A service oriented approach to the assessment of
Infrastructure Security
Author: Marcelo Masera, Joint Research Centre, European Commission via E. Fermi 1,
21020 Ispra – VA- Italy. Phone: +039 0332789238, Fax: +039 0332789576. Email:
marcelo.masera@jrc.it
Author: Igor Nai Fovino, Joint Research Centre, European Commission, via E. Fermi 1,
21020 Ispra – VA- Italy. Phone: +039 0332786541, Fax: +039 0332789576. Email:
igor.nai@jrc.it
Abstract:
The pervasive use of the information and communication technologies (ICT) in Critical
Infrastructures requires the introduction of specific security assessment approaches. The
study of the local effects of vulnerabilities and failures has to be put in the context of the
whole system, as ICT systems are highly interconnected. In addition most industrial
control and communication systems are getting connected with corporate information
systems. This facilitates the access from internal and external networks, and converts ICT
security assessment in a primary concern.
Some approaches have been proposed based on the relationships between structural and
functional descriptions and security goals, and at associating vulnerabilities to known
attacks. These methodologies are typically based on the analysis of local problems. In the
present paper, we want to propose a further step: the systematic correlation and analysis
of structural, functional and security information, under a service–oriented light. In order
to achieve this objective we propose to center the analysis on the concept of service,
linking the interactions among services (modeled as service chains) with that of
vulnerabilities, threats and attacks. It is demonstrated how this approach facilitates the
assessment of security
Key Words: Critical Infrastructures, Security Assessment, Services, Threats,
Vulnerabilities, Attacks, System-of-Systems.
Introduction
Security threats are one of the main problems of this computer-based era. All systems
making use of information and communication technologies (ICT) are prone to failures
and vulnerabilities that can be exploited by malicious software and agents. Industrial
critical installations present particular features that differentiate them from more
conventional ICT systems. Industrial systems combine typical information system (e.g.
data bases), with real-time elements implementing the control functions. In the latest
years, these hybrid infrastructures started to be connected to internal and external
communication networks, and security has become a subject of primary concern,
especially relevant to the complex field of Critical Infrastructure Protection.
Security risk assessment and management of critical industrial IT infrastructures is a
relatively new discipline. Most efforts are concentrated on typical corporate information
systems. Industrial systems present some specific features: the co–existence of
heterogeneous environments (e.g. real–time and desktop applications), and the constraints
deriving from physical phenomena (e.g. power stability) and business objectives (e.g.
productivity and performance). These factors determine how IT systems can be handled:
for instance, it is not always possible to stop industrial system for installing security
patches.
The assessment and management of security issues deal with a varied set of information:
some referring to the system characteristics (e.g. identification of vulnerabilities and
assets, security policies), other to threats (their intentions, resources, capabilities), and
other to the potential attack mechanisms and the relative countermeasures that could be
applied in order to avoid or mitigate the effects of negative incidents. In addition one has
to consider the interactions of malicious acts with accidental failures and human errors.
The evolution of systems intro infrastructures adds a further level of complexity:
infrastructures are systems–of–systems, greatly interconnected (mainly due to the
pervasive use of ICT), and characterised by interdependencies that can give place to
system–wide propagation of negative effects.
Some approaches have been proposed to the analysis of infrastructural systems (see next
section). They generally aim at linking structural and functional descriptions to security
goals, and at associating vulnerabilities to known attacks. Taking as starting point an
embryonic security assessment methodology presented by Masera and Nai [25], in the
present paper, we propose a further step: enriching the local treatment of security–
relevant information, to an assessment based on the systematic correlation and analysis
of such information. This would allow passing from a point view of security events, to
one revealing dependencies of infrastructural aystems. We first present an overview of
the present state of the art in the field of system and security modeling. Then we focus
our attention on the relationships existing among the different “information sets” that can
be used for describing a system from the security standpoint. Finally we introduce a
security assessment approach based on the analysis of those relationships, using the
concept of service as the guiding principle.
State of The Art
In the scientific literature there is no comprehensive work tailored to industrial ICT
security assessment, however there is relevant work in the field of ICT security, system
modelling and system safety. In this section we give an overview of approaches relevant
to the topic of this paper.
The assessment of industrial systems is traditionally the field of classical safety risk
studies. Only recently security issues have started to be considered of primary relevance.
Keeney et al. [1] presented a study on computer system sabotage of critical
infrastructures. Stoneburner, Goguen and Feringa [2] in their study on Risk Management
for Information Technology Systems described a nine-step procedure for the risk
assessment of information systems. Moreover Swiderski and Snyder [3] introduced the
concept of threat modelling, and a structured approach for identifying, evaluating, and
mitigating risks to system security. A study of such approach on a Web Application
environment is showed in [4]. In addition, there are some tools developed for general
purpose like “Microsoft Security Assessment Tool” [7], and “Citicus” [8]. The first one is
a traditional “check list” assessment process; in other words, the whole assessment
process goes through a series of “question-answer” sessions, guiding the analysis through
an iterative process, and producing as output a set of recommendations and best practices.
