IFIP Advances in Information and Communication Technology 311

Editor-in-Chief
  A. Joe Turner, Seneca, SC, USA

Editorial Board

Foundations of Computer Science
  Mike Hinchey, Lero, Limerick, Ireland
Software: Theory and Practice
  Bertrand Meyer, ETH Zurich, Switzerland
Education
  Bernard Cornu, CNED-EIFAD, Poitiers, France
Information Technology Applications
  Ronald Waxman, EDA Standards Consulting, Beachwood, OH, USA
Communication Systems
  Guy Leduc, Université de Liège, Belgium
System Modeling and Optimization
  Jacques Henry, Université de Bordeaux, France
Information Systems
  Barbara Pernici, Politecnico di Milano, Italy
Relationship between Computers and Society
  Chrisanthi Avgerou, London School of Economics, UK
Computer Systems Technology
  Paolo Prinetto, Politecnico di Torino, Italy
Security and Privacy Protection in Information Processing Systems
  Kai Rannenberg, Goethe University Frankfurt, Germany
Artificial Intelligence
  Max A. Bramer, University of Portsmouth, UK
Human-Computer Interaction
  Annelise Mark Pejtersen, Center of Cognitive Systems Engineering, Denmark
Entertainment Computing
  Ryohei Nakatsu, National University of Singapore

IFIP – The International Federation for Information Processing

IFIP was founded in 1960 under the auspices of UNESCO, following the First World Computer Congress held in Paris the previous year. An umbrella organization for societies working in information processing, IFIP’s aim is two-fold: to support information processing within its member countries and to encourage technology transfer to developing nations. As its mission statement clearly states,

  IFIP’s mission is to be the leading, truly international, apolitical organization which encourages and assists in the development, exploitation and application of information technology for the benefit of all people.

IFIP is a non-profit making organization, run almost solely by 2500 volunteers. It operates through a number of technical committees, which organize events and publications. IFIP’s events range from an international congress to local seminars, but the most important are:

• The IFIP World Computer Congress, held every second year;
• Open conferences;
• Working conferences.

The flagship event is the IFIP World Computer Congress, at which both invited and contributed papers are presented. Contributed papers are rigorously refereed and the rejection rate is high.

As with the Congress, participation in the open conferences is open to all and papers may be invited or submitted. Again, submitted papers are stringently refereed.

The working conferences are structured differently. They are usually run by a working group and attendance is small and by invitation only. Their purpose is to create an atmosphere conducive to innovation and development. Refereeing is less rigorous and papers are subjected to extensive group discussion.

Publications arising from IFIP events vary. The papers presented at the IFIP World Computer Congress and at open conferences are published as conference proceedings, while the results of the working conferences are often published as collections of selected and edited papers.

Any national society whose primary activity is in information may apply to become a full member of IFIP, although full membership is restricted to one society per country. Full members are entitled to vote at the annual General Assembly. National societies preferring a less committed involvement may apply for associate or corresponding membership. Associate members enjoy the same benefits as full members, but without voting rights. Corresponding members are not represented in IFIP bodies. Affiliated membership is open to non-national societies, and individual and honorary membership schemes are also offered.

Charles Palmer
Sujeet Shenoi (Eds.)

Critical Infrastructure Protection III

Third Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection
Hanover, New Hampshire, USA, March 23-25, 2009
Revised Selected Papers

Volume Editors

Charles Palmer
Dartmouth College, I3P
Hanover, NH 03755, USA
E-mail: [email protected]

Sujeet Shenoi
University of Tulsa
Tulsa, OK 74104, USA
E-mail: [email protected]

Library of Congress Control Number: 2009935462
CR Subject Classification (1998): B.8, C.4, B.1.3, B.2.3, B.7.3, C.2, I.6
ISSN 1868-4238
ISBN-10 3-642-04797-1 Springer Berlin Heidelberg New York
ISBN-13 978-3-642-04797-8 Springer Berlin Heidelberg New York

This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable to prosecution under the German Copyright Law.

