Stefano De Porcellinis, Gabriele Oliva, Stefano Panzieri and Roberto Setola, “A Holistic-Reductionistic Approach for Modeling Interdependencies”,Critical Infrastructure Protection III, C. Palmer and S. Shenoi (Eds.), vol. 311/2009, pp. 215-227, Springer AICT, Vol. 311, 2009. (issn:1868-4238 (Print) 1868-422X (Online)) (ISBN: 978-3-642-04797-8)

[doi:10.1007/978-3-642-04798-5_15]

Abstract: Modelling and analyzing critical infrastructures and their interdependencies are essential to discovering hidden vulnerabilities and threats. Several current approaches engage a holistic perspective and rely on abstract models; others incorporate a reductionistic perspective and focus on inter-domain and intra-domain interactions among elementary components. This paper proposes a mixed approach in which holism and reductionism coexist. A critical infrastructure is expressed at different, albeit interrelated, levels of abstraction, and intermediate entities that provide specific aggregate resources or services are introduced.

Stefano De Porcellinis, Gabriele Oliva, Stefano Panzieri and Roberto Setola, “Modelling Interdependency among Physical, Cyber and Human Behaviour via a MHR approach,” Proceedings of the Workshop “Modelling interdependency between Technological and Human Systems under Crisis Scenarios” held within the International Workshop “Coping with Crises in Complex Socio-Economic Systems” (COST09), ETH Zurich, June 8-13, 2009.

Abstract: Any critical infrastructure is a complex system, whose behaviour depends, often, on the interaction with other infrastructures and with the environment but, always, with its users, operators and managers. In this paper we illustrated a formulation of the MHR approach, developed by the authors in [5], in order to specifically take into account the human component inside a complex infrastructure scenario. To this end, each infrastructure is decomposed into its physical, cyber and organizational views. Each view is then represented using models with different level of abstraction, in terms of elementary components, services and, also, merged holistic blocks. In this framework, it is possible to model the human factor during a crisis situation, describing the capability of the different teams to perform their intended tasks, taking into account the availability of physical and cyber resources, the support provided by other teams but, also, the influence of managing and coordinating actions provided by the organizative assets of the infrastructure.

Andrea Gasparri, Gabriele Oliva and Stefano Panzieri, “On the distributed synchronization of on-line IIM Interdependency Models,” Proceedings of the 7th IEEE Int. Conf. on Industrial Informatics (INDIN 2009), pp. 795-800, Cardiff (UK), June 24-26, 2009.

[doi:10.1109/INDIN.2009.5195904]

Abstract: In the last few years Critical Infrastructures have become more and more tightly interconnected and their protection is one of the major issues for the national and international security. In order to achieve that, many modeling techniques for the interdependencies existing among them have been proposed. Now, a crucial issue is how to use such models to develop tools able to estimate the status of key elements of CIs, quantify the possible threats and suggest adequate countermeasures to human operators and actors. Due to security, commercial and technological aspects, the only feasible approach is to provide distributed and interconnected state/interdependency estimators. In this paper the general problem of the state estimation of interconnected systems sharing the same model is introduced. A first step in the solution of such a challenging problem is then provided in the case of linear systems. The final objective of this research is to define an effective framework for the problem at hand, and then implement and validate an on-line distributed state/interdependency estimator within the EU IST MICIE project.

Y. Jiang, J. Jiang and P. Capodieci, “A SVM based behaviour monitoring algorithm towards detection of un-desired events in critical infrastructures,” Proceedings of the 2nd International Workshop on Computational Intelligence in Security for Information Systems (CISIS’09), Springer AISC 63, pp. 61-68, Spain, 23-26 September 2009.

[doi:10.1007/978-3-642-04091-7_8]

Abstract: In this paper, we report our recent research activities under MICIE, a European project funded under Framework-7 Programme, in which a SVM-based behaviour modelling and learning algorithm is described. The proposed algorithm further exploits the adapted learning capability in SVM by using statistics analysis and K-S test verification to introduce an automated parameter control mechanism, and hence the SVM learning and detection can be made adaptive to the statistics of the input data. Experiments on telecommunication network data sets support that the proposed algorithm is able to detect undesired events effectively, presenting a good potential for development of computer-aided monitoring software tools for protection of critical infrastructures.