It is quick and easy method, that can only provide rough results far from precise and
exhaustive. The second tool, Citicus, is based on the concept of perceived information
risks, categorising them according to some customized criteria.
The OCTAVE approach [5], introduced by the Software Engineering Institute in the late
90s, currently represents the most complete and exhaustive methodology for information
systems, but it hasn’t been used and conceived for industrial applications. The more
relevant tool was developed by the project CORAS (2001-2003) [6], supporting a
methodology for model-based risk analysis of security-critical systems – but this
methodology has been applied to e-government and e-commerce, not to industrial control
systems or, in general to heterogeneous complex systems.
From these methods we can derive some useful remarks. The assessment of security
requires the proper description of the system at issue, from all relevant perspectives:
policies and operations, structure and function, physical links and information flows, etc.
The problem of “Infrastructure Modelling” has been treated mainly for design and
operational purposes, but the analysis of security requires further considerations Different
approaches have been suggested in order to model systems in light of security. The work
presented in [5] by Alberts & Dorofee is a good example of a risk assessment
methodology based on a system description. However such a description lacks mainly in
two points: it is not formal and, more relevant, it cannot deal with complex System-ofSystems. Folker den Braber et al. present in [11] another risk assessment approach
partially based on a system description. It tries to partially capture the concept of adverse
environment by introducing (using UML) the concept of “Threat Scenario”. This, of
course, is an advance in the representation of systems that could be adapted for the
description of several interacting systems. Nevertheless, this was not the intention of the
authors and represents only a possible adaptation of the methodology. Masera and Nai
Fovino in three correlated works [12, 13, 14], present an approach based on the concept
of system–of–systems, that preserves the operational and managerial independence of
the components while capturing at the same time the concept of relationship among
components, services and subsystems. In the present work we adopt as starting point such
approach (summarized in a deeper detail in the following section).
Finally, security assessment needs to consider attack scenarios. There exist several
methods used to describe security information related to malicious acts. Historically the
first approach in that sense was related to the creation of vulnerability databases (of
which Bugtraq [15] is an example). However, they are basically focused on the
description of vulnerabilities, lacking completely (but that isn't their goal) the description
of the means and ways by which they can be exploited by attacks. The most promising
approach capturing the latter characteristic is the Graph Based Attack Models [16]. In this
category two can be considered the main modeling approaches: Petri Net based Models
and Attack Trees models. A good example of the first category is the Attack Net Model
introduced by McDermott [28] in which the places of a Petri Net represent the steps of an
attack and the transitions are used to capture precise actions performed by the attackers.
The second approach (attack trees), proposed originally by Bruce Schneier [17] is based
on the use of expansion trees to show the different attack lines that could affect a system
describing their steps and their interrelationships. Such an approach has been extended by
Masera and Nai [18] by introducing the concept of Attack Projection. In the present paper
we adopt such attack representation as reference.
Preliminary Environment Definitions
A risk assessment of ICT industrial infrastructures requires two types of
characterizations, which we denominate Security Definitions and System Definitions. In
what follows we give some preliminary description of such concepts.
Security description
This refers to security-related concepts such as threat, vulnerability, attack and risk.
More in detail, Threat, as defined in [19] and in the Internet RFC glossary of terms, is a
potential for violation of security, which exists when there is a circumstance, capability,
action, or event that could breach security and cause harm. A Vulnerability, by definition
[21][22], is a weakness in the architecture design/implementation of an application or a
service. As direct consequence, an Attack can be identified as the entire process
implemented by a Threat Agent to exploit a system by taking advantage of one or more
Vulnerabilities. Finally, as a summary of the previous definition, a Risk, according to the
ISO/IEC 17799:2000 [20], may be defined as the probability that a damaging incident is
happening (when a threat can be actualized by exploiting a vulnerability), times the
potential damage.
System description
This refers to all the concepts required for system modeling, as the definitions of system,
sub-system, component, service etc. Every system can be defined as a collection of
entities collaborating to realize a set of objectives [23]. For an inheritance principle, such
definition is true also for the concept of sub-system. Masera and Nai in [12, 13] define a
component as an atomic object able to fulfill actively or passively defined tasks and the
services as tasks performed by components or sub-systems (such services can be “on
request”). Moreover the same authors define the concept of dependency among
components and sub-systems (e.g. a system object A depends from a system object B if B
is required by A in order to reach its mission) and, in [13] the concept of information flow
as a set of point-to-point relationships describing the whole life cycle of an information
item. Finally in [25] an Asset is defined as any element (in the more general sense of the
term) with value to the relevant stakeholders of the related system. As the loss (or at least
the impairment) of an asset will negatively affect that value, the objective of security
management is to appropriately protect them. Therefore assets are the security-relevant
entities of the system because (a) their destruction, inability to perform its intended
functions, or disclosure to unauthorized agents cause a detrimental effect, (b) malicious
threats agents might have an interest in targeting them, (c) they can be exposed to
malicious actions by vulnerabilities and faults of the components or by errors of the
operators of the system.
