Critical Infrastructure Security and Resilience

This chapter discusses new societal risk due to the fast information and communication as well as operational technology changes which are not yet fully taken into account by governmental policymakers and regulators. Internet-of-things, cloud computing, mass consumer markets and embedded operational technologies are some of the areas outlined in this chapter which may be the cause for serious disruptions of critical infrastructures, critical information infrastructures, essential services, and the undisturbed functioning of the society. Current national protection approaches mainly focus on the classical telecommunication sector and the stove-piped critical sectors such as energy, health, transport, etcetera. This chapter argues that a change of mind and actions are needed to properly govern the new cyber risk before serious incidents occur and that such a new approach is urgently needed to make the societies at large more resilient.

The protection of critical infrastructures at a national level is not a trivial task. In involves various steps such as the indentation, the prioritization and the protection of those infrastructures and services that are vital for the wellbeing of the society. Although some sectors, subsectors and services seem to be very important for all countries, others may differ in their significance based on the specific economic, environmental and social characteristics of each country. In this chapter we review existing methodologies and national strategies for critical infrastructure protection. We examine methodologies for identifying and assessing critical sectors and services, relying on top-down and bottom-up administrative approaches. We examine common practices that have been applied in various countries to identify critical infrastructures and to establish national protection plans. Finally, we describe a set of goals that are commonly found in different methodologies and best practices for critical infrastructure protection.

Until recently, infrastructure owners and operators only had to worry about local acts of nature and the occasional vandal to maintain their services to a prescribed standard. All that changed with the 1995 Tokyo Subway Attacks and 9/11 which ushered in the unprecedented threat of domestic catastrophic destruction by non-state actors. Now infrastructure owners and operators find themselves under almost constant global cyber attack, the consequences of which could be catastrophic. Critical infrastructure protection has been a core mission of the Department of Homeland Security since its foundation in 2002. This chapter examines the work of the Department to protect the nation’s critical infrastructure, and efforts to develop a uniform risk analysis to guide its strategic planning and facilitate cost-benefit-analysis of mitigation measures on the part of infrastructure owners and operators.

In last decades, thanks to the large diffusion of Information and communications technologies, the cooperation of distributed systems has been facilitated with the aim to provide new services. One of the common aspect of this kind of systems is the presence of a network able to ensure the connectivity among the elements of the network. The connectivity is a fundamental prerequisite also in the context of critical infrastructures (CIs), which are defined as a specific kind of infrastructures able to provide the essential services that underpin the society and serve as the backbone of our nation’s economy, security, and health (i.e. transportation systems, gas and water distribution systems, financial services, etc). Due to their relevance, the identification of vulnerabilities in this kind of systems is a mandatory task in order to design adequate and effective defense strategies. To this end, in this chapter some of the most common methods for networks vulnerabilities identification are illustrated and compared in order to stress common aspects and differences.

This chapter addresses the challenges associated with assessing and improving the resilience of interdependent critical infrastructure systems under potential disruptive events. A specific set of analytical tools are introduced based on quantitative models of infrastructure systems operation and their functional interdependencies. Specifically, the game-theoretic attacker-defender and defender-attacker-defender modeling techniques are applied to assessing the resilience of interdependent CI systems under worst-case disruptions, and advising policymakers on making pre-disruption decisions for improving the resilience of interdependent infrastructures. A case of interdependent power and gas systems is presented to show the proposed model and highlight the significance of protecting interdependent CIs.

Critical infrastructures such as the power grid and the communication network form a complex interdependent system where the failure of a small set of entities can trigger a cascading event resulting in the failure of a much larger set of entities. Recognizing the need for a deeper understanding of the interdependence between such critical infrastructures, in the last few years several interdependency models have been proposed and analyzed. However, most of these models are over-simplified and fail to capture the complex interdependencies that may exist in such networks. The more recently proposed Implicative Interdependency Model (IIM) overcomes the limitations of existing models and is able to capture complex relationships that may exist between entities of heterogeneous interdependent networks. In this chapter we outline some of the problems studied using this model and present a detailed study of the Smallest Pseudo Target Set Identification Problem in the IIM setting. We divide the problem into four classes, and show that it is solvable in polynomial time for one class, and is NP-complete for others. We provide an approximation algorithm for the second class, and for the most general class, we provide an optimal solution using an Integer Linear Program, and a heuristic solution. We evaluate the efficacy of our heuristic using power and communication network data of Maricopa County, Arizona. The experiments show that our heuristic almost always produces near optimal results.

Many modern critical infrastructures manifest reciprocal dependencies at various levels and on a time-evolving scale. Network theory has been exploited in the last decades to achieve a better understanding of topologies, correlations and propagation paths in case of perturbations. The discipline is providing interesting insights into aspects such as fragility and robustness of different network layouts against various types of threats, despite the difficulties arising in the modeling of the associated processes and entity relationships. Indeed, the evolution of infrastructures is not, in general, the straightforward outcome of a comprehensive a priori design. Rather, factors such as societal priorities, technical and budgetary constraints, critical events and the quest for better and cost-effective services induce a continuous change, while new kinds of interdependencies emerge. As a consequence, mapping emerging behavior can constitute a challenge and promote the development of innovative approaches to analysis and management. Among them, stress tests are entering the stage in order to assess networked infrastructures and reveal the associated operational boundaries and risk exposures. In this chapter, we first overview key developments of network science and its applications to primary infrastructure sectors. Secondly, we address the implementation of network-theoretical concepts in actions related to resilience enhancement, referring in particular to the case of stress tests in the banking sector. Finally, a discussion on the relevance of those concepts to critical infrastructure governance is provided.

