Modelling Security of Critical Infrastructures: A Survivability Assessment

Critical infrastructures are assets whose normal operation must be guaranteed in order to maintain essential services for daily human life. They are usually designed to handle disruptions caused by human error or random acts of nature, but intentional malicious attacks on these targets also need to be considered during system design. To cope with such situations, defense plans must be developed in advance. In this paper, we present a UML profile, named SecAM, that enables the modelling and security specification of critical infrastructures during the early phases (requirements, design) of the systems development life-cycle. SecAM supports security assessment, through survivability analysis, of different security solutions before system deployment. As a case study, we evaluate the survivability of the Saudi Arabia crude-oil pipeline network under two different attack scenarios. The stochastic analysis, carried out with Generalized Stochastic Petri nets, quantitatively estimates the minimisation of attack damage in the crude-oil network.
