Determining Risks from Advanced Multi-step Attacks to Critical Information Infrastructures

  • Zhendong Ma
  • Paul Smith
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8328)


Industrial Control Systems (ICS) monitor and control industrial processes, and enable automation in industry facilities. Many of these facilities are regarded as Critical Infrastructures (CIs). Due to the increasing use of Commercial-Off-The-Shelf (COTS) IT products and connectivity offerings, CIs have become an attractive target for cyber-attacks. A successful attack could have significant consequences. An important step in securing Critical Information Infrastructures (CIIs) against cyber-attacks is risk analysis – understanding security risks, based on a systematic analysis of information on vulnerabilities, cyber threats, and the impacts related to the targeted system. Existing risk analysis approaches have various limitations, such as scalability and practicability problems. In contrast to previous work, we propose a practical and vulnerability-centric risk analysis approach for determining security risks associated with advanced, multi-step cyber-attacks. In order to examine multi-step attacks that exploit chains of vulnerabilities, we map vulnerabilities into preconditions and effects, and use rule-based reasoning for identifying advanced attacks and their path through a CII.


Keywords: Risk analysis; critical infrastructure; vulnerability
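The precondition/effect chaining described in the abstract, as an added illustration rather than the paper's own code or model: vulnerabilities are constructed placeholders (V1 to V6) whose preconditions and effects are abstract capability facts, a forward-chaining reasoner derives which chain leads from an assumed foothold to control of a PLC, and a second function reports which single vulnerability removals break every such chain (the mitigation question a risk analyst asks next).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vuln:
    vid: str        # constructed placeholder id, not a real CVE
    pre: frozenset  # capabilities the attacker must already hold
    eff: frozenset  # capabilities gained by exploiting it

def forward_chain(vulns, initial):
    """Fire any vulnerability whose preconditions are held until no new fact appears."""
    facts, fired, producer = set(initial), [], {}
    progress = True
    while progress:
        progress = False
        for v in vulns:
            if v.vid not in fired and v.pre <= facts:
                fired.append(v.vid)
                progress = True
                for f in v.eff - facts:
                    facts.add(f)
                    producer[f] = v.vid  # first vulnerability that yielded this fact
    return fired, producer

def attack_path(vulns, initial, goal):
    """Chain of vulnerabilities, in exploitation order, that yields `goal`; [] if unreachable."""
    fired, producer = forward_chain(vulns, initial)
    by_id = {v.vid: v for v in vulns}
    needed, todo = set(), [goal]
    while todo:                       # walk producers back to the initial capabilities
        fact = todo.pop()
        if fact in producer and producer[fact] not in needed:
            needed.add(producer[fact])
            todo.extend(by_id[producer[fact]].pre)
    return [vid for vid in fired if vid in needed]

def single_fixes(vulns, initial, goal):
    """Vulnerabilities whose removal alone makes `goal` unreachable (single mitigations)."""
    return [v.vid for v in vulns
            if not attack_path([w for w in vulns if w is not v], initial, goal)]

# Constructed ICS scenario: abstract capabilities, not real hosts or CVEs.
SCENARIO = [
    Vuln("V1", frozenset({"reach(office_pc)"}), frozenset({"exec(office_pc)"})),
    Vuln("V2", frozenset({"exec(office_pc)"}), frozenset({"reach(historian)"})),
    Vuln("V3", frozenset({"reach(historian)"}), frozenset({"exec(historian)"})),
    Vuln("V4", frozenset({"exec(historian)"}), frozenset({"reach(plc)"})),
    Vuln("V5", frozenset({"reach(plc)", "exec(historian)"}), frozenset({"control(plc)"})),
    Vuln("V6", frozenset({"physical(site)"}), frozenset({"control(plc)"})),  # needs on-site access
]
START = {"reach(office_pc)"}  # attacker foothold assumed for the analysis
```

With the foothold alone, V6 never fires because its precondition is never satisfied, so every vulnerability on the single remaining chain is a sufficient fix; once the on-site capability is also granted, no single removal suffices.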



Copyright information

© Springer International Publishing Switzerland 2013

Authors and Affiliations

  • Zhendong Ma (1)
  • Paul Smith (1)

  1. Safety & Security Department, Austrian Institute of Technology, Seibersdorf, Austria