A. Bobbio, E. Ciancamerla, S. Di Blasi, A. Iacomini, F. Mari, I. Melatti, M. Minichino, A. Scarlatti, E. Tronci, R. Terruggia, E. Zendri, “Risk Analysis of SCADA Systems Interconnecting Power Grids and Telco Networks via Heterogeneous Models and Tools,” Proceedings of the 4th International Conference on Risks and Security of Internet and Systems (CRISIS’09), pp. 90-97, Toulouse, France, 19-22 October 2009.

[doi:10.1109/CRISIS.2009.5411974]

Abstract: The automation of Power Grids by means of Supervisory Control and Data Acquisition (SCADA) systems has led to an improvement of Power Grid operations and functionalities but also to pervasive cyber interdependencies between Power Grids and Telecommunication Networks. Many power grid services are increasingly depending upon the adequate functionality of SCADA system which in turn strictly depends on the adequate functionality of its Communication infrastructure. We propose to tackle the SCADA risk analysis by means of different and heterogeneous modeling techniques and software tools. We demonstrate the applicability of our approach through a case study on an actual SCADA system for an electrical power distribution grid. The modeling techniques we discuss aim at providing a probabilistic dependability analysis, followed by a worst case analysis in presence of malicious attacks and a real-time performance evaluation.

P. Capodieci, L. Lev, Y. Shneck, E. Ciancamerla, M. Minichino, S. Diblasi, C. Foglietta, S. Panzieri, S. Deporcellinis, D. Lefevre, M. Castrucci, V. Suraci and P. Simões, “From heterogeneous modeling and analysis to an on line prediction tool to improve QoS of interdependent networks,” Proceedings of Electricity 2009 (The Annual Conference of the Society of Electrical and Electronic Engineers in Israel), Tel-Aviv, Israel, 1 November 2009.

Abstract: The work presented in this paper is in the frame of MICIE EU FP7 project (Tool for systemic risk analysis and secure mediation of data exchanged across linked CI information infrastructures), which has the main aim of designing and implementing a so-called MICIE alerting system to identify, in real time, the level of possible threats induced on a given Critical Infrastructure (CI) by undesired events happened in the same CI and/or in other interdependent CIs. Heterogeneous models, as the ones presented in this paper, are under development to perform short-term predictions of the QoS of the CIs according to the services of the CI, the level of interdependences between the CIs, and the undesired events identified in the reference scenario.

G. Oliva, S. Panzieri and R. Setola, “Agent Based Input-Output Interdependency Model,” International Journal on Critical Infrastructure Protection, Elsevier, Vol. 3, Issue 2, pp. 76-82, 2010.

[doi:10.1016/j.ijcip.2010.05.001]

Abstract: The modeling and analysis of critical infrastructures and their interdependencies are essential to discovering hidden vulnerabilities and the related threats to national and international security. Over the past few years, several approaches have been proposed to address this problem. The so-called holistic approaches are relatively abstract, but are easily validated using real economic data. Other approaches based on agent-based models provide deeper views of the interdependencies existing between subsystems of different infrastructures. However, agent-based models are often difficult to validate because quantitative data of the appropriate granularity may not be available. This paper presents an agent-based input–output inoperability model designed to overcome the limitations of the holistic and agent-based paradigms. In order to provide a detailed and expressive framework, the exchange of resources between infrastructures is explicitly modeled while inoperability becomes an internal parameter. Nevertheless, the model is easily transformed into a fine-grained, input–output inoperability model whose coefficients can be obtained based on real data.

Jocelyn Aubert, Thomas Schaberreiter, Christophe Incoul, Djamel Khadraoui, Benjamin Gâteau, “Risk-Based Methodology for Real-Time Security Monitoring of Interdependent Services in Critical Infrastructures,” Proceedings of The Fifth International Conference on Availability, Reliability and Security (ARES 2010 – The International Dependability Conference), pp. 262-267, Krakow, Poland, February 15-18, 2010.

[http://doi.ieeecomputersociety.org/10.1109/ARES.2010.102]

Abstract: In today's world, where most of the critical infrastructures (CI) are based on distributed systems, security failures have become very common, even within large corporations. The critical infrastructures are tightly interconnected, mutually dependent, and are exposed everyday to new risks. These (inter)dependencies generate potential cascading effects that may spread a malfunction or an attack from one part of the system to another dependent infrastructure. In this paper, we propose a risk-based methodology that aims to monitor interdependent services based on generic risks and assurance levels using the classical security properties: Confidentiality, Integrity and Availability. This allows each CI owner to monitor, react and adopt the best behaviour corresponding to the security status of its different services.

