Quantitative Evaluation of the Efficacy of Defence-in-Depth in Critical Infrastructures

  • Oleksandr Netkachov
  • Peter Popov
  • Kizito Salako
Part of the Advanced Sciences and Technologies for Security Applications book series (ASTSA)


This chapter reports on a model-based approach to assessing cyber-risks in a cyber-physical system (CPS), such as power-transmission systems. We demonstrate that quantitative cyber-risk assessment, despite its inherent difficulties, is feasible. In this regard: (i) we give experimental evidence (using Monte-Carlo simulation) showing that the losses from a specific cyber-attack type can be established accurately using an abstract model of cyber-attacks – a model constructed without taking into account the details of the specific attack used in the study; (ii) we establish the benefits from deploying defence-in-depth (DiD) against failures and cyber-attacks for two types of attackers: (a) an attacker unaware of the nature of DiD, and (b) an attacker who knows in detail the DiD they face in a particular deployment, and launches attacks sufficient to defeat DiD. This study provides some insight into the benefits of combining design-diversity – to harden some of the protection devices in a CPS – with periodic “proactive recovery” of protection devices. The results are discussed in the context of making evidence-based decisions about maximising the benefits from DiD in a particular CPS.


Keywords: Stochastic models; Defence-in-depth; Power transmission system; Adversary model; Cyber-attacks; NORDIC-32; IEC 61850



This work was supported by the UK EPSRC CEDRICS project, part of the UK Research Institute of Trustworthy Industrial Control Systems (RITICS), by the UK GCHQ and by the AQUAS project funded in part by the EU ECSEL – JU Programme (project ID 737475).



Copyright information

© Springer International Publishing AG, part of Springer Nature 2019

Authors and Affiliations

  • Oleksandr Netkachov, University of London, London, UK
  • Peter Popov, University of London, London, UK
  • Kizito Salako, University of London, London, UK
