Cyber vulnerability assessment tool threat assessment heuristic

12273,368

18/510913

November 16, 2023

A Cyber Vulnerability Assessment Tool (CVAST) and CVAST Threat Assessment Heuristic (CVAST THRASH) capable of automated modeling of cyber physical systems, assessment of the nature of cyber risks thereto, and output of such cyber risk assessments are provided.

The United States of America, as represented by the Secretary of the Navy (Arlington, VA, US)

The United States of America, as represented by the Secretary of the Navy (Arlington, VA, US)

1. A computer system capable of implementing a Cyber Vulnerability Assessment Tool (CVAST) for conducting and outputting a cyber risk assessment of a Cyber Physical System (CPS), comprising: a CPS Information Extraction System for extracting information from a data source; a CPS Semantic Model for modeling relationships across a plurality of domains; an Attack Graph Algorithm for analyzing a path from an entry point to a target using an electrical circuit analogy; a Chain of Impacts Algorithm for evaluating a chain of cyber threat impacts; a CPS Criticality Algorithm for evaluating a criticality of a system, a subsystem, or a component; a THRASH Cyber Risk Algorithm for evaluating the cyber risk at component and system levels of the CPS.

2. The CVAST of claim 1 , further comprising a Cyber-Risk Information Database for storing the information extracted by the CPS Information Extraction System in accordance with a plurality of ontologies provided by the CPS Semantic Model.

3. The CVAST of claim 1 wherein the relationships modeled by the CPS Semantic Model derive from the domains comprising the engineering, information technology, cybersecurity, and mission domains.

4. The CVAST of claim 3 , wherein the CPS Semantic Model provides a plurality of ontologies linking components and systems of a CPS across the domains.

5. The CVAST of claim 1 , wherein the CPS is one operating in the group consisting of power grids, manufacturing plants, nuclear power plants, utility companies, and aviation systems.

6. The CVAST of claim 1 , wherein the CPS is Naval Control System (NCS).

7. The CVAST of claim 6 , wherein the CPS Semantic Model provides ontologies that support automated reasoning and computational analysis, in the form of semantic decompositions of CPS elements, the CPS elements comprising at least one of: missions of Naval vessel platform vessels; a Universal Naval Task List; NCS systems for submarines, surface ships, and airframes; lower level functioning systems; and physical security systems.

8. The CVAST of claim 7 , wherein the CPS Semantic Model further comprises ontologies that support automated reasoning and computational analysis, in the form of semantic decompositions of types of adversaries which target NCS, and motivations of adversaries who target NCS.

9. The CVAST of claim 1 , wherein the risk assessment is a heat map.

10. A risk assessment produced by the CVAST of claim 1 .

8272061 September 2012 Lotem et al.
11444974 September 2022 Shakhzadyan
11863578 January 2024 Speck
2018/0288085 October 2018 Hailpern
2018/0337939 November 2018 Agarwal
2019/0222597 July 2019 Crabtree
2021/0133331 May 2021 Lipkis et al.
2021/0273965 September 2021 Pi
2021/0288995 September 2021 Attar et al.
2022/0172146 June 2022 Zillner
2710985 January 2020
WO-2020183012 September 2020
WO-2020189668 September 2020

P. Mell, K. Scarfone, and S. Romanosky, “A Complete Guide to the Common Vulnerability Scoring System Version 2.0,” Jun. 2007; available at www.first.org/cvss/v2/guide. cited by applicant
Open Web Application Security Project (OWASP), “OWASP Risk Rating Methodology,” OWASP, Sep. 13, 2015; available archived at web.archive.org/web/20160218160854/https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology. cited by applicant

edspgr.12273368