
2009 | Book

Critical Infrastructure Protection III

Third Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection, Hanover, New Hampshire, USA, March 23-25, 2009, Revised Selected Papers


About this book

The information infrastructure – comprising computers, embedded devices, networks and software systems – is vital to operations in every sector: information technology, telecommunications, energy, banking and finance, transportation systems, chemicals, agriculture and food, defense industrial base, public health and health care, national monuments and icons, drinking water and water treatment systems, commercial facilities, dams, emergency services, commercial nuclear reactors, materials and waste, postal and shipping, and government facilities. Global business and industry, governments, indeed society itself, cannot function if major components of the critical information infrastructure are degraded, disabled or destroyed.

This book, Critical Infrastructure Protection III, is the third volume in the annual series produced by IFIP Working Group 11.10 on Critical Infrastructure Protection, an active international community of scientists, engineers, practitioners and policy makers dedicated to advancing research, development and implementation efforts related to critical infrastructure protection. The book presents original research results and innovative applications in the area of infrastructure protection. Also, it highlights the importance of weaving science, technology and policy in crafting sophisticated, yet practical, solutions that will help secure information, computer and network assets in the various critical infrastructure sectors.

This volume contains seventeen edited papers from the Third Annual IFIP Working Group 11.10 International Conference on Critical Infrastructure Protection, held at Dartmouth College, Hanover, New Hampshire, March 23–25, 2009. The papers were refereed by members of IFIP Working Group 11.10 and other internationally-recognized experts in critical infrastructure protection.

Table of Contents

Frontmatter

Risk Management

Frontmatter
Information Risk Management and Resilience
Abstract
Are the levels of information risk management efforts within and between firms correlated with the resilience of the firms to information disruptions? This paper examines the question by considering the results of field studies of information risk management practices at organizations and in supply chains. The organizations investigated differ greatly in the degree of coupling from a general and information risk management standpoint, as well as in the levels of internal awareness and activity regarding information risk management. The comparison of the levels of information risk management in the firms and their actual or inferred resilience indicates that a formal information risk management approach is not necessary for resilience in certain sectors.
Scott Dynes
Does the Liberalization of the European Railway Sector Increase Systemic Risk?
Abstract
Recent large-scale blackouts and other incidents have shown that failures in network industries can have serious economic and social consequences. A large body of literature covers critical infrastructures (and their protection), but most of it is confined to a relatively restricted number of sectors such as electricity and information and communications technology (ICT). In addition, much of the literature discusses systemic risk in complex networks from an engineering perspective with the goal of mitigating risk using quantitative techniques.
The railway sector is a critical infrastructure that shares a number of characteristics with electricity (e.g. interconnection), but it has received little attention when it comes to systemic risk. This paper analyzes the extent to which the liberalization of the railway system increases the sector’s systemic risk, a pressing question in the wake of the creation of a single European railway market. The paper also discusses the broader issue of the governance of systemic risk in the railway sector, especially since the mitigation of risk tends to be limited to risk management from a technical perspective while ignoring the institutional dimension.
Marc Laperrouza
Risk-Based Criticality Analysis
Abstract
Critical infrastructure protection requires the evaluation of the criticality of infrastructures and the prioritization of critical assets. However, criticality analysis is not yet standardized. This paper examines the relation between risk and criticality. It analyzes the similarities and differences in terms of scope, aims, impact, threats and vulnerabilities; and proposes a generic risk-based criticality analysis methodology. The paper also presents a detailed list of impact criteria for assessing the criticality level of infrastructures. Emphasis is placed on impact types that are society-centric and/or sector-centric, unlike traditional risk analysis methodologies that mainly consider the organization-centric impact.
Marianthi Theoharidou, Panayiotis Kotzanikolaou, Dimitris Gritzalis
Modeling and Managing Risk in Billing Infrastructures
Abstract
This paper discusses risk modeling and risk management in information and communications technology (ICT) systems for which the attack impact distribution is heavy tailed (e.g., power law distribution) and the average risk is unbounded. Systems with these properties include billing infrastructures used to charge customers for services they access. Attacks against billing infrastructures can be classified as peripheral attacks and backbone attacks. The goal of a peripheral attack is to tamper with user bills; a backbone attack seeks to seize control of the billing infrastructure. The probability distribution of the overall impact of an attack on a billing infrastructure also has a heavy-tailed curve. This implies that the probability of a massive impact cannot be ignored and that the average impact may be unbounded – thus, even the most expensive countermeasures would be cost effective. Consequently, the only strategy for managing risk is to increase the resilience of the infrastructure by employing redundant components.
Fabrizio Baiardi, Claudio Telmon, Daniele Sgandurra

