About this book

This book constitutes the thoroughly refereed post-proceedings of the 8th International Workshop on Critical Information Infrastructures Security, CRITIS 2013, held in Amsterdam, The Netherlands, in September 2013. The 16 revised full papers and 4 short papers were thoroughly reviewed and selected from 57 submissions. The papers are structured in the following topical sections: new challenges, natural disasters, smart grids, threats and risk, and SCADA/ICS and sensors.

Table of contents

Frontmatter

New Challenges

Security Challenges for Cooperative and Interconnected Mobility Systems

Software is becoming an important part of the innovation for vehicles. In addition, the systems in vehicles become interconnected and also get external connections, to the internet and Vehicular Ad hoc NETworks (VANETs). These trends form a combined security and safety threat, because recent research has demonstrated a large number of security gaps for in-vehicle systems and their external connections.
This overview paper presents attacker incentives and the most important security risks that are identified for the parts that make up a cooperative mobility system. For cooperative systems, the application data integrity must be validated to determine if values can be trusted. Furthermore, secure alternatives will be required for positioning, in order to be usable by safety critical systems. To create a secure in-vehicle system, it should be secure by design. In addition to the technical challenges, overarching cyber security dilemmas are addressed, such as stimulating the economy vs. improving security. We expect that the discussed risks will be a challenge for research, industry and authorities in the coming years.
Tjerk Bijlsma, Sander de Kievit, Jacco van de Sluis, Ellen van Nunen, Igor Passchier, Eric Luiijf

Study of In-Data Centre Backup Offices for Banks

Although there were no significant physical damages in Tokyo, as a result of the Tohoku Pacific Earthquake (known as the Great East Japan Earthquake in Japan) on 11th March 2011, a couple of thousand Automated Teller Machines (ATMs) were out of service for more than a week. Most banks’ critical operations were impacted due to the shortage of electrical power supply. The purpose of this study is to review those incidents from a banking operational point of view. The business continuity challenges have been analyzed and the resulting set of recommendations are discussed in this paper.
Yasutake Sayanagi

Protecting a Federated Database Infrastructure against Denial-of-Service Attacks

The need for combining various heterogeneous data sources into a uniformly accessible infrastructure has given rise to the development of federated database systems. Security aspects of such systems have been well-studied, but they have mostly concentrated on privacy and access control issues. In this paper, we take a closer look at the availability problems caused by the network failures, Denial-of-Service attacks, etc. We take the X-Road infrastructure developed in Estonia as the basis of our studies and propose several methods to improve its resilience. We discuss the usage of alternative communication channels, replication of critical databases and replacing the present critical central services with more flexible alternatives.
Arne Ansper, Ahto Buldas, Margus Freudenthal, Jan Willemson

Minimizing the Impact of In-band Jamming Attacks in WDM Optical Networks

This work presents an algorithm for the planning phase of wavelength division multiplexing (WDM) optical networks considering the impact of physical layer attacks. Since the signals in transparent WDM networks are transmitted all-optical, these networks are vulnerable against high-power jamming attacks. Due to crosstalk induced interactions among different connections, malicious high-power signals are spread in the network. To this end, it is necessary to plan an optical network in a way that the spread of an attack is minimized. In this work an Integer Linear Programming (ILP) formulation is proposed that addresses the problem of Routing and Wavelength Assignment (RWA) with the objective to minimize the propagation of the introduced high-power malicious signals. The physical layer attack propagation is modeled as interactions among connections through in-band channel crosstalk. Additionally, Linear Programming (LP) relaxation techniques are used to handle larger network instances.
Konstantinos Manousakis, Georgios Ellinas

Natural Disasters

The Role of Critical Infrastructures’ Interdependencies on the Impacts Caused by Natural Disasters

Recent natural disasters have highlighted society’s dependency on the correct functioning of critical infrastructures (CIs). The existing interdependencies among CIs complicate matters further, since a failure in a CI can spread through cascading effects to other infrastructures or sectors. Thus society’s welfare becomes severely affected, complicating emergency response and increasing the total impact of natural disasters. The aim of this paper is to illustrate the important role that affected CIs have on the overall impact of a natural disaster. We have developed a simulation model that represents a huge storm affecting the energy system, transport and food CIs on a small island. Through this simulation model we can show the effects associated with CIs and the effects of applying crisis management policies.
Ana Laugé, Josune Hernantes, Jose Mari Sarriegi

