
2016 | Book

Critical Information Infrastructures Security

9th International Conference, CRITIS 2014, Limassol, Cyprus, October 13-15, 2014, Revised Selected Papers

edited by: Christos G. Panayiotou, Georgios Ellinas, Elias Kyriakides, Marios M. Polycarpou

Publisher: Springer International Publishing

Book series: Lecture Notes in Computer Science


About this book

This book constitutes revised selected papers from the 9th International Conference on Critical Information Infrastructures Security, CRITIS 2014, held in Limassol, Cyprus, in October 2014.

The 20 full and 19 short papers presented in this volume were carefully reviewed and selected from 74 submissions. They are organized in topical sections named: cyber-physical systems and sensor networks; security of water systems; power and energy system security; security and recovery policies, cyber security; and security tools and protocols.

Table of contents

Frontmatter

Cyber-Physical Systems and Sensor Networks

Frontmatter
Fault Detection and Isolation in Critical Infrastructure Systems

Critical infrastructure systems (CIS) are complex large-scale systems which in turn require highly sophisticated supervisory control systems to ensure that high performance can be achieved and maintained under adverse conditions. The global CIS Real-Time Control (RTC) need of operating in adverse conditions involves, with a high probability, sensor and actuator malfunctions (faults). This problem calls for the use of an on-line Fault Detection and Isolation (FDI) system able to detect such faults. This paper proposes an FDI mechanism that extends the classical Boolean fault signature matrix concept taking into account several fault signal properties to isolate faults in CIS. To exemplify the proposed FDI scheme in CIS, the Barcelona drinking water network is used as a case study.

Vicenç Puig, Teresa Escobet, Ramon Sarrate, Joseba Quevedo
Critical Infrastructure in the Future City
Developing Secure and Resilient Cyber–Physical Systems

Cities face serious challenges that affect competitiveness, sustainability and their occupants’ safety & security. In response, investment is made in city infrastructure projects. Given the complexity of the systems architecture, and interactions between physical and cyber domains, this paper shows how a multi-disciplinary approach can be adopted to address the challenges. It introduces an analysis methodology for use by multi-disciplinary teams to allow the dependencies and interactions of cyber–physical systems in physical–cyber environments to be explored. The analysis methodology offers a systematic way to study the cyber–physical systems and identify safety, security or resilience issues that need to be addressed in the systems design or operation.

Hugh Boyes, Roy Isbell, Tim Watson
Exploitation of HART Wired Signal Distinct Native Attribute (WS-DNA) Features to Verify Field Device Identity and Infer Operating State

Infusion of Information Technology (IT) into Industrial Control System (ICS) applications has increased Critical Infrastructure Protection (CIP) challenges. A layered security strategy is addressed that exploits Physical (PHY) features to verify field device identity and infer normal-anomalous operating state using Distinct Native Attribute (DNA) features. The goal is inferential confirmation that Human Machine Interface (HMI) indicated conditions match the system’s true physical state. Feasibility is shown using Wired Signal DNA (WS-DNA) from Highway Addressable Remote Transducer (HART) enabled field devices. Results are based on experiments using an instrumented Process Control System (PCS) with smart field devices communicating via wired HART. Results are presented for two field devices operating at two different set-points and suggest that the WS-DNA technical approach is promising for inferring device physical state.

Juan Lopez Jr., Michael A. Temple, Barry E. Mullins
Processing and Communications Rate Requirements in Sensor Networks for Physical Thread Assessment

Sensor networks for the assessment of physical threats in critical infrastructure have the potential to provide continuous and reliable information on illegal activity over wide areas. In order to reach that potential, it is essential for the sensor network to operate efficiently by conducting processing and communication operations on a very limited power budget. In this work, it is shown that when sequentially assessing physical threats using a sensor network, the required processing and communication load is directly related to estimation uncertainty. It is, furthermore, shown that the processing and communications rate required for sequential estimation using a sensor network is much less than the rate required for processing and transmitting all data available at the nodes. This result can be used to reduce hardware cost and power requirements of the sensor network.

