Critical Information Infrastructure Security

In this paper we study cascading blackouts in power transmission networks due to spatially localized load anomalies. The term “spatially localized load anomalies” means that the overloaded nodes in the graph representing the power transmission network are concentrated in a small zone of the graph. Typically these anomalies are caused by extreme weather conditions localized in some parts of the region served by the power transmission network. We generalize a mathematical formulation of the cascading blackout problem introduced in [1] and later developed in [2]. This mathematical formulation of the blackout problem when the load of the network is perturbed randomly allows the study of the probability density functions of the measure of the size of the blackout generated and of the occupation of the network lines. The analysis presented shows that spatially localized load anomalies of a given “magnitude” can generate blackouts of larger size than the blackouts generated by a load anomaly of the same magnitude distributed proportionally on the entire network. Load anomalies of this last type have been studied in [1], [2]. The previous results are obtained studying the behaviour of the Italian high voltage power transmission network through some numerical experiments.

We derive a Kuramoto-like equation from the Cardell-Ilic distributed electrical generation network and use the resulting model to simulate the phase stability and the synchronization of a small electrical grid. It is well-known that a major problem for distributed generation is the frequency stability. This is a non linear problem and proper models for analysis are sorely lacking. In our model nodes are arranged in a regular lattice; the strength of their couplings are randomly chosen and allowed to vary as square waves. Although the system undergoes several synchronization losses, nevertheless it is able to quickly resynchronize. Moreover, we show that the synchronization rising-time follows a power-law.

Critical infrastructures are highly complex collections of people, processes, technologies, and information; they are also highly interdependent where disruptions to one infrastructure commonly cascade in scope and escalate in impact across other infrastructures. While it is unlikely that disruptions can be prevented with certainty, an effective practice of critical infrastructure analysis can reduce their frequency and/or lessen their impact. We contend that proper critical infrastructure analysis necessitates a

system of systems

approach. In this paper, we identify requirements for integrated modeling and simulation of critical infrastructures. We also present our integrated modeling and simulation framework based on a service-oriented architecture that enables system of systems analysis of such infrastructures.

Critical Infrastructures (CIs) and their protection play a very important role in modern societies. Today’s CIs are managed by sophisticated information systems. These information systems have special views on their respective CIs – but can frequently not manage dependencies with other systems adequately. For dependency analysis and management we need information taking the dependency aspects explicitly into account – in well defined relations to all other relevant kinds of information. This is the aim of the IRRIIS Information Model. It is a

semantic model

or

ontology

of CI dependencies.

This Information Model allows us to

integrate

information from different CIs – from real ones as in SCADA systems, or from simulations – in order to manage their interdependencies.

This paper gives an overview of the IRRIIS Information Model and the way it is used in the IRRIIS simulator SimCIP for the analysis of interdependent infrastructures. An example will be given to illustrate our approach.

The interdependencies between infrastructures may be the cause of serious problems in mission/safety critical systems. In the CRUTIAL project the interdependencies between the electricity infrastructure (EI) and the information infrastructure (II) responsible for its control, maintenance and management have been thoroughly studied; moreover countermeasures to substantially reduce the risk to interrupt the service have been developed in the project. The possible interdependencies have been investigated by means of model at different abstraction levels. In this paper, we present high level models describing the various interdependencies between the EI and the II infrastructures, then we illustrate on a simple scenario how these models can be detailed to allow the evaluation of some measures of dependability.

Electric Power Systems (EPS) are composed by two interdependent infrastructures: Electric Infrastructure (EI) and its Information-Technology based Control System (ITCS), which controls and manages EI. In this paper we address the interdependency analysis in EPS focusing on the cyber interdependencies between ITCS and EI, aiming to evaluate their impact on blackouts-related indicators. The obtained results contribute to better understand the EPS vulnerabilities, and are expected to provide useful guidelines towards enhanced design choices for EPS protection at architectural level.

Critical Interdependent Infrastructures are complex interdependent systems, that if damaged or disrupted can seriously compromise the welfare of our society. This research, part of the CRESCO project, faces the problem of interdependent critical infrastructures modeling and simulation proposing an agent-based solution. The approach we put forward, named Federated ABMS, relies on discrete agent-based modeling and simulation and federated simulation. Federated ABMS provides a formalism to model compound complex systems, composed of interacting systems, as federation of interacting agents and sector specific simulation models. This paper describes the formal model as well it outlines the steps that characterize the Federated ABMS methodology, here applied to a target system, composed of a communication network and of a power grid. Moreover we conclude the paper with a thorough discussion of implementation issues.

