[en] Critical Infrastructures are known for their complexity and the strong interdependencies between the various components.
As a result, cascading effects can have devastating consequences, while foreseeing the overall impact of a particular incident is not straight-forward at all and goes beyond performing a simple risk analysis.
This work presents a graph-based approach for conducting dynamic risk analyses, which are programmatically generated from a threat model and an inventory of assets.
In contrast to traditional risk analyses, they can be kept automatically up-to-date and show the risk currently faced by a system in real-time.
The concepts are applied to and validated in the context of the smart grid infrastructure currently being deployed in Luxembourg.
Disciplines :
Computer science
Author, co-author :
Muller, Steve ; University of Luxembourg > Faculty of Science, Technology and Communication (FSTC)
Le Traon, Yves ; University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)
Gombault, Sylvain; Telecom Bretagne, France
Bonnin, Jean-Marie; Telecom Bretagne, France
Hoffmann, Paul; Luxmetering G.I.E., Luxembourg
External co-authors :
yes
Language :
English
Title :
Dynamic Risk Analyses and Dependency-Aware Root Cause Model for Critical Infrastructures
Publication date :
2016
Event name :
The 11th International Conference on Critical Information Infrastructures Security
Event organizer :
Springer
Event date :
from 10-10-2016 to 12-10-2016
Audience :
International
Main work title :
International Conference on Critical Information Infrastructures Security
Publisher :
Springer International Publishing
ISBN/EAN :
978-3-319-71368-7
Pages :
163-175
Peer reviewed :
Peer reviewed
Focus Area :
Security, Reliability and Trust
Funders :
10239425, FNR, Fonds National de la Recherche Luxembourg
Rinaldi, S.M.: Modeling and simulating critical infrastructures and their interdependencies. In: Proceedings of the 37th Annual Hawaii International Conference on System Sciences, p.8. IEEE (2004)
International Organization for Standardization: ISO/IEC 27019 (2013)
Bundesamt für Sicherheit in der Informationstechnik (BSI): IT-Grundschutz (2005)
Aubigny, M., Harpes, C., Castrucci, M.: Risk ontology and service quality descriptor shared among interdependent critical infrastructures. In: Xenakis, C., Wolthusen, S. (eds.) CRITIS 2010. LNCS, vol. 6712, pp. 157-160. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-21694-7_14
Foglietta, C., Panzieri, S., Macone, D., Liberati, F., Simeoni, A.: Detection and impact of cyber attacks in a critical infrastructures scenario: the CockpitCI approach. Int. J. Syst. Syst. Eng. 4(3-4), 211-221 (2013)
Suh, B., Han, I.: The IS risk analysis based on a business model. Inf. Manag. 41(2), 149-158 (2003)
Tong, X., Ban, X.: A hierarchical information system risk evaluation method based on asset dependence chain. Int. J. Secur. Appl. 8(6), 81-88 (2014)
Breier, J.: Asset valuation method for dependent entities. J. Internet Serv. Inf. Secur. (JISIS) 4(3), 72-81 (2014)
Stergiopoulos, G., Kotzanikolaou, P., Theocharidou, M., Lykou, G., Gritzalis, D.: Time-based critical infrastructure dependency analysis for large-scale and crosssectoral failures. Int. J. Crit. Infrastruct. Prot. 12, 46-60 (2016)
Baiardi, F., Sgandurra, D.: Assessing ICT risk through a Monte Carlo method. Environ. Syst. Decis. 33(4), 486-499 (2013)
Wang, L., Islam, T., Long, T., Singhal, A., Jajodia, S.: An attack graph-based probabilistic security metric. In: Atluri, V. (ed.) DBSec 2008. LNCS, vol. 5094, pp. 283-296. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-70567-3_22
Homer, J., Ou, X., Schmidt, D.: A sound and practical approach to quantifying security risk in enterprise networks. Kansas State University Techn. Report (2009)
Pearl, J.: Causality: Models, Reasoning, and Inference. Cambridge University Press, New York (2000)
Muller, S., Harpes, C., Le Traon, Y., Gombault, S., Bonnin, J.-M.: Efficiently computing the likelihoods of cyclically interdependent risk scenarios. Comput. Secur. 64, 59-68 (2017)
Klein, R.: Information modelling and simulation in large dependent critical infrastructures - an overview on the european integrated project IRRIIS. In: Setola, R., Geretshuber, S. (eds.) CRITIS 2008. LNCS, vol. 5508, pp. 131-143. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03552-4_12
Grochocki, D., Huh, J.H., Berthier, R., Bobba, R., Sanders, W.H., Cárdenas, A.A., Jetcheva, J.G.: AMI threats, intrusion detection requirements and deployment recommendations. In: 2012 IEEE Third International Conference on Smart Grid Communications (SmartGridComm), pp. 395-400. IEEE (2012)
ENISA: Communication network interdependencies in smart grids (2016)