Ioannis Kyriakides, Stelios Neophytou, Anastasis Kounoudes, Konstantinos Michail, Yiannis Argyrou, Thomas Wieland
A Comprehensive Approach for Security Assessment in Transport

Transport is one of the most important economic sectors in Europe with its infrastructure being essential for the functioning of the entire society. Directive 2008/114/EC outlines the approach Member States are required to follow to identify, designate, and protect European Critical Infrastructures also in the transport sector. The paper illustrates a benchmarking methodology which could be used to assess security in terms of awareness, preparedness and maturity in operators belonging to transport sub-sectors. The final goal is to provide a relevant informative base, taking into consideration sub-sector differences useful to enhance awareness in security in the transport sector.

Simona Cavallini, Francesca D’Onofrio, Pedro Ferreira, Anabela Simoes, Nicanor Garcia

Security of Water Systems

Frontmatter
Decentralised Hierarchical Multi-rate Control of Large-Scale Drinking Water Networks

We propose a decentralised hierarchical multi-rate control scheme for the control of large-scale systems with state and input constraints. The large-scale system is partitioned into sub-systems each one of which is locally controlled by a stabilising linear controller which does not account for the prescribed constraints. A higher-layer controller commands reference signals at a lower uniform sampling frequency so as to enforce linear constraints on the process variables. Worst-case subsystem interactions are modeled and accounted for in a robust manner. By optimally constraining the magnitude and rate of variation of the reference signals to each lower-layer controller we prove that closed-loop stability is preserved and the fulfillment of the prescribed constraints is guaranteed. We apply the proposed methodology to Johansson’s quadruple-tank system and we compare it to a centralised control approach.

Ajay Kumar Sampathirao, Pantelis Sopasakis, Alberto Bemporad
dbpRisk: Disinfection By-Product Risk Estimation

This work describes a new open-source software platform, the dbpRisk software, for conducting simulation experiments in order to model the formation for disinfection by-product in drinking water distribution networks under various conditions and uncertainties. The goal is to identify the risk-level at each node location, contributing in the enhancement of consumer safety. The use of the dbpRisk software is demonstrated using a real water distribution network model from the Nicosia water transport network.

Marios Kyriakou, Demetrios G. Eliades, Marios M. Polycarpou
Gaussian-Process-Based Demand Forecasting for Predictive Control of Drinking Water Networks

This paper focuses on water demand forecasting for predictive control of Drinking Water Networks (DWN) in the short term by using Gaussian Process (GP). For the predictive control strategy, system states in a finite horizon are generated by a DWN model and demands are regarded as system disturbances. The goal is to provide a demand estimation within a given confidence interval. For the sake of obtaining a desired forecasting performance, the forecasting process is carried out in two parts: the expected part is forecasted by Double-Seasonal Holt-Winters (DSHW) method and the stochastic part is forecasted by GP method. The mean value of water demand is firstly estimated by DSHW while GP provides estimations within a confidence interval. GP is applied with random inputs to propagate uncertainty at each step. Results of the application of the proposed approach to a real case study based on the Barcelona DWN have shown that the general goal has been successfully reached.

Ye Wang, Carlos Ocampo-Martínez, Vicenç Puig, Joseba Quevedo
Graph-Based Hydraulic Vulnerability Assessment of Water Distribution Networks

Presented herein is a methodology for the seismic and hydraulic assessment of the reliability of water distribution networks (WDN) based on general seismic assessment standards, as per the American Lifelines Alliance (ALA) guidelines, localized historical records of critical risk-of-failure metrics, and hydraulic simulations using adapted EPANET models. The proposed reliability assessment incorporates data of past non-seismic damage, the vulnerabilities of the network components against seismic loading, hydraulic modeling, and the topology of a WDN. The network reliability is assessed using Graph Theory and Monte Carlo simulation (MCS), coupled with a hydraulic analysis.

