Simulation-Based Cyber-Attack Assessment of Critical Infrastructures

Conference paper
Part of the Lecture Notes in Business Information Processing book series (LNBIP, volume 191)


Nations, more than ever, depend on the correct functionality of critical infrastructures. In order to deliver their services, critical infrastructure providers often rely on information technologies. Thus, cyber attacks can lead to severe impacts within a nation’s critical infrastructure landscape causing deep scars to health, safety and economic wealth. To provide the demanded service level of critical infrastructures and to reduce the impacts of disruptions and unavailability of components during attacks, it is essential to have a comprehensive understanding of the linkages between providers on the one side and to have the capabilities to identify vulnerabilities of systems and their consequences if exploited on the other side. Therefore, in this paper, we present a agent-based modeling and simulation approach facilitating the assessment of critical infrastructure entities under attack. To demonstrate the capabilities we further provide a motivational example how our approach can be used to perform simulation-based evaluation of cyber attacks. We further provide an overview of our simulation prototype.


Cyber attacks Critical infrastructures protection Agent-based modeling and simulation Anticipation games Distributed denial of service 



This work has been supported by the Austrian Research Promotion Agency (FFG) under the Austrian Security Research Programme KIRAS.


  1. 1.
    Mansfield, N.: Development of policies for protection of critical information infrastructures. Technical report, Organisation for Economic Co-operation and Development (OECD) (2007)Google Scholar
  2. 2.
    German Federal Office for Information Security: Recommendations for critical information infrastructure protection (2013)Google Scholar
  3. 3.
    Symantec: Symantec intelligence quarterly report: Q4 2010 - targeted attacks on critical infrastructure. Technical report, Symantec (2010)Google Scholar
  4. 4.
    Mandiant: Mandiant intelligence center report - apt1: Exposing one of china’s cyber espionage units. Technical report, Mandiant (2013)Google Scholar
  5. 5.
    Public Safety Canada: Ontario-U.S. power outage - impacts on critical infrastructure (2006). Accessed: 16 May 2012
  6. 6.
    Centre for Natural Hazard Research: Types of hazards. Accessed: 16 May 2012
  7. 7.
    Hellström, T.: Critical infrastructure and systemic vulnerability: towards a planning frame. Saf. Sci. 45, 415–430 (2007)CrossRefGoogle Scholar
  8. 8.
    Min, H., Beyeler, W., Brown, T., Son, Y., Jones, A.: Toward modeling and simulation of critical national infrastructure interdependencies. IIE Trans. 39(1), 57–71 (2007)CrossRefGoogle Scholar
  9. 9.
    Rinaldi, S.M., Peerenboom, J.P., Kelly, T.K.: Identifying, understanding and analyzing critical infrastructure inderdependencies. IEEE Control Syst. Mag. 21, 11–25 (2001)CrossRefGoogle Scholar
  10. 10.
    Potter, C., Waterfall, G.: Information security breaches survey 2012. Technical report, PwC (2012)Google Scholar
  11. 11.
    Cornish, P., Livingstone, D., Clemente, D., Yorke, C.: Cyber security and the uk’s critical national infrastructure. Technical report, Chatham House (2011)Google Scholar
  12. 12.
    Baker, S., Filipiak, N., Timlin, K.: In the dark - crucial industries confront cyberattacks. Technical report, McAfee - Center for Strategic International Studies (2011)Google Scholar
  13. 13.
    Obama, B.: Taking the cyberattack threat seriously (July 2012)Google Scholar
  14. 14. (2013). Accessed: 20 February 2013
  15. 15.
    CERT CC: Denial of Service Attacks (1999). Accessed: 20 February 2013
  16. 16.
    George Mason University: The CIP Report, August 2010. Accessed: 16 May 2012
  17. 17.
    Boin, A., McConnell, A.: Preparing for critical infrastructure breakdowns: the limits of crisis management and the need for resilience. J. Contingencies Crisis Manage. 15(1), 50–59 (2007)CrossRefGoogle Scholar
  18. 18.
    Moteff, J., Parfomak, P.: CRS Report for Congress - Critical Infrastructure and Key Assets: Definition and Identification. Technical report, Congressional Research Service (2004). Accessed: 16 May 2012Google Scholar
  19. 19.
    Harris, S.: CISSP All-in-One Exam Guide, 5th edn. Mcgraw-Hill Professional, New York (2010)Google Scholar
