Dynamic Risk Analyses and Dependency-Aware Root Cause Model for Critical Infrastructures

  • Steve Muller
  • Carlo Harpes
  • Yves Le Traon
  • Sylvain Gombault
  • Jean-Marie Bonnin
  • Paul Hoffmann
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10242)

Abstract

Critical Infrastructures are known for their complexity and the strong interdependencies between the various components. As a result, cascading effects can have devastating consequences, while foreseeing the overall impact of a particular incident is not straightforward and goes beyond performing a simple risk analysis. This work presents a graph-based approach for conducting dynamic risk analyses, which are programmatically generated from a threat model and an inventory of assets. In contrast to traditional risk analyses, they can be kept automatically up to date and show the risk currently faced by a system in real time. The concepts are applied to and validated in the context of the smart grid infrastructure currently being deployed in Luxembourg.

Notes

Acknowledgements

This work was supported by the Fonds National de la Recherche, Luxembourg (project reference 10239425) and was carried out in the framework of the H2020 project ‘ATENA’ (reference 700581), partially funded by the EU.

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Steve Muller (1, 2, 3)
  • Carlo Harpes (1)
  • Yves Le Traon (2)
  • Sylvain Gombault (3)
  • Jean-Marie Bonnin (3)
  • Paul Hoffmann (4)

  1. itrust consulting s.à r.l., Niederanven, Luxembourg
  2. University of Luxembourg, Luxembourg, Luxembourg
  3. Telecom Bretagne, Rennes, France
  4. Luxmetering G.I.E., Contern, Luxembourg