Michalis Fragiadakis, Savvas Xanthos, Demetrios G. Eliades, Anastasis Gagatsis, Symeon E. Christodoulou
Sensor Data Validation and Reconstruction in Water Networks: A Methodology and Software Implementation

In this paper, a data validation and reconstruction methodology that can be applied to the sensors used for real-time monitoring in water networks is presented. On the one hand, a validation approach based on quality levels is described to detect potential invalid and missing data. On the other hand, the reconstruction strategy is based on a set of temporal and spatial models used to estimate missing/invalid data with the model estimation providing the best fit. A software tool implementing the proposed data validation and reconstruction methodology is also presented. Finally, results obtained applying the proposed methodology on raw data of flow meters gathered from a real water network are also included to illustrate the performance of the proposed approach.

Diego García, Joseba Quevedo, Vicenç Puig, Miquel Àngel Cugueró
Critical Infrastructure Online Fault Detection: Application in Water Supply Systems

In this paper we first introduce a testbed that is able to emulate the operation and common faults of a water supply system, as well as its interaction with a SCADA system. Then we implement an online fault detection algorithm based on a fault diagnosis architecture for nonlinear uncertain discrete-time systems, that we apply and test with the testbed. We finally present some experimental results illustrating the effectiveness of this approach.

Constantinos Heracleous, Estefanía Etchevés Miciolino, Roberto Setola, Federica Pascucci, Demetrios G. Eliades, Georgios Ellinas, Christos G. Panayiotou, Marios M. Polycarpou

Power and Energy System Security

Frontmatter
An Attack Analysis of Managed Pressure Drilling Systems on Oil Drilling Platforms

Oil rig systems are frequently assumed to be isolated from external networks, securing them from malicious software attacks. Integrated operations and media and device mobility undermine this assumption. A successful attack on a drilling operation could be devastating in human, environmental, economic and reputational terms. Several threat sources can easily be identified. We therefore propose the use of Causal Bayesian Networks to analyse probable attack strategies on a managed pressure drilling (MPD) system, where the attacker aims to maximise impact, while minimising attribution. Our results can be used to inform company representatives and operators of likely risks and highlight requirements for the successful diagnosis and recovery of well control incidents stemming from cyber causes.

Thomas Richard McEvoy, Stephen D. Wolthusen
The Effect of Branch Parameter Errors to Voltage Stability Indices

Errors in the values of network parameters stored in the control center may affect the important application of voltage stability monitoring. This paper investigates the effect of branch parameters errors to voltage stability monitoring, using the state vector obtained by the state estimator. In particular, the state vector is used for calculating a voltage stability index that indicates the most critical branch (the one that first reaches its active power transfer limit). The states of the power system are estimated under various scenarios of possible errors in the reactance of the critical branch and then are used for the calculation of the voltage stability index. The case studies are performed using the IEEE systems with 14 and 39 buses and it is shown that the calculated value of the stability index depends on the error in the branch parameters, the power system structure and the contingency leading to voltage instability.

Vedran Kirincic, Markos Asprou, Petros Mavroeidis, Elias Kyriakides
CFD Simulation of Contaminant Transportation in High-Risk Buildings Using CONTAM

In this work we study the problem of airborne contaminant transportation in high-risk buildings using CFD methods. The main contribution of this work is the design and evaluation of two building case studies using CONTAM coupled with the CFD0 Editor: (i) a conceptual office building with a large conference room surrounded by four smaller offices and (ii) the Pefkios Georgiades amphitheater which is a real building housed at the Cyprus University of Technology in Lemesos. For both case studies, a large number of scenarios were performed involving the transportation of a dangerous contaminant from various locations inside the building and recommendations were provided as to the number and locations of sensors that would guarantee prompt detection to ensure the safety of the people. A comparison of CFD to multi-zone and a study regarding the total computational time of CFD with respect to the grid size were also performed.

