Modelling language for cyber security incident handling for critical infrastructures

Cyber security incident handling is a consistent methodology with which to ensure overall business continuity. However, specifically handling incidents for critical information infrastructures is challenging owing to the inherent complexity and evolving nature of the threat. Despite the number of contributions made to cyber incident handling, there is little evidence of literature that focuses on modelling activities that will enhance developers’ abilities to model incident handling processes and activities according to different views. Modelling languages of this nature should integrate essential concepts and a descriptive implementation process in order to enable developers to analyse, represent and reason about the crucial incident handling efforts required to support critical information infrastructures. The aim of this paper is, as part of the CyberSANE EU project, to develop a Cyber Incident Handling Modelling Language (CIHML) that focuses explicitly on modelling incident handling in the context of a critical information infrastructure. The work is innovative in its approach because it consolidates concepts from various domains such as security requirements, forensics, threat intelligence, critical infrastructures and cyber incident handling. The approach will allow the phases of the incident handling lifecycle to be modelled from three different views (critical information infrastructures, threat and risk analysis, and incident response). An implementation process is also proposed, which will serve as a comprehensive guide for developers in order to create these modelling views. Finally, CIHML is evaluated using a real-life scenario from the CyberSANE project to demonstrate its applicability. The incident observed had a severe impact on the overall business continuity of the context studied. The results obtained from the study show that CIHML can help critical information infrastructure operators to identify, evaluate, represent and model cyber incidents in critical information systems, in addition to providing the support required to determine the response strategies needed in order to mitigate these cyber-attacks.