Advanced Sciences and Technologies for Security Applications

Dimitris Gritzalis, Marianthi Theocharidou, George Stergiopoulos, Editors

Critical Infrastructure Security and Resilience: Theories, Methods, Tools and Technologies

Series editor: Anthony J. Masys, Associate Professor, Director of Global Disaster Management, Humanitarian Assistance and Homeland Security, University of South Florida, Tampa, USA

Advisory Board:
Gisela Bichler, California State University, San Bernardino, CA, USA
Thirimachos Bourlai, WVU-Statler College of Engineering and Mineral Resources, Morgantown, WV, USA
Chris Johnson, University of Glasgow, UK
Panagiotis Karampelas, Hellenic Air Force Academy, Attica, Greece
Christian Leuprecht, Royal Military College of Canada, Kingston, ON, Canada
Edward C. Morse, University of California, Berkeley, CA, USA
David Skillicorn, Queen's University, Kingston, ON, Canada
Yoshiki Yamagata, National Institute for Environmental Studies, Tsukuba, Japan

The series Advanced Sciences and Technologies for Security Applications comprises interdisciplinary research covering the theory, foundations and domain-specific topics pertaining to security. Publications within the series are peer-reviewed monographs and edited works in the areas of:
– biological and chemical threat recognition and detection (e.g., biosensors, aerosols, forensics)
– crisis and disaster management
– terrorism
– cyber security and secure information systems (e.g., encryption, optical and photonic systems)
– traditional and non-traditional security
– energy, food and resource security
– economic security and securitization (including associated infrastructures)
– transnational crime
– human security and health security
– social, political and psychological aspects of security
– recognition and identification (e.g., optical imaging, biometrics, authentication and verification)
– smart surveillance systems
– applications of theoretical frameworks and methodologies (e.g., grounded theory, complexity, network sciences, modelling and simulation)

Together, the high-quality contributions to this series provide a cross-disciplinary overview of forefront research endeavours aiming to make the world a safer place. The editors encourage prospective authors to correspond with them in advance of submitting a manuscript. Submission of manuscripts should be made to the Editor-in-Chief or one of the Editors.
More information about this series at http://www.springer.com/series/5540

Dimitris Gritzalis · Marianthi Theocharidou · George Stergiopoulos, Editors

Critical Infrastructure Security and Resilience: Theories, Methods, Tools and Technologies

Editors
Dimitris Gritzalis, Department of Informatics, Athens University of Economics and Business, Athens, Greece
Marianthi Theocharidou, Directorate E. Space, Security and Migration, European Commission – Joint Research Centre, Ispra, Italy
George Stergiopoulos, Department of Informatics, Athens University of Economics and Business, Athens, Greece

ISSN 1613-5113, ISSN 2363-9466 (electronic)
Advanced Sciences and Technologies for Security Applications
ISBN 978-3-030-00023-3, ISBN 978-3-030-00024-0 (eBook)
https://doi.org/10.1007/978-3-030-00024-0
Library of Congress Control Number: 2018961423

© Springer Nature Switzerland AG 2019

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.

The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

The publisher, the authors, and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
This Springer imprint is published by the registered company Springer Nature Switzerland AG. The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland

Contents

Part I Governance & Risk Management
Resilience Approach to Critical Information Infrastructures ... 3
Eric Luiijf and Marieke Klaver
Methodologies and Strategies for Critical Infrastructure Protection ... 17
Nikolaos Petrakos and Panayiotis Kotzanikolaou
Risk Analysis for Critical Infrastructure Protection ... 35
Richard White
Risk-Based Analysis of the Vulnerability of Urban Infrastructure to the Consequences of Climate Change ... 55
Erich Rome, Manfred Bogen, Daniel Lückerath, Oliver Ullrich, Rainer Worst, Eva Streberová, Margaux Dumonteil, Maddalen Mendizabal, Beñat Abajo, Efrén Feliu, Peter Bosch, Angela Connelly, and Jeremy Carter

Part II Dependencies & Network Analysis
Identification of Vulnerabilities in Networked Systems ... 79
Luca Faramondi and Roberto Setola
Game-Theoretic Decision Making for the Resilience of Interdependent Infrastructures Exposed to Disruptions ... 97
Yiping Fang and Enrico Zio
Smallest Pseudo Target Set Identification and Related Problems Using the Implicative Interdependency Model ... 115
Arun Das, Chenyang Zhou, Joydeep Banerjee, Anisha Mazumder, and Arunabha Sen
Leveraging Network Theory and Stress Tests to Assess Interdependencies in Critical Infrastructures ... 135
Luca Galbusera and Georgios Giannopoulos

Part III Industrial & Automation Control Systems
Micro-Grid Control Security Analysis: Analysis of Current and Emerging Vulnerabilities ... 159
Peter Beaumont and Stephen Wolthusen
Engineering Edge Security in Industrial Control Systems ... 185
Piroska Haller, Béla Genge, and Adrian-Vasile Duka
Secure Interconnection of IT-OT Networks in Industry 4.0 ... 201
Cristina Alcaraz

