Information Security Indicators (ISI); An ISI-driven Measurement and Event Management Architecture (IMA) and CSlang - A common ISI Semantics Specification Language

DGS/ISI-006

General Information

Status
Published
Publication Date
26-Feb-2019
Current Stage
12 - Completion
Due Date
04-Mar-2019
Completion Date
27-Feb-2019
Ref Project
Standard
ETSI GS ISI 006 V1.1.1 (2019-02) - Information Security Indicators (ISI); An ISI-driven Measurement and Event Management Architecture (IMA) and CSlang - A common ISI Semantics Specification Language
English language
31 pages

Standards Content (Sample)


GROUP SPECIFICATION
Information Security Indicators (ISI);
An ISI-driven Measurement and
Event Management Architecture (IMA) and CSlang -
A common ISI Semantics Specification Language
Disclaimer
The present document has been produced and approved by the Information Security Indicators (ISI) ETSI Industry Specification
Group (ISG) and represents the views of those members who participated in this ISG.
It does not necessarily represent the views of the entire ETSI membership.

2 ETSI GS ISI 006 V1.1.1 (2019-02)

Reference
DGS/ISI-006
Keywords
cyber-defence, security
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88

Important notice
The present document can be downloaded from:
http://www.etsi.org/standards-search
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the prevailing version of an ETSI
deliverable is the one made publicly available in PDF format at www.etsi.org/deliver.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx
If you find errors in the present document, please send your comment to one of the following services:
https://portal.etsi.org/People/CommiteeSupportStaff.aspx
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying
and microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.

© ETSI 2019.
All rights reserved.
DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are trademarks of ETSI registered for the benefit of its Members.
3GPP™ and LTE™ are trademarks of ETSI registered for the benefit of its Members and
of the 3GPP Organizational Partners.
oneM2M™ logo is a trademark of ETSI registered for the benefit of its Members and
of the oneM2M Partners.
GSM® and the GSM logo are trademarks registered and owned by the GSM Association.
Contents
Intellectual Property Rights . 4
Foreword . 4
Modal verbs terminology . 5
Introduction . 5
1 Scope . 7
2 References . 7
2.1 Normative references . 7
2.2 Informative references . 8
3 Definition of terms, symbols and abbreviations . 9
3.1 Terms . 9
3.2 Symbols . 9
3.3 Abbreviations . 9
4 ISI Measurement Architecture - Models and Methods . 10
4.1 The Challenge of transforming ISIs into Knowledge about Incidents . 10
4.1.0 Introduction. 10
4.1.1 Providing Upfront Indicators . 11
4.1.2 The Human Factor . 12
4.1.3 Out-of-Interest Frequency . 12
4.1.4 Continuous Measurement and Excom Reporting . 12
4.2 The ISI Measurement Architecture (IMA) . 12
4.2.1 The ISI Enrichment Approach . 12
4.2.2 The IMA - Common Language Approach . 13
4.2.3 The IMA Event Model . 15
4.2.4 The IMA - Enrichment Model . 15
4.3 The PoC Use Cases . 16
4.3.1 The General Tooling Property . 16
4.3.2 PoC-GM, the Graph Manipulation (GM) Tool . 16
4.3.3 PoC-ML, the Machine-Learning (ML) Tool . 17
5 The Common ISI Semantics Specification Language . 17
5.1 Introduction into CSlang - A Common Language . 17
5.2 Data Property Specification Scheme . 18
5.3 Process Property Specification Scheme . 19
5.4 Data Object Model Specification Scheme . 20
5.5 ISI Measurement Specification Scheme . 22
Annex A (informative): Proof of Concepts (PoC) - Two Levels of Semantics. 26
A.1 Introduction . 26
Annex B (informative): Theories and Formal Methods - Basic Definitions . 27
B.1 Graph Theory . 27
B.2 Machine Learning . 27
B.3 Theory of Data . 28
Annex C (informative): Authors & Contributors . 29
Annex D (informative): Bibliography . 30
History . 31

Intellectual Property Rights
Essential patents
IPRs essential or potentially essential to normative deliverables may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (https://ipr.etsi.org/).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Trademarks
The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners.
ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conveys no
right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does
not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks.
Foreword
This Group Specification (GS) has been produced by ETSI Industry Specification Group (ISG) Information Security
Indicators (ISI).
The present document is included in a series of 9 ISI 00N specifications. These 9 specifications are the following (see
figure 0, which summarizes how the various concepts are involved in event detection and the interactions between all parts):
• ETSI GS ISI 001-1 [1] addressing (together with its associated guide ETSI GS ISI 001-2 [2]) information
security indicators, meant to measure the application and effectiveness of preventative measures.
• ETSI GS ISI 002 [3] addressing the underlying event classification model and the associated taxonomy.
• ETSI GS ISI 003 [i.1] addressing the key issue of assessing an organization's maturity level regarding overall
event detection (technology/process/people) in order to weigh event detection results.
• ETSI GS ISI 004 [i.2] addressing demonstration through examples of how to produce indicators and how to
detect the related events with various means and methods (with a classification of the main categories of use
cases/symptoms).
• ETSI GS ISI 005 [i.3] addressing ways to produce security events and to test the effectiveness of existing
detection means within an organization (for major types of events), which is a more detailed and more case-by-case
approach than that of ETSI GS ISI 003 [i.1] and which can therefore complement it.
• ETSI GS ISI 006 (the present document) addressing another engineering part of the series,
complementing ETSI GS ISI 004 [i.2] and focusing on the design of a cybersecurity language to model
threat intelligence information and enable detection tool interoperability.
• ETSI GS ISI 007 [i.6] addressing comprehensive guidelines to build and operate a secured SOC, especially
regarding the architectural aspects, in a context where SOCs are often real control towers within organizations.
• ETSI GS ISI 008 [i.7] addressing and explaining how to make SIEM a whole approach which is truly
integrated within an overall organization-wide, and not only IT-oriented, cyber defence.
Figure 0 summarizes the various concepts involved in event detection and the interactions between the specifications.
[Figure 0 image not reproduced. Recoverable labels: "GS ISG ISI Series Summary Definition"; blocks "Fake events (Simulation)", "Security Event", "Real events", "Detected events", "Residual risk (event model-centric vision)"; measures "prevention measures", "detection measures", "Event reaction measures".]
Figure 0: Positioning the 9 GS ISI against the 3 main security measures
Modal verbs terminology
In the present document "shall", "shall not", "should", "should not", "may", "need not", "will", "will not", "can" and
"cannot" are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of
provisions).
"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.
Introduction
The present document proposes an ISI Measurement Architecture (IMA) for the management of security events
captured and contained by the ISI Data Lake (IDL), which comprises raw data enriched by methods derived from
ML algorithms of the AI domain.
By means of the IDL, sets of raw data should be typed, categorized and enriched in a uniform manner, for which formal
Set and Graph Manipulation (S/G M) theories and techniques are applied. The ML-based classification mechanism
uses a-priori learned information from a so-called ISI-type matrix containing tuple pairs of an ISI query tuple and the
associated typed target tuple.
The dynamics of automation and control systems are modelled by a dataspace with the basic operations of
publishing, subscribing, etc., in order to manage ISI events (formally, events are graph edges of the intended
semantics) that occur in Industrial Automation and Control Systems [i.9] or other Ultra Large-Scale Systems [i.20]. The ISI Data
Lake (IDL) functions as an asynchronous memory managing multiple security events at the same time.
The compound IMA/IDL approach of the present document is based on theories of manipulation of sets and graphs,
combined with ML algorithms where appropriate. The latter apply pattern recognition measures for the purpose of
enriching, i.e. filtering, the raw ISI data representations from the IDL.
The notation CSlang is given in an operational style that supports the definition of Abstract Data Types (ADT), ML
pattern matrices and ISI events. Since CSlang is intentionally not defined by a full formal grammar, it is to be
considered a semiformal approach. Nevertheless it is intended to provide basic schemes of comprehension that deal
with properties, e.g. the semantics of a concrete ISI Signature, using types with variables, which are called sorts, and
operations with constraints that define the constraints, respectively the invariants (axioms), of a type.
Cyber Security and Incident Event Management is an upcoming issue that is currently handled by several
Standardization Committees and Industrial Specification Groups working on ISI classification and Cyber Security
Evaluation. Other standardization activities, such as incident response management in ISO/IEC SC27, have recently
started. Through these and other issues of complex security and safety evaluation and incident response, a need for more
formality has been identified. Thus many project ToRs have raised the need to put more resources into approaches based
on formal semantics and ontologies. Consequently the present document proposes an advanced standard for a common
semantics specification approach that is able to fill the identified formality gap.

1 Scope
The present document provides a common interaction semantics model called ISI Measurement Architecture (IMA)
based on formal approaches that are partially borrowed from Set and Graph Theories, such as [i.8] and [i.16]. Graph
Theory is the semantics background for reasoning by simulation, using appropriate tools. Between both, i.e. a foreground
ontological specification and a background graph semantics pattern, a structure-preserving relationship should exist.
The approach of the present document is meant, among other things, to support the incident reaction operation
analysis performed by the staff of SOCs, in order to decide reasonably on observed security events and related
measures. More specifically, all stakeholders (CISOs, IT security managers, designers, programmers, etc.) are given a
Common ISI Semantics Specification Language (called CSlang) which enables them to communicate with each other in a
common, unique way based on graph semantics. CSlang is designed to be a dialect of the Common
Logics (CL) defined by the ISO/IEC SC32 Committee on Data Interchange in the international standard IS 24707, which
shares a uniform semantics based on Traditional First Order Logics with Equality (TFOL) according to [i.17] and [4].
The present document is structured as follows (after clauses 2 and 3, respectively dedicated to references and the definition
of terms, symbols and abbreviations):
• Clause 4 describes models and methods of the ISI Measurement Architecture, including the challenge of
transforming ISIs into knowledge about incidents.
• Clause 5 introduces advanced Common Logics (CL) concepts of the ISI Semantics Specification Language
CSlang.
• Annex A presents the Proof of Concepts (PoC) by aligning ontology specifications to graph specifications of
the two-level semantics approach.
• Annex B presents basic mathematical definitions of graph manipulation theory.
• Annex C documents authors and contributors.
• Annex D documents the applied bibliography on semantics.
2 References
2.1 Normative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
Referenced documents which are not found to be publicly available in the expected location might be found at
https://docbox.etsi.org/Reference/.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long term validity.
The following referenced documents are necessary for the application of the present document.
[1] ETSI GS ISI 001-1: "Information Security Indicators (ISI); Indicators (INC); Part 1: A full set of
operational indicators for organizations to use to benchmark their security posture".
[2] ETSI GS ISI 001-2: "Information Security Indicators (ISI); Indicators (INC); Part 2: Guide to
select operational indicators based on the full set given in part 1".
[3] ETSI GS ISI 002: "Information Security Indicators (ISI); Event Model A security event
classification model and taxonomy".
[4] ISO/IEC 24707: "Information Technology - Common Logic - A Framework for a Family of
Logic-based Languages".
2.2 Informative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long term validity.
The following referenced documents are not necessary for the application of the present document but they assist the
user with regard to a particular subject area.
[i.1] ETSI GS ISI 003: "Information Security Indicators (ISI); Key Performance Security Indicators
(KPSI) to evaluate the maturity of security event detection".
[i.2] ETSI GS ISI 004: "Information Security Indicators (ISI); Guidelines for event detection
implementation".
[i.3] ETSI GS ISI 005: "Information Security Indicators (ISI); Guidelines for security event detection
testing and assessment of detection effectiveness".
[i.4] ISO 27035-2:2016: "Information technology - Security techniques - Information security incident
management -- Part 2: Guidelines to plan and prepare for incident response".
[i.5] Directive (EU) 2016/1148 of The European Parliament and of The Council of 6 July 2016
concerning measures for a high common level of security of network and information systems
across the Union.
NOTE: Available at https://eur-lex.europa.eu/legal-
content/EN/TXT/?toc=OJ:L:2016:194:TOC&uri=uriserv:OJ.L_.2016.194.01.0001.01.ENG.
[i.6] ETSI GS ISI 007: "Information Security Indicators (ISI); Guidelines for building and operating a
secured Security Operations Center (SOC)".
[i.7] ETSI GS ISI 008: "Information Security Indicators (ISI); Description of an Overall Organization-
wide Security Information and Event Management (SIEM) Approach".
[i.8] Peter D. Mosses (Ed.): "CASL Reference Manual", LNCS 2960, Springer.
[i.9] IEC 62443-series: "Security for industrial automation and control systems".
[i.10] ISO/IEC 19086-2: "Cloud computing -- Service level agreement (SLA) framework -- Part 2:
Metric model".
[i.11] OPC Foundation (07-19-2017): "OPC UA Companion Standard for Sercos".
NOTE: Available at https://opcfoundation.org.
[i.12] BSI.Bund: "Sicherheitsanalyse Open Platform Communications Unified Architecture (OPC UA)".
NOTE: Available at https://www.bsi.bund.de/DE/Publikationen/Studien/OPCUA/OPCUA_node.html.
[i.13] Wolfgang Ertel: "Grundkurs Künstliche Intelligenz - Computational Intelligence", 4. Auflage
2016, Springer Vieweg Verlag; ISBN 978-3-658-13548-5.
[i.14] Roberto Bruni, Andrea Corradini, Ugo Montanari, Universität Pisa, Italy: "Modelling a Service
and Session Calculus with Hierarchical Graph Transformation".
[i.15] Claudia Ermel, Jens Richter, Jan deMeer: "Regelgestützte Modellierung von Anwender-Szenarien
Kritischer Infrastrukturen für Analyse und Ausbildung" GI/ACM Regionalgruppe Berlin-
Brandenburg, 22-11-2013.
[i.16] J.M.Spivey: "The Z-Notation - A Reference Model", C.A.R. Hoare Series Editor, Prentice Hall
1989.
[i.17] Jan de Meer et al.: "Introduction into Algebraic Specification based on the Language ACT ONE",
Computer Networks - International Journal of Distributed Informatique, Vol.23, No.5, North
Holland 1992.
[i.18] Axel Rennoch et al.: "Security Indicators Quick Reference Card".
NOTE: Available at
https://cdn1.scrvt.com/fokus/e492943d2f291a76/4905070bb7ea30262ddf855393d14e21/SQC_Download
_Etsi_isiQRC1.pdf.
[i.19] Dan Pilone: "UML2.0 - Taschenbibliothek", 2006 O'Reilly media.
[i.20] CMU SEI (June 2006), Pittsburgh: "Ultra Large-scale Systems - The SW Challenge of the Future",
Bill Pollak Chief Editor, created in performance of FG Contract FA8721-05-C-003, Linda
Northrop ULS Study-lead.
NOTE: Available at https://insights.sei.cmu.edu/saturn/ultra-large-scale-systems/.
[i.21] Zohar Manna et al.: "The Logical Basis for Computer Programming - Vol. 1: Deductive
Reasoning", 1985 Addison Wesley Publishing Inc.
3 Definition of terms, symbols and abbreviations
3.1 Terms
For the purposes of the present document, the terms given in ETSI GS ISI 001-2 [2] and the following apply:
Abstract Data Type (ADT): specification of multiple sets of data, their properties and relationships among each other,
in terms of sorts, operations and equations
Common Logics (CL): logic framework comprising syntax, higher order constructions and relations of a first-order
modelling theory
dataspace: structuring of the raw data space, called ISI Data Lake (IDL), by n-tuples that processes can
publish to and subscribe to
ISI Measurement Architecture (IMA): approach to enrich big data sets (i.e. ADTs) using methods from Graph Theory
or Artificial Intelligence
OPC UA: M2M-communication-based Unified Architecture of the OPC Foundation
semantics: formal representation of system properties that provides formal reasoning on a mathematical level
occasionally executable by modeling tools
3.2 Symbols
For the purposes of the present document, the symbols given in ETSI GS ISI 001-2 [2] apply.
3.3 Abbreviations
For the purposes of the present document, the abbreviations given in ETSI GS ISI 001-2 [2] and the following apply:
ADT Abstract Data Type
CL Common Logics
NOTE: See ISO/IEC 24707 [4].
CV Continuous Variable
CSlang Common ISI Semantics Specification Language
DOM Data Object Model
GM Graph Manipulation (Tool/Theory)
HMI Human-Machine Interface
NOTE: See IEC 62443 [i.9].
IACS Industrial Automation and Control Systems
IDL ISI Data Lake
IEX Incident coming from EXternal sites
IMA ISI Measurement Architecture
ISI Information Security Indicators
ML Machine Learning (Tool)
SCADA Supervisory Control And Data Acquisition
SLA Service Level Agreement
NOTE: ISO/IEC 19086-2 [i.10] SLA Framework - p2 Metric Model.
STIX™ Structured Threat Information eXpression
NOTE: STIX 2.0 Draft http://stixproject.github.io/stix2.0/.
UUT Unit Under Test
NOTE: See IEEE Automatic Test Mark-up Language.
XML eXtensible Markup Language
4 ISI Measurement Architecture - Models and Methods
4.1 The Challenge of transforming ISIs into Knowledge about
Incidents
4.1.0 Introduction
The present document introduces an advanced ISI Measurement Architecture (IMA) by means of a Big Data, respectively ISI,
enrichment scheme. The process of Big Data Enrichment is intended to be supported by off-the-shelf semantics-based tools
such as Machine Learning (ML), Graph Manipulation (GM), Ontology Specification (OS), Data Object (DO)
Modelling, etc.
Firstly, a way of defining semantics for reasoning on ISIs is required and secondly, the designed ISI/IMA models need to be
simulated. In the case of IMA, a compositional approach of Graph Manipulation together with Set Theory
(i.e. Abstract Data Types) has been chosen to provide a semantics platform to represent distinctive IMA models.
A given formal model is set into relationship with an Industrial Automation and Control System (IACS) model that uses
ontologies. If the relationship can be designed such that it is structure-preserving, it is called a homomorphism.
Checking the homomorphism means proving the structural relationship between a given IACS ontological model and
its GM-based executable semantics model.
The anticipated Communication Model of IMA is based on a data space, i.e. a kind of platform that manages
ISI Events such as incidents, measurements, data logging, but also attacks and failures, etc., which are handled according to
the principles of a publish-subscribe communication paradigm applicable to all components that exchange
data.
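The dataspace of this Communication Model, as an added worked example that is not part of the present document and not the code of any ISI tool: a minimal ISI Data Lake in Python in which every ISI event is an n-tuple (tail node, head node, event sort, payload), i.e. a directed edge of the event graph, kept in an asynchronous memory that processes publish to and subscribe on by tuple pattern. The class and method names (DataLake, publish, subscribe, read, edges), the "*" wildcard convention, the tuple layout and the sample IACS events and the failure threshold are assumptions of the example; the specification prescribes no concrete API.

```python
"""ISI Data Lake (IDL) modelled as a dataspace of n-tuples (added example)."""
from typing import Any, Callable, Dict, List, Tuple

ANY = "*"  # wildcard field in a subscription pattern (constructed convention)
Item = Tuple[str, str, str, Any]  # (tail node, head node, event sort, payload)


class DataLake:
    """Asynchronous memory: published tuples are retained, so a process that
    subscribes late still sees everything published before it existed."""

    def __init__(self) -> None:
        self.memory: List[Item] = []
        self.subscriptions: List[Tuple[Item, Callable[[Item], None]]] = []

    @staticmethod
    def matches(pattern: Item, item: Item) -> bool:
        """Field-wise match; a wildcard field matches any value."""
        return len(pattern) == len(item) and all(
            p == ANY or p == v for p, v in zip(pattern, item))

    def publish(self, tail: str, head: str, sort: str, payload: Any) -> Item:
        """Store the event (a directed edge tail->head) and notify subscribers."""
        item: Item = (tail, head, sort, payload)
        self.memory.append(item)
        for pattern, callback in list(self.subscriptions):
            if self.matches(pattern, item):
                callback(item)
        return item

    def subscribe(self, pattern: Item, callback: Callable[[Item], None],
                  replay: bool = True) -> None:
        """Register interest; with replay, deliver the matching history first."""
        if replay:
            for item in self.read(pattern):
                callback(item)
        self.subscriptions.append((pattern, callback))

    def read(self, pattern: Item) -> List[Item]:
        return [item for item in self.memory if self.matches(pattern, item)]

    def edges(self) -> List[Tuple[str, str]]:
        """The event graph seen as a list of directed (tail, head) edges."""
        return [(tail, head) for tail, head, _, _ in self.memory]


def enrichment_demo() -> Dict[str, Any]:
    """Constructed IACS scenario: raw events are published before any
    enrichment process exists; an enricher then subscribes to auth failures
    and publishes a typed indicator tuple once three are seen on one edge."""
    lake = DataLake()
    lake.publish("ws-12", "dc-1", "auth_failure", {"user": "operator"})
    lake.publish("ws-12", "dc-1", "auth_failure", {"user": "operator"})
    lake.publish("sensor-7", "plc-1", "measurement", {"temp_c": 91.5})

    failures: Dict[Tuple[str, str], int] = {}

    def enrich(item: Item) -> None:
        tail, head, _, _ = item
        failures[(tail, head)] = failures.get((tail, head), 0) + 1
        if failures[(tail, head)] == 3:  # constructed threshold
            lake.publish("enricher", "soc", "indicator",
                         {"pattern": "repeated_auth_failure",
                          "edge": (tail, head), "count": 3})

    lake.subscribe((ANY, ANY, "auth_failure", ANY), enrich)  # replays two
    lake.publish("ws-12", "dc-1", "auth_failure", {"user": "operator"})
    return {"indicators": lake.read((ANY, "soc", "indicator", ANY)),
            "edges": lake.edges()}
```

The replay on subscribe is what makes the memory asynchronous in the sense of the Introduction: the enricher and the raw event sources never need to be active at the same time, and the enriched indicator is itself just another edge in the same lake.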
Figure 1 shows the 'Knowledge Pyramid', respectively 'Knowledge Graph', i.e. how to transform flat raw ISI-related
data into expert knowledge on security incidents. This approach is based on a so-called Type Graph (see next
paragraph) that models e.g. an ISI Enrichment/Classification Process based on machine learning methods. When the
so-called learning matrix, comprising typical pairs of queried and targeted incident patterns, has been sufficiently
trained, it can be applied to the continuous classification of unknown/untrained input patterns from an observed
Industrial Automation and Control System (IACS). The unknown patterns stem from the basic entity nodes of the raw
data level of the type graph in figure 1.
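The learning matrix of the preceding paragraph as an added worked example, written for this page and not taken from the present document or from any ISI tool. It uses the associative memory mapping named later in clause 4.2.2: a query pattern and its typed target are encoded as bipolar (+1/-1) vectors, the matrix W is the sum of their outer products (Hebbian rule), and an unknown pattern x is classified by the row of W·x with the highest score. The feature names, the three incident classes, the training pairs and the decision margin are constructed; the margin leaves a too-close decision to the human analyst, as clause 4.1.2 requires.

```python
"""Learning matrix of ISI query/target pairs as an associative memory (added example)."""
from typing import Dict, List, Sequence

# Constructed binary features of an observed ISI pattern and constructed classes.
FEATURES = ["many_failed_logins", "off_hours", "new_process",
            "outbound_c2", "priv_escalation", "mass_file_write"]
CLASSES = ["brute_force", "malware_beacon", "ransomware"]


def to_bipolar(bits: Sequence[int]) -> List[int]:
    return [1 if b else -1 for b in bits]


class LearningMatrix:
    def __init__(self, n_features: int, classes: Sequence[str]) -> None:
        self.classes = list(classes)
        # one row per target class, one column per feature
        self.w: List[List[int]] = [[0] * n_features for _ in classes]

    def train(self, query_bits: Sequence[int], target: str) -> None:
        """Add the outer product of the bipolar one-hot target and the bipolar query."""
        q = to_bipolar(query_bits)
        k = self.classes.index(target)
        t = [1 if i == k else -1 for i in range(len(self.classes))]
        for i in range(len(self.classes)):
            for j in range(len(q)):
                self.w[i][j] += t[i] * q[j]

    def scores(self, bits: Sequence[int]) -> Dict[str, int]:
        """W·x: one score per class for the unknown pattern."""
        x = to_bipolar(bits)
        return {c: sum(wij * xj for wij, xj in zip(row, x))
                for c, row in zip(self.classes, self.w)}

    def classify(self, bits: Sequence[int], margin: int = 2) -> str:
        """Best class, or 'unclassified' when the two best rows are too close."""
        ranked = sorted(self.scores(bits).items(), key=lambda kv: -kv[1])
        (best, s1), (_, s2) = ranked[0], ranked[1]
        return best if s1 - s2 >= margin else "unclassified"


def trained_matrix() -> LearningMatrix:
    """Constructed training pairs (query pattern -> typed target)."""
    m = LearningMatrix(len(FEATURES), CLASSES)
    m.train([1, 1, 0, 0, 0, 0], "brute_force")
    m.train([0, 0, 1, 1, 0, 0], "malware_beacon")
    m.train([0, 0, 1, 0, 1, 1], "ransomware")
    return m


if __name__ == "__main__":
    m = trained_matrix()
    for cls, row in zip(CLASSES, m.w):
        print(cls, row)
    print(m.classify([1, 1, 0, 1, 0, 0]))  # brute force plus one extra feature
    print(m.classify([0, 0, 0, 0, 0, 0]))  # nothing observed: unclassified
```

With bipolar one-hot targets the score of class j equals 2(q_j·x) minus the sum of all q_i·x, so the argmax coincides with the nearest trained query pattern in Hamming distance; the matrix form is kept because it is the ISI-type matrix the Introduction refers to, and because a new training pair is added by a single outer-product update rather than by re-running a search.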
The notation CSlang of the present document (ETSI GS ISI 006), a Common (ISI Semantics) Specification
Language as defined in clause 5, offers semantic, static, dynamic and data typing specification and modelling
concepts. Static system properties are architectural design properties that are modelled by a so-called Type Graph
representing architectural relations among components, devices, processes and stakeholders, including humans. Dynamic
system properties are behavioural design properties and are modelled by a so-called Event Graph representing
communication relationships among data sources and targets that are interconnected by an 'ether', which is the so-called
ISI Data Lake (IDL) that captures the data representations.
Finally, strong Abstract Data Typing is achieved by means of a many-sorted algebra comprising data sets (SORTS),
operations and functions (OPNS) on these sorts, typed variables, and conditional equations (EQNS). A conditional
equation is the algebraic specification equivalent of a system event that comprises an event head node and an event tail
node, i.e. an ordered pair of nodes that is represented by a directed edge of the graph.

Figure 1: Type Graph representing the Knowledge Pyramid
4.1.1 Providing Upfront Indicators
To be efficient, the SOC of an IACS will need appropriate Security Detection Solutions deployed in the right places
in the customer infrastructure, including the Cloud. In order to select the right Security Detection Solutions, the CISO
needs to have a good understanding of the environment and to be able to quickly identify the types of security threats to
be fought. By helping customers to identify upfront (see figure 1) the types of incidents they are likely to face and to map
these to the catalogue of measures relevant to cover them, CISOs have a strong opportunity to
quickly demonstrate, e.g. by means of the tool box suggested in the present document, the right decision to be taken.
4.1.2 The Human Factor
As mentioned in clause 4.1.0, whatever the detection means and the security objectives, security events and security
incidents can be managed by different solutions. But at the very end, the final qualification is still achieved by humans
at the top of the knowledge pyramid of figure 1. This view provides human analysts with the capability to adjust ISI
data classifications based on their own expertise and their knowledge of their customer environment. As a result, ISI
generated in a specific customer context through specific services might not be relevant to another customer, even if it
is exposed to the same threats.
4.1.3 Out-of-Interest Frequency
For CISOs, security is a daily concern. Usually indicators are managed by SOC teams on a monthly basis, i.e. CISOs
have little opportunity to monitor trends in real time and to take the right decisions at the right time. There is a
need to manage indicators more frequently, which should also help SOC teams identify potential issues
in the Real-Time (RT) detection capability. The latter is achieved by running the GM Model in parallel to the SCADA system,
which transforms any critical system state into a graph type and event model.
4.1.4 Continuous Measurement and Excom Reporting
Whether it is for justifying investigations or for checking the efficiency of security measures, CISOs have to report regularly
using specific indicators. While ETSI GS ISI 001-1 [1] and ETSI GS ISI 001-2 [2] probably do not contain the types of
indicators that can directly be used for Excom reports, they are nevertheless the basis of any incident measurement
of a company. Tangible data and a consistent approach are therefore required to produce ISIs mitigating the human
factor and the RT issue.
4.2 The ISI Measurement Architecture (IMA)
4.2.1 The ISI Enrichment Approach
The following business requirements are drivers of the present document:
1) ISIs are to be used for benchmarking customer systems using comparable inputs, whatever the
type of customer system and whatever the security detection solutions deployed in it, e.g. an IACS
infrastructure.
2) ISIs are to be managed and structured semantically based on a formal model with raw data enhancement
strategies, using a standardized formal language, like CSlang (of clause 5) of the present document.
3) ISIs are to be classified using Machine Learning (ML) classification schemes which are embedded into a
formal model.
The present document enables CISOs to produce classified indicators extending the ETSI GS ISI 001-1 [1] and ETSI
GS ISI 001-2 [2] description scheme. The extension is achieved by referring to all raw security data published into the
ISI Data Lake (IDL) of an IACS. By investigating the classified indicators of the IDL, trends may be obtained,
i.e. simulations by the tool box of the present document can drive CISOs' decisions (which solutions should CISOs
look at first? How can security detection solutions be made more efficient to detect better, etc.). CISOs' decision support is
achieved by the Graph Manipulation (GM) Capability of the tool box of the present document, functioning as a model
simulator allowing the simulation of possible impact predictions or forensic back-tracking to possible causes of
observed incidents.
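As an added worked example serving both the Type Graph / Event Graph description of clause 4.1.0 and the GM model simulator described in this clause (the example is written for this page and is not the code of the present document or of any ISI tool): a type graph fixes the static architecture (which kinds of component may be related by which sort of event, and which typed variables a component carries), an event graph is the dynamic instance whose events are ordered vertex pairs, check_typing() verifies that mapping every vertex to its type and every event to (tail type, label, head type) lands inside the type graph, i.e. that the instance is structure-preserving with respect to the type graph, and reachable() walks the event edges forward for impact prediction and backward to trace possible causes. The node types, edge types, sort table, class names and the sample IACS instance are all constructed assumptions.

```python
"""Type graph, event graph, typing check and reachability (added example)."""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Set, Tuple

# Constructed sort table: sort name -> Python representation.
SORTS = {"Real": float, "Int": int, "String": str, "Bool": bool}


def has_sort(value: Any, sort: str) -> bool:
    if sort == "Bool":
        return isinstance(value, bool)
    if sort == "Int":  # bool is a subclass of int in Python; keep sorts apart
        return isinstance(value, int) and not isinstance(value, bool)
    return isinstance(value, SORTS[sort])


@dataclass
class TypeGraph:
    node_types: Dict[str, Dict[str, str]]   # type -> {variable: sort}
    edge_types: Set[Tuple[str, str, str]]   # (tail type, label, head type)


@dataclass
class Vertex:
    name: str
    kind: str
    vars: Dict[str, Any] = field(default_factory=dict)


@dataclass
class Event:
    tail: str   # source vertex name
    label: str  # event sort
    head: str   # target vertex name


@dataclass
class EventGraph:
    vertices: Dict[str, Vertex]
    events: List[Event]


def check_typing(tg: TypeGraph, eg: EventGraph) -> List[str]:
    """Return violations; an empty list means the instance is well-typed."""
    errors: List[str] = []
    for v in eg.vertices.values():
        decl = tg.node_types.get(v.kind)
        if decl is None:
            errors.append(f"vertex {v.name}: unknown type {v.kind}")
            continue
        for var, val in v.vars.items():
            if var not in decl:
                errors.append(f"vertex {v.name}: undeclared variable {var}")
            elif not has_sort(val, decl[var]):
                errors.append(f"vertex {v.name}: {var} is not of sort {decl[var]}")
    for e in eg.events:
        if e.tail not in eg.vertices or e.head not in eg.vertices:
            errors.append(f"event {e.label}: dangling edge {e.tail}->{e.head}")
            continue
        image = (eg.vertices[e.tail].kind, e.label, eg.vertices[e.head].kind)
        if image not in tg.edge_types:
            errors.append(f"event {e.tail}-{e.label}->{e.head}: no edge type {image}")
    return errors


def reachable(eg: EventGraph, start: str, backward: bool = False) -> Set[str]:
    """Vertices reachable from start along event edges (or against them)."""
    seen: Set[str] = set()
    todo = [start]
    while todo:
        v = todo.pop()
        if v in seen:
            continue
        seen.add(v)
        for e in eg.events:
            src, dst = (e.head, e.tail) if backward else (e.tail, e.head)
            if src == v:
                todo.append(dst)
    seen.discard(start)
    return seen


def sample_type_graph() -> TypeGraph:
    """Constructed static architecture of a small IACS."""
    return TypeGraph(
        node_types={"Sensor": {"value": "Real", "unit": "String"},
                    "PLC": {"firmware": "String", "patched": "Bool"},
                    "HMI": {"operator": "String"},
                    "SIEM": {"retention_days": "Int"}},
        edge_types={("Sensor", "measurement", "PLC"), ("PLC", "alarm", "HMI"),
                    ("HMI", "command", "PLC"), ("PLC", "log", "SIEM"),
                    ("HMI", "log", "SIEM")})


def sample_event_graph() -> EventGraph:
    """Constructed instance with one ill-sorted variable ('patched' is not a
    Bool) and one event the type graph does not allow (an HMI commanding a sensor)."""
    vs = [Vertex("s7", "Sensor", {"value": 91.5, "unit": "C"}),
          Vertex("plc1", "PLC", {"firmware": "2.3", "patched": "no"}),
          Vertex("hmi2", "HMI", {"operator": "alice"}),
          Vertex("siem", "SIEM", {"retention_days": 90})]
    es = [Event("s7", "measurement", "plc1"), Event("plc1", "alarm", "hmi2"),
          Event("hmi2", "command", "plc1"), Event("plc1", "log", "siem"),
          Event("hmi2", "command", "s7")]
    return EventGraph({v.name: v for v in vs}, es)
```

The typing check is the executable side of the homomorphism requirement of clause 4.1.0: the instance is accepted only if its vertex and edge images all exist in the type graph. The two reachability directions are the two simulator uses named above, forward from a compromised vertex for an impact prediction and backward from the vertex where an incident was observed for the set of possible causes.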

Figure 2: ISI Enrichment Process of the IMA (Data Lake)
In the following clauses the different views, called models, of the IMA are presented. These views explain the usability
of the IMA with respect to the following modelling goals:
a) Common Language Concept, which provides all necessary tools to express stakeholder roles, system use cases and
activities, activity attributes, relationships (undirected graph edges) and associations (directed graph edges),
Abstract Data Types with variables (as part of graph vertices), etc.
b) Event Model, where an ISI-related event is modelled as an ordered pair of graph vertices and each vertex may
contain typed system variables; the vertex in the system view usually represents a component; the data
carried by the event is typed data.
c) System Model, where the technical, security, privacy and safety issues and relationships among system
components according to the related industrial system standards of the IEC 62443 series [i.9] are to be taken into
account. For representation purposes, ontologies comprising a certain universe of discourse are applied,
which describe the context of ISI data application.
d) Enrichment Model, where AI/ML methods are used to enrich 'similar' data items into Abstract Data Types
(classes) according to learned categorization information, i.e. a learning matrix used by neural networks.
4.2.2 The IMA - Common Language Approach
CSlang - Common (ISI Semantics) Specification Language - is an approach for ISI Semantics Analysis of industrial
automation and control processes providing Big Data Enrichment. CSlang is a semiformal approach developed to
provide semantics to Industrial Automation and Control Systems (IACS definition according to IEC 62443 [i.9])
for the purpose of proving interoperability among heterogeneous machines, factories and humans.
CSlang is called semiformal because the language is not entirely based on formal grammars. CSlang allows the
integration of existing off-the-shelf Formal Description Techniques and tools such as Graph Manipulation Tools,
Model Checkers, Matlab, SCADA, AutomationML, WSDL, etc., provided there is a definition of an appropriate
relationship between the formal semantics model and the technical IACS model. The latter model is represented by an
ontology.
To represent the semantics of a specification in CSlang, Graph Manipulation Theory has been chosen. The semantics of
any specification is represented on two levels: the 1st level of semantics represents applied Best
Practices that are occasionally supported by tools such as 'SCADA', 'AutomationML', STIX, etc., and the 2nd level of
semantics represents the formal Graph Manipulation Model being structurally equivalent to the best practice
'SCADA' model, for example.
It is important to notice that all tools referred to can be taken off the shelf, which allows everybody without
sophisticated skills to check and prove the following system capabilities and properties:
1) Safe and efficient Security Information and Event Management operating on data of the so-called ISI
Data Lake, respectively the Communication Ether, offering a common platform to all communicating IACS
components and stakeholders.
2) Robust Machine Learning processes (e.g. Associative Memory Mapping) to classify/evaluate raw ISI (big)
data.
3) Available strong Abstract Data Typing describing complex composite ISI data and variables by
means of many-sorted term algebras.
4) Evaluation of Graph Manipulation Semantics to analyse, synthesize and predict IACS model behaviour.
Abstract Data Types (ADT) - mathematically speaking, algebras - form one of the formal language fundamentals of
CSlang. The current approach to industrial component specification of OPC UA - Open Platform Communications
Unified Architecture [i.11] and [i.12] - is, formally seen, an ADT; hence OPC UA components are implemented as
ADTs in CSlang.
ADTs comprise data sets, called SORTS, to capture typed data; relations between sorts, called OPNS, which are used to
generate or derive data; and rules, called EQNS, that constrain the classification of data of a certain SORT. (Notice that
there is no clear distinction between sorts and types.) Usually, however, a sort denotes a set characterized by certain
properties, whereas a type comprises one or more sets and may have relationships between these sets. Thus a data type
has the semantics of a many-sorted algebra, whereas a sort has the properties of a set of comparable elements.
The axiomatic approach of an ADT is an abstraction from any kind of language-dependent data representation. The
axioms of an ADT can easily be derived from the data type properties; take, for example, a Boolean data type with
non-canonical expressions. By applying the axioms to a model it should be ensured that two expressions of a term
equation can never be evaluated to a contradiction (true == false); otherwise the checked model has a defect.
A combined ADT/GM approach, compared to the OPC UA approach, offers in a similar way the definition of operations
of various data types and attributes that specify subscription properties such as access conditions and access tracking
conditions (e.g. graph manipulation sequences), but also publication properties for alarming, state change of certain
data types or system situations. The OPC UA model is event-based: the data to be published or subscribed are defined
as a data tuple whose descriptive elements are separated by a blank.
It should also be said that all elements of such an event tuple should be typed. Thus an ADT specification like the
following should precede any event publication/subscription:
SPEC ISI_Data-Tuple_Sample IS
SORTS EVENT-ID, TIME-STAMPS, SEVERITY-LEVELS, DATA-ENTRY1,…,n; ….
OPNS …; EQNS …; ENDSPEC
The sorts above should contain all constants and generated values which are applied in the event sample. The defined
sorts can also have variables.
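The following is an added illustration of the SORTS / OPNS / EQNS structure above and of the axiom check described earlier; it is not code from ETSI GS ISI 006 or from any CSlang tool. It encodes a small many-sorted signature for event severities as Python data, infers the sort of a term (rejecting ill-sorted terms, i.e. the strong typing of clause 4.2.2 item 3), and evaluates every EQNS axiom under a finite model for all variable assignments. The sorts, operations, carrier sets, axioms and the deliberately defective axiom `DEFECT` are all hypothetical; adding `DEFECT` makes one equation evaluate to `false` on one side and `true` on the other, which is exactly the true == false contradiction the text says reveals a defective model.

```python
from itertools import product

# Added illustration, not part of ETSI GS ISI 006: a minimal many-sorted
# signature (SORTS / OPNS / EQNS), a sort checker for terms, and a check of
# the EQNS against a finite model. Terms are nested tuples ("op", arg, ...);
# bare strings are constants or variables. Everything below is hypothetical.

# SORTS, each with the carrier set of the finite model used for checking
SORTS = {
    "BOOL": {"true", "false"},
    "SEVERITY-LEVEL": {"low", "medium", "high"},
}
CONSTANTS = {"true": "BOOL", "false": "BOOL",
             "low": "SEVERITY-LEVEL", "medium": "SEVERITY-LEVEL", "high": "SEVERITY-LEVEL"}
# OPNS: name -> (argument sorts, result sort)
OPNS = {
    "not": (("BOOL",), "BOOL"),
    "and": (("BOOL", "BOOL"), "BOOL"),
    "critical": (("SEVERITY-LEVEL",), "BOOL"),
    "max": (("SEVERITY-LEVEL", "SEVERITY-LEVEL"), "SEVERITY-LEVEL"),
}
# Variables that may occur in EQNS, with their sorts
VARS = {"x": "BOOL", "y": "BOOL", "s": "SEVERITY-LEVEL"}

# Interpretation of the OPNS in the finite model
RANK = {"low": 0, "medium": 1, "high": 2}
MODEL = {
    "not": lambda a: "false" if a == "true" else "true",
    "and": lambda a, b: "true" if a == "true" and b == "true" else "false",
    "critical": lambda s: "true" if s == "high" else "false",
    "max": lambda a, b: a if RANK[a] >= RANK[b] else b,
}

# EQNS: (lhs, rhs) pairs that must hold for every assignment of their variables
EQNS = [
    (("not", ("not", "x")), "x"),
    (("and", "x", "true"), "x"),
    (("and", "x", "false"), "false"),
    (("max", "s", "s"), "s"),
    (("critical", ("max", "s", "high")), "true"),
]
# A defective axiom: with critical(high) = true it would force not(true) = true
DEFECT = (("not", ("critical", "high")), "true")


def sort_of(term):
    """Infer the sort of a term; raise TypeError for ill-sorted terms."""
    if isinstance(term, str):
        if term in CONSTANTS:
            return CONSTANTS[term]
        if term in VARS:
            return VARS[term]
        raise TypeError(f"unknown symbol {term!r}")
    op, *args = term
    if op not in OPNS:
        raise TypeError(f"unknown operation {op!r}")
    arg_sorts, result = OPNS[op]
    if len(args) != len(arg_sorts):
        raise TypeError(f"{op}: expected {len(arg_sorts)} arguments, got {len(args)}")
    for arg, expected in zip(args, arg_sorts):
        got = sort_of(arg)
        if got != expected:
            raise TypeError(f"{op}: expected {expected}, got {got}")
    return result


def free_vars(term):
    """Variables occurring in a term."""
    if isinstance(term, str):
        return {term} if term in VARS else set()
    return set().union(*(free_vars(a) for a in term[1:]))


def evaluate(term, env):
    """Evaluate a term in MODEL under the variable assignment env."""
    if isinstance(term, str):
        return env.get(term, term)          # variable binding, otherwise a constant
    op, *args = term
    return MODEL[op](*(evaluate(a, env) for a in args))


def check_equations(eqns):
    """Return (equation index, assignment, lhs value, rhs value) for every violated axiom.

    An empty list means the model satisfies all EQNS; any entry shows the two
    sides of one equation evaluating to different values, e.g. true == false.
    """
    violations = []
    for i, (lhs, rhs) in enumerate(eqns):
        if sort_of(lhs) != sort_of(rhs):
            raise TypeError(f"EQN {i}: lhs and rhs have different sorts")
        names = sorted(free_vars(lhs) | free_vars(rhs))
        for values in product(*(sorted(SORTS[VARS[v]]) for v in names)):
            env = dict(zip(names, values))
            left, right = evaluate(lhs, env), evaluate(rhs, env)
            if left != right:
                violations.append((i, env, left, right))
    return violations
```

`check_equations(EQNS)` returns an empty list for the model above, while `check_equations(EQNS + [DEFECT])` reports the defective axiom with the values `false` and `true` for its two sides. Exhaustive evaluation is only possible because the carriers are finite; for unbounded sorts the same check has to be delegated to a model checker or theorem prover, which is the off-the-shelf tool integration the clause refers to.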
It is further worth noticing that OPC UA calls this event data type specification 'a node', similar to the node of
a CSlang graph, which is called a vertex. Graph theory is, however, semantically more powerful since it allows two
nodes (vertices) to be related to each other by an ordering represented as a directed or undirected edge: an undirected
edge represents the static architectural properties, whereas a directed edge represents the dynamic event properties of
the modelled behaviour. In that way a directed edge symbolizes the 'flow of energy', i.e. the 'information that flows'
from one node to the subsequent one, so tracking can easily be modelled and recorded. This allows, for example, the
modelling of dynamically changing information issued by events, e.g. weather conditions having an impact on the state
of a smart grid, i.e. the amount of energy being generated under volatile conditions while at the same time energy is
being consumed under almost static conditions, to be controlled during a period of time such as a day.
4.2.3 The IMA Event Model
An IACS comprises three basic components which are connected to each other by signalling paths and by
flow-of-resources paths. Flows of resources are modelled as streams that may comprise physical things such as
containers, energy, liquids, wind, solar irradiation, etc., but also data package flows. Flows of resources supply the
system assets, e.g. an industrial production system, with any kind of required energy or goods. With respect to security
and safety the assets should be kept under permanent control in order to avoid destruction, loss or malfunctioning.
The signalling and resource flow paths are both characterized by events that indicate a change of state, i.e. information
is generated. Issued information has an addressee and thus a direction, which is marked by arcs, respectively edges,
of an Event Graph, which is an extension of the Type Graph. Notice that an edge modelling an event occurrence is
defined as a directed pair of nodes, i.e. from the issuing node to the target node; the present document calls the issuing
node the head and the target node the tail, which is the reverse of the usual graph-theoretic convention (tail = source,
head = destination), so the naming has to be mapped consistently when CSlang graphs are exchanged with off-the-shelf
graph tools.
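The following is an added illustration of the Type Graph / Event Graph distinction of clauses 4.2.2 and 4.2.3; it is not code from ETSI GS ISI 006. The Type Graph carries the static architecture as undirected edges, the Event Graph adds directed edges for event occurrences (issuing node first, target node second, following the clause's own head/tail naming), and two checks are run over them: every event edge must have an architectural path in the Type Graph, which flags events that flow where no signalling or resource path exists, and a flow trace follows directed edges in time order from a node to record where its information went. The component names, edges and event records are a constructed, hypothetical IACS.

```python
from collections import deque

# Added illustration, not from ETSI GS ISI 006: Type Graph (undirected edges =
# static architecture) extended to an Event Graph (directed edges = events),
# with a permitted-path check and a flow trace. All data is hypothetical.

# Type Graph: vertices are typed components, undirected edges are the
# signalling / flow-of-resources paths of the architecture.
TYPE_VERTICES = {
    "TempSensor": "Sensor",
    "PLC1": "Controller",
    "HMI": "Operator",
    "Historian": "DataStore",
}
TYPE_EDGES = {frozenset(e) for e in [("TempSensor", "PLC1"), ("PLC1", "HMI"), ("PLC1", "Historian")]}

# Event Graph edges: (issuing node, target node, event-id, time-stamp, severity).
# In the clause's naming the issuing node is the head and the target the tail.
EVENTS = [
    ("TempSensor", "PLC1", "E001", 100, "low"),
    ("PLC1", "HMI", "E002", 101, "medium"),
    ("PLC1", "Historian", "E003", 101, "low"),
    ("HMI", "TempSensor", "E004", 102, "high"),   # no architectural path: anomalous
]


def check_event_edges(events, type_edges=TYPE_EDGES, vertices=TYPE_VERTICES):
    """Return the event-ids whose directed edge has no undirected counterpart in the Type Graph.

    An event between components that are not connected in the architecture is
    either a modelling error or an information flow the architecture never
    intended, which is the kind of change of state worth alarming on.
    """
    bad = []
    for head, tail, event_id, *_ in events:
        if head not in vertices or tail not in vertices:
            bad.append(event_id)
        elif frozenset((head, tail)) not in type_edges:
            bad.append(event_id)
    return bad


def trace_flow(start, events):
    """Follow directed event edges from `start`, respecting time order.

    Returns the nodes reached, in the order the information flow reached them.
    A downstream event is only followed if it is not older than the event that
    brought the flow to its issuing node.
    """
    outgoing = {}
    for head, tail, _, time_stamp, _ in events:
        outgoing.setdefault(head, []).append((time_stamp, tail))
    for edges in outgoing.values():
        edges.sort()

    seen, order = {start}, [start]
    queue = deque([(start, -1)])
    while queue:
        node, arrived_at = queue.popleft()
        for time_stamp, nxt in outgoing.get(node, []):
            if time_stamp >= arrived_at and nxt not in seen:
                seen.add(nxt)
                order.append(nxt)
                queue.append((nxt, time_stamp))
    return order


if __name__ == "__main__":
    print("events without architectural path:", check_event_edges(EVENTS))
    print("flow from TempSensor:", trace_flow("TempSensor", EVENTS))
```

On the constructed data `check_event_edges` reports `E004`, the HMI-to-sensor event for which the Type Graph has no edge, and `trace_flow("TempSensor", EVENTS)` records the path sensor, controller, operator, historian. Because the Type Graph is undirected, the check only states that a path exists, not which direction is legitimate; a direction constraint per architectural edge would be the next refinement.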
ISI data capturing may comprise big data flows of instances of certain CSlang Abstract Data Types (ADT). Data
capturing may last for long or short periods of time and usually occurs in smart applications such as finance, logistics,
manufacturing, smart cities, interconnected things, etc. Streams of data packages of a distinct type are modelled as
flows of discrete data records, represented as data tuples that are published to the IDL. So, from an event management
point of view, it has to be decided whether a full stream or just a single data package is handled as an event.
For certain control and monitoring tasks it makes sense not to compile massive data sets first and then to apply
massive computing power for analysis, but to check (in real time) for significant changes in the observed flow of data or
resources. A single change of state in the flow of data may provide characteristic information about a component's
behaviour, bad or good. The information learned about such a change should be captured instead of the massive data
sets themselves. Clearly this is information derived from events subscribed at the IDL, i.e. the collection of meta-data
derived from an observed CSlang Continuous Variable (see clause 5).
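The following is an added illustration of the change-of-state approach just described; it is not code from ETSI GS ISI 006. A continuous variable (here a constructed temperature reading stream) is observed in real time against an exponentially weighted baseline with a deadband; only when the reading leaves or re-enters the deadband is a typed event record produced, carrying event-id, time-stamp and severity as in the ADT sample of clause 4.2.2, so what gets published to the IDL is the meta-data of the change rather than the raw stream. The thresholds, the severity rule and the record layout are hypothetical choices made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added illustration, not from ETSI GS ISI 006: observe a continuous variable
# and emit typed event records only on a significant change of state.
# Thresholds, readings and the record layout are constructed for the example.


@dataclass(frozen=True)
class IsiEvent:
    """Typed event record in the spirit of the ISI_Data-Tuple_Sample ADT."""
    event_id: str
    time_stamp: int
    severity: str          # "low" | "medium" | "high"
    variable: str
    value: float
    baseline: float


class ChangeOfStateDetector:
    """EWMA baseline with a deadband: one event when the variable leaves the
    band, one when it returns. Severity depends on the size of the deviation."""

    def __init__(self, variable: str, alpha: float = 0.2,
                 deadband: float = 2.0, critical_factor: float = 3.0):
        self.variable = variable
        self.alpha = alpha                  # weight of the newest reading in the baseline
        self.deadband = deadband            # deviation tolerated as "no change of state"
        self.critical_factor = critical_factor
        self.baseline: Optional[float] = None
        self.in_excursion = False
        self.count = 0

    def _event(self, ts: int, severity: str, value: float) -> IsiEvent:
        self.count += 1
        return IsiEvent(f"{self.variable}-{self.count:04d}", ts, severity,
                        self.variable, value, self.baseline)

    def observe(self, ts: int, value: float) -> Optional[IsiEvent]:
        """Feed one reading; return an event only on a change of state."""
        if self.baseline is None:
            self.baseline = value           # first reading seeds the baseline
            return None
        deviation = abs(value - self.baseline)
        event = None
        if deviation > self.deadband and not self.in_excursion:
            self.in_excursion = True
            severity = "high" if deviation > self.critical_factor * self.deadband else "medium"
            event = self._event(ts, severity, value)
        elif deviation <= self.deadband and self.in_excursion:
            self.in_excursion = False       # back inside the band: "cleared" event
            event = self._event(ts, "low", value)
        # The baseline only tracks normal behaviour; during an excursion it is
        # frozen so that a persistent anomaly cannot become the new normal.
        if not self.in_excursion:
            self.baseline = (1 - self.alpha) * self.baseline + self.alpha * value
        return event


def process_stream(readings: List[Tuple[int, float]], variable: str = "tank_temp_C",
                   **kwargs) -> List[IsiEvent]:
    """Run the detector over (time-stamp, value) pairs and collect the emitted events."""
    detector = ChangeOfStateDetector(variable, **kwargs)
    return [e for e in (detector.observe(ts, v) for ts, v in readings) if e is not None]


# Constructed sample stream: stable around 20 C, a jump to ~28 C, then recovery
READINGS = [(0, 20.0), (1, 20.1), (2, 19.9), (3, 20.2), (4, 27.5),
            (5, 28.0), (6, 20.3), (7, 20.1), (8, 20.0), (9, 20.1)]

if __name__ == "__main__":
    for event in process_stream(READINGS):
        print(event)
```

Ten readings yield two records: a high-severity event at time-stamp 4 when the reading jumps far outside the band, and a low-severity cleared event at time-stamp 6 when it returns; the eight in-band readings generate nothing and need not be stored. Freezing the baseline during an excursion is the important design choice: an adaptive baseline that keeps learning while the variable is anomalous would eventually declare the anomaly normal and suppress the cleared event.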
4.2.4 The IMA - Enrichment Model
The communication ether underlying the ISI Measurement Architecture (IMA) is denoted the ISI Data Lake (IDL).
The IDL is organized as a hierarchical model managing data items/instances represented as data tuples. Thus the IDL
is understood as a repository for all data tuples being published or subscribed during the lifetime of a system.
The publisher, i.e. the component which generates measurement data, does not need to send it to specific receivers
but simply publishes it as data tuples into the IDL. Since al
...