
A model-driven approach for vulnerability evaluation of modern physical protection systems

  • Regular Paper
Software & Systems Modeling

Abstract

Modern physical protection systems integrate a number of security systems (including procedures, equipment, and personnel) into a single interface to ensure an adequate level of protection of people and critical assets against malevolent human actions. Because of the critical functions of a protection system, the quantitative evaluation of its effectiveness is an important issue that still raises several challenges. In this paper we propose a model-driven approach to support the design and the evaluation of physical protection systems based on (a) UML models representing threats, protection facilities, assets, and the relationships among them, and (b) the automatic construction of a Bayesian Network model to estimate the vulnerability of different system configurations. The proposed approach is therefore useful both for vulnerability assessment and for the design of new security systems, since it enables what-if and cost–benefit analyses. A real-world case study is illustrated in order to validate the approach and demonstrate its potential: two attack scenarios are considered against the depot of a mass transit transportation system in Milan, Italy.
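The abstract describes estimating vulnerability with a Bayesian Network and comparing configurations in what-if and cost–benefit analyses. The following is an added example written for this page, not the paper's UML-to-BN transformation or the authors' model: it hand-builds a small boolean Bayesian Network for a protection system, queries it for vulnerability (probability that an asset is compromised given that an attack is attempted), and ranks candidate upgrades by vulnerability reduction per unit cost. The chain structure (detect, assess, respond, neutralize), the noisy-OR combination of independent sensors, and every probability and cost figure are assumptions constructed for illustration.

```python
# Added example: Bayesian-network vulnerability estimate for a physical protection
# system, with a what-if comparison of configurations. Illustrative code written
# for this page, not the paper's UML-to-BN transformation; the network structure,
# probabilities and costs below are assumed.
from itertools import product
from typing import Dict, List, Sequence, Tuple


class BayesianNetwork:
    """Boolean Bayesian network; each node stores a CPT giving P(node=True | parents)."""

    def __init__(self) -> None:
        self.order: List[str] = []                                  # topological insertion order
        self.parents: Dict[str, List[str]] = {}
        self.cpt: Dict[str, Dict[Tuple[bool, ...], float]] = {}

    def add(self, name: str, parents: Sequence[str], cpt: Dict[Tuple[bool, ...], float]) -> None:
        # Parents must already exist and every parent-value combination needs a CPT row,
        # otherwise inference would silently produce wrong numbers.
        for p in parents:
            if p not in self.cpt:
                raise ValueError(f"{name}: unknown parent {p}")
        for combo in product((False, True), repeat=len(parents)):
            if combo not in cpt:
                raise ValueError(f"{name}: missing CPT row for parents={combo}")
        self.order.append(name)
        self.parents[name] = list(parents)
        self.cpt[name] = dict(cpt)

    def joint(self, a: Dict[str, bool]) -> float:
        """P(full assignment) = product over nodes of P(node value | parent values)."""
        p = 1.0
        for n in self.order:
            pt = self.cpt[n][tuple(a[q] for q in self.parents[n])]
            p *= pt if a[n] else 1.0 - pt
        return p

    def query(self, target: Dict[str, bool], evidence: Dict[str, bool]) -> float:
        """P(target | evidence) by exhaustive enumeration (fine for small networks)."""
        free = [n for n in self.order if n not in evidence]
        num = den = 0.0
        for vals in product((False, True), repeat=len(free)):
            a = dict(evidence, **dict(zip(free, vals)))
            p = self.joint(a)
            den += p
            if all(a[k] == v for k, v in target.items()):
                num += p
        return num / den


def build_pps_network(sensors: Sequence[float], p_assess: float, p_respond: float,
                      p_neutralize: float, p_attack: float = 0.1) -> BayesianNetwork:
    """Assumed chain: Threat -> Detected -> Assessed -> Responded -> Neutralized -> Compromised.
    `sensors` holds the detection probabilities of independent sensors on the attack path,
    combined as noisy-OR: the intruder is detected unless every sensor misses."""
    bn = BayesianNetwork()
    bn.add("Threat", [], {(): p_attack})
    p_evade_all = 1.0
    for p in sensors:
        p_evade_all *= 1.0 - p
    bn.add("Detected", ["Threat"], {(False,): 0.0, (True,): 1.0 - p_evade_all})
    bn.add("Assessed", ["Detected"], {(False,): 0.0, (True,): p_assess})
    bn.add("Responded", ["Assessed"], {(False,): 0.0, (True,): p_respond})
    bn.add("Neutralized", ["Responded"], {(False,): 0.0, (True,): p_neutralize})
    # The asset is compromised iff an attack is attempted and not neutralized.
    bn.add("Compromised", ["Threat", "Neutralized"],
           {(False, False): 0.0, (False, True): 0.0, (True, False): 1.0, (True, True): 0.0})
    return bn


def vulnerability(bn: BayesianNetwork) -> float:
    """Vulnerability = P(asset compromised | attack attempted)."""
    return bn.query({"Compromised": True}, {"Threat": True})


def what_if(baseline: dict, options: Dict[str, Tuple[dict, float]]) -> List[dict]:
    """Evaluate each option (parameters, cost) against the baseline configuration.
    Returns rows sorted by vulnerability reduction per unit cost, best first."""
    v0 = vulnerability(build_pps_network(**baseline))
    rows = []
    for name, (params, cost) in options.items():
        v = vulnerability(build_pps_network(**params))
        rows.append({"option": name, "vulnerability": v, "cost": cost,
                     "reduction": v0 - v, "reduction_per_cost": (v0 - v) / cost})
    return sorted(rows, key=lambda r: r["reduction_per_cost"], reverse=True)


# Constructed configurations for a depot perimeter (all numbers assumed, not from the paper).
BASELINE = {"sensors": [0.8], "p_assess": 0.9, "p_respond": 0.7, "p_neutralize": 0.85}
OPTIONS = {
    "add second sensor (0.7)": ({**BASELINE, "sensors": [0.8, 0.7]}, 20.0),
    "faster response (0.9)": ({**BASELINE, "p_respond": 0.9}, 50.0),
}

if __name__ == "__main__":
    print(f"baseline vulnerability: {vulnerability(build_pps_network(**BASELINE)):.4f}")
    for r in what_if(BASELINE, OPTIONS):
        print(f"{r['option']:<26} V={r['vulnerability']:.4f} cost={r['cost']:5.1f} "
              f"reduction/cost={r['reduction_per_cost']:.5f}")
```

With these assumed figures the baseline vulnerability is 0.5716; the second sensor lowers it to 0.4966 and the faster response to 0.4492, but per unit of cost the cheaper sensor wins, which is the kind of trade-off a cost–benefit analysis on the network exposes. The enumeration-based `query` is exponential in the number of unobserved nodes, so a network generated from a full facility model would need a proper inference engine rather than this loop.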




Author information

Corresponding author

Correspondence to Roberto Nardone.

Additional information

Communicated by Prof. Ruth Breu.

About this article

Cite this article

Drago, A., Marrone, S., Mazzocca, N. et al. A model-driven approach for vulnerability evaluation of modern physical protection systems. Softw Syst Model 18, 523–556 (2019). https://doi.org/10.1007/s10270-016-0572-7