The paper describes methods and tools addressing self-healing and resilience of critical infrastructures, specifically power and information networks. Our case study is based on challenges addressed in the ongoing EU project INTEGRAL aiming at integrating DES/RES in cell-based virtual utilities. We propose two experimental environments, EXP II and INSPECT to support a structured approach in identifying, implementing and monitoring suitable self-healing mechanisms entailing an increasing system resilience in our systems. Our approach is based on own results from earlier EU projects and selected approaches from other international projects such as NSF GENI in the US and EU efforts such as SmartGrids and ARECI.

This paper identifies the most relevant security requirements for critical infrastructures (CIs), and according to these requirements, proposes an access control framework. The latter supports the CI security policy modeling and enforcement. Then, it proposes a runtime model checker for the interactions between the organizations forming the CIs, to verify their compliance with previously signed contracts. In this respect, not only our security framework handles secure local and remote accesses, but also audits and verifies the different interactions. In particular, remote accesses are controlled, every deviation from the signed contracts triggers an alarm, the concerned parties are notified, and audits can be used as evidence for sanctioning the party responsible for the deviation.

The INSPIRE project aims at enhancing the European potential in the field of security by ensuring the protection of critical information infrastructures through (a) the identification of their vulnerabilities and (b) the development of innovative techniques for securing networked process control systems. To increase the resilience of such systems INSPIRE will develop traffic engineering algorithms, diagnostic processes and self-reconfigurable architectures along with recovery techniques. Hence, the core idea of the INSPIRE project is to protect critical information infrastructures by appropriately configuring, managing, and securing the communication network which interconnects the distributed control systems. A working prototype will be implemented as a final demonstrator of selected scenarios. Controls/Communication Experts will support project partners in the validation and demonstration activities. INSPIRE will also contribute to standardization process in order to foster multi-operator interoperability and coordinated strategies for securing lifeline systems.

The increased interconnection and automation of critical infrastructures enlarges the complexity of the dependency structures and – as consequence – the danger of cascading effects, e.g. causing area-wide blackouts in power supply networks that are currently after deregulation operated closer to their limits. New tools or an intelligent combination of existing approaches are required to increase the survivability of critical infrastructures. Within the IRRIIS project the expert system CRIPS was developed based on network simulations realised with PSS®SINCAL, an established tool to support the analysis and planning of electrical power, gas, water or heat networks. CRIPS assesses the current situation in power supply networks analysing the simulation results of the physical network behaviour and recommends corresponding decisions.

This paper describes the interaction of the simulation tool PSS®SINCAL with the assessment and decision support tool CRIPS; a possible common use-case is outlined and benefits of this application are shown.

IRRIIS (“Integrated Risk Reduction of Information-based Infrastructure Systems”) is a European Integrated Project started in February 2006 within the 6

th

Framework Programme and ending in July 2009.

The aim of IRRIIS is to develop methodologies, models and tools for the analysis, simulation and improved management of dependent and interdependent Critical Infrastructures (CIs). Middleware Improved Technology (MIT) will provide new communication and information processing facilities in order to manage CI dependencies.

This paper will give an overview of the IRRIIS project to outline these methodologies, models, and tools. Scenarios of depending CIs developed in IRRIIS are used to validate our approach and to demonstrate the usefulness of our results.

Power grids have been widely acknowledged as complex networks (CN) since this theory emerged and received considerable attention recently. Many works have been performed to investigate the structural vulnerability of power grids from the topological point of view based on CN. However, most of them applied conceptions and measurements of CN directly to the analysis of power grids which have more specific features that can not be reflected in generic perspective. This paper proposes several most serious obstacles for applying CN to analysis of vulnerability for power grids. Based on the proposed solutions for these obstacles, specific concept of network performance to indicate power supply ability of the network will be defined. Furthermore, the proposed method will be investigated by a 34-bus test system in comparison with the result from general concept of efficiency in CN to indicate its effectiveness.