Andrea Gasparri, Francesco Iovino, Gabriele Oliva and Stefano Panzieri, “Online Distributed Interdependency Estimation with Partial Information Sharing,” Proc. of COMPENG 2010 - Complexity in Engineering, pp. 82-84, Rome, 22-24 February 2010.

[http://doi.ieeecomputersociety.org/10.1109/COMPENG.2010.30]

Abstract: Infrastructures are becoming more and more interoperable, while stakeholders are not aware of the overall behavior. In order achieve a global awareness, in this paper the need for cooperation is stressed; however, due to security and commercial issues, only few, very abstract data can be shared. In this paper a distributed interdependency estimation framework is provided, able to grant a minimal disclosure of data among the infrastructures, while letting operators make decisions with a wider perspective. The final objective of this research is to define an effective framework for the problem at hand, and then implement and validate an on-line distributed state/interdependency estimator within the EU IST MICIE project.

P. Capodieci, S. Diblasi, E. Ciancamerla, M. Minichino, C. Foglietta, D. Lefevre, G. Oliva, S. Panzieri, R. Setola, S. De Porcellinis, F. Delli Priscoli, M. Castrucci, V. Suraci, L. Lev, Y. Shneck, D. Khadraoui, J. Aubert, S. Iassinovski, J. Jiang, P. Simoes, F. Caldeira, A. Spronska, C. Harpes, M. Aubigny, “Improving Resilience of Interdependent Critical Infrastructures via an On-Line Alerting System,” Proc. of COMPENG 2010 - Complexity in Engineering, pp. 88-90, Rome, Italy, 22-24 February 2010.

[http://doi.ieeecomputersociety.org/10.1109/COMPENG.2010.28]

Abstract: This paper illustrates the activities under development within the FP7 EU MICIE project. The project is devoted to design and implement an on-line alerting system, able to evaluate, in real time, the level of risk of interdependent Critical Infrastructures (CIs). Such a risk is generated by undesired events and by the high level of interconnection of the different infrastructures. Heterogeneous models are under development to perform short-term predictions of the Quality of Service (QoS) of each CI according to the QoS of the others, to the level of interdependency among the Infrastructures, and according to the undesired events identified in the reference scenario.

E. Ciancamerla, S. Di Blasi, C. Foglietta, D. Lefevre, M. Minichino, L. Lev and Y. Shneck, “QoS of a SCADA system interconnecting a Power grid and a Telco network,” Fourth National Conference of the Italian Association of Energy Management (AIGE), Rome, Italy, 26-27 May 2010.

The main objective of a SCADA system of a Power distribution grid is to assist utility companies in supplying power to customers, according to Quality of Service (QoS) indicators established by a National Electric Authority. SCADA performs real time measurements and commands to improve operations on its Power grid by means of Remote Terminal Units that are connected to a SCADA control Centre throughout a dedicated or even a public Telco network.

In the paper, indicators of QoS of Fault Isolation and System Restoration (FISR) service, delivered by SCADA system are computed, discussed and correlated to quality indicators of power supplied to customers. In delivering FISR service (and many other services), SCADA system, Telco network and Power grid act as a whole heterogeneous network. While SCADA system and Telco network can be well represented by means of discrete event simulators, to represent a Power grid a continuous simulator is typically required. Here, limited to FISR service, SCADA system, Telco network and ARES_2010.pdf power grid have been represented by using a unique discrete event simulator.

E. Ciancamerla, S. Di Blasi, C. Foglietta, D. Lefevre, M. Minichino, L. Lev and Y. Shneck. “QoS of a SCADA system versus QoS of a Power Distribution Grid,” Proc. of the 10th Int. Probabilistic Safety Assessment & Management (PSAM) Conference – PSAM 10, Seattle, USA, 7-11 June 2010.

Abstract: The main objective of a SCADA system of a Power distribution grid is to assist utility companies in supplying power to customers, according to Quality of Service (QoS) indicators established by a National Electric Authority. SCADA performs real time measurements and commands to improve operations on its Power grid by means of Remote Terminal Units that are connected to a SCADA control Centre throughout a dedicated or even a public Telco network. In the paper, indicators of QoS of Fault Isolation and System Restoration (FISR) service, delivered by SCADA system are computed, discussed and correlated to quality indicators of power supplied to customers. In delivering FISR service (and many other services), SCADA system, Telco network and Power grid act as a whole heterogeneous network. While SCADA system and Telco network can be well represented by means of discrete event simulators, to represent a Power grid a continuous simulator is typically required. Here, limited to FISR service, SCADA system, Telco network and power grid have been represented by using a unique discrete event simulator.

