Towards a Layered Architectural View for Security Analysis in SCADA Systems

Supervisory Control and Data Acquisition (SCADA) systems support and control the operation of many critical infrastructures that our society depend on, such as power grids. Since SCADA systems become a target for cyber attacks and the potential impact of a successful attack could lead to disastrous consequences in the physical world, ensuring the security of these systems is of vital importance. A fundamental prerequisite to securing a SCADA system is a clear understanding and a consistent view of its architecture. However, because of the complexity and scale of SCADA systems, this is challenging to acquire. In this paper, we propose a layered architectural view for SCADA systems, which aims at building a common ground among stakeholders and supporting the implementation of security analysis. In order to manage the complexity and scale, we define four interrelated architectural layers, and uses the concept of viewpoints to focus on a subset of the system. We indicate the applicability of our approach in the context of SCADA system security analysis.Comment: 7 pages, 4 figure

Tool-Based Attack Graph Estimation and Scenario Analysis for Software Architectures

With the increase of connected systems and the ongoing digitalization of various aspects of our life, the security demands for software increase. Software architects should design a secure and resistant system. One solution can be the identification of attack paths or the usage of an access control policy analysis. However, due to the system complexity identifying an attack path or analyzing access control policies is hard. Current attack path calculation approaches, often only focus on the network topology and do not consider the more fine-grained information a software architecture can provide, such as the components or deployment. In addition, the impact of access control policies for a given scenario is unclear. We developed an open-source attack propagation tool, which can calculate an attack graph based on the software architecture. This tool could help software architects to identify potential critical attack paths. Additionally, we extended the used access control metamodel to support a scenario-based access control analysis

Pollution-resilient peer-to-peer video streaming with Band Codes

Band Codes (BC) have been recently proposed as a solution for controlled-complexity random Network Coding (NC) in mobile applications, where energy consumption is a major concern. In this paper, we investigate the potential of BC in a peer-to-peer video streaming scenario where malicious and honest nodes coexists. Malicious nodes launch the so called pollution attack by randomly modifying the content of the coded packets they forward to downstream nodes, preventing honest nodes from correctly recovering the video stream. Whereas in much of the related literature this type of attack is addressed by identifying and isolating the malicious nodes, in this work we propose to address it by adaptively adjusting the coding scheme so to introduce resilience against pollution propagation. We experimentally show the impact of a pollution attack in a defenseless system and in a system where the coding parameters of BC are adaptively modulated following the discovery of polluted packets in the network. We observe that just by tuning the coding parameters, it is possible to reduce the impact of a pollution attack and restore the quality of the video communication

Interspecific variation, habitat complexity and ovipositional responses modulate the efficacy of cyclopoid copepods in disease vector control

The use of predatory biological control agents can form an effective component in the management of vectors of parasitic diseases and arboviruses. However, we require predictive methods to assess the efficacies of potential biocontrol agents under relevant environmental contexts. Here, we applied functional responses (FRs) and reproductive effort as a proxy of numerical responses (NRs) to compare the Relative Control Potential (RCP) of three cyclopoid copepods, Macrocyclops albidus, M. fuscus and Megacyclops viridis towards larvae of the mosquito Culex quinquefasciatus. The effects of habitat complexity on such predatory impacts were examined, as well as ovipositional responses of C. quinquefasciatus to copepod cues in pairwise choice tests. All three copepod species demonstrated a population destabilising Type II FR. M. albidus demonstrated the shortest handling time and highest maximum feeding rate, whilst M. fuscus exhibited the highest attack rate. The integration of reproductive effort estimations in the new RCP metric identifies M. albidus as a very promising biocontrol agent. Habitat complexity did not impact the FR form or maximum feeding rate of M. albidus, indicating that potentially population destabilising effects are robust to habitat variations; however, attack rates of M. albidus were reduced in the presence of such complexity. C. quinquefasciatus avoided ovipositing where M. albidus was physically present, however it did not avoid chemical cues alone. C. quinquefasciatus continued to avoid M. albidus during oviposition when both the treatment and control water were dyed; however, when an undyed, predator-free control was paired with dyed, predator-treated water, positive selectivity towards the treatment water was stimulated. We thus demonstrate the marked predatory potential of cyclopoid copepods, utilising our new RCP metric, and advocate their feasibility in biological control programmes targeting container-style habitats. We also show that behavioural responses of target organisms and environmental context should be considered to maximise agent efficacy