Analysis of Severe Space Weather on Critical Infrastructures

Space threats pose nontrivial issues to the safety of the population and to the correct functioning of critical infrastructures. In this paper we analyze the most significant threats posed by solar wind in terms of impact due to both direct consequences on satellite and critical infrastructure so as the subsequent domino effects. To this end we provide a model based on the CISIA platform with a case study related to the area of Rome, Italy.
Francesco Gaetano, Gabriele Oliva, Stefano Panzieri, Claudio Romani, Roberto Setola

Smart Grids

A Plug and Play, Approximation-Based, Selective Load Shedding Mechanism for the Future Electrical Grid

As soon as a load disturbance occurs in a power system, such as the unexpected outage of a generation unit or the introduction of a big load, the electric frequency declines from its nominal value. This is a highly unwanted situation that limits machine and other power system auxiliaries life time. Contemporary power systems employ conventional load shedding practices as a last resort, in order to achieve frequency stability. However, these practices, which are determined a priori, are very conservative and result in over-shedding. In this paper, an intelligent load shedding scheme that combines approximation-based feedback linearization and load disturbance adaptive bounding is presented. The proposed scheme provides the minimum amount of load that should be shed in order to maintain the power system stability. It prevents over-shedding practices as a result of conventional load shedding that the proposed scheme is compared with. Furthermore, the mechanism under consideration provides smooth and seamless load restoration, preventing oscillations between shedding and restoration. It is robust to functional approximation errors, measurement noise and sudden load disturbances.
Yiannis Tofis, Yiasoumis Yiasemi, Elias Kyriakides

A Framework for Risk Analysis in Smart Grid: Perspective Based Approach

Smart Grids have great potential for the management of energy consumption. However, moving from a traditional grid to a smart grid introduces significant new risk to the energy sector that were not present in the power grids that operated in isolation. The data that is generated in the smart metering systems can possibly harm its stakeholders. Hence it is important to protect all the stakeholders by providing effective controls to the vulnerable elements in the smart metering system. This highlights the necessity to conduct a risk analysis to evaluate the harms, threats and vulnerabilities that are introduced into this critical infrastructure by modernization. Currently there are numerous risk analysis methodologies available; there are many differences among them, and hence selecting an appropriate one is challenging. Risk that technical experts perceive to be minor often elicits strong public concerns. Consequently during risk analysis, different perspectives need to be considered. This article reports on an extensive analysis of risk management frameworks, which resulted in a framework specifically targeted at smart grid and smart metering systems. Perspective of risk analysis is a key element in this framework.
Rani Yesudas, Roger Clarke

Physical Attestation of Cyber Processes in the Smart Grid

Cyber-physical system security must consider events in both the cyber and physical layers. This paper proves that a cyber process in the smart grid can lie about its physical behavior and remain undetected by its peers. To avoid this scenario, physical attestation is introduced as a distributed mechanism to validate the behavior of a cyber process using physical measurements. A physical attestation protocol is developed for the smart grid, and the protocol is proven to expose malicious cyber behavior. Through the use of physical attestation, the behavior of cyber processes in cyber-physical systems can be verified.
Thomas Roth, Bruce McMillin

Threats and Risk

QSec: Supporting Security Decisions on an IT Infrastructure

A global vulnerability of an IT infrastructure is a set of vulnerabilities in its nodes that enables a sequence of attacks where an agent acquires the privileges that each attack requires as a result of the previous attacks in the sequence. This paper presents QSec, a tool to support decision on the infrastructure security that queries a database with information on global vulnerabilities and the corresponding attack sequences. QSec can return information on, among others, global vulnerabilities, the corresponding attack sequences and the infrastructure nodes that are the target of a sequence. This information is fundamental to evaluate in more details the security of the infrastructure and to support decisions on vulnerabilities to be removed.
Fabrizio Baiardi, Federico Tonelli, Fabio Corò, Luca Guidi

Structural Controllability of Networks for Non-interactive Adversarial Vertex Removal