F. Caldeira, M. Castrucci, M. Aubigny, D. Macone, E. Monteiro, F. Rente, P. Simões and V. Suraci, “Secure Mediation Gateway Architecture Enabling the Communication Among Critical Infrastructures,” Proc. of the Future Network & Mobile Summit 2010, Florence, Italy, 16-18 June 2010.

Abstract: Representing one of the most technological dependencies of contemporary societies, Critical Infrastructures (CIs) have to ensure the highest security levels to be able of fulfil their duty in any circumstances. This is the main goal of MICIE (Tool for systemic risk analysis and secure mediation of data exchanged across linked CI information infrastructures) FP7 ICT-SEC project: the design and implementation of a real-time CI risk level prediction and alerting system [1]. In order to reach this objective, one of the main key challenge to be addressed is the design and the implementation of a Secure Mediation Gateway (SMGW), namely a new innovative network element able to: (i) discover CI status information, (ii) overcome information heterogeneity and (iii) provide a secure communication of such information among peer CIs. All the information discovered and collected by the SMGW are then provided to a dedicated prediction tool which is in charge of calculating a risk prediction for the CIs. This paper presents the functional architecture of the SMGW designed within the MICIE project, putting in evidence how it is possible to discover information and exchange critical information over a insecure network like Internet.

Olivier Pauplin and Jianmin Jiang, “A Dynamic Bayesian Network Based Structural Learning towards Automated Handwritten Digit Recognition,” Proceedings of the 5th Int. Conf. on Hybrid Artificial Intelligence Systems (HAIS’10), 23-25 June 2010, San Sebastián, Spain. LNAI 6076, pp. 120-127, Springer.

[DOI: 10.1007/978-3-642-13769-3_15]

Abstract: Pattern recognition using Dynamic Bayesian Networks (DBNs) is currently a growing area of study. In this paper, we present DBN models trained for classification of handwritten digit characters. The structure of these models is partly inferred from the training data of each class of digit before performing parameter learning. Classification results are presented for the four described models.

P. Simões, P. Capodieci, M. Minichino, E. Ciancamerla, S. Panzieri, M. Castrucci and L. Lev, “An Alerting System for Interdependent Critical Infrastructures”, Proc. of the 9th European Conference on Information Warfare and Security (ECIW 2010), Thessaloniki, Greece, 1-2 July 2010.

Abstract: In the last few years we have witnessed a strong interest in the protection of Critical Infrastructures (CIs) such as power distribution networks, power plants, refineries, water distribution, transportation systems, hospitals or telecommunication networks. Despite their relevance for public safety and security, these infrastructures are highly exposed to a large number of threats, including natural hazards, component failure, criminal threats and terrorism. Several research projects address this topic. Many of them focus on building CI simulators for preventive analysis of system vulnerabilities, while others try to proactively strengthen partial sections of the CIs (such as fault tolerant components or secure control networks). Nevertheless, despite their positive results, those projects seldom provide mechanisms to assess, in real time, the risk level associated with each of the services provided by the addressed CI. Moreover, they do not take into account the high level of interdependency between heterogeneous CIs (power distribution failures, for instance, have a direct impact on telecommunication networks, which also affect other critical infrastructures and so on) or, when they do, they have to make compromises at the level of scalability, performance of the privacy of sensitive information.

In this paper we present a CI alerting system that takes a step further, when compared to those approaches, by estimating in real time the risk level associated with each service provided by the CI (i.e. the current likelihood of service degradation or service shutdown induced on a given CI by undesired events occurred in that CI and/or other interdependent CIs).

F. Caldeira, E. Monteiro, and P. Simões, “Trust and Reputation Management for Critical Infrastructure Protection”, in Proc. of the 6th Int. Conf. on Global Security, Safety and Sustainability (ICG3S 2010), Lisbon, Portugal, Springer CCIS 92, pp. 39-47, Sept. 2010.

