Abstract
Critical infrastructures together with their utility networks play a crucial role in societal and individual day-to-day life. Thus, the estimation of potential threats and security issues as well as a proper assessment of the respective risks is a core duty of utility providers. Despite the fact that utility providers operate several networks (e.g., communication, control, and utility networks), most of today’s risk management tools only focus on one of these networks. In this chapter, we will give an overview of a novel risk management process specifically designed for estimating threats and assessing risks in highly interconnected networks. Based on the internationally accepted standard for risk management, ISO 31000, our risk management process integrates various methodologies and tools supporting the different steps of the process from risk identification up to risk treatment. At the heart of this process, a novel game-theoretic approach for risk minimization and risk treatment is applied. This approach is specifically designed to take the information coming from the various tools into account and model the complex interplay between the heterogeneous networks, systems, and operators within a utility provider. It operates on qualitative and semiquantitative information as well as empirical data and uses distribution-valued payoffs to account for the unpredictable effects occurring in this highly uncertain environment.
Acknowledgements
This work was supported by the European Commission’s Project No. 608090, HyRiM (Hybrid Risk Management for Utility Networks) under the 7th Framework Programme (FP7-SEC-2013-1).
Copyright information
© 2018 Springer International Publishing AG, part of Springer Nature
About this chapter
Cite this chapter
Schauer, S. (2018). A Risk Management Approach for Highly Interconnected Networks. In: Rass, S., Schauer, S. (eds) Game Theory for Security and Risk Management. Static & Dynamic Game Theory: Foundations & Applications. Birkhäuser, Cham. https://doi.org/10.1007/978-3-319-75268-6_12
DOI: https://doi.org/10.1007/978-3-319-75268-6_12
Publisher Name: Birkhäuser, Cham
Print ISBN: 978-3-319-75267-9
Online ISBN: 978-3-319-75268-6
eBook Packages: Mathematics and Statistics, Mathematics and Statistics (R0)