Modern society is witnessing a continuous growth in the complexity of the infrastructure networks which it relies upon. This raises significant concerns regarding safety, reliability and security. These concerns are not easily dealt with the classical risk assessment approaches. In this paper, the concept of centrality measures introduced in complexity science is used to identify the contribution of the elements of a network to the efficiency of its connection, accounting for the reliability of its elements. As an example of application, the centrality measures are computed for an electrical power transmission system of literature.

The pervasive aspect of the Internet increases the demand for tools that support both monitoring and auditing of security aspects in computer networks. Ideally, these tools should provide a clear and objective presentation of security data in such a way as to let network administrators detect or even predict network security breaches. However, most of these data are still presented only in raw text form, or through inadequate data presentation techniques. Our work tackles this problem by designing and developing a powerful tool that aims at integrating several information visualization techniques in an effective and expressive visualization. We have tested our tool in the context of network security, presenting two case studies that demonstrate important features such as scalability and detection of critical network security issues.

Scientists have been long investigating procedures, models and tools for the risk analysis in several domains, from economics to computer networks. This paper presents a quantitative method and a tool for the security risk assessment and management specifically tailored to the context of railway transportation systems, which are exposed to threats ranging from vandalism to terrorism. The method is based on a reference mathematical model and it is supported by a specifically developed tool. The tool allows for the management of data, including attributes of attack scenarios and effectiveness of protection mechanisms, and the computation of results, including risk and cost/benefit indices. The main focus is on the design of physical protection systems, but the analysis can be extended to logical threats as well. The cost/benefit analysis allows for the evaluation of the return on investment, which is a nowadays important issue to be addressed by risk analysts.

International studies have shown that information security for process control systems, in particular SCADA, is weak. As many critical infrastructure (CI) services depend on process control systems, any vulnerability in the protection of process control systems in CI may result in serious consequences for citizens and society. In order to understand their strengths and weaknesses, the drinking water sector in The Netherlands benchmarked the information security of their process control environments. Large differences in their security postures were found. Good Practices for SCADA security were developed based upon the study results. This paper will discuss the simple but effective approach taken to perform the benchmark, the way the results were reported to the drinking water companies, and the way in which the SCADA security good practices were developed. Figures shown in this paper are based on artificially constructed data since the study data contain company and national sensitive information.

This paper presents the results of our analysis about the influence of Information Technology (IT) malicious traffic on an IP-based automation environment. We utilized a traffic generator, called MACE (Malicious trAffic Composition Environment), to inject malicious traffic in a Modbus/TCP communication system and a sniffer to capture and analyze network traffic. The realized tests show that malicious traffic represents a serious risk to critical information infrastructures. We show that this kind of traffic can increase latency of Modbus/TCP communication and that, in some cases, can put Modbus/TCP devices out of communication.

Critical Infrastructures are nowadays exposed to new kind of threats. The cause of such threats is related to the large number of new vulnerabilities and architectural weaknesses introduced by the extensive use of ICT and Network technologies into such complex critical systems. Of particular interest are the set of vulnerabilities related to the class of communication protocols normally known as “SCADA” protocols, under which fall all the communication protocols used to remotely control the RTU devices of an industrial system. In this paper we present a proof of concept of the potential effects of a set of computer malware specifically designed and created in order to impact, by taking advantage of some vulnerabilities of the ModBUS protocol, on a typical Supervisory Control and Data Acquisition system.

The paper presents a set of control system scenarios implemented in two testbeds developed in the context of the European Project CRUTIAL - CRitical UTility InfrastructurAL Resilience. The selected scenarios refer to power control systems encompassing information and communication security of SCADA systems for grid teleoperation, impact of attacks on inter-operator communications in power emergency conditions, impact of intentional faults on the secondary and tertiary control in power grids with distributed generators. Two testbeds have been developed for assessing the effect of the attacks and prototyping resilient architectures.

Incident Response is the process of responding to and handling ICT security related incidents involving infrastructure and data. This has traditionally been a reactive approach, focusing mainly on technical issues. In this paper we present the Incident Response Management (IRMA) method, which combines traditional incident response with pro-active learning and socio-technical perspectives. The IRMA method is targeted at integrated operations within the oil and gas industry.