Abstract: Today’s Critical Infrastructures (CI) depend on Information and Communication Technologies (ICT) to deliver their services with the required level of quality and availability. ICT security plays a major role in CI protection and risk prevention for single and also for interconnected CIs were cascading effects might occur because of the interdependencies that exist among different CIs. This paper addresses the problem of ICT security in interconnected CIs. Trust and reputation management using the Policy Based Management paradigm is the proposed solution to be applied at the CI interconnection points for information exchange.

The proposed solution is being applied to the Security Mediation Gateway being developed in the European FP7 MICIE project, to allow for information exchange among interconnected CIs.

J. Aubert, T. Schaberreiter, C. Incoul and D. Khadraoui, “Real-Time Security Monitoring of Interdependent Services in Critical Infrastructures. Case study of a Risk-Based Approach”, ESREL 2010, Rhodes, Greece, September 5-9, 2010. (ISSN proceeding: 978-0-415-60427-7)

Abstract: In this paper, we propose a risk-based methodology that aims to monitor interdependent services based on generic risks and assurance levels using the classical security properties: confidentiality, integrity and availability (C,I,A). This allows to determine the security state of a critical infrastructure service, taking it's dependencies to other services into account. Furthermore, our approach allows to monitor the system state on-line during system operation. Monitoring of the security state of a service helps to determine the quality of the provided service (QoS) and allows each CI provider to react and adopt the best behaviour corresponding to the security status of its different services.

E. Ciancamerla, C. Foglietta, D. Lefevre, M. Minichino, L. Lev and Y. Shneck, “Discrete event simulation of QoS of a SCADA system interconnecting a Power grid and a Telco network”, 1st IFIP International Conference on Critical Information Infrastructure Protection – IFIP World Computer Congress (WCC 2010), Brisbane, Australia, 20-23 September 2010.

Abstract. Indicators of Quality of Service (QoS) of Fault Isolation and System Restoration (FISR) service, delivered by SCADA system are computed, discussed and correlated to quality indicators of power supplied to customers. In delivering FISR service, SCADA system, Telco network and Power grid act as a whole heterogeneous network. While SCADA system and Telco network can be well represented by means of discrete event simulators, to represent a power grid a continuous simulator is typically required. In the paper, to compute QoS of FISR, SCADA system, Telco network and Power grid have been represented by a unique model by means of a discrete event simulator.

Matthieu Aubigny, Marco Castrucci, Carlo Harpes, “Risk ontology and Service Risk Descriptor shared among interdependent CI,” Proc. of the 5th Int. Conf. on Critical Infrastructures Information Security (CRITIS 2010), Athens, Greece, September 2010.

Abstract. This paper presents first the ontology of risk for interdependent and heterogeneous Critical Infrastructures (CIs). It defines a Security Risk Descriptor (SRD) specifying the degradation of QoS over time, which should be shared between interconnected CI. The SRDs are shared in real time and contain risk predictions, so that this sharing can be useful to avoid failures, identify interdependencies, or accelerate and coordinate power failure recoveries and service restoration. Finally, the paper proposes a simplified method to determine the SRD of a delivery service as a function of the SDR of supporting services and parameters depending on the service delivery infrastructure. The approach is based on ISO 15408 and ISO 27005 frameworks, and has been defined within the European FP-7 project MICIE, in line with EU initiative to establish a Critical Infrastructure Warning Information Network (CIWIN).

F. Caldeira, P. Simões and E. Monteiro, “Trust and Reputation for Information Exchange in Critical Infrastructures” Proc. of the 5th Int. Conf. on Critical Infrastructures Information Security (CRITIS 2010), Athens, Greece, September 2010.

Abstract. Today’s Critical Infrastructures (CI) are highly interdependent in order to deliver their services with the required level of quality and availability. Information exchange among interdependent CIs plays a major role in CI protection and risk prevention for interconnected CIs were cascading effects might occur because of their interdependencies. This paper addresses the problem of the quality of information exchanged among interconnected CIs and also the quality of the relationship in terms of trust and security. The use of trust and reputation indicators associated with the information exchange is the proposed solution.

The proposed solution is being applied to information exchange among interconnected CIs in scope of the European FP7 MICIE project, in order to improve information accuracy and to protect each CI from using inconsistent and non trustable information about critical events.

Filipe Caldeira, Edmundo Monteiro and Paulo Simões, “Trust and reputation management for critical infrastructure protection”, Int. J. Electronic Security and Digital Forensics, Inderscience Publishers, pp. 187-203, Vol. 3, No. 3, 2010.