An Asset could take two main forms: an internal set of components whose loss will cause
detriment to the owner/operator of the system, or an external service supplied to users of
the system. For example a costly component or a set of sensitive data could be examples
of internal assets. A control function is an example of external asset. The type of assets
that distinguishes IT-based systems from physical systems are of course “Information
Assets” - Masera and Nai [13] proposed an approach for their description.
The Service oriented Paradigm
Beyond the basic description of components, vulnerabilities, attacks etc., we see the need
for a paradigm assisting in the interconnection of the different elements that need to be
analyzed. One has to identify and examine, for example, the potential effect that a
vulnerability affecting a component might have on the whole system (e.g. on the business
objectives of a certain industrial facility). As the elements to be considered in a “systemof-systems” situation are manifold, a key challenge is to avoid an excess of data that will
hamper the analysis by obfuscating the most significant aspects.
For dealing with this question, we make use of the concept of Service – see [12,13]. In
this light, objects in a system are producers/consumers of services. This concept allows
generating a very detailed description of the relationships and of the dependence
mechanisms, which are at the basis of the security relevant issues of infrastructural
systems. More in detail:
Definition: we define a service as a tuple s =< name , description, ID, sdr > where
name identifies the service, description gives a brief functional description of the service
and ID is the identifier of the “producer of the service” and sdr represents the information
on the dependencies of the service (i.e. “in order to fulfill its duty the service x needs the
direct support of the services k,z,m”).
The concept of service has its complement: Disservice, the lack of provision of the
service. The concept of disservice is used in the field of dependability, but its importance
has been not yet captured in the field of ICT security assessment.
Applying a service-oriented description, the system assumes a “network” aspect. Every
component and subsystem is directly or indirectly interconnected –by what we call
“Service Chains”– with all of those components/subsystems which are in some way
necessary for the proper provision of its intended services.
Regarding Assets, it is possible to describe them as a mix of internal and external services
– more than just a set of hardware and software elements. This is a more operative
approach that permits linking the system and the security descriptions of a system.
Information, components and subsystems provide or require services to other
information, components and subsystems – and certain services coalesce through service
chains in elements of specific value for the system’s stakeholders: these are the system
assets. To clarify the concept, let’s consider the following example: a system X provides
to external customers an Information Service IS (e.g. a power plant supplies data on the
energy produced). Such service is performed by means of a Web Application Service
(WAS) at the subsystem level. The data forwarded to the customers are stored in a
database, which provides a Storage Service (SS). Such data are the results of computation
based on the information retrieved by remote Field Sensors which provide a Field
Monitoring Service (FMS).The high-level service IS, is linked to WAS in a functional
way. Moreover there exists an information flow link between WAS and SS, and between
SS and FMS. In other words, there exists an indirect service link between IS, WAS and
FMS. Such set of links, showing how, for instance, a failure of FMS could have an effect
on IS, present a good example of service chain.
As in [14] we can define a service relation as follows:
Definition: a system Sn is defined as a set Sn={s1.. .sn, desc} where s1.. .sn are services
provided by Sn and desc is the general description of the system. Without loosing
generality we can describe a subsystem and a component in the same way.
Definition: Let SoS = {Sa, Sb,…, Sn} be the set of the systems/subsystems/components in
SoS, let Serv be the set of all the services of SoS, a service dependency record is a tuple
sdr =< s, s id , inset, outset, lf > , where s is a service, Sid is the identifier of a
system/subsystem/component Sa in SoS (which “produces” the service), Inset where
Inset = {< d , w >| d ∈ Serv , w ∈ ℵ} represents the collection of the services directly
contributing to the realization of the service, with an associated relevance w; lf represents
a second order logic expression describing, combined with the weights w of Inset, how
and with which relevance the contributing services are logically linked. For instance the
provision of service A requires the combination of services B, C and D, with a logic
[(wb.B ∧ wc.C ) ∨ wd .D] . Finally Outset is the list of services to which the service s directly
provides a contribution.
Applying this to a SoS, we are then able to reconstruct all the links among services. We
call this the “service chain” of the object under analysis. This is an oriented graph
describing the direct and indirect links among all services provided by and within that
SoS. From a security perspective, what is important is to use these service chains to
recognize all the dependencies that play a role in a security event (e.g. propagation of
failures, cascading effects, etc.). As defined in Masera [26], a “security” dependency
situation exists when there is a relationship between two systems A and B, such that, an
internal fault in B, can be propagated through a chain of faults, errors and failures onto
system A. In such case, taking inspiration from Avizienis et al. [27], we can speak of
Pathological Chains.