Andreas Nikolaou, Michalis P. Michaelides
Detection and Management of Large Scale Disturbances in Power System

Recent blackouts of major power systems (PSs) clearly demonstrate the topicality of the blackout problem when rapid multiple tripping of vital PS elements leads not only to PS collapse but also essentially affects the operation of other critical infrastructures. To prevent such situations special types of automation such as PS splitting and frequency control automation are employed. Taking into account the drawbacks of existing devices the new methods and technical solutions to increase sustainability to such events are discussed.

Antans Sauhats, Vladimir Chuvychin, Galina Bockarjova, Diana Zalostiba, Dmitrijs Antonovs, Roman Petrichenko
Impact of a Surface Nuclear Blast on the Transient Stability of the Power System

In this chapter, we study the consequences of an improvised nuclear detonation (IND) to the sub-transmission and distribution systems of Washington D.C. in the Eastern Interconnection (EI). We briefly discuss the geographical location of the blast and the interconnection of the power utility serving this area, with the neighboring power utilities. Analysis of the grid with respect to steady state stability as well as transient stability is performed to understand the impact of loss in load as a result of the blast. The steady state analysis alone does not offer a complete understanding of the loss of the neighboring substations. The transient stability analysis shows that for the simulated event, the system stabilizes approximately 7 s after the occurrence of the event. The stability of the system can be attributed to the fact that the drop in load was relatively small compared to the generation capacity of the EI.

Christopher L. Barrett, Virgilio Centeno, Stephen Eubank, Cansin Yaman Evrenosoğlu, Achla Marathe, Madhav V. Marathe, Chetan Mishra, Henning Mortveit, Anamitra Pal, Arun Phadke, James Thorp, Anil Vullikanti, Mina Youssef
Building an Integrated Metric for Quantifying the Resilience of Interdependent Infrastructure Systems

Resilience is a dynamic multi-faceted term and complements other terms commonly used in risk analysis, e.g., reliability, availability, vulnerability, etc. The importance of fully understanding system resilience and identifying ways to enhance it, especially for infrastructure systems our daily life depends on, has been recognized not only by researchers, but also by the public. During the last decade, researchers have proposed different methods and frameworks to quantify/assess system resilience. However, they are tailored to specific disruptive hazards/events, or fail to properly include all the phases such as mitigation, adaptation and recovery. In this paper, an integrated metric for resilience quantification with capabilities of incorporating different performance measures is proposed, which can be used to quantify the performance of interdependent infrastructure systems in a more comprehensive way. The feasibility and applicability of the proposed metric will be tested using an electric power supply system as the exemplary system with the help of advanced modelling and simulation techniques. Furthermore, the discussion related to the effects of interdependencies among systems on their resilience capabilities is also included in this paper.

Cen Nan, Giovanni Sansavini, Wolfgang Kröger
Calculation of Cyber Security Index in the Problem of Power System State Estimation Based on SCADA and WAMS Measurements

State estimation is an important procedure providing reliable quality information for control of electric power system (EPS). The paper focuses on the possible consequences of cyber attacks on the state estimation results. To measure the impact of cyber attacks on the state estimation results we introduce an index of cyber security which is determined on the basis of a set of characteristics that define the accuracy of the state estimation results. Since these characteristics are not deterministic the cyber security index is estimated by the method of fuzzy sets. The index of cyber security makes it possible to reveal the most vulnerable facilities in electric power system and develop a strategy for the improvement of their cyber security. The suggested strategy implies the use of PMU measurements coming from WAMS in addition to SCADA measurements.

Irina Kolosok, Liudmila Gurina
Factors Influencing Oscillations within Meshed HVDC Grids and Implications for DC Voltage Control

Since meshed HVDC grids are discussed for offshore wind farms interconnection and onshore long distance transmission use, there is also a research focus on operation of such new type of grids. A major aspect is DC voltage control. Tests on a low voltage meshed HVDC mock-up system showed oscillatory behavior using state of research DC voltage control characteristics. This paper presents an analysis of influencing factors for these oscillations and proposes improvements for the DC voltage control characteristic, for the operation management and shows that converter parameters can invoke oscillations.

