
A Risk Management Approach for Highly Interconnected Networks

Game Theory for Security and Risk Management

Part of the book series: Static & Dynamic Game Theory: Foundations & Applications (SDGTFA)

Abstract

Critical infrastructures together with their utility networks play a crucial role in societal and individual day-to-day life. Thus, the estimation of potential threats and security issues as well as a proper assessment of the respective risks is a core duty of utility providers. Despite the fact that utility providers operate several networks (e.g., communication, control, and utility networks), most of today’s risk management tools only focus on one of these networks. In this chapter, we will give an overview of a novel risk management process specifically designed for estimating threats and assessing risks in highly interconnected networks. Based on the internationally accepted standard for risk management, ISO 31000, our risk management process integrates various methodologies and tools supporting the different steps of the process from risk identification up to risk treatment. At the heart of this process, a novel game-theoretic approach for risk minimization and risk treatment is applied. This approach is specifically designed to take the information coming from the various tools into account and model the complex interplay between the heterogeneous networks, systems, and operators within a utility provider. It operates on qualitative and semiquantitative information as well as empirical data and uses distribution-valued payoffs to account for the unpredictable effects occurring in this highly uncertain environment.



Acknowledgements

This work was supported by the European Commission’s Project No. 608090, HyRiM (Hybrid Risk Management for Utility Networks) under the 7th Framework Programme (FP7-SEC-2013-1).

Author information


Correspondence to Stefan Schauer.


Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature

About this chapter


Cite this chapter

Schauer, S. (2018). A Risk Management Approach for Highly Interconnected Networks. In: Rass, S., Schauer, S. (eds) Game Theory for Security and Risk Management. Static & Dynamic Game Theory: Foundations & Applications. Birkhäuser, Cham. https://doi.org/10.1007/978-3-319-75268-6_12
