ICT System Ontology for Cybersecurity Governance

The thesis work takes place in a new regulatory context: following the Decreto Legge No. 105 of 21 September 2019, in fact, the Italian government has established the Perimetro Nazionale di Sicurezza Cibernetica that identifies public administrations, public and private entities and operators on which the exercise of an essential function of the State depends. The new legislation requires them to comply with more stringent rules on the prevention and response to cyber attacks. On one hand, they are required to create and periodically update the list of networks, information systems and IT services they are responsible for, and on the other hand they are required to carry out analysis operations to identify potential criticalities and/or vulnerabilities (VAPT) in their ICT infrastructure. The purpose of the thesis is therefore to propose an ontology, a logical description of the components of a specific domain and the hierarchical relationships that bind them, that allows, on one hand a complete and detailed overview of the individual infrastructure, on the other hand the possibility, thanks to the knowledge base created, to provide the base and means to guide VAPT operations. Attempts to unify knowledge are already in place, such as the MITRE ATT&CK Framework, which collects the most common tactics to perform attacks and the techniques used to carry them out, and the MAEC language, which contains information on malware in a standardised language; there exist also repositories containing all the known vulnerabilities, the CVE, or the weaknesses that may become vulnerabilities, the CWE. Similarly, examples of ontologies in the cybersecurity field such as UCO, whose purpose is to create a cybersecurity knowledge base by combining information from different sources, and IoTSec, whose purpose is to provide a reference ontology in the IoT, are beginning to emerge. The starting point of the thesis is the ontology developed by the Agenzia per la Cibersicurezza Nazionale that is being used to comply with the laws regarding the Perimetro Nazionale di Sicurezza Cibernetica. The ontology has been analysed and compared with the other above-mentioned related works in order to understand its strengths and weaknesses and how to improve it to make it as exhaustive as possible. A new ontology, therefore, has been created describing the infrastructure in a more complete way, considering all the information and details required to describe an IT system, from the end point configuration in terms of hardware, software and protocols adopted, to the network infrastructure and external services used. This opens up the possibility to create a direct and automated interaction between the ontology and different sources of information about possible vulnerabilities (e.g. CVE) or attacks (e.g. ATT&CK Framework) in order to obtain a base to start and guide through the process of VAPT operations. The design of this automated interaction has been proposed as part of this thesis work.