How do security departments relate to and manage information security controls in critical infrastructures (CI)? Our experience is that information security is usually seen as a technical problem with technical solutions. Researchers agree that there are more than just technical vulnerabilities. Vulnerabilities in processes and human fallibility creates a need for Formal and Informal controls in addition to Technical controls. These three controls are not independent, rather they are interdependent. They vary widely in implementation times and resource needs, making building security resources a challenging problem. We present a System Dynamics model which shows how security controls are interconnected and interdependent. The model is intended to aid security managers in CI to better understand information security management strategy, particularly the complexities involved in managing a socio-technical system where human, organisational and technical factors interact.

Disasters are characterised by their devastating effect on human lives and the society’s ability to function. Unfortunately, rescue operations and the possibility to re-establish a working society after such events is often hampered by the lack of functioning communication infrastructures. This paper describes the challenges ahead in creating new communication networks to support post-disaster operations, and sets them in the context of the current issues in protection of critical infrastructures. The analysis reveals that while there are some common concerns there are also fundamental differences. The paper serves as an overview of some promising research directions and pointers to existing works in these areas.

The modeling of dependencies in complex infrastructure systems is still a very difficult task. Many methodologies have been proposed, but a number of challenges still remain, including the definition of the right level of abstraction, the presence of different views on the same critical infrastructure and how to adequately represent the temporal evolution of systems. We propose a modeling methodology where dependencies are described in terms of the service offered by the critical infrastructure and its components. The model provides a clear separation between services and the underlying organizational and technical elements, which may change in time. The model uses the Service Modeling Language proposed by the W3 consortium for describing critical infrastructure in terms of interdependent services nodes including constraints, behavior, information flows, relations, rules and other features. Each service node is characterized by its technological, organizational and process components. The model is then applied to a real case of an ICT system for users authentication.

A method for modeling graded security is presented and its application in the form of a hybrid expert system is described. The expert system enables a user to select security measures in a rational way based on the Pareto optimality computation using the dynamic programming for finding points of Pareto optimality curve. The expert system provides a rapid and fair security solution for a class of known information systems at a high comfort level.

Critical infrastructures are usually controlled by software entities. To monitor the well-function of these entities, a solution based in the use of mobile agents is proposed. Some proposals to detect modifications of mobile agents, as digital signature of code, exist but they are oriented to protect software against modification or to verify that an agent have been executed correctly. The aim of our proposal is to guarantee that the software is being executed correctly by a non trusted host. The way proposed to achieve this objective is by the improvement of the Self-Validating Branch-Based Software Watermarking by Myles

et al.

. The proposed modification is the incorporation of an external element called

sentinel

which controls branch targets. This technique applied in mobile agents can guarantee the correct operation of an agent or, at least, can detect suspicious behaviours of a malicious host during the execution of the agent instead of detecting when the execution of the agent have finished.

Research into critical infrastructure (CI) interdependencies is still immature. Such interdependencies have important consequences for crisis management. Owing to the complexity of this problem, computer modelling and simulation is perhaps the most efficient research approach. We present five facts that should be taken into account when modelling these interdependencies: 1) CIs are interdependent elements of a complex system. 2) Ever increasing interdependencies create new complexity. 3) Crises in CI are dynamically complex. 4) There is a need for a long term perspective. 5) Knowledge about CI is fragmented. These facts significantly condition the tools and methodologies to be used for modelling interdependencies, as well as the training and communication tools to transfer insights to crisis managers and policymakers. We analyze several modelling methodologies for applicability to CIs interdependencies problem.

One type of threat consistently identified as a key challenge for Critical Infrastructure Protection (CIP) is that of cascading effects caused by dependencies and interdependencies across different critical infrastructures (CI) and their services. This paper draws on a hitherto untapped data source on infrastructure dependencies: a daily maintained database containing over 2375 serious incidents in different CI all over the world as reported by news media. In this paper we analyse this data to discover patterns in CI failures in Europe like cascades, dependencies, and interdependencies. Some analysis results indicate that less sectors than many dependency models suggest drive cascading outages and that cascading effects due to interdependencies are hardly reported.

As far as we know there is not a definition of dependency in a formal setting: to fill this gap we propose in this paper a state based formalism called (network of)

Dependent Automata

, that consider dependencies as central elements. When used for modelling interdependencies in critical infrastructures, each infrastructure is modelled as a Dependent Automaton, that accounts for local behaviour and for dependencies from and to other infrastructures, while the whole system is obtained by composition of the automata of the infrastructures considered.

