
2014 | Book

Critical Infrastructure Protection VIII

8th IFIP WG 11.10 International Conference, ICCIP 2014, Arlington, VA, USA, March 17-19, 2014, Revised Selected Papers


About this book

The information infrastructure - comprising computers, embedded devices, networks and software systems - is vital to day-to-day operations in every sector: information and telecommunications, banking and finance, energy, chemicals and hazardous materials, agriculture, food, water, public health, emergency services, transportation, postal and shipping, government and defense. Global business and industry, governments, indeed society itself, cannot function effectively if major components of the critical information infrastructure are degraded, disabled or destroyed. Critical Infrastructure Protection VIII describes original research results and innovative applications in the interdisciplinary field of critical infrastructure protection. It also highlights the importance of weaving science, technology and policy together in crafting sophisticated, yet practical, solutions that will help secure information, computer and network assets in the various critical infrastructure sectors. Areas of coverage include: control systems security, infrastructure security, infrastructure modeling and simulation, risk and impact assessment, and advanced techniques.

This book is the eighth volume in the annual series produced by the International Federation for Information Processing (IFIP) Working Group 11.10 on Critical Infrastructure Protection, an international community of scientists, engineers, practitioners and policy makers dedicated to advancing research, development and implementation efforts focused on infrastructure protection. The book contains a selection of seventeen edited papers from the 8th Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection, held at SRI International, Arlington, Virginia, USA in the spring of 2014. Critical Infrastructure Protection VIII is an important resource for researchers, faculty members and graduate students, as well as for policy makers, practitioners and other individuals with interests in homeland security.

Table of contents

Frontmatter

Control Systems Security

Frontmatter
Detecting Integrity Attacks on Industrial Control Systems
Abstract
Industrial control systems monitor and control critical infrastructure assets such as the electric power grid, oil and gas pipelines, transportation systems and water treatment and supply facilities. Attacks that impact the operations of these critical assets could have devastating consequences to society. The complexity and interconnectivity of industrial control systems have introduced vulnerabilities and attack surfaces that previously did not exist. The numerous communications paths and ingress and egress points, technological diversity and strict operating requirements provide myriad opportunities for a motivated adversary. This paper investigates the detection of integrity errors in industrial control systems by correlating state values from field devices. Specifically, it considers a formulation of the classic Byzantine Generals Problem in the context of industrial control systems. The results demonstrate that leveraging physical system properties allows the inference of system states to identify integrity compromises.
Chad Arnold, Jonathan Butts, Krishnaprasad Thirunarayan
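The idea in the abstract above, inferring the true process state from physical properties rather than trusting any one device, can be shown in a few lines. The following is an added example, not code from the Arnold, Butts and Thirunarayan paper: a toy tank process whose level is predicted from the known actuator states, with redundant level sensors compared both against a majority vote and against that prediction. The tank model, rates, tolerance and readings are constructed for illustration.

```python
"""Added example (not from the Arnold, Butts and Thirunarayan paper): detecting
an integrity attack on redundant field-device readings by correlating them with
a physical model of the process. The tank model, rates, tolerance and sensor
readings are constructed for illustration."""
from statistics import median

# Assumed physical model: tank level changes by (inflow - outflow) * dt, where
# inflow runs only while the inlet pump is on and outflow only while the drain
# valve is open. Units are arbitrary level units and seconds.
INFLOW_RATE = 2.0
OUTFLOW_RATE = 1.0
TOLERANCE = 0.5   # allowed disagreement with the physically predicted level


def predict_level(prev_level, pump_on, valve_open, dt):
    """Level expected after dt seconds given the last trusted level and actuator states."""
    return prev_level + (INFLOW_RATE * int(pump_on) - OUTFLOW_RATE * int(valve_open)) * dt


def check_integrity(prev_level, pump_on, valve_open, dt, readings):
    """Correlate redundant level readings with the physics prediction.

    readings maps sensor id -> reported level. Returns the predicted level,
    the majority (median) of the readings, the sensors whose readings are
    physically implausible, and whether the majority itself is implausible.
    Plain majority voting tolerates f arbitrary faults only with enough
    replicas (n >= 3f + 1 in the classic oral-message Byzantine setting);
    using the physical model as an extra witness also catches the case where
    the attacker has compromised enough sensors to win the vote.
    """
    predicted = predict_level(prev_level, pump_on, valve_open, dt)
    consensus = median(readings.values())
    suspects = sorted(sid for sid, level in readings.items()
                      if abs(level - predicted) > TOLERANCE)
    return {
        "predicted": predicted,
        "consensus": consensus,
        "suspects": suspects,
        "majority_compromised": abs(consensus - predicted) > TOLERANCE,
    }


if __name__ == "__main__":
    # Constructed readings: one spoofed sensor, then a spoofed majority.
    print(check_integrity(8.0, True, False, 1.0, {"s1": 10.2, "s2": 10.0, "s3": 15.0}))
    print(check_integrity(8.0, True, False, 1.0, {"s1": 10.0, "s2": 15.0, "s3": 15.1}))
```

The second call is the case a pure vote gets wrong: two of three sensors agree on 15.0, so the median follows the attacker, but the pump-and-valve model says the level can only be about 10.0, so both spoofed sensors are flagged and the majority itself is marked as compromised.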
Detecting Malicious Software Execution in Programmable Logic Controllers Using Power Fingerprinting
Abstract
Traditional cyber security mechanisms, such as network-based intrusion detection systems and signature-based antivirus software, have limited effectiveness in industrial control settings, rendering critical infrastructure assets vulnerable to cyber attacks. Even four years after the discovery of Stuxnet, security solutions that can directly monitor the execution of constrained platforms, such as programmable logic controllers, are not yet available. Power fingerprinting, which uses physical measurements from a side channel such as power consumption or electromagnetic emissions, is a promising new technique for detecting malicious software execution in critical systems. The technique can be used to directly monitor the execution of systems with constrained resources without the need to load third-party software artifacts on the platforms.
This paper demonstrates the feasibility of using power fingerprinting to directly monitor programmable logic controllers and detect malicious software execution. Experiments with a Siemens S7 programmable logic controller show that power fingerprinting can successfully monitor programmable logic controller execution and detect malware similar to Stuxnet. Indeed, power fingerprinting has the potential to dramatically transform industrial control system security by providing a unified intrusion detection solution for critical systems.
Carlos Aguayo Gonzalez, Alan Hinton
Timing of Cyber-Physical Attacks on Process Control Systems
Abstract
This paper introduces a new problem formulation for assessing the vulnerabilities of process control systems. In particular, it considers an adversary who has compromised sensor signals and has to decide on the best time to launch an attack. The task of selecting the best time to attack is formulated as an optimal stopping problem that the adversary has to solve in real time. The theory underlying the best choice problem is used to identify an optimal stopping criterion, and a low-pass filter is subsequently used to identify when the time series of a process variable has reached the state desired by the attacker (i.e., its peak). The complexities associated with the problem are also discussed, along with directions for future research.
Marina Krotofil, Alvaro Cardenas, Kishore Angrishi
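The stopping rule the abstract describes can be written out directly. The following is an added example, not code from the Krotofil, Cardenas and Angrishi paper: the adversary observes the first n/e samples of a low-pass filtered process variable without acting (the classic best-choice rule), treats any later sample above that observed maximum as a candidate, and launches when the filtered signal first turns downward after such a candidate, i.e. when the smoothed variable has just passed a peak. The series, the filter constant and the horizon are constructed.

```python
"""Added example (not from the Krotofil, Cardenas and Angrishi paper): an
adversary who controls a sensor signal chooses when to strike by combining a
best-choice (secretary problem) stopping rule with a first-order low-pass
filter that signals when the process variable has passed its peak. The series,
filter constant and horizon are constructed."""
import math


def low_pass(series, alpha=0.3):
    """Exponential moving average y[t] = alpha*x[t] + (1-alpha)*y[t-1]; alpha is assumed."""
    smooth = []
    y = series[0]
    for x in series:
        y = alpha * x + (1.0 - alpha) * y
        smooth.append(y)
    return smooth


def choose_attack_time(raw, alpha=0.3):
    """Return the sample index at which the adversary launches.

    Best-choice rule: observe the first floor(n/e) filtered samples without
    acting and remember their maximum; afterwards any sample above that
    maximum is a candidate. Peak rule: launch at the candidate after which the
    filtered signal first turns downward, i.e. the smoothed variable has just
    reached a local maximum. If no candidate ever appears the adversary is
    forced to act at the last sample of the horizon.
    """
    n = len(raw)
    if n < 3:
        raise ValueError("need at least three samples")
    smooth = low_pass(raw, alpha)
    k = max(1, int(n / math.e))
    threshold = max(smooth[:k])
    for i in range(k + 1, n):
        if smooth[i - 1] > threshold and smooth[i] < smooth[i - 1]:
            return i - 1
    return n - 1


if __name__ == "__main__":
    pressure = [0, 1, 2, 3, 4, 5, 6, 5, 4, 3, 2, 1]   # constructed hump-shaped series
    print(choose_attack_time(pressure))               # 7: the filter lags the raw peak at 6 by one sample
```

Two things worth noticing: the filter trades noise immunity for lag, so the launch lands one sample after the raw peak, and a series that only declines after the observation phase never produces a candidate, so the rule degrades to acting at the end of the horizon.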
Recovery of Structural Controllability for Control Systems
Abstract
Fundamental problems in control systems theory are controllability and observability, and designing control systems so that these properties are satisfied or approximated sufficiently. However, it is prudent to assume that an attacker will not only be able to subvert measurements but also control the system. Moreover, an advanced adversary with an understanding of the control system may seek to take over control of the entire system or parts thereof, or deny the legitimate operator this capability. The effectiveness of such attacks has been demonstrated in previous work. Indeed, these attacks cannot be ruled out given the likely existence of unknown vulnerabilities, increasing connectivity of nominally air-gapped systems and supply chain issues. The ability to rapidly recover control after an attack has been initiated and to detect an adversary’s presence is, therefore, critical. This paper focuses on the problem of structural controllability, which has recently attracted substantial attention through the equivalent problem of the power dominating set introduced in the context of electrical power network control. However, these problems are known to be \(\mathcal{NP}\)-hard with poor approximability. Given their relevance to many networks, especially power networks, this paper studies strategies for the efficient restoration of controllability following attacks and attacker-defender interactions in power-law networks.
Cristina Alcaraz, Stephen Wolthusen
Industrial Control System Traffic Data Sets for Intrusion Detection Research
Abstract
Supervisory control and data acquisition (SCADA) systems monitor and control physical processes associated with the critical infrastructure. Weaknesses in the application layer protocols, however, leave SCADA networks vulnerable to attack. In response, cyber security researchers have developed myriad intrusion detection systems. Researchers primarily rely on unique threat models and the corresponding network traffic data sets to train and validate their intrusion detection systems. This leads to a situation in which researchers cannot independently verify the results, cannot compare the effectiveness of different intrusion detection systems, and cannot adequately validate the ability of intrusion detection systems to detect various classes of attacks. Indeed, a common data set is needed that can be used by researchers to compare intrusion detection approaches and implementations. This paper describes four data sets, which include network traffic, process control and process measurement features from a set of 28 attacks against two laboratory-scale industrial control systems that use the MODBUS application layer protocol. The data sets, which are freely available, enable effective comparisons of intrusion detection solutions for SCADA systems.
Thomas Morris, Wei Gao
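Data sets of the kind described above are consumed by detectors that parse the Modbus/TCP frames and apply rules over the decoded fields. The following is an added example, not code from the Morris and Gao paper or their data sets: a minimal Modbus/TCP parser (MBAP header plus the common read and write PDUs) and three constructed rules, a per-site function-code whitelist, a setpoint range check on register writes, and the protocol's own limit of 125 registers per read request. The frames, the register map and the policy values are constructed; the 28 attack classes in the paper's data sets are not reproduced here.

```python
"""Added example: a minimal Modbus/TCP parser with a few rule checks of the
kind an ICS intrusion detector applies. Not code from the Morris and Gao data
sets or paper; the sample frames, register map and policy are constructed."""
import struct

MBAP = struct.Struct(">HHHB")     # transaction id, protocol id, length, unit id

# Policy assumptions (hypothetical plant): which function codes the HMI may
# send, which holding register is the setpoint, and its valid range.
ALLOWED_FUNCTIONS = {3, 6, 16}
SETPOINT_REGISTER = 0x0001
SETPOINT_RANGE = (0, 1000)
MAX_READ_QUANTITY = 125           # Modbus specification limit for functions 3 and 4


def parse_modbus_tcp(frame):
    """Parse one Modbus/TCP ADU (MBAP header + PDU) into a dict."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = MBAP.unpack_from(frame, 0)
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match frame size")
    fc, data = frame[7], frame[8:]
    msg = {"tid": tid, "unit": unit, "function": fc}
    if fc in (1, 2, 3, 4) and len(data) == 4:      # read requests
        msg["start"], msg["quantity"] = struct.unpack(">HH", data)
    elif fc in (5, 6) and len(data) == 4:          # single coil / register write
        msg["address"], msg["value"] = struct.unpack(">HH", data)
    elif fc == 16 and len(data) >= 5:              # write multiple registers
        start, qty, nbytes = struct.unpack(">HHB", data[:5])
        if nbytes != 2 * qty or len(data) != 5 + nbytes:
            raise ValueError("byte count inconsistent with register quantity")
        msg["start"] = start
        msg["values"] = list(struct.unpack(f">{qty}H", data[5:]))
    return msg


def check_rules(msg):
    """Apply the constructed policy to one parsed request; return alert strings."""
    alerts = []
    fc = msg["function"]
    if fc not in ALLOWED_FUNCTIONS:
        alerts.append(f"function {fc} not permitted by policy")
    if "quantity" in msg and msg["quantity"] > MAX_READ_QUANTITY:
        alerts.append(f"read quantity {msg['quantity']} exceeds specification maximum")
    writes = []
    if fc == 6:
        writes = [(msg["address"], msg["value"])]
    elif fc == 16:
        writes = list(enumerate(msg["values"], msg["start"]))
    lo, hi = SETPOINT_RANGE
    for addr, val in writes:
        if addr == SETPOINT_REGISTER and not lo <= val <= hi:
            alerts.append(f"setpoint write {val} outside [{lo}, {hi}]")
    return alerts


def scan(frames):
    """Parse and check every frame; malformed frames are reported as alerts too."""
    findings = []
    for frame in frames:
        try:
            msg = parse_modbus_tcp(frame)
        except ValueError as exc:
            findings.append((None, f"malformed: {exc}"))
            continue
        for alert in check_rules(msg):
            findings.append((msg["tid"], alert))
    return findings


# Constructed sample traffic, not captured data.
SAMPLE_FRAMES = [
    bytes.fromhex("0001 0000 0006 01 03 0000 000A"),           # read 10 registers: benign
    bytes.fromhex("0002 0000 0006 01 06 0001 01F4"),           # setpoint := 500: benign
    bytes.fromhex("0003 0000 0006 01 06 0001 FFFF"),           # setpoint := 65535: out of range
    bytes.fromhex("0004 0000 0006 01 03 0000 00C8"),           # read 200 registers: spec violation
    bytes.fromhex("0005 0000 0006 01 08 0000 0000"),           # diagnostics (fc 8): not in policy
    bytes.fromhex("0006 0000 0009 01 10 0001 0001 02 07D0"),   # fc 16 setpoint := 2000: out of range
]

if __name__ == "__main__":
    for tid, alert in scan(SAMPLE_FRAMES):
        print(tid, alert)
```

The value range and whitelist rules need process knowledge that a purely network-layer detector does not have, which is why the paper's data sets carry process control and measurement features alongside the packet data.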
An Industrial Control System Testbed Based on Emulation, Physical Devices and Simulation
Abstract
This paper demonstrates the utility of an industrial control system testbed that incorporates a universal, realistic, measurable, controllable and reusable experimental platform for cyber security research and testing. The testbed has a layered architecture that leverages physical devices and emulation and simulation technologies. The testbed enables researchers to create experiments of varying levels of fidelity for vulnerability discovery, product evaluation and system certification. The utility of the testbed is demonstrated via a case study involving an industrial boiler control system.
Haihui Gao, Yong Peng, Zhonghua Dai, Ting Wang, Xuefeng Han, Hanjing Li

Infrastructure Security

Frontmatter
Evidence Theory for Cyber-Physical Systems
Abstract
Telecommunications networks are exposed to new vulnerabilities and threats due to interdependencies and links between the cyber and physical layers. Within the cyber-physical framework, data fusion methodologies such as evidence theory are useful for analyzing threats and faults. Unfortunately, the simple analysis of threats and faults can lead to contradictory situations that cannot be resolved by classical models.
Classical evidence theory extensions, such as the Dezert-Smarandache framework, are not well suited to large numbers of hypotheses due to their computational overhead. Therefore, a new approach is required to handle the complexity while minimizing the computational overhead. This paper proposes a hybrid knowledge model for evaluating the intersections among hypotheses. A hybrid frame of discernment is presented using a notional smart grid architecture that transforms the basic probability assignment values from the classical framework. Several analyses and simulations are conducted, with the goal of decreasing conflicts between two independent sources. A comparative analysis is performed using different frames of discernment and rules in order to identify the best knowledge model. Additionally, a computational time analysis is conducted.
Riccardo Santini, Chiara Foglietta, Stefano Panzieri
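The classical rule that the abstract above builds on, and whose conflict handling motivates the hybrid model, is short enough to show in full. The following is an added example, not code from the Santini, Foglietta and Panzieri paper: Dempster's rule of combination over a small frame of discernment, returning the conflict mass K explicitly, plus belief and plausibility. The frame (attack, fault, normal) and the two sources' mass assignments are constructed; the paper's hybrid frame and Dezert-Smarandache extensions are not reproduced.

```python
"""Added example (not from the Santini, Foglietta and Panzieri paper): classical
Dempster-Shafer combination of two independent evidence sources over a small
frame of discernment, exposing the conflict mass K that the paper's hybrid
model sets out to reduce. The frame and mass assignments are constructed."""
from itertools import product

FRAME = frozenset({"attack", "fault", "normal"})   # assumed frame of discernment


def dempster_combine(m1, m2):
    """Combine two basic probability assignments (dict: frozenset -> mass).

    Returns (combined bpa, conflict K). Mass from pairs of focal elements that
    do not intersect is discarded and the rest renormalised by 1 - K; that
    renormalisation is what produces counter-intuitive results when K is
    close to 1 (the classic Zadeh example).
    """
    combined = {}
    conflict = 0.0
    for (b, mb), (c, mc) in product(m1.items(), m2.items()):
        a = b & c
        if not a:
            conflict += mb * mc
        else:
            combined[a] = combined.get(a, 0.0) + mb * mc
    if conflict >= 1.0:
        raise ValueError("sources are totally conflicting; Dempster's rule is undefined")
    return {a: v / (1.0 - conflict) for a, v in combined.items()}, conflict


def belief(m, a):
    """Bel(A): total mass committed to subsets of A."""
    return sum(v for b, v in m.items() if b <= a)


def plausibility(m, a):
    """Pl(A): total mass that does not contradict A."""
    return sum(v for b, v in m.items() if b & a)


# Constructed masses: a network IDS leaning to "attack", a process monitor leaning to "fault".
IDS = {frozenset({"attack"}): 0.6, frozenset({"attack", "fault"}): 0.3, FRAME: 0.1}
MONITOR = {frozenset({"fault"}): 0.5, frozenset({"attack", "fault"}): 0.3, FRAME: 0.2}

if __name__ == "__main__":
    fused, k = dempster_combine(IDS, MONITOR)
    print("conflict K =", round(k, 3))
    for focal, mass in sorted(fused.items(), key=lambda kv: -kv[1]):
        print(sorted(focal), round(mass, 3))
    attack = frozenset({"attack"})
    print("Bel(attack) =", round(belief(fused, attack), 3),
          "Pl(attack) =", round(plausibility(fused, attack), 3))
```

With these two sources K is 0.3, so 30 percent of the joint mass is thrown away before renormalisation; the test below also runs the high-conflict case in which two sources that each put 0.99 on different hypotheses end up agreeing with certainty on the one they both rated at 0.01, which is the kind of contradiction the abstract refers to.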
An Automated Dialog System for Conducting Security Interviews for Access Control
Abstract
Visa, border entry and security clearance interviews are critical homeland security activities that provide access privileges to the geographical United States or to classified information. The person conducting such an interview may not be an expert in the subject area or could be deceived by a manipulative interviewee, resulting in negative security consequences. This paper demonstrates how an interactive voice response system can be used to generate context-sensitive, yet randomized, dialogs that provide confidence in the trustworthiness of an interviewee based on his/her ability to answer questions. The system uses contextual reasoning and ontological inference to derive new facts dynamically. Item response theory is employed to create relevant questions based on social, environmental, relational and historical attributes related to interviewees who seek access to controlled areas or sensitive information.
Mohammad Ababneh, Malek Athamnah, Duminda Wijesekera, Paulo Costa
A Survey of Critical Infrastructure Security
Abstract
Traditionally, securing against environmental threats was the main focus of critical infrastructure protection. However, the emergence of cyber attacks has changed the focus – infrastructures are facing a different danger that has life-threatening consequences and the risk of significant economic losses. Clearly, conventional security techniques are struggling to keep up with the volume of innovative and emerging attacks. Fresh and adaptive infrastructure security solutions are required. This paper discusses critical infrastructures and the digital threats they face, and provides insights into current and future infrastructure security strategies.
William Hurst, Madjid Merabti, Paul Fergus

Infrastructure Modeling and Simulation

Frontmatter
A System Dynamics Framework for Modeling Critical Infrastructure Resilience
Abstract
In recent years, awareness of the potential consequences associated with a major disruption to the critical infrastructure has grown among public and private entities. Indeed, traditional and emerging threats endanger service continuity and, by extension, the normal functioning of modern society. This paper presents an approach for modeling the effects of critical infrastructure failures as a result of unexpected events. The transportation, energy and telecommunications infrastructures are modeled using a system dynamics approach. The work constitutes a component of the CRISADMIN Project that is focused on developing a tool to evaluate the impacts of critical events. The ultimate objective of the project is to provide decision makers with a sophisticated tool to help them mitigate negative effects in emergency situations. The prototype tool described in this paper leverages case studies of terrorist attacks and floods that have occurred in Europe.
Simona Cavallini, Cristina d’Alessandro, Margherita Volpe, Stefano Armenia, Camillo Carlini, Elisabeth Brein, Pierluigi Assogna
Reinforcement Learning Using Monte Carlo Policy Estimation for Disaster Mitigation
Abstract
Urban communities rely heavily on the system of interconnected critical infrastructures. The interdependencies in these complex systems give rise to vulnerabilities that must be considered in disaster mitigation planning. Only then will it be possible to address and mitigate major critical infrastructure disruptions in a timely manner.
This paper describes an intelligent decision making system that optimizes the allocation of resources following an infrastructure disruption. The novelty of the approach arises from the application of Monte Carlo estimation for policy evaluation in reinforcement learning to draw on experiential knowledge gained from a massive number of simulations. This method enables a learning agent to explore and exploit the available trajectories, which lead to an optimum goal in a reasonable amount of time. The specific goal of the case study described in this paper is to maximize the number of patients discharged from two hospitals in the aftermath of an infrastructure disruption by intelligently utilizing the available resources. The results demonstrate that a learning agent, through interactions with an environment of simulated catastrophic scenarios, is capable of making informed decisions in a timely manner.
Mohammed Talat Khouj, Sarbjit Sarkaria, Cesar Lopez, Jose Marti
Accuracy of Service Area Estimation Methods Used for Critical Infrastructure Recovery
Abstract
Electric power, water, natural gas and other utilities are served to consumers via functional sources such as electric power substations, pumps and pipes. Understanding the impact of service outages is vital to decision making in response and recovery efforts. Often, data pertaining to the source-sink relationships between service points and consumers is sensitive or proprietary, and is, therefore, unavailable to external entities. As a result, during emergencies, decision makers often rely on estimates of service areas produced by various methods. This paper, which focuses on electric power, assesses the accuracy of four methods for estimating power substation service areas, namely the standard and weighted versions of Thiessen polygon and cellular automata approaches. Substation locations and their power outputs are used as inputs to the service area calculation methods. Reference data is used to evaluate the accuracy in approximating a power distribution network in a mid-sized U.S. city. Service area estimation methods are surveyed and their performance is evaluated empirically. The results indicate that the performance of the approaches depends on the type of analysis employed. When the desired analysis includes aggregate economic or population predictions, the weighted version of the cellular automata approach has the best performance. However, when the desired analysis involves facility-specific predictions, the weighted Thiessen polygon approach tends to perform the best.
Okan Pala, David Wilson, Russell Bent, Steve Linger, James Arnold

Risk and Impact Assessment

Frontmatter
A Decision Support Tool for a Unified Homeland Security Strategy
Abstract
This paper describes an asset vulnerability model decision support tool (AVM-DST) that is designed to guide strategic investments in critical infrastructure protection. AVM-DST is predicated on previous research on an alternative risk methodology for assessing the current infrastructure protection status, evaluating future protective improvement measures and justifying national investments. AVM-DST is a web-based application that works within the U.S. Department of Homeland Security Risk Management Framework and enables decision makers to view infrastructure asset risk profiles that highlight various features of interest, select protective improvement measures within a given budget based on defined investment strategies or other criteria, and evaluate protective purchases against varying probabilities of attack over a given period of time. In addition to reviewing the concepts and formulations underlying the application, this paper describes the AVM-DST capabilities, functions, features, architecture and performance.
Richard White, Aaron Burkhart, Edward Chow, Logan Maynard
Assessing the Impact of Cyber Attacks on Wireless Sensor Nodes That Monitor Interdependent Physical Systems
Abstract
This paper describes a next-generation security information and event management (SIEM) platform that performs real-time impact assessment of cyber attacks that target monitoring and control systems in interdependent critical infrastructures. To assess the effects of cyber attacks on the services provided by critical infrastructures, the platform combines security analysis with simulations produced by the Infrastructure Interdependencies Simulator (i2Sim). The approach is based on the mixed holistic reductionist (MHR) methodology that models the relationships between functional components of critical infrastructures and the provided services. The effectiveness of the approach is demonstrated using a scenario involving a dam that feeds a hydroelectric power plant. The scenario considers an attack on a legacy SCADA system and wireless sensor network that reduces electricity production and degrades the services provided by the interdependent systems. The results demonstrate that the attack is detected in a timely manner, risk assessment is performed effectively and service level variations can be predicted. The paper also shows how the impact of attacks on services can be estimated when limits are imposed on information sharing.
Valerio Formicola, Antonio Di Pietro, Abdullah Alsubaie, Salvatore D’Antonio, Jose Marti
Assessing Potential Casualties in Critical Events
Abstract
This paper describes an approach for assessing potential casualties due to events that adversely impact critical infrastructure sectors. The approach employs the consequence calculation model (CMM) to integrate quantitative data and qualitative information in evaluating the socio-economic impacts of sector failures. This is important because a critical event that affects social and economic activities may also cause injuries and fatalities. Upon engaging a structured method for gathering information about potential casualties, the consequence calculation model may be applied to failure trees constructed using various approaches. The analysis of failure trees enables decision makers to implement effective strategies for reducing casualties due to critical events.
Simona Cavallini, Fabio Bisogni, Marco Bardoscia, Roberto Bellotti

Advanced Techniques

Frontmatter
Evaluation of Format-Preserving Encryption Algorithms for Critical Infrastructure Protection
Abstract
Legacy critical infrastructure systems lack secure communications capabilities that can protect against modern threats. In particular, operational requirements such as message format and interoperability prevent the adoption of standard encryption algorithms. Three new algorithms recommended by the National Institute of Standards and Technology (NIST) for format-preserving encryption could potentially support the encryption of legacy protocols in critical infrastructure assets. The three algorithms, FF1, FF2 and FF3, provide the ability to encrypt arbitrarily-formatted data without padding or truncation, which is a critical requirement for interoperability in legacy systems. This paper presents an evaluation of the three algorithms with respect to entropy and operational latency when implemented on a Xilinx Virtex-6 (XC6VLX240T) FPGA. While the three algorithms inherit the security characteristics of the underlying Advanced Encryption Standard (AES) cipher, they exhibit some important differences in their performance characteristics.
Richard Agbeyibor, Jonathan Butts, Michael Grimaila, Robert Mills
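The property the abstract relies on, that a ciphertext has exactly the length and alphabet of the plaintext so a fixed-width legacy field can carry it unchanged, comes from the Feistel structure FF1 and FF3 share: the digit string is split into two halves and an alternating Feistel network in radix arithmetic is applied, with the round output reduced modulo radix^m so it never grows. The following is an added example, not FF1, FF2 or FF3 and not the FPGA code from the Agbeyibor et al. paper: a toy decimal FPE that shows that structure, with HMAC-SHA256 as the round function because the standard library has no AES, and a wrapper that encrypts only the digits of a legacy field and leaves separators in place. The round count, key, tweak and fields are assumed; this is for illustration only. Two practitioner caveats on the abstract's framing: NIST SP 800-38G (2016) approved FF1 and FF3 but not FF2, and FF3 was later found weak on small domains and revised as FF3-1; and any FPE mode inherits AES's key strength but not its 128-bit block security, since the work an attacker needs is bounded by the (often tiny) domain size radix^n.

```python
"""Added example (not FF1/FF2/FF3 and not the FPGA code from the Agbeyibor et
al. paper): a toy format-preserving cipher over decimal strings that shows the
structure those NIST modes share, an alternating Feistel network in radix
arithmetic whose output has the same length and alphabet as its input. The
round function is HMAC-SHA256 because the standard library has no AES; the
round count, key and sample fields are assumed. Illustration only."""
import hashlib
import hmac

RADIX = 10
ROUNDS = 10          # FF1 also uses 10 rounds; the value is assumed here
DIGITS = set("0123456789")


def _round_function(key, tweak, n, i, half):
    """Pseudorandom integer from key, tweak, total length, round index and one half."""
    msg = tweak + bytes([n, i]) + half.encode("ascii")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


def _split(digits):
    n = len(digits)
    if n < 2 or n > 255 or not set(digits) <= DIGITS:
        raise ValueError("input must be 2..255 decimal digits")
    u = n // 2
    return n, u, n - u, digits[:u], digits[u:]


def fpe_encrypt(key, tweak, digits):
    n, u, v, a, b = _split(digits)
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v                # half sizes alternate each round
        c = (int(a) + _round_function(key, tweak, n, i, b)) % RADIX ** m
        a, b = b, str(c).zfill(m)                 # stays m digits: no padding, no truncation
    return a + b


def fpe_decrypt(key, tweak, digits):
    n, u, v, a, b = _split(digits)
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c = (int(b) - _round_function(key, tweak, n, i, a)) % RADIX ** m
        a, b = str(c).zfill(m), a
    return a + b


def encrypt_field(key, tweak, field):
    """Encrypt only the digits of a legacy field, leaving separators where they are."""
    out = iter(fpe_encrypt(key, tweak, "".join(ch for ch in field if ch in DIGITS)))
    return "".join(next(out) if ch in DIGITS else ch for ch in field)


def decrypt_field(key, tweak, field):
    out = iter(fpe_decrypt(key, tweak, "".join(ch for ch in field if ch in DIGITS)))
    return "".join(next(out) if ch in DIGITS else ch for ch in field)


if __name__ == "__main__":
    key, tweak = b"example-key-not-for-production", b"meter-0042"   # assumed
    field = "4111-1111-1111-1111"                                   # constructed sample
    ct = encrypt_field(key, tweak, field)
    print(field, "->", ct, "->", decrypt_field(key, tweak, ct))
```

The tweak plays the role it has in the NIST modes: a public, per-record value (here a meter identifier) that makes equal plaintexts in different records encrypt differently without changing the key.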
Asynchronous Binary Byzantine Consensus over Graphs with Power-Law Degree Sequence
Abstract
Consensus problems are of great interest in distributed systems research, especially in the presence of Byzantine faults. While asynchronous message passing is an interesting network model, Fischer et al. [17] have shown that deterministic algorithms do not exist even for single faults, requiring the use of randomization as proposed by Ben-Or [6].
While most approaches implicitly assume full connectivity, the case of non-complete graphs is particularly interesting when studying the feasibility and efficiency of consensus problems. This topic has received limited scrutiny despite the fact that non-complete graph structures are ubiquitous in many networks that require low overall latency and reliable signaling (e.g., electrical power networks). One of the core benefits of such an approach is the ability to rely on redundant sensors in large networks for detecting faults and adversarial actions without impacting real-time behavior. It is, therefore, critical to minimize the message complexity in consensus algorithms.
This paper studies the existence and efficiency of randomized asynchronous binary Byzantine consensus for graphs in the \(G(n,\vec{d})\) configuration model with a power-law degree sequence. The main contribution is an algorithm that explicitly utilizes the network structure to gain efficiency over a simple randomized algorithm while allowing the identification of possible additional edges in the graph to satisfy redundancy requirements.
Goitom Weldehawaryat, Stephen Wolthusen
Metadata

Title
Critical Infrastructure Protection VIII
Edited by
Jonathan Butts
Sujeet Shenoi
Copyright year
2014
Publisher
Springer Berlin Heidelberg
Electronic ISBN
978-3-662-45355-1
Print ISBN
978-3-662-45354-4
DOI
https://doi.org/10.1007/978-3-662-45355-1