Abstract

In the last decade, a large body of research has been dedicated to the analysis, assessment and protection of critical infrastructures against potential threats that might affect the dependability, the security or the resilience of the services supported by such infrastructures. The concept of resilience is receiving increased attention. It is defined as the persistence of service delivery that can justifiably be trusted when facing changes. Historically, most of the efforts were dedicated to the protection of critical infrastructures against accidental faults and natural disasters. The situation changed significantly after the tragic events of September 11, 2001, which led to increased international concern about the security and robustness of critical infrastructures in the face of evolving malicious threats. The vulnerability of critical infrastructures has increased as a result of the wider use of open networks and information infrastructures, and of the proliferation of vulnerable operating systems and SCADA control devices. Recent events targeting critical infrastructures show that the threat is real. One example is the sophisticated Stuxnet malware, discovered in July 2010, which targeted specific industrial computer control equipment and software, used for instance in nuclear power plants in Iran. The interdependencies within and between critical infrastructures are also widely recognized as an important source of vulnerability, as they give rise to multiple error propagation channels that make the infrastructures more exposed to accidental as well as malicious threats. Consequently, the impact and severity of infrastructure component failures can be exacerbated: they are generally much higher and more difficult to foresee than those of failures confined to a single infrastructure. Such interdependencies may lead to the occurrence of cascading, escalating and common mode failures.
As an example, most major power grid blackouts that have occurred in the past were initiated by a single event, or by multiple related events (such as a power grid equipment failure that is not properly handled by the SCADA system), which gradually led to cascading failures and the eventual collapse of the entire system. In this context, resilience assessment frameworks based on stochastic modelling and experimental techniques are needed to analyze interdependency-related failures and to assess their impact, taking into account both accidental and malicious threats in an integrated way. These techniques should be scalable to cope with the increasing complexity of the infrastructures. This objective has been addressed in particular in the context of the CRUTIAL project (http://crutial.rse web.it/), considering the example of power grid critical infrastructures and the associated information infrastructures dedicated to their management and control. In CRUTIAL, the interdependencies between infrastructures have been investigated by means of models at different abstraction levels: i) a very abstract view expressing the essence of the typical phenomena due to the presence of interdependencies; ii) an intermediate level of detail representing, in a rather abstract way, the structure of the infrastructures in some scenarios of interest; iii) a quite detailed level where the infrastructure components and their interactions are investigated at a finer grain, considering elementary events occurring at the component level and analyzing their impact at the system level. Accordingly, the proposed resilience assessment framework is based on a hierarchical modelling approach that accommodates the composition of different types of models and formalisms, including generalized stochastic Petri nets, fault trees, Stochastic Well-formed Nets, and Stochastic Activity Networks.
Additionally, a new formalism called Dependent Automata has been developed to provide a rigorous definition of interdependency-related failures. Unified models for describing cascading and escalating failures, considering accidental and malicious threats in an integrated way, have also been defined. Besides these models, the CRUTIAL project's resilience assessment activities included architecture validation activities as well as testbed-based experiments to analyse the impact of different attack scenarios on control applications.
