Securing Critical Infrastructures at
software and interdependency levels
George Stergiopoulos
November 2015
Securing Critical Infrastructures
at software and interdependency levels
George Stergiopoulos
A dissertation submitted for the partial fulfillment
of a Ph.D. degree
November 2015
Department of Informatics
Athens University of Economics & Business
Athens, Greece
Supervising Committee:
1. Dimitris Gritzalis, Professor, Athens University of Economics & Business (Chair)
2. Ioannis Mavridis, Associate Professor, University of Macedonia
3. Panagiotis Katsaros, Assistant Professor, Aristotle University of Thessaloniki
Examination Committee:
1. Dimitris Gritzalis, Professor, Athens University of Economics & Business
2. Theodoros Apostolopoulos, Professor, Athens University of Economics & Business
3. Ioannis Mavridis, Associate Professor, University of Macedonia
4. Konstantinos Lambrinoudakis, Associate Professor, University of Piraeus
5. Panagiotis Katsaros, Assistant Professor, Aristotle University of Thessaloniki
6. Ioannis Marias, Assistant Professor, Athens University of Economics & Business
7. Panos Kotzanikolaou, Assistant Professor, University of Piraeus
Securing Critical Infrastructures
at software and interdependency levels
Copyright © 2015
by
George Stergiopoulos
Department of Informatics
Athens University of Economics and Business
76 Patission Ave., Athens GR-10434, Greece
All rights reserved. No part of this manuscript may be reproduced or transmitted
in any form or by any means, electronic, mechanical, photocopying, recording, or
otherwise, without the prior written permission of the author.
"The approval of a doctoral dissertation by the Department of Informatics of the Athens University of Economics and Business does not imply acceptance of the author's opinions."
(Law 5343/1932, article 202)
Acknowledgements
Doctoral students often overlook the acknowledgements section, focusing instead on the main content and on producing a robust, sound text that adequately depicts their research efforts. Still, most fail to recognize that, without the significant help of a large group of people, these research efforts would have borne little to no fruit. This is why I dedicate the following paragraphs to all those who helped me, directly or indirectly, achieve my goal during my doctoral studies.
First and foremost, I would like to thank my Ph.D. supervisor, Prof. Dimitris Gritzalis. His role was twofold: that of an academic teacher and that of a personal research and business advisor, and he was thus deeply influential to my research. Prof. Gritzalis guided me through my doctoral studies and helped me mature both as a researcher and as a professional. I am grateful to be a part of his Critical Infrastructure Protection group, which, under his constant care and supervision, infused me with a wide variety of knowledge, experience and understanding of both the academic and the business sector. He is the person who motivated my decision to focus on critical infrastructure protection and information systems analysis for the past five years.
I would also like to thank Asst. Prof. Panagiotis Kotzanikolaou and Asst. Prof. Panagiotis Katsaros for their excellent contribution and help during my doctoral studies. Their experience, patience and guidance were of utmost importance and acted as a steady light that helped me overcome multiple obstacles, both technical and theoretical, during my research. I would also like to thank Bill Tsoumas, who believed in me from the very start and altruistically helped during my first steps in research.
During my doctoral studies, I was blessed with colleagues who supported me in many ways. I would like to thank Dr. Marianthi Theoharidou and Dr. Bill Tsoumas for teaching me how to write a paper. I was lucky enough to have Marianthi as my partner in some of my research efforts. I am also grateful to Nikos Virvilis and Miltiadis Kandias for their friendship, cooperation and support; their help and guidance taught me how to manage my tasks and complete them properly and on time. Last but not least, I would like to thank certain people whom I met during my doctoral studies and who influenced my course of action. I sincerely thank Alexios Mylonas, Nikos Tsalis, Vasilis Stavrou and Nick Bozovits for their help, cooperation and friendship during all those years at the university. I would also be remiss not to thank Vasilis Spyropoulos, Vasilis Zafeiris, Nantia Makrinioti and Tassos Venetis for their friendship and for the challenges we faced together while working in the Information Systems and Databases lab (ISLAB).
Partners and academic staff aside, I feel obliged to express my gratitude to other people who influenced my research journey and who supported and aided me when times were harsh and I felt I would never make it; people who are a part of who I am now and to whom I owe a lot. Amongst many, I am deeply thankful to Violetta Sotiropoulou, Mihalis Maniatakos and George Kourepis. Their friendship and support went a long way in easing the anxiety, difficulties and dark thoughts that occurred along the way. I am very grateful to have had them by my side and would like to thank them for helping me grow as a person.
Finally, I feel obliged to express my deepest gratitude and love to my parents for their unconditional, constant love and support, both psychological and financial. I thank them for instilling in me the ethics, qualities and understanding needed to succeed in life. For this reason, this dissertation is dedicated to them.
Athens, 5th September 2015
Dedication
To my parents:
“When I was a boy, my parents were so ignorant I could hardly stand to
have them around. But when I got to be thirty, I was astonished at how
much they had learned in just a few years”
Abstract
Critical infrastructures are the backbone of a nation's economy, security and health. They provide the power and water that reach homes and support the transportation and communication systems people rely on. The criteria for determining what might be a critical infrastructure, and which infrastructures thus qualify, have expanded over time (DHS, 2013). Critical infrastructure is defined as those assets, systems and networks, whether physical or virtual, so vital to a country that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof (DHS, 2013).
At the very least, a growing list of infrastructures in need of protection will require the federal government to prioritize its efforts and try to minimize the impact on the nation's critical infrastructures of any future failure of any kind (e.g. a terrorist attack or a systems failure), while taking into account what those impacts might be and the likelihood of their occurring (Motef et al., 2003).
Considering all the above, it is clear that critical infrastructures, along with their services and systems, must be protected against all types of failures, whether caused by humans or by natural phenomena. Critical infrastructures provide the services a nation needs to function properly and support its citizens, such as the health care system, transportation and communications. Moreover, failures in these infrastructures can be deliberately triggered by attackers in order to cripple a nation and/or to generate revenue (e.g. through theft or information leakage).
Up until now, research has focused on securing critical infrastructures by utilizing Risk Assessment methodologies based on international standards (such as ISO 27001), security audits and penetration tests on their information systems. However, little progress has been made in securing infrastructures from failures in other, interconnected infrastructures on which they depend in order to work efficiently. Modern infrastructures often depend on other infrastructures to function properly. This necessity has led to the development of complex networks of interdependent infrastructures. These dependency graphs hide information about what will happen if a failure occurs; in other words, they are as safe as their most critical path of interdependencies and as exposed as their most dangerous node. In addition (and at a lower granularity level), high-level software applications are nowadays capable of controlling important machinery in critical infrastructures from a distance. Even though it is common knowledge that software applications manifest flaws in their business logic implementation (due to either user or programming errors), little to no effort has been made to find a way to protect the software assets that handle important machinery inside critical infrastructures from such errors. Logical flaws might lead to a serious critical infrastructure failure and even initiate cascading effects between interconnected infrastructures.
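The "as safe as their most critical path" intuition can be made concrete with a toy sketch: given a directed dependency graph with per-edge risk weights, enumerate the acyclic dependency chains from a source infrastructure and pick the one with the highest cumulative risk. All infrastructure names and weights below are hypothetical illustrations, not data from this dissertation.

```python
# Toy dependency-risk sketch (all names and weights are hypothetical).
# Edge A -> B with weight w means: a failure in A degrades B with
# "dependency risk" w in [0, 1]; a chain's risk is the product of its edges.

DEPENDS_ON = {
    "power":   {"water": 0.8, "telecom": 0.6},
    "telecom": {"banking": 0.7},
    "water":   {"health": 0.5},
    "banking": {},
    "health":  {},
}

def riskiest_chain(graph, source):
    """Return (risk, path) for the highest-risk acyclic chain from source."""
    best = (0.0, [source])

    def dfs(node, risk, path):
        nonlocal best
        if len(path) > 1 and risk > best[0]:
            best = (risk, path)
        for nxt, w in graph[node].items():
            if nxt not in path:          # keep the chain acyclic
                dfs(nxt, risk * w, path + [nxt])

    dfs(source, 1.0, [source])
    return best

risk, path = riskiest_chain(DEPENDS_ON, "power")
print(" -> ".join(path), risk)           # power -> water 0.8
```

Exhaustive search is exponential in general, which is one reason the dissertation turns to graph-theoretic metrics rather than brute-force path enumeration for large interdependency graphs.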
In this context, the process of analyzing the security of a critical infrastructure appears to be twofold. First and foremost, we must not only secure each infrastructure on its own, but must also be in a position to pinpoint potential cascading effects amongst dependent critical infrastructures and analyze what their impacts would be, along with the likelihood of their occurring, just as (DHS, 2013) proposes for a single critical infrastructure. At the same time, since software has taken on the burden of controlling most parts of a CI, securing a critical infrastructure means securing its information systems at the software level; i.e. securing the application ecosystem used to control a critical infrastructure by offering mechanisms that protect critical infrastructures from software vulnerabilities yet to be dealt with.
This work approaches security in critical infrastructures by developing practical solutions for both aforementioned granularity levels of infrastructure protection. It differentiates itself from the mainstream security literature on the protection of critical infrastructures by (a) developing a combined multi-methodology able to pinpoint and assess cascading failures amongst critical infrastructures, (b) developing algorithms and strategies that can be implemented both to detect infrastructures that affect many other CIs and to mitigate risk successfully in interconnected infrastructures, and (c) developing a method for the automatic detection of logical errors, race conditions and vulnerabilities in high-level software used in CIs; specifically, in software able to remotely control machinery in critical infrastructures. To the best of our knowledge, this is the first method able to detect logical errors in diverse situations and diverse types of software. Although our initial target was to use the aforementioned method on software handling machinery, the method can be used on a wider basis to detect business logic errors in all types of software.
To raise the bar, this dissertation also presents two novel tools, PLATO and CIDA, that are manifestations of the proposed methods for securing critical infrastructures at both analyzed granularity levels. These tools perform automated analysis and do not require significant technical expertise from users. Specifically, PLATO is a tool able to automatically detect some types of logical errors in software. Amongst other experiments, it was used to detect logical errors in high-level software capable of controlling infrastructure machinery remotely. Furthermore, a macroscopic prediction model is proposed that identifies potentially dangerous dependency chains between critical infrastructures and the evolution of hazards over the course of time, coupled with a graph-theoretic analysis model able to pinpoint dangerous standalone critical infrastructures that greatly affect the overall stability of a graph of interconnected critical infrastructures. These methods were implemented in CIDA, a tool that can model cascading effects between infrastructures, analyze the evolution of hazards and, finally, pinpoint dangerous CIs able to cause massive damage to multiple interconnected infrastructures, if a failure were to manifest on them.
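As a rough sketch of what such cascade modelling involves (not CIDA's actual algorithm, which is detailed in later chapters; the topology, weights and threshold below are invented for illustration), one can propagate an initial failure's impact along dependency edges, attenuate it by each edge's weight, and treat any node whose received impact crosses a threshold as failed:

```python
# Breadth-first cascade sketch (hypothetical graph; NOT the CIDA model).
# impact[n] holds the strongest impact that has reached infrastructure n;
# nodes at or above THRESHOLD are considered failed and keep propagating.

EDGES = {
    "power":   {"telecom": 0.9, "water": 0.7},
    "telecom": {"banking": 0.8},
    "water":   {"health": 0.6},
    "banking": {},
    "health":  {},
}
THRESHOLD = 0.5   # impact at which a node is considered failed

def cascade(edges, start, threshold=THRESHOLD):
    impact = {start: 1.0}
    frontier = [start]                      # failed nodes found this round
    while frontier:
        nxt = []
        for node in frontier:
            for child, w in edges[node].items():
                hit = impact[node] * w      # impact attenuated by the edge
                if hit > impact.get(child, 0.0):
                    impact[child] = hit
                    if hit >= threshold:
                        nxt.append(child)
        frontier = nxt
    # report only the nodes that actually failed
    return {n: round(v, 2) for n, v in impact.items() if v >= threshold}

print(cascade(EDGES, "power"))
# {'power': 1.0, 'telecom': 0.9, 'water': 0.7, 'banking': 0.72}
```

In this toy run the failure reaches "banking" through "telecom" but dies out before "health", because attenuation pushes the propagated impact below the failure threshold; CIDA additionally models how impacts evolve over time and under fuzzy impact values.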
As a case study, this work utilizes known real-world cascading failure scenarios and software applications to test both developed tools. On the one hand, it explores whether – and under which circumstances – logical errors that affect execution and cause failures can be detected in source code (the PLATO tool). On the other, it analyzes real-world cascading effect scenarios, like the California Blackout scenario, to test whether the interdependency analysis methodologies can efficiently detect cascading failures and dangerous CIs.
This work provides evidence suggesting that more work is required for the protection of critical infrastructures, as long as they use high-level software to control machinery and, at the same time, depend on other infrastructures that are also prone to failures.
This thesis interpolates material from three journal papers by the author and from various conference papers (Stergiopoulos, 2012) (Stergiopoulos, 2013) (Stergiopoulos, 2014) (Stergiopoulos, 2015). Chapter 3's research core is based on (Vigna, 2011) and some of the aforementioned publications, coauthored with Asst. Prof. Panagiotis Katsaros and Prof. Dimitris Gritzalis, respectively. Some material from each of these papers has also been incorporated into this introductory Chapter. Meanwhile, Chapters 4 and 5 use material from (Kotzanikolaou, 2010) (Kotzanikolaou, 2011) (Kotzanikolaou, 2012) (Kotzanikolaou, 2013), along with two of the aforementioned journals (Stergiopoulos, 2015) (Stergiopoulos, 2015), coauthored with Asst. Prof. Panagiotis Kotzanikolaou and Prof. Dimitris Gritzalis.
Extended abstract (translated from Greek)
A critical infrastructure is the backbone of a nation's economy, security and standard of living. It is the kind of infrastructure that provides power and water to homes and supports the transportation and communication systems on which society relies. The criteria that determine when an infrastructure is considered critical have expanded over time (DHS, 2013). A critical infrastructure is defined as the set of those assets, systems and networks, whether physical or virtual, that are so essential to a country that their potential unavailability or destruction would have enormous, debilitating effects on national security, the economy, public health, or any combination thereof (DHS, 2013).
A growing list of infrastructures in need of protection will require every federal government to prioritize its efforts and try to minimize the impact of any future failure of any kind on the country's critical infrastructures (e.g. a terrorist attack or a systems failure), while taking into account the nature of those impacts and the likelihood of their occurrence (Motef et al., 2003).
Considering all the above, it is evident that critical infrastructures, along with their services and systems, must be adequately protected against all kinds of failures or accidents, whether they stem from human actions or from natural phenomena. Critical infrastructures provide the services a nation needs in order to function properly and support the needs of its citizens, through services such as the health care system, transportation etc. All the more so since such failures can be caused by malicious attackers from other countries aiming to harm the nation itself and its income.
So far, published research has attempted to secure critical infrastructures through processes that assess the risk and the threats that may potentially harm a critical infrastructure: methodologies based on international ISO standards (such as ISO 27001) and corresponding security analyses, which provide critical infrastructures with security plans and protection measures capable of shielding them against a multitude of threats. However, little progress has been made regarding the protection of infrastructures against failures originating in their external environment, specifically in other infrastructures on which an infrastructure relies to ensure its uninterrupted operation. Modern critical infrastructures often depend on other infrastructures in order to deliver their services correctly and without interruption. This need has led to the creation of complex networks of interdependent infrastructures. These interdependency graphs hide information about what could happen if a failure took one of the infrastructures out of operation. In other words, these graphs of critical infrastructures are as safe as their most critical interdependency path and as exposed as their most dangerous infrastructure node. Also (at a lower level of infrastructure security analysis), minimal progress has been made in protecting infrastructures from human error, when employees operate software that controls the machinery on which critical infrastructures rely, especially when these operations are controlled remotely. Although it is common knowledge that software often contains logical flaws in its implemented business logic, flaws introduced during development, very little research time has been devoted to finding a way to detect these errors and to safeguard the uninterrupted operation of software, especially software that is responsible for a multitude of services in a critical infrastructure. Logical errors inside such important software can lead to major failures and even trigger a chain reaction of failures among interconnected critical infrastructures.
With this in mind, the process of shielding critical infrastructures against dangers and failures that have not yet been adequately investigated appears to be twofold. First, each infrastructure must be protected not only as a self-contained entity, but also as part of a chain of connected critical infrastructures. Security officers must be able to identify the potential effects of cascading failures among interdependent critical infrastructures and to analyze their impacts and the likelihood of their occurrence, exactly as one attempts to analyze a single critical infrastructure on its own (DHS, 2013). At the same time, a secure critical infrastructure is one that also protects its information systems at the software level; in other words, one that protects the ecosystem of programs controlling a critical infrastructure through mechanisms for auditing, protecting and managing software against vulnerabilities that may not yet have been detected.
This dissertation approaches the security of critical infrastructures through the development of practical solutions addressing both of the aforementioned categories, at all levels of analysis. This work departs from the mainstream security literature on critical infrastructure protection in the following ways:
a) It develops a combined multi-methodology capable of detecting and assessing cascading failures among interdependent critical infrastructures,
b) It develops algorithms and strategies that can be applied in practice to mitigate the risk of potential cascading failures among interdependent infrastructures,
c) It develops a methodology for the automatic detection of logical errors, race conditions and vulnerabilities that stem from incorrectly implemented business logic within software and may lead to severe software failures; specifically, in software that can operate critical infrastructure machinery remotely. To the best of our knowledge, this is the first implemented method capable of detecting logical errors that can lead to hardware failures due to incorrectly implemented functionality, and of doing so across different kinds of software. Although the primary goal was to use this methodology to protect software in critical infrastructures, the method proved usable on a much wider basis and in a multitude of applications.
To raise the bar even further, this dissertation also presents two new tools, PLATO and CIDA, which are implementations of the aforementioned proposed methods for protecting critical infrastructures. These tools perform automated analysis and do not require significant technical expertise from their users. Specifically, PLATO is a tool that can automatically detect certain types of logical software errors. Among other experiments, it was used to detect logical errors in applications capable of remotely controlling machinery in critical infrastructures. In addition, a macroscopic prediction model is proposed that can identify potentially dangerous chains of interdependent critical infrastructures and predict the evolution of failures within them over time. This model is complemented by a graph-analysis methodology able to pinpoint dangerous critical infrastructures within a network of interdependent infrastructures that may significantly affect the overall stability of the system. This multi-model was implemented in a tool named CIDA, a tool that can model the cascading effect of failures among infrastructures, analyze the evolution of failures and their impacts and, finally, pinpoint critical infrastructures that, should they collapse, could cause massive damage to many interconnected infrastructures simultaneously.
The chapters of this dissertation are summarized as follows:
Chapter 1 presents the motivation of this research, its aim and our working method, along with a concise description of the research contribution to the field.
Chapter 2 presents the background of the dissertation. It provides the definitions of critical infrastructures, software, vulnerabilities and failures adopted throughout the dissertation. It then reviews risk-analysis processes for critical infrastructures and the security-analysis methodologies for both critical infrastructures and their software. The chapter also discusses the challenges that critical infrastructures introduce in safeguarding the security of a nation's citizens.
Chapter 3 studies the automatic detection of logical errors. Specifically, a method is proposed, also implemented in a tool named PLATO, that can detect several kinds of logical errors in several kinds of applications, from simple programs to applications capable of remotely controlling critical infrastructure machinery. Ways of analyzing software logic in the form of mathematical predicates are examined, together with their use for detecting errors that would otherwise go unnoticed by technical analyses and source-code reviews. The chapter also studies how such potential flaws are detected and assessed in order to predict errors that can lead to serious software and hardware failures.
Chapter 4 presents methodologies for analyzing interdependencies between critical infrastructures in order to propose efficient techniques for reducing risk and the likelihood of failures in critical infrastructures. Using graph theory, it explores the correlations and connections between the paths formed by interdependent infrastructures. It shows how graph-theoretic metrics can be applied to identify and evaluate alternative risk-mitigation strategies among infrastructures. The experiments presented are based on random graphs of interdependent infrastructures that simulate existing critical infrastructures and their interconnections, as published in recent studies. Finally, using the results of these experiments, an algorithm is proposed for ranking the importance of critical infrastructures within a graph of interdependent infrastructures, so that specific protection measures can be examined in order to maximize risk reduction across the entire system of dependent infrastructures.
In Chapter 5, a method for analyzing interdependencies of critical infrastructures is studied and extended, in order to achieve a dynamic assessment of cascading failures between infrastructures over time. The use of different mathematical growth models is proposed to adequately capture the slow, linear and exponential evolution of failures in critical infrastructures; moreover, instead of simple, static risk projections, an "objective" treatment of the fuzziness of failure impacts is proposed, through an advanced fuzzy-logic model that also takes into account neighboring infrastructure dependencies and their potential failures. Finally, the implementation of the above methodology in the CIDA tool is presented, along with results from using the tool on a real disaster scenario that occurred in California. The chapter closes with a presentation of the tool's performance in predicting failures and their impacts.
The dissertation concludes in Chapter 6 with a summary and proposals for future research.
Table of Contents
List of Figures .......................................................................................................... xxii
List of Tables ........................................................................................................... xxii
List of Acronyms ..................................................................................................... xxii
Chapter 1: Introduction ....................................................................................... 1
1.1 Research motivation ........................................................................................................ 1
1.1.1 Motivation for analyzing infrastructure interdependencies ...................................... 1
1.1.2 Motivation for analyzing high-level software ........................................................... 3
1.2 Research statement and approach .................................................................................... 4
1.3 Contributions ................................................................................................................... 5
1.3.1 Contributions in logical error detection and software system failures...................... 5
1.3.2 Contributions in infrastructure dependency analysis along with mitigation of
cascading and common-cause failures ............................................................................... 6
1.4 Dissertation outline ......................................................................................................... 8
Chapter 2: Background ...................................................................................... 11
2.1 Definitions of Critical Infrastructure ............................................................................. 11
2.2 Risk Analysis in all granularity levels ........................................................................... 13
A. Establish the Scope .................................................................................................. 13
B. Identify the Risks ..................................................................................................... 14
C. Analyze the Risks .................................................................................................... 15
D. Treat the Risks ......................................................................................................... 15
2.4 Threat model ................................................................................................................. 16
2.5 Summary ....................................................................................................................... 17
Chapter 3: Automatically detecting logical errors, race conditions and IT
infrastructure failures in software using dynamic invariant assertions and
symbolic execution .................................................................................................... 20
3.1 Introduction ................................................................................................................... 20
3.2 Related Work ................................................................................................................. 22
3.3 Analysis Building Blocks .............................................................................................. 23
3.3.1. Dynamic Invariants for profiling the behavior of the source code ........................ 23
3.3.2. Symbolic execution for verifying dynamic invariants ........................................... 24
3.3.3. Fuzzy Logic classification of detections ................................................................ 25
3.3.3.1. Severity ........................................................................................................... 26
3.3.3.2. Measuring Severity of execution paths using its Statistical Information
Gain ............................................................................................................................. 27
3.3.3.3. Reliability ....................................................................................................... 29
3.3.3.5. Risk: Combining Severity and Reliability ratings .......................................... 31
3.4 A method to detect logical errors in source code .......................................................... 32
3.4.1. The method’s workflow ......................................................................................... 33
3.4.2. PLATO’s architecture ............................................................................................ 33
3.4.3. Classifying execution paths ................................................................................... 35
3.4.3.1 A Taxonomy of instructions for Severity calculations ............................ 35
3.4.3.2. Instructions for Reliability calculations .......................................................... 37
3.4.4. Symbolic execution and PLATO’s JPF listener .................................................... 37
3.5 Experimental results ................................................................................................ 38
3.5.1 An example AUT .................................................................................................... 38
3.5.2 Experiment 1: real-world airline test from the SIR Object Database .................. 39
3.5.3 Experiment 2: Manipulating remote SCADA RTUs (logical error CWE 840) ... 41
3.5.4 Experiment 3: Real-world injection test - NASA’s Apollo Lunar Lander 790
controller .......................................................................................................................... 45
3.6 Discussion and comparisons .................................................................................... 47
3.7 Advantages and Limitations .................................................................................... 48
3.8 Summary ....................................................................................................................... 48
Chapter 4: Risk Mitigation Strategies for Critical Infrastructures Based on
Graph Centrality Analysis ....................................................................................... 51
4.1 Introduction ................................................................................................................... 51
4.2 Building Blocks ............................................................................................................ 53
4.2.1. Multi-risk dependency analysis methodology ....................................................... 53
4.2.1.1. First-order dependency risk ............................................................................ 53
4.2.1.2. Extending to n-order dependency risk ............................................................ 53
4.2.2. Graph centrality metrics ......................................................................................... 54
4.2.3. Feature selection .................................................................................................. 54
4.3 Exploring Centrality Metrics in Dependency Risk Graphs ........................................... 55
4.3.1. Analysis of centrality metrics ................................................................................ 56
4.3.1.1. Degree centrality ............................................................................................. 56
4.3.1.2. Closeness centrality ........................................................................................ 56
4.3.1.3. Eccentricity centrality ..................................................................................... 57
4.3.1.4. Betweenness centrality ................................................................................ 57
4.3.1.5. Bonacich (Eigenvector) centrality .................................................................. 57
4.3.2. Applying feature selection to classify centrality metrics ....................................... 58
4.3.2.1. Results of feature selection for centrality metrics ........................................... 59
4.4 An Algorithm for Efficient Risk Mitigation Strategy.............................................. 60
4.4.1. Modeling feature selection results to algorithmic restrictions ............................... 60
4.4.1.1. Model Definition ............................................................................................ 61
4.4.1.2. Setup ............................................................................................................... 62
4.4.1.3. Using decision trees and Information Gain for node selection ....................... 62
4.4.1.4. Example: Traversing a decision tree using Information Gain splits ............... 63
4.5 Validation of the proposed algorithm ...................................................................... 64
4.5.1. Efficiency analysis of the proposed mitigation strategy .................................. 65
4.5.1.1. Effect of the algorithm in the most critical path ............................................. 66
4.5.1.2. Effect of the algorithm in the top 20 risk paths .............................................. 66
4.5.1.3. Effect of the algorithm in the entire dependency risk graph ........................... 68
4.5.2. Comparing results with alternative mitigation strategies ....................................... 68
4.5.2.1. Using initiators from the most critical paths ................................................... 68
4.5.2.2. Using nodes with high Degree Centrality (sinkholes and outbound) ............. 69
4.5.2.3. Comparison results ......................................................................................... 69
4.5.3. Implementation details ........................................................................................... 69
4.6. Conclusions .................................................................................................................. 70
4.6.1. Advantages and Limitations of the proposed mitigation method .......................... 70
Chapter 5: Time-based Critical Infrastructure Dependency Analysis for
Large-Scale and Cross-Sectoral Failures................................................................ 72
5.1 Introduction ................................................................................................................... 72
5.1.1. Large-scale and cross-sectoral dependencies ......................................................... 73
5.2. Building Blocks ............................................................................................................ 73
5.2.1. Multi-risk dependency analysis methodology ....................................................... 73
5.2.1.1. First-order dependency risk ............................................................................ 74
5.2.1.2. Risk of n-order dependencies ......................................................................... 75
5.2.2 Fuzzy Logic ............................................................................................................ 76
5.3. A Method for Time-Based Analysis of Cascading and Common Cause Failures ........ 77
5.3.1. Modeling Time Analysis of Cascading Failures .................................................... 77
5.3.1.1. Model Definition ............................................................................................ 77
5.3.1.2. Setup ............................................................................................................... 79
5.3.1.3. Calculating Fuzzy Time-based Impact Values ............................................... 81
5.3.1.4. Time-related Multi-order Dependency Risk ................................................... 82
5.3.2. Combining cascading and common-cause failure risks ......................................... 83
5.4. Design and Implementation of the CIDA tool .............................................................. 84
5.4.1. The Neo4J graph database ..................................................................................... 84
5.4.2. Design of the Dependency Graph Analysis Tool................................................... 85
5.4.3. Modeling CIs & Dependencies .............................................................................. 86
5.5. Efficiency analysis........................................................................................................ 87
5.6. Analyzing Real-World Scenarios of Cascading Effects ............................................... 89
5.6.1. Case study: A real-world cascading blackout failure............................................. 89
5.6.2. A cascading-only dependency failure scenario ...................................................... 92
5.6.3. Combined common-cause and cascading scenarios .............................................. 94
5.7. Discussion and Comparison with Other Approaches .............................................. 94
5.7.1. Comparison with related methodologies and tools ................................................ 94
5.7.2. Advantages and Limitations .................................................................................. 97
Chapter 6: Conclusions....................................................................................... 99
6.1 Summary and discussion ............................................................................................... 99
6.2 Publications ................................................................................................................. 101
6.3 Future work ................................................................................................................. 103
6.4 Concluding remarks .................................................................................................... 104
Appendix .................................................................................................................. 107
A. Time-Based Analysis of cascading failures using the CIDA tool ................................ 107
A1. Tool libraries and development............................................................................... 107
A2. Fuzzy Logic IF THEN rules.................................................................................... 108
A3. Impact Time Tables ................................................................................................ 109
A4. Guide to installing the CIDA Eclipse project ......................................................... 117
References ................................................................................................................ 118
List of Figures
Figure 1: ............................................................................................................................................. 32
Figure 2: ............................................................................................................................................. 34
Figure 3: ............................................................................................................................................. 37
Figure 4: ............................................................................................................................................. 38
Figure 5: ............................................................................................................................................. 39
Figure 6: ............................................................................................................................................. 40
Figure 7: ............................................................................................................................................. 40
Figure 8: ............................................................................................................................................. 40
Figure 9: ............................................................................................................................................. 42
Figure 10: ........................................................................................................................................... 43
Figure 11: ........................................................................................................................................... 43
Figure 12: ........................................................................................................................................... 46
Figure 13: ........................................................................................................................................... 66
Figure 14: ........................................................................................................................................... 67
Figure 15: ........................................................................................................................................... 68
Figure 16: ........................................................................................................................................... 78
Figure 17: ........................................................................................................................................... 87
Figure 18: ........................................................................................................................................... 89
Figure 19: ........................................................................................................................................... 90
Figure 20: ........................................................................................................................................... 91
Figure 21: ........................................................................................................................................... 92
Figure 22: ........................................................................................................................................... 93
List of Tables
Table 1: ........................................................................................................................................... 11
Table 2: ........................................................................................................................................... 29
Table 3: ........................................................................................................................................... 31
Table 4: ........................................................................................................................................... 32
Table 5: ........................................................................................................................................... 36
Table 6: ........................................................................................................................................... 37
Table 7: ........................................................................................................................................... 45
Table 8: ........................................................................................................................................... 59
Table 9: ........................................................................................................................................... 59
Table 10: ......................................................................................................................................... 69
Table 11: ......................................................................................................................................... 75
Table 12: ......................................................................................................................................... 81
Table 13: ......................................................................................................................................... 91
List of Acronyms
CI Critical Infrastructure
AUT Application Under Test
SUT Software Under Test
RTU Remote Terminal Unit
Chapter 1: Introduction
1.1 Research motivation
Most Critical Infrastructures (CIs) can be modeled as cyber-physical systems whose cyber
components control their underlying physical components. CIs are inherently complex systems
since they integrate heterogeneous platforms, proprietary systems, protocols and open
communication networks. In addition, CIs are usually interconnected and interdependent with
other CIs which may belong to different sectors (such as energy, ICT or transportation).
According to (Rinaldi, 2001) CIs may have physical, informational or logical dependencies
between them. Thus, a failure in one infrastructure may affect the operation of other CIs due
to their dependencies. In the case of geographical dependency, seemingly independent CIs may
be affected by a threat due to their physical proximity. The protection from such types of
dependency failures is an active and recent area of research, as shown by the numerous projects
on the topic, e.g. DIESIS (Usov, 2010) (Rome, 2009), I2Sim (Marti, 2008), CIPRNet (Critical
infrastructure resilience network, 2014). Dependency modeling, simulation and analysis
(MS&A) has been studied extensively, using various approaches.
Disruptions or outages in CIs are usually categorized as cascading, escalating, or common-
cause (Rinaldi, 2001).
• A cascading failure is defined as a failure in which a disruption in an infrastructure A
affects one or more components in another infrastructure, say B, which in turn leads to the
partial or total unavailability of B.
• An escalating failure is defined as a failure in which disruption in one infrastructure
exacerbates an independent disruption of another infrastructure, usually in the form of
increasing the severity or the time needed for recovering from the second failure.
• A common-cause failure occurs when two or more infrastructure networks are disrupted at
the same time: components within each network fail because of some common cause. This
occurs when two infrastructures are co-located (geographic interdependency) or if the root
cause of the failure is widespread (e.g. a natural or a man-made disaster).
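The propagation mechanism behind a cascading failure can be illustrated with a small sketch. The following Python fragment (illustrative only; the infrastructure names and the all-or-nothing propagation rule are invented, not taken from the dissertation's risk model) computes the set of CIs affected when one infrastructure fails in a directed dependency graph:

```python
# Illustrative sketch: propagating a cascading failure through a
# directed dependency graph. `dependents` maps a CI to the CIs
# that depend on it (i.e. that fail if it fails).

def cascade(dependents, source):
    """Return the set of infrastructures affected if `source` fails."""
    affected, frontier = {source}, [source]
    while frontier:
        ci = frontier.pop()
        for dep in dependents.get(ci, []):
            if dep not in affected:      # visit each CI only once
                affected.add(dep)
                frontier.append(dep)
    return affected

# A power outage cascades to telecom and water, and via telecom to banking:
deps = {"power": ["telecom", "water"], "telecom": ["banking"]}
print(sorted(cascade(deps, "power")))  # ['banking', 'power', 'telecom', 'water']
```

In the dissertation's model each dependency carries an impact and likelihood rather than a binary fail/no-fail edge, but the graph traversal underlying n-order dependency risk follows the same shape.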
1.1.1 Motivation for analyzing infrastructure interdependencies
Recently, several dependency analysis methodologies and tools have been proposed,
focusing either on the impact (Franchina, 2011), consequences (Robert, 2004) or on the risk
derived from CI dependencies (Utne, 2011) (Kjølle, 2012) (Kotzanikolaou, 2011)
(Kotzanikolaou, 2013) (Kotzanikolaou, 2013) and their potential cascading effect.
Existing methodologies and tools are usually sector-specific, oriented to power distribution
(e.g. (Carreras, 2012)) or to water distribution networks (e.g. (Judi, 2007)). These tools are very
useful for low-level analysis of small-scale scenarios; for example to identify the critical
components within a power transmission network. However, they may fall short when high-
level analysis is needed in order to model large-scale, cross-sectoral scenarios. For example,
the identification of dependency paths of high economic or societal risk that affect different
sectors. In practice, the CI operators perform risk assessments at an organization-level and may
not have knowledge (or interest) on threats coming from other dependent CIs. Such knowledge
can be acquired, to some extent, by taking part in international table-top exercises (Luiijf,
2010). Even though the economic impact of a failure can be assessed by a CI operator
(at the organizational level), the overall impact (or risk) of a given CI failure on other dependent CIs
is not a tangible number, especially when dealing with multi-order dependencies.
The need for a high-level multi-sectoral risk assessment has been recognized by international
bodies and policies (The post 2015 Hyogo Framework for Action, 2015). A high-level risk
analysis allows the identification of complex cascade or common-cause risk paths and the
comparison of alternative mitigation strategies. Note that a multi-layer risk assessment is not
an alternative to organization-wide risk assessments, since these are prerequisite input for a
multi-risk analysis. Such analysis would require modeling and analyzing hundreds or even
thousands of CIs. If a time-based analysis is to be performed, then complexity is even higher.
Unfortunately, the computation of the cumulative security risks and the identification of the
critical points of failure is NP-complete; thus suboptimal, yet usable, dependency analysis
tools have to be developed.
Another issue is that existing risk mitigation methodologies are usually empirical, and they
focus on CIs which are possible initiators of cascading failure and usually belong to specific
sectors such as Energy and ICT. By studying actual large-scale failures, it is obvious that these
two sectors often initiate serious cascading effects amongst interdependent CIs (e.g. the famous
California blackout scenario or the recent New York blackout scenario of 2015). However,
focusing only on some sectors and on potential initiators may not be suitable in every case. The
impact of each dependency should be taken into account together with the position of each CI
within a network of interdependent CIs.
The systematic identification of the most important nodes and the prioritization of nodes for
the application of security controls can therefore be a complex task. The need for a high-level
and efficient risk mitigation technique that takes into account multiple characteristics of the
interdependent CIs is a well-known fact (Critical infrastructure resilience network, 2014). An
optimal risk mitigation methodology would allow the detection of the smallest subset of CIs
that has the highest effect on the overall risk reduction in a risk graph, even though the
candidate nodes might not initiate a critical path or may not even belong to the most critical
paths.
1.1.2 Motivation for analyzing high-level software
As already stated, securing critical infrastructures is a complicated problem requiring
multiple approaches at different granularity levels. This thesis approaches infrastructure
security from yet another angle: securing the high-level software that controls infrastructure
machinery against flaws and errors in its logic that can lead to critical system failures.
When industries started connecting critical infrastructure systems (like SCADA systems)
with the Internet, these control systems were exposed to various vulnerabilities and threats
(Krutz, 2005). Built as standalone, isolated control systems, they lacked the proper security
measures needed to support a robust and safe functionality over the Internet. For example, an
over-the-Internet, man-in-the-middle attack on a green diesel generator that led to a total
meltdown has been presented in the literature (Alcaraz, 2011).
Obviously, the consequences of maliciously operating SCADA systems can be devastating.
Modern implementations use the Internet and allow common programming languages
(such as Java) to send and receive data and commands through the central control unit to RTUs.
Such implementations include, amongst others, openSCADA (Openscada, 2014), MODBUS4J
(Krutz, 2005) (Chikuni, 2007) and JAMOD (Wimberger, 2004), which uses the MODBUS
protocol. The added complexity coupled with open-source components resulted in an increase
in software weaknesses, vulnerabilities and failures in these types of systems (Cardenas, 2008).
A number of logical threats have been registered in public databases (Chikuni, 2007). Source
code analysis of programs that remotely control RTUs opens a path to prevent software failures.
Such failures may lead to malfunction in individual controllers or infrastructures, or even
initiate cascading failures in dependent infrastructures. Yet, to our knowledge, no effort has been
made to detect logical flaws in the functionality of software that controls RTUs; flaws due
to erroneous implementation of the intended functionality in source code. Research on
automated detection of software errors and vulnerabilities has mainly focused on static analysis
and software model checking techniques that are effective in detecting a priori specified errors
(e.g. Time Of Check - Time Of Use errors, null pointer dereferences etc.), bad coding patterns
and some types of exploitable vulnerabilities (e.g. unsanitized input data, buffer overflows etc.)
(Codepro 2015) (Ucdetector, 2015) (Pmd, 2015) (Hovemeyer, 2004) (Coverity, 2015)
(Pasareanu, 2004) (Java pathfinder tool, 2015). Yet, errors related to the intended program
functionality, which are broadly called logical errors, are not a priori known. In a code auditing
process, they cannot be analyzed as pattern-specific errors since they are rather application-
specific. At the level of the program’s execution flow, these errors will cause execution
diversions that manifest as unintended program behavior (Felmetsger, 2010). A typical example
is the following:
Example 1. Consider an RTU that controls the gas supply in an infrastructure, using coils; a
faulty implementation of business logic in software can lead the program execution to bypass
some pressure checks and allow sending the same “increase flow” command more times than
the pipe system can handle, eventually making the pressure reach critical levels. Automated
detection of such software behavior is a relatively uncharted territory.
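The flaw in Example 1 can be made concrete with a small sketch. The Python fragment below is hypothetical (the class, pressure values and guard logic are invented for illustration, not taken from any real RTU software): the pressure check is performed only once instead of on every command, so repeated “increase flow” commands bypass it and push the pressure past the safe limit. No pattern-based scanner would flag this, since every individual statement is well-formed; only the implemented business logic is wrong.

```python
# Hypothetical sketch of the logical error in Example 1: the safety
# guard runs on the first command only, so later "increase flow"
# commands bypass the pressure check entirely.

MAX_SAFE_PRESSURE = 100  # invented safety limit

class GasRTU:
    def __init__(self):
        self.pressure = 90
        self.checked = False

    def increase_flow(self):
        # Logical flaw: the guard is skipped once `checked` is set,
        # instead of being re-evaluated on every command.
        if not self.checked:
            if self.pressure >= MAX_SAFE_PRESSURE:
                return "rejected"
            self.checked = True
        self.pressure += 5
        return "ok"

rtu = GasRTU()
for _ in range(4):
    rtu.increase_flow()
print(rtu.pressure > MAX_SAFE_PRESSURE)  # True: pressure has reached 110
```

An invariant such as `pressure <= MAX_SAFE_PRESSURE` is violated only along the execution path that issues repeated commands, which is exactly the kind of path-dependent behavior the detection method in Chapter 3 targets.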
Modern automated source code analysis techniques can be very successful in detecting a
priori defined defect patterns and security vulnerabilities. Yet, they cannot detect flaws that
manifest due to erroneous translation of the software’s functional requirements into the source
code. The automated detection of logical errors that are attributed to a faulty implementation of
an application’s functionality is relatively uncharted territory. We propose a combination of
automated analyses for logical error detection. As a proof of concept, our method has been
implemented in a prototype tool called PLATO that can detect various types of logical errors.
1.2 Research statement and approach
Under the aforementioned circumstances, it is evident that critical infrastructures are
currently vulnerable and must be protected against failures originating both from
interdependencies with other CIs and from flawed critical, high-level software able to
manipulate their systems and machinery. More specifically, current risk mitigation approaches
deem it adequate to analyze a critical infrastructure as a single entity rather than as a node in a
complicated dependency graph. Also, they focus solely on security countermeasures against
technical and organizational issues and not on the software itself and its potential uses.
This is evident in many risk assessments. The measures proposed focus solely on one critical
infrastructure and its information system(s), while taking into consideration neither CI
dependencies nor custom software that is sometimes developed specifically to handle
an infrastructure’s machinery. Therefore, proposed countermeasures can only help mitigate risk
from specific types of attacks and failures. Our findings suggest that regardless of how strict a
risk assessment of a CI may be or how up-to-date its software is kept, it still leaves room for
many types of failures to manifest, originating from threats outside the CI itself, whether that is a
different infrastructure or a software application.
In this thesis, steps are taken in order to (a) understand the interconnections between
infrastructures and the graphs they form (sometimes even across borders in multiple nations)
and (b) understand logical flaws in software that can lead to system or machinery failures.
Moreover, it is noticed that the mainstream CI dependency analysis tools focus mainly on the
‘nuts and bolts’ of CI interdependency analysis while ignoring both the evolution of impact
from failures over time and the position of a CI inside the dependency risk graph where multiple
CIs lie. At the lower granularity level, it is noticed that current state-of-the-art source code
analysis tools ignore user practices and the business logic implemented inside the source code,
focusing instead on technical vulnerabilities and a priori known flaws (such as TOCTOU or
buffer overflows). In this context, this thesis makes the following research statement:
The current state of critical infrastructure security fails to protect critical infrastructures
across nations, both from interdependencies with other infrastructures and from
programming errors inside their own critical software.
This thesis contains evidence that supports this statement. Our findings suggest that it is indeed
possible to mitigate risk in interconnected critical infrastructures both by analyzing their
dependencies inside a CI graph and by securing critical infrastructure software from logical
errors.
1.3 Contributions
This thesis makes the following contributions in two different areas that concern the security
of critical infrastructures.
1.3.1 Contributions in logical error detection and software system failures
The first area is that of detecting logical errors in software which may lead to system failures.
In this subject, this thesis made the following contributions:
We show how most types of information-flow-dependent logical errors can be detected
by classifying invariant violations and their corresponding execution paths. Detections are
classified in two different groups of sets, as follows:
• the Severity sets, quantifying the danger level of an execution path π (the impact of an
error, if it were to manifest on path π during execution). Severity is computed by a
classification algorithm that uses the Information Gain metric from data mining;
• the Reliability sets, quantifying a path π with an invariant violation, based on the size
and complexity of the code traversed by path π.
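Since Severity classification relies on Information Gain, a minimal sketch of that metric may help. The fragment below (the path feature `writes_rtu` and the severity labels are invented for illustration; the actual feature set used by PLATO is defined in Chapter 3) scores how well a single feature separates execution paths into severity classes:

```python
# Minimal sketch of the Information Gain metric from data mining:
# entropy of the labels minus the weighted entropy after splitting
# on one candidate feature.
import math

def entropy(labels):
    """Shannon entropy of a list of class labels."""
    n = len(labels)
    return -sum((c / n) * math.log2(c / n)
                for c in (labels.count(l) for l in set(labels)))

def information_gain(rows, labels, feature):
    """IG of splitting `rows` (dicts of path features) on `feature`."""
    gain = entropy(labels)
    for value in set(r[feature] for r in rows):
        subset = [l for r, l in zip(rows, labels) if r[feature] == value]
        gain -= len(subset) / len(labels) * entropy(subset)
    return gain

# Invented example: paths that write to an RTU register are labelled
# high-severity, the rest low-severity -- a perfect split yields IG = 1.0.
paths = [{"writes_rtu": True}, {"writes_rtu": True},
         {"writes_rtu": False}, {"writes_rtu": False}]
severity = ["high", "high", "low", "low"]
print(information_gain(paths, severity, "writes_rtu"))  # 1.0
```

A feature with Information Gain near zero tells the classifier nothing about a path's danger level, while a feature near 1.0 separates the severity classes almost perfectly.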
We present PLATO, a prototype tool for the detection of logical errors, race conditions
and vulnerabilities in software applications able to perform various critical tasks. To the best
of our knowledge, PLATO is the first tool that can detect logical errors in diverse situations.
To test the range of errors that can be detected, we evaluate PLATO on three different
AUTs with different types of logical errors: (i) A multi-threaded airline control system for
selling airplane tickets, which is a real-world software that has been previously used in a
controlled experimentation with program analysis. (ii) A real-world software based on the
National Institute of Standards and Technology (Boland, 2012) that was intentionally designed
with logical errors leading to software vulnerabilities. This NIST-based software can handle
field sensors in a SCADA system and (iii) A controller from NASA’s Lunar Lander, where we
injected logically malformed data based on code metrics.
These diverse tests were chosen to show the flexibility of the proposed approach in detecting
logical errors in various situations. The fact that PLATO flagged all types of logical errors in
all tests serves as a proof of concept that our method is a viable solution for the automated
detection of logical errors.
1.3.2 Contributions in infrastructure dependency analysis along with mitigation of
cascading and common-cause failures
The second research area is that of analyzing the dependencies between interconnected
critical infrastructures: analyzing infrastructure graphs, pinpointing critical risk paths for
cascading failures along with dangerous CIs that greatly affect the entire web of interconnected
infrastructures, and proposing mitigation strategies to lower the overall risk of failures in
interdependent CIs. In this part of our research endeavors, this thesis made the following
contributions:
We extend our recent work on CI dependency analysis (Kotzanikolaou, 2011)
(Kotzanikolaou, 2013) (Kotzanikolaou, 2013). We design and implement a Critical
Infrastructure Dependency Analysis tool (CIDA) (Stergiopoulos, 2014), which is based on risk
analysis and graph modelling. Our extensions are twofold:
a) We introduce time-based analysis models to study the evolution of dependency chains
during slow, linear or fast evolving cascading failures. Note that each examined
dependency may follow a different time model, which is “fine-tuned” using fuzzy
modelling.
b) We model concurrent cascading and common-cause failures, in order to effectively
analyze major failures.
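The distinction between slow, linear and fast evolving failures can be sketched with simple growth curves (the functional forms below are assumptions made for illustration; CIDA derives its time-based impact values from fuzzy IF-THEN rules, described in Chapter 5 and the Appendix):

```python
# Illustrative sketch: impact of a cascading failure evolving over
# time under slow, linear and fast growth, capped at the maximum
# impact of the dependency.

def impact_at(t, t_full, max_impact, model="linear"):
    """Impact reached `t` hours after the failure, assuming the full
    impact `max_impact` is reached at `t_full` hours."""
    x = min(t / t_full, 1.0)     # normalized elapsed time
    if model == "slow":          # slow start, damage surges late
        x = x ** 2
    elif model == "fast":        # most of the damage occurs early
        x = x ** 0.5
    return round(max_impact * x, 3)

# Halfway through an 8-hour outage, the three models disagree sharply:
for m in ("slow", "linear", "fast"):
    print(m, impact_at(4, 8, 10, m))
```

The practical consequence is the one argued in Chapter 5: two dependency chains with the same final risk can demand very different mitigation priorities, because a “fast” dependency leaves far less time to react than a “slow” one.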
In order to validate the applicability and efficiency of our approach, we stress-test our tool,
using random graphs of up to a thousand nodes (CIs) with randomly selected dependencies.
Our tests demonstrate the computational efficiency of CIDA for large-scale scenarios, under
reasonable parameters (i.e. maximum number of dependencies per node and maximum order
of dependencies). As a proof of concept, we also run targeted tests based on data of real
cascading and common-cause failures.
CIDA is a proactive modelling and security dependency analysis tool for the analysis of
large-scale and cross-sectoral dependency scenarios. It allows risk assessors and CIP decision
makers to analyze complex dependency graphs and identify critical dependency chains before
an actual threat has occurred. Thus it can reveal underestimated dependency risks that need
further attention. Moreover, CIDA may also be used as an efficient tool for the assessment of
alternative risk mitigation strategies and therefore help increase CI resilience1.
Towards this direction, in this thesis we also explore the use of graph centrality metrics in
Dependency Risk Graphs, in order to effectively prioritize CIs when applying risk mitigation
controls. Our goal is to design, implement and evaluate the effectiveness of alternative risk
mitigation strategies. Each examined mitigation strategy is implemented algorithmically and it
is empirically evaluated through simulations. The ultimate goal is to identify the minimum
subset of CI nodes within a graph, whose risk treatment (application of security controls) would
result in the maximum risk reduction in the entire graph of interdependent CIs.
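As a rough illustration of this minimum-subset goal, the following greedy sketch repeatedly treats the CI whose hardening yields the largest drop in total dependency risk. This is an illustrative assumption, not the thesis algorithm, which relies on centrality metrics:

```python
# Each edge (u, v, r) carries dependency risk r; treating either endpoint
# (applying security controls) is assumed to nullify that edge's risk.
def total_risk(edges, treated):
    return sum(r for u, v, r in edges if u not in treated and v not in treated)

def greedy_treatment(edges, nodes, k):
    """Pick up to k nodes to treat, each time maximizing the risk reduction."""
    treated = set()
    for _ in range(k):
        best = max(nodes - treated,
                   key=lambda n: total_risk(edges, treated)
                               - total_risk(edges, treated | {n}))
        treated.add(best)
    return treated

# Hypothetical interdependent CIs with assumed risk values.
edges = [("power", "gas", 0.9), ("power", "water", 0.7),
         ("gas", "pipeline", 0.5), ("telecom", "water", 0.2)]
nodes = {u for e in edges for u in e[:2]}
picked = greedy_treatment(edges, nodes, 1)  # "power" covers the most risk
```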
Regarding the pinpointing of dangerous CIs in Dependency Risk Graphs and the mitigation of
failure risk, this thesis's extensions are threefold:
a) We run various data mining experiments to identify correlations between centrality metrics
and CI nodes that have high impact in a dependency risk graph;
b) We use the optimum centrality metrics, as identified in the previous step, in order to
develop and test various risk mitigation strategies that maximize risk reduction. Results
show that each mitigation strategy is most effective in achieving specific goals;
c) We take into consideration nodes with a high number of inbound (sinkholes) and outbound
connections and compare risk reduction results.
In order to validate the proposed mitigation strategies, we run experiments on hundreds of
random graphs with randomly selected dependencies. These tests demonstrate the efficiency of
the proposed risk mitigation strategies. All random graphs match criteria found in real-world
CI graphs of interconnected infrastructures.
The proposed mitigation strategies can be used as a proactive tool for the analysis of large-
scale dependency infrastructure interconnections and pinpoint underestimated infrastructures
that are critical to the overall risk of a dependency graph.
1 Resilience implies the ability to withstand accidental or deliberate threats or incidents
(Presidential Policy Directive, 2013). A resilience-oriented approach accepts that failures will occur;
thus CIs should implement controls that effectively absorb, adapt to or rapidly recover from disruptive
events (Francis, 2014).
1.4 Dissertation outline
The rest of the dissertation is organized as follows:
Chapter 2 presents background information, specifically the proposed definitions of terms
necessary to present the research of this thesis: Namely, it provides the definition of a critical
infrastructure, infrastructure dependency, the notion of failure in critical infrastructures along
with the associated definitions of impact and likelihood. In addition, definitions are given for
the lower-granularity research on software systems. The following terms are defined: Application
under Test, software flaw, logical error, business logic, static analysis, dynamic analysis and
invariants.
This chapter also includes a survey of the most common tools and frameworks currently
available both for software application code analysis and for modeling complex infrastructure
interdependencies. The chapter also presents the current state of academic work in critical
infrastructure dependency analysis and software application code analysis.
Chapter 3 presents the proposed methodology for detecting source code logical errors in
software that may lead to exploitable vulnerabilities that affect the stability of information
systems. It presents a complete methodology based on (Felmetsger, 2010), along with its
implementation in a tool named PLATO that identifies various types of logical errors in source
code and classifies them according to the way they influence an AUT and the position where
they manifest inside the source code. Preliminary results suggest that various types of logical
errors that lead to software vulnerabilities can be automatically detected using the presented
methodology. The chapter ends with a discussion on potential uses of the aforementioned
method and tool to areas beyond the protection of software that handles machinery in CIs. This
technique can provide possible alternatives to code auditing in the generic area of source code
analysis. Also, PLATO’s rankings of detections are discussed as potential findings that can be
combined with information from classic Risk Assessments to provide an impact estimation of
a specific subtype of failure in critical infrastructures; e.g. in CIs that use software to manipulate
machinery.
Chapter 4 includes a methodology developed for critical infrastructure dependency analysis
which uses dynamic time-based analysis models. The proposed methodology uses different
failure models and applies fuzzy logic to simulate realistic approximations of dynamic
cascading failures between infrastructures. We implemented the methodology in a tool called
CIDA which is able to simulate the effects of dynamic, large-scale and major disasters.
Preliminary results suggest that, given adequate input from Risk Assessments, CIDA is
capable of foretelling the most critical risk paths of interconnected infrastructures at various
time points between the manifestation of a failure and its critical time point, i.e. the point at
which it manifests its highest impact on an infrastructure.
In Chapter 5, this thesis explores how graph centrality metrics can be applied to design and
to evaluate the effectiveness of risk mitigation strategies in dependency risk graphs formed by
interdependent CIs, by pinpointing Critical Infrastructures of high dependency value amongst
interconnected infrastructures. The presented algorithm explores the relation between
dependency risk paths and graph centrality characteristics, and proposes infrastructures
that are critical to the overall stability of the infrastructure web.
Preliminary results suggest that the proposed algorithm performs better than some well-known
techniques in pinpointing dangerous infrastructure links in interdependent CIs.
Chapter 6 concludes the dissertation with a summary, concluding remarks and future work.
Chapter 2: Background
This chapter includes the definitions of the terms Critical Infrastructure, Risk and Risk analysis
that are adopted in this thesis for all granularity levels. It includes a risk management process
applicable to every type of risk analysis, as applied to various aspects of a critical infrastructure:
its information systems, its dependencies and its overall threats. It continues with a
discussion of the security issues and currently proposed solutions for analyzing risk in CIs'
operating systems, and presents related literature on information systems and
infrastructure security. The chapter concludes with the threat model adopted in this thesis.
2.1 Definitions of Critical Infrastructure
This section reviews definitions used by governments in the context of national or regional
infrastructure protection programs and results are listed below (Gordon, 2008) (Emergency
management Australia, 2003) (Ministry of the Interior and Kingdom Relations, 2008):
Table 1: National Definitions of Critical Infrastructure
Australia “Critical infrastructure is defined as those physical facilities, supply
chains, information technologies and communication networks which, if
destroyed, degraded or rendered unavailable for an extended period, would
significantly impact on the social or economic well-being of the nation, or
affect Australia’s ability to conduct national defence and ensure national
security.”
Canada “Canada’s critical infrastructure consists of those physical and
information technology facilities, networks, services and assets which, if
disrupted or destroyed, would have a serious impact on the health, safety,
security or economic well-being of Canadians or the effective functioning
of governments in Canada.”
Germany “Critical infrastructures are organisations and facilities of major
importance to the community whose failure or impairment would cause a
sustained shortage of supplies, significant disruptions to public order or
other dramatic consequences.”
Netherlands “Critical infrastructure refers to products, services and the accompanying
processes that, in the event of disruption or failure, could cause major social
disturbance. This could be in the form of tremendous casualties and severe
economic damage… ”
United
Kingdom
“The [Critical National Infrastructure] comprises those assets, services
and systems that support the economic, political and social life of the UK
whose importance is such that loss could: 1) cause large-scale loss of life;
2) have a serious impact on the national economy; 3) have other grave social
consequences for the community; or 4) be of immediate concern to the
national government.”
United
States
The general definition of critical infrastructure in the overall US critical
infrastructure plan is: "systems and assets, whether physical or virtual, so
vital to the United States that the incapacity or destruction of such systems
and assets would have a debilitating impact on security, national economic
security, national public health or safety, or any combination of those
matters." For investment policy purposes, this definition is narrower:
“systems and assets, whether physical or virtual, so vital to the United States
that the incapacity or destruction of such systems and assets would have a
debilitating impact on national security."
Table 1 above shows the definitions of critical infrastructure used in six (6) published critical
infrastructure protection plans or strategies. This review of definitions considers separately the
two words -“critical” and “infrastructure”- and then looks at the sectorial coverage of critical
infrastructure protection programs.
• Critical: In most countries' definitions, the word “critical” refers to infrastructure that
provides an essential support for economic and social well-being, for public safety and for the
functioning of key government responsibilities. For example, Canada’s definition of criticality
involves “serious impact on the health, safety, security, or economic well-being of Canadians
or the effective functioning of governments in Canada.” Germany refers to “significant
disruptions to public order or other dramatic consequences.” The Netherlands' critical
infrastructure policy refers to infrastructure whose disruption would cause “major social
disturbance”, “tremendous loss of life” and “economic damage”. Thus, the word “critical”
refers to infrastructure which, if disabled or destroyed, would result in catastrophic and far-
reaching damage.
• Infrastructure: The definitions of “infrastructure” used in official descriptions of critical
infrastructure tend to be broad. All 6 governments in Table 1 refer to physical infrastructure.
Most also include intangible assets and/or production or communications networks.
Australia, for example, refers to “physical facilities, supply chains, information technologies,
and communications networks.” Canada refers to “physical and information technology
facilities, networks, services and assets”. The United Kingdom refers to “assets, services and
systems”.
2.2 Risk Analysis at all granularity levels
Everyone takes and manages risks all the time, balancing potential rewards against uncertain
losses. Risk management remains nevertheless a very difficult process. It requires combining
the ‘‘hard’’ scientist’s approach, who treats risks as something that can be objectively
measured, with the view of the ‘‘social’’ scientist who argues that risk is a fuzzy concept and
the propensity to take risks is in part culturally constructed (CRAMM User guide, 2005).
Risk is the effect of uncertainty on objectives (ISO/IEC, 2014). It is the chance of something
going wrong as a result of a hazard or a threat which has an impact on operations. Risks arise
out of uncertainty. A risk is measured in terms of its likelihood of happening and the
consequences if it should happen.
Risk management is the coordinated activity to direct and control an organization with regard
to risk (ISO/IEC, 2014). According to (CRAMM User guide, 2005) it is balancing the cost of
avoiding, reducing, transferring or accepting a risk with the consequences that can be expected
from taking the risk. The term risk management is used in a wide variety of disciplines, and
itself also combines concepts and techniques from a range of fields like statistics, economics,
operations research and decision theory.
Unfortunately, there are no standards for defining vulnerabilities and threat-sources,
assigning and combining impact and probability ratings, or introducing the impact of controls
in the field of information security related risk management. Recent standards and
recommendations on the management of information systems and organizing the protection of
information security within an organization widely recognize the importance of information
security related risk management.
According to (CRAMM User guide, 2005) Risk management processes typically include the
following four steps:
A. Establish the Scope
The first step in any risk management process consists in defining the scope of the risk
management process, in other words the information system that is the target of the evaluation,
its boundaries and environment. The characterization of the system must be as complete as
possible and most often includes the following elements:
• Hardware (e.g. servers, workstations, network equipment);
• Software (e.g. operating systems, system services, application software);
• Connectivity (internal and external);
• The information system’s mission;
• The information that is managed by the system and its requirements regarding
availability, integrity and confidentiality;
• Support staff and users; and
• Existing controls: technical controls (e.g. user identification and authentication
equipment, encryption hardware and software), management controls (e.g. security policy,
acceptable use policy), operational controls (e.g. backup and contingency operations, off-site
storage, user account creation and deletion procedures), physical security environment (e.g. site
security, data center policies), environmental security (e.g. controls for power, temperature,
humidity).
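The scope elements listed above can be captured in a simple record; the field names below are illustrative, not taken from any standard schema:

```python
from dataclasses import dataclass, field

@dataclass
class SystemScope:
    """Characterization of the target of evaluation (illustrative fields)."""
    mission: str
    hardware: list = field(default_factory=list)      # servers, workstations, ...
    software: list = field(default_factory=list)      # OS, services, applications
    connectivity: list = field(default_factory=list)  # internal/external links
    information: dict = field(default_factory=dict)   # asset -> CIA requirements
    staff: list = field(default_factory=list)         # support staff and users
    controls: dict = field(default_factory=dict)      # technical/management/...

# A hypothetical CI information system scope.
scope = SystemScope(
    mission="SCADA supervision of water pumps",
    hardware=["RTU", "PLC", "historian server"],
    information={"telemetry": {"availability": "high", "integrity": "high"}},
    controls={"technical": ["authentication"], "physical": ["site security"]},
)
```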
B. Identify the Risks
The second step of the risk management process consists in establishing a list of the risks to
which the information system is exposed.
First, based on the system and context description available at the end of the previous step,
the vulnerabilities that apply to the target of the evaluation are identified. A vulnerability is a
weakness of an asset or control that can be exploited by one or more threats (ISO/IEC, 2014).
It can be expressed as any flaw or weakness in the design of a system, in its implementation or
in the controls that are in place to protect it and that can result in damage when it is accidentally
triggered or intentionally exploited.
A threat-source is either the combination of the intent and the means to intentionally exploit
a vulnerability (e.g. a thief, a disgruntled employee) or a situation that may accidentally trigger
a vulnerability (e.g. an earthquake, a sloppy user) (CRAMM User guide, 2005). A threat is a
potential cause of an unwanted incident, which may result in harm to a system or organization
(ISO/IEC, 2014). It is the potential for a threat-source to accidentally trigger or intentionally
exploit a vulnerability. When for a given vulnerability there is no threat-source that has the
technical ability or motivation to exploit it, there is no threat (CRAMM User guide, 2005).
Likewise, when there is no vulnerability present for which a given threat-source has the
necessary skills, time and budget, this threat source poses no threat.
Each threat is then matched with the list of controls that were identified in the first phase,
and that mitigate the likelihood of a vulnerability being exercised or reduce the impact of such
an adverse event when it occurs. The resulting tuple (threat, threat-source, list of relevant
controls) defines the risk that will be assessed and treated in the subsequent steps.
C. Analyze the Risks
In this step, the risks that were identified are analyzed in more detail, so that the minor,
acceptable risks can be separated from the major risks which must absolutely be eliminated or
reduced. This involves deriving for each risk an overall likelihood rating that indicates the
probability that the vulnerability may be exercised by the corresponding threat-source. The
second element in risk assessment is rating the adverse impact of the vulnerability if
it were to be exercised. This rating will be based on an evaluation of the loss or degradation of
integrity, availability, and confidentiality of the information that is threatened by the
vulnerability.
When determining the probability and impact of a threat, the existing controls that reduce
the likelihood or impact and their adequacy have to be taken into account. The combination of
probability and impact will finally be translated into a single level of risk to the information
system, for instance using a risk-level matrix.
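Such a risk-level matrix can be expressed as a simple lookup table. The thresholds below are typical of tables like those in NIST SP 800-30, but are not mandated by any standard:

```python
# (likelihood, impact) -> overall risk level; illustrative 3x3 matrix.
MATRIX = {
    ("low", "low"): "low",     ("low", "medium"): "low",       ("low", "high"): "medium",
    ("medium", "low"): "low",  ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium", ("high", "medium"): "high",     ("high", "high"): "high",
}

def risk_level(likelihood, impact):
    """Translate a probability/impact pair into a single level of risk."""
    return MATRIX[(likelihood, impact)]
```

For example, a threat that is highly likely but of medium impact lands in the "high" cell, while a low/low pair remains "low" and may be retained rather than treated.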
D. Treat the Risks
Risks can be handled in a number of ways (CRAMM User guide, 2005):
• Risk Avoidance: means simply not performing the activity that carries the risk.
Unfortunately this also typically means losing out on the potential gain that performing the
activity might have produced.
• Risk Reduction: involves approaches that reduce the probability of the vulnerability
being triggered or reduce the impact when the vulnerability is triggered. Reducing a risk most
often involves putting in place controls.
• Risk Transfer: means passing the risk on to another party that is willing to accept the
risk, typically by contract or by hedging. Insurance is an example of risk transfer using
contracts.
• Risk Retention: means accepting the loss when it occurs. Risk retention is a viable
strategy for small-impact risks where the cost of insuring against the risk would be greater over
time than the total losses sustained. Also, all risks that are neither avoided nor transferred, and that
one cannot or does not wish to reduce any further, automatically fall under this category. This
includes risks that are so large or catastrophic that they either cannot be insured against or the
premiums would be infeasible.
The combination of methods used to handle each of the risks that were identified, analyzed
and treated, leads to a risk management plan that must then be implemented. Risk management
can be performed once for a given system, for instance before it comes in operation, and then
periodically updated during the lifetime of the system. In this case the feedback loop is not
permanent but rather periodically triggered. Risk management can, however, also be conceived
as a continuous process and influence decision-making at all instances through the life of the
system.
2.4 Threat model
This section briefly introduces the threat model for critical infrastructures, which includes
usage and threat details. Unless stated otherwise, the following chapters and the presented
methods always refer to, or build on, an input point of this model. This means that
the scope of this thesis focuses specifically on two points of entry for the model, as identified
earlier while analyzing the scope of risk analysis: software and (external) connectivity. The
methods presented in the following chapters thus try to cope with inherent and unresolved
security issues in these two elements.
Users. In this work users are considered to be average users, i.e. neither security nor technical
experts. Regarding their practices, it is assumed that these users:
a) Use software to manipulate various types of functionality (e.g. infrastructure machinery,
ticketing systems etc.),
b) Utilize software only within the boundaries of their given rights,
c) Do not intentionally try to sabotage, misuse or break software or hardware under their
supervision.
The latter is in accordance with the expectations for a user without a security mindset and
without advanced technical skills.
Threats. This work focuses on two types of threats, following the corresponding elements
of risk analysis; (i) threats relevant to the (mis)use of software applications by average users
and (ii) threats manifesting due to external interdependencies between critical infrastructures.
This work also focuses on the cascading failures through software malfunction threat, since as
discussed earlier, the use of software to control machinery in critical infrastructures can create
the conditions necessary for cascading failures to manifest. The decision to focus on these
threats is validated both by subsequent industrial incidents and relevant academic publications,
depicting the dangers of software misuse in IT systems and also the danger of interconnecting
multiple infrastructures.
The modeling and analysis of interdependencies between critical infrastructure elements is a
relatively new and very important field of study (Pederson, 2006). Much effort is currently
being spent to develop models that accurately simulate critical infrastructure behavior and
identify interdependencies and vulnerabilities. The results of these simulations are used by
private companies, government agencies, military, and communities to plan for expansion,
reduce costs, enhance redundancy, improve traffic flow, and to prepare for and respond to
emergencies.
Modern infrastructures often depend on other infrastructures to function properly. This
necessity has led to the development of complex networks of interdependent infrastructures.
These dependency graphs hide information about what will happen if a failure occurs; in
other words, they are as safe as their most critical path of interdependencies and as exposed as
their most dangerous node. For example, as far as the dangers of interdependent infrastructures
are concerned, Rinaldi, Peerenboom and Kelly in (Rinaldi et al., 2001) provide a visual
presentation of the well-known electric failure scenario of California which is a characteristic,
real-case example of a multi-order dependency between CIs. The electric power disruptions in
California caused cross-sectoral cascading effects, as power disruptions affected natural gas
production, operation of petroleum product pipelines transporting gasoline and jet fuel along
with the operation of massive water pumps for crop irrigation.
Concerning software and its dangers in Critical Infrastructure information systems, one
should look no further than the incident with the security worm, Stuxnet. The Stuxnet incident
was a typical example of software being able to misuse functionality in machinery and manifest
catastrophic failures across multiple infrastructures. Many Critical Infrastructures use Remote
Terminal Units (RTUs) and Programmable Logic Controllers (PLCs) as control locations, in
order to handle the machinery and functionality of an infrastructure (e.g. valves, sensors,
breakers, etc.). Thus, a failure on any one of them may affect the operation of the entire
infrastructure and start a cascading event, where multiple CIs fail due to their dependencies.
When industries connected SCADA systems with the Internet, these control systems were
exposed to various vulnerabilities and threats (Krutz, 2005). Built as stand-alone, isolated
control systems, they lacked the proper security measures needed to support a robust and safe
functionality over the Internet. For example, an over-the-Internet, man-in-the-middle attack on
a green diesel generator that led to a total meltdown has been presented in the literature
(Alcaraz, 2011).
2.5 Summary
This chapter presented a definition of the terms Risk, Risk analysis, Critical Infrastructure
and infrastructure threats w.r.t. their type. It also included a risk analysis methodology, which
includes the basic concepts for identifying threats and input vectors for failure manifestation.
Furthermore, the installation of the majority of the proposed security controls requires advanced
technical skills from the users. Finally, the chapter ends with a discussion of the thesis’ threat
model.
Chapter 3: Automatically detecting logical errors,
race conditions and IT infrastructure failures in
software using dynamic invariant assertions and
symbolic execution
3.1 Introduction
The sum of all functional requirements of an application reflects the intended
program behavior; that is, what the programmer wants the code to do and what not to do. During
software development, functional requirements are translated into source code. A software error
or fault is the difference between a computed, observed, or measured value and the true,
specified or theoretically correct value or condition inside the software code (Peng, 1993). A
software vulnerability is the characteristics and degree of the fatal software-failure occurrence
caused by an error (Kimura, 2006).
Research on automated detection of software errors and vulnerabilities has mainly focused
on static analysis and software model checking techniques that are effective in detecting a priori
specified errors (e.g. Time Of Check - Time Of Use errors, null pointer dereferences etc.), bad
coding patterns and some types of exploitable vulnerabilities (e.g. unsanitized input data, buffer
overflows etc.) (Codepro 2015) (Ucdetector, 2015) (Pmd, 2015) (Hovemeyer, 2004) (Coverity,
2015) (Pasareanu, 2004) (Java pathfinder tool, 2015). Yet, errors related to the intended
program functionality, which are broadly called logical errors, are not a priori known. In a code
auditing process, they cannot be analyzed as pattern-specific errors since they are rather
application-specific. At the level of the program’s execution flow, these errors will cause
execution diversions that manifest as unintended program behaviour (Felmetsger, 2010). A
typical example is the following from (Felmetsger, 2010): ”a web store application allows,
using coupons, to obtain a one-time-discount-per-coupon on certain items; a faulty
implementation can lead to using the same coupon multiple times, thus eventually zeroing the
price (e.g. by pressing the ”BACK” button, then the ”FORWARD” one and re-entering a
coupon code in the form)”.
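The coupon flaw can be reduced to a few lines of hypothetical code: each individual request is handled correctly and passes its per-request checks, yet nothing enforces the one-time-per-coupon business rule across requests:

```python
# Toy version of the coupon flaw from (Felmetsger, 2010); names are invented.
class Checkout:
    def __init__(self, price):
        self.price = price

    def apply_coupon(self, code, valid_codes):
        if code in valid_codes:          # BUG: the coupon is never consumed,
            self.price -= 10             # so replaying the request (e.g. via
        return self.price                # BACK/FORWARD) stacks the discount

cart = Checkout(price=25)
cart.apply_coupon("SAVE10", {"SAVE10"})
cart.apply_coupon("SAVE10", {"SAVE10"})  # same coupon accepted again
# cart.price has been driven toward zero: 25 -> 15 -> 5
```

No static pattern matches this defect; the code is well-formed, and the error exists only relative to the intended one-time-discount semantics.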
Since logical errors in an Application under Test (AUT) are essentially execution
deviations from its intended functionality, their automated detection needs to be based on
some model of the AUT’s operational logic. Such a model can be inferred in the form of
likely invariants from the dynamic analysis of official executions of the AUT’s functionality
(i.e. execution of scenarios). Dynamic invariants are properties that are likely true at a certain
point or points of the program and, in effect, reveal information about the goal behaviour,
the particular implementation and the environment (inputs) under which the program runs
(Ernst, 2007). The method to detect logical errors proposed in this article evaluates inferred
dynamic invariants in the form of assertions using multiple symbolic executions of an AUT,
in an effort to detect various types of logical errors. Analysis of assertions of automatically
inferred dynamic invariants can be neither sound nor complete, and proper post-processing
is necessary in order to derive a usable result. We note that we do not propose
such an approach as an alternative to mainstream static analysis techniques, which in any
case target a different type of error and cannot detect logical errors.
Our method for the automated detection of logical errors has been implemented in a
prototype tool called PLATO and consists of the following steps:
1. For an AUT, a representation of its operational behavior is generated in the form of
dynamic invariants. These invariants are collected by dynamic analysis of the AUT using
the Daikon tool (Ernst, 2007).
2. Through a source code analysis of the AUT and its Abstract Syntax Tree we gather: (i)
instructions that play a key role in multiple software vulnerabilities (as they are classified
in (CWE, 2015)); and (ii) execution path branching points.
3. Dynamic invariants from step 1 are filtered using the information from step 2. PLATO
keeps only the invariants related to variables that affect the execution flow or are used in
“dangerous” instructions from those mentioned in step 2. These invariants are then
instrumented as assertions into the AUT’s source code.
4. PLATO then relies on custom-made extensions of the Java PathFinder (JPF) tool (Pasareanu
2004) (JPF, 2015) to verify the asserted invariants through the AUT’s symbolic execution. JPF
symbolically executes the AUT covering multiple execution paths. The traversed paths must
adequately cover all intended functionality to be tested: if an assertion is found that is satisfied
in an execution path, while it is simultaneously violated in another path with the same prefix,
then a possible logical error is flagged.
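The flagging rule can be sketched as follows. The invariant, inputs and helper below are hypothetical; PLATO instruments real Daikon invariants and uses JPF's symbolic execution rather than concrete runs:

```python
def checkout(price, coupon_uses):
    """Apply a 10-unit coupon discount coupon_uses times."""
    for _ in range(coupon_uses):
        price -= 10
    # Likely invariant inferred from benign runs: price >= 0 at checkout.
    assert price >= 0, "likely invariant violated"
    return price

def flags_logical_error(paths):
    """Flag if the asserted invariant holds on one path but fails on another."""
    outcomes = []
    for price, uses in paths:
        try:
            checkout(price, uses)
            outcomes.append(True)
        except AssertionError:
            outcomes.append(False)
    return True in outcomes and False in outcomes

# One benign path and one replayed-coupon path sharing the same prefix:
flagged = flags_logical_error([(25, 1), (25, 3)])
```

Because the assertion is satisfied on the benign path but violated on the replayed one, the divergence is reported as a possible logical error rather than a crash.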
A wide range of errors that are classified as logical (as seen in (CWE, 2015)) are detected by
flagging suspicious invariants this way. For example, invariant violations on variables involved
in race conditions allow PLATO to detect race violations between threads.
PLATO ranks detections (i.e. flagged assertions) using a classification approach that
combines the output from steps 3 and 4. Ranking helps differentiate the danger level of
detections and can aid in mitigating the problem of possible false positives. Each detection and
the corresponding execution path are ranked using two fuzzy membership classifiers, namely
Severity and Reliability. Severity ranking is based on a classification technique called
Information Gain. Reliability is based on a software analysis technique called Computational
Density. PLATO’s Fuzzy Logic system for ranking the overall Risk of detections combines
output from these two classifiers using linguistic variables and outputs an informative
classification rank.
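A minimal sketch of such a two-classifier fuzzy combination is shown below; the membership functions and rule base are illustrative stand-ins for PLATO's Severity and Reliability classifiers, not their actual definitions:

```python
def membership(x):
    """Degrees of 'low'/'high' membership for a score in [0, 1]."""
    return {"low": max(0.0, 1 - x), "high": max(0.0, x)}

def overall_risk(severity, reliability):
    """Combine two classifier scores into a linguistic risk rank."""
    s, r = membership(severity), membership(reliability)
    # Rule base: risk is high only when both severity and reliability are high.
    high = min(s["high"], r["high"])
    low = max(s["low"], r["low"])
    return "high" if high > low else "low"

rank = overall_risk(severity=0.9, reliability=0.8)  # a credible, severe finding
```

A severe detection with low reliability (a likely false positive) is ranked down, which is the behaviour the ranking step is meant to provide.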
The described analysis framework is based on a method that was first proposed in
(Felmetsger, 2010) and then extended in (Stergiopoulos, 2012) (Stergiopoulos, 2013)
(Stergiopoulos, 2014), but only basic concepts from those works are kept. In PLATO, dynamic
invariants are evaluated using different techniques and the tool is now capable of analyzing the
full range of instrumented invariants. The fuzzy logic classification technique from
(Stergiopoulos, 2012) (Stergiopoulos, 2013) (Stergiopoulos, 2014) is still used, but its present
version comprises two new formal classifiers, which are introduced in place of the
previously used empirical rules.
Finally, the chapter concludes with a discussion of the results in Section 3.7 and a summary
in Section 3.8.
3.2 Related Work
Recent developments in debugging techniques also focus on the detection of logical errors,
but they do not aim at a fully automated program analysis. Delta debugging (Zeller, 2002) is a
state-altering technique that systematically narrows the difference between the states of a failed
program run from the states of a failure-free run, down to a small set of variables. The intuition
is that any difference between the two execution paths could be the failure cause. Predicate
switching is a variant of delta debugging (Zhang, 2006) that alters predicate truth values during
a program execution. Given a failing execution, the goal is to find the predicate that, if
switched from false to true or the opposite, it causes the program to execute successfully. A
limitation of state-altering techniques is that they do not address the problem of semantic
consistency; there is no guarantee that by altering a state the new execution path will still be a
valid program run (Baah). A second limitation is the usability of this technique, since the
program has to re-run after every single state alteration. In our approach for detecting logical
errors, state alteration is avoided through the use of dynamic invariants along with a one-time
symbolic execution of the AUT.
Another class of techniques to detect logical errors is based on program slicing. In (Weiser,
1981), such a technique is introduced for debugging programs. A drawback is that the
slice set often contains too many program entities and in some cases the whole program. In
(Zhang, 2006), a technique is proposed using a threshold to prune the backward slice computed
for a particular program entity. By pruning the backward slice, the size of the computed slice
set is reduced. Slicing techniques do not reflect the strength of dependencies between the
program entities and how likely is for each of them to be the cause of a failure. Moreover, they
Mitigation of web threats
23
only compute program entities that are associated with failures and do not detect which
program entities cause those failures (Baah). Finally, these techniques do not provide any
information on where to start searching for the fault.
In (Doupe, 2011), the authors focus exclusively on the detection of specific flaws found in
web applications, whereas in (Balzarotti, 2007) web applications are analyzed for multi-module
vulnerabilities using a combination of analysis techniques. However, neither work addresses
the problem of profiling the source code behavior or detecting logical errors per se.
Certain types of logical errors in web applications can be detected with the approach
discussed in (Felmetsger, 2010). A set of likely invariants that characterize the execution of the
AUTs is inferred using the Daikon tool (Ernst, 2007) (Daikon tool, 2015). The Daikon results
are then used in JPF (Pasareanu, 2004) (Java pathfinder, 2015) to model check the behavior of
the AUT over symbolic input. However, it is not shown how the proposed approach scales to
larger, standalone applications.
Variants of our method were presented in (Stergiopoulos, 2012) and (Stergiopoulos, 2014).
In (Stergiopoulos, 2012), we specifically targeted logical errors in GUI applications. We
described a preliminary deployment of a Fuzzy Logic ranking system to mitigate the possibility
of false positives and we applied the method on lab test-beds. In (Stergiopoulos, 2013), the
Fuzzy Logic ranking system was formally defined and further developed. In this work, the
method that we first proposed in (Stergiopoulos, 2012) (Stergiopoulos, 2013) (Stergiopoulos,
2014) is evolved into a more complete and effective approach with the capacity to be applied to
real-world, complex applications, instead of test-beds and simple GUI AUTs.
3.3 Analysis Building Blocks
In this section, the main building blocks of PLATO’s methodology are described, namely:
(i) how the behaviour of an AUT is modeled using likely dynamic invariants, (ii) how the
obtained likely invariants are verified through symbolically executing the AUT and (iii) how
the results are classified using fuzzy logic to measure the impact and the size/complexity of the
affected code, for each detection.
3.3.1. Dynamic Invariants for profiling the behavior of the source code
The functionality of an AUT is captured in the form of dynamic invariants, generated by the
Daikon tool (Ernst, 2007) (Daikon invariant manual, 2015). These invariants are logical rules
for variables (e.g. p!=null or var=="string") that hold true at certain point(s) of a
program in all monitored executions.
The generated dynamic invariants can reflect the intended functionality of the AUT, if they
are derived from monitored executions of representative use-case scenarios. Existing
functionality restrictions and prerequisites also have to be taken into account while using
Daikon.
The validity of the inferred dynamic invariants (i.e. of the inferred program behaviour) is tested
against as many execution paths of the AUT as possible, using symbolic execution of the AUT.
Intuitively, if there is an execution path that violates a (combination of) dynamic invariant(s),
then a logical error may exist, which affects the variable(s) referred to in the invariant.
3.3.2. Symbolic execution for verifying dynamic invariants
PLATO converts the likely invariants into Java assertions and instruments them into the
source code. For example, let us consider that the invariant "p != null" holds true when
the execution flow enters a method. In this case, PLATO creates the assertion [assert (p
!= null);] and instruments it at the beginning of that method, just before any other
instruction.
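As a minimal sketch (the method below is hypothetical and not taken from any AUT), the instrumentation step turns a likely invariant into a Java assertion placed at the start of the method it refers to:

```java
// Hypothetical example: a method before and after PLATO-style
// instrumentation of the likely invariant "p != null".
public class InstrumentationExample {
    // Original method, as found in the AUT.
    static int lengthOf(String p) {
        return p.length();
    }

    // Instrumented variant: the invariant is embedded as a Java assertion
    // at the beginning of the method, before any other instruction.
    static int lengthOfInstrumented(String p) {
        assert (p != null);
        return p.length();
    }
}
```

Note that plain Java assertions are only evaluated when the JVM runs with assertions enabled (the -ea flag); during symbolic execution, JPF reports the violated assertions itself.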
Likely dynamic invariants are instrumented according to two filtering criteria: invariants
concerning variables which affect the execution flow and invariants related to instructions
which are tied to known application vulnerabilities (Martin, 2008) (Harold, 2006). For the
former, we particularly focus on the conditional expressions in branches and loops. The latter
is implemented by using a taxonomy that classifies source code instructions according to their
danger level. This taxonomy is embedded in PLATO and is based on the taxonomies presented
in (Martin, 2006), the Oracle’s Java Taxonomy (Gosling, 2014) (Java Platform, 2015) and
reports from code audits (Hovemeyer, 2004). More information on this taxonomy is provided
in Section 4.3.1, which covers technical details.
Daikon's invariants are then cross-checked against a set of finite execution paths and the
variable valuations for each tested path. For this purpose, PLATO needs execution paths
that adequately cover the functionality of the AUT.
We introduce here formal definitions for the profiling of a program’s behavior and we discuss
how they are related to the implementation of PLATO. An imperative program P = (X, L, ℓ0,
T) defines (Jhala, 2009) a set X of typed variables, a set L of control locations, an initial location
ℓ0 ∈ L, and a set T of transitions. Each transition τ ∈ T is a tuple (ℓ,ρ,ℓ′), where ℓ,ℓ′ ∈ L are control
locations, and ρ is a constraint over free variables defined in X ∪X′, with X representing the
program’s state variables at control location ℓ and X′ the state variables at control location ℓ’.
The set L of control locations is comprised of the source code points which control the
execution flow or are critical to program functionality, i.e. all conditional expressions in
branches and loops along with instructions that manipulate user input data. This is in line with
NIST’s recommendation [31], which states that the impact of a source code point in a program’s
execution may be captured by: (i) the program's entry points and variables with user data, called
Input Vectors, (ii) the Branch Conditions (e.g. conditionals in if-statements) and (iii) program
points where instructions use variables with user data (Sinks).
The state of P is a valuation of the variables in X at some control location during the program
execution. The set of all possible states for P is denoted by u.X. We shall represent sets of states
using constraints. For a constraint ρ over X ∪ X′ and a pair of states (s, s′) ∈ u.X × u.X′, we write
(s, s′) |= ρ if the variables valuations in X and X′ satisfy the constraint ρ. We focus on AUTs with
an explicitly defined initial state that assigns values to all variables in X. A finite computation
of the program P is any sequence (ℓ0, s0), (ℓ1, s1), ..., (ℓk, sk) ∈ (L×u.X)*, where ℓ0 is the initial
location, s0 is the initial state, and for each i ∈ {0,...,k−1}, there is a transition (ℓi, ρi, ℓi+1) ∈ T such
that (si, si+1) |= ρi. A location ℓ is reachable if there exists a state s such that (ℓ, s) appears in
some computation. An execution path or, simply, path of the program P is any sequence π =
(ℓ0, ρ0, ℓ1), (ℓ1, ρ1, ℓ2), ..., (ℓk−1, ρk−1, ℓk) of transitions.
PLATO monitors program states and invariant assertions in execution paths by implementing
a state listener called PlatoListener inside the JPF tool. Our listener keeps a log of all the
program's constraints ρi (assertions) along with their valuations for the first execution path and
for the rest of the paths, as the program's execution branches due to JPF's backtracking to
previous states in order to execute different transitions.
Definition 1. A logical error manifests if there are execution paths πi and πj with the same
prefix, such that for some k ≥ 0 the transition (ℓk, ρk, ℓk+1) results in states (ℓk+1, si), (ℓk+1, sj) with
si ≠ sj and, for the dynamic invariant rk, (si−1, si) |= rk in πi and (sj−1, sj) ⊭ rk in πj, i.e. rk is satisfied
in πi and is violated in πj.
So, for each dynamic invariant rk, PlatoListener relies on JPF's symbolic execution to
gather all execution paths that evaluate the dynamic invariant. Then, for each path with some
state sj such that (sj−1, sj) ⊭ rk, PLATO compares it with other paths with the same prefix, such
that si ≠ sj and (si−1, si) |= rk.
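Purely as an illustration (PLATO's PlatoListener performs this comparison inside JPF over logged constraints; the standalone sketch below only mirrors the shape of the Definition 1 check), two path logs with a common prefix can be compared on whether an invariant holds in one and is violated in the other:

```java
import java.util.List;

// Hypothetical sketch of the Definition 1 check: each path is logged as a
// sequence of boolean evaluations of a dynamic invariant rk at the states
// it traverses. A logical error manifests when two paths that share a
// prefix disagree on rk at some position after that prefix.
public class InvariantCheck {
    static boolean manifestsLogicalError(List<Boolean> rkInPathI,
                                         List<Boolean> rkInPathJ,
                                         int sharedPrefixLength) {
        int n = Math.min(rkInPathI.size(), rkInPathJ.size());
        for (int k = sharedPrefixLength; k < n; k++) {
            // rk satisfied in one path but violated in the other
            if (!rkInPathI.get(k).equals(rkInPathJ.get(k))) return true;
        }
        return false;
    }
}
```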
3.3.3. Fuzzy Logic classification of detections
The criterion introduced in Definition 1 can only indicate a logical error; it cannot be
used by itself to safely characterize any detection. First, the dynamic analysis is neither sound
nor complete and it is rather unwise to assume that, upon detection, a logical error is located at
the program point where an invariant was violated. The exact localization of the error
inevitably depends on human intervention, as opposed to its manifestation,
which is automatically detected. Moreover, not all logical errors can divert the
program's execution to exploitable states, nor do they all have a comparable impact on the
functionality of an AUT. Motivated by these facts, we recognize the need to assess invariant
assertion violations based on various characteristics and their position within the source code.
Similarly to a code auditor’s reasoning upon detection of a flaw in the AUT’s functionality,
PLATO classifies the found detections using a fuzzy set theory approach combined with two
advanced classification functions. For each detection, the result is a quantitative truth value
ranging from 0 to 1, which measures the error’s impact on the AUT’s execution. A quantitative
truth value corresponds to a membership percentage in a fuzzy set (Perfilieva, 1999) with the
selected fuzzy sets describing different levels of impact (danger). As an example, a logical error
that does not affect critical functionality and does not divert the AUT's execution will not be
characterized as a high-impact detection, whilst a logical error in an if-statement of a user
authentication module that can lead to exploitable behaviour should be classified as extremely
dangerous. Thus, every assertion violation, along with the corresponding execution path, is
classified into two different groups of sets:
• the Severity sets, which quantify the danger level of the execution path, i.e. the impact
that an exploitable error would have, if it were manifested on that path;
• the Reliability sets, which quantify the overall reliability of an execution path, based on
the size and the complexity of the code traversed in it (using a code metric named
Cyclomatic Density).
With this fuzzy logic approach, we also aim to confront two inherent problems in automated
logical error detection: the large data sets of processed AUT execution paths and the
possible false positives. Regarding the first problem, PLATO helps the code auditor
to focus only on those path transitions that have high ratings in the classification
system. Regarding the false positives, we note that error detections cannot be validated against
predefined error patterns. PLATO's ratings are therefore used to implement criteria that take
into account the possibility of a true logical error in some transition. The following subsections
will help clarify how this takes place.
3.3.3.1. Severity
For an execution path π, Severity(π) measures π's membership degree in a Severity fuzzy set
that reflects how dangerous a flaw would be if it were to manifest in path π, i.e. its relative impact.
Execution path π is weighted based on how its transitions and corresponding code instructions
affect the program's execution: if there are transitions in the path that are known to manifest
exploitable behaviour, then π is considered dangerous and is assigned higher Severity ranks.
Definition 2. Given the execution path π, we define
Severity(π) = ν ∈ [1,5]
to measure the severity of π on a Likert-type scale from 1 to 5.
Likert scales are a convenient way to quantify facts (Albaum, 1997) that, in our case, refer
to a program’s flow. If an exploitable behaviour were to manifest in an execution path, the
scale-range captures the intensity of its impact in the program’s control flow. In order to weight
paths, Severity is based on the Statistical Information Gain, a measure used to classify execution
paths in one out of five Severity categories that are ranked from one to five. Categories are then
grouped into Fuzzy Logic sets using labels: high severity (4-5), medium (3) or low (1 or 2).
3.3.3.2. Measuring the Severity of execution paths using Statistical Information Gain
When a code auditor inspects a program, he traces execution paths with specific
characteristics trying to find flaws in them. In most cases, the traced paths include: (i) the
program’s input vectors, (ii) branch conditions with variable checks and (iii) sinks, i.e.
instructions that should only use sanitized data.
Our Severity classification approach is based on the Expected Information Gain (aka
Expected Entropy Loss) statistical measure (Abramson, 1964) that has been successful in
feature selection for information retrieval (Etzkorn, 1997). Feature selection is used to improve
the effectiveness and efficiency during classification, since it removes non-informative terms
according to corpus statistics (Yang, 1997). The Information Gain has been used before by
Glover et al. (Glover, 2001) and Ugurel et al. (Ugurel, 2002) for classifying source code. Here,
we use it to classify execution paths and their corresponding source code instructions into
danger levels.
To measure the Expected Information Gain of an execution path, we need characteristics
(features) to look for. PLATO uses a taxonomy of dangerous source code instructions. These
instructions are tied to known vulnerability types (Martin, 2008) (National Vulnerability
database, 2015). The taxonomy is divided into 5 subsets of instructions that act as Feature Sets
to classify execution paths. Each subset’s source code instructions are considered to have the
same impact level (i.e. they are known to be involved in similar types of vulnerabilities). Each
set is characterized by a number on the Likert scale (1 to 5) depicting the danger level of its
code instructions: Set 1 contains the least dangerous instructions while Set 5 contains the most
dangerous source code instructions, known to be involved in many critical vulnerabilities. For
example, the exec() instruction is known to be tied to OS injection vulnerabilities (Martin,
2008). Therefore exec() is grouped in Set 5 of the taxonomy.
Severity ratings are applied by classifying each execution path into one of these five Severity
feature sets, which correspond to specific impact levels. For each execution path, every Feature
Set gets its own Information Gain measurement. A high information gain value for a specific
feature set means that this set is an effective discriminator of an execution path (Ugurel, 2002).
Thus, feature set measurements act as execution path classifiers: they rank paths into different
danger levels. The feature set with the highest Expected Information Gain classifies the
execution path in the danger level category that it represents.
In the following paragraphs, we provide a brief description of this theory (Abramson, 1964).
Let Pr(C) be the probability that a path is dangerous, quantified as the ratio of the dangerous
instructions over the total number of instructions in the path. Let f be the event that a specific
instruction exists in the path. We also denote by C̄ and f̄ the negations of C and f.
The prior entropy e expresses how certain we are that an execution path is considered
dangerous, before feature f is taken into account:

e = −Pr(C) lg Pr(C) − Pr(C̄) lg Pr(C̄)    (1)

where lg is the binary logarithm (logarithm to the base 2). The posterior entropy, when
feature f has been detected in the path, is

e_f = −Pr(C|f) lg Pr(C|f) − Pr(C̄|f) lg Pr(C̄|f)    (2)

whereas the posterior entropy, when the feature is absent, is

e_f̄ = −Pr(C|f̄) lg Pr(C|f̄) − Pr(C̄|f̄) lg Pr(C̄|f̄)    (3)

Thus, the expected overall posterior entropy (EOPE) is given by

EOPE = e_f Pr(f) + e_f̄ Pr(f̄)    (4)

and the expected Information Gain (EIG) for a given feature f is

EIG = e − e_f Pr(f) − e_f̄ Pr(f̄)    (5)
The Expected Information Gain is always non-negative and higher scores indicate more
discriminatory features. The higher the EIG for a given feature set of instructions f, the more
certain we are that this set f best describes the execution path.
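To make equations (1)-(5) concrete, the following sketch (with illustrative probability values, not PLATO's actual code) computes the binary entropy and the Expected Information Gain of a feature, using the standard convention 0 · lg 0 = 0:

```java
// A minimal sketch of the Expected Information Gain computation from
// equations (1)-(5). All probability arguments are illustrative.
public class InformationGain {
    // Binary logarithm.
    static double lg(double x) { return Math.log(x) / Math.log(2); }

    // Binary entropy of a probability p, with the convention 0 * lg 0 = 0.
    static double entropy(double p) {
        double e = 0;
        if (p > 0) e -= p * lg(p);
        if (p < 1) e -= (1 - p) * lg(1 - p);
        return e;
    }

    // prC         = Pr(C), prior probability that the path is dangerous
    // prCgivenF   = Pr(C|f), when feature f is present      -> e_f  (eq. 2)
    // prCgivenNoF = Pr(C|not f), when feature f is absent   -> e_f' (eq. 3)
    // prF         = Pr(f)
    // EIG = e - e_f * Pr(f) - e_f' * Pr(not f)              (eq. 5)
    static double eig(double prC, double prCgivenF, double prCgivenNoF, double prF) {
        double e   = entropy(prC);          // eq. 1
        double ef  = entropy(prCgivenF);    // eq. 2
        double enf = entropy(prCgivenNoF);  // eq. 3
        return e - ef * prF - enf * (1 - prF);
    }
}
```

For instance, a feature that fully determines whether a path is dangerous (Pr(C|f) = 1, Pr(C|f̄) = 0) yields an EIG equal to the prior entropy, while a feature with Pr(C|f) = Pr(C|f̄) = Pr(C) yields an EIG of zero.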
Similarly to (Ugurel, 2002), the EIG is calculated based on ratios between the path instructions
considered dangerous (e.g. execution instructions like exec()) and the total number of
instructions in the transitions of each execution path. A taxonomy of Java instructions provides
the feature sets (corresponding to the event f in the above equations). Example instructions of
the taxonomy and their classification into Feature Sets are given in Table 2 below, where some
dangerous instructions are shown together with the feature set they belong to. More technical
details on the taxonomy are given in Section 4.3.1, whereas for a complete list of all
instructions, the reader can access the link at the end of this chapter.
Severity(π) basically tells us which feature set best characterizes a path π: the one that
exhibits the highest overall EIG. Since each feature set f is tied to a specific impact (danger)
level, this level also indicates the danger level of the corresponding execution path.
Rank Example of classified methods Feature Set (Category level)
Low javax.servlet.http.Cookie Set 1 (Level 1)
Low java.lang.reflection.Field Set 2 (Level 2)
Medium java.io.PipedInputStream Set 3 (Level 3)
High java.io.FileInputStream Set 4 (Level 4)
High java.sql.ResultSet::getString Set 5 (Level 5)
Table 2: Severity classification examples
3.3.3.3. Reliability
As a measuring function, Reliability is used to classify execution paths into Reliability sets.
It quantifies how reliable an execution path is by computing the likelihood that an exploitable
behavior is manifested in a variable usage.
Definition 3. Given the execution path π, with a set of state variables, we define Reliability as
Reliability(π) = ν ∈ [1,5]
to measure the reliability of π on a Likert scale from 1 to 5.
Similarly to the Severity function, our fuzzy logic system classifies execution paths into
categories: high (4-5), medium (3) or low (1 or 2).
3.3.3.4. Measuring code Reliability with Cyclomatic Density
The inherent risk or risk build-up of an AUT is connected to its source code’s complexity
(Chhabra, 2014). A broadly accepted measure is the well-known Cyclomatic Complexity (Bray,
1997) that measures the maximum number of linearly independent circuits in a program’s
control flow graph (Gill, 1991). The original McCabe metric is defined as
V(G) = e − n + 2
where V(G) is the cyclomatic complexity of the flow graph G of a program, e is the number of
edges and n is the number of nodes in the graph. McCabe showed that V(G) can be computed
by applying the following steps [43]:
1. increment by one for every IF, CASE or other alternate execution construct;
2. increment by one for every DO, DO-WHILE or other repetitive construct;
3. add two less than the number of logical alternatives in a CASE;
4. add one for each logical operator (AND, OR) in an IF.
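The four counting steps can be encoded directly; the sketch below (with hypothetical counts as arguments) starts from the base value V(G) = 1 that holds for straight-line code:

```java
// Hypothetical sketch of McCabe's stepwise V(G) computation, following
// the four rules listed above.
public class McCabeSteps {
    // ifs: IF/alternate execution constructs; loops: DO/DO-WHILE and other
    // repetitive constructs; caseAlternatives: number of logical alternatives
    // in each CASE; logicalOps: AND/OR operators inside IF conditions.
    static int vg(int ifs, int loops, int[] caseAlternatives, int logicalOps) {
        int v = 1;                 // straight-line code has V(G) = 1
        v += ifs;                  // rule 1
        v += loops;                // rule 2
        for (int alts : caseAlternatives)
            v += alts - 2;         // rule 3: two less than the alternatives
        v += logicalOps;           // rule 4
        return v;
    }
}
```

For example, a fragment with two if-statements, one loop, a CASE with three alternatives and one AND operator would score 1 + 2 + 1 + 1 + 1 = 6.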
However, Cyclomatic Complexity does not take into consideration the size of the analyzed
code. Research conducted at the Software Assurance Technology Center of NASA has shown
that the most effective evaluation of the inherent risk of an AUT should be based on a
combination of the (cyclomatic) complexity and the code's size (Rosenberg). Modules with
both a high complexity and a large size tend to have the lowest reliability. Modules with a smaller
size and a high complexity are also a reliability risk, because they feature very terse code, which
is difficult to change or modify.
To this end, PLATO implements heuristics that assign Reliability ratings to execution paths
through a cyclomatic density analysis. The proposed method is based on McCabe's algorithm
and the computation of the Cyclomatic Density for each execution path. The Cyclomatic
Density is the ratio of the Cyclomatic Complexity to the logical lines-of-code, which measure
the number of executable "statements" in the path (some statements are excluded, such as
variable assignments) (Using code quality metrics, 2015). This ratio represents the
normalized complexity of the source code of an execution path π and it is considered a
statistically significant single-value predictor of the code's maintainability (Using code quality
metrics, 2015). The higher the Cyclomatic Density value, the denser the logic. Related research
(Using code quality metrics, 2015) (Rosenberg) proposes that, for code to be simple and
comprehensible, Cyclomatic Density values should be in the range of 0.14 to 0.42.
Each path is assigned a density value. The higher the value, the more complex the logic of
the traversed code is and, therefore, the more likely it is to have logical errors lurking in its
instructions [44, 45]. Table 3 depicts the classification categories for execution paths that can
be applied using the Reliability classification function.
Rank      Cyclomatic Density                Category
Low       Density <= 0.1                    1
Low       0.1 < Density <= 0.2              2
Medium    0.2 < Density <= 0.3              3
High      0.3 < Density <= 0.4              4
High      Density > 0.4                     5
Table 3: Reliability categories based on Cyclomatic Density values
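Under the assumption that an execution path's flow-graph counts and logical lines-of-code are already available (PLATO computes them during its source code analysis), the density computation and the category mapping of Table 3 can be sketched as:

```java
// Illustrative sketch: Cyclomatic Density of an execution path and its
// Reliability category per Table 3. The inputs are assumed to be known.
public class CyclomaticDensity {
    // McCabe: V(G) = e - n + 2 for a flow graph with e edges and n nodes.
    static int vg(int edges, int nodes) {
        return edges - nodes + 2;
    }

    // Density = Cyclomatic Complexity / logical lines-of-code.
    static double density(int vg, int logicalLoc) {
        return (double) vg / logicalLoc;
    }

    // Reliability category (1-5), following the ranges of Table 3.
    static int category(double d) {
        if (d <= 0.1) return 1;
        if (d <= 0.2) return 2;
        if (d <= 0.3) return 3;
        if (d <= 0.4) return 4;
        return 5;
    }
}
```

For instance, a path whose traversed code has a flow graph with 9 edges and 8 nodes (V(G) = 3) over 12 logical lines of code has a density of 0.25, landing in category 3 (Medium).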
3.3.3.5. Risk: Combining Severity and Reliability ratings
According to OWASP, the standard risk formulation is an operation over the likelihood and
the impact of a finding (Martin, 2008):
Risk = Likelihood ∗ Impact
We adopt this notion of risk to enhance the logical error classification approach. For each
execution path π, an estimate of the associated risk is computed by combining Severity(π) and
Reliability(π). We opt for an aggregation function that allows taking into account membership
degrees in a Fuzzy Logic system (Foundation of fuzzy logic, 2015):
Definition 4. Given an AUT and an execution path π of a program P, Risk(π) is the
aggregation
Risk(π) = aggreg(Severity(π),Reliability(π))
with a fuzzy set valuation
Risk(π) = {Severity(π)} ∩ {Reliability(π)}
Aggregation operations combine several fuzzy sets to produce a single fuzzy set. Risk ratings
have the following interpretation: for two execution paths π1 and π2, if Risk(π1) > Risk(π2), then
π1 is more dangerous than π2, in terms of the likelihood of these paths to divert execution to
non-intended states and to cause an unintended program behaviour. The risk of each execution
path is plotted separately, thus producing a numerical and a fuzzy result. By aggregating the
two membership sets (Severity and Reliability), a new membership set is produced. The
aggregated Risk membership value of an execution path in Risk sets is calculated using Fuzzy
Logic’s IF-THEN rules. An example is given in Figure 1.
Figure 1: Example of a Fuzzy Logic rule
PLATO then applies defuzzification (Leekwijck, 1999) on the aggregated Risk output using
the Center of Gravity technique: a single value is computed from the two fuzzy sets and their
corresponding membership degrees, i.e. the contribution of each fuzzy set expressed in Likert
values. In order to aid the end user, Severity and Reliability values are grouped into the same 3
sets as those in the Severity and Reliability scales (Low, Medium, High), with an
approximate width for each group of 5/3 ≈ 1.5 (final ranges: Low in [0, 2], Medium in
(2, 3.5] and High in (3.5, 5]). Figure 1 provides an example of how Risk is calculated using
Fuzzy Logic linguistic rules. Table 4 shows the fuzzy logic output for Risk, based on the
aggregation of Severity and Reliability.
Risk, Severity and Reliability ratings are supplementary to invariant violations and do not
provide the basic mechanism for logical error detection; they just provide a clearer view for
the code auditor. Also, high Severity rankings carry more weight than Reliability rankings:
during the aggregation of sets, rightmost maximum values are taken into account, which assigns
more weight to Severity values. The rightmost maximum was found to yield ranking results
closer to the truth, since Severity ratings take into consideration the instructions in path
transitions, whilst Reliability ratings provide only a generic view of the execution path's overall
complexity.
Severity \ Reliability    Low       Medium    High
Low                       Low       Low       Medium
Medium                    Low       Medium    High
High                      Medium    High      High
Table 4: Severity × Reliability = Risk sets
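Table 4 can be read as a simple lookup; the sketch below is a literal encoding of it (0 = Low, 1 = Medium, 2 = High), not jFuzzyLogic's actual rule-based aggregation machinery:

```java
// Literal encoding of Table 4: the Risk label resulting from the
// Low/Medium/High labels of Severity and Reliability.
public class RiskTable {
    static final int LOW = 0, MEDIUM = 1, HIGH = 2;

    // Rows: Severity; columns: Reliability.
    static final int[][] RISK = {
        // Reliability:  Low,    Medium, High
        { LOW,    LOW,    MEDIUM }, // Severity Low
        { LOW,    MEDIUM, HIGH   }, // Severity Medium
        { MEDIUM, HIGH,   HIGH   }  // Severity High
    };

    static int risk(int severity, int reliability) {
        return RISK[severity][reliability];
    }
}
```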
The Fuzzy Logic system has been implemented using the jFuzzyLogic library (Cingolani,
2012). The technical details for the implementation of a fuzzy logic system in Java can be found
in (Cingolani, 2012), (Stergiopoulos, 2012) and (Stergiopoulos, 2013).
3.4 A method to detect logical errors in source code
3.4.1. The method’s workflow
The analysis building blocks described in Section 3.3 and implemented in PLATO are part of
our workflow for logical error detection, which comprises the following steps:
1. Use case scenarios. We assume the existence of a test suite with use case scenarios that
exercises the functionality of the AUT. The selected use-case scenarios must cover the
intended AUT’s functionality to a sufficient degree. This can be quantified by appropriate
coverage metrics.
2. For each use-case scenario, a dynamic analysis with the Daikon tool is performed. A set
of inferred dynamic invariants is obtained that characterizes the functionality of the AUT
based on the executed use case scenarios.
3. The Daikon invariants are loaded in PLATO and are processed as follows:
• The inferred dynamic invariants are filtered by PLATO, in order to use only
those referring to high-risk transitions, i.e. (i) instructions that affect the
program's execution flow, and (ii) instructions that are connected to the
manifestation of an exploitable behavior (e.g. for executing OS commands
with user input).
• PLATO instruments the AUT code with the critical dynamic invariants,
which are embedded into the code as Java assertions (Martin, 2008).
4. The instrumented source code is symbolically executed in NASA's JPF tool with our
PlatoListener extension. A sufficiently large number of feasible execution paths has
to be covered, far more than the initial use case scenarios covering the intended
functionality. JPF relies on the PlatoListener in order to check for existing assertion
violations and then flags the invariants satisfying the criterion of Definition 1.
5. PLATO gathers the PlatoListener detections and classifies each of them into Severity and
Reliability levels. A Risk value is then computed using Fuzzy Logic. The more suspicious
an invariant violation and its corresponding execution path are, the higher they score on the
Risk scale.
PLATO accepts input from Daikon (step 2) and automates the analysis of the source code in
steps 3 to 5. The PlatoListener is used in step 4 for monitoring JPF's symbolic execution.
3.4.2. PLATO’s architecture
PLATO consists of components that implement the analysis building blocks presented in
Section 3.3. Figure 2 shows the input–output dependencies between these components:
Figure 2: PLATO’s processing flowchart
1. The components in orange implement PLATO's source code analysis, which is based on
the Java compiler, used to generate the Abstract Syntax Tree (AST) of the AUT. Compiler
methods such as visitIf() and visitMethodInvocation() were overridden for the analysis of
branch conditions and variable sanitization checks. Finally, information for every single
method invocation, variable assignment and declaration is provided. The following sample
output shows the AST meta-data gathered for the variable sig3 in a class named
Subsystem114:
DECLARE :: 12 :: double :: sig3 :: 0 :: Main22 :: Subsystem114.java
2. The components in green implement PLATO’s filtering and verification of inferred
dynamic invariants against program states (ℓ,s) at certain code locations that are gathered
from the AUT symbolic execution. The PlatoListener monitors the AUT’s symbolic
execution within JPF.
3. The components in grey implement PLATO’s fuzzy logic system that combines all
information gathered from (1) and (2), and assesses the Risk of execution paths, based on
their position and the analysis findings. Information Gain (Severity) and Cyclomatic
Density (Reliability) computations are performed in this step and the Risk level of each
execution path is calculated by aggregating their output. The Fuzzy Logic system has been
implemented using the jFuzzyLogic library.
3.4.3. Classifying execution paths
Following Oracle's Java API and the related documentation in (Harold, 2006; Gosling,
2014; Java platform, 2015), three categories of Java instructions are proposed for the
classification of execution paths with respect to their Severity and Reliability values. Severity
ranking is based on (i) Input Vector instructions and (ii) potentially exploitable methods (sinks).
Reliability ranking is based on (iii) Control Flow instructions.
3.4.3.1 A Taxonomy of instructions for Severity calculations
About 159 Java methods were reviewed and then grouped into sets depicting danger levels.
These sets are used as features in the Information Gain algorithm to compute the Severity rating
of execution paths. The classified instructions were gathered from NIST’s Software Assurance
Reference Dataset suites (SARD) (Boland, 2012), a set of known security flaws together with
source code test-beds.
Five sets (feature sets) are proposed, corresponding to five danger levels from 1 to 5. The
taxonomy was based on rankings of bugs and vulnerabilities recorded in NIST's National
Vulnerability Database (NVD, 2015), the U.S. government repository of standards-based
vulnerability management data. NVD provides scores that represent the innate characteristics
of each vulnerability using the CVSS scoring system, which is an open and standardized
method for rating IT vulnerabilities.
Thus, each instruction in the taxonomy is assigned to the feature set representing the
appropriate danger level. The correct feature set is inferred based on the CVSS scores in the
NVD repository. This was implemented using the following algorithm:
1. For each instruction, we checked the lowest and highest ratings of the NVD vulnerabilities
that use this instruction (the bugs were gathered from the NVD repository:
https://web.nvd.nist.gov/view/vuln/searchadvanced).
2. The characteristics of the identified vulnerabilities are then inputted into the CVSS 3.0
scoring calculator (https://www.first.org/cvss/calculator/3.0), in order to calculate the
lowest and highest possible vulnerability scores.
3. Each instruction was then ranked in the feature set corresponding to the result of the
previous step. Instructions with a score of 7 or above were grouped in Set 5. Instructions
with a score of 6 to 7 were grouped in Set 4, those with a score of 5 to 6 in Set 3, those with
a score of 4 to 5 in Set 2 and those with a score of 1 to 4 in Set 1.
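Step 3's score-to-set mapping can be sketched as follows; the handling of scores that fall exactly on a bound is an assumption here, since the ranges above overlap at their endpoints (only "7 or above → Set 5" is stated unambiguously):

```java
// Hypothetical sketch of the CVSS-score-to-feature-set mapping of step 3.
// Boundary handling below (>= at each lower bound) is an assumption.
public class FeatureSetMapper {
    static int featureSet(double cvssScore) {
        if (cvssScore >= 7) return 5;  // score 7 or above -> Set 5
        if (cvssScore >= 6) return 4;  // score 6 to 7     -> Set 4
        if (cvssScore >= 5) return 3;  // score 5 to 6     -> Set 3
        if (cvssScore >= 4) return 2;  // score 4 to 5     -> Set 2
        return 1;                      // score 1 to 4     -> Set 1
    }
}
```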
Example: The java.lang.Runtime.exec() instruction (Java platform, 2015) is widely known
to be used in many OS command injection exploits. The 550 NVD vulnerabilities recorded as
using this instruction have impact ratings ranging from 6.5 up to 10 out of 10. Using the
characteristics of these records, the CVSS scoring calculator outputted ratings from high (7)
to very high (10). This was expected, because exec() is often used to execute code with
application-level privileges. Thus, the exec() instruction was classified in PLATO’s taxonomy
in the very high (5/5) danger level category.
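The threshold mapping of step 3 can be sketched as follows. This is an illustration only; the class and method names are ours, not PLATO’s actual implementation.

```java
// Illustrative sketch of step 3: map a CVSS base score to one of the
// five feature sets (danger levels). Names are hypothetical.
public class FeatureSetRanker {

    // Thresholds follow step 3 above: score >= 7 -> Set 5, 6..7 -> Set 4,
    // 5..6 -> Set 3, 4..5 -> Set 2, and 1..4 -> Set 1.
    public static int featureSet(double cvssScore) {
        if (cvssScore >= 7.0) return 5;
        if (cvssScore >= 6.0) return 4;
        if (cvssScore >= 5.0) return 3;
        if (cvssScore >= 4.0) return 2;
        return 1;
    }

    public static void main(String[] args) {
        // java.lang.Runtime.exec(): NVD records range from 6.5 up to 10;
        // the highest observed score places the instruction in Set 5.
        System.out.println(featureSet(10.0));
    }
}
```

Note that an instruction is ranked by the result of step 2, i.e. by the scores computed from its recorded NVD vulnerabilities, so exec() with a highest score of 10 lands in Set 5.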
The types of Java instructions that are included in PLATO’s taxonomy are now presented.
Tables 5 and 6 provide examples for each instruction type. For the full taxonomy, the reader
can access the link at the end of this article.
• Input Vector Methods
Java has numerous methods and classes that accept data from users, streams or files (Java
platform, 2015). Most of them concern byte, character and stream input/output. PLATO takes
into account 69 instructions, one of which is shown in the example in Table 5.
Based on (Harold, 2006) and common programming experience, monitoring these
instructions is an adequate way to trace user input inside Java applications, which is why
they were used to create the feature sets for Severity calculations.
java.io.BufferedReader java.io.BufferedInputStream
java.io.ByteArrayInputStream java.io.DataInputStream
java.lang.System javax.servlet.http.
java.io.ObjectInputStream java.io.StringReader
Table 5: Example group - Input Vector Methods taxonomy
• Exploitable Methods (sinks)
Some methods are known to be targeted in exploits. These are the Java instructions that act
as information flow sinks. PLATO takes into account 90 methods gathered from the SARD
sets, which are known to be exploitable. An example is provided in Table 6.
Mitigation of web threats
java.lang.Runtime java.net.URLClassLoader
java.lang.System java.sql.Statement
javax.servlet.http.HttpServlet javax.script
java.io.File java.net.Socket
Table 6: Example group - Sink methods taxonomy
3.4.3.2. Instructions for Reliability calculations
Computing the Cyclomatic Density of a source code is tied to the number of execution-
branch statements inside the code. Thus, Reliability calculations take into consideration Java
instructions that affect the program’s control flow.
• Control Flow Instructions
Boolean expressions determine the control flow (Harold, 2006; Felmetsger, 2010). Such
expressions are found in the statements shown in Figure 3.
All instructions from the mentioned types were gathered from the official Java
documentation (Harold, 2006; Java platform, 2015) and are used for the computations of the
Cyclomatic Density algorithm of Section 3.3.4.
Figure 3: Example types of instructions included in PLATO’s taxonomy
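As a rough sketch of how counting such branch statements feeds the Cyclomatic Density computation (cyclomatic complexity divided by lines of code), assuming a simple token count rather than PLATO’s AST-based parser:

```java
// Hypothetical sketch: approximate cyclomatic complexity by counting
// decision points (branch keywords and boolean connectives) in a method
// body, then divide by lines of code to obtain cyclomatic density.
// A real implementation (as in PLATO) walks the AST instead of
// matching raw substrings.
public class CyclomaticDensity {
    private static final String[] DECISION_TOKENS =
            { "if", "for", "while", "case", "catch", "&&", "||" };

    // Cyclomatic complexity approximated as (decision points) + 1.
    public static int complexity(String methodBody) {
        int decisions = 0;
        for (String token : DECISION_TOKENS) {
            int idx = 0;
            while ((idx = methodBody.indexOf(token, idx)) >= 0) {
                decisions++;
                idx += token.length();
            }
        }
        return decisions + 1;
    }

    public static double density(String methodBody, int linesOfCode) {
        return (double) complexity(methodBody) / linesOfCode;
    }
}
```

A body such as `if (a) { while (b) { x++; } }` contains two decision points, giving a complexity of 3; dividing by its lines of code yields the density used in the Reliability computation.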
3.4.4. Symbolic execution and PLATO’s JPF listener
PlatoListener is the listener extension implemented in JPF to provide data and
execution paths to PLATO. It monitors all execution transitions, looking for
AssertionViolation instruction invocations. Upon detection of one such invocation,
PlatoListener saves the execution path leading to the assertion violation and compares it
with all other saved execution paths in search of the criterion introduced in Definition 1. For
every such detection, the values of the assertion variables are stored, along with the Java Class
file and references to transitions executed prior to the violated assertion.
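The comparison performed by PlatoListener can be sketched as below. This is a simplification with hypothetical names; the real listener operates on JPF transition objects rather than strings.

```java
// Sketch of the same-prefix comparison applied when an assertion violation
// is detected (the criterion of Definition 1): a violating path is flagged
// if a previously stored path with the opposite assertion outcome shares
// the same transition prefix up to the assertion point.
import java.util.ArrayList;
import java.util.List;

public class PathComparator {
    // A recorded execution path: the transitions executed before the
    // assertion, and whether the instrumented assertion held on that path.
    public record RecordedPath(List<String> transitions, boolean assertionHeld) {}

    private final List<RecordedPath> stored = new ArrayList<>();

    public void store(RecordedPath p) { stored.add(p); }

    // True if some stored path with the opposite assertion outcome shares
    // the same prefix as the given path: a possible logical error.
    public boolean flagsLogicalError(RecordedPath violating) {
        for (RecordedPath p : stored) {
            if (p.assertionHeld() != violating.assertionHeld()
                    && samePrefix(p.transitions(), violating.transitions())) {
                return true;
            }
        }
        return false;
    }

    private static boolean samePrefix(List<String> a, List<String> b) {
        int n = Math.min(a.size(), b.size()) - 1; // compare all but the last step
        return a.subList(0, n).equals(b.subList(0, n));
    }
}
```

Two paths that agree on the transitions `t1, t2` but then enforce and violate the same assertion respectively would be flagged, mirroring the contradiction criterion used by PLATO.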
3.5 Experimental results
Our approach to logical error detection was validated in experiments with both real-world
open-source and “artificially made” applications, namely: (1) real-world software artifacts from
the SIR Object Database (Rothermel, 2006) that are used to support controlled experimentation
on program analysis, (2) a test based on a suite by NIST (Boland, 2012) with logic flaws leading
to exploit manifestation, found in a real-world application handling field sensors in a
SCADA system, (3) a real-world controller from NASA’s Lunar Lander, in which a logical
error was injected.
First, we provide a motivating example, in order to introduce our experimentation approach
to validate PLATO’s effectiveness.
3.5.1 An example AUT
We consider an AUT with documented functionality. We will present each step of the
method, as it would be implemented on an example AUT. The steps would be the following:
1. Extracting programmed behaviour in the form of dynamic invariants. Daikon’s
dynamic analysis is used to infer dynamic invariants based on AUT’s executions for use-
case scenarios from the AUT’s business logic documentation. Monitored executions will
have to sufficiently cover all intended functionality, such that the extracted programmed
behavior matches the AUT’s intended behavior (Felmetsger, 2010; Stergiopoulos, 2012).
Example 1: Daikon observes the values of the variables while executing the program and
reports invariants that hold true throughout all AUT executions. A dynamic invariant
reported by Daikon in one of our tests is:
Figure 4: Example dynamic invariant reported by Daikon
The dynamic invariant of Fig. 4 shows that, upon invocation of method exec(), the value
of the variable TopLevelChartcount is equal to ’2’.
2. Analyzing source code – Invariant filtering and instrumentation. Invariant rules are
filtered and only those that refer to control locations or to paths with specific error-prone
instructions (high Severity) are kept. Key points in the source code for invariant filtering
are detected by PLATO’s parser that returns the AUT’s AST. Invariants are then parsed
by their method type, variable or class type. Chosen invariants are then instrumented
inside the AUT’s source code as Java assertions.
Example 2. The dynamic invariant in Figure 4 is transformed into a Java assertion, which is
then instrumented in the source code at the point indicated by Daikon (i.e. the beginning of
Wait_for_stable_rate_100000203_exec()).
assert this.TopLevelChartcount == 2.0;
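The transformation from a Daikon program-point record to an instrumentable assertion can be sketched as follows; this hypothetical helper handles only the ENTER program points shown in this chapter, whereas PLATO’s parser also filters by method, variable and class type.

```java
// Hypothetical sketch of the invariant-to-assertion step: split a Daikon
// record such as "Bug.readRegisterPressure():::ENTER\nthis.checked == false"
// into the target method and the Java assertion to instrument at its entry.
public class InvariantInstrumenter {
    public static String[] toInstrumentation(String daikonRecord) {
        String[] lines = daikonRecord.split("\n", 2);
        String method = lines[0].replace(":::ENTER", "").trim();
        String assertion = "assert " + lines[1].trim() + ";";
        return new String[] { method, assertion };
    }
}
```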
3. Monitoring execution paths and program states. JPF executes the instrumented source
code and PlatoListener stores any assertion violations encountered, along with the
corresponding execution paths and backtracked states, into internal structures. In our example, we
recall from Figure 4 that the invariant this.TopLevelChartcount == 2.0 must be true each
time the execution enters the method Wait_for_stable_rate_100000203_exec(). An
example JPF-PlatoListener output is shown in Figure 5.
Figure 5: Example JPF-PlatoListener output
Example 3. Let us assume that Fig. 5 shows a path/transition at the beginning of the
Wait_for_stable_rate_100000203_exec() method. The invariant refers to a variable used in an
IF-statement and is therefore chosen for further analysis by PLATO’s filtering system. It must
be true every time the execution enters the rjc.Chart.Wait_for_stable_rate_100000203_exec()
method. However, it is clear from the memory read in Fig. 5 that the invariant is violated,
because TopLevelChartcount is equal to 1; this path thus violates the corresponding dynamic
invariant. An execution path with the same prefix was found to have TopLevelChartcount = 2.
This contradiction is flagged as a possible logical error.
4. Classifying violations of dynamic invariants.
Example 4. The assertion in Example 2 was found to be both enforced and violated in two
execution paths with the same prefix. The information gain along the path to the invariant
is then computed and the path is classified into Severity and Reliability ranks. These
calculations ultimately assigned a Risk rating of 3.5 out of 5 (High Risk) to this detection.
3.5.2 Experiment 1: real-world airline test from the SIR Object Database
The Software-artifact Infrastructure Repository (SIR) (Rothermel, 2006) is a repository of
software artifacts that supports controlled experimentation with program analysis and software
testing techniques (Do, 2005; Wright, 2010).
Our method was tested against a real-world AUT from the SIR repository, which exhibits
the characteristics of a multithreaded activity requiring arbitration. The AUT was a
multithreaded Java program for an airline to sell tickets.
The logical error. The logical error manifested in this example leads to a race condition
causing the airline application to sell more tickets than the available airplane seats. Each time
the program sells a ticket, it checks if the agents had previously sold all the seats. If yes, the
program stops the processing of additional transactions. Variable StopSales indicates that
all the available tickets were sold and that issuing new tickets should be stopped. The logical
error manifests when StopSales is updated by a selling agent while, at the same time, more
tickets are sold by the other running threads (agents). The AUT’s code is shown in Figures 6 and 7.
Figure 6: SIR AUT example code able to create i threads (agents) which sell tickets
Figure 7: Code: Make sale & check if limit was reached (update ”StopSales”)
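The essence of the flaw, a check-then-act race on StopSales, can be illustrated with the following deterministic sketch. This is not the SIR code: the interleaving is simulated explicitly, and identifiers are ours, whereas the actual program uses real threads.

```java
// Deterministic illustration (not the SIR code) of the race: two agents both
// read StopSales before either updates it, so a ticket is sold past capacity.
public class AirlineRaceSketch {
    static final int MAXIMUM_CAPACITY = 10;
    static int numOfSeatsSold = 9;
    static boolean stopSales = false;

    // Check phase: may this agent still sell?
    static boolean maySell() { return !stopSales; }

    // Act phase: sell one ticket and update StopSales if the limit is hit.
    static void sell() {
        numOfSeatsSold++;
        if (numOfSeatsSold >= MAXIMUM_CAPACITY) stopSales = true;
    }

    public static void main(String[] args) {
        boolean agentA = maySell();  // true: one seat left
        boolean agentB = maySell();  // also true: StopSales not yet updated
        if (agentA) sell();          // sells seat 10, sets stopSales = true
        if (agentB) sell();          // sells seat 11: more tickets than seats
        System.out.println(numOfSeatsSold + " / " + MAXIMUM_CAPACITY);
    }
}
```

The invariant NumOfSeatsSold <= MaximumCapacity, inferred by Daikon in Step 1-2 below, holds on interleavings where each check immediately precedes its sale, and is violated on the interleaving shown here.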
Figure 8: Airline sales: No of inferred invariants, chosen assertions and violations
PLATO’s analysis for this test returned the results shown in Figure 8. We now present in
detail the results obtained in the different steps of our workflow:
Step 1-2. There is only one function point to test. Daikon inferred the following invariant
amongst others:
NumOfSeatsSold <= this.MaximumCapacity
Step 3. Dynamic invariants were instrumented in the source code and the software was
symbolically executed in JPF. An assertion violation was detected for the method runBug():
two executions were found where the mentioned invariant was enforced and violated
respectively, thus implying a possible logical error.
Step 4. Our method classified the path in which the invariant assertion was violated with a
Severity = 5 score and a Reliability = 3, thus yielding a total Risk value of 4.5.
3.5.3 Experiment 2: Manipulating remote SCADA RTUs (logical error CWE 840)
This experiment involved a type of logical error included in NIST’s Juliet Test Suite (Boland,
2012) for evaluating static program analyzers and exploit detectors. The Juliet Test Suite is a
collection of over 81,000 synthetic C/C++ and Java programs with a priori known flaws. The
suite’s Java tests contain cases of 112 different CWE vulnerabilities. For our tests, we focus on
the type of vulnerabilities inside the collection that are classified as business logic
vulnerabilities (NIST’s broader CWE-840 group): Vulnerabilities that depend on logical errors
made by the programmer.
Tests selected from the collection are applications which include two methods: A bad()
method in which the logical error manifests and a good() method that implements a safe way
of coding, i.e. a true negative. Since the Juliet Test Suite is synthetic, we mark results
as true positive if there is an appropriate warning pinpointing the flawed (bad) method in the
code, or as false positive if the tool flags the non-flawed (good) part of the source code.
This is common practice in such tests (Okun, 2013).
The AUT used in this case study is real-world application software built on top of the
chosen synthetic test from NIST’s Juliet Test Suite. The developed software is able to handle
Remote Terminal Unit (RTU) machinery through SCADA systems in a sample critical
infrastructure. Specifically, it can open and close gas pipes according to pressure
measurements and control pressure valves through an RTU unit, using its communication
protocol.
To communicate with and control SCADA systems, the AUT uses a Java library for
communicating with SCADA equipment named JAMOD (W. D., 2015). JAMOD implements the
MODBUS protocol to connect software interfaces with RTUs in SCADA systems, using
registers that manipulate control circuits (coils, holding registers etc.). The code in Figures
9 and 10 shows sample parts of the AUT’s source code. Using this code, the AUT can be
used with real RTUs, like the L75 RTU unit, an RTU that provides remote control actuation
of quarter-turn valves and other rotary devices. It should be noted that, here, the RTU is not
responsible for failure realizations; the flaw manifests in the code controlling the RTU.
Tests in this experiment were carried out using a MODBUS simulator named MOD RSSIM
(PLCsimulator, 2014), since acquiring a fully operational SCADA control system was not
feasible. The simulator was originally created to allow testing of the Texas Instruments
500 MODBUS RTU serial driver without the need for physical equipment. It supports
MODBUS over TCP, which makes it ideal for testing purposes.
Figure 9: High-level code able to manipulate a gas shaft in an L75 RTU unit
Software-to-RTU command code – A realistic example. Let Coil 1 be the valve shaft
motion control circuit. A write data command with message ”FF00” either starts or continues
valve movement (if already moving). A write data command with message ”0000” will stop
valve movement. Other data values will return an exception response. Using this, the
hexadecimal version of the MODBUS command able to control and open gas pipes using the
function ”Write Coil” on bus 5 would be: 05, 05, 00, 00, FF, 00, 8D, BE.
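The trailing "8D, BE" bytes are the MODBUS RTU CRC-16 of the first six bytes (polynomial 0xA001, initial value 0xFFFF, appended low byte first). A minimal sketch of that checksum:

```java
// Standard MODBUS RTU CRC-16: init 0xFFFF, reflected polynomial 0xA001,
// appended to the frame low byte first.
public class ModbusCrc {
    // Returns {low, high} CRC bytes for the given MODBUS RTU frame payload.
    public static int[] crc16(int[] frame) {
        int crc = 0xFFFF;
        for (int b : frame) {
            crc ^= (b & 0xFF);
            for (int i = 0; i < 8; i++) {
                if ((crc & 1) != 0) crc = (crc >>> 1) ^ 0xA001;
                else crc >>>= 1;
            }
        }
        return new int[] { crc & 0xFF, (crc >>> 8) & 0xFF };
    }

    public static void main(String[] args) {
        // Write Coil (function 05) on bus 5, coil 0, value FF00:
        int[] cmd = { 0x05, 0x05, 0x00, 0x00, 0xFF, 0x00 };
        int[] crc = crc16(cmd);
        System.out.printf("%02X %02X%n", crc[0], crc[1]); // prints "8D BE"
    }
}
```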
The application tested in this case study works as follows: Each time an ”open” (FF00)
command is deployed, the application checks an RTU sensor to see if it can increase pipe
pressure by opening one more valve without reaching the pressure limits. If pressure levels are
too high, the AUT will send a ”close” (0000) command and will not open another pipe. If
pressure remains high, the AUT can send a second ”close” command to reduce pressure. Figure
9 above depicts the high-level instructions of the AUT that are used in the source code to control
the flow of a valve, using the aforementioned commands. When variable stopFlow is false,
an ”open valve” request is sent; otherwise, a ”close valve” request is sent.
The logical error that manifests in this AUT is a real-world error taken from (Boland, 2012)
and also classified in NIST’s vulnerability database (CWE, 2015).
The logical error: The control system must not utilize more than a specific number of gas
pipes, otherwise high pressure could cause a rupture, leaks, or even a failure of the entire
distribution system. Each time the program sends a request to open a valve, it must check
whether the pressure in the pipes has reached the maximum. If it has, it should stop the flow.
Variable stopFlow controls this functionality. Inside the AUT’s source code, the logical error
manifests at the part where the boolean variable stopFlow is updated. The software checks a
pressure sensor to see if it should allow a further increase in gas pressure. This check
should take place each time a valve shaft is ordered to open. Yet, more pipes than the
allowed maximum can be opened, by bypassing the aforementioned pressure check using
alternate execution routes. This happens due to state information that remains stale in
objects (i.e. there is a sequence of actions in which the variable stopFlow is not updated properly).
To better understand this execution deviation, refer to Fig. 10. Due to an erroneous
initialization of the variable checked, the control-flow statement at line 6 (if (checked)) can be
bypassed if two consecutive ”increase flow” instructions are sent within 3 to 4 seconds (i.e.
before the connection resets).
Figure 10: Source code example - Checks imposed to handle pressure limits
We deployed our method on this AUT and analyzed the execution of the aforementioned
scenario for handling pressure in pipes. Figure 11 depicts the invariant violations and
overall statistics of the experiment.
Figure 11: CWE 840-RTU: No of inferred invariants, chosen assertions and violations
The results for each step were the following (only output concerning the flaw is presented
due to space limitations):
Step 1. Functionality in this example has two flows currently available:
Exec choice(1), Exec choice(2).
Exec choice(2), Exec choice(1), Exec choice(2).
Step 2. Dynamic analysis of flows yielded 40 dynamic invariants for the selected
functionality. Amongst them, the following invariant refers to a hidden logical error:
Bug.readRegisterPressure():::ENTER
this.checked == false
meaning that, upon entering execution of method readRegisterPressure(), variable checked
should always be FALSE.
Step 3. Dynamic invariants were instrumented inside the source code at their corresponding
points and the software was executed symbolically. An assertion violation was detected for
method readRegisterPressure(): two executions were found in which the variable checked had
a TRUE and a FALSE value respectively, thus violating the invariant assertion from Step 2 and
implying a logical error.
Step 4. Our tool classified this invariant with Severity = 5 (due to source code instructions
manipulating SCADA commands, namely .sendRequest() and WriteSingleRegister) and
Reliability = 2, thus yielding a total Risk value of ~3.5 (High Risk) for the specific dynamic
invariant and its variable.
3.5.4 Experiment 3: Real-world injection test - NASA’s Apollo Lunar Lander controller
To further validate PLATO’s effectiveness, we performed a third experiment in which we
injected two faults into a real-world application; namely, NASA’s Reaction Jet Control (RJC)
application, developed to handle NASA equipment. A malformed Java object was created and
initialized with an invalid value. Injecting the object into the code changed the AUT’s
execution flow from its intended path to an erroneous one based on the malformed values,
thus causing a logical error in some executions.
Our approach was based on recent results from research on fault injection, which show that
the key issue when injecting software faults is fault representativeness (Natella, 2013): there is
a strong relationship between fault representativeness and fault locations, rather than between
fault representativeness and the various types of faults injected. To pinpoint source code
methods into RJC with relatively high representativeness, we used common software
engineering metrics:
Fault-load representativeness can be achieved by looking at the following metrics: Lines of
Code and Cyclomatic Complexity, which represent, respectively, the number of statements and
the number of paths in a component (Natella, 2013). The Average Methods per Class metric
counts the number of methods defined per type in all Class objects. A high score on this metric benefits
these experiments since method invocation paths will be more complex and, therefore, likely
more error-prone. This metric synergizes well with Cyclomatic Complexity in the RJC
experiments. With the above-mentioned metrics, we detected methods in RJC that have high
representativeness and then injected logic errors into them. For our analysis, we used the tool
CodePro Analytix from Google. More specifically, we evaluated the system behavior when one
of its components is faulty and not the behavior of the faulty component itself. We did not
consider additional metrics, as metrics tend to correlate with each other. On the other hand, the
used metrics suffice in order to detect key points in the source code for fault injection (Natella,
2013).
                                   Lines of   Cyclomatic   Average methods
                                   Code       Complexity   per Type
Rjc.Chart.java                     10.48      3.31         29
Rjc.Chart_1.java                   13.68      3.31         29
Rjc.Chart_2.java                   13.68      3.31         29
Rjc.Reaction_Jet_Control0.java     99.50      7.50         2
Rjc.Reaction_Jet_Control1.java     85.50      7.50         2
Table 7: Highest metric scores for NASA’s RJC
As we can see in the table above, these five classes have the highest ratings in the RJC source
code. The ReactionJetControl classes have the highest Lines of Code and Complexity
values. Yet, their average methods per type are significantly low. Also, they have no execution-
defining branch statements in their code able to divert the execution of RJC. To this end,
we decided to inject the faulty values of an object controlling an injected control-flow statement
(IF-statement) in the rjc.Chart.Wait_for_stable_rate_100000203_exec()
method of Chart.java.
Figure 12: RJC Fault injection: No of inferred invariants, chosen assertions and violations
JPF provided the needed execution data to PLATO in order to cross-check the Daikon-generated
dynamic invariant assertions. As we can see in Fig. 12, 6,539 execution paths satisfied the
invariant ”TopLevelChartcount == 2”, while one injected path violated it.
PLATO went through all the steps of the algorithm: RJC had only one functionality to test
in its source code (Step 1). PLATO detected the dynamic invariants, instrumented the code
with the most critical ones, executed RJC symbolically and detected an assertion violation for
both fault injections (Steps 2 and 3). PLATO’s Fuzzy Logic system classified the
logical error with the following ratings: Severity = 2, Reliability = 1. This is consistent,
since this logical error was injected into the control flow, meaning that it is unrelated to the
surrounding code. PLATO detected that this execution path contained no high-Severity
instructions, nor was it ”unreliable” enough (very few control flow locations), and thus ranked the detection with low
Reliability too. The low overall Risk output (Low Risk values around 1.7) suggested
that this detection could be of minor significance, as it indeed was.
A total of 6,240 control flow locations (such as if-statements) were gathered and analyzed
from symbolic execution. Also, 515,854 method invocations and variable Store and Invoke
instructions were processed. The injected paths had 8,064 comparisons. Before injection, all
8,064 paths were found to satisfy the rule. As mentioned earlier, after injection, three paths
were found having different states (variable TopLevelChartcount had different values while
entering and exiting method exec()). Both injected faults were discovered and all possible
deviated execution paths were detected.
3.6 Discussion and comparisons
Comparison with related methodologies and tools
Flaws in source code can be divided into many different types and categories. The
CWE vulnerability taxonomy (Martin, 2008), which is co-sponsored by the Office of
Cybersecurity and Communications at the U.S. Department of Homeland Security, includes multiple
categories of logic vulnerabilities that can manifest in AUT source code (e.g. CWE-840, CWE-
438 etc.). Our method can be seen as a hybrid. It shares some characteristics with common
static analyzers that look for bugs (such as execution path analysis, AST trees etc.); PLATO
essentially utilizes an entire model checker (JPF), which it extends and uses for its own purposes.
Yet, the method is also partially dynamic. It is based on live executions of source code and the
need for a complete and sound observation of the entire AUT functionality, if it is to
produce dynamic invariants that reflect the AUT’s business logic.
The biggest contribution is differentiation: most static analysis tools are pattern-specific; for
example, FindBugs and other similar tools have shown a rather high detection rate when it
comes to pattern-specific, a priori known flaws (Rutar, 2004), but none is able to detect logical
errors due to erroneous implementation. Since PLATO’s method essentially implements a
higher-level source code analysis, it can easily be combined with tools that detect flaws at
a purely pattern-specific, source code level. Ideally, PLATO could receive input from these
tools to use as classifiers for its Reliability fuzzy logic function, in an effort to increase the
reliability of its detections. Other approaches (like JPF) allow for the detection of race
conditions, bottlenecks and errors using model checking, but still fall short in the detection of
logical errors. For these tools, the best-case scenario is that they may detect some
flaws that result from logical errors (e.g. race conditions), albeit using a completely
different detection method. Yet, they will miss other flaws or vulnerabilities that stem from
logical errors. Our method detects a superset of these types of errors.
3.7 Advantages and Limitations
One of our method’s limitations is the need for input data from live executions of AUTs while
Daikon infers the likely dynamic invariants. This is an inherent problem in all empirical
methods, since empirical approaches rely on repetitive observations to form rules. Our method
does not model the business logic of AUTs using formal methods, but rather depends on
the soundness of the likely dynamic invariants provided by Daikon and the various executions
of the AUT. PLATO assumes that it can detect and evaluate the impact of logical errors based
on these properties.
Although empirical methods are often criticized for the lack of sound foundations in software
engineering, it is obvious that, in order for a tool to detect flaws in the logic of applications, it
needs to somehow model knowledge that reflects the intended functionality of each AUT.
Business logic artifacts such as OWL, XBRL etc. fail to adequately describe the full extent of
the practical implementation of an algorithm behind an AUT’s functionality. It is difficult to
use them to automatically parse full sets of logical rules effectively. Also, more often than not,
their use is not widespread amongst developers, and even those who do use models like OWL
and XBRL often fail to follow a common strategy that can be easily analyzed by a parser. This
makes it difficult for a tool to use these kinds of artifacts as input to describe the intended
functionality of an AUT. Yet, at the current stage of development, Daikon has repeatedly
proven to be a mature tool for inferring dynamic invariants (Ernst, 2007). Also (provided that
it is executed in the correct manner and that it covers the entire functionality of an AUT),
Daikon’s output does reflect the AUT’s intended functionality, since its dynamic invariants are
properties that were true over the observed executions. PLATO’s results reinforce this notion.
The second limitation of this method is the need for targeted AUT functionality analysis. If
PLATO were to examine AUTs of thousands of source code lines in their entirety, problems
would arise, mostly due to JPF’s inability to handle large, complex applications and also due
to state explosion. Breaking large applications down into separate functionalities and testing
each one at that granularity level can mitigate this.
3.8 Summary
The detection of logical errors in the source code of applications is a tedious and difficult
process, which requires experience and time. Logical errors and, generally, flaws inside the
source code implementation of the business logic of an application can lead to serious
vulnerabilities that can cause failures in important machinery of various critical infrastructures.
Based on the above notion and our tests using PLATO, we drew some significant conclusions:
• PLATO can indeed detect logical errors in applications within reasonable limits on the size
and complexity of AUTs, something no other tool could claim at the time this was written.
• Results have shown that this method goes beyond logical error detection and can provide
valid detections of other types of flaws that can cause failures in Critical Infrastructures. The
unexpected detection of race conditions in one of our experiments, although an unintended
side effect, proved this to be the case. As shown in previous results, limiting a variable’s
value in an airplane ticket store not only led to a logical error that was essentially a race
condition flaw, but also to a logical vulnerability that could lead the airline to sell more
tickets than its seats.
• Logical errors must be detected using deductive reasoning, not inductive, because
logical errors can manifest in widely different contexts. For example, a race condition can lead
to a logical vulnerability and is indeed a subtype of logical programming errors, but it can also
lead to other types of errors (null pointer exception, division by zero etc.) or even to no errors
at all. So, detecting known types of errors (like race conditions) and using inductive reasoning
to classify them as logical vulnerabilities is not a reliable classification tactic. Instead, PLATO’s
deductive approach not only detects various different types of logical errors but can also
provide insight into the impact of each error, which is context-specific.
• Since results showed that this method can detect a wide variety of errors, it is now possible
to compare different detection methods, output convincing arguments concerning the detection
rates and provide new methods to detect common flaws that might be less resource-intensive.
We consider this for our future work.
Chapter 4: Risk Mitigation Strategies for Critical
Infrastructures Based on Graph Centrality
Analysis
4.1 Introduction
Analyzing (inter)dependencies between Critical Infrastructures (CIs) is a key factor for Critical
Infrastructure Protection, since CI dependencies may allow a seemingly isolated failure on a single CI
to cascade to multiple CIs. One way to analyze CI dependencies is by using Dependency Risk
Graphs, i.e. graphs in which the nodes represent (modules of) CIs and the directed edges
represent the potential risk that the destination node may suffer due to its dependency on the
source node, in case a failure is realized at the source CI. In our previous work
(Kotzanikolaou, 2013; Theocharidou, 2013; Theocharidou, 2011), we have proposed a
risk-based methodology that can be used to assess
the cumulative risk of dependency risk paths, i.e. of chains of CI nodes which are
(inter)connected due to their dependencies. Our methodology uses as input the existing risk
assessment results from each CI operator and, based on the 1st-order dependencies between the
CI nodes, it assesses the potential risk values of all the n-order dependency risk chains. By
computing and sorting all the dependency risk paths, the assessor may identify the most critical
dependency chains, by identifying all potential dependency risk paths with a cumulative risk
above a predefined threshold.
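A minimal sketch of the cumulative risk computation over a single dependency chain, assuming each edge carries a cascade likelihood and an impact on its destination node (this is one common formulation; the exact formula is given in (Kotzanikolaou, 2013)):

```java
// Sketch of the n-order dependency risk of a chain Y0 -> Y1 -> ... -> Yn.
// Assumption: likelihoods[i] is the likelihood that a failure cascades over
// edge i, and impacts[i] is the impact on the destination node of edge i.
// Cumulative risk = sum over i of (product of likelihoods up to i) * impact_i,
// so higher-order terms are damped by every likelihood along the chain.
public class DependencyRisk {
    public static double chainRisk(double[] likelihoods, double[] impacts) {
        double risk = 0.0;
        double cascadeLikelihood = 1.0;
        for (int i = 0; i < likelihoods.length; i++) {
            cascadeLikelihood *= likelihoods[i];
            risk += cascadeLikelihood * impacts[i];
        }
        return risk;
    }

    public static void main(String[] args) {
        // Two-edge chain: 0.5 * 6.0 + (0.5 * 0.4) * 8.0
        double r = chainRisk(new double[] { 0.5, 0.4 }, new double[] { 6.0, 8.0 });
        System.out.println(r);
    }
}
```

Sorting all such chain risks and keeping those above a threshold yields the most critical dependency chains described above.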
Although the identification of the most important dependency chains is an important step
towards efficient risk mitigation, there are still open problems. A simple mitigation strategy
would be to apply security controls at the root node of each critical dependency chain. However,
this may not always be a cost-effective strategy, since there are cases of nodes whose effect is
not properly measured. For example, consider the case where a small subset of nodes (not
necessarily being roots of the critical chains) exists that affects a large number of critical
dependency paths. Decreasing the probability of failure in these nodes by selectively applying
to them security controls, may have a greater overall benefit in risk reduction. Another example
is when nodes of high “importance” exist outside the most critical dependency paths; for
example, nodes that may concurrently affect many other nodes which belong to the set of the
most critical paths, or nodes that do affect the overall dependency risk of the entire
structure/graph.
Motivation. Existing risk mitigation methodologies are usually empirical, and they focus on
CIs which are possible initiators of cascading failures and usually belong to specific sectors,
such as Energy and ICT. By studying actual large-scale failures, it is obvious that these two
sectors often initiate serious cascading effects amongst interdependent CIs (e.g. the famous
California blackout scenario or the recent New York blackout scenario of 2015). However,
focusing only on some sectors and on potential initiators may not be suitable in every case.
The impact of each dependency should be taken into account, together with the position of
each CI within a network of interdependent CIs.
The systematic identification of the most important nodes and the prioritization of nodes for
the application of security controls can therefore be a complex task. The need for a high-level
and efficient risk mitigation technique, which takes into account multiple characteristics of the
interdependent CIs, is a well-known fact (Kotzanikolaou, 2011). An optimal risk mitigation
methodology would allow the detection of the smallest subset of CIs that have the highest effect
on the overall risk reduction on a risk graph, even though the candidate nodes might not initiate
a critical path or may not even belong to the most critical paths.
Contribution. Towards this
direction, in this paper we explore the use of graph centrality metrics in Dependency Risk
Graphs, in order to effectively prioritize CIs when applying risk mitigation controls. Our goal
is to design, implement and evaluate the effectiveness of alternative risk mitigation strategies.
Each examined mitigation strategy is implemented algorithmically and it is empirically
evaluated through simulations. The ultimate goal is to identify the minimum subset of CI nodes
within a graph, whose risk treatment (application of security controls) would result in the
maximum risk reduction in the entire graph of interdependent CIs. Our extensions are threefold:
(a) We run various data mining experiments to identify correlations between centrality metrics
and CI nodes that have high impact in a dependency risk graph; (b) We use the optimum
centrality metrics, as identified in the previous step, in order to develop and test various risk
mitigation strategies that maximize risk reduction. Results show that each mitigation strategy
is most effective in achieving specific goals; (c) We take into consideration nodes with a high
number of inbound (sinkholes) and outbound connections and compare risk reduction results.
In order to validate the proposed mitigation strategies, we run experiments on hundreds of
random graphs with randomly selected dependencies. These tests demonstrate the efficiency of
the proposed risk mitigation strategies. All random graphs match criteria found in real-world
CI graphs of interconnected infrastructures. The proposed mitigation strategies can be used as
a proactive tool for the analysis of large-scale dependency infrastructure interconnections and for pinpointing underestimated infrastructures that are critical to the overall risk of a dependency
graph.
4.2 Building Blocks
Our methodology will be based on three main building blocks: (i) dependency risk graphs
and the multi-risk dependency analysis methodology, in order to model cascading failures; (ii) graph centrality analysis over dependency risk graphs; and (iii) feature selection techniques in
order to evaluate the effect of various centrality metrics in risk mitigation. We briefly describe
these building blocks.
4.2.1. Multi-risk dependency analysis methodology
Dependency can be defined as “the one-directional reliance of an asset, system, network, or
collection thereof –within or across sectors– on an input, interaction, or other requirement from
other sources in order to function properly” (U.S. Department of Homeland Security, 2013).
Our work extends the dependency risk methodology of (Kotzanikolaou, 2013), used for the analysis of multi-order cascading failures.
4.2.1.1. First-order dependency risk
In (Kotzanikolaou, 2013), the 1st-order dependencies between CIs are initially identified and then extended to model the n-order relations. Each dependency from a node CIi to a node CIj is assigned an impact value, denoted as Ii,j, and the likelihood
Li,j of a disruption being realized. The product of the last two values defines the dependency
risk Ri,j caused to the infrastructure CIj due to its dependency on CIi. Dependencies are
visualized through graphs G = (N, E), where N is the set of nodes (or infrastructures or
components) and E is the set of edges (or dependencies). The graph is directional and the
destination CI is receiving a risk from the source CI due to its dependency.
4.2.1.2. Extending to n-order dependency risk
Let ℂ𝕀 = (CI1, ... CIm) be the set of all the examined infrastructures. The algorithm examines
each CI as a potential root of a cascading effect. Let CIY0 denote a critical infrastructure
examined as the root of a dependency chain and CIY0 → CIY1 → ... → CIYn denote a chain of
length n. Then the algorithm computes, for each examined chain, the cumulative Dependency
Risk of the n-order dependency chain as:
\[ DR_{Y_0,\dots,Y_n} \;=\; \sum_{i=1}^{n} R_{Y_0,\dots,Y_i} \;\equiv\; \sum_{i=1}^{n} \Bigg( \prod_{j=1}^{i} L_{Y_{j-1},Y_j} \Bigg) \cdot I_{Y_{i-1},Y_i} \qquad (1) \]
Informally, equation 1 computes the dependency risk contributed by each affected node in
the chain, due to a failure realized in the source node. The computation of the risk is based on
a risk matrix that combines the likelihood and the incoming impact values of each vertex
in the chain. Interested readers are referred to (Kotzanikolaou, 2013) for a detailed analysis.
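As a minimal illustrative sketch (not the authors' implementation), equation 1 can be computed for a single chain as follows; the dictionaries `L` and `I`, holding per-edge likelihood and impact values, are assumed names:

```python
def chain_dependency_risk(chain, L, I):
    """Cumulative dependency risk DR of a chain [Y0, Y1, ..., Yn] (equation 1).

    L[(a, b)] is the likelihood that a failure in a cascades to b;
    I[(a, b)] is the impact on b due to its dependency on a.
    """
    total = 0.0
    likelihood = 1.0
    for j in range(1, len(chain)):
        prev, cur = chain[j - 1], chain[j]
        likelihood *= L[(prev, cur)]          # product of likelihoods up to hop j
        total += likelihood * I[(prev, cur)]  # partial risk contributed by hop j
    return total
```

For example, for a chain A → B → C with likelihoods 0.5 and 0.4 and impacts 10 and 5, the cumulative risk is 0.5·10 + 0.5·0.4·5 = 6.0.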
4.2.2. Graph centrality metrics
Graph centrality analysis attempts to quantify the position of a node in relation to the other
nodes in a graph. In other words, graph centrality metrics are used to estimate the relative
“importance” of a node within a graph. Various centrality metrics are used, each of them
measuring a different characteristic:
Degree centrality measures the number of edges attached to each node. Given a node u,
degree centrality is defined as: Cd(u) = deg(u), where deg(u) is the total number of its
outgoing and ingoing edges.
Closeness centrality quantifies the intuitive “central” or “peripheral” placement of a node
in a two-dimensional region, based on geodesic distances. It is defined as: \( C_C(u) = \sum_{\forall v \in V(G)} \delta(u, v) \), where δ(u,v) is the shortest-path (geodesic) distance between the examined node u and node v in the graph.
Betweenness centrality measures the number of paths a node participates in, and is defined as: \( C_b(u) = \sum_{u \ne i \ne j \in V} \delta_{ij}(u) \), where \( \delta_{ij}(u) = \sigma_{ij}(u) / \sigma_{ij} \). Here, σij(u) denotes the number of shortest paths from i to j on which node u lies and σij the total number of shortest paths from i to j.
Bonacich (Eigenvector) centrality (Bonacich, 1987) attempts to measure the influence of a node in a network as: \( c_i(\alpha, \beta) = \sum_j (\alpha + \beta c_j) R_{ij} \), i.e., in matrix form \( c(\alpha, \beta) = \alpha (I - \beta R)^{-1} R \mathbf{1} \), where α is a scaling factor, β reflects the extent to which centrality is weighted, R is the node adjacency matrix, I is the identity matrix and 1 is a column vector of ones. An adjacency matrix is an N×N matrix with values of 1 if there is an edge between two nodes and 0 otherwise.
Eccentricity centrality is similar to closeness centrality. Essentially, it is based on the greatest of the shortest-path (geodesic) distances between u and any other vertex.
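For illustration, most of these metrics are available in standard graph libraries; the sketch below (assuming the `networkx` package, with a toy graph and hypothetical CI node names) computes them for a small directed dependency graph. Katz centrality is used here as a closely related stand-in for Bonacich centrality with β > 0.

```python
import networkx as nx

# Toy directed dependency graph; node names are hypothetical CIs.
G = nx.DiGraph([("Energy", "ICT"), ("Energy", "Water"),
                ("ICT", "Finance"), ("Water", "Health")])

degree = nx.degree_centrality(G)                   # (in + out) degree, normalized by n - 1
closeness = nx.closeness_centrality(G)             # based on shortest-path distances
betweenness = nx.betweenness_centrality(G)         # fraction of shortest paths through a node
katz = nx.katz_centrality(G, alpha=0.1)            # related to Bonacich centrality (beta > 0)
eccentricity = nx.eccentricity(G.to_undirected())  # greatest geodesic distance per node
```

In this toy graph, the "Energy" node has the highest degree centrality (two outgoing dependencies), while "ICT" has non-zero betweenness because it lies on the only path from "Energy" to "Finance".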
4.2.3. Feature selection
Feature selection (also called variable selection or attribute selection) is used in data mining
for the automatic selection of attributes in a dataset that are most relevant to a predictive
modeling problem. Feature selection is critical for the effective analysis of characteristics in
datasets, since datasets frequently contain “redundant” information that is not necessary to
build a predictive model (Microsoft, 2015). It increases both effectiveness and efficiency, since
it removes non-informative terms according to corpus statistics (Yang, 1997).
In our case, we will explore centrality metrics as potential features in a dependency risk
graph. Our predictive goal is to detect which features (i.e. centrality metrics) are able to
characterize nodes that mostly affect the cumulative risk of dependency paths. This model will
identify which centrality metrics are the most useful (i.e. provide the most information) about
whether a CI node greatly affects the overall risk on a graph or not. The various centrality types
are ranked lower if they are common in both the so-called positive set (nodes that have a high effect on the risk) and the negative set (nodes with low impact on risk paths). The features are
ranked higher, if they are effective discriminators for a class. Our feature selection tests will
use two well-known selection techniques, namely Information Gain and Gain Ratio.
Information Gain (Abramson, 1963) is a statistical measure that has been successfully
applied for feature selection in information retrieval. Authors in (Glover, 2001; Ugurel, 2002)
used this algorithm for feature selection before training a binary classifier. This technique will
be used to classify high centrality metrics in nodes, in an effort to distinguish, which centrality
metrics tend to appear often in nodes that greatly affect the cumulative risk of graphs. Gain
Ratio is a variation of the Information Gain algorithm. The difference is that the Information
Gain measure prefers to select attributes having a large number of values (Karegowda, 2010).
Gain Ratio overcomes this bias by taking into consideration the statistical appearance of a
feature in both the negative and positive sets (i.e. if a specific centrality metric is detected only rarely in dangerous CI nodes but is never found in safe nodes, it will have a rather low Information Gain rank but a very high Gain Ratio one). We use this technique to pinpoint
(combinations of) Centrality metrics that might scarcely appear in graphs, yet significantly
affect the cumulative risk in paths when present.
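To make the two measures concrete, the following sketch computes Information Gain and Gain Ratio for a single binary feature (e.g. “node belongs to a high-centrality subset”) over a set of nodes labeled dangerous/safe; the counts and names are illustrative, not taken from our experiments:

```python
import math

def entropy(pos, neg):
    """Shannon entropy of a two-class distribution with the given counts."""
    total = pos + neg
    h = 0.0
    for c in (pos, neg):
        if c > 0:
            p = c / total
            h -= p * math.log2(p)
    return h

def info_gain_and_ratio(with_feature, without_feature):
    """Each argument is a (dangerous, safe) count pair for one branch
    of the binary feature split. Returns (Information Gain, Gain Ratio)."""
    pos = with_feature[0] + without_feature[0]
    neg = with_feature[1] + without_feature[1]
    total = pos + neg
    ig = entropy(pos, neg) - sum(
        (p + n) / total * entropy(p, n) for p, n in (with_feature, without_feature))
    # Split information: entropy of the branch sizes themselves,
    # which penalizes skewed or fragmented splits.
    split_info = entropy(sum(with_feature), sum(without_feature))
    return ig, (ig / split_info if split_info > 0 else 0.0)
```

For instance, `info_gain_and_ratio((8, 2), (2, 8))` yields an Information Gain of about 0.278; since the two branches are equally sized, the split information is 1 and the Gain Ratio coincides with the Information Gain in this balanced case.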
4.3 Exploring Centrality Metrics in Dependency Risk Graphs
We will explore the effect of centrality metrics on the “importance” of nodes in dependency
risk graphs. Recall that in such graphs the edges denote directed risk relations between nodes,
and not topological connections. Intuitively, nodes with high centrality measures are expected
to have a high effect in the overall dependency risk. The question that needs to be answered is
which centrality metrics have the highest effect on risk propagation. Then, the nodes that are
exhibiting the highest values of these centrality metrics will be good candidates for the
implementation of risk mitigation controls. An algorithm capable of identifying these nodes
will be able to design a cost-effective risk mitigation strategy.
4.3.1. Analysis of centrality metrics
We will examine each centrality metric in dependency risk graphs, in order to analyze its
effect to the overall risk.
4.3.1.1. Degree centrality
A node with high degree centrality is a node with many dependencies. Since the edges in risk
graphs are directional, the degree centrality should be examined for two different cases (Luiijf,
2009):
Inbound degree centrality, i.e. the number of edges ending to a node. A high inbound degree
centrality would indicate nodes known as cascading resulting nodes.
Outbound degree centrality, i.e. the number of edges starting from a node. This is an
indication of a cascading initiating node.
Nodes with high inbound degree centrality in a risk graph are natural “sink-hole” points of
incoming dependency risk. Nodes with high outbound degree centrality seem to be suitable
nodes to examine, when prioritizing mitigation controls. Indeed, if proper mitigation controls
are applied to such nodes, then multiple cumulative dependency risk chains will simultaneously
be reduced.
Such a strategy could be a much more cost-effective alternative to a mitigation strategy aiming at applying controls to particular high-risk edges or high-risk paths. Obviously, it is not
certain that applying one or more security controls to a node with high outbound degree
centrality, will positively affect many (or all) outgoing dependencies chains using this node.
However, a mitigation strategy would benefit if it were to initially examine such possible
security controls.
4.3.1.2. Closeness centrality
Nodes with high closeness centrality are nodes that have “short” average distances from most
nodes in a graph. In the case of a dependency risk graph, nodes with high closeness are nodes
that tend to be part of many dependency chains and sometimes might even initiate them. Since cascading effects tend to affect relatively short chains (empirical evidence indicates that cascades rarely propagate deeply (Eeten, 2011)), intuitively, nodes with high closeness centrality will have a bigger effect on the overall risk of the dependency chains than nodes with low closeness centrality. To formalize this, consider equation 1 used to compute the cumulative risk of a dependency chain: the closer a node is to the initiator of a cascading event, the greater its effect on the cumulative dependency risk, since the likelihood of its outgoing dependency affects all the partial risk values of the following dependencies (edges).
A more effective way to exploit closeness centrality in mitigation decisions is to compute the
closeness of every node with respect to the subset of the most “important” initiator nodes.
Regardless of the underlying methodology, the risk assessors will already have an a priori
knowledge / intuition of the most important nodes for cascading failure scenarios. For example,
empirical results show that energy and ICT nodes are the most common cascade initiators
(Eeten, 2011). In addition, nodes with high outgoing degree centrality will probably be nodes
that participate in multiple dependency risk chains. Thus it is possible to first identify the subset
of the most important nodes for cascading failures and then compute the closeness of all others
in relation with this subset of nodes, as a secondary criterion for mitigation prioritization.
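This secondary criterion can be sketched as follows (assuming `networkx`; the function name and the choice of average distance are illustrative assumptions): for each node, compute the average shortest-path distance to a chosen subset of initiator nodes.

```python
import networkx as nx

def closeness_to_initiators(G, initiators):
    """Average shortest-path distance from each node to the reachable
    initiator nodes; lower values suggest a higher mitigation priority."""
    U = G.to_undirected()
    scores = {}
    for u in U.nodes:
        dists = [nx.shortest_path_length(U, u, s)
                 for s in initiators if nx.has_path(U, u, s)]
        scores[u] = sum(dists) / len(dists) if dists else float("inf")
    return scores
```

Nodes could then be ranked in ascending order of this score, after the primary criteria discussed above have been applied.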
4.3.1.3. Eccentricity centrality
Similar to closeness centrality, this is a measure of the centrality of a node in a graph based on having a small maximum distance from the node to every other reachable node. Here, the maximum distance is the greatest distance detected among all shortest paths between v and any other vertex (its geodesic eccentricity). If the eccentricity centrality of a CI node is high, then all other CI nodes are in close proximity.
4.3.1.4. Betweenness centrality
In a dependency risk graph, a node with high Betweenness centrality will lie on a high
proportion of dependency risk paths. This means that even though such nodes may not be
initiating nodes of a cascading failure (high outbound centrality) or may not belong to a path
with high cumulative dependency risk, they tend to “contribute” to multiple risk paths and thus
play an important role to the overall risk. Applying mitigation measures to such nodes (in the
form of security controls) will probably decrease the dependency risk of multiple chains
simultaneously.
Comparing closeness centrality with Betweenness centrality, it seems that closeness should
precede Betweenness as a mitigation criterion. Although nodes that are between multiple paths
will eventually affect multiple chains, it is possible that a node lies in multiple paths but tends to be at the end of the chain, practically not affecting the cumulative dependency risk of the chain (recall that high-order dependencies are rarely realized).
4.3.1.5. Bonacich (Eigenvector) centrality
A node with high Bonacich (Bonacich, 1987) (eigenvector) centrality is a node that is
adjacent to nodes with very high or very low influence, depending on whether variable β is β >
0 or β < 0. In a risk dependency graph, we are interested in nodes with high eigenvector
centrality where β > 0, since these nodes are connected to other nodes which also have high
connectivity. This is an interesting measure for CI risk graphs, as such nodes not only can cause
cascading failures to more nodes, but they can cause multiple cascade chains of high risk. In contrast, a less connected node shares fewer dependencies with other nodes.
Only specific nodes in the graph affect it. This means that applying mitigation measures to such a node may not significantly affect the overall risk. On the contrary, if one applies mitigation controls to a node with high Eigenvector centrality (when β > 0), the most powerful (or critical) node is modified and this, in turn, affects several other important nodes.
4.3.2. Applying feature selection to classify centrality metrics
In order to validate our intuitive analysis of centrality metrics in dependency risk graphs,
described in section 4.3.1, we will use a data mining technique named feature selection to
empirically study possible relations between the risk level of nodes in dependency paths (as
assessed using the aforementioned methodology from (Kotzanikolaou, 2011)) and the various
centrality metrics for nodes. This experiment will show how often nodes concurrently appear in: (a) the set of the most critical paths (i.e., the paths with the highest cumulative dependency risk value) and (b) the sets of nodes with the highest centrality values in a dependency risk graph.
For our experiments, we simulated graphs that were randomized based on restrictions
proposed in recent empirical studies (Luiijf, 2009; Eeten, 2011), in order to resemble CI
dependencies based on real data. In particular:
Occasional tight coupling. Some node relationships in the dependency risk graph are
selected to have high impact values. To achieve this, in our experiments randomization
applies random risk values with relatively high lower and upper likelihood and impact
bounds.
Interactive complexity. In reality, dependencies between CIs have high interactive
complexity. Informally, this implies that we cannot foresee all the ways “things can go
wrong”. In our experiments, we constructed random graphs of 50 nodes with high
complexity; the critical paths up to 4th-order dependencies have possible combinations
ranging from 230,300 to 2,118,760 chains.
Number of dependencies. We randomly simulated CI nodes having from 1 to 7 connections
(dependencies).
Path length. Critical paths of length 3 to 4 hops are used.
Number of initiators. More than 60% of the nodes in the graph act as initiators.
Connectivity of initiators. In our experiments, the initiators tend to have higher connectivity
than the other nodes.
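A generator respecting these restrictions could look like the following sketch; the parameter ranges and edge attribute names are illustrative assumptions, not the exact generator used in our experiments. The 1-to-7 connections are modeled here as outgoing dependencies.

```python
import random
import networkx as nx

def random_ci_graph(n=50, seed=None):
    """Random dependency risk graph: 1-7 outgoing dependencies per node,
    with an occasional tightly coupled (high likelihood/impact) edge."""
    rng = random.Random(seed)
    G = nx.DiGraph()
    G.add_nodes_from(range(n))
    for u in range(n):
        targets = rng.sample([v for v in range(n) if v != u], rng.randint(1, 7))
        for v in targets:
            tight = rng.random() < 0.2  # occasional tight coupling
            G.add_edge(u, v,
                       likelihood=rng.uniform(0.6, 0.9) if tight else rng.uniform(0.1, 0.5),
                       impact=rng.uniform(7, 10) if tight else rng.uniform(1, 6))
    return G
```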
In our experiments we used the Weka tool (version 3.6), available at http://www.cs.waikato.ac.nz/ml/weka/. All experiments were conducted using Weka’s implementation of the Information Gain and Gain Ratio feature selection algorithms, using the program’s “Attribute Selection Ranker” to rank output results.
4.3.2.1. Results of feature selection for centrality metrics
We analyzed a dataset of 32,950 nodes extracted from about 700 graphs containing a total of 774,015,270 paths. Dependency graphs were created with the aforementioned restrictions.
Feature selection algorithms were used to detect correlations between high centrality metrics
and CI nodes that greatly affect the overall risk.
Weka’s output rankings provide insight into how high centrality features characterize
dangerous nodes that affect the risk in top critical paths. Detailed output values for each test are
presented in Tables 8 and 9. Table 8 depicts the output from the Information Gain algorithm, whereas Table 9 provides the Gain Ratio output:
Table 8. Weka’s output ranking using the Information Gain algorithm
Table 9. Weka’s output ranking using the Gain Ratio algorithm
Tests are divided into two sets: Inbound tests and Outbound tests. The difference between
the two is that Inbound tests use Inbound Degree Centrality measures whereas Outbound tests
compute everything using Outbound Degree Centrality measures. Results from Weka provided
valuable information as to how nodes with high centrality values affect dependency risk graphs:
1. The number of critical paths that had at least one node with high centrality measurements is very high: an average of 74.4% of the most critical paths in all graphs contained a node with at least one high centrality metric. This percentage increased dramatically to 99.9% for the top 10% of most critical paths, which leads to the conclusion that the top 10% of paths frequently pass through the same nodes as the top 1% of paths. If we analyze even larger sample sets (more than 10% of critical paths), almost all nodes with high centrality are part of some critical path.
2. Gain ratio showed that CI nodes with high centrality measures in all types of centralities
rarely appear in graphs but, when they do appear, they definitely affect the cumulative
risk of critical paths. CI nodes that have high measures in all centrality metrics are of high
importance.
3. Nodes with high Closeness centrality seem to be the best candidates for detecting
important CI nodes. Yet, results clearly show that all centrality types seem to be useful
indicators of important CI nodes (information gain is above 20% for all features). Thus,
all centrality metrics must be taken into account in each graph.
4. Nodes with high Closeness and/or Degree centrality, both outbound and inbound (sinkholes), tend to mitigate high amounts of risk. An average of 49.6% of all dangerous nodes tested had a high Closeness centrality value and an average of 45% had a high Degree centrality value.
5. Risk mitigation is highly dependent on the graph itself. For example, in graphs that contain
nodes acting like single points of failure, high centrality values are excellent indicators of
important CI nodes. If however we examine graphs in which, for example, all nodes have
equal degree, the identification of nodes for risk mitigation is often less successful.
Luckily, CI dependency nodes tend to have specific structural characteristics.
4.4 An Algorithm for Efficient Risk Mitigation Strategy
We have concluded from the previous experiment that, even though nodes with high centrality are only a fraction of the nodes in the most critical risk paths, they do affect all critical paths
greatly. Also, feature analysis results suggest that all Centrality measures can play an important
role, depending on the graph analyzed. Thus, it seems essential for a risk mitigation strategy
not only to take into consideration which Centrality measures provide the best results (like high
Closeness measures) but also to consider the diversities of each graph and adapt accordingly
by choosing the correct combination of Centrality metrics to pinpoint nodes for applying risk
mitigation controls.
We incorporate the results from the previous feature selection analysis (Section 4.3.2), in
order to design a node selection algorithm for efficient risk mitigation. The proposed algorithm
is heuristic and recursively chooses the best set of nodes, by limiting its selection options, until
it reaches a set of selected nodes of a predefined size.
4.4.1. Modeling feature selection results to algorithmic restrictions
Recall from Section 4.3.2 that the most important conclusions support that: (i) Nodes with high centrality measures in all types of centrality metrics always affect the total risk of a graph; (ii) Nodes with high Closeness and high Betweenness centrality seem to have a greater impact than the other metrics; (iii) If a node concurrently has high centrality values for more centrality metrics, it tends to have a higher effect on the risk graph. To model these observations
into a dynamic node selection algorithm for risk mitigation, we implemented the following
steps:
1. Model Definition: Define the subsets of nodes which exhibit the highest centrality values
for each centrality metric, as well as their Information Gain over the entire node set.
2. Setup: Pre-compute all centrality measures for each node in a graph. Using these centrality
measures, generate all high centrality subsets. These subsets will act as features for feature
selection. In addition, pre-compute all dependency risk paths of the graph and sort them
according to their weight (total cumulative risk value of each path).
3. Use decision trees and Information Gain for node selection: Define the Information Gain
method and its use in splitting node sets.
4. Traverse a decision tree using Information Gain splits: Traverse a decision tree to select
the optimal subset of nodes for applying risk mitigation controls.
4.4.1.1. Model Definition
Let CA denote the subset of the top X% of nodes with the highest centrality measurements
from all centrality sets; CE denote the subset of the top X% of nodes with the highest
Eccentricity, CC denote the subset of the top X% of nodes with the highest Closeness centrality;
CI denote the subset of the top X% of nodes with the highest Inbound Degree centrality
(sinkholes); CB denote the subset of the top X% of nodes with the highest Betweenness
centrality and finally CEg denote the subset of the top X% of nodes with the highest EigenVector
centrality.
Let N denote the set of all nodes in the risk graph. Let D ⊂ N denote the subset of nodes that
participate in the top 20 most critical risk paths of the graph. Finally, let IGx(N) denote the
information gain when choosing subset Cx as a feature of the node set N. For example, IGB(N)
denotes the information gain when using high Betweenness centrality as a feature of set N.
Information Gain values are calculated for each centrality feature subset separately. The high centrality subset Cx with the highest Information Gain over N is considered to affect the risk graph the most, in comparison with the other high centrality subsets.
Example: In a Dependency Risk Graph, there exist nodes that act as initiators of cascading
events in the three most critical paths (i.e., critical paths with the highest cumulative
dependency risk value). Yet there exist nodes that, even though they have a smaller influence on the top three most critical paths, affect the overall risk of the entire Dependency Risk Graph
more than the aforementioned initiators. Our risk mitigation algorithm will be able to suggest
these nodes over the three initiator nodes, using the Information Gain output from all high
centrality node subsets.
4.4.1.2. Setup
The centrality measures of each node are pre-computed, along with all the dependency risk
paths of the graph. For each Centrality measure, the algorithm uses the precomputed centrality
values and creates subsets CE,CC,CI,CB and CEg. Then, the algorithm computes all risk paths
in the graph and sorts them according to their total accumulated risk. All output will be used as
input to the risk mitigation algorithm to choose the most effective nodes for risk mitigation
using countermeasures.
4.4.1.3. Using decision trees and Information Gain for node selection
A decision can be made (and, practically, a decision tree can be traversed) by creating a split over the head set N of CI nodes, producing smaller subsets (tree leaves). In a Dependency
Risk Graph, the algorithm chooses the specific centrality node subset with the highest impact
on the graph. Then, it outputs a new subset that is the intersection of the chosen subset with the
original set. This process is repeated on each derived subset in a recursive manner called
recursive partitioning. The recursion is completed when the Information Gain calculation at a
specific point in the decision tree produces the same Information Gain values for the target
subset of nodes, or when splitting no longer adds information to the predictions.
The algorithm in 4.4.1.3 is used to define a sequence of high centrality subsets that act as
features. The risk mitigation algorithm investigates this sequence to rapidly narrow down the
group of CI nodes with the highest impact in the Dependency Risk Graph. This feature selection
increases both effectiveness and efficiency, since it removes non-informative CI nodes
according to corpus statistics (Yang, 1997).
4.4.1.4. Example: Traversing a decision tree using Information Gain splits
The above algorithm aims to choose nodes with the highest impact on a Dependency Risk
Graph. The above risk mitigation strategy can be simplified into the following sentence: Always
choose the subset of nodes with the highest Information Gain from each step in the decision tree. Let us assume we have a Dependency Risk Graph with all centrality measures calculated
and all high centrality subsets defined. Thus the algorithm of Section 4.4.1.3 would run as follows:
1. Step 1: We need to find which centrality feature produces the highest Information Gain against the root set D ⊂ N of nodes. The Information Gain is calculated for all five high Centrality subsets (features):
IGC(D) = 0.246 // Gain of Closeness subset over D
IGB(D) = 0.029 // Gain of Betweenness subset over D
IGS(D) = 0.051 // Gain of Sinkholes subset over D
IGEg(D) = 0.151 // Gain of Eigenvector subset over D
IGE(D) = 0.048 // Gain of Eccentricity subset over D
The Closeness high centrality subset provides the highest Information Gain; therefore it is
used as the decision attribute in the root set D. From here on, D′ is the subset D ∩ CC of nodes and N′ becomes the N ∩ CC subset.
2. Step 2: The next question is “what feature should be tested at the second branch?” Since
we have used CC at the root, we only decide on the remaining four centrality subsets:
Betweenness, Sinkholes, Eigenvector and Eccentricity.
IGB(D) = 0.246
IGEg(D) = 0.029
IGS(D) = 0.051
IGE(D) = 0.000
In this step, the Betweenness subset shows the highest Information Gain; therefore, it is used as the decision node. From here on, D′ is the subset D ∩ CB of nodes and N′ becomes the N ∩ CB subset.
3. Step 3 to Step N: This process goes on until all nodes are classified and D remains with three nodes, or until the algorithm runs out of Centrality attributes.
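The traversal above can be sketched generically as a greedy loop; the `info_gain` callable and the set names are assumptions standing in for the precomputed quantities of the setup step, not the exact implementation:

```python
def select_nodes(D, feature_sets, info_gain, k=3):
    """Greedy decision-tree traversal: at each step, intersect the candidate
    set D with the high-centrality subset of highest Information Gain,
    until D shrinks to at most k nodes or no feature adds information.

    feature_sets: {name: set of high-centrality nodes} per centrality metric.
    info_gain(feature_set, current_set) -> float.
    """
    remaining = dict(feature_sets)
    while len(D) > k and remaining:
        best = max(remaining, key=lambda f: info_gain(remaining[f], D))
        if info_gain(remaining[best], D) <= 0:
            break  # splitting no longer adds information
        D = D & remaining.pop(best)  # use each centrality feature at most once
    return D
```

With a toy overlap-based stand-in for Information Gain, the loop first intersects with the Closeness-like subset and then with the Betweenness-like subset, mirroring the example above.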
4.5 Validation of the proposed algorithm
We empirically study the efficiency of the risk mitigation algorithm presented in Section 4.4.
We run 2000 random experiments; in each experiment the graph was produced based on the
limitations described in Section 4.3.2 and each graph contained up to 50 nodes.
4.5.1. Efficiency analysis of the proposed mitigation strategy
We now know from the previous results that centrality measures can indeed characterize
important CI nodes that greatly affect the overall risk in a dependency risk graph. To evaluate
the effectiveness of the proposed risk mitigation strategy we need to emulate the
implementation of mitigation controls in the nodes identified as important (dangerous) nodes
by the algorithm presented in Section 4.4. In practice, examples of controls can be the repair
prioritization of nodes (which node to send a repair crew first), the increase of asset redundancy
on a node, or any other control that may reduce the likelihood or the consequence of a failure.
In our experiments, we emulate the implementation of mitigation controls on a node CIi by reducing the values Li,j that define the likelihood that a failure experienced at node CIi cascades to another node CIj, ∀ node CIj that depends on node CIi. All likelihood values Li,j of all the
dependencies that originate from CIi were reduced by 20%. To measure the result of applying
risk mitigation controls on each selected subset of nodes, we calculated the dependency risk
values in the same graph, before and after the implementation of risk mitigation and we
calculated the risk reduction achieved in each case.
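The emulation described above can be sketched as follows (a minimal sketch assuming `networkx` graphs with a `likelihood` edge attribute; the function name is illustrative):

```python
import networkx as nx

def apply_mitigation(G, treated_nodes, reduction=0.2):
    """Return a copy of G in which every dependency originating at a
    treated node has its cascade likelihood reduced by the given
    fraction (20% by default, as in our experiments)."""
    H = G.copy()
    for u in treated_nodes:
        for _, _, data in H.out_edges(u, data=True):
            data["likelihood"] *= (1.0 - reduction)
    return H
```

Risk reduction is then obtained by recomputing the dependency risk values on the mitigated copy and comparing them against the original graph.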
We measured the efficiency of the proposed risk mitigation algorithm by calculating the
percentage of risk reduction in graphs using the aforementioned emulation of mitigation
controls. The effect on three risk metrics was examined using the proposed algorithm 4.4.1.3
from Section 4.4: (i) risk reduction achieved in the most critical path, (ii) risk reduction in the
total sum of the risk of the top 20 paths of the highest cumulative dependency risk and (iii) risk
reduction in the total sum of the entire risk from all graph paths. Only acyclic paths were taken
into consideration to reduce overlapping: For example, if a high-risk path was cyclic, its acyclic
part would most likely appear as a high risk path too. Thus, we avoided calculating cyclic paths
in our experiments.
Mitigation controls were implemented on three (3) out of the fifty (50) CI nodes in each
experiment (6% of the nodes in the entire graph).
4.5.1.1. Effect of the algorithm in the most critical path
Figure 13. Risk reduction in the most critical path
Using the proposed algorithm from Section 4.4 to select CI nodes for implementing
mitigation controls, we achieved an average risk reduction of 12.1%. The highest risk reduction
achieved in all experiments was 43.7%; almost half the risk of the most critical path was
mitigated. This was the highest risk reduction achieved among all the mitigation strategies
tested. A more thorough comparison of the results can be found in Section 4.5.2.
As shown in Figure 13, in about 25% of the cases (498 out of the 2000 tests) there is no
risk reduction in the most critical path. This, however, is not a primary concern, since our goal
is to reduce the overall risk of the dependency risk graph and not necessarily the risk of the
most critical path, whose nodes are easy to identify. We note, however, that when mitigation
controls were applied on nodes belonging to the most critical path, the algorithm achieved
better risk reduction results than alternative well-known mitigation strategies, such as the
implementation of mitigation controls on the initiator of the most critical path.
4.5.1.2. Effect of the algorithm in the top 20 risk paths
In Figure 14, we see that the highest risk reduction achieved in the sum of all the risk values
derived from the top 20 critical paths was 37.5%. The average risk reduction achieved in graphs
using the proposed algorithm was 9.8%. In addition, we see that, in 2000 experiments, only 12
graphs had a structure that prohibited our algorithm from achieving any risk reduction in the
top 20 paths; 99.6% of the algorithm's applications achieved some risk mitigation and 47.3%
of the applications achieved a high risk reduction (10% or more).
Figure 14. Risk reduction in the top 20 most critical paths
These are interesting results: the top 20 most critical paths comprise 1000 nodes in each
experiment. Even though paths share CI nodes, choosing only 3 out of 50 nodes for risk
mitigation across 20 paths is far more complex than choosing the correct nodes only in the
most critical path, which comprises 5 nodes. Again, the proposed algorithm had the best
performance out of the three different mitigation strategies tested.
In addition, by monitoring the algorithm’s execution and CI node choices, we validated some
preliminary results from Feature Analysis: The risk mitigation algorithm was mostly choosing
CI nodes with high centrality measures in all centrality metrics (i.e. the intersection of all high
centrality sets for all centrality metrics). Besides aggregating all centrality metrics, the second
most frequent combination of centrality types was nodes with high Degree centrality (e.g.
sinkholes) and Closeness centrality.
4.5.1.3. Effect of the algorithm in the entire dependency risk graph
Figure 15. Risk reduction in the complete set of paths
Last but not least, we analyzed the efficiency of the proposed algorithm when trying to
reduce the risk of the entire risk graph, not only of the top 20 paths. Here, we tested risk
mitigation using the proposed node selection algorithm on the sum of all paths in the
dependency graphs. The results from 2000 experiments are shown in Figure 15. We see that
the highest risk reduction achieved was 12.2%, with an average risk reduction of 7.5% over all
experiments. Interestingly, in 86.4% of the tests, the risk reduction achieved was between 5%
and 10%, with an average of around 8.7%. Such a low dispersion of results indicates that the
proposed algorithm's output is notably uniform and homogeneous across graphs. Again, the
proposed algorithm had the best performance out of the three different mitigation strategies
tested.
4.5.2. Comparing results with alternative mitigation strategies
Having presented the results of the proposed risk mitigation algorithm, we now compare it
with alternate mitigation mechanisms in order to evaluate its performance. Two alternate
mechanisms for choosing CI nodes were used, both well-known and frequently proposed.
4.5.2.1. Using initiators from the most critical paths
The first strategy is based on the idea that initiators are critical points of failure in dependency
risk chains. It implements mitigation controls on the CI nodes that are the initiators of critical
dependency paths. Thus, in our experiments, the three (3) out of the fifty (50) CI nodes (6% of
the nodes in the entire graph) that act as initiators of the corresponding top 3 most critical paths
were chosen.
4.5.2.2. Using nodes with high Degree Centrality (sinkholes and outbound)
The second strategy reflects the common idea among auditors that CI nodes with high
inbound and outbound Degree Centrality (i.e. nodes with a large number of incoming and/or
outgoing connections) strongly affect dependency risk paths. For this reason, the second
mitigation strategy applies mitigation controls to the top 6% of nodes with the highest inbound
and outbound Degree Centrality measures.
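This degree-based selection can be sketched as follows, assuming a simple edge-list representation of the dependency graph (an illustrative choice, not the tool's internal format):

```python
from collections import Counter

def top_degree_nodes(edges, num_nodes, fraction=0.06):
    """Return the top `fraction` of nodes ranked by combined
    inbound + outbound degree (sinkholes and heavy emitters)."""
    degree = Counter()
    for src, dst in edges:
        degree[src] += 1   # outbound connection of src
        degree[dst] += 1   # inbound connection of dst
    k = max(1, round(num_nodes * fraction))
    return [node for node, _ in degree.most_common(k)]
```

With 50 nodes and a 6% fraction, this selects the same number of nodes (3) as the other strategies.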
4.5.2.3. Comparison results
Table 10. Comparison of results from all mitigation strategies

Risk Metrics          | Information Gain          | Top Initiators            | Top Sinkholes
Most critical path    | 43.7% (max), 12.1% (avg)  | 38.4% (max), 11.8% (avg)  | 34.5% (max), 10.3% (avg)
Top 20 critical paths | 37.5% (max),  9.8% (avg)  | 28.7% (max), 10.0% (avg)  | 29.8% (max),  7.3% (avg)
Entire graph          | 12.2% (max),  7.5% (avg)  | 10.1% (max),  5.3% (avg)  | 10.8% (max),  6.7% (avg)
Table 10 shows the results from all mitigation strategies. Clearly, in our tests, the proposed
decision-making algorithm using Information Gain had a clear advantage over the rest as far
as pure numbers are concerned; only the top-initiators mechanism scored a higher average in
reducing risk at the top 20 most critical paths, albeit marginally.
4.5.3. Implementation details
We briefly describe the technical aspects of the executed tests: platforms, technologies and
algorithm implementations. All tests were performed on an Intel Core i7 processor at 2.7 GHz
with 4 cores and 16 GB of RAM. In order to test the proposed risk mitigation
strategies, we developed an automatic Dependency Risk Graph generator in Java. The
application is able to randomly create risk graphs and, then, run the mitigation algorithms on
the developed models. Finally, it provides information on the percentage of risk reduction
achieved using each of the mitigation mechanisms.
We selected Neo4J as a technology to implement our dependency analysis modeling tool,
due to its adaptability, scalability and efficiency (Juili, 2013; Shao, 2012). Neo4J builds upon
the property graph model; nodes may have various labels and each label can serve as an
informational entity. The nodes are connected via directed, typed relationships. Both nodes and
relationships hold arbitrary properties (key-value pairs). Using the Neo4J technology, the
developed framework can represent complex graphs of thousands of dependent CIs through a
weighted, directed graph. The developed application is stand-alone: It builds a random
Dependency Risk Graph using the aforementioned restrictions to imitate real-world CI
dependencies. It then pre-calculates all necessary graph data and executes the selected risk
mitigation algorithm. When finished, it outputs a percentage of the risk reduction achieved in
the current experiment/graph.
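A random generator in the spirit described above might look like the following sketch; the edge probability and the value ranges are illustrative assumptions, not the actual generator's parameters:

```python
import random

def random_risk_graph(n=50, edge_prob=0.05, seed=None):
    """Build a random directed dependency risk graph: each edge i -> j
    exists with probability `edge_prob` and carries a cascade likelihood
    in (0, 1] plus an impact on the 1..9 risk scale."""
    rng = random.Random(seed)
    return {(i, j): (round(rng.uniform(0.1, 1.0), 2), rng.randint(1, 9))
            for i in range(n) for j in range(n)
            if i != j and rng.random() < edge_prob}
```

The mitigation algorithms can then be run repeatedly against freshly generated graphs, as in the 2000-experiment batches reported above.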
4.6. Conclusions
In this chapter, we extended our previous method on dependency risk graph analysis, using
graph centrality measures as additional criteria for the evaluation of alternative risk mitigation
strategies. We used feature selection algorithms and confirmed that the most critical paths in
dependency risk graphs tend to involve nodes with high centrality measures. Since various
centrality metrics exist, we performed multiple tests in order to determine which measures and
combinations are the most effective. Our results showed that aggregating all centrality sets to
identify nodes with high overall centrality provides an optimal mitigation strategy. However, by
comparing the different centrality metrics, we showed that nodes with high Closeness and high
Degree centrality measures seem to have the highest impact on the overall risk of a graph.
Still, simply choosing nodes from these sets is not always a viable choice, as there exist
dependency graphs where no nodes exist in specific high centrality sets or there may be
contextual reasons that inhibit the application of controls in these nodes. For this reason, we
developed a risk mitigation algorithm that uses a decision tree built from subsets of nodes with
high centrality measures for each centrality metric. The Information Gain algorithm is used to
traverse the tree and choose subsets of high centrality nodes that best characterize each graph
under test. Thus, the algorithm is able to dynamically pinpoint the optimal subset of nodes with
high centrality features, for overall risk mitigation.
4.6.1. Advantages and Limitations of the proposed mitigation method
Although the proposed mitigation algorithm achieved the highest maximum risk mitigation
when compared with well-known mitigation strategies, our experiments showed that there are
cases where the algorithm will not select nodes belonging to the most critical path set. This can
be considered as a potential limitation, and at the same time, a desired characteristic. On one
hand, the proposed algorithm will not always reduce the risk of the most critical path. Note
however that if this is required, it can be trivially achieved by selecting the initiator of the most
critical path. On the other hand, the proposed algorithm outperforms all its competitors, since
it searches for nodes that have a great effect on the overall risk, not merely on a subset of
critical paths. This is the main advantage of the proposed algorithm: it can identify CI nodes
which may not appear in the top critical path(s) but which greatly affect the overall risk of a
dependency graph. While the exhaustive computation of the complete set of dependency risk
paths may provide useful information and reveal underestimated CI nodes, assessors may also
use the algorithm to examine particularly complex scenarios where manually selecting nodes
for implementing mitigation controls might be very time-consuming and/or impractical.
A limitation of this approach is the need for input data from risk assessments performed at
each CI. This is an inherent problem of all empirical risk approaches, since they analyze
dependencies based on previous incidents. Sector coordinators or regulators may collect data
concerning a specific sector (such as ICT or energy). National CIP authorities or CERTs may
be able to collect such information.
Chapter 5: Time-based Critical Infrastructure
Dependency Analysis for Large-Scale and Cross-
Sectoral Failures
5.1 Introduction
Most Critical Infrastructures (CIs) can be modeled as cyber-physical systems whose cyber
components control their underlying physical components. CIs are inherently complex systems
since they integrate heterogeneous platforms, proprietary systems, protocols and open
communication networks. In addition, CIs are usually interconnected and interdependent with
other CIs that may belong to different sectors (such as energy, ICT or transportation).
According to (Rinaldi, 2001) CIs may have physical, informational or logical dependencies
between them. Thus, a failure5 in one infrastructure may affect the operation of other CIs due
to their dependencies. In the case of geographical dependency, seemingly independent CIs may
be affected by a threat due to their physical proximity. The protection from such types of
dependency failures is an active and recent area of research, as shown by the numerous projects
on the topic, e.g. DIESIS (Usov, 2010; Rome, 2009), I2Sim (Marti, 2008), CIPRNet (Critical
Infrastructure Resilience, 2014). Dependency modeling, simulation and analysis (MS&A) has
been studied extensively, using various approaches. A recent publication (Ouyang, 2014)
overviews existing approaches and categorizes them in the following broad categories: (a)
empirical, (b) agent-based, (c) system dynamics based, (d) economic theory based, (e) network
based approaches, and others.
Disruptions or outages in CIs are usually categorized as cascading, escalating, or common-
cause (Rinaldi, 2001).
- A cascading failure is defined as a failure in which a disruption in an infrastructure A
affects one or more components in another infrastructure, say B, which in turn leads to
the partial or total unavailability of B.
- An escalating failure is defined as a failure in which a disruption in one infrastructure
exacerbates an independent disruption of another infrastructure, usually in the form of
increasing the severity of, or the time needed for recovering from, the second failure.
5 Failures in CI operation are meant in a broad sense including accidental failure, natural disasters
and deliberate cyber threats (Kozik, 2013).
- A common-cause failure occurs when two or more infrastructure networks are disrupted
at the same time: components within each network fail because of some common cause.
This occurs when two infrastructures are co-located (geographic interdependency) or
when the root cause of the failure is widespread (e.g. a natural or a man-made disaster).
5.1.1. Large-scale and cross-sectoral dependencies
Known examples of large-scale failures caused by CI dependencies are often related to
power transmission networks, such as the 2003 major blackouts in the US, Canada and Europe
(Andersson, 2005). The cascading process of a failure has been studied and modeled in the past
(Buldyrev, 2010; Panzieri, 2008; Vespignani, 2010; Zhou; Duenas, 2009; Zio, 2011). Although
there is a lack of available statistical data for such failures, recent efforts (Eeten, 2011), have
produced failure statistics based on empirical data reported to the media. One of the key
findings is that large-scale CI cascading dependencies occur more frequently than expected.
However, the effects do not often cascade deeply, i.e. nodes that are 4 or 5 hops away in a
dependency chain are rarely affected. Another key finding is that even though most reported
initiators of cascading effects are CIs belonging to the ICT and the Energy Sector, most of the
times the cascading effects are cross-sectoral, i.e. CIs of multiple sectors are affected. This
seems reasonable since the source infrastructures (ICT and Energy sector CIs) usually offer
vital services to many other CIs of different sectors, thus creating multiple direct (or 1st-order)
dependencies.
5.2. Building Blocks
This section briefly describes the two main building blocks used in the proposed
methodology: (a) the underlying multi-risk dependency analysis methodology for cascading
failures and (b) fuzzy modelling, which is used for the time-based analysis of dependencies.
These blocks, along with the proposed methodology, were used to develop and test the tool
built for the purposes of this dissertation, named CIDA (the Critical Infrastructure
Dependency Analysis tool).
5.2.1. Multi-risk dependency analysis methodology
In our previous work, a multi-risk dependency analysis method is presented (Kotzanikolaou,
2011; Kotzanikolaou, 2013; Kotzanikolaou, 2013) which makes use of the combined results of
existing organization-level risk assessments, already performed by the CI operators, in order to
assess the risk of n-order dependencies. To visualize the relationships (dependencies) between
CIs, we use directed graphs.
5.2.1.1. First-order dependency risk
Dependency can be defined as “the one-directional reliance of an asset, system, network, or
collection thereof –within or across sectors– on an input, interaction, or other requirement from
other sources in order to function properly” (NIPP, 2013). In our approach, dependencies are
visualized through graphs G = (N, E), where N is the set of nodes (infrastructures or
components) and E is the set of edges (or dependencies). The graph is directional marking
dependencies from one CI to another. An edge from node CIi → CIj denotes a risk relation,
deriving from the dependency of the infrastructure CIj from a service provided by infrastructure
CIi. To quantify this relation, we use estimations that quantify the resulting impact (Ii,j) and the
likelihood (Li,j) of a disruption being realized. The product of the last two values is defined as
the dependency risk Ri,j caused to infrastructure CIj due to its dependency on infrastructure CIi.
The numerical value in each edge refers to the level of the cascade-resulting risk for the receiver
due to the dependency. This risk is depicted using a risk scale [1..9], where 9 indicates the most
severe risk. All parameters (Li,j, Ii,j and Ri,j) are defined in order to assess the risk of the
1st-order dependencies. The main input of this method is provided by operators and refers to
obvious, upstream dependencies, as mentioned above.
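As a minimal illustration of this first-order relation (the actual method looks the risk up in a risk matrix combining likelihood and impact; the plain product below is a common simplification):

```python
def first_order_risk(likelihood, impact):
    """Dependency risk R_ij as the product L_ij * I_ij, with the impact I
    on the 1..9 Likert scale and the likelihood L expressed in [0, 1].
    Note: the dissertation's method maps (L, I) through a risk matrix;
    the plain product here is a simplified stand-in."""
    assert 0.0 <= likelihood <= 1.0 and 1 <= impact <= 9
    return likelihood * impact
```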
Example. The following case describes how our method can be used to model multiple 1st-
order dependencies. The cause of the mini telecommunication blackout in Rome in 2004
(Kroger, 2010) was a flood in a major telecommunication service node in Rome, due to a broken
pipe that provided water to the air conditioning plant. This caused several circuits to fail,
including the main power supply. Alternative power generators failed to start due to the
presence of water, and the batteries of the electronic equipment soon followed. In order to
perform repairs, the air conditioning plant had to be shut down, which led to overheating of
several Telco node devices. This disruption in a main Italian Telecom infrastructure (node A)
caused problems and delays in different infrastructures (depicted in Table 11, based on the
description of (Kroger, 2010)). These include the Fiumicino airport (node B) (closure of
check-in, ticketing and baggage services and transfers), the ANSA press agency (node C), post
offices (node D), banks (node E), as well as the ACEA power distribution (node F) and the
communication network (node G, both between landlines and between landlines and mobiles).
In this example, the airport operator (CIB) has a dependency risk RA,B from the infrastructure
CIA. This risk value refers to the likelihood LA,B of the disruption in the telecom node
cascading to the airport, as well as the societal impact IA,B caused to the airport in case such
a failure is realized at the source of the 1st-order dependency, i.e. CIA.
5.2.1.2. Risk of n-order dependencies
Using the 1st-order dependencies described above, we can proceed to assess potential
n-order cascading risks based on a recursive algorithm (Kotzanikolaou, 2013). Let CI =
(CI1,...,CIm) be the set of all the examined infrastructures. CIY0 → CIY1 → ... → CIYn denotes
a chain of connected infrastructures of length n. The algorithm examines each CI as a potential
root of a cascading effect (denoted as CIY0) and then computes the Dependency Risk DR
exhibited by CIYn due to its n-order dependency.
Table 11. Example: Mini Telco blackout 1st-order dependencies
Let CIY0 → CIY1 → ... → CIYn be a chain of dependencies, LY0,...,Yn be the likelihood of the
n-order cascading effect and IYn−1,Yn be the impact of the CIYn−1 → CIYn dependency. The
cascading risk exhibited by CIYn due to the n-order dependency is computed as:

RY0,…,Yn = LY0,…,Yn · IYn−1,Yn = (∏_{j=1..n} LYj−1,Yj) · IYn−1,Yn    (1)
The cumulative Dependency Risk should consider the overall risk exhibited by all CIs within
the sub-chains of the n-order dependency. Let CIY0 → CIY1 → ... → CIYn be a chain of
dependencies of length n. The cumulative Dependency Risk, denoted as DRY0,Y1,...,Yn, is
defined as the overall risk produced by an n-order dependency, computed by the following
equation:

DRY0,…,Yn = Σ_{i=1..n} RY0,…,Yi = Σ_{i=1..n} (∏_{j=1..i} LYj−1,Yj) · IYi−1,Yi    (2)
Equation 2 computes the overall dependency risk as a sum of dependency risks from each
affected node in the chain, due to a failure realized in the source node of the dependency chain.
Risk computation is based on a risk matrix that combines the likelihood and the incoming
impact values of each vertex in the chain.
Moreover, in several cases, the likelihood values are not easy to estimate or may not be
available. This means that while a dependency can be identified between two nodes, the
probability for a failure to propagate between two nodes is either unknown or certain (likelihood
= 1). In both cases, we can follow a simplified version of equation 2, shown in equation 3,
which follows the assumption that if a node fails, the dependent nodes will also fail
(likelihood = 1). The n-order dependency risk is then calculated as the sum of the impacts on
the affected nodes in the dependency chain:

DRY0,…,Yn = Σ_{i=1..n} IYi−1,Yi    (3)
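Equations 2 and 3 can be sketched as follows, where `likelihoods[i]` and `impacts[i]` hold L and I for the (i+1)-th edge of the chain (the list-based chain representation is an assumption for illustration):

```python
from math import prod

def cumulative_dependency_risk(likelihoods, impacts):
    """Equation 2: sum, over every sub-chain of length i, of the product
    of likelihoods along the sub-chain times the impact of its last edge."""
    n = len(likelihoods)
    return sum(prod(likelihoods[:i]) * impacts[i - 1] for i in range(1, n + 1))

def cumulative_dependency_impact(impacts):
    """Equation 3: the simplified version, assuming likelihood = 1 on
    every edge (a failing node always brings its dependents down)."""
    return sum(impacts)
```

When every likelihood equals 1, the two functions coincide, as expected from the text.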
5.2.2 Fuzzy Logic
The multi-risk methodology described above is static in time, since equations 1 - 3 are based
on the maximum expected impact of each dependency. The values produced by these equations
assume that: (a) each dependency chain will always produce its worst case impact (and risk)
and (b) all dependencies will exhibit the same impact growth rate. However, in reality, neither
will all CI nodes of a chain escalate to their maximum consequences, nor will they experience
the same impact growth rate over time. For this reason, we will extend our multi-risk
methodology to incorporate a dynamic, time-based analysis and to also assess scenarios of
partial failures. To model this behaviour, we will incorporate fuzzy set theory. We briefly
describe the basic concepts that we will integrate in our time-based analysis described in
Section 5.3.
In contrast to classical set theory, fuzzy logic is an attempt to find approximations of vague
groupings, in order to project more objective evaluations of values that are difficult to compute
(Perfilieva, 1999). Fuzzy logic variables provide a truth-value that ranges in [0, 1] for a possible
outcome. Basically, this truth-value corresponds to a membership percentage in a set. Our goal
is to approximate the time evolution of a cascading failure using fuzzy approximations of
impact evolution for various growth models, similarly to a real failure. For example, an incident
might at first have a slow cascading effect to other dependent CIs and as time goes by, failure
to restore its operation might lead to catastrophic effects.
5.3. A Method for Time-Based Analysis of Cascading and Common Cause
Failures
First, we extend the static dependency analysis methodology of (Kotzanikolaou, 2011) to a
dynamic time-based analysis model. We use different cascading failure growth models and we
apply fuzzy logic, in order to simulate realistic approximations of dynamic cascading failures.
In addition, we model combined cascading and common cause failures to simulate the effects
of dynamic, large-scale and major disasters.
5.3.1. Modeling Time Analysis of Cascading Failures
Recall from Section 5.2.1 that Ii,j, Li,j denote the impact (on a Likert scale) and likelihood (%)
of a failure experienced in the dependency CIi →CIj. These values are derived from assessments
performed at an organizational level by the CI operator. As in most static-based risk assessment
methodologies, the impact value Ii,j refers to the maximum expected impact (worst-case
scenario approach) regardless of the time it will take for maximum impact to fully realize after
a failure. To model the dynamic time-based analysis, we use the following steps:
1. Model Definition: Define different failure growth rates.
2. Setup: Using the growth rates, pre-compute all possible expected time-based impact
values.
3. Calculate fuzzy time-based impact values: For a given Dependency Risk Graph, use the
pre-computed expected time-based impact values as input to the fuzzy model, to output
the fuzzy approximation of the time-based impact for each dependency.
4. Assess time-related dependency risks: For each dependency chain, output the time-
based Cumulative Dependency Risk using the fuzzy time-based impact values.
These steps are described in detail in the subsections that follow.
5.3.1.1. Model Definition
Let Ti,j denote the time period that the dependency CIi →CIj will exhibit its maximum
expected impact Ii,j and let Gi,j denote the expected growth of the dependency failure, e.g. slow,
linear or fast evolution of the expected consequences, after the failure.
The values of Ti,j and Gi,j are provided by the risk assessors of each CI along with the values
Ii,j and Li,j . Finally, let t denote an examined time period after a failure. In the rest of this
Section and if there is no ambiguity, we will omit the dependency indices for simplicity reasons,
i.e. we will use I,T,G, instead of Ii,j, Ti,j, Gi,j.
The definition sets for all the above values are Likert scales defined as:
- I ∈ [1..9], where 1 is the lowest and 9 the highest impact.
- T, t ∈ [1..10]. More specifically, we adopt a granular timescale, which uses the following
unavailability time periods: 1 = 15min, 2 = 1hour, 3 = 3h, 4 = 12h, 5 = 24h, 6 = 48h,
7 = 1week, 8 = 2w, 9 = 4w and 10 = more (> 4w).
- G ∈ [1..3], where 1 represents a slow, 2 a linear and 3 a fast growth (evolution) of a
failure experienced in the examined dependency.
Definition 1. Let CIi → CIj be the examined dependency with maximum expected impact I,
experienced at time period T after a failure and let G be the growth evolution of the failure.
The expected time related impact of the dependency, experienced at time t is defined as:
Obviously, I(t) = I for t ≥ T if no mitigation controls are taken at the nodes. Using equation
4, each dependency chain can be modeled with the most appropriate evolution growth and a
different model is used for each value G. Fast cascading effects are considered to escalate
logarithmically (fast short term growth that stabilizes to the maximum expected impact). Linear
cascading effects are considered to escalate following a typical linear equation. Slow cascading
effects follow an exponential growth rate, which starts with low initial values and escalates on
the last steps of the time scale. Figure 16 presents a comparison of the different growth rates,
for the same T and I.
Figure 16. Example of the expected impact evolution for different growth rates, for I = 9 and
T = 4 weeks
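Since the exact form of equation 4 is not reproduced here, the following is only a plausible parameterization consistent with the description (logarithmic for fast, linear, exponential for slow, all reaching I at t = T and clamped to I afterwards):

```python
import math

def expected_impact(I, T, G, t):
    """One plausible time-based impact curve; the curve shapes below are
    illustrative assumptions, not equation 4 verbatim.
    I: maximum expected impact (1..9), fully realized at time step T.
    G: growth model, 1 = slow, 2 = linear, 3 = fast. t: time step."""
    if t >= T:
        return float(I)        # worst case already realized: I(t) = I
    x = t / T                  # normalized progress towards T
    if G == 3:                 # fast: logarithmic, quick early growth
        frac = math.log1p(9 * x) / math.log1p(9)
    elif G == 2:               # linear growth
        frac = x
    else:                      # slow: exponential, escalates late
        frac = math.expm1(3 * x) / math.expm1(3)
    return I * frac
```

At the same intermediate time, the fast curve lies above the linear one, which in turn lies above the slow one, matching the ordering shown in Figure 16.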
Example: In a Dependency Risk Graph, the dependencies of CIs connected with a nuclear
power facility are modeled with a very high impact (I = 9) experienced at a relatively short
time period (T = 3h) with a fast evolution (G = 3). In the same graph, the edges starting from
another typical energy provider are modeled with impact 5, experienced at 48h after the failure,
with a linear evolution (G = 2). Our model is able to project the evolution of the dependency
risk paths for all time periods, using all the different models.
5.3.1.2. Setup
The growth rates modeled by equation 4 are used to pre-compute all possible values for I(t),
for all possible combinations of I,T,G (see Algorithm 1).
The output of this algorithm will be used as input to a fuzzy logic ranking system, to assess
more realistic evolutions of potential failures. The fuzzy logic classification system uses the
following membership sets:
1. The impact set: partitions the [1..9] impact scale to groups Very Low, Low, Medium,
High and Very High as: {VL={1}, L={2,3}, M={4,5}, H={6,7}, VH={8,9}}.
2. The time set: partitions the [1..10] time scale to groups Early, Medium, Late and Very
Late periods as: {E={1,2,3}, M={4,5,6}, La={7,8}, VLa={9,10}}.
In order to support the fuzzy mechanism (described in Section 5.3.1.3), the output of Algorithm
1 (as depicted below) is stored in pre-computed tables6. These provide the expected time-related
impact values for all possible G and T.
6 All tables are available at the tool’s Wiki: https://github.com/geostergiop/CIDA/wiki/ and in
Appendix A.
Algorithm 1. Calculation of all possible I(t) values
An example is shown in Table 12 below, which describes all possible time-based impact
values Ii,j(t), assuming a fast-evolving failure (G = 3) that experiences its worst-case impact at
time T = 12h, depicted by the yellow horizontal line. Each column's worst-case impact value
is assigned to the cells in that row (T = 12h) and, obviously, to all rows below it, since in
this scenario the worst-case impact has already been realized by that time. The time-based
impact values for all the rows above this one (T = 15min up to T = 3h) are calculated by
applying an inverse growth rate on the cell values of the T = 12h row, using equation 4 for
G = 3. Notice that the impact and time values have been grouped according to the fuzzy impact
and time membership sets respectively. For example, in Table 12, the fuzzy impact membership
set 'Low' contains impact values from 1 up to 3. All the values have been produced by applying
the fast (logarithmic) growth scale and the time T = 12h as the expected time of occurrence of
the worst-case impact value. The output of the algorithm is computed during the setup and is
stored in 30 tables: for each of the three growth rates G, we pre-compute and store one table
for each of the ten possible T values.
Table 12. An example of a pre-computed table describing the expected time related impact values for
fast evolving failures (G = 3) exhibiting their worst impact at T = 12 hours
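The setup stage (Algorithm 1) can be sketched as follows; for brevity, the growth curve used inside is a linear stand-in for the real slow/linear/fast curves of equation 4:

```python
def impact_at(I, T, G, t):
    # Stand-in growth curve (linear regardless of G, for brevity);
    # the actual setup applies the G-specific curve of equation 4.
    return float(I) if t >= T else I * t / T

def precompute_tables():
    """Pre-compute one table per (G, T) pair: 3 growth rates x 10 possible
    T values = 30 tables, mirroring Algorithm 1. Rows are time steps
    t = 1..10, columns are worst-case impact values I = 1..9."""
    return {(G, T): [[impact_at(I, T, G, t) for I in range(1, 10)]
                     for t in range(1, 11)]
            for G in (1, 2, 3) for T in range(1, 11)}
```

By construction, the row for t = T (and every row below it) holds each column's worst-case impact, as described above for Table 12.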
5.3.1.3. Calculating Fuzzy Time-based Impact Values
By using the pre-computed tables with all expected time-based impact values I(t), it is now
possible to assess the fuzzy estimation of the time-related impact values, for a given
Dependency Risk Graph.
For each dependency, we use the growth rate G and the expected time T of the worst-case
impact value I, to select the corresponding table from the database. Then, fuzzy sets for all
impact membership sets (Very Low, Low, Medium, High, Very High) are generated, using the
corresponding columns of the selected table. These fuzzy sets along with linguistic IF-THEN
rules are used to calculate the fuzzy value of the expected time-based impact value. Rules are
usually expressed in the form: "IF variable IS property THEN action". All IF-THEN rules are
invoked, using the constructed membership sets as linguistic variables, to determine an output
result, the fuzzy time-based impact value, denoted as:
Fuzzy(I, G, T, t) = ℐ(t)    (5)
ℐ(t) is computed as follows. Initially, a processing stage invokes the appropriate IF-THEN
rules7 and generates a result for each rule. These results are then combined to output a set of
truth values. Each IF-THEN result is, essentially, a membership function and truth value
controlling the output set, i.e. the linguistic variables impact and time. The final stage, needed
to get a single quantitative value from the fuzzy output of the membership values, is
"defuzzification", in which all IF-THEN output results are combined to give a single fuzzy
time-based impact value for each time point in the time scale. We use the
RightMostMembership defuzzification technique (Leekwijck, 1999), which outputs the
right-most (i.e. highest) impact values, since this is coherent with risk-based standards that
tend to favor worst-case scenarios.

7 See Appendix A for a more thorough presentation of the IF-THEN rules used.
The output fuzzy time-based impact values ℐ(t) are considered more objective
approximations of the expected impact at a given time since, instead of simply using the
appropriate pre-computed expected time-based impact I(t), the fuzzy values also consider their
neighboring values. Thus, they tend to be closer to real-world scenarios. In short, each
dependency has its own expected growth, but it will also be affected by the growth of its
neighboring dependencies.
Example: An examined dependency has input data G = 3 and T = 12h, so the fuzzy mechanism will select Table 2. The group Low of the fuzzy impact set (columns 3 and 4) contains only the values 1, 2, 3. Using the aforementioned mechanism, the fuzzy membership set Low has membership percentages defined as: Low = {(1, 0.05), (2, 0.55), (3, 0.4)}, where the second value in each couple is the membership percentage of the corresponding impact value. The subset of the rules used to calculate the Low output set of the values ℐ(𝑡) is the following:
17: IF Impact IS Low AND Time IS Early THEN Fuzzy Impact IS Very Low;
18: IF Impact IS Low AND Time IS Medium THEN Fuzzy Impact IS Medium;
19: IF Impact IS Low AND Time IS Late THEN Fuzzy Impact IS High;
20: IF Impact IS Low AND Time IS Very Late THEN Fuzzy Impact IS High;
Let us calculate the fuzzy impact for I = 2. The fuzzy set mostly characterized by that value is the Low set. Let us also assume that the worst-case scenario for this example is at T = 12h. Based on Table 2, this time belongs to the Medium time fuzzy set. Thus, using rule 18, CIDA's setup process will output a Medium fuzzy time-based impact value. Finally, the tool applies the aforementioned RightMostMembership defuzzification technique on all these sets to derive a discrete time-based impact value.
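The rule firing and rightmost defuzzification in the example above can be sketched as follows (an illustrative toy, not CIDA's actual implementation; the set names and the output ordering are assumptions):

```python
# Illustrative sketch of the rule firing and defuzzification steps.

# Fuzzy membership set Low from the example (impact value -> membership degree)
low_impact = {1: 0.05, 2: 0.55, 3: 0.40}

# Rules 17-20 for the Low impact set, keyed by the time fuzzy set
rules = {"Early": "Very Low", "Medium": "Medium",
         "Late": "High", "Very Late": "High"}

# Output linguistic values, ordered from lowest to highest (assumed ordering)
OUTPUT_ORDER = ["Very Low", "Low", "Medium", "High", "Very High"]

def infer(time_set):
    """Fire the rule matching the given time fuzzy set."""
    return rules[time_set]

def defuzzify_rightmost(fired_outputs):
    """Keep the rightmost (highest) fired output value, mirroring the
    worst-case bias of the RightMostMembership technique."""
    return max(fired_outputs, key=OUTPUT_ORDER.index)

# T = 12h falls in the Medium time set, so rule 18 fires:
print(defuzzify_rightmost([infer("Medium")]))  # -> Medium
```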
5.3.1.4. Time-related Multi-order Dependency Risk
The static model described in Section 5.2.1 can now be extended to provide multiple estimations of the evolution of the dependency risk, by replacing the static impact value Ii,j with the dynamic fuzzy time-related impact values ℐ(𝑡) described above. These values are used to extend equations 2 and 3, in order to calculate the n-order dependency risk R_{Y0,…,Yn} and the cumulative dependency risk DR_{Y0,…,Yn} of a risk graph for each point on the time scale as:

DR_{Y0,…,Yn}(t) = Σ_{i=1}^{n} R_{Y0,…,Yi} = Σ_{i=1}^{n} ( Π_{j=1}^{i} L_{Yj−1,Yj} ) ∗ ℐ_{Yi−1,Yi}(t)    (6)

or, if likelihood assessments are omitted:

DR_{Y0,…,Yn}(t) = Σ_{i=1}^{n} R_{Y0,…,Yi} = Σ_{i=1}^{n} ℐ_{Yi−1,Yi}(t)    (7)
Obviously, equations 6 and 7 will produce ten different values, one for each examined value of t. Examples of test scenarios are given in Section 5.6.
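A minimal sketch of equation 6 for a single dependency chain, assuming the defuzzified impacts ℐ(t) are supplied as callables (all names and values are illustrative):

```python
# Sketch of equation 6 for one chain Y0 -> Y1 -> ... -> Yn.
from math import prod

def chain_risk(likelihoods, fuzzy_impacts, t):
    """likelihoods[i] holds L_{Yi,Yi+1}; fuzzy_impacts[i] is a callable
    returning the defuzzified impact of dependency Yi -> Yi+1 at time t.
    The i-th term weights that impact by the product of all likelihoods
    along the sub-chain Y0 -> ... -> Yi, as in equation 6."""
    return sum(prod(likelihoods[:i]) * fuzzy_impacts[i - 1](t)
               for i in range(1, len(likelihoods) + 1))

# Toy 2nd-order chain with constant (already defuzzified) impacts:
L = [0.9, 0.5]
I = [lambda t: 8, lambda t: 6]
print(round(chain_risk(L, I, t=12), 2))  # 0.9*8 + 0.9*0.5*6 = 9.9
```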
5.3.2. Combining cascading and common-cause failure risks
The Dependency Risk assessed by equations (6) or (7) assumes a single initiating event (disruption) at a single CI that results in cascading disruptions. It does not cover common-cause failures, which simultaneously affect several, seemingly independent CIs. Such events can cause multiple cascading chains, i.e. impact is introduced to multiple nodes in the graph simultaneously. Thus, we extend the model to also capture failures that are simultaneously common-cause and cascading. A variety of incidents can serve as initiating events in such cases: an accident, a natural disaster, or a human-initiated attack. For example, a common-cause initiating event may concurrently affect CIs that have not been identified as directly dependent on each other, due to physical proximity (e.g. a flood) or due to social parameters (e.g. a national strike).
Let Le be the likelihood of an event (threat) e. In the case of natural disasters, the value of Le can be assessed based on statistics of previous incidents, prognostics and the presence of vulnerabilities, whereas assessing the likelihood of adversarial attacks is more complex. In that case, likelihood is affected by the motivation and attack skills of the adversary, as well as by the adversary's perceived impact of the attack. For this reason, expert opinion is commonly applied, coupled with a worst-case approach, to achieve a maximum valuation of risk.
We first use equation 6 (or its simplified, impact-only version, equation 7) to evaluate all possible n-order dependency risks. Let ℂ𝕀 be the set of all the examined CIs. The combined Common-cause Risk CR(ℂ𝕀, e) of all possible chains of cascading events CI_{Y0} → CI_{Y1} → … → CI_{Yn}, initiated by a common-cause failure event e, for each possible source infrastructure CI_{Y0} ∈ ℂ𝕀, can be computed as the sum of all the possible risk chains DR_{Y0,…,Yn}, ∀ Y0 ∈ ℂ𝕀, multiplied by the likelihood Le of each examined event e:

CR(ℂ𝕀, e) = Le ∗ Σ_{∀ Y0 ∈ ℂ𝕀} DR_{Y0,…,Yn}(t)    (8)
Every CI (node) that is affected by a common-cause event e is examined as a possible root
of a dependency chain (as CIY0 ). For each CIY0 , the cumulative dependency risk DR is
computed by applying equation (6) or the simplified version (7). Examples of the combined
Common-cause Risk evaluation are provided in section 5.6.3.
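Equation 8 then reduces to a likelihood-weighted sum of the pre-computed chain risks; a minimal sketch with hypothetical values:

```python
# Sketch of equation 8: common-cause risk as the likelihood-weighted sum
# of the cumulative dependency risks of every affected root CI.
def common_cause_risk(likelihood_e, dependency_risks):
    """dependency_risks: DR_{Y0,...,Yn}(t) for every root Y0 affected by e."""
    return likelihood_e * sum(dependency_risks)

# Hypothetical: event e (Le = 0.3) affects two roots with DR 10.5 and 4.2
print(round(common_cause_risk(0.3, [10.5, 4.2]), 2))  # -> 4.41
```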
5.4. Design and Implementation of the CIDA tool
In this section we describe the building blocks used for the design and implementation of the
Critical Infrastructure Dependency Analysis (CIDA) tool (Stergiopoulos, 2014), which extends
and implements the dependency analysis methodology described in section 5.3.
5.4.1. The Neo4J graph database
We chose a graph database model as the main building block for the development of CIDA.
Graph databases are defined as storage systems that provide index-free adjacency. Graph
database technology is an effective tool for modeling data, in comparison with relational
databases and querying languages, in cases where the relationship between elements is the
driving force for the design of the data model (Vicknair, 2010; Shao, 2012). In a graph database,
every element (or node) only needs to know the nodes with which it is connected (i.e. its edges).
This allows graph database systems to utilize graph theory in order to efficiently examine the connections and the degree of connectivity of nodes. In addition, edges allow a graph database to find results in associative data sets. Graph databases can also scale more naturally to large data sets, or to data sets with frequently changing or on-the-fly schemas (Vicknair, 2010).
We examined various graph databases and we selected the Neo4J framework to implement
our dependency analysis-modeling tool, due to its adaptability, scalability and efficiency.
According to recent empirical studies (Shao, 2012; Jouili, 2013; Batra, 2012), Neo4J
outperforms other systems in load time for thousands of elements, as well as in the time needed
to compute the total paths and detect the shortest path. On the other hand, Neo4J shows inferior
performance when used in highly volatile network topologies (i.e. graphs with frequent changes
in nodes and edges), in comparison to other graph model approaches (e.g. DEX, Titan-
Cassandra). This however does not affect our model, since CI dependencies are not subject to
frequent changes in their connectivity.
Neo4J builds upon the property graph model; nodes may have various labels and each label
can serve as an informational entity. The nodes are connected via directed, typed relationships.
Both nodes and relationships can hold arbitrary properties (key-value pairs). Although there is no rigid schema, node labels and relationship types can attach to the nodes as much meta-information as the node attributes of a specific schema require. When data is imported into a graph database, the relationships are treated with as much value as the database records themselves (Vicknair, 2010).
Neo4j deploys a single server instance that can handle a graph of billions of nodes and
relationships. If data throughput exceeds a limit, the graph database can be distributed among multiple servers, thus providing a scalable configuration with high availability. In addition, Neo4J's listeners are capable of capturing useful signals (notices) that objects broadcast in response to possible events, such as a change of a property value or a user interaction. As
explained in Section 5, these two graph functions are the most important factors affecting the
computation time for the analysis of dependent and interconnected CIs.
During development, the Blueprints technology was also used: a property graph model interface that provides implementations supporting the Neo4J graph database.
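For illustration, the property graph model can be mimicked with plain data structures (this is a sketch, not the Neo4J or Blueprints API): labeled nodes and directed, typed relationships, both holding key-value properties.

```python
# Plain-data sketch of the property graph model (illustrative only).
nodes = {
    "A": {"labels": ["CI"], "props": {"sector": "Energy"}},
    "B": {"labels": ["CI"], "props": {"sector": "ICT"}},
}
edges = [
    {"from": "A", "to": "B", "type": "FEEDS",
     "props": {"likelihood": 0.9, "impact": 8}},
]

def outgoing(node_id):
    """Index-free adjacency: a node only needs its own edge list."""
    return [e for e in edges if e["from"] == node_id]

print([e["to"] for e in outgoing("A")])  # -> ['B']
```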
5.4.2. Design of the Dependency Graph Analysis Tool
We developed CIDA, a graph-based Critical Infrastructures Dependency Analysis tool that implements the methodology described in section 5.3, in order to dynamically analyze the risk of CI dependency chains for cascading and/or common-cause failures. CIDA is able to compute the security risk and/or the impact evolution of the dependencies over time. CIDA can graphically represent complex graphs of thousands of dependent CIs through a weighted, directed graph. The weight of each connection (edge) between two CIs is the (maximum) estimated dependency risk value deriving from the dependency between the two infrastructures. To make the computation of the dependency risk paths more efficient, we need to set a maximum depth limit for the examined dependencies. Based on recent empirical research results (Eeten, 2011), cascading effects rarely affect CIs beyond 5th-order dependencies, so we use this as an upper limit on the order of dependencies that are evaluated.
The tool takes as input (either from a spreadsheet or using a graphical interface) the nodes
and the edges of the graph. For each edge CIi →CIj the following input is required for a static
analysis: the estimated likelihood Lij and the (maximum) expected impact Iij. For a dynamic
time-based analysis, the expected time Tij of the maximum impact and the expected growth rate
Gij for the dependency are also required. For a given input dependency graph, CIDA outputs
the following:
1. A table of all existing dependency paths, up to a given maximum dependency order (5th order by default).
2. For a static analysis (based only on Lij , Iij ) and for each dependency path, it computes
the Cumulative Dependency Risk using equation 2.
3. For a dynamic analysis (additionally using the time related input Tij , Gij ) it computes
the expected Cumulative Dependency Risk for various time frames, using the formula
of equation 6.
4. The dependency paths can be sorted based on their cumulative Dependency Risk value and can also be presented in graphical form. If the assessor has set a maximum risk threshold, then CIDA also highlights all the paths exhibiting a value higher than the risk threshold. The paths can be exported in several formats, such as a spreadsheet or an XML file, for further analysis.
5. In addition, CIDA graphically highlights the path exhibiting the maximum cumulative
Dependency Risk path, using a modified version of the Dijkstra algorithm. The
algorithm uses negative weights (risk values) to compute the maximum weighted path.
Based on the assessor's preferences, CIDA can compute either cyclic paths (if feedback effects are to be considered) or acyclic paths (if feedback effects are excluded). In cases where the likelihood values are not available, CIDA can proceed using only the impact values; equations 3 and 7 can then be used for a static or dynamic analysis of dependency impact paths, respectively. Obviously, impact estimations will be higher than risk estimations, as they represent worst-case scenarios that take for granted that if a node fails, then all the following nodes will experience a total failure.
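The enumeration and ranking steps above can be sketched as follows; for simplicity, the sketch uses a depth-bounded search over acyclic paths and the impact-only cumulative risk (equations 3/7) instead of CIDA's modified Dijkstra, and all node names and weights are illustrative:

```python
# Sketch: enumerate acyclic dependency paths up to a maximum order
# (5 by default) and keep the highest-risk one.
def all_paths(edges, max_order=5):
    """edges: {(u, v): impact}. Yields every acyclic path with <= max_order edges."""
    adj = {}
    for (u, v) in edges:
        adj.setdefault(u, []).append(v)

    def walk(path):
        if len(path) > 1:
            yield path
        if len(path) <= max_order:          # path has len(path)-1 edges so far
            for nxt in adj.get(path[-1], []):
                if nxt not in path:         # acyclic variant
                    yield from walk(path + [nxt])

    for node in adj:
        yield from walk([node])

def path_risk(path, edges):
    """Impact-only cumulative risk: the sum of edge weights along the path."""
    return sum(edges[(a, b)] for a, b in zip(path, path[1:]))

edges = {("A", "B"): 8, ("B", "C"): 6, ("A", "C"): 5}
best = max(all_paths(edges), key=lambda p: path_risk(p, edges))
print(best, path_risk(best, edges))  # -> ['A', 'B', 'C'] 14
```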
5.4.3. Modeling CIs & Dependencies
In CIDA, each node may represent a CI or an “autonomous” sub-component of a CI (e.g. a
power generation sub-station in the case of a power operator), depending on the required level
of analysis. Each node in a graph supports the following attributes:
Name: A unique name for the node.
CI operator: The CI owner, responsible for the proper operation of this node. If the
analysis is performed in a unit-level, then one operator may be responsible for several
nodes.
CI sector: The sector of the CI operator. For example Energy or ICT sector.
CI sub-sector: The specific sub-sector that the operator of the CI belongs to. For example
Electricity production or Telecom operator.
Node Location: (Location latitude and longitude) Used to capture geographical
dependencies between CIs and evaluate potential threats concurrently affecting several
nodes.
maxPath: A Boolean that simply indicates whether the node belongs to the maximum risk path.
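For illustration, the attributes above could be grouped into a simple record (the field names are assumptions, not CIDA's actual schema):

```python
# Hedged sketch of a CIDA node record; field names are illustrative.
from dataclasses import dataclass

@dataclass
class CINode:
    name: str               # unique node name
    operator: str           # CI owner responsible for the node
    sector: str             # e.g. "Energy", "ICT"
    sub_sector: str         # e.g. "Electricity production"
    latitude: float         # location, used for geographical dependencies
    longitude: float
    max_path: bool = False  # True if the node lies on the maximum risk path

node = CINode("A", "PowerCo", "Energy", "Electricity production", 37.98, 23.73)
print(node.sector, node.max_path)  # -> Energy False
```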
CIDA supports 17 different CI sectors (including communications, energy, transportation and water systems), covering all the recognized CI sectors based on the reports of (Presidential Policy Directive, 2013) and (Commission of the European Communities, 2005). It also allows
modeling all types of dependencies. While logical, informational and physical dependencies
may be defined in Service Level Agreements (SLAs) and, thus, are easier to identify,
geographical dependencies may be missed. CIDA can automatically identify geographical
dependencies, based on the location provided for each node. This enables CIDA to study threat
scenarios within a specific geographical region and thus to assess geographical dependencies.
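One way such automatic identification could work is to flag node pairs that lie within a given threat radius; a sketch, assuming a simple great-circle distance threshold (the radius and coordinates are illustrative):

```python
# Sketch: detect geographical dependencies from node coordinates.
from math import radians, sin, cos, asin, sqrt

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two (lat, lon) points, in km."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def geographic_pairs(nodes, radius_km):
    """nodes: {name: (lat, lon)}; returns pairs closer than radius_km."""
    names = sorted(nodes)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if haversine_km(*nodes[a], *nodes[b]) <= radius_km]

nodes = {"A": (37.98, 23.73), "B": (38.00, 23.76), "C": (40.64, 22.94)}
print(geographic_pairs(nodes, radius_km=10))  # A and B are a few km apart
```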
Based on the appropriate formulas described in section 5.3, CIDA computes the risk for each individual dependency path. The risk values are then stored in the Neo4J graph, which is implemented as a weighted, directed graph.
Figure 17. Calculating a dependency risk graph for a test scenario with 100 nodes
CIDA then creates a visualization interface using the JUNG2 graph visualization library, supported by Blueprints and Neo4J.
An example of a graph output is shown in figure 17. Each node represents a CI and the weight
of each edge is the estimated dependency risk value that derives from the dependency between
two nodes. The type of the dependency is also depicted. Red edges and nodes indicate the
maximum cascading risk path. The complete set of paths and the relative risk values are
exported to a spreadsheet, for further analysis. Examples of complete input and output sets are
provided in Section 5.6.
5.5. Efficiency analysis
We empirically study the efficiency of the CIDA dependency analysis tool presented in
section 5.4 using granular random scenarios as test cases, containing from 10 up to 1000 nodes.
All the tests were performed on an Intel Core i-7 processor @2.7GHz with 4 cores and 16 GB
of RAM. For each scenario, we examined two different cases with different degrees of
connectivity. In the low connectivity case, each node is randomly connected with at least 1 and at most 3 other nodes. In the high connectivity case, each node is randomly connected with at least 4 and at most 5 other nodes. For each case, we multiplied the execution time by a factor of 10 to estimate the execution time for dynamic analysis, since for time-based analysis all the computations are repeated for each examined time frame.
In real-world scenarios, the majority of nodes are expected to have a connectivity degree ≤ 3, while only a small portion of nodes is expected to exhibit a high degree of connectivity (e.g. major electrical production sub-stations or key Telco nodes) (Eeten, 2011). Thus it is reasonable
to expect that in a real-world scenario the average connectivity degree of all the nodes will be
between these values and the expected execution time will be between these setups (for the
same number of nodes).
Each test was repeated 10 times and the mean execution time was considered. The execution time includes the calculation of all the dependency risk paths up to 5th-order dependencies, as well as the time required to sort the paths and compute the maximum dependency risk path. Again, since cascading effects rarely affect nodes at a distance greater than 4 hops away from the source of the event, the computation of up to 5th-order dependencies suffices to cover the majority of the cases (Eeten, 2011). As expected, the computation time of the complete set of existing dependency risk paths increases exponentially with the number of nodes (see figure 18). The connectivity degree also significantly affects the execution time. For example, the scenario of 1000 nodes takes about 20 min in the low connectivity case (1-3 edges per node), while it requires more than 332 min for higher connectivity (4-5 edges per node).
Since the maximum path problem is NP-complete, it is obvious that CIDA cannot provide a
complete theoretical solution. However, with reasonable limitations in system parameters such
as the maximum number of nodes, the degree of node connectivity and the degree of the
dependency order, CIDA can efficiently provide useful results for large-scale and cross-sectorial realistic scenarios.
Figure 18. Execution time vs number of nodes
5.6. Analyzing Real-World Scenarios of Cascading Effects
To demonstrate the applicability of CIDA, we run scenarios based on a known real-world case of cascading effects. Although our tests are based on a real case, the impact, likelihood and time-related input assigned to each dependency does not rely on actual risk assessment results, since such assessments are not publicly available; it is based on our subjective assumptions, for demonstration purposes.
5.6.1. Case study: A real-world cascading blackout failure
We run a scenario consisting of 9 nodes, based on the well-known electricity blackout scenario of California (Rinaldi, 2001). The scenario was selected because it is a well-documented case, which exhibits several complex cross-sectorial and multi-order cascading dependencies. The initiating event in this scenario is the failure of an electric power sub-station (node A; see figure 19).
Figure 19. Dependencies of the California blackout scenario
This event triggered the following 1st-order dependencies: the disruption of a natural gas production infrastructure (node B), the disruption of the operation of petroleum pipelines (node E) transporting jet fuel to neighboring states, and problems in the operation of massive water pump units (node H).
As depicted in figure 19, the disruption to gas production (node B) directly impacted gas supplies for steam injection units (node C, a 2nd-order dependency). The steam injection units affected the operation of heavy oil recovery units (node D, a 3rd-order dependency), further exacerbating the power problems of node A (feedback loop). Similarly, the disruption of the petroleum product pipelines (node E) caused inventories to build up at refineries and draw down at the product terminals (2nd-order dependency), including several major California airports (node F). The reduction of jet fuel stocks at the airports caused several major airline operators (node G) to consider contingency plans (3rd-order dependencies). Finally, the disruption of the water pump units (node H) affected crop irrigation at crop fields (node I, a 3rd-order dependency).
For our case study, we used as input the values shown in table 13. For each dependency, we provide a Likelihood and a maximum expected Impact estimation. We also provide the expected time at which the maximum impact will manifest, as well as an estimation of the growth rate of the failure evolution.
Note that the input data of the 1st-order dependencies can be fed to CIDA either through a spreadsheet, like the one shown in table 13, or they can be graphically added or modified (an example is shown in figure 20). Based on the input data, CIDA will compute the complete set of all the dependency risk paths over the time axis, for each dependency chain of order ≤ 5, using the formula of equation 6.
Table 13. Assumed input values for the examined blackout scenario.
CIi  CIj  Li,j  Ii,j  Ti,j  Gi,j
A    B    0.9   8     24h   fast
B    C    0.65  6     48h   linear
C    D    0.7   6     48h   slow
D    A    0.15  3     2w    slow
A    H    0.8   6     12h   fast
H    I    0.65  7     48h   linear
A    E    0.9   8     12h   fast
E    F    0.7   5     24h   slow
F    G    0.25  8     1w    slow
Figure 20. Using the graphical interface to input data for nodes (CIs) and connections (edges)
CIDA will output a graphical representation of the examined Dependency Risk Graph, as shown in figure 21. In this case, the graph of the 9 examined nodes produces 38 chains of order between 2 and 5, with potential risk values between 1.5 and 13.17. The nodes and edges indicated in red show the maximum Cumulative Dependency Risk path.
Figure 21. The Dependency Risk Graph of the examined blackout scenario
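As a sanity check on the reported range, the maximum value 13.17 can be reproduced from the table 13 input with the static cumulative dependency risk formula (equation 2), applied to the path A-B-C-D:

```python
# Sanity check: static cumulative risk of path A-B-C-D from table 13.
chain = [("A", "B", 0.9, 8), ("B", "C", 0.65, 6), ("C", "D", 0.7, 6)]

risk, cumulative_likelihood = 0.0, 1.0
for _, _, likelihood, impact in chain:
    cumulative_likelihood *= likelihood     # product of likelihoods so far
    risk += cumulative_likelihood * impact  # add the i-th order term

print(round(risk, 2))  # -> 13.17, the maximum risk value reported above
```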
5.6.2. A cascading-only dependency failure scenario
After CIDA has evaluated all the Dependency Risk paths, it is now possible for the assessor
to efficiently examine several scenarios. One scenario is to analyze and compare all possible
cascading effects. CIDA produces a list of all dependency paths, sorted by their Cumulative
Dependency Risk value. This may help the assessor to identify all the potential dependency
risks that are above a threshold value. For example, figure 22 below shows the subset of the dependency risk paths that exhibit a cumulative risk above 5, regardless of the time required to reach this threshold. It also shows the risk values of the maximum risk path for all the examined time periods, as well as the maximum risk level of the remaining paths at their time of occurrence.
Figure 22. Dependency risk paths with Cumulative Dependency Risk above a risk threshold equal to 5. The assessor may project different paths by using a different threshold.
The threshold parameter is chosen by the assessor and may assist the decision makers in implementing the most effective risk mitigation strategies. From the above figure it is easy to see that the four dependency paths with the highest risk value surpass the threshold within only 1 hour after an initial failure, and that they all start at node A. Thus, a cost-effective mitigation strategy would start by applying mitigation controls with a fast response time at node A, which would substantially decrease the overall dependency risk. If mitigation techniques at node A are considered too expensive, an alternative strategy would be to reduce the likelihood of cascading to the most important 2nd-order dependencies of node A (nodes B and E).
A second result of the analysis is that, although path (A-B-C-D) exhibits the highest risk for almost all examined time frames, path (A-E-F-G) is the most critical path around 12 hours after a cascading failure. This is due to the fact that, although both dependencies A-B and A-E have a fast growth, the second is expected to converge faster to its maximum impact (TAE = 12h). Recall that our methodology can model different Tij and Gij for each dependency.
A third result can be derived by comparing the evolution of sub-paths exhibiting high risk.
For example, note that although the path (A-B-C-D) is the highest risk path, its sub-path (A-B-
C) already exhibits impact higher than the threshold within 1 hour. Thus it is necessary to
implement mitigation controls at the first or second order dependency.
Finally, for the rest of the dependency paths (A-H-I, B-C-D-A-E-F and C-D-A-E-F-G) it is safe to consider mitigation controls with a slower response time, since they have relatively low risk, even for long time frames. Note that the last two paths include the chain (A-E-F) as a sub-path; thus, mitigation controls implemented at (A-E-F) will concurrently reduce the risk of 4 out of the 7 most critical paths.
5.6.3. Combined common-cause and cascading scenarios
Another scenario is to analyze all the cascading effects that may potentially be triggered by
a common-cause failure. For each examined node, CIDA computes the sum of the dependency
risks of all the existing distinct paths 8 originating from it. In the examined case, node A is (as
expected) by far the most critical node for common-cause failures, having a sum of distinct risk
paths equal to 33.22 (paths A-B-C-D, A-E-F-G and A-H-I). In a common cause scenario, at
least two nodes are directly affected by the initiating event, which serves as the common cause
for the failures. Therefore, for each affected node, we would calculate the sum of distinct risk
paths and then these values would be weighted with the likelihood value Le for the initiating
event e (failure or attack) that may be realized at these source nodes. The combined risk (for
each possible initiating event e at each directly affected node) is computed using the formula
of equation 8.
Note that the complete set of the dependency chain risks has already been computed as an
output of the CIDA tool. Thus the evaluation of the possible common-cause failures will be
based on “ready to use” risk chains. The assessor is able to add initiating events and likelihood
values for every node, reflecting the probability that the examined event will cause a failure to
the node or not. The examined initiating events e and likelihood values Le are selected by the
assessor based on expert opinions and possible statistical data. Obviously, it is reasonable to first examine the nodes that exhibit the highest sum of risk values (before they are weighted with Le).
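The reported sum of 33.22 for node A can likewise be reproduced from the table 13 values (a sketch using the static likelihood/impact figures of equation 2, rather than the time-based fuzzy impacts):

```python
# Sanity check: node A's sum of distinct risk paths, before weighting
# by the event likelihood Le of equation 8.
from math import prod

paths = {
    "A-B-C-D": [(0.9, 8), (0.65, 6), (0.7, 6)],
    "A-E-F-G": [(0.9, 8), (0.7, 5), (0.25, 8)],
    "A-H-I":   [(0.8, 6), (0.65, 7)],
}

def chain_risk(chain):
    """Static cumulative dependency risk of one chain (equation 2)."""
    return sum(prod(L for L, _ in chain[:i]) * chain[i - 1][1]
               for i in range(1, len(chain) + 1))

total = sum(chain_risk(c) for c in paths.values())
print(round(total, 2))  # -> 33.22, as reported for node A
```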
5.7. Discussion and Comparison with Other Approaches
5.7.1. Comparison with related methodologies and tools
Modeling and simulation approaches are distinguished as (a) empirical, (b) agent-based, (c) system dynamics-based, (d) economic theory-based, (e) network-based (topology or flow) and (f) others (hierarchical holographic modeling, high-level architecture-based methods, Petri-net-based methods, dynamic control system theory-based, Bayesian network-based, etc.) (Ouyang, 2014) 9. Our method can be categorized as a hybrid one, having characteristics of empirical methods (as a risk-based approach) and network-based methods (as a graph modeling tool).
8 In order to avoid repetition of the same risk chain, only distinct paths are considered.
Empirical methods have been criticized for the lack of the statistical data required to assess the likelihood of potential events. While probability data may be difficult to collect for
various CIs, efforts have already been made for specific sectors. For example, studies of
blackouts allow the identification of critical power lines (or groups of power lines) for a given
network model (Carreras, 2012). This provides a technique for identifying critical clusters of
lines that are likely to trigger or propagate cascade effects, due to vulnerabilities of their power
lines.
Our approach also inherits from network-based methods as it combines a method for
discovering dependency risk paths with an automated modeling and analysis tool. It allows the
dependencies of the connected infrastructures to be depicted in a graph and critical paths to be
identified. Such flow-based, network approaches exist in the literature. They either model the
flow of products or services between CIs in a uniform model (Lee, 2007; Svendsen, 2007;
Svendsen, 2007) or they combine different sector-based flow models (Ouyang, 2011; Rosato,
2008).
Regarding the level of analysis, CIDA does not model infrastructures on a component level,
and for this reason it has similarities with the empirical Leontief input-output models used for
high-level multi-sectorial risk assessment (Haimes, 2001; Santos, 2004; Santos, 2006; Setola,
2009). These approaches measure the dependencies among CI sectors by economic
relationships. The approach described in (Setola, 2009) considers domain expert opinion and
uses fuzzy logic to assess the impact induced by direct and higher-order dependencies between
CIs. These models assume that the CI operators (or the expert(s) conducting the assessment)
will provide input data regarding the impact values for resource outages of various durations
on each CI. Both CIDA and (Setola, 2009) use fuzzy logic. The approach of (Setola, 2009) uses
it to minimize the uncertainty and ambiguity associated with the subjective information
obtained from domain experts. On the other hand, CIDA combines fuzzy logic with various time-growth models. Each dependency may follow a different growth rate, and fuzzy logic is used to objectify the evolution of each dependency, taking into consideration the state of other nearby dependencies. This allows CIDA to output results both for various time frames
(this is also available in (Setola, 2009)) and for alternative growth rates of the failure. Moreover,
CIDA is based on a dependency risk graph to model dependencies, which are not limited to
economic dependencies.
9 Another taxonomy of dependency models contains six broad categories (Zio, 2011; Kroger,
2011): (a) aggregate supply and demand tools, (b) dynamic simulations, (c) agent-based models, (d)
physics-based models, (e) population mobility models and (f) Leontief input-output models
The approaches of (Haimes, 2001; Santos, 2004; Santos, 2006) use the input-output inoperability model to assess the dependencies between the various sectors of an economy and to forecast the effect on one sector of a change in another, due to a disruptive event. Our approach is not a purely economic one. Another important difference is that CIDA allows alternative graphs to be created to analyze the dependencies that occur in abnormal operating conditions; in contrast, the inputs to the approaches of (Haimes, 2001; Santos, 2004; Santos, 2006) only measure dependency in normal economic operations. Moreover, CIDA can perform time-based analysis, which offers different risk results according to the time frame studied and the rate at which the impact evolves in each node. Regarding the input data required for the analysis, the above approaches use aggregated economic data on a sector basis, while CIDA's input consists of risk assessment data provided by the CI operator, i.e. per infrastructure.
Another economic based approach is the NISAC tool N-ABLE, which is a large-scale
microeconomic simulation tool that models the complex supply-chain, spatial market
dynamics, and CI interdependencies of businesses in the U.S. economy. N-ABLE has been
designed in particular to model how U.S. businesses can adapt to and recover from disruptive
events (Ehlen, 2005). Our tool is not specifically engineered to model the economic impact on
a microeconomic level.
The CIP/DSS (Critical Infrastructure Protection/Decision Support System) (Bush, 2005;
Conrad, 2006) enables decision makers to determine what consequences might be expected
from disruptions to infrastructure, explore the mechanisms behind these consequences, and
evaluate mitigation controls for a particular risk. CIP/DSS assesses uncertainties in threats,
vulnerabilities, and the consequences of terrorist acts and natural disasters at a national and
metropolitan scale. It models interdependencies for all the U.S. identified critical infrastructures and key resources and calculates the impacts that cascade into these interdependent infrastructures and into the national economy. Our tool could benefit from the CIP/DSS representation of mitigation alternatives, in order to further formalize the selection of mitigation strategies.
Based on our analysis, CIDA can efficiently compute the risk of all the dependency risk
paths, using reasonable limits for the length of the dependency order. However, when examining large-scale scenarios of hundreds of nodes, the execution time may be prohibitive for real-time analysis and response. CIPR/Sim, in contrast, is such a real-time analysis tool: it imports real-time data from numerous existing analysis modules, including RTDS (Real Time Digital Simulator) for electric grid analysis, QualNet for telecommunications analysis, and PC Tide for wind speed and flood surge analysis.
5.7.2. Advantages and Limitations
CIDA is a modeling and analysis tool focusing on the study of large-scale dependency
scenarios for proactive analysis. The primary goal of CIDA is to help risk assessors and CIP
decision makers to assess dependency risks proactively, before an initiating threat has been
realized. By analyzing the complete set of the potential dependency paths, the risk assessors
may project all the cascading effects that may potentially be realized and thus flag dependency
risks above a threshold that need further attention.
In addition, CIDA can be used to run specific scenarios, which may be of particular interest
for the risk assessors. While the exhaustive computation of the complete set of dependency risk
paths may provide useful information and reveal “hidden” dependency risks, the assessors may
also use CIDA to specifically examine particular realistic scenarios. For example, the risk assessors may use CIDA to examine "what-if" scenarios that only consider initiating security events affecting one (or a few) nodes. Such a scenario may include the study of a major physical
disaster, initially affecting all the nodes within a geographical range. This can be easily
implemented, since the attributes of each node in CIDA may also include the geographical
location coordinates. Thus, it is possible to assess scenarios of common-cause failures to
targeted nodes and examine cascading effects based on geographical dependencies (in such a
case, the most usual type of the corresponding 1st-order dependencies will be geographical).
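Selecting the initiating set for such a geographical what-if scenario amounts to filtering nodes by their stored coordinates. A minimal sketch (the coordinates, the radius and the use of the haversine distance are illustrative assumptions, not CIDA's API):

```python
import math

def nodes_within_radius(nodes, center, radius_km):
    """Return the node ids whose (lat, lon) coordinates fall within
    `radius_km` of `center`, i.e. the initiating set of a common-cause
    failure scenario such as a major physical disaster."""
    def haversine_km(a, b):
        lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
        h = (math.sin((lat2 - lat1) / 2) ** 2
             + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
        return 2 * 6371.0 * math.asin(math.sqrt(h))   # mean Earth radius in km

    return {n for n, coords in nodes.items() if haversine_km(coords, center) <= radius_km}
```

A flood scenario centred on Athens with a 20 km radius would, for instance, select a node located in Piraeus but not one in Thessaloniki.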
CIDA may also be used as an efficient tool for the proactive assessment of risk mitigation
controls and, therefore, for increasing resilience. Based on real input data, it is feasible to examine
hundreds of variant scenarios, even past incidents. The risk assessors may efficiently run slight
variations of dependency graphs, with different weights or even different dependencies, in order
to simulate the implementation of alternative risk mitigation controls. For example, if a
particular path has been identified by the exhaustive computation as a path of a dependency
risk above the maximum risk threshold, CIDA can be used to project the effect of implementing
redundancy security controls to decrease the dependency impact on a targeted edge, or the effect
of completely substituting an edge (if security controls that completely remove a dependency
were implemented), in order to optimize the topology of the interdependent CIs. Both examples
increase the absorbing capacity of nodes or of the network of CIs and, thus, increase overall
resilience.
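Projecting the effect of such a control reduces to re-running the risk computation with the targeted edge's likelihood lowered (redundancy) or zeroed (dependency removed). A hedged sketch, again assuming a multiplicative dependency-risk formulation with invented numbers:

```python
def path_risk(likelihoods, impact):
    """Product of the edge likelihoods times the terminal impact
    (an assumed, simplified dependency-risk formulation)."""
    risk = 1.0
    for likelihood in likelihoods:
        risk *= likelihood
    return risk * impact

def mitigated_risk(likelihoods, impact, edge_index, reduced_likelihood):
    """Project the dependency risk of a path after a mitigation control
    lowers one edge's likelihood; `reduced_likelihood=0.0` models a
    control that removes the dependency entirely."""
    varied = list(likelihoods)
    varied[edge_index] = reduced_likelihood
    return path_risk(varied, impact)
```

For a path with likelihoods [0.9, 0.8] and terminal impact 1.0, the baseline risk is 0.72; a redundancy control cutting the second edge to 0.4 lowers it to 0.36, and removing the edge entirely drops it to 0.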
CIDA can also be used to identify and target key nodes, in order to make them more resistant
to failures, to improve their restorative capabilities, or to determine which alternative resilience
parameters could be improved. In this way it becomes possible to evaluate the benefit of various
alternative and/or complementary mitigation controls, and to output convincing arguments
concerning the expected benefit of possible mitigation strategies. Note that the study of such
scenarios can be parallelized using additional computing resources.
A limitation of our approach is the need for input data from prior risk assessments, performed
by the examined CIs. This is an inherent problem of all empirical risk approaches, since
empirical risk-based approaches analyze dependencies based on previous incidents (historical
incident or disaster data) coupled with expert opinion in an effort to identify alternative
measures to minimize the dependency risk (Utne, 2011; Kjolle, 2012). It is highly unlikely for
a single CI operator to have access to real data of other CIs. Thus, the methodology can only be
applied at a higher layer. For example, sector coordinators or regulators may collect data
concerning a specific sector (such as ICT or energy). National CIP authorities or CERTs may
be able to collect such information. Also note that input data can be gradually added to the
CIDA database in order to construct large-scale scenarios. Moreover, it is also
possible to use such a tool based only on the expected impact of dependent CIs, and ignoring
the likelihood parameter, which is generally more difficult to collect (Franchina, 2011). We
plan to enrich CIDA in its next version with available statistical data for potential initiating
events and their likelihood of occurrence, for key sectors such as Energy and ICT, in order to
further assist risk assessors in evaluating combined common-case and cascading failures.
The entire CIDA project (both the stress test implementation and the full GUI CIDA
tool) can be found at: https://github.com/geostergiop/CIDA.
Chapter 6: Conclusions
6.1 Summary and discussion
This dissertation provides evidence suggesting that more work is required for the protection
of Critical Infrastructures, both in terms of software security through user interaction and in
terms of external threats affecting CIs due to their dependencies.
Firstly, on a smaller granularity level, research findings suggest not only that automatic
analysis of source code for detecting logical errors is indeed feasible (contrary to popular
belief), but also that it can be used to detect software threats inside information systems and
predict possible infrastructure failures due to their manifestation. This way, a partial risk
estimation of the IT systems supporting an infrastructure can be provided. This research's
potential impact is even broader, since academic literature has revealed that smartphone apps
violate the principle of least privilege and also suffer from privilege escalation vulnerabilities.
As discussed in §4, users’ actions can lead to vulnerabilities that, contrary to a priori known
faults, stem from a discrete sequence of valid actions. Moreover, experience has shown that
these types of faults cannot be detected through normal means, due to their high correlation
with the application in which they manifest. Therefore, advances in this field not only help
analyze risk and predict software faults that can lead to failures inside the IT systems of CIs,
but can also help develop an umbrella-like approach for automatically detecting these types of
errors in all software applications.
Experiments also showed that, by using the same methodology, different types of logical
errors could be detected in a wide variety of situations and functionality. The methodology
seems able to detect existing logical vulnerabilities regardless of the type of functionality
implemented inside an application and, also, regardless of the types of machinery handled by
them. Thus, it seems possible to apply this methodology to cover instances of software threats
in known risk assessment methodologies (see §4).
Secondly, critical infrastructures are exposed to external threats that originate from other
infrastructures on which CIs rely (e.g. a communications infrastructure possibly relies on a
power plant for energy in order to provide its services). Impact of external threats on multiple
CIs is considerable since: (i) related case studies (like the California Blackout Scenario) suggest
that failures in interconnected infrastructures can create a series of cascading failures that may
impact an entire nation in multiple sectors, (ii) CIs heavily depend on each other and (iii)
researchers still have much ground to cover in order to analyze the risk and propose
solutions for these types of failures.
The methodology presented in §5 of this dissertation extends the dependency risk
methodology of Kotzanikolaou et al. (Kotzanikolaou, 2011) (Kotzanikolaou, 2013) by
engaging graph centrality measures to cope with the aforementioned issues concerning
infrastructure dependencies. The centrality measures are used as additional criteria to identify
critical infrastructure nodes in a dependency risk graph that significantly affect the critical risk
paths in the graph and are, therefore, good candidates for applying mitigation controls. The
results of the feature selection algorithms confirm that the most critical paths in a dependency
risk graph tend to involve nodes with high centrality values. However, several centrality metrics
are available and they contribute to node selection and overall risk mitigation to varying
degrees. For this reason, numerous simulation experiments were conducted to determine the
best metrics and combinations of metrics. Experimental results demonstrate that aggregating
all the centrality sets to identify nodes with high overall centrality values yields a good, and
intuitively appealing, mitigation strategy. Another result is that critical infrastructure nodes
with high closeness and degree centrality values appear to have the highest impact on the overall
risk of a dependency risk graph. If the focus is on mitigating the cumulative risk of a percentage
of the top critical paths in a dependency risk graph, then, in almost every case tested, the
information gain approach proposed in this dissertation is more efficient than manually
choosing nodes. This result holds for all three mitigation mechanisms evaluated in this research.
The single biggest advantage of the proposed risk mitigation algorithm is that it can identify
critical infrastructure nodes that may not be in the top critical path, but still significantly affect
the overall risk in a dependency graph. To our knowledge, this is the first viable implemented
methodology able to pinpoint points-of-failure in a web of interconnected CIs.
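The node-selection idea can be illustrated with two of the metrics named above, degree and closeness centrality, aggregated into a single ranking. This is a simplified stdlib sketch of the strategy, not the dissertation's exact algorithm (which additionally employs feature selection and information gain):

```python
from collections import deque

def degree_centrality(graph):
    """In-degree plus out-degree, normalised by n-1 (assumes n > 1).
    `graph` maps a node to an iterable of its dependent neighbours."""
    nodes = set(graph) | {v for vs in graph.values() for v in vs}
    n = len(nodes)
    deg = {u: len(graph.get(u, ())) for u in nodes}
    for vs in graph.values():
        for v in vs:
            deg[v] += 1
    return {u: deg[u] / (n - 1) for u in nodes}

def closeness_centrality(graph):
    """Closeness over shortest hop distances, treating edges as
    undirected for reachability (a simplification)."""
    und = {}
    for u, vs in graph.items():
        und.setdefault(u, set())
        for v in vs:
            und.setdefault(v, set())
            und[u].add(v)
            und[v].add(u)
    cc = {}
    for s in und:
        dist = {s: 0}
        queue = deque([s])
        while queue:                       # breadth-first search from s
            u = queue.popleft()
            for v in und[u]:
                if v not in dist:
                    dist[v] = dist[u] + 1
                    queue.append(v)
        total = sum(dist.values())
        cc[s] = (len(dist) - 1) / total if total else 0.0
    return cc

def aggregate_ranking(graph):
    """Sum the per-metric scores so that nodes with high *overall*
    centrality surface first, mirroring the aggregation strategy."""
    d, c = degree_centrality(graph), closeness_centrality(graph)
    return sorted(d, key=lambda u: d[u] + c[u], reverse=True)
```

On a star-shaped dependency graph the hub node dominates both metrics and is ranked first, which matches the intuition that such nodes are the best candidates for mitigation controls.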
Finally, our study shed light on aspects of the evolution of failures across
interconnected CIs. Empirical methods have been criticized for the lack of the required
statistical data needed to assess the likelihood of potential events. While probability data may
be difficult to collect for various CIs, efforts have already been made for specific sectors. For
example, Carreras et al. (Carreras, 2012) demonstrate statistical studies of blackouts which
allow the identification of critical power lines (or groups of power lines) for a given network
model. This provides a technique for identifying critical clusters of lines that are likely to trigger
or propagate cascade effects, due to vulnerabilities of their power lines. The approach presented
in the final chapter of this dissertation also inherits from network-based methods as it combines
a method for discovering dependency risk paths with an automated modeling and analysis tool.
It allows the dependencies of the connected infrastructures to be depicted in a graph and critical
paths to be identified. The tool presented in the final chapter of this dissertation, CIDA, is a
modeling and analysis tool focusing on the study of large-scale dependency scenarios for
proactive analysis. The primary goal of CIDA is to help risk assessors and CIP decision makers
to assess dependency risks proactively, before an initiating threat has been realized. By
analyzing the complete set of the potential dependency paths, the risk assessors may project all
the cascading effects that may potentially be realized and thus flag dependency risks above a
threshold that need further attention.
In addition, CIDA can be used to run specific scenarios that may be of particular interest for
the risk assessors. It can provide useful information and reveal “hidden” dependency risks, and
also specifically examine particular realistic scenarios. For example, the risk assessors may use
CIDA to examine “what-if” scenarios that only consider initiating security events affecting one
(or some) nodes. CIDA may also be used as an efficient tool for the proactive assessment of
risk mitigation controls and, therefore, for increasing resilience. Based on real input data, it is
feasible to examine hundreds of variant scenarios, even past incidents.
6.2 Publications
Our contribution is published in peer-reviewed journals, conferences and book chapters,
namely:
Publications in peer-reviewed, academic journals:
j1. George Stergiopoulos, Panayiotis Kotzanikolaou, Marianthi Theoharidou, Dimitris
Gritzalis, "Risk mitigation strategies for Critical Infrastructures based on graph centrality
analysis", International Journal of Critical Infrastructure Protection, Elsevier, July 2015.
j2. George Stergiopoulos, Panayiotis Katsaros, Dimitris Gritzalis, “Detecting logical errors and
race conditions in software using dynamic invariant assertions and symbolic execution”
Submitted to Journal of Information and Software Technology (JoIST), Elsevier, in July
2015.
j3. George Stergiopoulos, Panayiotis Kotzanikolaou, Marianthi Theoharidou, Dimitris
Gritzalis, "Time-based Critical Infrastructure Dependency Analysis for Large-Scale and
Cross-Sectoral Failures" Submitted to International Journal of Critical Infrastructure
Protection, Elsevier, in June 2015.
Publications in peer-reviewed, international conferences:
c1. George Stergiopoulos, Panayiotis Kotzanikolaou, Marianthi Theoharidou, Dimitris
Gritzalis, “Using centrality metrics in CI dependency risk graphs for efficient risk
mitigation”, in Proc. of the 9th IFIP International Conference on Critical Infrastructure
Protection (CIP-2015), Springer, USA, March 2015.
c2. George Stergiopoulos, Panagiotis Petsanas, Panagiotis Katsaros, Dimitris Gritzalis,
“Automated exploit detection using path profiling: The disposition should matter, not the
position”, in Proc. of the 12th International Conference on Security and Cryptography
(SECRYPT-2015), pp. 100-111, ScitePress, France, July 2015.
c3. George Stergiopoulos, Marianthi Theoharidou, Dimitris Gritzalis, "Using logical error
detection in Remote-Terminal Units to predict initiating events of Critical Infrastructures
failures", in Proc. of the 3rd International Conference on Human Aspects of Information
Security, Privacy and Trust (HCI-2015), Springer, USA, August 2015.
c4. George Stergiopoulos, Panagiotis Katsaros, Dimitris Gritzalis, “Automated detection of
logical errors in programs”, in Proc. of the 9th International Conference on Risks and
Security of Internet and Systems (CRiSIS-2014), Springer, August 2014.
c5. George Stergiopoulos, Panagiotis Katsaros, Dimitris Gritzalis, “Source code profiling and
classification for automated detection of logical errors”, in Proc. of the 3rd International
Seminar on Program Verification, Automated Debugging and Symbolic Computation
(PAS-2014), Austria, July 2014.
c6. George Stergiopoulos, Vasilis Tsoumas, Dimitris Gritzalis, "On Business Logic
Vulnerabilities Hunting: The APP_LogGIC Framework", in Proc. of the 7th International
Conference on Network and System Security (NSS 2013), pp. 236-249, Springer (LNCS
7873), June 2013.
c7. George Stergiopoulos, Bill Tsoumas, Dimitris Gritzalis, “Hunting application-level logical
errors”, in Proc. of the 4th International Symposium on Engineering Secure Software and
Systems (ESSOS-2012), pp. 135-142, Springer (LNCS 7159), February 2012.
Publications in peer-reviewed book chapters:
b1. George Stergiopoulos, Marianthi Theoharidou, Panagiotis Kotzanikolaou, Dimitris
Gritzalis, "Using centrality measures in dependency risk graphs for efficient risk
mitigation", in Critical Infrastructure Protection IX, Shenoi S. (Ed.), pp. 25-40, Springer,
2015.
As a PhD candidate, Mr. Stergiopoulos was involved in other research in the field of
Information Security and authored or co-authored the following three peer-reviewed conference
papers:
c8. Stergiopoulos G., Kandias M., Gritzalis D., "Approaching Encryption through Complex
Number Logarithms" (position paper), in Proc. of the 10th International Conference on
Security and Cryptography (SECRYPT-2013), pp. 574-579, Samarati P., et al. (Eds.),
Iceland, July 2013.
c9. Faily S., Stergiopoulos G., Katos V., Gritzalis D., "Water, water, everywhere: Nuances for
a Water Industry Critical Infrastructure specification exemplar", in Proc. of the 10th
International Conference on Critical Infrastructures Security (CRITIS-2015), Germany,
October 2015 (to appear).
c10. Gritzalis D., Stavrou V., Kandias M., Stergiopoulos G., “Insider Threat: Enhancing BPM
through Social Media”, in Proc. of the 6th IFIP International Conference on New
Technologies, Mobility and Security (NMTS-2014), Springer, UAE, April 2014.
6.3 Future work
Critical Infrastructures are the backbone of any nation. Securing them is a tedious and
complex process. While considerable effort has been made towards this goal, especially after
various events with global consequences, such as the Stuxnet attack and the California Blackout
Scenario, much work still needs to be done towards effectively securing CIs from all types
of threats. As discussed in §1 and §2, new attack vectors emerge as CIs become more and more
interconnected and technology advances. This fact introduces challenges in critical
infrastructure and information systems security; challenges that carry along opportunities for
further research.
Firstly, as discussed in §4, the technology behind automatically detecting logical errors is
still in an early stage. Future work can focus on extending the class of application logic
vulnerabilities that can be identified. In addition, we plan to extend this methodology to deal with
diverse programming languages and business logic constructs. This will require creating input
models of the functionality in multiple software applications. We also plan to extend this work to
involve semantic constructs such as XBRL or OWL. This effort will allow us to apply PLATO
to a larger set of applications, since modeling complex constructs of functionality as
mathematical equations will allow complex source code functionality to be modeled using
dynamic analysis.
As a result, future work can explore the differences between logical errors and the types of flaws
that they produce, thus effectively mapping potential failures and threats in Critical Infrastructures
to specific software functionality. For example, future work can examine whether programs
sending PLC instructions through MODBUS protocols rely on specific security restrictions to
avoid potential failures due to human error, involving analysis of the initial PLC
firmware and the controls applied to it.
In §5 this dissertation proposed risk mitigation mechanisms and ways to pinpoint dangerous
CI nodes in risk dependency graphs. These mitigation algorithms are rather restrictive, since
they do not take into consideration potential geographical or national restrictions that might
apply to various CI nodes in a given dependency graph. An obvious direction of future work
is to mount a GIS framework utilizing latitude and longitude details for all given CIs and to
outsource information gathering on these matters to available tools such as Google Maps.
Another possible direction of research is to examine whether the use of dependency analysis
in critical infrastructures can augment threat analysis in risk assessments.
Currently, risk assessment methodologies scarcely take into consideration external threats due
to interdependencies. Utilizing the proposed methodologies during Risk Assessment may
augment the threat model of each assessment and help pinpoint new threats and potential
instabilities.
Moreover, the analysis of the cascading failures amongst interdependent critical
infrastructures in §6 does not take into consideration formal risk assessment output or ISO
standards. An obvious direction for future work is to analyze and include results from risk
assessment reports in these security models for analyzing webs of interconnected CIs.
Similarly, future work can include a dynamic implementation in which CIs enter the dependency
graph at runtime, recalibrating impact assessments on the fly.
Future work can also implement a risk rank, with corresponding output from the proposed
methodology (§6), that references specific security controls tied to external CI threats, e.g.
proposing specific ISO-certified countermeasures for specific types of threats (for instance,
CIDA could propose extra UPS capacity and alternate power supplies for a given CI if there is a
high-impact, fast-evolving external threat from a power plant to that infrastructure).
Future research should also focus on aspects that have not been measured in our
experiments and remain unclear, for instance clarifying the differences between
types of interconnections between CIs and the effect these have on cascading failures.
Overall, the results in this dissertation provide evidence that critical infrastructures require multi-
level protection against threats that stem from multiple attack vectors and at various granularity
levels. Developing methodologies to protect CIs both at the software level, where users interact
with machines, and in the uncharted area of external interdependencies seems to be of the utmost
importance. In this context, it would be prudent to extend the common body of knowledge for
the security domain (e.g. the one described in (Theoharidou and Gritzalis, 2007; Gritzalis et al.,
2005)) to include the aforementioned aspects of security (such as the impact of authorization
decisions via software interactions, unique attacks, adoption of security controls, etc.).
6.4 Concluding remarks
(Inter)dependencies between critical infrastructures are a key factor in critical infrastructure
protection because they may allow a failure that is seemingly isolated in one critical
infrastructure to cascade to multiple critical infrastructures. The protection of such
infrastructures is crucial, as CIs are increasingly woven into everyday life and support all
aspects of a nation. This work explored the current state of protection of CIs at two different
granularity levels: that of software-based logical vulnerabilities and that of interdependencies
between infrastructures.
This thesis utilized the lessons learned from studying the interdependencies between critical
infrastructures, together with software analysis, for the purpose of securing infrastructure
systems against initiating serious failures. It presented how, and under which circumstances,
logical vulnerabilities in software can be detected using automated analysis. On the broader
scale, it introduced risk mitigation mechanisms for use in complex infrastructure dependency
risk graphs and developed a tool able to predict, analyze and visualize the impact of cascading
failures between multiple critical infrastructures.
Appendix
A. Time-Based Analysis of cascading failures using the CIDA tool
A1. Tool libraries and development
This appendix serves as a reference to the documentation and data used by CIDA. It is intended
for users trying to work with and understand the methodology behind CIDA. The CIDA tool
utilizes (i) the Blueprints collection and, especially, the Neo4J graph library as the technology
realizing its dependency analysis modeling methodology, and (ii) the jFuzzyLogic Java library
to implement its fuzzy logic control system.
Neo4J builds upon the property graph model; nodes may have various labels and each label
can serve as an informational entity. The nodes are connected via directed, typed relationships.
The Blueprints collection can be found here: https://github.com/tinkerpop/blueprints/wiki.
The Neo4J project can be found here: http://neo4j.com/developer/get-started/.
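In plain terms, the property graph model amounts to labelled nodes with key/value properties and directed, typed relationships. A stdlib-only sketch of the idea (illustrative only; CIDA stores its graphs in Neo4J rather than in Python objects, and the names and property keys below are invented):

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    labels: set   # e.g. {"Infrastructure", "Energy"}; each label an informational entity
    props: dict   # e.g. {"name": "Power plant A", "lat": 37.98, "lon": 23.73}

@dataclass
class PropertyGraph:
    nodes: list = field(default_factory=list)
    rels: list = field(default_factory=list)    # (source, type, target, props)

    def add_node(self, labels, **props):
        node = Node(set(labels), props)
        self.nodes.append(node)
        return node

    def relate(self, source, rel_type, target, **props):
        """Directed, typed relationship, e.g. DEPENDS_ON with a likelihood."""
        self.rels.append((source, rel_type, target, props))
```

For example, a telecom hub depending on a power plant becomes two labelled nodes joined by a DEPENDS_ON relationship carrying the dependency likelihood as a property.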
jFuzzyLogic implements the Fuzzy Control Language (FCL), which standardizes the programming
of fuzzy logic systems and reduces programming time by removing the need to perform
boilerplate programming tasks. jFuzzyLogic can be found here:
http://jfuzzylogic.sourceforge.net/html/index.html.
A2. Fuzzy Logic IF THEN rules
Fuzzy sets along with linguistic IF-THEN rules are used to calculate the fuzzy value of the
expected time-based impact value. Rules are usually expressed in the form: IF variable IS property
THEN action.
Initially, a processing stage invokes the appropriate IF-THEN rules and generates a result for
each rule. These results are then combined to output a set of truth values. Each IF-THEN result is,
essentially, a membership function and a truth value controlling the output set, i.e. the linguistic
variables impact and time.
Membership sets are dynamically created for each Critical Infrastructure during CIDA's
analysis. Yet, the IF-THEN rules used by CIDA to combine fuzzy sets and calculate output are
the following:
RULEBLOCK No1
    // Use 'min' for 'and' (and implicitly 'max'
    // for 'or', to fulfill De Morgan's laws)
    AND : MIN;
    // Use 'min' activation method
    ACT : MIN;
    // Use 'max' accumulation method
    ACCU : MAX;

    RULE 1  : IF Impact IS Very_High AND Time IS Early     THEN Impact_T IS Medium;
    RULE 2  : IF Impact IS Very_High AND Time IS Medium    THEN Impact_T IS High;
    RULE 3  : IF Impact IS Very_High AND Time IS Late      THEN Impact_T IS Very_High;
    RULE 4  : IF Impact IS Very_High AND Time IS Very_Late THEN Impact_T IS Very_High;
    RULE 5  : IF Impact IS High      AND Time IS Early     THEN Impact_T IS Medium;
    RULE 6  : IF Impact IS High      AND Time IS Medium    THEN Impact_T IS Medium;
    RULE 7  : IF Impact IS High      AND Time IS Late      THEN Impact_T IS High;
    RULE 8  : IF Impact IS High      AND Time IS Very_Late THEN Impact_T IS High;
    RULE 9  : IF Impact IS Medium    AND Time IS Early     THEN Impact_T IS Low;
    RULE 10 : IF Impact IS Medium    AND Time IS Medium    THEN Impact_T IS Medium;
    RULE 11 : IF Impact IS Medium    AND Time IS Late      THEN Impact_T IS Medium;
    RULE 12 : IF Impact IS Medium    AND Time IS Very_Late THEN Impact_T IS Medium;
    RULE 13 : IF Impact IS Low       AND Time IS Early     THEN Impact_T IS Very_Low;
    RULE 14 : IF Impact IS Low       AND Time IS Medium    THEN Impact_T IS Very_Low;
    RULE 15 : IF Impact IS Low       AND Time IS Late      THEN Impact_T IS Low;
    RULE 16 : IF Impact IS Low       AND Time IS Very_Late THEN Impact_T IS Low;
    RULE 17 : IF Impact IS Very_Low  AND Time IS Early     THEN Impact_T IS Very_Low;
    RULE 18 : IF Impact IS Very_Low  AND Time IS Medium    THEN Impact_T IS Very_Low;
    RULE 19 : IF Impact IS Very_Low  AND Time IS Late      THEN Impact_T IS Very_Low;
    RULE 20 : IF Impact IS Very_Low  AND Time IS Very_Late THEN Impact_T IS Very_Low;
END_RULEBLOCK
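The declarations at the top of the block (AND : MIN, ACT : MIN, ACCU : MAX) can be reproduced in a few lines of Python. The two membership functions and the two-rule excerpt below are illustrative placeholders on a 0-1 scale; CIDA generates the actual membership sets per infrastructure and evaluates all twenty rules through jFuzzyLogic:

```python
def low(x):
    """Placeholder membership set: 1 at 0, falling to 0 at 0.5."""
    return max(0.0, 1.0 - 2.0 * x)

def high(x):
    """Placeholder membership set: 0 up to 0.5, rising to 1 at 1."""
    return max(0.0, 2.0 * x - 1.0)

# Two-rule excerpt: (impact set, time set, output linguistic term),
# loosely mirroring RULE 5 (High/Early -> Medium) and RULE 7 (High/Late -> High)
RULES = [
    (high, low,  'Medium'),
    (high, high, 'High'),
]

def infer(impact, time):
    """MIN within a rule (AND and activation), MAX across rules (accumulation)."""
    truth = {}
    for mu_impact, mu_time, term in RULES:
        strength = min(mu_impact(impact), mu_time(time))   # AND : MIN, ACT : MIN
        truth[term] = max(truth.get(term, 0.0), strength)  # ACCU : MAX
    return truth
```

For instance, infer(0.9, 0.2) yields a truth value of 0.6 for Medium (the first rule fires at min(0.8, 0.6)) and 0.0 for High (the second rule does not fire at all).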
A3. Impact Time Tables
Three growth rates (linear, logarithmic and exponential) are used by CIDA to model the
evolution of impact when a failure manifests itself in an infrastructure. These rates are used to
pre-compute all possible values of the impact I(t) at specific points t on CIDA's time scale (in minutes):
T = {15, 60, 180, 720, 1440, 2880, 10080, 20160, 40320, 60480}.
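The excerpt does not give the exact growth formulas, so the sketch below only reproduces the qualitative shapes: impact rising linearly, logarithmically (fast early growth) or exponentially (slow early growth) towards the worst-case value I at time t_max. The specific curve constants are assumptions:

```python
import math

TIME_SCALE = [15, 60, 180, 720, 1440, 2880, 10080, 20160, 40320, 60480]  # minutes

def impact_at(worst_case, t, t_max, growth):
    """Share of the worst-case impact reached t minutes after the
    failure, saturating at t_max. Assumed curve shapes only; CIDA's
    actual tables may use different formulas."""
    x = min(t / t_max, 1.0)                    # normalised time, capped at the peak
    if growth == 'linear':
        return worst_case * x
    if growth == 'logarithmic':                # fast early growth
        return worst_case * math.log1p(9 * x) / math.log(10)
    if growth == 'exponential':                # slow early growth
        return worst_case * math.expm1(3 * x) / math.expm1(3)
    raise ValueError(f'unknown growth rate: {growth}')

def impact_table(worst_case, t_max, growth):
    """Pre-compute I(t) at every point of the time scale."""
    return {t: round(impact_at(worst_case, t, t_max, growth), 3) for t in TIME_SCALE}
```

All three curves meet the worst-case impact at t_max; before that, the logarithmic curve lies above the linear one and the exponential curve below it.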
In the tables below, the yellow line depicts the time point when the worst-case impact I will manifest
(the maximum impact value). The tables reference all possible combinations of impact, time point and
growth rate of a failure in a Critical Infrastructure (I, T, G). They are used as input to a fuzzy logic
ranking system, to group impact and time values into fuzzy membership sets. The tables are provided below:
Exponential Tables
(exponential impact/time tables not reproduced in this transcript)
Linear Tables
(linear impact/time tables not reproduced in this transcript)
Logarithmic Tables
(logarithmic impact/time tables not reproduced in this transcript)
A4. Guide to installing the CIDA Eclipse project
The CIDA project uses Maven to install libraries and extensions, along with those found
under the \lib folder. Make sure your Eclipse instance has Maven support installed. Follow these
steps to import a project to your computer:
1. Create a workspace folder for Eclipse (if you don't have one).
2. Clone a project folder to your destination system: either the GUI CIDA tool (CIPTIMEFL)
or the Random Graph Stress Analyzer (CIP2014).
3. Transfer the folder under your \workspace Eclipse folder.
4. Select File > Import.
5. Select General > Existing Projects into Workspace.
6. Select the project folder (under "Select root directory").
7. Click Finish.
References
1. Department of Homeland Security (DHS), What Is Critical Infrastructure?, October 2013,
http://www.dhs.gov/what-critical-infrastructure
2. Moteff, John, Claudia Copeland, and John Fischer. "Critical infrastructures: what makes an
infrastructure critical?." Library of Congress Washington DC Congressional Research Service,
2003.
3. Abel W. Agents, trojans and tags: The next generation of investigators. International Review of
Law, Computers & Technology 2009;23(1-2):99–108.
4. W. W. Peng, D. R. Wallace, Software error analysis, NIST Special Publication 500 (1993) 209.
5. M. Kimura, Software vulnerability: definition, modelling, and practical evaluation for e-mail
transfer software, International journal of pressure vessels and piping 83 (4) (2006) 256–261.
6. Codepro (2015). URL https://developers.google.com/java-dev-tools/codepro/doc/
7. Ucdetector (2015). URL http://www.ucdetector.org/
8. PMD (2015). URL http://pmd.sourceforge.net/
9. D. Hovemeyer, W. Pugh, Finding bugs is easy, ACM SIGPLAN Notices 39 (12) (2004) 92–106.
10. Coverity save audit tool (2015). URL http://www.coverity.com
11. The java pathfinder tool (2015). URL http://babelfish.arc.nasa.gov/trac/jpf/
12. M. D. Ernst, J. H. Perkins, P. J. Guo, S. McCamant, C. Pacheco, M. S. Tschantz, C. Xiao, The
daikon system for dynamic detection of likely invariants, Science of Computer Programming 69
(1) (2007) 35–45.
13. G. Stergiopoulos, B. Tsoumas, D. Gritzalis, Hunting application-level logical errors, in:
Engineering Secure Software and Systems, Springer, 2012, pp. 135–142.
14. C. S. Păsăreanu, W. Visser, Verification of Java programs using symbolic execution and invariant
generation, in: Model Checking Software, Springer, 2004, pp. 164–181.
15. V. Felmetsger, L. Cavedon, C. Kruegel, G. Vigna, Toward automated detection of logic
vulnerabilities in web applications, in: USENIX Security Symposium, 2010, pp. 143–160.
16. CWE, The common weakness enumeration (cwe) community (2015). URL https://cwe.mitre.org/
17. G. Stergiopoulos, B. Tsoumas, D. Gritzalis, On business logic vulnerabilities hunting: The
APP_Loggic framework, in: Network and System Security, Springer, 2013, pp. 236–249.
18. G. Stergiopoulos, P. Katsaros, D. Gritzalis, Automated detection of logical errors in programs, in:
Proc. of the 9th International Conference on Risks & Security of Internet and Systems, 2014.
19. T. Boland, P. E. Black, Juliet 1.1 c/c++ and java test suite, Computer (10) (2012) 88–90.
20. The post-2015 Hyogo Framework for Action: Managing risks to achieve resilience, European
Commission, Brussels, 2014, COM(2014) 216 final.
21. A. Zeller, Isolating cause-effect chains from computer programs, in: Proceedings of the 10th ACM
SIGSOFT symposium on Foundations of software engineering, ACM, 2002, pp. 1–10.
22. X. Zhang, N. Gupta, R. Gupta, Locating faults through automated predicate switching, in:
Proceedings of the 28th international conference on Software engineering, ACM, 2006, pp. 272–
281.
23. M. Weiser, Program slicing, in: Proceedings of the 5th international conference on Software
engineering, IEEE Press, 1981, pp. 439–449.
24. X. Zhang, N. Gupta, R. Gupta, Pruning dynamic slices with confidence, in: ACM SIGPLAN
Notices, Vol. 41, ACM, 2006, pp. 169–180.
25. A. Doupe, B. Boe, C. Kruegel, G. Vigna, Fear the ear: discovering and mitigating execution after
redirect vulnerabilities, in: Proceedings of the 18th ACM conference on Computer and
communications security, ACM, 2011, pp. 251–262.
26. D. Balzarotti, M. Cova, V. V. Felmetsger, G. Vigna, Multi-module vulnerability analysis of web-
based applications, in: Proceedings of the 14th ACM conference on Computer and
communications security, ACM, 2007, pp. 25–35.
27. The daikon invariant detector manual (2015). URL http://groups.csail.mit.edu/pag/daikon/
28. R. A. Martin, S. Barnum, Common weakness enumeration (CWE) status update, ACM SIGAda
Ada Letters 28 (1) (2008) 88–91.
29. G. K. Baah, Statistical causal analysis for fault localization.
30. E. R. Harold, Java I/O, O'Reilly Media, 2006.
31. J. Gosling, B. Joy, G. L. Steele Jr., G. Bracha, A. Buckley, The Java Language Specification,
Pearson Education, 2014.
32. Java platform, standard edition 7 api specification (2015). URL
http://docs.oracle.com/javase/7/docs/api/
33. G. Stoneburner, A. Goguen, A. Feringa, Risk management guide for information technology
systems, Nist special publication 800 (30) (2002) 800–30.
34. I. Perfilieva, J. Močkoř, Mathematical principles of fuzzy logic, Springer Science & Business
Media, 1999.
35. G. Albaum, The likert scale revisited, Journal-Market research society 39 (1997) 331–348.
36. N. A. Abramson, Introduction to Information Theory and Coding, McGraw Hill, 1964.
37. L. H. Etzkorn, C. G. Davis, Automatically identifying reusable OO legacy code, Computer 30 (10)
(1997) 66–71.
38. Y. Yang, J. O. Pedersen, A comparative study on feature selection in text categorization, in: ICML,
Vol. 97, 1997, pp. 412–420.
39. E. J. Glover, G. W. Flake, S. Lawrence, W. P. Birmingham, A. Kruger, C. L. Giles, D. M. Pennock,
Improving category specific web search by learning query modifications, in: Applications and the
Internet, 2001. Proceedings. 2001 Symposium on, IEEE, 2001, pp. 23–32.
40. S. Ugurel, R. Krovetz, C. L. Giles, What’s the code?: automatic classification of source code
archives, in: Proceedings of the eighth ACM SIGKDD international conference on Knowledge
discovery and data mining, ACM, 2002, pp. 632–638.
41. NVD, National Vulnerability Database (2015). URL http://nvd.nist.gov
42. R. Jhala, R. Majumdar, Software model checking, ACM Comput. Surv. 41 (4) (2009) 21:1–21:54.
doi:10.1145/1592434.1592438. URL http://doi.acm.org/10.1145/1592434.1592438
43. P. Chhabra, L. Bansal, An effective implementation of improved halstead metrics for software
parameters analysis (2014).
44. E. Bray, K. Brune, D. A. Fisher, J. Foreman, M. Gerken, C4 software technology reference guide:
a prototype, Tech. rep., DTIC Document (1997).
45. G. K. Gill, C. F. Kemerer, Cyclomatic complexity density and software maintenance productivity,
Software Engineering, IEEE Transactions on 17 (12) (1991) 1284–1288.
46. W. J. Hansen, Measurement of program complexity by the pair:(cyclomatic number, operator
count), ACM SIGPLAN Notices 13 (3) (1978) 29–33.
47. L. Rosenberg, T. Hammer, Metrics for quality assurance and risk assessment, Proc. Eleventh
International Software Quality Week, San Francisco, CA.
48. Using code quality metrics in management of outsourced development and maintenance (2015).
URL http://www.mccabe.com/pdf/McCabeCodeQualityMetrics-OutsourcedDev.pdf
49. Foundations of fuzzy logic, fuzzy operators (2015). URL
www.mathworks.com/help/toolbox/fuzzy/bp78l6_-1.html
50. W. Van Leekwijck, E. E. Kerre, Defuzzification: criteria and classification, Fuzzy sets and
systems 108 (2) (1999) 159–178.
51. P. Cingolani, J. Alcala-Fdez, jFuzzyLogic: a robust and flexible fuzzy-logic inference system
language implementation, in: FUZZ-IEEE, Citeseer, 2012, pp. 1–8.
52. H. K. Wright, M. Kim, D. E. Perry, Validity concerns in software engineering research, in:
Proceedings of the FSE/SDP workshop on Future of software engineering research, ACM, 2010,
pp. 411–414.
53. NSA, On Analyzing Static Analysis Tools, National Security Agency, 2011.
54. NSA, Static Analysis Tool Study - Methodology, National Security Agency, 2012.
55. G. Rothermel, S. Elbaum, A. Kinneer, H. Do, Software-artifact infrastructure repository (2006).
56. H. Do, S. Elbaum, G. Rothermel, Supporting controlled experimentation with testing techniques:
An infrastructure and its potential impact, Empirical Software Engineering 10 (4) (2005) 405–
435.
57. V. Okun, A. Delaitre, P. E. Black, Report on the Static Analysis Tool Exposition (SATE) IV, NIST
Special Publication 500-297 (2013).
58. W. D., Jamod: Java Modbus implementation (2015). URL http://jamod.sourceforge.net/
59. Flowserve L75 Series electric actuator, FCD LMAIM7502-00 (July 2005).
60. PLCSimulator, Modbus PLC simulator (2014). URL http://www.plcsimulator.org/
61. R. Natella, D. Cotroneo, J. A. Duraes, H. S. Madeira, On fault representativeness of software fault
injection, Software Engineering, IEEE Transactions on 39 (1) (2013) 80–96.
62. N. Rutar, C. B. Almazan, J. S. Foster, A comparison of bug finding tools for java, in: Software
Reliability Engineering, 2004. ISSRE 2004. 15th International Symposium on, IEEE, 2004, pp.
245–256.
63. R. Krutz, Securing SCADA Systems, Wiley, Indianapolis, 2005.
64. C. Alcaraz, J. Lopez, J. Zhou, R. Roman, Secure SCADA framework for the protection of energy
control systems, Concurrency Comput. Pract. Experience 23 (12) (2011) 1414–1430.
65. P. Kotzanikolaou, M. Theoharidou, D. Gritzalis, Cascading effects of common-cause failures in
critical infrastructures, in: J. Butts, S. Shenoi (Eds.), Critical Infrastructure Protection, Vol. 417
of IFIP Advances in Information and Communication Technology, Springer, 2013, pp. 171–182.
66. P. Kotzanikolaou, M. Theoharidou, D. Gritzalis, Assessing n-order dependencies between critical
infrastructures, IJCIS 9 (1/2) (2013) 93–110.
67. P. Kotzanikolaou, M. Theoharidou, D. Gritzalis, Interdependencies between critical
infrastructures: Analyzing the risk of cascading effects, in: Critical Information Infrastructure
Security, Springer, 2013, pp. 104–115.
68. M. Theoharidou, P. Kotzanikolaou, D. Gritzalis, Risk assessment methodology for interdependent
critical infrastructures, International Journal of Risk Assessment and Management 15 (2) (2011)
128–148.
69. M. Theoharidou, P. Kotzanikolaou, D. Gritzalis, A multi-layer criticality assessment methodology
based on interdependencies, Computers & Security 29 (6) (2010) 643–658.
70. The post-2015 Hyogo Framework for Action: Managing risks to achieve resilience, European
Commission, Brussels, 2014, COM(2014) 216 final.
71. NIPP 2013: Partnering for Critical Infrastructure Security and Resilience, Dept. of Homeland
Security, 2013.
72. P. Bonacich, Power and centrality: A family of measures, American journal of sociology (1987)
1170–1182.
73. Microsoft, MSDN article (2015). URL https://msdn.microsoft.com/en-us/library/ms175382.aspx
74. Y. Yang, J. Pederson, A comparative study on feature selection in text categorization, in:
Fourteenth International Conference on Machine Learning (ICML’97), 1997, pp. 412–420.
75. N. Abramson, Information Theory and Coding, McGraw-Hill, 1963.
76. E. J. Glover, G. W. Flake, S. Lawrence, W. P. Birmingham, A. Kruger, C. L. Giles, D. M. Pennock,
Improving category specific web search by learning query modification, in: Symposium on
Applications and the Internet (SAINT), 2001 IEEE, 2001, pp. 23–31.
77. S. Ugurel, R. Krovetz, C. L. Giles, D. M. Pennock, E. J. Glover, H. Zha, What’s the code?:
automatic classification of source code archives, in: SIGKDD international conference on
Knowledge discovery and data mining (ACM KDD), 8th ACM, 2002, pp. 632–638.
78. G. Karegowda, A. Manjunath, M. Jayaram, Comparative study of attribute selection using gain
ratio and correlation based feature selection, International Journal of Information Technology and
Knowledge Management 2 (2) (2010) 271–277.
79. E. Luiijf, A. Nieuwenhuijs, M. Klaver, M. van Eeten, E. Cruz, Empirical findings on critical
infrastructure dependencies in Europe, in: Critical Information Infrastructure Security, Springer,
2009, pp. 302–310.
80. P. Bonacich, Power and centrality: A family of measures, American journal of sociology (1987)
1170–1182.
81. S. Jouili, V. Vansteenberghe, An empirical comparison of graph databases, in: Social Computing
(SocialCom), 2013 International Conference on, 2013, pp. 708–715.
doi:10.1109/SocialCom.2013.106. URL
http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6693403
82. B. Shao, H. Wang, Y. Xiao, Managing and mining large graphs: systems and implementations, in:
Proceedings of the 2012 ACM SIGMOD International Conference on Management of Data, ACM,
2012, pp. 589–592.
83. S. Rinaldi, J. Peerenboom, T. Kelly, Identifying, understanding, and analyzing critical infrastructure
interdependencies, IEEE Control Systems Magazine 21 (6) (2001).
84. R. Kozik, M. Choras, Current cyber security threats and challenges in critical infrastructures
protection, in: Informatics and Applications (ICIA),2013 Second International Conference on,
2013, pp. 93–97.
85. A. Usov, C. Beyel, E. Rome, U. Beyer, E. Castorini, P. Palazzari, A. Tofani, The DIESIS approach
to semantically interoperable federated critical infrastructure simulation, in: Advances in System
Simulation (SIMUL), 2010 Second International Conference on, IEEE, 2010, pp. 121–128.
86. E. Rome, S. Bologna, E. Gelenbe, E. H. Luiijf, V. Masucci, DIESIS: an interoperable european
federated simulation network for critical infrastructures, in: Proceedings of the 2009 SISO
European Simulation Interoperability Workshop, Society for Modeling & Simulation
International, 2009, pp. 139–146.
87. J. R. Marti, J. A. Hollman, C. Ventura, J. Jatskevich, Dynamic recovery of critical infrastructures:
real-time temporal coordination, International Journal of Critical Infrastructures 4 (1) (2008) 17–
31.
88. Critical infrastructure preparedness and resilience research network (2014). URL
http://www.ciprnet.eu/
89. M. Ouyang, Review on modeling and simulation of interdependent critical infrastructure systems,
Rel. Eng. & Sys. Safety 121 (2014) 43–60.
90. G. Andersson, P. Donalek, R. Farmer, N. Hatziargyriou, I. Kamwa, P. Kundur, N. Martins, J.
Paserba, P. Pourbeik, J. Sanchez-Gasca, R. Schulz, A. Stankovic, C. Taylor, V. Vittal, Causes of
the 2003 major grid blackouts in North America and Europe, and recommended means to improve
system dynamic performance, IEEE Transactions on Power Systems 20 (4) (2005) 1922–1928.
91. S. V. Buldyrev, R. Parshani, G. Paul, H. E. Stanley, S. Havlin, Catastrophic cascade of failures in
interdependent networks, Nature 464 (2010) 1025–1028.
92. S. Panzieri, R. Setola, Failures propagation in critical interdependent infrastructures, International
Journal of Modelling, Identification and Control 3 (1) (2008) 69–78.
93. A. Vespignani, Complex networks: The fragility of interdependency, Nature 464 (2010) 984–985.
94. D. Zhou, A. Bashan, Y. Berezin, R. Cohen, S. Havlin, On the dynamics of cascading failures in
interdependent networks, arXiv preprint arXiv:1211.2330.
95. L. Duenas-Osorio, S. M. Vemuru, Cascading failures in complex infrastructure systems, Structural
safety 31 (2) (2009) 157–167.
96. E. Zio, G. Sansavini, Modeling interdependent network systems for identifying cascade-safe
operating margins, Reliability, IEEE Transactions on 60 (1) (2011) 94–101.
97. M. Van Eeten, A. Nieuwenhuijs, E. Luiijf, M. Klaver, E. Cruz, The state and the threat of
cascading failure across critical infrastructures: the implications of empirical evidence from media
incident reports, Public Administration 89 (2) (2011) 381–400.
98. L. Franchina, M. Carbonelli, L. Gratta, M. Crisci, An impact-based approach for the analysis of
cascading effects in critical infrastructures, International journal of critical infrastructures 7 (1)
(2011) 73–90.
99. B. Robert, A method for the study of cascading effects within lifeline networks, International
journal of critical infrastructures 1 (1) (2004) 86–99.
100. B. Utne, P. Hokstad, J. Vatn, A method for risk modeling of interdependencies in critical
infrastructures, Reliability Engineering & System Safety 96 (6) (2011) 671–678.
101. G. H. Kjølle, I. B. Utne, O. Gjerde, Risk analysis of critical infrastructures emphasizing electricity
supply and interdependencies, Reliability Engineering & System Safety 105 (2012) 80–89.
102. P. Kotzanikolaou, M. Theoharidou, D. Gritzalis, Interdependencies between critical
infrastructures: Analyzing the risk of cascading effects, in: S. Bologna, B. Hammerli, D. Gritzalis,
S. Wolthusen (Eds.), CRITIS, Vol. 6983 of Lecture Notes in Computer Science, Springer, 2011,
pp. 104–115.
103. B. Carreras, D. Newman, I. Dobson, Determining the vulnerabilities of the power transmission
system, in: System Science (HICSS), 2012 45th Hawaii International Conference on, 2012, pp.
2044–2053. doi:10.1109/HICSS.2012.208.
104. D. Judi, A. Kalyanapu, S. Burian, B. Daniel, T. McPherson, Wide-area flood inundation and
infrastructure risk assessment simulation framework, in: Proceedings of the Second IASTED
International Conference on Water Resources Management, 2007.
105. H. Luiijf, D. Stolk, An international tabletop exercise on critical infrastructure protection: the
lessons identified, International journal of critical infrastructures 6 (3) (2010) 293–303.
106. G. Stergiopoulos, P. Kotzanikolaou, M. Theocharidou, D. Gritzalis, CIDA: Critical Infrastructure
Dependency Analysis tool (September 2014). URL https://github.com/geostergiop/CIDA
107. Presidential Policy Directive - Critical Infrastructure Security and Resilience (PPD-21), The
White House, 2013.
108. R. Francis, B. Bekera, A metric and frameworks for resilience analysis of engineered and
infrastructure systems, Rel. Eng. & Sys. Safety 121 (2014) 90–103.
109. W. Kroger, Emerging risks related to large-scale engineered systems, Tech. rep., International
Risk Governance Council (2010).
110. C. Vicknair, M. Macias, Z. Zhao, X. Nan, Y. Chen, D. Wilkins, A comparison of a graph database
and a relational database: a data provenance perspective, in: Proceedings of the 48th annual
Southeast regional conference, ACM, 2010, p. 42.
111. Neo4j graph database (2014). URL http://www.neo4j.org/
112. S. Batra, C. Tyagi, Comparative analysis of relational and graph databases, International Journal
of Soft Computing and Engineering (IJSCE) 2 (2) (2012) 509–512.
113. Green Paper on a european programme for critical infrastructure protection, Commission of the
European Communities, 2005, COM(2005) 576 final.
114. W. Kroger, E. Zio, Vulnerable systems, Springer, 2011.
115. E. E. Lee, J. E. Mitchell, W. A. Wallace, Restoration of services in interdependent infrastructure
systems: A network flows approach, Systems, Man, and Cybernetics, Part C: Applications and
Reviews, IEEE Transactions on 37 (6) (2007) 1303–1317.
116. N. K. Svendsen, S. D. Wolthusen, Connectivity models of interdependency in mixed-type critical
infrastructure networks, Information Security Technical Report 12 (1) (2007) 44–55.
117. N. K. Svendsen, S. D. Wolthusen, Analysis and statistical properties of critical infrastructure
interdependency multi-flow models, in: Information Assurance and Security Workshop, 2007.
IAW’07. IEEE SMC, IEEE, 2007, pp. 247–254.
118. M. Ouyang, L. Duenas-Osorio, An approach to design interface topologies across interdependent
urban infrastructure systems, Reliability Engineering & System Safety 96 (11) (2011) 1462–1473.
119. V. Rosato, L. Issacharoff, F. Tiriticco, S. Meloni, S. Porcellinis, R. Setola, Modelling
interdependent infrastructures using interacting dynamical models, International Journal of
Critical Infrastructures 4 (1) (2008) 63–79.
120. J. Talsma, B. P. Becker, Q. Gao, E. Ruijgh, Coupling of multiple channel flow models with
OpenMI, in: 10th International Conference on Hydro-informatics HIC, 2012.
121. C. Siaterlis, B. Genge, M. Hohenadel, EPIC: A testbed for scientifically rigorous cyber-physical
security experimentation, IEEE Transactions on Emerging Topics in Computing 1 (2) (2013) 319–
330. doi:10.1109/TETC.2013.2287188.
122. Y. Y. Haimes, P. Jiang, Leontief-based model of risk in complex interconnected infrastructures,
Journal of Infrastructure systems 7 (1) (2001) 1–12.
123. J. R. Santos, Y. Y. Haimes, Modeling the demand reduction input-output (I-O) inoperability due
to terrorism of interconnected infrastructures, Risk Analysis 24 (6) (2004) 1437–1451.
124. J. R. Santos, Inoperability input-output modeling of disruptions to interdependent economic
systems, Systems Engineering 9 (1) (2006) 20–34.
125. R. Setola, S. De Porcellinis, M. Sforna, Critical infrastructure dependency assessment using the
input–output inoperability model, International Journal of Critical Infrastructure Protection 2 (4)
(2009) 170–178.
126. M. A. Ehlen, A. J. Scholand, Modeling interdependencies between power and economic sectors
using the n-able agent-based model, in: Proceedings of the IEEE power engineering society
general meeting, 2005, pp. 2842–2846.
127. B. Bush, L. Dauelsberg, R. LeClaire, D. Powell, S. Deland, M. Samsa, Critical infrastructure
protection decision support system (cip/dss) project overview, in: Proceedings of the 23rd
international conference of the system dynamics society, 2005, pp. 17–21.
128. S. H. Conrad, R. J. LeClaire, G. P. O’Reilly, H. Uzunalioglu, Critical national infrastructure
reliability modeling and analysis, Bell Labs Technical Journal 11 (3) (2006) 57–71.
129. S. Walsh, S. Cherry, L. Roybal, Critical infrastructure modeling: An approach to characterizing
interdependencies of complex networks & control systems, in: Human System Interactions, 2009.
HSI ’09. 2nd Conference on, 2009, pp. 637–641. doi:10.1109/HSI.2009.5091052.
130. K. Gordon, M. Dion, Protection of Critical Infrastructures and the role of Investment Policies
relating to national security, OECD, May 2008.
131. Emergency Management Australia, Critical Infrastructure Emergency Risk Management and
Assurance Handbook, January 2003.
132. Ministry of the Interior and Kingdom Relations, National Risk Assessment Method Guide 2008,
National Security Programme, The Netherlands, June 2008.
133. Insight Consulting, CRAMM User Guide, Issue 5.1 July 2005.
134. ISO/IEC, Information technology — Security techniques — Information security management
systems — Overview and vocabulary, ISO/IEC 27000:2014.
135. P. Pederson, D. Dudenhoeffer, M. Permann, S. Hartley, Critical Infrastructure Interdependency
Modeling: A Survey of U.S. and International Research, Idaho National Laboratory, August 2006.