Anne-Katrin Marten, Dirk Westermann, Lorenzo Vento, Patrick Favre-Perrod

Security and Recovery Policies

Frontmatter
Public-Private Partnership: The Missing Factor in the Resilience Equation. The French Experience on CIIP

Critical information infrastructure protection is a complex and multifaceted problem domain and continues to become more so. Because it is impossible to prevent the occurrence of all incidents, the CIIP should be approached in terms of resilience. However, governments are facing a key challenge in the implementation of resilience: the need of cooperation with the private sector. How to organize the public-private cooperation is arduous but geopolitics provides the tools to understand this kind of complex relationship. In analyzing the French case, this paper aims to see PPP through a new pathos: as a risk-mitigating factor.

Danilo D’ Elia
Enterprise Security Analysis and Training Experience

A holistic approach to security can be introduced by using a model that binds security measures with costs and security metrics. We describe exercises based on the graded security model, and supported by an expert system that are used for training both general managers and security experts. Trainees have to solve a number of problems under conditions that correspond to a realistic critical information infrastructure security planning situation, with the level of details depending on the expertise of trainees.

Andres Ojamaa, Enn Tyugu
Using Programmable Data Networks to Detect Critical Infrastructure Challenges

Critical infrastructures must be better protected against challenges to their data communications in the face of increasing numbers of emerging challenges, complexity and society’s demand and intolerance of failures. In this paper, we present a set of challenges and their characteristics by reviewing reported incidents. Using domain specific attributes we discuss how these could be mitigated. We advocate the adoption of the latest programmable networking approaches in critical infrastructure networks and we present our proposed modular architecture with configurable monitoring and security components. Lastly, we show results from a network challenge simulation which highlights the benefits of our approach in providing rapid, precise and effective challenge detection and mitigation.

Kyle J. S. White, Dimitrios P. Pezaros, Chris W. Johnson
Security Stress: Evaluating ICT Robustness Through a Monte Carlo Method

The security stress is a synthetic evaluation of how an ICT infrastructure resists attacks. We define the security stress and show how it is approximated through the Haruspex suite. Then, we show how it supports the comparison of three versions of an industrial control system. Haruspex is a suite of tools that apply a Monte Carlo method and support a scenario-based assessment where in each scenario intelligent agents compose attacks to reach some predefined goals.

Fabrizio Baiardi, Fabio Corò, Federico Tonelli, Alessandro Bertolini, Roberto Bertolotti, Luca Guidi

Cyber Security

Frontmatter
Model-Based Evaluation of the Resilience of Critical Infrastructures Under Cyber Attacks

In this paper we report recent results on modelling the impact of cyber-attacks on the resilience of complex industrial systems. We use a hybrid model of the system under study, in which both accidental network failures and the malicious behaviour of an Adversary are modelled stochastically, while the consequences of failures and attacks are modelled in detail using deterministic models. This modelling approach is demonstrated on a complex case study - a reference power transmission network (NORDIC 32), enhanced with a detailed model of the computer and communication network used for monitoring, protection and control compliant with the international standard IEC 61850. We studied the resilience of the modelled system under different scenarios: (i) a base-line scenario in which the modelled system operates in the presence of accidental failures without cyber-attacks; (ii) several different scenarios of cyberattacks. We discuss the usefulness of the modelling approach, of the findings, and outline directions for further work.

Oleksandr Netkachov, Peter Popov, Kizito Salako
The Role of One-Class Classification in Detecting Cyberattacks in Critical Infrastructures

The security of critical infrastructures has gained a lot of attention in the past few years with the growth of cyberthreats and the diversity of cyberattacks. Although traditional IDS update frequently their databases of known attacks, new complex attacks are generated every day to circumvent security systems and to make their detection nearly impossible. This paper outlines the importance of one-class classification algorithms in detecting malicious cyberattacks in critical infrastructures. The role of machine learning algorithms is complementary to IDS and firewalls, and the objective of this work is to detect intentional intrusions once they have already bypassed these security systems. Two approaches are investigated, Support Vector Data Description and Kernel Principal Component Analysis. The impact of the metric in kernels is investigated, and a heuristic for choosing the bandwidth parameter is proposed. Tests are conducted on real data with several types of cyberattacks.