  20. 20.
    ISO/IEC: ISO/IEC 27002:2005 Information technology - Security techniques - Code of practice for information security management (2005)Google Scholar
  21. 21.
    Laprie, J.C.: Dependable computing: concepts, limits, challenges. In: 25th IEEE International Symposium on Fault-Tolerant Computing, Pasadena, CA, USA, pp. 42–54. IEEE (1995)Google Scholar
  22. 22.
    Avizienis, A., Laprie, J.C., Randell, B.: Fundamental concepts of dependability. Seven 1145, 7–12 (2001)Google Scholar
  23. 23.
    Avizienis, A., Laprie, J.C., Randell, B., Landwehr, C.: Basic concepts and taxonomy of dependable and secure computing. IEEE Trans. Dependable Secure Comput. 1(1), 11–33 (2004)CrossRefGoogle Scholar
  24. 24.
    Sherwood, J., Clark, A., Lynas, D.: Enterprise security architecture. Technical report, SABSA Institute (2009)Google Scholar
  25. 25.
    Sherwood, J., Clark, A., Lynas, D.: Enterprise Security Architecture: A Business-Driven Approach. CRC Press, San Francisco (2005)Google Scholar
  26. 26.
    Bursztein, E.: NetQi: a model checker for anticipation game. In: Cha, S.S., Choi, J.-Y., Kim, M., Lee, I., Viswanathan, M. (eds.) ATVA 2008. LNCS, vol. 5311, pp. 246–251. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  27. 27.
    Bursztein, E.: Extending anticipation games with location, penalty and timeline. In: Degano, P., Guttman, J., Martinelli, F. (eds.) FAST 2008. LNCS, vol. 5491, pp. 272–286. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  28. 28.
    Bursztein, E.: Multiple-sites defense strategy. Technical report, LSV, ENS Cachan, CNRS (2009)Google Scholar
  29. 29.
    BSI-Standard 100–4: Business Continuity Management (2008)Google Scholar
  30. 30.
    Macal, C.M., North, M.J.: Tutorial on agent-based modelling and simulation. J. Simul. 4(3), 151–162 (2010)CrossRefGoogle Scholar
  31. 31.
    Allan, R.: Survey of agent based modelling and simulation tools. Engineering 501, 57–72 (2009)Google Scholar
  32. 32.
    Liu, D., Wang, X., Camp, L.J.: Game theoretic modeling and analysis of insider threats. Int. J. Crit. Infrastruct. Prot. 1, 75–80 (2008)CrossRefGoogle Scholar
  33. 33.
    Grossklags, J., Christin, N., Chuang, J.: Secure or insure?: a game-theoretic analysis of information security games. In: Proceedings of the 17th International Conference on World Wide Web, pp. 209–218. ACM (2008)Google Scholar
  34. 34.
    Boehmer, W.: Dynamic systems approach to analyzing event risks and behavioral risks with game theory. In: 2011 IEEE Third International Conference on Privacy, Security, Risk and Trust (PASSAT) and 2011 IEEE Third International Conference on Social Computing (SocialCom), pp. 1231–1238 (2011)Google Scholar
  35. 35.
    Specht, S., Lee, R.: Distributed denial of service: taxonomies of attacks, tools, and countermeasures. In: Proceedings of the 17th International Conference on Parallel and Distributed Computing Systems, pp. 543–550 (2004)Google Scholar
  36. 36.
    Mirkovic, J., Reiher, P.: A taxonomy of DDoS attack and DDoS defense mechanisms. SIGCOMM Comput. Commun. Rev. 34(2), 39–53 (2004)CrossRefGoogle Scholar
  37. 37.
    Gottwald, S.: Studyon critical dependencies of energy, finance and transportinfrastructures on ict infrastructure. Technical report, European Commission (2009)Google Scholar
  38. 38.
    OpenL Tablets: Business Friendly Rules (2013). Accessed: 14 March 2013
  39. 39.
    Luke, S., Cioffi-Revilla, C., Panait, L., Sullivan, K., Balan, G.: MASON: a multi-agent simulation environment. Trans. Soc. Model. Simul. Int. 82(7), 517–527 (2005)CrossRefGoogle Scholar
  40. 40.
    George Mason University: MASON (2012). Accessed: 26 July 2012
  41. 41.
    Luke, S.: Multiagent simulation and the MASON library, August 2011.
  42. 42.
    Naveh, B.: Contributors: JGraphT (2013). Accessed: 15 March 2013
  43. 43.
    Refractions Research: PostGIS, March 2013. Accessed: 15 March 2013
  44. 44.
    mcobject: Perst - an open source, object-oriented embedded database, March 2013. Accessed: 15 March 2013
  45. 45.
    Object Refinery Limited: JFreeChart (2013). Accessed: 15 March 2013
  46. 46.
    JasperSoft: iReport Desinger (2013). Accessed: 15 March 2013

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  1. 1.Insitute of IT Security ResearchSt. Pölten University of Applied SciencesSt. PöltenAustria

Personalised recommendations