The problem of controllability of networks arises in a number of different domains, including in critical infrastructure systems where control must be maintained continuously. Recent work by Liu et al. has renewed interest in the seminal work by Lin on structural controllability, providing a graph-theoretical interpretation. This allows the identification of driver nodes capable of forcing the system into a desired state, which implies an obvious target for attackers wishing to disrupt the network control. Several methods for identifying driver nodes exist, but require undesirable computational complexity. In this paper, we therefore investigate the ability to regain or maintain controllability in the presence of adversaries able to remove vertices and implicit edges of the controllability graph. For this we rely on the Power Dominating Set (PDS) formulation for identifying the control structure and study different attack strategies for multiple network models. As the construction of a PDS for a given graph is not unique, we further investigate different strategies for PDS construction, and provide a simulative evaluation.
Cristina Alcaraz, Estefanía Etchevés Miciolino, Stephen Wolthusen

Real Time Threat Prediction, Identification and Mitigation for Critical Infrastructure Protection Using Semantics, Event Processing and Sequential Analysis

Seamless and faultless operational conditions of multi stakeholder Critical Infrastructures (CIs) are of high importance for today’s societies on a global scale. Due to their population impact, attacks against their interconnected components can create serious damages and performance degradation which eventually can result in a societal crisis. Therefore it is crucial to effectively and timely protect these high performance - critical systems against any type of malicious cyber-physical intrusions. This can be realized by protecting CIs against threat consequences or by blocking threats to take place at an early stage and preventing further escalation or predicting threat occurrences and have the ability to rapidly react by eliminating its roots. In this paper a novel architecture is proposed in which these three ways of confronting with cyber – physical threats are combined using a novel semantics based risk methodology that relies on real time behavioral analysis. The final prototype provides the CI operator with a decision tool (DST) that imprints the proposed approach and which is capable of alerting on new unknown threats, generate suggestions of the required counter-actions and alert of probable threat existence. The implemented architecture has been tested and validated in a proof of concept scenario of an airport CI with simulated monitoring data.
Dimitris Kostopoulos, Vasilis Tsoulkas, George Leventakis, Prokopios Drogkaris, Vasiliki Politopoulou

Determining Risks from Advanced Multi-step Attacks to Critical Information Infrastructures

Industrial Control Systems (ICS) monitor and control industrial processes, and enable automation in industry facilities. Many of these facilities are regarded as Critical Infrastructures (CIs). Due to the increasing use of Commercial-Off-The-Shelf (COTS) IT products and connectivity offerings, CIs have become an attractive target for cyber-attacks. A successful attack could have significant consequences. An important step in securing Critical Information Infrastructures (CIIs) against cyber-attacks is risk analysis – understanding security risks, based on a systematic analysis of information on vulnerabilities, cyber threats, and the impacts related to the targeted system. Existing risk analysis approaches have various limitations, such as scalability and practicability problems. In contrast to previous work, we propose a practical and vulnerability-centric risk analysis approach for determining security risks associated with advanced, multi-step cyber-attacks. In order to examine multi-step attacks that exploit chains of vulnerabilities, we map vulnerabilities into preconditions and effects, and use rule-based reasoning for identifying advanced attacks and their path through a CII.
Zhendong Ma, Paul Smith

SCADA/ICS and Sensors

On the Feasibility of Device Fingerprinting in Industrial Control Systems

As Industrial Control Systems (ICS) and standard IT networks are becoming one heterogeneous entity, there has been an increasing effort in adjusting common security tools and methodologies to fit the industrial environment. Fingerprinting of industrial devices is still an unexplored research field. In this paper we provide an overview of standard device fingerprinting techniques and an assessment on the application feasibility in ICS infrastructures. We identify challenges that fingerprinting has to face and mechanisms to be used to obtain reliable results. Finally, we provide guidelines for implementing reliable ICS fingerprinters.
Marco Caselli, Dina Hadžiosmanović, Emmanuele Zambon, Frank Kargl