Patric Nader, Paul Honeine, Pierre Beauseroy
Cyber Attacks in Power Grid ICT Systems Leading to Financial Disturbance

Decentralized Critical infrastructure management systems will play a key role in reducing costs and improving the quality of service of industrial processes, such as electricity production. In this paper, we focus on the security issues on the communication channel between the main entities of a smart grid, like generators, consumers and transmission/distribution operators and the energy market. We simulate the energy (spot) market auctions and the power grid network, but we emulate the ICT information part which is the focus of our work. We set in motion a well-known attack, Denial-of-Service (DoS), in Cyber-Physical systems and we are able to identify the consequences not only in power distribution network but also in financial area.

Yannis Soupionis, Thierry Benoist
Obfuscation of Critical Infrastructure Network Traffic Using Fake Communication

The tendency in cyber attacks has evolved from ones immediately causing abnormal operations to advanced attacks after information extraction by traffic sniffing. In particular, the unchanging characteristics of CIS networks are more susceptible to advanced attacks through information extraction. In this paper, we suggest the concept of an obfuscation method for CIS network traffic to interfere with information extraction. We investigated the characteristics of CIS traffic as found from real data. Based on our observations, we propose a method of creating fake communication to make the best use of surplus network bandwidth. We show that our method can vary the characteristics of a CIS network to prevent information extraction by sniffing.

Sungho Jeon, Jeong-Han Yun, Woo-Nyon Kim
CyNetPhy: Towards Pervasive Defense-in-Depth for Smart Grid Security

Security is a major concern in the smart grid technology extensively relying on Information and Communication Technologies (ICT). New emerging attacks show the inadequacy of the conventional defense tools that provision isolated uncooperative services to individual grid components ignoring their real-time dependency and interaction. In this article, we present a smart grid layering model and a matching multi-layer security framework, CyNetPhy, towards enabling cross-layer security of the grid. CyNetPhy tightly integrates and coordinates between a set of interrelated, and highly cooperative real-time defense solutions designed to address the grid security concerns. We advance a high-level overview of CyNetPhy and present an attack scenario against the smart grid supported by a qualitative analysis of the resolution motivating the need for a cross-layer security framework such as CyNetPhy.

Mohamed Azab, Bassem Mokhtar, Mohammed M. Farag
Faults and Cyber Attacks Detection in Critical Infrastructures

In this paper we study the case of Critical Infrastructures (CIs), and especially power grid systems, which nowadays rely on computers and the Internet for their operation. We propose a combinatorial method for automatic detection and classification of faults and cyber-attacks, when there is limited data from the power grid nodes due to cyber implications. We design an experimental platform consisting of a power grid simulator and a cyber network emulator in order to demonstrate the efficiency of the proposed method.

Yannis Soupionis, Stavros Ntalampiras, Georgios Giannopoulos

Security Tools and Protocols

Frontmatter
Recovering Structural Controllability on Erdős-Rényi Graphs via Partial Control Structure Re-Use

Large-scale distributed control systems such as those encountered in electric power networks or industrial control systems must be assumed to be vulnerable to attacks in which adversaries can take over control over at least part of the control network by compromising a subset of nodes. In this paper we study structural controllability properties of the control graph in LTI systems, addressing the question of how to efficiently re-construct a control graph as far as possible in the presence of such compromised nodes. We study the case of sparse Erdős-Rényi Graphs with directed control edges and seek to provide an approximation of an efficient reconstructed control graph by minimising control graph diameter. As the underlying Power Dominating Set problem does not permit efficient re-computation, we propose to reduce the average-case complexity of the recovery algorithm by re-using remaining fragments of the original, efficient control graph where possible and identifying previously un-used edges to re-join these fragments to a complete control graph, validating that all constraints are satisfied in the process. Whilst the worst-case complexity is not improved, we obtain an enhanced average-case complexity that offers a substantial improvement where sufficiently many fragments of the original control graph remain, as would be the case where an adversary can only take over regions of the network and thereby control graph.

