
About this book

The information infrastructure, comprising computers, embedded devices, networks and software systems, is vital to day-to-day operations in every sector: information and telecommunications, banking and finance, energy, chemicals and hazardous materials, agriculture, food, water, public health, emergency services, transportation, postal and shipping, government and defense. Global business and industry, governments, indeed society itself, cannot function effectively if major components of the critical information infrastructure are degraded, disabled or destroyed.

Critical Infrastructure Protection describes original research results and innovative applications in the interdisciplinary field of critical infrastructure protection. Also, it highlights the importance of weaving science, technology and policy in crafting sophisticated, yet practical, solutions that will help secure information, computer and network assets in the various critical infrastructure sectors. Areas of coverage include: Themes and Issues, Control Systems Security, Cyber-Physical Systems Security, Infrastructure Security, Infrastructure Modeling and Simulation, Risk and Impact Assessment.

This book is the ninth volume in the annual series produced by the International Federation for Information Processing (IFIP) Working Group 11.10 on Critical Infrastructure Protection, an international community of scientists, engineers, practitioners and policy makers dedicated to advancing research, development and implementation efforts focused on infrastructure protection. The book contains a selection of nineteen edited papers from the Ninth Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection, held at SRI International, Arlington, Virginia, USA in the spring of 2015.

Critical Infrastructure Protection IX is an important resource for researchers, faculty members and graduate students, as well as for policy makers, practitioners and other individuals with interests in homeland security.

Mason Rice is an Assistant Professor of Computer Science at the Air Force Institute of Technology, Wright-Patterson Air Force Base, Ohio, USA.

Sujeet Shenoi is the F.P. Walter Professor of Computer Science and a Professor of Chemical Engineering at the University of Tulsa, Tulsa, Oklahoma, USA.





A Model for Characterizing Cyberpower

Cyberspace may well be the “great equalizer” where nation states and non-state actors can wield cyberpower and compete on relatively equal terms. Leveraging current views and uses of cyberpower, this chapter redefines cyberspace and introduces a three-dimensional model that expresses how cyberpower can be exercised. The model, which is divided into distinct layers, each with its own unique characteristics, offers a notion of distance through a view of cyberspace that introduces the concepts of near, mid and far space. Cyberpower is examined from the perspective of national security. A range of prominent cyber attacks are qualitatively assessed and compared within the context of the model.
Adrian Venables, Siraj Ahmed Shaikh, James Shuttleworth

Cyber Attacks and Political Events: The Case of the Occupy Central Campaign

Occupy Central was a Hong Kong civil disobedience campaign that began in September 2014 with the goal of forcing Mainland China to allow Hong Kong to implement genuine universal suffrage as demanded by Hong Kong residents. The campaign initially encouraged citizens to block the Central District, Hong Kong’s financial center. However, as the campaign evolved, large protests were organized all over Hong Kong.
While vigorous clashes occurred between Occupy Central protesters and police officers on the streets of Hong Kong, cyber attacks were launched quietly by supporters of both sides against each other’s assets. The cyber weapons included mobile applications with malware for surveillance, tools for launching distributed denial-of-service (DDoS) attacks and sophisticated phishing emails with advanced persistent threat functionality. This chapter presents information about cyber attacks related to the Occupy Central campaign and classifies the attacks based on their purpose, techniques, targets and propagation. Based on the attack classification and timeline, a framework is provided that helps predict attack patterns and behavior in order to prevent or mitigate attacks launched during similar political events.
Kam-Pui Chow, Ken Yau, Frankie Li

On the Sharing of Cyber Security Information

The sharing of cyber security information between organizations, both public and private, and across sectors and borders is required to increase situational awareness, reduce vulnerabilities, manage risk and enhance cyber resilience. However, the notion of information sharing often is a broad and multi-faceted concept. This chapter describes an analytic framework for sharing cyber security information. A decomposition of the information sharing needs with regard to information exchange elements is mapped to a grid whose vertical dimension spans the strategic/policy, tactical and operational/technical levels and whose horizontal dimension spans the incident response cycle. The framework facilitates organizational and legal discussions about the types of cyber security information that can be shared with other entities along with the terms and conditions of information sharing. Moreover, the framework helps identify important aspects that are missing in existing information exchange standards.
Eric Luiijf, Marieke Klaver



Modeling Message Sequences for Intrusion Detection in Industrial Control Systems

Compared with standard information technology systems, industrial control systems show more consistent and regular communications patterns. This characteristic contributes to the stability of controlled processes in critical infrastructures such as power plants, electric grids and water treatment facilities. However, Stuxnet has demonstrated that skilled attackers can strike critical infrastructures by leveraging knowledge about these processes. Sequence attacks subvert infrastructure operations by sending misplaced industrial control system messages. This chapter discusses four main sequence attack scenarios against industrial control systems. Real Modbus, Manufacturing Message Specification and IEC 60870-5-104 traffic samples were used to test sequencing and modeling techniques for describing industrial control system communications. The models were then evaluated to verify the feasibility of identifying sequence attacks. The results create the foundation for developing “sequence-aware” intrusion detection systems.
Marco Caselli, Emmanuele Zambon, Jonathan Petit, Frank Kargl
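A minimal "sequence-aware" detector of the kind the chapter motivates, written as an added example (it is not the chapter's code, and the chapter's own models are richer than a first-order transition table). A transition model of Modbus function codes is learned per (master, slave) pair from constructed benign traffic; at detection time any transition never seen during learning is reported. The addresses, frames, polling cycle and attack trace are constructed for the example; the function codes (1, 3, 6, 16) and the MBAP header layout are standard Modbus/TCP.

```python
"""Sequence-aware detection of Modbus/TCP function-code order.

Added example, not the chapter's code: a first-order transition model of
Modbus function codes is learned per (master, slave) pair from constructed
benign traffic, and any transition never seen during learning is reported.
Addresses, frames and the polling cycle are constructed for the example.
"""
from collections import defaultdict

# Standard Modbus function codes that appear in the constructed traffic.
FC_NAMES = {1: "ReadCoils", 3: "ReadHoldingRegisters",
            6: "WriteSingleRegister", 16: "WriteMultipleRegisters"}


def parse_function_code(frame: bytes) -> int:
    """Return the function code of a Modbus/TCP request frame.

    MBAP header: transaction id (2 bytes), protocol id (2, must be 0),
    length (2, counts unit id + PDU), unit id (1); the PDU starts with
    the function code.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    if int.from_bytes(frame[2:4], "big") != 0:
        raise ValueError("protocol id is not Modbus (0)")
    if int.from_bytes(frame[4:6], "big") != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return frame[7]


def mb_frame(tid: int, fc: int, pdu_body: bytes, unit: int = 1) -> bytes:
    """Build a Modbus/TCP request frame (used to construct sample traffic)."""
    pdu = bytes([fc]) + pdu_body
    return (tid.to_bytes(2, "big") + b"\x00\x00"
            + (len(pdu) + 1).to_bytes(2, "big") + bytes([unit]) + pdu)


def learn(messages):
    """Learn allowed transitions from benign (src, dst, frame) messages.

    Returns {(src, dst): {previous_fc: set(next_fc)}}; the pseudo-state
    "START" precedes the first message seen for a pair.
    """
    model = defaultdict(lambda: defaultdict(set))
    last = {}
    for src, dst, frame in messages:
        fc = parse_function_code(frame)
        key = (src, dst)
        model[key][last.get(key, "START")].add(fc)
        last[key] = fc
    return {k: dict(v) for k, v in model.items()}


def detect(model, messages):
    """Return (index, reason, previous_fc, fc) for every out-of-sequence message."""
    alerts = []
    last = {}
    for i, (src, dst, frame) in enumerate(messages):
        fc = parse_function_code(frame)
        key = (src, dst)
        prev = last.get(key, "START")
        if key not in model:
            alerts.append((i, "unknown master/slave pair", prev, fc))
        elif fc not in model[key].get(prev, set()):
            alerts.append((i, "unexpected transition", prev, fc))
        last[key] = fc
    return alerts


# Constructed traffic: one HMI polling one PLC in a fixed three-step cycle.
MASTER, PLC = "10.0.0.1", "10.0.0.20"
CYCLE = [
    (3, b"\x00\x00\x00\x0a"),               # read 10 holding registers at 0
    (1, b"\x00\x00\x00\x08"),               # read 8 coils at 0
    (16, b"\x00\x10\x00\x01\x02\x01\xf4"),  # write 1 register at 16 = 500
]
BENIGN = [(MASTER, PLC, mb_frame(i, fc, body))
          for i, (fc, body) in enumerate(CYCLE * 5)]

# Attack trace: an extra write right after the legitimate one (index 3),
# and a WriteSingleRegister (fc 6) this process never uses (index 5).
ATTACK = [(MASTER, PLC, mb_frame(i, fc, body)) for i, (fc, body) in enumerate([
    CYCLE[0], CYCLE[1], CYCLE[2],
    (16, b"\x00\x10\x00\x01\x02\x00\x00"),  # misplaced write: setpoint to 0
    CYCLE[0],
    (6, b"\x00\x10\x00\x00"),               # fc 6 never seen while learning
])]

if __name__ == "__main__":
    m = learn(BENIGN)
    for idx, reason, prev, fc in detect(m, ATTACK):
        print(f"msg {idx}: {reason}: {prev} -> {fc} ({FC_NAMES.get(fc, fc)})")
```

The message at index 3 is a perfectly well-formed WriteMultipleRegisters request that a per-message whitelist of allowed function codes would accept; only its position in the cycle gives it away. The caveat is the flip side: a first-order model only knows the previous message, so a misplaced message that happens to follow a legal predecessor is invisible to it, which is why longer sequence models (and the chapter's per-protocol modeling of Modbus, MMS and IEC 60870-5-104) are needed in practice.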

Industrial Control System Fingerprinting and Anomaly Detection

Industrial control systems are cyber-physical systems that supervise and control physical processes in critical infrastructures such as electric grids, water and wastewater treatment plants, oil and natural gas pipelines, transportation systems and chemical plants and refineries. Leveraging the stable and persistent control flow communications patterns in industrial control systems, this chapter proposes an innovative control system fingerprinting methodology that analyzes industrial control protocols to capture normal behavior characteristics. The methodology can be used to identify specific physical processes and control system components in industrial facilities and detect abnormal behavior. An experimental testbed that incorporates real systems for the cyber domain and simulated systems for the physical domain is used to validate the methodology. The experimental results demonstrate that the fingerprinting methodology holds promise for detecting anomalies in industrial control systems and cyber-physical systems used in the critical infrastructure.
Yong Peng, Chong Xiang, Haihui Gao, Dongqing Chen, Wang Ren

Traffic-Locality-Based Creation of Flow Whitelists for SCADA Networks

The security of supervisory control and data acquisition (SCADA) networks has attracted considerable attention since the discovery of Stuxnet in 2010. Meanwhile, SCADA networks have become increasingly interconnected both locally and remotely. It is, therefore, necessary to develop effective network intrusion detection capabilities. Whitelist-based intrusion detection has become an attractive approach for SCADA networks. However, when analyzing network traffic in SCADA systems, general properties such as TCP handshaking and common ports are insufficient to create flow whitelists. To address the problem, this chapter proposes a methodology for locality-based creation of flow whitelists and conducts experiments to evaluate its effectiveness in seven SCADA systems. The experimental results demonstrate that the methodology generates effective whitelists for deployment in SCADA networks.
Seungoh Choi, Yeop Chang, Jeong-Han Yun, Woonyon Kim
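An added example of a learned flow whitelist for a SCADA segment; it is not the chapter's code and does not reproduce the chapter's locality analysis, but it shows the mechanics the abstract alludes to: why TCP handshake direction and a learning window matter when the list is built from captured traffic rather than from "common ports". A flow is keyed by (client, server, server port, protocol), the client being whichever side sent the first packet, so ephemeral ports never enter the list. All hosts, ports and packets are constructed.

```python
"""Flow whitelist for a SCADA segment, learned from observed packets.

Added example, not the chapter's code. Packets are folded into flows keyed
by (client, server, server_port, protocol); the client is whichever side sent
the first packet of the flow (the TCP SYN, or the first UDP datagram), so
ephemeral client ports never enter the key. A flow seen fewer than
`min_count` times during learning is not whitelisted, which keeps a one-off
session in the learning window from being baked into the list. Hosts and
packets are constructed.
"""
from collections import Counter

TCP, UDP = "tcp", "udp"


def flow_key(pkt, open_flows):
    """Map a packet onto its flow key; returns (key, is_new_flow).

    pkt: dict with src, sport, dst, dport, proto and, for TCP, flags.
    open_flows: 5-tuple of the opening packet -> flow key, updated in place.
    A TCP packet whose SYN was never seen gets key None: its direction,
    and so its client and server, cannot be established.
    """
    fwd = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
    rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"], pkt["proto"])
    if fwd in open_flows:
        return open_flows[fwd], False
    if rev in open_flows:
        return open_flows[rev], False
    if pkt["proto"] == TCP and pkt.get("flags") != "S":
        return None, False
    key = (pkt["src"], pkt["dst"], pkt["dport"], pkt["proto"])
    open_flows[fwd] = key
    return key, True


def learn_whitelist(packets, min_count=2):
    """Return {flow_key: flows observed} for keys seen at least min_count times."""
    counts = Counter()
    open_flows = {}
    for pkt in packets:
        key, new = flow_key(pkt, open_flows)
        if new:
            counts[key] += 1
    return {k: n for k, n in counts.items() if n >= min_count}


def audit(whitelist, packets):
    """Return the distinct violations in packets, in order of first sight:
    ("unlisted", client, server, port, proto) for a new flow not on the list,
    ("no-syn", src, dst, dport, proto) for TCP traffic with no observed SYN."""
    open_flows, seen = {}, {}
    for pkt in packets:
        key, new = flow_key(pkt, open_flows)
        if key is None:
            seen.setdefault(("no-syn", pkt["src"], pkt["dst"], pkt["dport"], pkt["proto"]), None)
        elif new and key not in whitelist:
            seen.setdefault(("unlisted",) + key, None)
    return list(seen)


def tcp_flow(client, cport, server, sport, payload_pkts=1):
    """Constructed TCP flow: SYN, SYN-ACK, ACK, then payload from the client."""
    c2s = dict(src=client, sport=cport, dst=server, dport=sport, proto=TCP)
    s2c = dict(src=server, sport=sport, dst=client, dport=cport, proto=TCP)
    pkts = [dict(c2s, flags="S"), dict(s2c, flags="SA"), dict(c2s, flags="A")]
    return pkts + [dict(c2s, flags="PA") for _ in range(payload_pkts)]


# Constructed hosts: HMI, engineering workstation, PLC, historian, NTP server.
HMI, ENG, PLC, HIST, NTP = "10.10.1.5", "10.10.1.7", "10.10.2.10", "10.10.1.50", "10.10.1.1"

LEARN = []
for i in range(5):
    LEARN += tcp_flow(HMI, 40000 + i, PLC, 502)      # Modbus/TCP polling
for i in range(3):
    LEARN += tcp_flow(HMI, 41000 + i, HIST, 1433)    # historian database
LEARN += tcp_flow(ENG, 42000, PLC, 502)              # seen once: below min_count
for i in range(2):
    LEARN.append(dict(src=PLC, sport=50000 + i, dst=NTP, dport=123, proto=UDP))

AUDIT = (tcp_flow(HMI, 43000, PLC, 502)              # whitelisted
         + tcp_flow(ENG, 43001, PLC, 502)            # engineering host to PLC
         + tcp_flow(PLC, 43002, HMI, 502)            # PLC opening a connection outward
         + [dict(src="10.10.9.9", sport=5555, dst=PLC, dport=502, proto=TCP, flags="A")])

if __name__ == "__main__":
    wl = learn_whitelist(LEARN)
    for entry in audit(wl, AUDIT):
        print(entry)
```

Two things a port-only rule would miss show up in the audit: the PLC initiating a connection to the HMI on port 502 is reported even though both hosts and the port are individually "known", because direction is part of the key, and a mid-stream packet with no observed handshake is reported separately rather than silently matched to a whitelisted server port. The `min_count` threshold is the practical caveat: a learning capture from a live network may already contain the traffic you want to forbid, so one-off sessions should be reviewed, not whitelisted automatically.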

A Symbolic Honeynet Framework for SCADA System Threat Intelligence

Current SCADA honeypot technologies present attackers with static or pseudo-random data, and are unlikely to entice attackers to use high value or zero-day attacks. This chapter presents a symbolic cyber-physical honeynet framework that addresses the problem, enhances the screening and coalescence of attack events for analysis, provides attack introspection down to the physics level of a SCADA system and enables forensic replays of attacks. The work extends honeynet methodologies with integrated physics simulation and anomaly detection utilizing a symbolic data flow model of system physics. Attacks that trigger anomalies in the physics of a system are captured and organized via a coalescing algorithm for efficient analysis. Experimental results are presented to demonstrate the effectiveness of the approach.
Owen Redwood, Joshua Lawrence, Mike Burmester

Enhancing a Virtual SCADA Laboratory Using Simulink

This chapter describes a virtual supervisory control and data acquisition (SCADA) security laboratory and the improvements made using Simulink. The laboratory was initially constructed using virtual devices written in Python that simulate industrial processes, emulate control system ladder logic functionality and utilize control system communications protocols. However, given the limitations of Python programs with regard to modeling industrial processes, an improved model was constructed using the Simulink modeling environment. Custom and commercially-available human-machine interfaces used in real-world SCADA environments were deployed in the new laboratory. In addition, various attacks were developed and implemented against the virtual SCADA system. The behavior of the improved laboratory and its earlier version are compared against the physical system after which both were modeled.
Zach Thornton, Thomas Morris

How Industrial Control System Security Training is Falling Short

Industrial control systems monitor and manage critical infrastructure assets. Every sector relies extensively on the proper operation of control systems and a major disruption could have devastating consequences to the economy and society. Protecting industrial control systems requires large numbers of well-trained security personnel to detect and respond to increasingly sophisticated cyber attacks. This chapter evaluates current government and industry training courses in the area of industrial control systems security. The results indicate that training is typically geared towards the basic or intermediate knowledge levels and that adequate advanced training programs are not readily available. A primary deficiency is the lack of robust training facilities that incorporate real critical infrastructure assets. Additionally, the curricula do not sufficiently incorporate the physical components and processes associated with industrial control systems. Indeed, there is a great need for training facilities that incorporate real-world industrial control systems and processes to provide trainees with a strong understanding of the effects that cyber-initiated actions have on physical processes. While major investments are required to create advanced curricula and training facilities, they will contribute significantly to the important task of protecting the critical infrastructure.
Jonathan Butts, Michael Glover



Runtime Integrity for Cyber-Physical Infrastructures

Cyber-physical systems integrate cyber capabilities (e.g., communications and computing) with physical devices (e.g., sensors, actuators and control processing units). Many of these systems support safety-critical applications such as electric power grids, water distribution systems and transportation systems. Failures of these systems can cause irreparable damage to equipment and injury or death to humans. While most of the efforts to protect the systems have focused on reliability, there are urgent concerns regarding malicious attacks. Trusted computing is a security paradigm that enables platforms to enforce the integrity of execution targets (code and data). However, protection under this paradigm is restricted to static threats.
This chapter proposes a dynamic framework that addresses runtime integrity threats that target software programs in cyber-physical systems. It is well known that the attack surface of a multi-functional program (Swiss-army knife) can be much larger than the sum of the surfaces of its single-function components (e.g., the composition of programs that are secure in isolation is not necessarily secure). The proposed framework addresses this issue using calibration techniques that constrain the functionality of programs to the strict specifications of the cyber-physical application, thus steering execution flow away from the attack surface. Integrity is assured by verifying the calibration, while the burden of validation rests with system designers. The effectiveness of the approach is demonstrated by presenting a prototype for call integrity.
Jonathan Jenkins, Mike Burmester

Security Challenges of Additive Manufacturing with Metals and Alloys

Cyber-physical systems are under constant and increasing attacks as components of the critical infrastructure. Additive manufacturing systems are a new class of cyber-physical systems that produce three-dimensional objects layer by layer. Agencies and companies such as NASA, the European Space Agency, General Electric and SpaceX have explored a broad range of application areas for additive manufacturing, including creating functional parts of safety-critical systems such as jet engines. The range of application areas and dependence on computerization makes additive manufacturing an attractive target for attackers.
This chapter focuses on attacks that seek to change the physical properties of additive-manufactured components. Such attacks can weaken, damage or destroy manufactured components and, in scenarios where weak or damaged components are used in safety-critical systems, potentially endanger human lives. Attacks intended to damage additive manufacturing equipment and additive manufacturing environments are also discussed.
Mark Yampolskiy, Lena Schutzle, Uday Vaidya, Alec Yasinsac

Using Information Flow Methods to Secure Cyber-Physical Systems

The problems involved in securing cyber-physical systems are well known to the critical infrastructure protection community. However, the diversity of cyber-physical systems means that the methods used to analyze system security must often be reinvented. The issues of securing the physical assets of a system, the electronics that control the system and the interfaces between the cyber and physical components of the system require a number of security tools. Of particular interest is preventing an attacker from exploiting nondeducibility-secure information flows to hide an attack or the source of an attack. This potentially enables the attacker to interrupt system availability.
This chapter presents an algorithm that formalizes the steps taken to design and test the security of a cyber-physical system. The algorithm leverages information flow security techniques to secure physical assets, cyber assets and the boundaries between security domains.
Gerry Howser



Evaluating ITU-T G.9959 Based Wireless Systems Used in Critical Infrastructure Assets

ITU-T G.9959 wireless connectivity is increasingly incorporated in the critical infrastructure. However, evaluating the robustness and security of commercially-available products based on this standard is challenging due to the closed-source nature of the transceiver and application designs. Given that ITU-T G.9959 transceivers are being used in smart grids, building security systems and safety sensors, the development of reliable, open-source tools would enhance the ability to monitor and secure ITU-T G.9959 networks. This chapter discusses the ITU-T G.9959 wireless standard and research on ITU-T G.9959 network security. An open-source, software-defined radio implementation of an ITU-T G.9959 protocol sniffer is used to explore several passive reconnaissance techniques and deduce the properties of active network devices. The experimental results show that some properties are observable regardless of whether or not encryption is used. In particular, the acknowledgment response times vary due to differences in vendor firmware implementations.
Christopher Badenhop, Jonathan Fuller, Joseph Hall, Benjamin Ramsey, Mason Rice

Implementing Cyber Security Requirements and Mechanisms in Microgrids

A microgrid is a collection of distributed energy resources, storage and loads under common coordination and control that provides a single functional interface to enable its management as a single unit. Microgrids provide several advantages such as power quality control, uninterrupted power supply and integration of renewable resources. However, microgrids are increasingly connected to the Internet for remote control and management, which makes them susceptible to cyber attacks. To address this issue, several pilot deployments have implemented bolt-on security mechanisms, typically focused on securing the protocols used in microgrids. Unfortunately, these solutions are inadequate because they fail to address some important cyber security requirements.
This chapter describes the μGridSec methodology, which is intended to provide comprehensive cyber security solutions for microgrid deployments. First, cyber security requirements are derived from relevant industry standards and by studying pilot microgrid deployments. Next, the μGridSec methodology is applied to ensure that appropriate mechanisms are applied to microgrid architectures to meet the cyber security requirements. Finally, a high-level threat model for a representative microgrid architecture is used to identify security threats and demonstrate how μGridSec can address the threats.
Apurva Mohan, Himanshu Khurana

A Cyber Security Architecture for Microgrid Deployments

Microgrids enable the aggregation of various types of generating and non-generating sources as a unified control unit. Microgrid control networks are connected to external networks: SCADA networks for demand-response applications, enterprise networks and the Internet for remote monitoring and control. These external connections expose microgrids to serious threats from cyber attacks. This is a major concern for microgrids at sensitive installations such as military bases and hospitals. One of the challenges in protecting microgrids is that control networks require very low latency. Cryptographic protection, which adds additional latency to communications, is unacceptable in real-time control, especially with regard to synchronization and stability. Also, a complex network at a microgrid site with interconnected control and SCADA networks makes the process of acquiring security certifications (e.g., DIACAP) extremely difficult. To address these challenges, this chapter presents the SNAPE cyber security architecture, which segregates communications networks needed for fast, real-time control from networks used for external control signals and monitoring, thereby drastically reducing the attack surface of a microgrid control network. Network segregation is achieved by hardware devices that provide strong cryptographic separation. The segregation isolates control networks so that they can use lightweight cryptography to meet the low latency requirements. The novel approach minimizes the cyber security certification burden by reducing the scope of certification to a subset of a microgrid network.
Apurva Mohan, Gregory Brainard, Himanshu Khurana, Scott Fischer



Allocation and Scheduling of Firefighting Units in Large Petrochemical Complexes

Fire incidents in large petrochemical complexes such as oil refineries cause heavy losses. Due to the strong interdependencies that exist among units in these industrial complexes, planning an efficient response is a challenging task for firefighters. The task is even more challenging during multiple-fire incidents. This chapter describes a firefighting decision support system that helps conduct efficient responses to fire incidents. The decision support system optimizes the allocation of firefighting units in multiple-fire incidents with the objective of minimizing the economic impact. In particular, the system considers infrastructure interdependencies in estimating the damage associated with a given fire scenario, calculates the resulting economic losses and determines the optimal assignment of available firefighters. The decision support system can be used before an incident for training and planning, during an incident for decision support or after an incident for evaluating suppression strategies.
Khaled Alutaibi, Abdullah Alsubaie, Jose Marti

Situational Awareness Using Distributed Data Fusion with Evidence Discounting

Data fusion provides a means for combining pieces of information from various sources and sensors. This chapter presents a data fusion methodology for interdependent critical infrastructures that leverages a distributed algorithm that allows the sharing of the possible causes of faults or threats affecting the infrastructures, thereby enhancing situational awareness. Depending on the degree of coupling, the algorithm modulates the information content provided by each infrastructure using a data fusion technique called evidence discounting. The methodology is applied to a case study involving a group of dependent critical infrastructures. Simulation results demonstrate that the methodology is resilient to temporary faults in the critical infrastructure communications layer.
Antonio Di Pietro, Stefano Panzieri, Andrea Gasparri
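Evidence discounting, as the abstract uses the term, is Shafer's discounting of a Dempster-Shafer mass function followed by combination with Dempster's rule. The following added example (not the chapter's code) implements both for two infrastructures that disagree about the cause of a disturbance. The frame of discernment, the two reports and the reliability factor alpha, which here stands in for the chapter's degree of coupling, are constructed assumptions for the example.

```python
"""Evidence discounting and Dempster's rule for multi-infrastructure fusion.

Added example, not the chapter's code. Each infrastructure reports a mass
function over the possible causes of an observed disturbance; before fusion
the report is discounted by a reliability factor alpha in [0, 1] (here
standing in for the degree of coupling), which moves mass 1 - alpha onto
total ignorance (the whole frame). The frame, the two sources and the
alphas below are constructed.
"""
from itertools import product


def validate(m, frame):
    """Check that m is a mass function on frame: focal sets are non-empty
    subsets of frame and masses sum to 1."""
    for A, v in m.items():
        if not A or not A <= frame or v < 0.0:
            raise ValueError(f"invalid focal element or mass: {set(A)} -> {v}")
    if abs(sum(m.values()) - 1.0) > 1e-9:
        raise ValueError("masses must sum to 1")


def discount(m, alpha, frame):
    """Shafer discounting: m_alpha(A) = alpha * m(A) for A != frame,
    m_alpha(frame) = alpha * m(frame) + (1 - alpha)."""
    if not 0.0 <= alpha <= 1.0:
        raise ValueError("alpha must be in [0, 1]")
    out = {A: alpha * v for A, v in m.items() if A != frame}
    out[frame] = alpha * m.get(frame, 0.0) + (1.0 - alpha)
    return out


def combine(m1, m2):
    """Dempster's rule of combination. Returns (m12, K) where K is the mass
    of conflict that was normalised away."""
    joint, conflict = {}, 0.0
    for (B, vb), (C, vc) in product(m1.items(), m2.items()):
        A = B & C
        if A:
            joint[A] = joint.get(A, 0.0) + vb * vc
        else:
            conflict += vb * vc
    if conflict > 1.0 - 1e-12:
        raise ValueError("total conflict: Dempster's rule is undefined")
    return {A: v / (1.0 - conflict) for A, v in joint.items()}, conflict


def fuse(sources, frame):
    """Fuse [(mass_function, alpha), ...] starting from the vacuous belief.
    Returns the fused mass function and the conflict seen at each step."""
    fused, conflicts = {frame: 1.0}, []
    for m, alpha in sources:
        validate(m, frame)
        fused, k = combine(fused, discount(m, alpha, frame))
        conflicts.append(k)
    return fused, conflicts


# Constructed frame of discernment: what caused the disturbance?
FRAME = frozenset({"cyber_attack", "equipment_fault"})
CYBER = frozenset({"cyber_attack"})
FAULT = frozenset({"equipment_fault"})

# Constructed reports: the grid operator leans towards a cyber cause, the
# telecom operator towards an equipment fault.
GRID = {CYBER: 0.7, FRAME: 0.3}
TELCO = {FAULT: 0.6, FRAME: 0.4}

if __name__ == "__main__":
    for alpha in (1.0, 0.5):
        fused, conflicts = fuse([(GRID, 1.0), (TELCO, alpha)], FRAME)
        print(f"telecom alpha={alpha}: m(cyber)={fused[CYBER]:.3f} "
              f"m(fault)={fused[FAULT]:.3f} m(unknown)={fused[FRAME]:.3f} "
              f"conflict={conflicts[-1]:.2f}")
```

Taken at face value (alpha = 1) the two reports conflict heavily (K = 0.42) and the fused mass on a cyber cause is only about 0.48; discounting the weakly coupled telecom report to alpha = 0.5 halves the conflict and moves the fused belief towards the grid operator's view (about 0.62) while leaving a larger explicit "unknown" mass. The failure mode to watch is total conflict: two undiscounted reports that fully contradict each other make Dempster's rule undefined, which the code refuses rather than normalising by zero; discounting either report is what makes such inputs fusable at all.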



Using Centrality Measures in Dependency Risk Graphs for Efficient Risk Mitigation

One way to model cascading critical infrastructure failures is through dependency risk graphs. These graphs help assess the expected risk of critical infrastructure dependency chains. This research extends an existing dependency risk analysis methodology towards risk management. The relationship between dependency risk paths and graph centrality measures is explored in order to identify nodes that significantly impact the overall dependency risk. Experimental results using random graphs to simulate common critical infrastructure dependency characteristics are presented. Based on the experimental findings, an algorithm is proposed for efficient risk mitigation. The algorithm can be used to define priorities in selecting nodes for the application of mitigation controls.
George Stergiopoulos, Marianthi Theocharidou, Panayiotis Kotzanikolaou, Dimitris Gritzalis

Assessing Cyber Risk Using the CISIApro Simulator

Dependencies and interdependencies between critical infrastructures are difficult to identify and model because their effects appear infrequently with unpredictable consequences. The addition of cyber attacks in this context makes the analysis even more complex. Integrating the consequences of cyber attacks and interdependencies requires detailed knowledge about both concepts at a common level of abstraction.
CISIApro is a critical infrastructure simulator that was created to evaluate the consequences of faults and failures in interdependent infrastructures. This chapter demonstrates the use of CISIApro to evaluate the effects of cyber attacks on physical equipment and infrastructure services. A complex environment involving three interconnected infrastructures is considered: a medium voltage power grid managed by a control center over a SCADA network that is interconnected with a general-purpose telecommunications network. The functionality of the simulator is showcased by subjecting the interconnected infrastructures to an ARP spoofing attack and worm infection. The simulation demonstrates the utility of CISIApro in supporting decision making by electric grid operators, in particular, helping choose between alternative fault isolation and system restoration procedures.
Chiara Foglietta, Cosimo Palazzo, Riccardo Santini, Stefano Panzieri