Micro-grids (MG) enable autonomous operation of remote or islanded power networks such as critical infrastructure assets, but also the integration of Distributed Energy Resources (DER) into power distribution networks coupled to a transmission system, enhancing robustness of and reducing strain on the power network. Micro-grid control technology relies heavily on networked or distributed control techniques which are exposed to cyber-security threats than conventional power networks. Consequences of security violations could manifest as loss of electrical power to critical loads or dangerous operating states; given the severity of the risks every effort should be taken to reduce exposure to vulnerabilities. This chapter reviews common MG architectures and selected system elements feeding into a structured high-level security analysis based on the Systems Theoretic Process Analysis for Security (STPA-Sec) framework to generate causal scenarios for security violations in MGs and, accordingly, to identify the priority areas for future security research in the MG domain.

Industrial Controllers (e.g., Programmable Logical Controllers – PLCs, and Remote Terminal Units – RTUs) have been specialized to deliver robust control strategies. However, little has been done towards the integration of security strategies within their application-layer. This chapter investigates the integration of security solutions within the industrial control system’s “edge” devices – the Industrial Controller (IC). As a specific case study it demonstrates the implementation of a simple anomaly detection engine traditional in control applications. The approach shows that the scheduling rate of control applications is significantly affected by various events, such as a change in the number of network packets, configuration interventions, etc. Implementations realized on a Phoenix Contact ILC 350-PN controller demonstrate the feasibility and applicability of the proposed methodology.

Increasingly, the society is witnessing how today’s industry is adapting the new technologies and communication protocols to offer more optimal and reliable services to end-users, with support for inter-domain communication belonging to diverse critical infrastructures. As a consequence of this technological revolution, interconnection mechanisms are required to offer transparency in the connections and protection in the different application domains, without this implying a significant degradation of the control requirements. Therefore, this book chapter presents a reference architecture for Industry 4.0 where the interconnection core is mainly concentrated in the Policy Decision Points (PDP), which can be deployed in high volume data processing and storage technologies such as cloud and fog servers. Each PDP authorizes actions in the field/plant according to a set of factors (entities, context and risks) computed through the existing access control measures, such as RBAC+ABAC+Risk-BAC (Role/Attribute/Risk-Based Access Control, respectively), to establish coordinated and constrained accesses in extreme situations. Part of these actions also includes proactive risk assessment measures to respond to anomalies or intrusive threats in time.

Many organizations still rely on traditional methods to protect themselves against various cyber threats. This is effective when they deal with traditional threats, but it is less effective when it comes to Advanced Persistent Threat (APT) actors. APT attacks are carried by highly skilled (possibly state-sponsored) cyber criminal groups who have potentially unlimited time and resources.

This paper analyzes three specific APT groups targeting critical national infrastructure of western countries, namely: APT28, Red October, and Regin. Cyber Kill Chain (CKC) was used as the reference model to analyze these APT groups activities. We create a Defense Triage Process (DTP) as a novel combination of the Diamond Model of Intrusion Analysis, CKC, and 7D Model, to triage the attack vectors and potential targets for these three APT groups.

A comparative summary of these APT groups is presented, based on their attack impact and deployed technical mechanism. This paper also highlights the type of organization and vulnerabilities that are attractive to these APT groups and proposes mitigation actions.

Civil aviation is the safest transport mode in the world and probably also the most interconnected system of information and communication technology. Cyber-attacks are increasing in quantity and persistence, so the consequences of a successful malicious cyber-attack on civil aviation operations could be severe nowadays. New technologies, extension of connectivity and their integration in the aviation industry, especially in the field of Air Traffic Management (ATM), increase the risk to these critical assets. This chapter examines cyber security challenges and interoperability in ATM systems. We propose an extended threat model for analyzing possible targets and risks involved. We also introduce and analyze cyber resilience aspects in the aviation context and the need for holistic strategy of defense, prevention and response. Under the resilience umbrella, all actors should work on collaborative, risk-based framework to address security threats and increase the aviation systems resilience against future attacks.

In March 2018, the U.S. DHS and the FBI issued a joint critical alert (TA18-074A) of an ongoing campaign by Russian threat actors targeting U.S. government entities and critical infrastructure sectors. The campaign targets critical infrastructure organizations mainly in the energy sector and uses, among other techniques, Open Source Intelligence (OSINT) to extract information. In an effort to understand the extent and quality of information that can be collected with OSINT, we shadow the threat actors and explore publicly available resources that can generate intelligence pertinent to power systems worldwide. We undertake a case study of a real, large-scale power system, where we leverage OSINT resources to construct the power system model, validate it, and finally process it for identifying its critical locations. Our goal is to demonstrate the feasibility of conducting elaborate studies leveraging public resources, and inform power system stakeholders in assessing the risks of releasing critical information to the public.

Information disclosure leads to serious exploits, disruption or damage of critical operations and privacy breaches, both in Critical Infrastructures (CIs) and Industrial Control Systems (ICS) and in traditional IT systems. Side channel attacks in computer security refer to attacks on data confidentiality through information gained from the physical implementation of a system, rather an attack on the algorithm or software itself. Depending on the source and the type of information leakage, certain general types of side channel attacks have been established: power, electromagnetic, cache, timing, sensor-based, acoustic and memory analysis attacks. Given the sensitive nature of ICS and the vast amount of information stored on IT systems, consequences of side channel attacks can be quite significant. In this paper, we present an extensive survey on side channel attacks that can be implemented either on ICS or traditional systems often used in Critical Infrastructure environments. Presented taxonomies try to take into consideration all major publications of the last decade and present them using three different classification systems to provide an objective form of multi-level taxonomy and a potentially profitable statistical approach. We conclude by discussing open issues and challenges in this context and outline possible future research directions.