Abstract
Modern physical protection systems integrate a number of security systems (including procedures, equipment, and personnel) into a single interface to ensure an adequate level of protection of people and critical assets against malevolent human actions. Due to the critical functions of a protection system, the quantitative evaluation of its effectiveness is an important issue that still raises several challenges. In this paper we propose a model-driven approach to support the design and the evaluation of physical protection systems based on (a) UML models representing threats, protection facilities, assets, and the relationships among them, and (b) the automatic construction of a Bayesian Network model to estimate the vulnerability of different system configurations. Hence, the proposed approach is useful both in the context of vulnerability assessment and in designing new security systems, as it enables what-if and cost–benefit analyses. A real-world case study is further illustrated to validate and demonstrate the potential of the approach. Specifically, two attack scenarios are considered against the depot of a mass transit transportation system in Milan, Italy.
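As an added illustration of the kind of analysis the abstract describes (not the paper's own model, tool, or case-study data): a hand-built Bayesian Network over a hypothetical detect/assess/delay/interrupt intrusion path, with constructed probabilities and device costs, evaluated by enumeration so that alternative protection configurations can be compared in what-if and cost–benefit terms.

```python
from itertools import product

# Added illustration (not the paper's model or tool): a small Bayesian Network over
# binary variables, evaluated by enumeration, to compare the vulnerability of
# alternative PPS configurations. net: node -> (parents, CPT mapping a tuple of
# parent values to P(node = True)). Every probability and cost is a constructed assumption.

def joint_probability(net, assignment):
    p = 1.0
    for node, (parents, cpt) in net.items():
        p_true = cpt[tuple(assignment[x] for x in parents)]
        p *= p_true if assignment[node] else 1.0 - p_true
    return p

def probability(net, query):
    """P(query = True): sum the joint over all assignments where query holds."""
    names = list(net)
    assignments = (dict(zip(names, v)) for v in product((False, True), repeat=len(names)))
    return sum(joint_probability(net, a) for a in assignments if a[query])

def build_pps_network(sensor, camera, barrier):
    """Hypothetical intrusion path: detect -> assess -> delay -> interrupt."""
    return {
        # Fence sensor raises the chance that the intrusion is detected at all.
        "Detected": ([], {(): 0.9 if sensor else 0.3}),
        # CCTV lets the operator confirm an alarm; no detection means no assessment.
        "Assessed": (["Detected"], {(True,): 0.95 if camera else 0.6, (False,): 0.0}),
        # Barrier holds the adversary long enough for the response force to arrive.
        "Delayed": ([], {(): 0.8 if barrier else 0.3}),
        # Response interrupts only after assessment, far more reliably when delayed.
        "Interrupted": (["Assessed", "Delayed"],
                        {(True, True): 0.9, (True, False): 0.4,
                         (False, True): 0.0, (False, False): 0.0}),
    }

def vulnerability(sensor=False, camera=False, barrier=False):
    """Probability that the attack is NOT interrupted under one configuration."""
    return 1.0 - probability(build_pps_network(sensor, camera, barrier), "Interrupted")

COSTS = {"sensor": 20.0, "camera": 15.0, "barrier": 40.0}  # constructed unit costs

def rank_upgrades():
    """What-if / cost-benefit: vulnerability reduction per unit cost of each upgrade."""
    base_v = vulnerability()
    ranked = []
    for device, cost in COSTS.items():
        gain = base_v - vulnerability(**{device: True})
        ranked.append((device, round(gain, 4), round(gain / cost, 5)))
    return sorted(ranked, key=lambda r: r[2], reverse=True)
```

With these constructed numbers the unprotected configuration has vulnerability 0.901 and the fully equipped one 0.316; the ranking shows which single device buys the largest reduction per unit cost, which is the kind of comparison a designer would run across candidate configurations.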
Notes
MEthodological Tools for Railway Infrastructure Protection—http://metrip.unicampus.it/.
Communicated by Prof. Ruth Breu.
Cite this article
Drago, A., Marrone, S., Mazzocca, N. et al. A model-driven approach for vulnerability evaluation of modern physical protection systems. Softw Syst Model 18, 523–556 (2019). https://doi.org/10.1007/s10270-016-0572-7