springer.com
© IFIP International Federation for Information Processing 2009
Printed in Germany
Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India
Printed on acid-free paper
SPIN: 12768615 06/3180 543210

Contents

Contributing Authors
Preface

PART I RISK MANAGEMENT

1 Information Risk Management and Resilience
  Scott Dynes

2 Does the Liberalization of the European Railway Sector Increase Systemic Risk?
  Marc Laperrouza

3 Risk-Based Criticality Analysis
  Marianthi Theoharidou, Panayiotis Kotzanikolaou and Dimitris Gritzalis

4 Modeling and Managing Risk in Billing Infrastructures
  Fabrizio Baiardi, Claudio Telmon and Daniele Sgandurra

PART II CONTROL SYSTEMS SECURITY

5 A Taxonomy of Attacks on the DNP3 Protocol
  Samuel East, Jonathan Butts, Mauricio Papa and Sujeet Shenoi

6 Design and Implementation of a Secure Modbus Protocol
  Igor Nai Fovino, Andrea Carcano, Marcelo Masera and Alberto Trombetta

7 Providing Situational Awareness for Pipeline Control Operations
  Jonathan Butts, Hugo Kleinhans, Rodrigo Chandia, Mauricio Papa and Sujeet Shenoi

8 Enhancing the Safety, Security and Resilience of ICT and SCADA Systems Using Action Research
  Stig Johnsen, Torbjorn Skramstad and Janne Hagen

9 An Ontology for Identifying Cyber Intrusion Induced Faults in Process Control Systems
  Jeffrey Hieb, James Graham and Jian Guan

10 Using Physical Models for Anomaly Detection in Control Systems
  Nils Svendsen and Stephen Wolthusen

11 Detecting Anomalies in Process Control Networks
  Julian Rrushi and Kyoung-Don Kang

PART III INFRASTRUCTURE SECURITY

12 Nondeducibility-Based Analysis of Cyber-Physical Systems
  Thoshitha Gamage and Bruce McMillin

13 Stack-Based Buffer Overflows in Harvard Class Embedded Systems
  Kristopher Watts and Paul Oman

14 Secure Cross-Domain Train Scheduling
  Mark Hartong, Rajni Goel and Duminda Wijesekera

PART IV INFRASTRUCTURE MODELING AND SIMULATION

15 A Holistic-Reductionistic Approach for Modeling Interdependencies
  Stefano De Porcellinis, Gabriele Oliva, Stefano Panzieri and Roberto Setola

16 Ontology-Based Critical Infrastructure Modeling and Simulation
  Vincenzo Masucci, Francesco Adinolfi, Paolo Servillo, Giovanni Dipoppa and Alberto Tofani

17 A Framework for Modeling Interdependencies in Japan’s Critical Infrastructures
  Zaw Zaw Aung and Kenji Watanabe

Contributing Authors

Francesco
Adinolfi is a Senior Researcher at the Research Center for Information and Communications Technologies (CRIAI), Portici, Italy. His research interests include knowledge management systems, ontologies and knowledge models, grid computing and open-source platforms.

Zaw Zaw Aung is a Ph.D. student of Information Science and Control Engineering at Nagaoka University of Technology, Nagaoka, Japan. His research interests include operational risk management, interdependency analysis and critical infrastructure modeling.

Fabrizio Baiardi is a Professor of Informatics at the University of Pisa, Pisa, Italy. His research interests include critical infrastructure protection, risk management of information and communications systems, and virtualization-based approaches.

Jonathan Butts is a Ph.D. student in Computer Science at the University of Tulsa, Tulsa, Oklahoma. His research interests include network, telecommunications and SCADA systems security.

Andrea Carcano is a Researcher at the University of Insubria, Varese, Italy. His research interests include industrial SCADA protocols and architectures.

Rodrigo Chandia is a Ph.D. student in Computer Science at the University of Tulsa, Tulsa, Oklahoma. His research interests include SCADA security, computer security and open-source software development methodologies.