Control Systems Security

Frontmatter
A Taxonomy of Attacks on the DNP3 Protocol
Abstract
Distributed Network Protocol (DNP3) is the predominant SCADA protocol in the energy sector – more than 75% of North American electric utilities currently use DNP3 for industrial control applications. This paper presents a taxonomy of attacks on the protocol. The attacks are classified based on targets (control center, outstation devices and network/communication paths) and threat categories (interception, interruption, modification and fabrication). To facilitate risk analysis and mitigation strategies, the attacks are associated with the specific DNP3 protocol layers they exploit. Also, the operational impact of the attacks is categorized in terms of three key SCADA objectives: process confidentiality, process awareness and process control. The attack taxonomy clarifies the nature and scope of the threats to DNP3 systems, and can provide insights into the relative costs and benefits of implementing mitigation strategies.
Samuel East, Jonathan Butts, Mauricio Papa, Sujeet Shenoi
Design and Implementation of a Secure Modbus Protocol
Abstract
The interconnectivity of modern and legacy supervisory control and data acquisition (SCADA) systems with corporate networks and the Internet has significantly increased the threats to critical infrastructure assets. Meanwhile, traditional IT security solutions such as firewalls, intrusion detection systems and antivirus software are relatively ineffective against attacks that specifically target vulnerabilities in SCADA protocols. This paper describes a secure version of the Modbus SCADA protocol that incorporates integrity, authentication, non-repudiation and anti-replay mechanisms. Experimental results using a power plant testbed indicate that the augmented protocol provides good security functionality without significant overhead.
Igor Nai Fovino, Andrea Carcano, Marcelo Masera, Alberto Trombetta
Providing Situational Awareness for Pipeline Control Operations
Abstract
A SCADA system for a single 3,000-mile-long strand of oil or gas pipeline may employ several thousand field devices to measure process parameters and operate equipment. Because of the vital tasks performed by these sensors and actuators, pipeline operators need accurate and timely information about their status and integrity. This paper describes a realtime scanner that provides situational awareness about SCADA devices and control operations. The scanner, with the assistance of lightweight, distributed sensors, analyzes SCADA network traffic, verifies the operational status and integrity of field devices, and identifies anomalous activity. Experimental results obtained using real pipeline control traffic demonstrate the utility of the scanner in industrial settings.
Jonathan Butts, Hugo Kleinhans, Rodrigo Chandia, Mauricio Papa, Sujeet Shenoi
Enhancing the Safety, Security and Resilience of ICT and Scada Systems Using Action Research
Abstract
This paper discusses the results of a questionnaire-based survey used to assess the safety, security and resilience of information and communications technology (ICT) and supervisory control and data acquisition (SCADA) systems used in the Norwegian oil and gas industry. The survey identifies several challenges, including the involvement of professionals with different backgrounds and expertise, lack of common risk perceptions, inadequate testing and integration of ICT and SCADA systems, poor information sharing related to undesirable incidents and lack of resilience in the design of technical systems. Action research is proposed as a process for addressing these challenges in a systematic manner and helping enhance the safety, security and resilience of ICT and SCADA systems used in oil and gas operations.
Stig Johnsen, Torbjorn Skramstad, Janne Hagen
An Ontology for Identifying Cyber Intrusion Induced Faults in Process Control Systems
Abstract
This paper presents an ontological framework that permits formal representations of process control systems, including elements of the process being controlled and the control system itself. A fault diagnosis algorithm based on the ontological model is also presented. The algorithm can identify traditional process elements as well as control system elements (e.g., IP network and SCADA protocol) as fault sources. When these elements are identified as a likely fault source, the possibility exists that the process fault is induced by a cyber intrusion. A laboratory-scale distillation column is used to illustrate the model and the algorithm. Coupled with a well-defined statistical process model, this fault diagnosis approach provides cyber security enhanced fault diagnosis information to plant operators and can help identify that a cyber attack is underway before a major process failure is experienced.
Jeffrey Hieb, James Graham, Jian Guan
Using Physical Models for Anomaly Detection in Control Systems
Abstract
Supervisory control and data acquisition (SCADA) systems are increasingly used to operate critical infrastructure assets. However, the inclusion of advanced information technology and communications components and elaborate control strategies in SCADA systems increases the threat surface for external and subversion-type attacks. The problems are exacerbated by site-specific properties of SCADA environments that make subversion detection impractical, and by sensor noise and feedback characteristics that degrade conventional anomaly detection systems. Moreover, potential attack mechanisms are ill-defined and may include both physical and logical aspects.
This paper employs an explicit model of a SCADA system in order to reduce the uncertainty inherent in anomaly detection. Detection is enhanced by incorporating feedback loops in the model. The effectiveness of the approach is demonstrated using a model of a hydroelectric power plant for which several attack vectors are described.
Nils Svendsen, Stephen Wolthusen
Detecting Anomalies in Process Control Networks
Abstract
This paper presents the estimation-inspection algorithm, a statistical algorithm for anomaly detection in process control networks. The algorithm determines if the payload of a network packet that is about to be processed by a control system is normal or abnormal based on the effect that the packet will have on a variable stored in control system memory. The estimation part of the algorithm uses logistic regression integrated with maximum likelihood estimation in an inductive machine learning process to estimate a series of statistical parameters; these parameters are used in conjunction with logistic regression formulas to form a probability mass function for each variable stored in control system memory. The inspection part of the algorithm uses the probability mass functions to estimate the normalcy probability of a specific value that a network packet writes to a variable. Experimental results demonstrate that the algorithm is very effective at detecting anomalies in process control networks.
Julian Rrushi, Kyoung-Don Kang

