attack scenario even without being a security expert.
 Note that in the above description, functions and means whose configuration is not specifically stated may be realized by electric circuits, electronic circuits, logic circuits, and integrated circuits incorporating them, or by programs executed by a combination of a microcomputer, processor or similar arithmetic device, a ROM (Read Only Memory), RAM (Random Access Memory), flash memory, hard disk, SSD, memory card, optical disk or similar storage device, a bus, network or similar communication device, and peripheral devices; the present invention holds in any of these implementations.
 Furthermore, the present invention is not limited to the above-described embodiment and includes various modifications. For example, the above embodiment has been described in detail to explain the present invention in an easy-to-understand way, and the invention is not necessarily limited to one having all of the configurations described. It is also possible to replace part of the configuration of one embodiment with the configuration of another embodiment, and to add the configuration of another embodiment to the configuration of one embodiment. Furthermore, part of the configuration of each embodiment may have other configurations added, deleted, or substituted.
1: Security risk assessment support system, 11: Processor, 13: Storage device, 16: Output device, 111: Device configuration information input unit, 112: Attack route search unit, 113: Attack scenario generation unit, 114: Attack scenario presentation unit, 200: Device configuration information, 201: Attack means correspondence information, 202: Occurring event correspondence information, 203: Detailed information, 204: Refinement information, 205: Attack scenario information.

Claims (15)

  1.  A security risk assessment support method executed by a security risk assessment support system, the method comprising:
     a configuration information input step of accepting input of configuration information on a target system that includes component devices;
     an attack route search step of searching, based on the configuration information, for an attack route along which an attack on the target system passes through the component devices;
     an attack scenario generation step of generating an attack scenario by arranging the attack route in the order in which the attack passes through the component devices, estimating, based on a functional model that represents the configuration of each component device from a functional viewpoint, which attack type the form in which the attack inhibits the operation of the component devices constituting the attack route falls under, and reflecting the estimated attack type in the attack scenario; and
     an attack scenario presentation step of presenting the attack scenario generated in the attack scenario generation step.
  2.  The security risk assessment support method according to claim 1, wherein, in the configuration information input step, the configuration information is entered in accordance with the functional model.
  3.  The security risk assessment support method according to claim 1, wherein the functional model includes the types of the operational elements of the component devices.
  4.  The security risk assessment support method according to claim 1, wherein, in the attack scenario generation step, a type of event that may occur in the component device is estimated from the estimated attack type, and the estimated event type is reflected in the attack scenario.
  5.  The security risk assessment support method according to claim 4, wherein the event type includes, for each event type, a score indicating the degree of security risk that the attack causes to the target system.
  6.  The security risk assessment support method according to claim 1, further comprising:
     a detailed information addition input step of accepting additional input of detailed information on the configuration information; and
     an attack scenario refinement step of estimating, based on the detailed information accepted in the detailed information addition input step, an attack means that is more detailed than the attack type, and updating the attack type of the attack scenario generated in the attack scenario generation step with the estimated detailed attack means.
  7.  The security risk assessment support method according to claim 6, wherein, in the attack scenario refinement step, an attack type whose form of inhibiting the operation of the component devices constituting the attack route cannot apply according to the detailed information is excluded from the attack scenario.
  8.  The security risk assessment support method according to claim 6, wherein, in the attack scenario refinement step, a detailed event that may occur in the component device due to the detailed attack means is estimated, and the estimated detailed event is reflected in the attack scenario.
  9.  The security risk assessment support method according to claim 8, wherein the detailed event includes, for each detailed event, a score indicating the degree of security risk that the attack causes to the target system.
  10.  The security risk assessment support method according to claim 6, wherein the detailed information addition input step and the attack scenario refinement step are repeated until a predetermined condition is satisfied.
  11.  A security risk assessment support system that executes a security risk assessment on a target system that includes component devices, the system comprising:
     a configuration information input unit that accepts input of the configuration information;
     an attack route search unit that searches, based on the configuration information, for an attack route along which an attack on the target system passes through the component devices;
     an attack scenario generation unit that generates an attack scenario by arranging the attack route in the order in which the attack passes through the component devices, estimates, based on a functional model that represents the configuration of each component device from a functional viewpoint, which attack type the form in which the attack inhibits the operation of the component devices constituting the attack route falls under, and reflects the estimated attack type in the attack scenario; and
     an attack scenario presentation unit that presents the attack scenario generated by the attack scenario generation unit.
  12.  The security risk assessment support system according to claim 11, wherein the attack scenario generation unit estimates, from the estimated attack type, a type of event that may occur in the component device, and reflects the estimated event type in the attack scenario.
  13.  The security risk assessment support system according to claim 11, wherein
     the configuration information input unit accepts additional input of detailed information on the configuration information, and
     the attack scenario generation unit estimates, based on the detailed information accepted by the configuration information input unit, an attack means that is more detailed than the attack type, and updates the attack type of the attack scenario generated by the attack scenario generation unit with the estimated detailed attack means.
  14.  The security risk assessment support system according to claim 13, wherein the attack scenario generation unit excludes from the attack scenario, based on the detailed information, an attack type whose form of inhibiting the operation of the component devices constituting the attack route cannot apply.
  15.  The security risk assessment support system according to claim 13, wherein the attack scenario generation unit estimates a detailed event that may occur in the component device due to the detailed attack means, and reflects the estimated detailed event in the attack scenario.
PCT/JP2023/023584 2022-09-02 2023-06-26 Security risk assessment assistance method and security risk assessment assistance system WO2024048040A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2022-139719 2022-09-02
JP2022139719A JP2024035327A (en) 2022-09-02 2022-09-02 Security risk assessment support method and security risk assessment support system

Publications (1)

Publication Number Publication Date
WO2024048040A1 true WO2024048040A1 (en) 2024-03-07

Family

ID=90099419

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2023/023584 WO2024048040A1 (en) 2022-09-02 2023-06-26 Security risk assessment assistance method and security risk assessment assistance system

Country Status (2)

Country Link
JP (1) JP2024035327A (en)
WO (1) WO2024048040A1 (en)

Also Published As

Publication number Publication date
JP2024035327A (en) 2024-03-14