Part IV Cybersecurity
Analysis and Triage of Advanced Hacking Groups Targeting Western Countries Critical National Infrastructure: APT28, RED October, and Regin ... 221
Henry Mwiki, Tooska Dargahi, Ali Dehghantanha, and Kim-Kwang Raymond Choo
Aviation Cybersecurity and Cyber-Resilience: Assessing Risk in Air Traffic Management ... 245
Georgia Lykou, George Iakovakis, and Dimitris Gritzalis
Open Source Intelligence for Energy Sector Cyberattacks ... 261
Anastasis Keliris, Charalambos Konstantinou, Marios Sazos, and Michail Maniatakos
A Taxonomy of Side Channel Attacks on Critical Infrastructures and Relevant Systems ... 283
Nick Tsalis, Efstratios Vasilellis, Despina Mentzelioti, and Theodore Apostolopoulos

Part I Governance & Risk Management

Resilience Approach to Critical Information Infrastructures
Eric Luiijf and Marieke Klaver

Abstract This chapter discusses new societal risk due to the fast information and communication as well as operational technology changes which are not yet fully taken into account by governmental policy makers and regulators. Internet-of-things, cloud computing, mass consumer markets and embedded operational technologies are some of the areas outlined in this chapter which may be the cause for serious disruptions of critical infrastructures, critical information infrastructures, essential services, and the undisturbed functioning of the society. Current national protection approaches mainly focus on the classical telecommunication sector and the stove-piped critical sectors such as energy, health, transport, etcetera. This chapter argues that a change of mind and actions are needed to properly govern the new cyber risk before serious incidents occur and that such a new approach is urgently needed to make the societies at large more resilient.
Keywords Policy and management · Policy analysis · Critical information infrastructure · Critical infrastructure protection · Operational technology · Internet of Things · Essential services

E. Luiijf (corresponding author)
Luiijf Consultancy, Zoetermeer, The Netherlands
e-mail: [email protected]
M. Klaver
Netherlands Organisation for Applied Scientific Research TNO, The Netherlands
e-mail: [email protected]

© Springer Nature Switzerland AG 2019
D. Gritzalis et al. (eds.), Critical Infrastructure Security and Resilience, Advanced Sciences and Technologies for Security Applications, https://doi.org/10.1007/978-3-030-00024-0_1

4 E. Luiijf and M. Klaver

1 Introduction

The fast-changing world of information and communication technologies (ICT) and the increasing use of Operational Technology (OT)¹ introduces new cyber security-related risk to critical infrastructures (CI), critical information infrastructures (CII), essential services, and societies at large. In an attempt to mitigate and manage this cyber risk, nations have created or are creating CI protection (CIP) and cyber security-related laws and regulations. Most nations solely focus on the well-known classical telecommunication sector and the ICT in their stove-piped vertical critical sectors such as energy, health, transport, etcetera. Only recently, some additional cyber-related essential services such as cloud, certificate and root/Domain Name Services (DNS) services are, for instance, recognized as part of the United States CI [6] and by the European Union in the so-called network and information security (NIS) directive [8]. By May 2018, the latter directive had to be transposed by the EU Member States into national legislation. At the end of November 2018, the EU Member States should have designated the operators of essential services (OES) and digital service providers (DSP). In this chapter, we will argue that national governments and regulators overlooked major areas of ICT and OT services critical to nations.
Either unexpected massive-scale disruptions of those services or cyberattacks stemming from such ICT and OT may cause serious effects to CI, CII and societies at large.

Therefore, we will analyze the full spectrum of the cyber risk elements that stem from the omnipresent use of ICT and OT in all aspects of our modern societies. We will show the pitfalls of the current approach to dealing with this risk. Key elements of the cyber risk to society are currently largely overlooked by governmental policy makers and regulators. On the one hand, such ICT and OT elements are hidden in plain sight, being key services to current CI and CII services as well as widely used ICT services. On the other hand, new ICT developments either may pose a new threat to CI, CII, and society, or soon will need to be recognized as CII by nations.

Last but not least, nations push CI operators to put a lot of effort (and cost) into securing and protecting certain critical (tele)communication services that already may be considered overrated as critical to society and/or for which the criticality for society is diminishing rapidly due to modal shifts to internet-based services.

Following this introduction, we provide some key definitions for this chapter. To lay some groundwork, we summarize an analysis of an extensive set of CI and NIS policies by nations with respect to what nations consider as their critical and essential information technology-based services.

¹ Operational technology (OT) according to [3] is the technology commonly found in cyber-physical systems that is used to manage physical processes and actuation through the direct sensing, monitoring and/or control of physical devices. OT generally monitors and controls physical processes with sensors and actuators such as motors, valves, and pumps.