Abstract. Today’s critical infrastructures (CIs) depend on information and communication technologies (ICTs) to deliver their services with the required level of quality and availability. ICT security plays a major role in CI protection and risk prevention for single and also for interconnected CIs were cascading effects might occur because of the interdependencies that exist among different CIs. This work addresses the problem of ICT security in interconnected CIs. Trust and reputation management using the policy-based management paradigm is the proposed solution to be applied at the CI interconnection points for information exchange. The proposed solution is being applied to the Security Mediation Gateway being developed in the scope of the European FP7 MICIE project, to allow information exchange among interconnected CIs.

T. Schaberreiter, C. Bonhomme, J. Aubert, C. Incoul and D. Khadraoui, “Support tool development for real-time risk prediction in interdependent critical infrastructures”, International Workshop on Risk and Trust in Extended Enterprises (RTEE'2010), San Jose, California – USA, November 1-4, 2010. (ISSN proceeding: 0929-0672)

Abstract: In this work we present implementation details of RESCI-MONITOR (Real-time Evaluation of Security - MONITOR), a support tool enabling to simulate and evaluate previous work on CI security modelling. The CI security model enables to monitor CI services and its associated dependencies in real-time by evaluating the current risk in CI services. The multi-agent based support tool is able to receive real-time measurements from the infrastructure, transform them into risk parameters and evaluate them in combination with the current risk independent infrastructure services.

P. Capodieci, M. Minichino, S. Panzieri, M. Castrucci, A. Neri, L. Lev and P. Simões. “MICIE: An Alerting Framework for Interdependent Critical Infrastructures”, Towards a Service-Based Internet (Proc. of the 3rd European Conf. ServiceWave 2010), Springer LNCS 6841, pp. 207-208, Ghent, Belgium, December 2010.

In this demonstration we present the MICIE platform for on-line risk assessment in scenarios with heterogeneous interdependent Critical Infrastructures (CIs) such as power distribution networks, power plants, refineries, water distribution networks, transportation systems and telecommunication networks. These CIs are highly exposed to a large number of threats, including natural hazards, component failures and intentional attacks. Moreover, the increasing interdependence between CIs amplifies the effects of such threats and adds novel challenges to risk assessment tools. In this context, MICIE is the first systematic approach to integrate CI interdependence factors in on-line risk assessment, addressing both the development of on-line risk assessment models and the development of an information sharing platform for continuous exchange of relevant risk information between interdependent CIs.

Serguei Iassinovski. “Risk level estimation in interdependent critical infrastructures using intelligent RAO simulator”, Proceedings of the Congress on Intelligent Systems and Information Technologies (AIS-IT 2010). Moscow: Physmathlit, 2010, pp. 8-14.

Abstract: Risk level estimation is one of important issues in critical infrastructures management. Moreover, new challenges arise in critical infrastructures interdependency. To estimate risks, various models are used. The paper describes an approach based on the interdependent critical infrastructures modeling with RAO-method and Intelligent RAO simulator. Common model of three infrastructures (electrical, communication and SCADA) is presented along with demonstrative simulation run results.

A. Bobbio, G. Bonanni, E. Ciancamerla, R. Clemente, A. Iacomini, M. Minichino, A. Scarlatti, R. Terruggia, E. Zendri, “Unavailability of critical SCADA communication links interconnecting a power grid and a Telco network, Reliability Engineering & System Safety”, Volume 95, Issue 12, 19th European Safety and Reliability Conference, December 2010, Pages 1345-1357, ISSN 0951-8320, DOI: 10.1016/j.ress.2010.06.011.

Abstract: The availability of power supply to power grid customers depends upon the availability of services of supervision, control and data acquisition (SCADA) system, which constitutes the nervous system of a power grid. In turn, SCADA services depend on the availability of the interconnected networks supporting such services. We propose a service oriented stochastic modelling methodology to investigate the availability of large interconnected networks, based on the hierarchical application of different modelling formalisms to different parts of the networks. Interconnected networks are decomposed according to the specific services delivered until the failure and repair mechanisms of the decomposed elementary blocks can be identified. We represent each network by a convenient stochastic modelling formalism, able to capture the main technological issues and to cope with realistic assumptions about failure and recovery mechanisms. This procedure confines the application of the more intensive computational techniques to those subsystems that actually require it. The paper concentrates on an actual failure scenario, occurred in Rome in January 2004 that involved the outage of critical SCADA communication links, interconnecting a power grid and a Telco network.