Stefano De Porcellinis is a Researcher at University Campus Bio-Medico of Rome, Rome, Italy. His research interests include critical infrastructure modeling, simulation environments for complex systems, and fuzzy and nonlinear control techniques.

Giovanni Dipoppa is a Senior Researcher in the Department of Modeling and Simulation at ENEA Casaccia Laboratories, Rome, Italy. His research interests include real-time embedded systems, machine learning and operations research.

Scott Dynes is a Senior Research Fellow at the Center for Digital Strategies, Tuck School of Business, Dartmouth College, Hanover, New Hampshire.
His research interests include information risk management and the resilience of critical infrastructures to cyber disruptions.

Samuel East received his M.S. degree in Computer Science from the University of Tulsa, Tulsa, Oklahoma. His research interests include network security and SCADA systems security.

Thoshitha Gamage is a Ph.D. student in Computer Science at the Missouri University of Science and Technology, Rolla, Missouri. His research interests include information assurance, infrastructure protection and formal methods.

Rajni Goel is an Associate Professor of Information Systems and Decision Sciences at Howard University, Washington, DC. Her research interests include information assurance, forensics, control systems security and data mining.

James Graham is the Henry Vogt Professor of Computer Science and Engineering at the University of Louisville, Louisville, Kentucky. His research interests include information security, digital forensics, critical infrastructure protection, high performance computing and intelligent systems.

Dimitris Gritzalis is a Professor of ICT Security and the Director of the Information Security and Critical Infrastructure Protection Research Group at Athens University of Economics and Business, Athens, Greece. His research interests include critical ICT infrastructure protection, security in ubiquitous computing, IT security paradigms, VoIP security and IT security education.

Jian Guan is an Associate Professor of Computer Information Systems in the College of Business and Public Administration at the University of Louisville, Louisville, Kentucky. His research interests include ontological modeling, fault diagnosis and sales force automation systems.

Janne Hagen is a Ph.D. candidate in Computer and Information Science from the Norwegian Defence Research Establishment, who is studying at the University of Oslo, Oslo, Norway. Her research interests include information security, critical infrastructure protection and risk assessment.

Mark Hartong is a Senior Electronics Engineer with the Office of Safety, Federal Railroad Administration, U.S. Department of Transportation, Washington, DC. His research interests include information assurance, digital forensics, network security, control systems security, risk analysis and theoretical computer science.

Jeffrey Hieb is an Assistant Professor of Engineering Fundamentals at the University of Louisville, Louisville, Kentucky. His research interests include information security, honeypots, digital forensics, secure operating systems and engineering education.

Stig Johnsen is a Senior Research Scientist at SINTEF, Trondheim, Norway. His research interests include information security, SCADA systems, integrated oil and gas operations, and plant safety.

Kyoung-Don Kang is an Assistant Professor of Computer Science at the State University of New York at Binghamton, Binghamton, New York. His research interests include real-time data services, wireless sensor networks, and wireless network and embedded system security.

Hugo Kleinhans is a Ph.D. student in Computer Science at the University of Tulsa, Tulsa, Oklahoma. His research interests include distributed systems, critical infrastructure protection, digital forensics and cyber policy.

Panos Kotzanikolaou is a Lecturer of IT Security and Privacy at the University of Piraeus, Piraeus, Greece; and a Senior Member of the Information Security and Critical Infrastructure Protection Research Group at Athens University of Economics and Business, Athens, Greece. His research interests include critical ICT infrastructure protection, mobile code/agent security, intelligent network security and sensor network security.

Marc Laperrouza is a Postdoctoral Fellow in the College of Management at the Swiss Federal Institute of Technology, Lausanne, Switzerland. His research interests include the reform and regulation of network industries.

Marcelo Masera is a Scientific Officer at the Institute for the Protection and Security of the Citizen, Joint Research Center of the European Commission, Ispra, Italy. His research interests include the security of networked systems and systems of systems, risk governance, and control systems and communication systems security.