The original contribution of this thesis is to provide methods for enhancing the effectiveness and reliability of integrated security systems in order to guarantee an adequate protection level. To achieve the desired level of protection, a two-phase approach is proposed combining proactive and reactive strategies. The first involves a vulnerability assessment of a PPS based on quantitative methods, while the second introduces an interoperability framework for improving the reaction to attacks. The overall approach is applicable both to the design phase of a PPS and to the evaluation phase of an existing PPS, in order to determine the changes to be made for achieving the desired level of security. The pivotal points on which this thesis is founded are mainly two:
• defining and developing an interoperability framework for improving the effectiveness and flexibility of a PSIM system;
• defining a methodology for evaluating the vulnerabilities of a PPS.
These are two complementary approaches that converge towards the same objective. The first approach provides a tool for integrating different security systems and security management systems and making them interoperable in order to counteract attacks. However, hardening all potential targets against all possible forms of attack is cost prohibitive. For this reason, the second approach aims to assign confidence levels to the protection of assets, derived from an accurate quantitative evaluation of the vulnerability of the PPS.
Chapter 2
A Model-Driven Approach to Vulnerability Evaluation
As said in section 1.2.2, a PPS involves systems, procedures and people for protecting assets and facilities from malevolent human attacks. The need for an interoperability context interconnecting heterogeneous monitoring systems, security systems and security operators has led to the adoption of a new category of management systems known as PSIM. Such systems collect and correlate events from security devices and information systems, enabling situation awareness and management reporting. Nevertheless, effective protection calls for the availability of proper methodologies and tools to evaluate the vulnerability of critical assets and the ability of the adopted protection system to meet its objectives. In the context of security information management, vulnerability is often defined as a weakness that can be exploited by a threat. This definition is widely used in risk assessment methodologies designed to be qualitative and based on the work of skilled security analysts. In fact, vulnerability is commonly evaluated qualitatively, also relying on the availability of historical data related to past threat events. On the contrary, effective protection needs an accurate quantitative evaluation of vulnerability able to produce scientific and rigorous measures. In the field of physical security, few efforts have been made towards the development of approaches for the quantitative analysis of vulnerability. The objective of this chapter is to propose a model-driven approach in order to quantitatively evaluate the vulnerability of CIs through the effectiveness evaluation of the whole PPS. In particular, the proposed methodology is based on an MDE approach that considers the three aspects of the matter of interest: infrastructure, attack, and protection. Hence, this modeling approach evaluates the vulnerability of an asset with respect to the threats and the specific protection systems applied. The approach defines a UML profile for Vulnerability Analysis and Modeling for Critical Infrastructure Protection (CIP_VAM) and the automated generation of quantitative vulnerability models from UML-annotated artifacts.
2.1 Aims, Scope and Hypotheses
This work contemplates the security aspects of CIs, considering situations where the perpetrators exploit vulnerable elements of the civilian infrastructure for the purpose of indiscriminate murder or criminal activities.
Vulnerabilities may be associated with physical (e.g., a broken fence), cyber (e.g., lack of a firewall), or human (e.g., untrained guards) factors. For this reason, the security of critical infrastructures is often considered a multi-faceted and multi-disciplinary problem that requires an integrated approach [58-60]. Nevertheless, as outlined in chapter 1, this work considers the security concerns tied to physical and human factors, without considering those related to cyber ones. In the physical security field, the identification and evaluation of vulnerabilities are necessary activities in order to restrict as far as possible the consequences originating from voluntary actions. Nevertheless, these are difficult tasks that must be adapted to the application domain and to the current needs of the organizations. The environment of critical infrastructures is strongly distributed in space, and the effect of this is that weaknesses are likely to be distributed along the whole system. In effect, a vulnerability is a weak spot that might be exploited to launch an attack, and accordingly it is strictly related to the capacity to counteract the threats that take place at that moment. Furthermore, not all weaknesses affect the system's vulnerability equally, and so each of them contributes to it in a different measure. This measure reflects the likelihood of the weakness being exploited during attacks.
To be more precise, we can consider vulnerability as specific to an asset, due to its attractiveness from an attacker's point of view; as physically distributed and affected by circumstances that are also seemingly independent; and as variable, because it changes and spreads in the course of time according to what happens. In particular, for a given asset the variability of vulnerability is due not only to the typology of attack and the set of protection systems used, but also to the actions undertaken to contain the propagation of the effects. Vulnerabilities to a specific attack are indications of the practicality of that attack, assuming security measures are in place.
There have been few attempts to combine the multiple factors that contribute to vulnerability. This investigation aims at proposing a comprehensive approach that includes environmental, physical, human, and organizational variables, in addition to operational measurements of protection components, which can help to enhance the understanding of vulnerability with regard to the main threats. The assessment of overall vulnerability requires the consideration of all protective interventions, both active and passive.
Specifically, the focus is on quantitative methods, since they allow a measure to be obtained for evaluating the protection of an asset in a more rigorous way, and hence how significant the risk is in case of attacks, considering the applied choices. Hence, the definition introduced by Lewis in [19] is adopted here, where vulnerability is the conditional probability that the asset is damaged, given that an attack or incident occurs (see formula 1.2 in section 1.2.1).