The aim of the article is modelling of the decision-making, in which Precautionary Principle (PP) is applied. Decisions are often made under time constraints, in lack of proper information, preferences or knowledge (IPK). Since application of PP usually bears additional costs, it should be applied only when more efficient risk management policies are unavailable. Presented d-m framework based on the IPK conceptualization allows identification of PP application criteria and models PP as a decisional rule, which is usually applied when the potential threat is recognized, while the risk is not computational, or its assessment is not economically motivated. The proposed model uses the TOGA (Top-down Object-based Goal-oriented Approach) methodology as a modelling tool.

A Critical Infrastructure Protection (CIP) program requires the capability of forecasting how a potential threat originating in some geographical location propagates in an heterogeneous environment. We propose an approach to the disaster propagation analysis based on interacting Markovian Agents. For the sake of illustration, the paper discusses the propagation of a seismic wave and presents an analysis tool, where starting from an arbitrarily chosen geographical map of the region of interest, and fixing the epicenter of the seismic phenomenon, the speed and intensity of the wave are computed and directly displayed on the map.

This paper explores the possibility of using multiformalism techniques for critical infrastructure modeling and proposes a general scheme for intra and inter infrastructure models. Multiformalism approaches allow modelers to adapt the choice of formal languages to the nature, complexity and abstraction layer of the subsystems to be modeled. Another advantage is the possibility of reusing existing (and validated) dependability models and solvers. Complexity and heterogeneity are managed through modularity, and composition allows for representing structural or functional dependencies.

Crisis management benefits tremendously from simulation, especially during the planning and testing. At the same time an often overlooked aspect of crisis management is the key role of telecommunication. This paper describes the work done at NASK with the goal of implementing a simulator of the consequences of threats to the ICT (Information and Communication Technology) infrastructure, as a part of a large simulation environment for crisis management in a large urban area (specifically the Warsaw agglomeration).

One widely perceived yet poorly understood phenomenon in the practice of critical infrastructure protection is that of blind spots. These are certain aspects of the interrelationships among different critical infrastructure systems (CI systems) that could trigger catastrophe across CI systems but are concealed from planners, and discovered only in the aftermath of a crisis. In this paper, we discuss the sources of blind spots, and explore the feasibility of various techniques to help reveal blind spots.

This paper formulates the security problem in critical water infrastructure systems for diagnosing quality faults. The proposed scheme is based on the discretized equations of advection and reaction of contaminant concentrations in pipes and tanks, expressed in a state-space form. Faults are signals affecting the states, and their impact is measured based on certain epidemiological dynamics. A multi-objective optimization problem is formulated for minimizing various risk-related objectives.

This paper describes a security platform as a complex system of holonic communities, that are hierarchically organized, but self-reconfigurable when some of them are detached or cannot otherwise operate. Furthermore, every possible subset of holons may work autonomously, while maintaining self-conscience of its own mission, action lines and goals. Each holonic unit, either elementary or composite, retains some capabilities for sensing (perception), transmissive apparatus (communication), computational processes (elaboration), authentication/authorization (information security), support for data exchange (visualization & interaction), actuators (mission), ambient representation (geometric reasoning), knowledge representation (logic reasoning), situation representation and forecasting (simulation), intelligent feedback (command & control). The higher the organizational level of the holonic unit, the more complex and sophisticated each of its characteristic features.

Industry worldwide depends on

I

nformation and

C

ommunication

T

echnology (ICT). Through large-scale blackouts of the public electricity supply telephone services and Internet connections are massively reduced in their functions, leading to cascading effects. Following analysis of selected, typical failure situations counter-measures to re-establish the public electricity supply in Austria to consumers are identified. This can serve also as an example for other countries. Based on the existing public electricity supply system, a sensitivity analysis both in power and in the ICT sector for the mobile and the fixed network is carried out. As a new possible solution ”smart grid” or ”microgrids” and the controlled operation of decentralized stable islands are investigated.

The recent dramatic experiences caused by natural or man-made disasters make mandatory to understand and manage the mutual dependency of those infrastructures that, if disrupted or destroyed, would seriously compromise our quality of life. Although many models have been developed to study particular contexts and single infrastructure sectors, a global strategy to represent and manage the complex issue of infrastructure dependency has not been deployed yet. This paper presents an heuristic approach that can be applied, on several different scales, to select Critical Infrastructures and to model dependencies, thus paving the way for cascading effects prevention and governance.