T. Schaberreiter, J. Aubert, D. Khadraoui, “Critical Infrastructure Security Modelling and RESCI-MONITOR: A Risk Based Critical Infrastructure Model,” IST-Africa 2011 Conference, Gabarone - Botswana, May 11-13, 2011.

Abstract: In this work we present a CI modelling approach called CI security modelling and RESCI-MONITOR, a tool that allows implementing a CI security model. The CI security model allows to monitor CI services and its associated dependencies in real-time by evaluating the current risk in CI services. The multi-agent based support tool RESCI-MONITOR is able to receive real-time measurements from the infrastructure, transform them into risk parameters and evaluate them in combination with the current risk in dependent infrastructure services.

Gabriele Oliva Stefano Panzieri and Roberto Setola, “Simultaneous Consensus and Synchronization of Identical Linear Systems with Different Constant Inputs,” submitted to IEEE Transactions on Automatic Control.

Abstract: In this paper an approach for the synchronization of arrays of coupled continuous-time linear systems, where each system receives a different constant input, is introduced. Extending the state of each system, and considering a distributed state feedback law, the conditions for the synchronization of these systems are studied, and the resulting evolution is further characterized in the case of average and sum synchronization. The proposed method then addresses, at the same time, the consensus on the input vectors of the different systems, and the synchronization of such systems in a unified approach. In order to show the effectiveness of the proposed framework, a small but significant case study, related to the field of Critical Infrastructure Protection is proposed. In fact, a set of interconnected Online Distributed Interdependency Estimators, each equipped with the same Input-Output Inoperability Model (IIM) are considered, and each estimator only receives the inputs coming from the particular Critical Infrastructure where the interdependency estimator is attested.

Marco Castrucci, Alessandro Neri, Filipe Caldeira, Jocelyn Aubert, Djamel Khadraoui, Matthieu Aubigny, Carlo Harpes, Vincenzo Suraci and Paulo Simões, “Design and implementation of a mediation system enabling secure communication among Critical Infrastructures,” submitted to the Elsevier International Journal of Critical Infrastructure Protection (IJCIP).

Abstract: Interdependencies existing among different Critical Infrastructures (CI) imply that they become increasingly difficult to be protected without using a systemic approach that considers the single infrastructures as a part of a complex system of infrastructures. A strong collaboration among CI owners is required to avoid, or at least to limit, the propagation of failures from an infrastructure to the others and to put CI in safety mode. The key element enabling this needed cooperation is the possibility for them to exchange relevant information related to the status of their infrastructures and to the services provided. In this paper, we present a middleware solution that allows CIs to share real-time information, enabling the design and implementation of fault mitigation strategies and mechanisms to prevent the cascading phenomena generated by the failure propagation from one infrastructure to another. The proposed solution has been designed and developed in the scope of the EU FP7 MICIE project, and it has been tested at Israel Electrical Corporation facilities.

A. Bobbio, R. Terruggia, E. Ciancamerla, M. Minichino, “Reliability Analysis of Multi-source Multi-sink Critical Interacting Systems,” submitted to DCDS11 – International Workshop on Dependable Control of Discrete Systems, June 15-17, 2011, Germany

Abstract: Traditional reliability studies on probabilistic networks are devoted to evaluate the probability that two nodes or K nodes are connected, assuming that nodes are undifferentiated. In flow networks, however, we need to distinguish between source nodes where the flow is generated and sink nodes where the flow is utilized. Sink nodes may usually be fed by many sources. To this end, we have extended the traditional studies to include multisource multi-sink networks. A case study is analysed consisting in a portion of an electrical grid controlled by its SCADA system through a public telecommunication network.

F. Caldeira, T. Schaberreiter, E. Monteiro, J. Aubert, P. Simões, D. Khadraoui, “Trust based interdependency weighting for on-line risk prediction in interdependent critical infrastructures,” submitted to the Ninth Annual Conference on Privacy, Security and Trust (PST2011), Montreal, Canada, July 19-21, 2011.

Abstract: Critical infrastructure (CI) services are consumed by the society constantly and we expect them to be available 24 hours a day. A common definition is that CIs are so vital to our society that a disruption or destruction would have a severe impact on the social well-being and the economy on a national and an international level. CI sectors include, amongst others, the electricity, telecommunication, air traffic and transport sectors. CIs can be mutually dependent on each other and a failure in one infrastructure can cascade to another interdependent infrastructure to cause service disruptions. Methods to better assess and monitor CIs and their interdependencies in order to predict possible risks have to be developed.

