The pervasive use of information and communication technologies (ICT) in critical infrastructures requires security assessment approaches that consider the highly interconnected nature of ICT systems. Several approaches incorporate the relationships between structural and functional descriptions and security goals, and associate vulnerabilities with known attacks. However, these methodologies are typically based on the analysis of local problems. This paper proposes a methodology that systematically correlates and analyzes structural, functional and security information. The security assessment of critical infrastructure systems is enhanced using a service-oriented perspective, which focuses the analysis on the concept of service, linking the interactions among services – modeled as service chains – with vulnerabilities, threats and attacks.
Keywords: Security assessment, vulnerabilities, threats, attacks, services, systemof- systems
Chapter PDF
Similar content being viewed by others
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
References
C. Alberts and A. Dorofee, Managing Information Security Risks: The OCTAVE (SM) Approach, Addison-Wesley, Boston, Massachusetts, 2002.
O. Alhazmi, Y. Malaiya and I. Ray, Security vulnerabilities in software systems: A quantitative perspective, in Data and Applications Security XIX (LNCS 3654), S. Jajodia and D. Wijesekera (Eds. ), Springer, Berlin- Heidelberg, Germany, pp. 281-294, 2005.
A. Avizienis, J. Laprie, B. Randell and C. Landwehr, Basic concepts and taxonomy of dependable and secure computing, IEEE Transactions on Dependable and Secure Computing, vol. 1(1), pp 11-33, 2004.
E. Bertino, D. Bruschi, S. Franzoni, I. Nai Fovino and S. Valtolina, Threat modeling for SQL servers, Proceedings of the Eighth IFIP TC-6 TC-11 Conference on Communications and Multimedia Security, pp. 189-201, 2004.
M. Bishop, Computer Security: Art and Science, Addison-Wesley, Boston, Massachusetts, 2003.
Citicus, Citicus ONE (www.citicus.com ).
F. den Braber, T. Dimitrakos, B. Gran, M. Lund, K. Stølen and J. Aagedal, The CORAS methodology: Model-based risk management using UML and UP, in UML and the Unified Process, L. Favre (Ed. ), IGI Publishing, Hershey, Pennsylvania, pp. 332-357, 2003.
G. Dondossola, J. Szanto, M. Masera and I. Nai Fovino, Evaluation of the effects of intentional threats to power substation control systems, Proceed- ings of the International Workshop on Complex Network and Infrastruc- ture Protection, 2006.
Institute of Electrical and Electronics Engineers, IEEE Standard Glossary of Software Engineering Terminology (IEEE Standard 610. 12-1990), Pis- cataway, New Jersey, 1990.
International Organization for Standardization, Code of Practice for Information Security Management (ISO/IEC 17799:2000), Geneva, Switzerland, 2000.
A. Jones and D. Ashenden, Risk Management for Computer Security: Protecting Your Network and Information Assets, Elsevier ButterworthHeinemann, Oxford, United Kingdom, 2005.
M. Keeney, E. Kowalski, D. Cappelli, A. Moore, T. Shimeall and S. Rogers, Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors, Technical Report, U. S. Secret Service and CERT Coordination Center, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, Pennsylvania, 2005.
M. Masera, Interdependencies and security assessment: A dependability view, Proceedings of the IEEE International Conference on Systems, Man and Cybernetics, Taipei, 2006.
M. Masera and I. Nai Fovino, A framework for the security assessment of remote control applications of critical infrastructures, Proceedings of the Twenty-Ninth ESReDA Seminar, 2005.
M. Masera and I. Nai Fovino, Emergent disservices in interdependent systems and systems-of-systems, Proceedings of the IEEE International Conference on Systems, Man and Cybernetics, 2006.
M. Masera and I. Nai Fovino, Modeling information assets for security risk assessment in industrial settings, Proceedings of the Fifteenth EICAR Annual Conference, 2006.
M. Masera and I. Nai Fovino, Models for security assessment and management, Proceedings of the International Workshop on Complex Network and Infrastructure Protection, 2006.
M. Masera and I. Nai Fovino, Through the description of attacks: A multidimensional view, Proceedings of the Twenty-Fifth International Conference on Computer Safety, Reliability and Security, pp. 15-28, 2006.
J. McDermott, Attack net penetration testing, Proceedings of the New Security Paradigms Workshop, pp. 15-22, 2002.
Microsoft Corporation, Microsoft Security Assessment Tool (www.securityguidance.com ).
B. Schneier, Attack trees: Modeling security threats, Dr. Dobb’s Journal, December 1999.
SecurityFocus, Bugtraq vulnerability database (securityfocus. com).
J. Steffan and M. Schumacher, Collaborative attack modeling, Proceedings of the ACM Symposium on Applied Computing, pp. 253-259, 2002.
G. Stoneburner, A. Goguen and A. Feringa, Risk Management Guide for Information Technology Systems, Special Publication 800-30, National Institute of Standards and Technology, U. S. Department of Commerce, Gaithersburg, Maryland, 2002.
F. Swiderski and W. Snyder, Threat Modeling, Microsoft Press, Redmond, Washington, 2004.
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2008 IFIP International Federation for Information Processing
About this paper
Cite this paper
Masera, M., Fovino, I.N. (2008). A Service-Oriented Approach for Assessing Infrastructure Security. In: Goetz, E., Shenoi, S. (eds) Critical Infrastructure Protection. ICCIP 2007. IFIP International Federation for Information Processing, vol 253. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-75462-8_26
Download citation
DOI: https://doi.org/10.1007/978-0-387-75462-8_26
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-75461-1
Online ISBN: 978-0-387-75462-8
eBook Packages: Computer ScienceComputer Science (R0)