
    Attack-Surface Metrics, OSSTMM and Common Criteria Based Approach to “Composable Security” in Complex Systems

    In recent studies on Complex Systems and Systems-of-Systems theory, a great deal of effort has gone into coping with behavioral problems, i.e. the possibility of controlling a desired overall or end-to-end behavior by acting on the individual elements that constitute the system itself. This problem is particularly important in “SMART” environments, where the huge number of devices, their significant computational capabilities and their tight interconnection produce a complex architecture for which it is difficult to predict (and control) a desired behavior; furthermore, if the scenario is allowed to evolve dynamically through modification of both topology and subsystem composition, then the control problem becomes a real challenge. In this perspective, the purpose of this paper is to cope with a specific class of control problems in complex systems, the “composability of security functionalities”, recently introduced by European-funded research through the pSHIELD and nSHIELD projects (ARTEMIS-JU programme). In a nutshell, the objective of this research is to define a control framework that, given a target security level for a specific application scenario, is able to i) discover the system elements, ii) quantify the security level of each element as well as its contribution to the security of the overall system, and iii) compute the control action to be applied to such elements to reach the security target. The main innovations proposed by the authors are: i) the definition of a comprehensive methodology to quantify the security of a generic system independently of the technology and the environment, and ii) the integration of the derived metrics into a closed-loop scheme that allows real-time control of the system. The solution described in this work moves from the proof-of-concepts performed in the early phase of the pSHIELD research and enriches it through an innovative metric with a sound foundation, able to potentially cope with any kind of application scenario (railways, automotive, manufacturing, ...).

    Safety and security in the light of complexity. Uncertainty & qualification of systems analysis

    There exists a field of epistemology or philosophy of complexity that uses contemporary scientific developments to question our relationship with reality, knowledge and the development of science. This field is extremely stimulating and points at ways of thinking about safety science and risk management in general. This paper elaborates on and presents how the epistemology of complexity, focusing in particular on the challenge of articulating disciplines, offers concepts for tackling accident investigation and auditing of complex sociotechnical systems for at least two purposes worth discussing in light of complexity: safety and security. The discussion is based on the presentation of Morin's "complex thought", on case studies presented in previous papers which develop these ideas, and also on past and current research (since 2000) for the French environment ministry as well as consulting work for industry currently carried out by INERIS. This paper therefore specifically addresses the issue of modelling (describing, explaining, interpreting, predicting) complex systems for safety and security purposes.

    Marine fisheries and future ocean conflict

    Conflict over marine fishery resources is a growing security concern. Experts expect that global changes in our climate, food systems and oceans may spark or exacerbate resource conflicts. An initial scan of 803 relevant papers and a subsequent intensive review of 31 fisheries conflict studies, focused on subnational and international conflicts, suggest that four substantial scientific gaps need addressing to improve our understanding of the nature and drivers of fisheries conflict. First, fisheries conflict and levels of conflict intensity are not precisely defined. Second, complex adaptive systems thinking is underutilized but has the potential to produce more realistic causal models of fishery conflict. Third, comparative large-scale data and suitably integrative methodologies are lacking, underscoring the need for a standardized and comparable database of fisheries conflict cases to aid extrapolation beyond single case studies. Fourth, there is room for a more widespread application of higher-order concepts and associated terminology. Importantly, the four gaps highlight the homogenized nature of current methodological and theoretical approaches to understanding fishery conflict, which potentially leaves us with an oversimplified understanding of these conflicts. A more nuanced understanding of the complex and dynamic nature of fishery conflict and its causes is not only scientifically critical, but increasingly relevant for policymakers and practitioners in this turbulent world.

    Towards Applying Cryptographic Security Models to Real-World Systems

    The cryptographic methodology of formal security analysis usually works in three steps: choosing a security model, describing a system and its intended security properties, and creating a formal proof of security. For basic cryptographic primitives and simple protocols this is a well-understood process and is performed regularly. For more complex systems, as they are used in real-world settings, however, it is rarely applied. In practice, this often leads to missing or incomplete descriptions of the security properties and requirements of such systems, which in turn can lead to insecure implementations and consequent security breaches. One of the main reasons for the lack of application of formal models in practice is that they are particularly difficult to use and to adapt to new use cases. With this work, we therefore aim to investigate how cryptographic security models can be used to argue about the security of real-world systems. To this end, we perform case studies of three important types of real-world systems: data outsourcing, computer networks and electronic payment. First, we give a unified framework to express and analyze the security of data outsourcing schemes. Within this framework, we define three privacy objectives: data privacy, query privacy, and result privacy. We show that data privacy and query privacy are independent concepts, while result privacy is a consequence of them. We then extend our framework to allow the modeling of integrity for the specific use case of file systems. To validate our model, we show that existing security notions can be expressed within our framework and we prove the security of CryFS, a cryptographic cloud file system. Second, we introduce a model, based on the Universal Composability (UC) framework, in which computer networks and their security properties can be described. We extend it to incorporate time, which cannot be expressed in the basic UC framework, and give formal tools to facilitate its application. For validation, we use this model to argue about the security of architectures of multiple firewalls in the presence of an active adversary. We show that a parallel composition of firewalls exhibits strictly better security properties than other variants. Finally, we introduce a formal model for the security of electronic payment protocols within the UC framework. Using this model, we prove a set of necessary requirements for secure electronic payment. Based on these findings, we discuss the security of current payment protocols and find that most are insecure. We then give a simple payment protocol inspired by chipTAN and photoTAN and prove its security within our model. We conclude that cryptographic security models can indeed be used to describe the security of real-world systems. They are, however, difficult to apply and always need to be adapted to the specific use case.

    Dealing with abnormalities and deviations to enhance resilience in engineering Assets: A critical review from human factors and decision-making perspectives under complex operational contexts

    With the growing scale of industrial demands, complexities and uncertainties around asset engineering and operations due to advanced technology utilization, digitalization, sustainability, new operating models, etc., the sensitive role of abnormalities and deviations in human safety, systems security, reliability and resilience of engineering assets and industrial systems is becoming even more significant for modern industrial sectors as well as for society in general. In these contexts, the ability of operators to capture and make sense of early signals that emerge from engineering assets and systems needs more attention, since it enables them to enhance situation awareness (SA) during complex operations. This calls for proactive solutions that can integrate core data with operator knowledge using suitable logical approaches, particularly in a period where there is growing recognition that asset data can provide strong support for engineering and operational decisions in demanding contexts. Based on an ongoing research project, this paper sheds light on abnormalities and deviations, two specific attributes that should be better understood. The purpose is to explore how to capitalize on them at very early sense-making stages to enhance situation awareness and thus the resilience of dynamic and complex engineering assets and systems. Through a critical review of the current state of knowledge, together with industrial observations, this paper studies these core concepts in detail with due attention to the critical need for so-called prior contextual knowledge and hybrid contextual decision solutions. This R&D work explores proactive possibilities to mitigate the inherent potential for unwanted events and incidents, in order to enhance resilience in the era of digital twins and cyber-physical systems, where complex technologies and operational demands generate new conditions for asset performance.

    Aggregating Evidence in Climate Science: Consilience, Robustness and the Wisdom of Multiple Models

    The goal of this dissertation is to contribute to the epistemology of science by addressing a set of related questions arising from current discussions in the philosophy and science of climate change: (1) Given the imperfection of computer models, how do they provide information about large and complex target systems? (2) What is the relationship between consilient reasoning and robust evidential support in the production of scientific knowledge? (3) Does taking the mean of a set of model outputs provide epistemic advantages over using the output of a single ‘best model’? Synthesizing research in philosophy and science, the thesis analyzes connections among consilient inductions, robustness analysis, and the aggregation of various sources of evidence, including computer simulations, by investigating case studies of climate change that exemplify the strength of consilient reasoning and the security of robust evidential support. It also explains the rationale and epistemic conditions for improving estimates by averaging multiple estimates, comparing a simple case of averaging estimates to practices in multi-model ensemble studies. I argue: (A) the concepts of consilience and robustness account for the strength and security of inferences that rely on imperfect computer modelling methods, (B) consilient reasoning is conducive to attaining robust evidential support, and (C) an analogy can explain why averaging the outputs of multiple models can improve estimates of a target system, given that conditions of model independence, skill and unequal weighting are taken into account.

    Stakeholder involvement, motivation, responsibility, communication: How to design usable security in e-Science

    e-Science projects face a difficult challenge in providing access to valuable computational resources, data and software to large communities of distributed users. On the one hand, the raison d'être of the projects is to encourage members of their research communities to use the resources provided. On the other hand, the threats to these resources from online attacks require robust and effective security to mitigate the risks faced. This raises two issues: ensuring that (1) the security mechanisms put in place are usable by the different users of the system, and (2) the security of the overall system satisfies the security needs of all its different stakeholders. A failure to address either of these issues can seriously jeopardise the success of e-Science projects. The aim of this paper is firstly to provide a detailed understanding of how these challenges can present themselves in practice in the development of e-Science applications. Secondly, this paper examines the steps that projects can undertake to ensure that security requirements are correctly identified, and that security measures are usable by the intended research community. The research presented in this paper is based on four case studies of e-Science projects. Security design traditionally uses expert analysis of risks to the technology and deploys appropriate countermeasures to deal with them. However, these case studies highlight the importance of involving all stakeholders in the process of identifying security needs and designing secure and usable systems. For each case study, transcripts of the security analysis and design sessions were analysed to gain insight into the issues and factors that surround the design of usable security. The analysis concludes with a model explaining the relationships between the most important factors identified. This includes a detailed examination of the roles of responsibility, motivation and communication of stakeholders in the ongoing process of designing usable secure socio-technical systems such as e-Science. (C) 2007 Elsevier Ltd. All rights reserved.

    Power network and smart grids analysis from a graph theoretic perspective

    The growing size and complexity of power systems has given rise to the use of complex network theory in their modelling, analysis and synthesis. Though most previous studies in this area have focused on distributed control through well-established protocols such as synchronization and consensus, a few fundamental concepts from graph theory have recently also been applied, for example in symmetry-based cluster synchronization. Among the existing notions of graph theory, graph symmetry is the focus of this thesis, although other concepts from complex network theory, such as graph clustering, are also developed in the study. In spite of the widespread application of symmetry concepts in many real-world complex networks, one can rarely find an article exploiting symmetry in power systems. In addition, no study has analysed controllability and robustness for a power network using graph symmetry. It has been verified that graph symmetry promotes robustness but impedes controllability. A largely absent line of work, even in fields outside power systems, is the simultaneous investigation of the effect of symmetry on controllability and robustness. The thesis can be divided into two sections. The first section, comprising Chapters 2-3, establishes the major theoretical development around the application of graph symmetry to power networks. A few important topics in power systems and smart grids, such as controllability and robustness, are addressed using the symmetry concept. These topics are directed toward solving specific problems in complex power networks. The controllability analysis leads to new algorithms that elaborate on current controllability benchmarks such as maximum matching and the minimum dominating set. The resulting algorithms optimize the number of required driver nodes, realized as FACTS devices in power networks. The second topic, robustness, is tackled by symmetry analysis of the network to investigate three aspects of network robustness: robustness of controllability, disturbance decoupling, and fault tolerance against failure of a network element. In the second section, comprising Chapters 4-8, in addition to further theoretical development, a few novel applications of the theory developed in the first section are proposed. In Chapter 4, an application for the proposed approaches is introduced and developed. The placement of flexible AC transmission systems (FACTS) is investigated, where the cybersecurity of the associated data exchange in wide-area power networks is also considered. A new notion of security, moderated-k-symmetry, is introduced to leverage the symmetry characteristics of the network to obscure the network data from the adversary's perspective. In Chapters 5-8, the use of graph theory, and in particular graph symmetry and centrality, is adapted to the complex network of charging stations. In Chapter 5, the placement and sizing of charging stations (CSs) for the network of electric vehicles are addressed by proposing a novel complex network model of the charging stations. The problems of placement and sizing are then reformulated in a control framework, and the impact of symmetry on the number and locations of charging stations is also investigated. These results are developed in Chapters 6-7 into robust placement and sizing of charging stations for the Tesla network of Sydney, where the problem of extending capacity given a set of pre-existing CSs is addressed. The role of centrality in the placement of CSs is investigated in Chapter 8. Finally, concluding remarks and future work are presented in Chapter 9.
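    The maximum-matching controllability benchmark named in the abstract, worked through on two small constructed graphs as an added example (this is not code from the thesis, and the toy networks and the single-edge-removal measure of "robustness of controllability" are assumptions made for illustration):

```python
"""Driver-node count of a directed network from a maximum matching.

Added example, not the thesis's own code. It implements the
structural-controllability benchmark the abstract refers to (Liu, Slotine
and Barabasi, Nature 2011): split every node v into an out-copy v+ and an
in-copy v-, turn each directed edge u -> v into the bipartite edge
(u+, v-), and compute a maximum matching M*. Nodes whose in-copy is left
unmatched must be driven directly, so N_D = max(N - |M*|, 1). The matching
uses Kuhn's augmenting-path algorithm; only the standard library is needed.
"""
from collections import defaultdict

# Constructed toy networks (node ids 0..N-1). STAR is symmetric: its three
# leaves are interchangeable. PATH is a chain with no non-trivial symmetry.
STAR_EDGES = [(0, 1), (0, 2), (0, 3)]
PATH_EDGES = [(0, 1), (1, 2), (2, 3)]


def maximum_matching(n, edges):
    """Return {v: u}: in-copy v- matched to out-copy u+ for each matched v."""
    succ = defaultdict(list)
    for u, v in edges:
        succ[u].append(v)
    match_in = {}

    def augment(u, seen):
        # Depth-first search for an augmenting path starting at u+.
        for v in succ[u]:
            if v in seen:
                continue
            seen.add(v)
            if v not in match_in or augment(match_in[v], seen):
                match_in[v] = u
                return True
        return False

    for u in range(n):
        augment(u, set())
    return match_in


def driver_nodes(n, edges):
    """Return (N_D, sorted list of driver nodes) for an n-node digraph."""
    match_in = maximum_matching(n, edges)
    unmatched = [v for v in range(n) if v not in match_in]
    if not unmatched:
        # Perfect matching: one driver on any node suffices; node 0 is an
        # arbitrary choice.
        unmatched = [0]
    return len(unmatched), sorted(unmatched)


def worst_single_edge_loss(n, edges):
    """Largest increase in N_D caused by removing any one edge.

    Used here as a simple proxy for robustness of controllability against
    the failure of a single network element (an assumption about the
    thesis's notion, for illustration only).
    """
    base, _ = driver_nodes(n, edges)
    worst = 0
    for i in range(len(edges)):
        reduced = edges[:i] + edges[i + 1:]
        nd, _ = driver_nodes(n, reduced)
        worst = max(worst, nd - base)
    return worst


if __name__ == "__main__":
    for name, edges in (("star", STAR_EDGES), ("path", PATH_EDGES)):
        nd, drivers = driver_nodes(4, edges)
        loss = worst_single_edge_loss(4, edges)
        print(f"{name}: N_D={nd} drivers={drivers} "
              f"worst single-edge loss={loss}")
```

    On the constructed inputs the symmetric star needs three driver nodes, because the hub's single output cannot independently drive three interchangeable leaves, while the asymmetric chain needs one; yet losing any single edge leaves the star's driver count unchanged and raises the chain's by one. That is the trade-off the abstract states, symmetry promoting robustness while impeding controllability, visible on a four-node example.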