In this work previous work on CI security modelling is extended. A trust based component is added to the security model as a means for improving its accuracy and its resilience to inconsistent information provided by peer CIs allowing to re-evaluate assessments based on impact analysis of interdependent service risk.

T. Schaberreiter, K. Karjalainen, K. Halunen, J. Röning, D. Khadraoui, “Risk assessment in critical infrastructure security modelling based on dependency analysis,” submitted to the 41st Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2011), Hong Kong - China, June 27-30, 2011.

Abstract: Critical infrastructure (CI) services are consumed by the society constantly and we expect them to be available 24 hours a day. A common definition is that CIs are so vital to our society that a disruption or destruction would have a severe impact on the social well-being and the economy on a national and an international level. CI sectors include, amongst others, the electricity, telecommunication, air traffic and transport sectors. CIs can be mutually dependent on each other and a failure in one infrastructure can cascade to another interdependent infrastructure to cause service disruptions. Methods to better assess and monitor CIs and their interdependencies in order to predict possible risks have to be developed.

In this work we present a method for CI analysis to identify critical entities in the infrastructure at a management/organizational level as well as at a technical level. This analysis is the basis for CI monitoring using security modelling presented in previous work, which allows real-time monitoring of CI services. The analysis process is supported by the PROTOS-MATINE model for dependency analysis.

Di Giorgio A., Liberati F., “A Bayesian Belief Network Approach to the Critical Infrastructure Interdependencies Analysis”, submitted to IEEE Systems Journal, Special Issue “Complexity in Engineering: from Complex Systems Science to Complex Systems Technology”, October 2010.

This paper presents a novel approach to the critical infrastructures (CIs) interdependence analysis, based on the Dynamic Bayesian Network (DBN) formalism. An original modeling procedure is illustrated, which divides the DBN in three distinct levels: an atomic events level, a propagation level, and a services level. The first one models the adverse events which may impact on the analyzed CIs, the second one properly captures interdependencies among CIs' services and devices, and the last one allows to monitor the state of provided services. The resulting DBN permits to perform three kinds of analysis: a reliability study, which allows to find structural weaknesses of interconnected CIs, an adverse events propagation study, which highlights the role the interdependence plays in the propagation of adverse events, and a failure prediction analysis, that can serve as an useful guide to the fault localization process, in a context where, due to interdependence, failures may have many different explanations. A specific case study provided by Israel Electric Corporation is considered, and explicative simulations are presented and discussed in detail.

Di Giorgio A., Liberati F., “A Dynamic Bayesian Network Based Approach to the Critical Infrastructure Interdependencies Analysis”, submitted to the Mediterranean Conference on Control and Automation MED 2011.

P. Simões, “Uma Plataforma para Partilha de Informação Entre Infra-Estruturas Críticas Interdependentes”, invited presentation at “Ciência 2010 – Encontro com a Ciência e a Tecnologia em Portugal” (Lisbon, July 5th 2010).

L. Lev, P. Capodieci, “Tool for systemic risk analysis and secure mediation of data exchanged across linked CI information infrastructures,” presentation at the EUTC Annual Conference 2010 (London, October 29th 2010).

F. Caldeira, E. Monteiro and P. Simões, “Policy Based and Trust Management for Critical Infrastructure Protection,” presentation at the NET-SCIP Workshop on Security (Porto, PortugalOctober 13th 2010) (extended abstract).

Matthieu Aubigny, “Risk Modelling and Simulation for Critical Information Infrastructure Protection”, Master of Information Systems Security Management, Luxembourg University, 2009.

The subject of this Master Thesis elaborated in the FP7 Project MICIE framework, deals with the risk modelling and simulation for Critical Information Infrastructure Protection. According to a specific definition of service and to a service oriented approach of Critical Infrastructure, the thesis designs a top down methodology to identify and to model a system of several interdepend Critical Infrastructure. Based on an extended notion of dependability and an similar approach as ISO 15408, it proposes a taxonomy and metrics to assess the risk level and to qualify the service exchanged between interdepend infrastructure according to the notion of Quality of Service. Finally the thesis proposes a methodology to compute the risk level for interdepend infrastructure according some simplifying assumptions."