Automating the assessment of ICT risk

We present a pair of tools to assess the risk of an ICT system through a scenario-based method. In each scenario, rational threat agents compose attacks against the system to reach some predefined goal. The first tool builds a description of the target system by automatically discovering and classifying the vulnerabilities in its components and the attacks they enable. Starting from this description and from the one of the agents, the other tool applies a Monte Carlo method to simulate step by step each agent and its attacks. By collecting samples on the agent attacks, the number of times they reach a goal and the corresponding impact this tool returns a database to compute statistics to support the assessment. After describing both tools, we exemplify their adoption in the assessment of an industrial control system that supervises a power production plant.