Adedayo Adetoye

A logical high-level framework for Critical Infrastructure resilience and risk assessment

Critical Infrastructures (CIs) play crucial roles in modern societies and our reliance on their proper functioning even in the face of accidental failures and deliberate targeted attacks makes their protection of paramount importance. A notable characteristic of CIs is their interdependencies that may exist at many levels and facets of the infrastructure, and which may sometimes lead to unforeseen and unexpected interactions. In particular, the underlying dependencies may induce domino effects in the propagation of failure impacts with devastating consequences and pose serious threats. Thus, technologies that provide new insights and visibility into the infrastructure dependencies, helping stakeholders to understand root causes and to predict the propagation of failure impacts are valuable for the assessment of risks and the engineering of resilience into the infrastructure. This paper presents a logical framework for the high-level modelling of CI dependencies along with analytical tools for automated reasoning about resilience properties of CIs.

Analysis of Dependencies in Critical Infrastructures

Unforeseen and unexpected dependencies and interactions within a critical infrastructure (CI) network may pose serious threats, and the lack of knowledge or understanding of such dependencies can be a risk to the system. This is true whether events that propagate adverse impacts through these dependencies have malicious intent or not. We therefore present a framework for modelling and reasoning about dependencies within CIs. The framework includes a domain-specific modelling language for CI dependencies and configuration, a formalism and calculus for reasoning about dependencies within the CI model, and tools to provide analytical capabilities that may be used for decision support during risk assessment and analysis of CIs.

A Policy Model for Secure Information Flow

When a computer program requires legitimate access to confidential data, the question arises whether such a program may illegally reveal sensitive information. This paper proposes a policy model to specify what information flow is permitted in a computational system. The security definition, which is based on a general notion of information lattices, allows various representations of information to be used in the enforcement of secure information flow in deterministic or nondeterministic systems. A flexible semantics-based analysis technique is presented, which uses the input-output relational model induced by an attackers observational power, to compute the information released by the computational system. An illustrative attacker model demonstrates the use of the technique to develop a termination-sensitive analysis. The technique allows the development of various information flow analyses, parametrised by the attackers observational power, which can be used to enforce what declassification policies.

A modelling approach for interdependency in digital systems-of-systems security - extended abstract

There is little doubt that the proper functioning of our modern society depends upon cyberspace, and that the continued growth in appetite for new technology and the potential benefits associated with it shows little sign of abating. Unfortunately the reality of modern information and communications systems involves a complex array of hardware, middleware, software, communications protocols and services, operated by a diverse set of stakeholders (users and providers each with a heterogeneous set of changing motives (including personal, enterprise, or societal gains). Everyday services that we take for granted often rely on complex interdependent systems, with the result that a seemingly unrelated failure in one of the subsystems, invisible to the service consumer, may lead to an all too visible collapse of the service that they expect. In the context of information and network risk management this complexity means that it is currently very difficult to predict how an organisation might be impacted by vulnerabilities being exploited or failures accidentally manifesting elsewhere in a system. Additionally, organisations responsible for subsystems are likely to evolve different risk-management cultures and practice, making their adoption and use of network and information risk controls (and consequences for other interdependent subsystems) difficult to predict.

Reasoning about Vulnerabilities in Dependent Information Infrastructures: A Cyber Range Experiment

Malice aside, even the pursuit of legitimate local goals such as cost minimisation, availability, and resilience in subsystems of a critical information infrastructure (CII) can induce subtle dynamic behaviours and dependencies that endanger higher-level goals and security of services. However, in practice, the subsystems of a CII may not be entirely cooperative, potentially having different and perhaps conflicting management goals; and some subsystems may be malicious or untrustworthy. Consequently, vulnerabilities may arise accidentally or deliberately through the dependency on subsystems with conflicting goals, or systems which might contain potentially rogue elements. We have developed an analytical framework for reasoning about vulnerabilities and risks in dependent critical infrastructure. To validate the analytical framework we have carried out a series of experiments on a Cyber Range facility, simulating dependent information infrastructures. This paper presents results obtained from the experiments.

Static Analysis of Information Release in Interactive Programs

In this paper we present a model for analysing information release (or leakage) in programs written in a simple imperative language. We present the se- mantics of the language, an attacker model, and the notion of an information release policy. Our key contribution is the static analysis technique to compute information release of programs and to verify it against a policy. We demonstrate our approach by analysing information released to an attacker by faulty password checking pro- grams; our example is inspired by a known flaw in versions of OpenSSH distributed with various Unix, Linux, and OpenBSD operating systems.