Bader Alwasel, Stephen D. Wolthusen
Self-Healing Protocols for Infrastructural Networks

A crucial feature in implementing the next generation of smart grids is how to introduce self-healing capabilities allowing to ensure a high quality of service to the users. We show how distributed communication protocols can enrich complex networks with self-healing capabilities; an obvious field of applications are infrastructural networks. In particular, we consider the case where the presence of redundant links allows to recover the connectivity of the system. We then analyse the interplay between redundancies and topology in improving the resilience of networked infrastructures to multiple failures; in particular, we measure the fraction of nodes still served for increasing levels of network damages. Hence, we consider healing performances with respect to different network topologies (planar, small-world, scale-free) corresponding to various degrees of realism. We find that the most balanced strategy to enhance networks’ resilience to multiple failures while avoiding large economic expenses is to introduce a finite fraction of long-range connections.

Antonio Scala, Walter Quattrociocchi, Giuliano Andrea Pagani, Marco Aiello
PRoCeeD: Process State Prediction for CRITIS Using Process Inherent Causal Data and Discrete Event Models

It is getting harder for operators to secure their Critical Infrastructures (CRITIS). The reasons are a higher complexity and vulnerability of infrastructures in combination with the pressure of being cost-effective, as well as the availability of more evolving attack techniques. New and sophisticated Advanced Persistent Threats cannot be detected using common security measures like signature-based detection. New techniques for detection in CRITIS are necessary. As one part of a comprehensive detection framework for CRITIS we introduce PRoCeeD – Process secuRity by using Causal Data. Our approach combines methodologies from control theory, distributed computing and automata theory. The goal is to create a mathematical model of the nodes, i.e. Programmable Logic Controller or other control systems. Furthermore this is done in an automated fashion using existing information like the Source Code, input and output values like network traffic and process variables and data models. The generated model can be simulated in conjunction with on-line data of a running process to predict probable process states. A combination of this prediction with an anomaly detection framework can reveal attacks, misuses or errors that cannot be detected using common security measures.

Christian Horn, Jörg Krüger
Cascading Failures: Dynamic Model for CIP Purposes - Case of Random Independent Failures Following Poisson Stochastic Process

Cascading failures are a challenging issue in Critical Infrastructure Protection (CIP) and related modelling, simulation and analysis (MS & A) activities. Critical Infrastructures (CIs) are complex systems of ever increasing complexity. A single failure may be propagated and amplified, resulting in serious disruptions of some vital societal services. A dynamic model describing cascading random failures that occur following a Poisson Stochastic Process (PSP) is proposed. The proposed model considers only independent failures. Additional R & D effort is necessary before extending the model to dependent failures.

Mohamed Eid, Terhi Kling, Tuula Hakkarainen, Yohan Barbarin, Amelie Grangeat, Dominique Serafin
A Security Assessment Methodology for Critical Infrastructures

Interest in security assessment and penetration testing techniques has steadily increased. Likewise, security of industrial control systems (ICS) has become more and more important. Very few methodologies directly target ICS and none of them generalizes the concept of “critical infrastructures pentesting”. Existing methodologies and tools cannot be applied directly to critical infrastructures (CIs) due to safety and availability requirements. Moreover, there is no clear understanding of the specific output that CI operators need from such an assessment. We propose a new methodology tailored to support security testing in ICS/CI environments. By analyzing security assessments and penetration testing methodologies proposed for other domains, interviewing stakeholders to identify existing best practices adopted in industry, deriving related issues, and collecting proposals for possible solutions, we propose a new security assessment and penetration testing methodology for critical infrastructure.

