Dynamic Risk Analyses and Dependency-Aware Root Cause Model for Critical Infrastructures

  • Conference paper
Critical Information Infrastructures Security (CRITIS 2016)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10242)

Abstract

Critical Infrastructures are known for their complexity and the strong interdependencies between their various components. As a result, cascading effects can have devastating consequences, while foreseeing the overall impact of a particular incident is not straightforward and goes beyond performing a simple risk analysis. This work presents a graph-based approach for conducting dynamic risk analyses, which are programmatically generated from a threat model and an inventory of assets. In contrast to traditional risk analyses, they can be kept up to date automatically and show the risk currently faced by a system in real time. The concepts are applied to and validated in the context of the smart grid infrastructure currently being deployed in Luxembourg.

Notes

  1. From a probability theoretic point of view, \(\mathcal{L}\) is an expected value (a frequency, in fact) and not a probability. Formally, \(\mathcal{L}(\alpha)=\sum_r \mathbb{E}\big[\mathcal{L}(r) \cdot \mathbbm{1}[r \;\text{causes}\; \alpha]\big]\), where \(\mathcal{L}(r)\) is a non-probabilistic constant, for the probability space only includes edges, not nodes.

  2. GraphViz is an open-source graph visualization software. For more information on the dot language, see http://graphviz.org/content/dot-language.

  3. https://www.itrust.lu/products/.

Acknowledgements

This work was supported by the Fonds National de la Recherche, Luxembourg (project reference 10239425) and was carried out in the framework of the H2020 project ‘ATENA’ (reference 700581), partially funded by the EU.

Author information

Correspondence to Steve Muller.

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Muller, S., Harpes, C., Le Traon, Y., Gombault, S., Bonnin, JM., Hoffmann, P. (2017). Dynamic Risk Analyses and Dependency-Aware Root Cause Model for Critical Infrastructures. In: Havarneanu, G., Setola, R., Nassopoulos, H., Wolthusen, S. (eds) Critical Information Infrastructures Security. CRITIS 2016. Lecture Notes in Computer Science, vol 10242. Springer, Cham. https://doi.org/10.1007/978-3-319-71368-7_14

  • DOI: https://doi.org/10.1007/978-3-319-71368-7_14

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-71367-0

  • Online ISBN: 978-3-319-71368-7

  • eBook Packages: Computer Science (R0)
