
    A security metric for assessing the security level of critical infrastructures

    The deep integration between the cyber and physical domains in complex systems makes the security evaluation process very challenging, as security itself is more of a concept (i.e. a subjective property) than a quantifiable characteristic. Traditional security assessment mostly relies on the personal skills of security experts, often based on best practices and personal experience. The present work is aimed at defining a security metric allowing evaluators to assess the security level of complex Cyber-Physical Systems (CPSs), such as Critical Infrastructures, in a holistic, consistent and repeatable way. To achieve this result, the mathematical framework provided by the Open Source Security Testing Methodology Manual (OSSTMM) is used as the backbone of the new security metric, since it provides security indicators that capture, in a non-biased way, the security level of a system. Several concepts, such as component Lifecycle, Vulnerability criticality and Damage Potential – Effort Ratio, are embedded in the new security metric framework, developed in the scope of the H2020 project ATENA

    Structural Vulnerability Analysis of Electric Power Distribution Grids

    Power grid outages cause huge economic and societal costs. Disruptions in the power distribution grid are responsible for a significant fraction of electric power unavailability to customers. The impact of extreme weather conditions, continuously increasing demand, and the over-ageing of assets in the grid, deteriorates the safety of electric power delivery in the near future. It is this dependence on electric power that necessitates further research in the power distribution grid security assessment. Thus measures to analyze the robustness characteristics and to identify vulnerabilities as they exist in the grid are of utmost importance. This research investigates exactly those concepts: the vulnerability and robustness of power distribution grids from a topological point of view, and proposes a metric to quantify them with respect to assets in a distribution grid. Real-world data is used to demonstrate the applicability of the proposed metric as a tool to assess the criticality of assets in a distribution grid

    Supply chains and energy security in a low carbon transition

    This special edition to be published in Applied Energy brings together a range of papers that explore the complex, multi-dimensional and inter-related issues associated with the supply or value chains that make up energy systems and how a focus on them can bring new insights for energy security in a low carbon transition. Dealing with the trilemma of maintaining energy security, reducing greenhouse gas emissions and maintaining affordability for economies and end users are key issues for all countries, but there are synergies and trade-offs in simultaneously dealing with these different objectives. Currently, industrialised energy systems are dominated by supply chains based on fossil fuels and these, for the most part, have been effective in enabling energy security and affordability. However, they are increasingly struggling to do this, particularly in respect to efforts to tackle climate change, given that the energy sector is responsible for around two-thirds of the global greenhouse gas emissions [1]. A key challenge is therefore how to decarbonise energy systems, whilst also ensuring energy security and affordability. This special issue, through a focus on supply chains, particularly considers the interactions and relationships between energy security and decarbonisation. Energy security is a property of energy systems and their ability to withstand short-term shocks and longer-term stresses depends on other important system properties including resilience, robustness, flexibility and stability [2]. Energy systems are essentially a supply chain comprising of multiple and interrelated sub-chains based around different fuels, technologies, infrastructures, and actors, operating at different scales and locations – from extraction/imports and conversion through to end use [3]. These supply chains have become increasingly globalised and are influenced by the on-going shifts in global supply and demand. 
Thus the aim of this special issue is to explore and discuss how to enable the development of a secure and sustainable energy system through a better understanding of both existing and emerging low carbon energy supply chains as well as of new approaches to the design and management of energy systems. In part, because moving from a system dominated by fossil fuels to one based on low carbon creates a new set of risks and uncertainties for energy security as well as new opportunities. A large number of submissions from over 18 countries were received for this special edition and 16 papers were accepted after peer review. These address a variety of issues and we have chosen to discuss the findings under two key themes, although many of the papers cut across these: (1) Insights from, and for, supply chain analysis. (2) Insights for energy security and its management. We then provide in (3) a summary of insights and research gaps. Table 1 provides a snapshot of the areas covered by the papers showing: theme (s); empirical domains; and geographical coverage

    Classifying Web Exploits with Topic Modeling

    This short empirical paper investigates how well topic modeling and database meta-data characteristics can classify web and other proof-of-concept (PoC) exploits for publicly disclosed software vulnerabilities. By using a dataset comprised of over 36 thousand PoC exploits, an accuracy rate near 0.9 is obtained in the empirical experiment. Text mining and topic modeling are a significant boost factor behind this classification performance. In addition to these empirical results, the paper contributes to the research tradition of enhancing software vulnerability information with text mining, providing also a few scholarly observations about the potential for semi-automatic classification of exploits in the existing tracking infrastructures. Comment: Proceedings of the 2017 28th International Workshop on Database and Expert Systems Applications (DEXA). http://ieeexplore.ieee.org/abstract/document/8049693

    Secure Cloud-Edge Deployments, with Trust

    Assessing the security level of IoT applications to be deployed to heterogeneous Cloud-Edge infrastructures operated by different providers is a non-trivial task. In this article, we present a methodology that makes it possible to express security requirements for IoT applications, as well as infrastructure security capabilities, in a simple and declarative manner, and to automatically obtain an explainable assessment of the security level of the possible application deployments. The methodology also considers the impact of trust relations among different stakeholders using or managing Cloud-Edge infrastructures. A lifelike example is used to showcase the prototyped implementation of the methodology

    Multi-Layer Cyber-Physical Security and Resilience for Smart Grid

    The smart grid is a large-scale complex system that integrates communication technologies with the physical layer operation of the energy systems. Security and resilience mechanisms by design are important to provide guarantee operations for the system. This chapter provides a layered perspective of the smart grid security and discusses game and decision theory as a tool to model the interactions among system components and the interaction between attackers and the system. We discuss game-theoretic applications and challenges in the design of cross-layer robust and resilient controller, secure network routing protocol at the data communication and networking layers, and the challenges of the information security at the management layer of the grid. The chapter will discuss the future directions of using game-theoretic tools in addressing multi-layer security issues in the smart grid. Comment: 16 page

    Risk assessment methodologies for Critical Infrastructure Protection. Part I: A state of the art

    Effective risk assessment methodologies are the cornerstone of a successful Critical Infrastructure Protection program. The extensive number of risk assessment methodologies for critical infrastructures clearly supports this argument. Risk assessment is indispensable in order to identify threats, assess vulnerabilities and evaluate the impact on assets, infrastructures or systems taking into account the probability of the occurrence of these threats. This is a critical element that differentiates a risk assessment from a typical impact assessment methodology. JRC.G.6-Security technology assessmen