Marco Caselli, Frank Kargl
Automatic Fault Identification in Sensor Networks Based on Probabilistic Modeling

This work proposes a mechanism able to automatically categorize different types of faults occurring in critical infrastructures and especially water distribution networks. The mechanism models the relationship exhibited among the sensor datastreams based on the assumption that its pattern alters depending on the fault type. The first phase includes linear time invariant modeling which outputs a parameters vector. At the second phase the evolution of the parameter vectors is captured via hidden Markov modeling. The methodology is applied on data coming from the water distribution network of the city of Barcelona. The corpus contains a vast amount of data representative of nine network states. The nominal is included for enabling fault detection. The achieved classification rates are quite encouraging and the system is practical.

Stavros Ntalampiras, Georgios Giannopoulos
Improving Situational Awareness for First Responders

This paper aims at exploring a novel approach for indoor localisation by exploiting data fusion. Specifically, personnel localisation in rescue scenarios is addressed: the key idea is to increase the situation awareness of rescuers. A pedestrian dead reckoning algorithm based on waist mounted inertial sensors is designed to cope with different human activities. The drifting estimate is re-calibrated by using information gathered from the environment. The outcomes of experimental trials performed in a real scenario are reported.

Francesca De Cillis, Francesca De Simio, Federica Inderst, Luca Faramondi, Federica Pascucci, Roberto Setola
A Decision Support System for Emergency Management of Critical Infrastructures Subjected to Natural Hazards

Natural hazards might damage elements of Critical Infrastructures and produce perturbations on the delivered services. In addition, (inter)dependency phenomena interconnecting infrastructures may amplify impacts through cascading effects. In this paper, we present a Decision Support System (DSS) aiming at predicting the possible effects of natural hazards on the services provided by critical infrastructures. The system employs modeling and simulation techniques to forecast the effects of natural hazards on critical infrastructures services.

Vittorio Rosato, Antonio Di Pietro, Luigi La Porta, Maurizio Pollino, Alberto Tofani, José R. Marti, Claudio Romani
Progressive Recovery from Failure in Multi-layered Interdependent Network Using a New Model of Interdependency

A number of models have been proposed to analyze interdependent networks in recent years. However, most of the models are unable to capture the complex interdependencies between such networks. To overcome the limitations, we have recently proposed a new model. Utilizing this model, we provide techniques for progressive recovery from failure. The goal of the progressive recovery problem is to maximize the system utility over the entire duration of the recovery process. We show that the problem can be solved in polynomial time in some special cases, whereas for some others, the problem is NP-complete. We provide two approximation algorithms with performance bounds of 2 and 4 respectively. We provide an optimal solution utilizing Integer Linear Programming and a heuristic. We evaluate the efficacy of our heuristic with both synthetic and real data collected from the Phoenix metropolitan area. The experiments show that our heuristic almost always produces a near-optimal solution.

Anisha Mazumder, Chenyang Zhou, Arun Das, Arunabha Sen
Model-Based Security Risk Analysis for Networked Embedded Systems

Finding a balance between functional and non-functional requirements and resources in embedded systems has always been a challenge. What brings this challenge into a sharper focus is that embedded devices are increasingly deployed in many networked applications, some of which will form the backbone of the critical information infrastructures on which we all depend. The Security-Enhanced Embedded system Development (SEED) process has proposed a set of tools that bridge the two islands of expertise, the engineers specialised in embedded systems development and the security experts. This paper identifies a gap in the tool chain that links the identification of assets to be protected to the associated security risks seen from different stakeholder perspectives. The needed tool support for systematic prioritisation of identified assets, and the selection of security building blocks at design stage based on a risk picture of different stakeholders, are characterised. The ideas are illustrated in a smart metering infrastructure scenario.

Maria Vasilevskaya, Simin Nadjm-Tehrani
Backmatter
Metadata
Title
Critical Information Infrastructures Security
Edited by
Christos G. Panayiotou
Georgios Ellinas
Elias Kyriakides
Marios M. Polycarpou
Copyright year
2016
Electronic ISBN
978-3-319-31664-2
Print ISBN
978-3-319-31663-5
DOI
https://doi.org/10.1007/978-3-319-31664-2
