
    Physical Resource Management and Access Mediation Within the Cloud Computing Paradigm

    Cloud computing has seen a surge over the past decade as corporations and institutions have sought to leverage the economies of scale achievable through this new computing paradigm. However, the rapid adoption of cloud computing technologies that implement the existing cloud computing paradigm threatens to undermine the long-term utility of the cloud model of computing. In this thesis we address how to accommodate the variety of access requirements and the diverse hardware platforms of cloud computing users by developing extensions to the existing cloud computing paradigm that support consumer-driven access requirements and the integration of new physical hardware platforms.

    Operational Technology Preparedness: A Risk-Based Safety Approach to Scoping Security Tests for Cyber Incident Response and Recovery

    Following the advent of Industry 4.0, industrial process optimisation has benefited significantly from increased interconnectivity and the integration of Information Technology (IT) and Operational Technology (OT). However, this has also increased the attack surface available to cyber threat actors, and a growing number of cyber attacks on industrial environments, including Critical National Infrastructure, has subsequently been observed. In response, government and standardisation organisations alike have invested considerable resources in improving the cyber security of these environments. This includes response and recovery, often used as a last line of defence against cyber attacks. However, due to the unique design philosophies of Industrial Control Systems (ICS), several challenges exist in effectively securing these systems against digital threats. Through an analysis of the standards and guidelines used for assessing and improving cyber incident response and recovery capabilities, and through stakeholder engagement on their implementation in practice, this thesis first identifies the challenges that exist in preparing for cyber incidents targeting ICS/OT environments. In particular, risk management, which involves identifying, evaluating and prioritising risks and finding solutions to minimise, monitor and control them, was found to be essential for improving preparation for cyber incidents. Assurance techniques are used as part of risk management to generate evidence supporting claims of security assurance. Alongside this, adversary-centric security tests such as penetration tests are used to evaluate and improve cyber resilience and incident response capabilities by emulating the actions of malicious actors. However, despite the benefits they provide, they are currently not implemented to their full potential because of the safety and operational risks that exist in ICS/OT environments.
This thesis contributes to academic and industry knowledge by proposing a framework that incorporates methods for identifying and quantifying the safety and operational risks of conducting adversary-centric security tests within ICS/OT environments. Once the risks are understood, these engagements can be scoped using precise constraints so as to maximise the depth of testing while minimising risk to safety and to the operational process. The framework is then evaluated through a qualitative study involving industry experts, confirming its validity for implementation in practice.

    Defending the SCADA Network Controlling the Electrical Grid from Advanced Persistent Threats

    Modern civilization, with its dependency on information technology, requires a steady supply of electrical power to prosper. A century of relentless work by power engineers has ensured that the power grid is reliable. One of the tools they used to achieve that goal is increased automation and remote control of the electrical grid. This technology allows the controllers supervising the power grid to automatically adjust operational parameters to meet external constraints as they evolve. A new surge in demand from a cold night will trigger an automated increase in supply: remote control commands will be sent to open sluice gates at the hydroelectric plant to make turbines spin faster and generate more power. This ensures that the electric grid always functions at peak efficiency and reliably delivers power no matter what the external conditions are. Paradoxically, the gains provided by automated systems invited a previously unknown risk to the reliability of power delivery: cyber attacks. In order to achieve automation, utility operators have turned to Supervisory Control and Data Acquisition (SCADA) technology. Today, SCADA technology is built on top of commercial off-the-shelf hardware and software such as TCP/IP over Ethernet networks and the Windows operating system. This enables malicious entities to leverage their pre-existing knowledge of offensive techniques known to work on these platforms to attack the SCADA networks controlling critical infrastructure. Of those entities, the majority are unfocused attackers searching for commodity assets such as storage capacity to store illegal materials, processing power to send spam, or credentials to enable fraud. However, some actors deliberately target SCADA networks for their ability to cause damage in the physical realm. These actors aggressively search for vulnerabilities, persist in the face of increased defensive measures, and are dubbed advanced persistent threats (APTs). As such, they are more difficult to turn away. If we want to prevent these advanced persistent threats from preying on the SCADA networks controlling our critical infrastructure, we need to devise a defense that does not rely on completely removing vulnerabilities. A number of operational constraints, such as the need to operate 24/7, which precludes opening maintenance windows, ensure that there will always be a vulnerability that an attacker can exploit.
In that light, the goal of this research project is to help power grid operators defend their SCADA networks against advanced persistent threats. To achieve that goal we aim to better understand how the behaviour of advanced persistent threats will manifest itself in a SCADA network and to develop, based on evidence derived from experiments, new tools and techniques to defeat the expected behaviour. By analyzing prior work, we recognize that the true nature of a SCADA network is to serve as a basic control loop for the electric grid. A direct consequence is that any attacker gaining access to the SCADA network could send the grid into any state they wish. We also showed that, should advanced persistent threats attempt to pursue this goal, current research in SCADA security would not provide significant help, since it is not focused on preventing the exploitation of SCADA networks by skilled attackers. This makes SCADA networks attractive to nation states engaged in aggressively competitive behaviour. However, no major cyber incident causing physical damage has been documented to date. From that observation, we developed an attacker model for advanced persistent threat behaviour in SCADA networks that does not necessarily involve causing massive physical damage. We thus introduced the pinprick attack scenario, our first major contribution, in which an attacker causes small amounts of damage that accumulate over time in order to stay under the radar. From this scenario, we developed a strategy of increasing surveillance capability, boosting the radar so to speak, in order to prevent advanced persistent threats from using this scenario. The use of anomaly-based intrusion detection was favoured based on our intuition that it would prove very effective in the highly regimented context of SCADA networks.
To test the capability of our detector, we needed to address the lack of experimental infrastructure suitable for SCADA network security research: a study of the literature shows that current experimental approaches are not appropriate for generating high-fidelity network data. To solve this problem, we introduced the ICS sandbox concept, our second major contribution, which uses a hybrid approach combining the high-fidelity results of emulation with the scalability and low cost of simulation to create an experimental setup able to produce high-fidelity network data sets for experimentation. Finally, we were able to test an implementation of anomaly-based intrusion detection, our third major contribution, using the ICS sandbox. Using only simple features, it was possible to detect command and control traffic in a SCADA network and push attackers to use complex covert channels with limited bandwidth to perform their routine maintenance operations. This attests to the validity of our intuition that anomaly-based detection is particularly effective in SCADA networks, reviving a defensive technique that suffers from poor performance in typical corporate networks. The sum of these contributions represents a significant improvement in the defense of SCADA networks against advanced persistent threats, including threats from nation-state-sponsored intelligence agencies. This contributes to the increased reliability of critical infrastructure, and of the electrical grid in particular, in the face of increasing interest from cyber attackers.
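The detection idea in the abstract above (simple features are enough in the highly regular traffic of a SCADA network) can be illustrated with a profile-based detector. The code below is an added example, not the thesis' detector or data: the polling schedule, host names, port numbers and the external address 203.0.113.5 are all constructed. Each (source, destination, port) pair is profiled by payload size and inter-arrival time from a clean baseline; anything on an unseen pair, or outside the learned size and timing tolerances, is reported.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One observed request, as a flow-export or IDS sensor would summarise it (constructed format)."""
    ts: float      # seconds since capture start
    src: str
    dst: str
    dport: int
    nbytes: int    # application payload bytes


def baseline_traffic():
    """Constructed sample: a master polls three RTUs on Modbus/TCP (502) every 2 s with 12-byte requests."""
    return [Flow(t + 0.1 * i, "master", rtu, 502, 12)
            for t in range(0, 600, 2)
            for i, rtu in enumerate(("rtu1", "rtu2", "rtu3"))]


def learn(flows):
    """Profile each (src, dst, dport) pair by payload size and inter-arrival time."""
    sizes, gaps, last_seen = defaultdict(list), defaultdict(list), {}
    for f in sorted(flows, key=lambda f: f.ts):
        key = (f.src, f.dst, f.dport)
        sizes[key].append(f.nbytes)
        if key in last_seen:
            gaps[key].append(f.ts - last_seen[key])
        last_seen[key] = f.ts
    return {key: {"size": (mean(sizes[key]), pstdev(sizes[key])),
                  "gap": (mean(gaps[key]), pstdev(gaps[key])) if gaps[key] else None}
            for key in sizes}


def detect(model, flows, k=3.0, size_floor=2.0, gap_floor=0.25):
    """Return (flow, reason) for every flow outside the learned profile.

    Tolerance is k standard deviations, but never below a floor: perfectly regular
    polling has zero variance, and a zero tolerance would alert on float noise."""
    alerts, last_seen = [], {}
    for f in sorted(flows, key=lambda f: f.ts):
        key = (f.src, f.dst, f.dport)
        profile = model.get(key)
        if profile is None:
            alerts.append((f, "unknown endpoint pair/port"))   # e.g. an RTU talking to the Internet
            continue
        mu, sd = profile["size"]
        if abs(f.nbytes - mu) > max(k * sd, size_floor):
            alerts.append((f, f"payload size {f.nbytes} vs baseline {mu:.1f}"))
        if key in last_seen and profile["gap"] is not None:
            gap_mu, gap_sd = profile["gap"]
            gap = f.ts - last_seen[key]
            if abs(gap - gap_mu) > max(k * gap_sd, gap_floor):
                alerts.append((f, f"inter-arrival {gap:.2f}s vs baseline {gap_mu:.2f}s"))
        last_seen[key] = f.ts
    return alerts


def observed_traffic():
    """Constructed: normal polling continues, plus (a) a beacon from a compromised RTU to an
    external host on 443 every 60 s and (b) one oversized master->rtu1 poll, standing in for
    data smuggled inside the legitimate protocol."""
    flows = [Flow(t + 0.1 * i, "master", rtu, 502, 40 if (t, rtu) == (700, "rtu1") else 12)
             for t in range(600, 900, 2)
             for i, rtu in enumerate(("rtu1", "rtu2", "rtu3"))]
    flows += [Flow(t + 0.5, "rtu2", "203.0.113.5", 443, 300) for t in range(630, 900, 60)]
    return flows


if __name__ == "__main__":
    for flow, reason in detect(learn(baseline_traffic()), observed_traffic()):
        print(f"{flow.ts:7.1f} {flow.src}->{flow.dst}:{flow.dport} {reason}")
```

The five beacons are caught by the crudest feature of all (an endpoint pair the baseline never contained), and the oversized poll by payload size. Any command and control channel that survives this detector has to hide inside the slack the tolerances leave (here about 2 bytes and 0.25 s per poll), which is the low-bandwidth covert channel the abstract says attackers are pushed towards. In a corporate network the same profiles would have wide variance and the floors would have to be far larger, which is why the technique performs poorly there.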

    Empirical Studies Based on Honeypots for Characterizing Attackers' Behavior

    The cybersecurity community has made substantial efforts to understand and mitigate security flaws in information systems. Often, when a compromise is discovered, it is difficult to identify the actions performed by the attacker. In this study, we explore the compromise phase, i.e., what an attacker does with a host after gaining access to it through a vulnerability exposed by the information system. More specifically, we look at the main actions performed during the compromise and the factors deterring attackers from exploiting the compromised systems. Because of the lack of security datasets on compromised systems, we need to deploy systems in order to study attackers, and the techniques they employ to compromise computers, more adequately. Security researchers employ target computers, called honeypots, that are not used by normal or authorized users. In this study we first describe the distributed honeypot network architecture deployed at the University of Maryland and the different honeypot-based experiments that enabled the data collection required for the studies on attackers' behavior. In the first experiment we explore the attackers' skill levels and the purpose of the malicious software installed on the honeypots. We determined the relative skill levels of the attackers and classified the different software installed. We then focused on the crimes committed by the attackers, i.e., the attacks launched from the honeypots by the attackers. We defined the different computer crimes observed (e.g., brute-force attacks and denial of service attacks) and their characteristics (whether they were coordinated and/or destructive). We looked at the impact of computer resource restrictions on the crimes and then at the deterrent effect of warning and surveillance. Lastly, we used different metrics related to the attack sessions to investigate the impact of surveillance on the attackers based on their country of origin.
During the attacks, we found that attackers mainly installed IRC-based bot tools and sometimes shared their honeypot access. The analysis of crimes suggests that deterrence does not work; we also showed that attackers seem to favor certain computer resources. Lastly, we observed that the presence of surveillance had no significant impact on the attack sessions overall, although surveillance altered the behavior of attackers originating from a few countries.

    ICT aspects of power systems and their security

    This report provides a detailed description of four complex attack scenarios whose final goal is to damage the Electric Power Transmission System. The details of the protocols used, the vulnerabilities, the devices, etc. have, for obvious reasons, been withheld, and those presented are to be understood as simplified (if realistic) versions of possible power systems.
JRC.DG.G.6-Security technology assessmen

    Anomalous behaviour detection for cyber defence in modern industrial control systems

    A thesis submitted in partial fulfilment of the requirements of the University of Wolverhampton for the degree of Doctor of Philosophy.
The fusion of pervasive internet connectivity and emerging technologies in smart cities creates fragile cyber-physical-natural ecosystems. Industrial Control Systems (ICS) are intrinsic parts of smart cities and critical to modern societies. Although ICS were not designed for interconnectivity or security, disruptive technologies now enable ubiquitous computing in modern ICS. Aided by artificial intelligence and the industrial internet of things, they transform the ICS environment towards better automation, process control and monitoring. However, investigations reveal that leveraging disruptive technologies in ICS creates security challenges, exposing critical infrastructure to sophisticated threat actors including increasingly hostile, well-organised cybercrime groups and Advanced Persistent Threats. Besides external factors, insider threats are prevalent and include malicious intent, accidental hazards and professional errors. The sensing capabilities of ICS create opportunities to capture various data types. Apart from operational use, this data, combined with artificial intelligence, can be used to model anomalous behaviour as part of defence-in-depth strategies. As such, this research aims to investigate and develop a security mechanism to improve cyber defence in ICS. Firstly, this thesis contributes a Systematic Literature Review (SLR), which analyses frameworks and systems that address the cyber resilience and digital forensic incident response of cyber-physical systems (CPS) in smart cities. The SLR uncovers emerging themes and draws several key findings. For example, the chronological analysis reveals key influencing factors, whereas the data source analysis points to a lack of real CPS datasets and a prevalent reliance on software- and infrastructure-based simulations.
Further in-depth analysis shows that cross-sector proposals or applications to improve digital forensics with a focus on cyber resilience are addressed by only a small number of research studies in some smart sectors. Next, this research introduces a novel super learner ensemble anomaly detection and cyber risk quantification framework to profile anomalous behaviour in ICS and derive a cyber risk score. The proposed framework and associated learning models are experimentally validated. The results are promising: an overall F1-score of 99.13% and an anomalous-class recall of 99%, detecting anomalies lasting as little as 17 seconds and ranging from 0.5% to 89% of the dataset. Further, a one-class classification model is developed, leveraging stream rebalancing followed by adaptive machine learning algorithms and drift detection methods. The model is experimentally validated, producing promising results including an overall Matthews Correlation Coefficient (MCC) of 0.999 and a Cohen's Kappa (K) of 0.9986 on data streams containing a single type of anomalous behaviour with limited variables. Wide data streams containing multiple types of anomalous instances achieve an MCC of 0.981 and a K of 0.9808. Additionally, the thesis scrutinises the applicability of the learning models to support digital forensic readiness. The study presents the concepts of the digital witness and the digital chain of custody in ICS. Following that, a use case integrating blockchain technologies into the design of ICS to support digital forensic readiness is discussed. In conclusion, the contributions of this thesis help towards developing the next generation of state-of-the-art methods for anomalous behaviour detection in ICS defence-in-depth.

    Propagation, Detection and Containment of Mobile Malware.

    Today's enterprise systems and networks are frequent targets of malicious attacks, such as worms, viruses, spyware and intrusions, that can disrupt or even disable critical services. Recent trends suggest that by combining spyware as a malicious payload with worms as a delivery mechanism, malicious programs can potentially be used for industrial espionage and identity theft. The problem is compounded further by the increasing convergence of wired, wireless and cellular networks, since virus writers can now write malware that crosses over from one network segment to another, exploiting services and vulnerabilities specific to each network. This dissertation makes four primary contributions. First, it builds more accurate propagation models for emerging hybrid malware (i.e., malware that uses multiple propagation vectors such as Bluetooth, email, peer-to-peer, instant messaging, etc.), addressing key propagation factors such as the heterogeneity of nodes, services and user mobility within the network. Second, it develops a proactive containment framework, based on the group behavior of hosts, against such malicious agents in an enterprise setting. The majority of today's anti-virus solutions are reactive, i.e., they are activated only after malicious activity has been detected at a node in the network. In contrast, proactive containment has the potential to close the vulnerable services ahead of infection and thereby halt the spread of the malware. Third, we study (1) the current generation of mobile viruses and worms that target SMS/MMS messaging and Bluetooth on handsets, and the corresponding exploits, and (2) their potential impact on a large SMS provider network, using real-life SMS network data. Finally, we propose a new behavioral approach for detecting emerging malware targeting mobile handsets. Our approach is based on the concept of generalized behavioral patterns instead of traditional signature-based detection.
Signature-based methods do not scale for deployment on mobile devices because of the limited resources available on today's typical handsets. Further, we demonstrate that the behavioral approach not only has a compact footprint but can also detect new classes of malware that combine features from existing classes of malware.
Ph.D., Computer Science & Engineering, University of Michigan, Horace H. Rackham School of Graduate Studies
http://deepblue.lib.umich.edu/bitstream/2027.42/60849/1/abose_1.pd
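The difference between reactive and proactive containment that the abstract draws can be made concrete with a small deterministic propagation model. This is an added example, not the dissertation's models or data: the seven-handset population, its Bluetooth and SMS contact edges, the behaviour groups and the one-step detection delay are all constructed. A hybrid worm spreads over an edge whenever both ends still have that edge's service open; once a node is detected, the reactive policy closes services on that node only, while the proactive policy closes them on every node in the same behaviour group before those nodes are reached.

```python
from collections import defaultdict

# Constructed handset population: open services per node (the worm's two vectors),
# contact edges typed by the vector they carry, and behaviour groups (e.g. handsets
# sharing a model and usage profile) that the proactive policy acts on.
NODES = {"a": {"bluetooth", "sms"}, "b": {"bluetooth"}, "c": {"sms", "bluetooth"},
         "d": {"sms"}, "e": {"bluetooth", "sms"}, "f": {"sms"}, "g": {"bluetooth"}}
EDGES = [("a", "b", "bluetooth"), ("a", "c", "sms"), ("c", "d", "sms"), ("c", "e", "bluetooth"),
         ("e", "f", "sms"), ("e", "g", "bluetooth"), ("d", "f", "sms")]
GROUPS = {"a": "g1", "b": "g1", "c": "g1", "d": "g2", "e": "g2", "f": "g2", "g": "g3"}


def simulate(nodes, edges, groups, seed, policy, detect_delay=1, max_steps=50):
    """Deterministic discrete-time spread of a hybrid worm from `seed`.

    A node is infected over an edge when both ends still have that edge's service open.
    Each infected node is detected `detect_delay` steps after infection; containment then
    closes services according to `policy`:
      'reactive'  - only on the detected node (it stops spreading, but already did);
      'proactive' - on every node in the detected node's group, ahead of their infection.
    Returns {node: step at which it was infected}."""
    open_services = {n: set(s) for n, s in nodes.items()}
    adj = defaultdict(list)
    for u, v, vec in edges:
        adj[u].append((v, vec))
        adj[v].append((u, vec))
    infected_at = {seed: 0}
    for step in range(1, max_steps + 1):
        # 1. propagation: nodes infected before this step try every usable edge
        for u in list(infected_at):
            for v, vec in adj[u]:
                if v not in infected_at and vec in open_services[u] and vec in open_services[v]:
                    infected_at[v] = step
        # 2. delayed detection, then containment
        detected = [n for n, t in infected_at.items() if t == step - detect_delay]
        for n in detected:
            scope = [n] if policy == "reactive" else [m for m in nodes if groups[m] == groups[n]]
            for m in scope:
                open_services[m].clear()
    return infected_at


def compare(seed):
    """Final infected population under each policy, for the constructed network."""
    return {p: len(simulate(NODES, EDGES, GROUPS, seed, p)) for p in ("reactive", "proactive")}


if __name__ == "__main__":
    for seed in ("a", "e"):
        print(f"seed {seed}: {compare(seed)}")
```

With the detection delay of one step, reactive containment always loses: every node has spread once before it is cleaned, so both seeds end with all seven handsets infected. Proactive containment stops the outbreak at the group boundary (three infections from seed `a`), and still helps when the worm jumps groups before the first detection (five from seed `e`), because each group is immunised on its first detected member rather than node by node.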

    Network intrusion prevention in the evolved packet core utilising software defined networks and network function virtualisation

    Mobile Networks (MNs) are fundamental infrastructures in modern life. As traffic volumes rise and subscriber needs expand, Mobile Network Operators (MNOs) need to adapt in order to keep up with demand. This has led MNOs to virtualise the Core Network (CN) using Software Defined Networking (SDN) and Network Functions Virtualisation (NFV). The security and reliability of the MN come under higher levels of scrutiny as more traffic and subscribers make use of it, and as MNs grow they also become more enticing targets for malicious actors. The virtualisation of the CN has introduced new security issues, such as unused network paths being created for attackers to exploit. This research aims to use SDN and NFV to mitigate this issue by allowing only critical network paths to be traversed in a virtualised CN without triggering alerts and node quarantines. The CN of a MN controls and manages all traffic flows through the mobile network, from the User Equipment (UE) to a backhaul network (e.g., the Internet). Flows are streams of data that use a network path between two or more nodes within a network. Security has mostly focused on defending the perimeter of the CN to prevent unwanted access to its internals, and on preventing subscribers' UE from being compromised. This perimeter-only focus has left the High Value Assets (HVAs) of the CN vulnerable to malicious actors who have gained access to internal nodes of the CN. Vulnerabilities still exist that could allow an attacker to compromise a node within the CN, and an attacker who gains access to such a node would be able to manoeuvre through the network undetected and unhindered along any and every network path, with an HVA as their most likely goal.
Therefore a Network Intrusion Prevention System (NIPS) is proposed that limits the paths allowed within the CN and detects any attempt to traverse a non-critical network path. This greatly increases the probability of an attacker being detected. The NIPS leverages two new network architectures to protect the CN's HVAs. First, SDN is used to gain a holistic view of network traffic flows within the CN. SDN allows network control functions to integrate with a logically centralised controller, which also allows programmatic management of the network; this proves crucial in detecting, containing and responding to security threats internal to a network. Second, NFV allows specific network functions within the CN to be virtualised. With the ability to virtualise specific nodes within the CN comes the chance to programmatically deploy network functions with the specific goal of security once an anomaly is detected within the network. NFV is selected for this research because of its ability to quickly deploy false instances of the target of a network attack, allowing comprehensive containment. SDN and NFV create an environment in which attackers targeting an HVA can be mitigated. A SDN-based NIPS is proposed that applies strict control rules to the traffic flows allowed between nodes in the CN. During normal operation of the CN, only flows that use critical network paths are required. If a flow requested from the SDN controller is determined to be malicious, the SDN application automatically deploys a virtualised decoy version of the intended target by means of NFV. The controller then redirects the malicious flows away from their intended target towards the decoy, effectively quarantining the compromised node and mitigating the attack's damage.
It is shown that a NIPS with the described functionality would detect, contain and respond to attackers attempting lateral movement.
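The controller logic the abstract describes (a whitelist of critical paths, an alert and quarantine on any other flow request, and a decoy spun up for the intended target) can be sketched as a packet-in handler. The code below is an added example and an assumed design, not the thesis' application or its Evolved Packet Core topology: the node names, the five critical paths and the NFV call that the `_deploy_decoy` method stands in for are constructed; the port numbers are the standard ones for the named 3GPP interfaces.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRequest:
    src: str
    dst: str
    dport: int


# Constructed EPC topology: the (src, dst, dport) triples normal operation needs.
# Port numbers are the standard ones for each 3GPP interface; the path set is illustrative.
CRITICAL_PATHS = {
    ("enb", "mme", 36412),   # S1-MME: S1AP over SCTP
    ("enb", "sgw", 2152),    # S1-U: GTP-U
    ("mme", "hss", 3868),    # S6a: Diameter
    ("mme", "sgw", 2123),    # S11: GTP-C
    ("sgw", "pgw", 2152),    # S5/S8: GTP-U
}


class DecoyNips:
    """SDN controller application sketch (assumed design, not the thesis' implementation).

    The controller sees the first packet of every new flow (packet-in) because no rule
    matches it yet, decides, and pushes one rule so later packets are switched in the
    data plane."""

    def __init__(self, critical_paths):
        self.allowed = set(critical_paths)
        self.quarantined = set()   # sources whose every flow is now steered to decoys
        self.decoys = {}           # intended target -> NFV-spawned look-alike
        self.flow_table = []       # (match, action) rules pushed to the switches
        self.alerts = []

    def _deploy_decoy(self, target):
        # Stand-in for the NFV orchestrator call that instantiates a decoy of `target`;
        # an existing decoy is reused so repeated attempts land on the same instance.
        return self.decoys.setdefault(target, f"decoy-{target}")

    def packet_in(self, req):
        match = (req.src, req.dst, req.dport)
        if req.src not in self.quarantined and match in self.allowed:
            action = ("forward", req.dst)
        else:
            # Non-critical path, or a source already under quarantine: never let it reach
            # the real node, even on a path that is normally allowed.
            self.quarantined.add(req.src)
            action = ("redirect", self._deploy_decoy(req.dst))
            self.alerts.append((match, action[1]))
        self.flow_table.append((match, action))
        return action


def lateral_movement_demo():
    """Constructed sequence: a compromised eNB tries to reach the HSS directly."""
    nips = DecoyNips(CRITICAL_PATHS)
    requests = [
        FlowRequest("enb", "mme", 36412),   # legitimate S1 signalling
        FlowRequest("enb", "hss", 3868),    # Diameter straight from the eNB: not a critical path
        FlowRequest("enb", "mme", 36412),   # same legitimate path, but the eNB is now quarantined
        FlowRequest("mme", "hss", 3868),    # an unaffected node keeps working
    ]
    return [nips.packet_in(r) for r in requests], nips


if __name__ == "__main__":
    actions, nips = lateral_movement_demo()
    for match, action in nips.flow_table:
        print(match, "->", action)
    print("quarantined:", sorted(nips.quarantined), "alerts:", len(nips.alerts))
```

Two practitioner caveats follow directly from the sketch. First, the whitelist must be complete: any legitimate path left out of `CRITICAL_PATHS` (a maintenance or telemetry flow, say) quarantines a healthy node. Second, quarantine as modelled here also steers the node's legitimate flows to decoys, so the alert must reach an operator with a release procedure; otherwise an attacker who can provoke one bad flow request from a node has a denial of service against it.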

    Wide-Area Situation Awareness based on a Secure Interconnection between Cyber-Physical Control Systems

    Modern critical infrastructures (CIs) are vast, highly complex systems that rely on information technology to manage, control and monitor their operation. Because of their essential functions, the protection and security of critical infrastructures, and therefore of their control systems, has become a priority for government and academic institutions worldwide. The interoperability of CIs, and especially of their control systems (CSs), becomes a key property if these systems are to coordinate and carry out control and security tasks cooperatively. The goal of this thesis is therefore to provide tools for the secure interoperability of the different CSs, especially cyber-physical control systems (CPCSs), so as to strengthen intercommunication and coordination among them and create an environment in which the various infrastructures can perform cooperative control and security tasks, building a secure interoperability platform able to serve multiple CIs within a wide-area situational awareness setting. To that end, we first review the more sophisticated threats to the operation of critical systems, focusing in particular on stealth cyber attacks against the control systems of critical infrastructures such as the smart grid. We direct our research to analysing and understanding this new type of attack on critical systems, and to possible countermeasures and tools for mitigating its effects.
Subsequently, we examine and identify the special requirements that constrain the design and operation of a secure interoperability architecture for the CSs (particularly the CPCSs) of the smart grid. We focus on modelling the non-functional requirements that shape this infrastructure, following the NFR methodology to extract essential requirements, techniques for satisfying them, and metrics for our architectural model. We study the services needed for the secure interoperability of the smart grid's CSs, reviewing in depth the security mechanisms, from basic services to advanced procedures capable of coping with sophisticated threats against control systems, such as intrusion detection, protection and response systems. Our analysis is divided into several areas, prevention, awareness and reaction, and restoration, which together yield a robust security model for protecting critical systems. We provide the design of an architectural model for the secure interoperability and interconnection of the smart grid's CPCSs. This scenario considers the interconnection of a federation of smart grid energy providers that interact through the secure interoperability platform to manage and control their infrastructures cooperatively. The platform takes into account the inherent characteristics, and the new services and technologies, that accompany the Industry 4.0 movement. Finally, we present a proof of concept of our architectural model, which helps validate the proposed design through experiments. We create a set of validation cases that exercise some of the main functionalities offered by the architecture designed for secure interoperability, providing information on its performance and capabilities.