Bridging Dolev-Yao Adversaries and Control Systems with Time-Sensitive Channels

Defining security objectives for industrial control scenarios is a challenging task due to the subtle interactions between system components and because security goals are often far from obvious. Moreover, there is a persistent gap between formal models for channels and adversaries (usually, transition systems) and models for control systems (differential or recurrent equations). To bind these two realms, we translate control systems into transition systems by means of an abstraction with variable time granularity and compose them with a channel model that is controlled by Dolev-Yao adversaries. This opens the road for automatic reasoning about the formal model of a control system using model checkers in a context where the communication channel is tampered with. We address a security objective that has so far largely eluded in models, namely freshness, which is highly relevant for control systems. Beyond the traditional resilience to replay attacks, we point out several flavours of freshness which are often overlooked, e.g., ordering and bounded lifespan. We formalize these notions and show that their absence can lead to attacks that subvert the control system. Finally, we build a proof-of-concept implementation that we use to determine attacks on a simple model which clearly shows that real-world scenarios are within reach.
Bogdan Groza, Marius Minea

An Indoor Contaminant Sensor Placement Toolbox for Critical Infrastructure Buildings

In this work, we address the problem of airborne contaminant sensor placement in high-risk buildings where critical infrastructures are managed and operated, making them possible locations for terrorist attacks (such as governmental buildings and ministries, utilities, airports and hospitals). A new software is presented based on the “Matlab-CONTAM Toolbox” and the CONTAM multi-zone simulation software, to construct multiple scenarios of contamination events and to solve the multi-objective sensor placement problem for minimizing the average and maximum impact risk with respect to the contaminant mass inhaled impact metric. The use of the software is demonstrated in a case-study using the Holmes’s House benchmark. The Toolbox is released under an open-source license at https://github.com/KIOS-Research/matlab-contam-toolbox.
Demetrios G. Eliades, Michalis P. Michaelides, Marinos Christodoulou, Marios Kyriakou, Christos G. Panayiotou, Marios M. Polycarpou

Short Papers

Optimization Models in a Smart Tool for the Railway Infrastructure Protection

In this paper we describe a smart tool, developed for the European project METRIP (MEthodological Tool for Railway Infrastructure Protection) based on optimal covering integer programming models to be used in designing the security system for a Railway Infrastructure. Two models are presented and tested on a railway station scheme. The results highlight the role that the optimization models can fulfill in the design of an effective security system.
Antonio Sforza, Claudio Sterle, Pasquale D’amore, Annarita Tedesco, Francesca De Cillis, Roberto Setola

Towards Automatic Critical Infrastructure Protection through Machine Learning

Critical Infrastructure Protection (CIP) faces increasing challenges in number and in sophistication, which makes vital to provide new forms of protection to face every day’s threats. In order to make such protection holistic, covering all the needs of the systems from the point of view of security, prevention aspects and situational awareness should be considered. Researchers and Institutions stress the need of providing intelligent and automatic solutions for protection, calling our attention to the need of providing Intrusion Detection Systems (IDS) with intelligent active reaction capabilities. In this paper, we support the need of automating the processes implicated in the IDS solutions of the critical infrastructures and theorize that the introduction of Machine Learning (ML) techniques in IDS will be helpful for implementing automatic adaptable solutions capable of adjusting to new situations and timely reacting in the face of threats and anomalies. To this end, we study the different levels of automation that the IDS can implement, and outline a methodology to endow critical scenarios with preventive automation. Finally, we analyze current solutions presented in the literature and contrast them against the proposed methodology.
Lorena Cazorla, Cristina Alcaraz, Javier Lopez

Using NATO Labelling to Support Controlled Information Sharing between Partners

Protection of critical infrastructure requires collaboration between various stakeholders, including military, governmental and private organizations. The stakeholders are typically located in different information security domains or even different countries. We present a content labelling solution developed by NATO for the purpose of enabling information sharing between different communities of interest and coalition participants in NATO operations. We believe that the same solution can be used to support the enforcement of fine-grained access control for the protection of critical infrastructures. The focus of this paper is on the binding of sensitivity-marking metadata (i.e. ‘labelling’) to data objects, and the application of granular access control to labelled data objects. We provide an example of how access control can be efficiently enforced on portions of an XML document while preserving the essential parts of the XML structure of the document.
Sander Oudkerk, Konrad Wrona

A Framework for Privacy Protection and Usage Control of Personal Data in a Smart City Scenario

In this paper we address trust and privacy protection issues related to identity and personal data provided by citizens in a smart city environment. Our proposed solution combines identity management, trust negotiation, and usage control. We demonstrate our solution in a case study of a smart city during a crisis situation.
Gianmarco Baldini, Ioannis Kounelis, Igor Nai Fovino, Ricardo Neisse

Backmatter