Minimum Sparsity of Unobservable Power Network Attacks

Physical security of power networks under power injection attacks that alter generation and loads is studied. The system operator employs Phasor Measurement Units (PMUs) for detecting such attacks, while attackers devise attacks that are unobservable by such PMU networks. It is shown that, given the PMU locations, the solution to finding the sparsest unobservable attacks has a simple form with probability one, namely, $\kappa(G^M) + 1$, where $\kappa(G^M)$ is defined as the vulnerable vertex connectivity of an augmented graph. The constructive proof allows one to find the entire set of the sparsest unobservable attacks in polynomial time. Furthermore, a notion of the potential impact of unobservable attacks is introduced. With optimized PMU deployment, the sparsest unobservable attacks and their potential impact as functions of the number of PMUs are evaluated numerically for the IEEE 30, 57, 118 and 300-bus systems and the Polish 2383, 2737 and 3012-bus systems. It is observed that, as more PMUs are added, the maximum potential impact among all the sparsest unobservable attacks drops quickly until it reaches the minimum sparsity.Comment: submitted to IEEE Transactions on Automatic Contro

Attack-Surface Metrics, OSSTMM and Common Criteria Based Approach to “Composable Security” in Complex Systems

In recent studies on Complex Systems and Systems-of-Systems theory, a huge effort has been put to cope with behavioral problems, i.e. the possibility of controlling a desired overall or end-to-end behavior by acting on the individual elements that constitute the system itself. This problem is particularly important in the “SMART” environments, where the huge number of devices, their significant computational capabilities as well as their tight interconnection produce a complex architecture for which it is difficult to predict (and control) a desired behavior; furthermore, if the scenario is allowed to dynamically evolve through the modification of both topology and subsystems composition, then the control problem becomes a real challenge. In this perspective, the purpose of this paper is to cope with a specific class of control problems in complex systems, the “composability of security functionalities”, recently introduced by the European Funded research through the pSHIELD and nSHIELD projects (ARTEMIS-JU programme). In a nutshell, the objective of this research is to define a control framework that, given a target security level for a specific application scenario, is able to i) discover the system elements, ii) quantify the security level of each element as well as its contribution to the security of the overall system, and iii) compute the control action to be applied on such elements to reach the security target. The main innovations proposed by the authors are: i) the definition of a comprehensive methodology to quantify the security of a generic system independently from the technology and the environment and ii) the integration of the derived metrics into a closed-loop scheme that allows real-time control of the system. The solution described in this work moves from the proof-of-concepts performed in the early phase of the pSHIELD research and enrich es it through an innovative metric with a sound foundation, able to potentially cope with any kind of pplication scenarios (railways, automotive, manufacturing, ...)

The Impact of Stealthy Attacks on Smart Grid Performance: Tradeoffs and Implications

The smart grid is envisioned to significantly enhance the efficiency of energy consumption, by utilizing two-way communication channels between consumers and operators. For example, operators can opportunistically leverage the delay tolerance of energy demands in order to balance the energy load over time, and hence, reduce the total operational cost. This opportunity, however, comes with security threats, as the grid becomes more vulnerable to cyber-attacks. In this paper, we study the impact of such malicious cyber-attacks on the energy efficiency of the grid in a simplified setup. More precisely, we consider a simple model where the energy demands of the smart grid consumers are intercepted and altered by an active attacker before they arrive at the operator, who is equipped with limited intrusion detection capabilities. We formulate the resulting optimization problems faced by the operator and the attacker and propose several scheduling and attack strategies for both parties. Interestingly, our results show that, as opposed to facilitating cost reduction in the smart grid, increasing the delay tolerance of the energy demands potentially allows the attacker to force increased costs on the system. This highlights the need for carefully constructed and robust intrusion detection mechanisms at the operator.Comment: Technical report - this work was accepted to IEEE Transactions on Control of Network Systems, 2016. arXiv admin note: substantial text overlap with arXiv:1209.176