Infrastructure Security

Frontmatter
Nondeducibility-Based Analysis of Cyber-Physical Systems
Abstract
Controlling information flow in a cyber-physical system (CPS) is challenging because cyber domain decisions and actions manifest themselves as visible changes in the physical domain. This paper presents a nondeducibility-based observability analysis for CPSs. In many CPSs, the capacity of a low-level (LL) observer to deduce high-level (HL) actions ranges from limited to none. However, a collaborative set of observers strategically located in a network may be able to deduce all the HL actions. This paper models a distributed power electronics control device network using a simple DC circuit in order to understand the effect of multiple observers in a CPS. The analysis reveals that the number of observers required to deduce all the HL actions in a system increases linearly with the number of configurable units. A simple definition of nondeducibility based on the uniqueness of low-level projections is also presented. This definition is used to show that a system with two security domain levels could be considered “nondeducibility secure” if no unique LL projections exist.
Thoshitha Gamage, Bruce McMillin
Stack-Based Buffer Overflows in Harvard Class Embedded Systems
Abstract
Many embedded devices used to control critical infrastructure assets are based on the Harvard architecture. This architecture separates data and program memory into independent address spaces, unlike the von Neumann architecture, which uses a single address space for data and program code. Buffer overflow attacks in desktop and server platforms based on the von Neumann model have been studied extensively. However, buffer overflows in Harvard architectures have only just begun to receive attention. This paper demonstrates that stack-based buffer overflow vulnerabilities exist in embedded devices based on the Harvard architecture and that the vulnerabilities are easily exploited. The paper shows how the reversal in the direction of stack growth simplifies attacks by providing easier access to critical execution controls. Also, the paper examines defense techniques used in server and desktop systems and discusses their applicability to Harvard class machines.
Kristopher Watts, Paul Oman
Secure Cross-Domain Train Scheduling
Abstract
Track configurations at cross-domain interchange points, train performance characteristics and cross-domain authentication often produce significant train delays that can impact large segments of a railroad network. This paper presents a model that captures the behavior of trains and the track infrastructure. The model enables railroad signal engineers to quickly estimate the required trust management system performance that will support safe, secure and efficient railroad operations.
Mark Hartong, Rajni Goel, Duminda Wijesekera

Infrastructure Modeling and Simulation

Frontmatter
A Holistic-Reductionistic Approach for Modeling Interdependencies
Abstract
Modeling and analyzing critical infrastructures and their interdependencies are essential to discovering hidden vulnerabilities and threats. Several current approaches engage a holistic perspective and rely on abstract models; others incorporate a reductionistic perspective and focus on inter-domain and intra-domain interactions among elementary components. This paper proposes a mixed approach in which holism and reductionism coexist. A critical infrastructure is expressed at different, albeit interrelated, levels of abstraction, and intermediate entities that provide specific aggregate resources or services are introduced.
Stefano De Porcellinis, Gabriele Oliva, Stefano Panzieri, Roberto Setola
Ontology-Based Critical Infrastructure Modeling and Simulation
Abstract
This paper describes a knowledge-based system (KBS) designed to support a federated environment for simulating critical infrastructure models. A federation of simulators is essentially a “system of systems,” where each simulator represents an entity that operates independently with its own behavior and purpose. The interactions among the components of the federated system of systems exhibit critical infrastructure vulnerabilities as emergent behavior; these vulnerabilities cannot be analyzed and simulated by considering the behavior of each system component individually. The KBS, which is based on ontologies and rules, provides a semantic foundation for the federated simulation environment and enables the dynamic binding of different critical infrastructure models. The KBS-based simulation environment can be used to identify latent critical infrastructure interdependencies and to test assumptions about interdependencies.
Vincenzo Masucci, Francesco Adinolfi, Paolo Servillo, Giovanni Dipoppa, Alberto Tofani
A Framework for Modeling Interdependencies in Japan’s Critical Infrastructures
Abstract
This paper discusses Japanese efforts related to critical infrastructure protection, including several case studies to clarify the risk components and countermeasures. An interdependency modeling framework that combines the inoperability input-output model (IIM) for economic interdependencies and Bayesian networks for operational dependencies is presented. Also, the paper provides new multidimensional measures for interpreting interdependency modeling results.
Zaw Zaw Aung, Kenji Watanabe
Metadata
Title
Critical Infrastructure Protection III
Editors
Charles Palmer
Sujeet Shenoi
Copyright Year
2009
Publisher
Springer Berlin Heidelberg
Electronic ISBN
978-3-642-04798-5
Print ISBN
978-3-642-04797-8
DOI
https://doi.org/10.1007/978-3-642-04798-5