Pathological chains can be caused by (a) accidental events due to internal faults or human
errors, or (b) malicious attacks. Since every component in our system description has
associated a set of known vulnerabilities (i.e. the vulnerabilities which, with a certain
plausibility y may affect a target component), we can enrich the description of the
pathological chain adding the information related to the vulnerabilities. In this way, the
appraisal of service chains considering dependencies and vulnerabilities result in what we
call vulnerability chains. The introduction of these chains brings three main advantages:
1. It allows identifying which low level vulnerabilities (associated to low level
components) can have an effect on high level services (typically the services
provided by the system to the external world).
2. It allows capturing the potential non-negligible side effects of any identified
vulnerability.
3. It constitutes the glue that links the system description knowledge (components,
services, assets etc.) with the security knowledge (vulnerabilities, attacks, threats)
Fig. 1 Example of Vulnerability Chains
Service Oriented Vulnerability Analysis Process
By adopting the description paradigm presented before, it is possible to identify which
low level vulnerabilities (i.e. affecting low level component) can have a negative security
effect on the Assets.
Basically the approach is the following:
1. For each asset all dependencies are computed (we remember here that an asset
can be composed of physical and logical subsystems, services and components).
2. For each element in the asset, we retrieve the services it provides.
3. By exploring the service relationships associated to every service (while taking
care of possible cyclic dependencies), we can identify all the low level
components which in some way contribute to the service.
4. We associate the vulnerabilities which may potentially affect the low level
components, to the Asset.
Applying this procedure, we are then able to identify which vulnerability, associated to
which component, can have an impact on the assets, and of which nature. This overall
knowledge will allow analyzing the effects of threats and attacks, and deciding on the
effectiveness of current policies, benchmarking potential solutions, running security
scenarios, etc. In our approach, vulnerabilities are classified according to their estimated
relevance following an identification of potential threats. In figure 2 the high level pseudo
language code of the procedure is shown.
Input: the set of System Assets (SA) Output: the set SA enriched with information related to the vulnerabilities associated
Main
{
Select Asset from SA
For each element i in Asset do
J=i
If i is a service then J=service.ID
Inspect (J)
}
Function Inspect (J)
{
If check_cycle(J)=false
then
if J.vulnset ≠ ø then Asset.vulnset=Asset.vulnset+J.vulnset
for each service provided by J
{
sdr=retrieve s.sdr
for each service in s.sdr.inset Inspect(s.sdr.inset.ID)
}}
Figure 2: Asset-Vulnerability association pseudo-code
Service Oriented Threat Assessment Process
Determining the vulnerability of a system is not enough. It is then required to analyze
which threats might exploit the identified vulnerabilities. We propose to expand the
security analysis process, described by Masera and Nai in [25] into a Service-oriented
Threat Assessment Process. The objective of this process is to determine which
vulnerable assets are exposed to different types of threats, taking into consideration the
vulnerability chains.
Usually when this kind of analysis is applied to relatively small systems, it is solved by
assigning known threats to possible target assets, on the basis of some, usually not well
documented, hypothesis made by the analyst. But this approach, apart from not being
systematic, says nothing about the proportion of security situations being considered from
the total of negative possible events.
Threat analyses can be improved by using the information derived from the previous
vulnerability analysis. A threat is relevant only if there is the real possibility to realize it.
In the assessment, ICT threats have to be correlated to assets which, from the
vulnerability viewpoint, can be affected by them. Similar to the approach presented in the
previous section, a “service oriented” threat analysis is as follows:
1. From the set of assets, only the sub-set of assets affected by significant
vulnerabilities (as resulted from the previous vulnerability analysis) is selected.
2. For each element of the subset of vulnerable assets, the subsystem services
involved are identified.
3. The hypothesized threats (derived from some parallel identification of plausible
threats, applicable to the type of system under analysis) are instantiated and
correlated to the previously identified subsystem services (as explained in Masera
and Nai, [25], an effective way of conducting this analysis is to assign threats only
to subsystem services).
4. By exploring the service dependencies and relationships, it is verified which
threats can propagate their effects to the vulnerable assets.
In this way, not only we are able to obtain a more focused, motivated and documented set
of “threatable” subsystem services, but we demonstrate how threats can affect services
and therefore assets, directly by targeting components, or indirectly by effects onto
correlated assets, which will propagate through the service dependency chains.
Service Oriented Attack Analysis
The process of Attack Analysis is devoted to the identification of the potential attacks
that can be successfully developed by the previously identified threats. The validation of
the possibility that an attack take place against a target system is not a simple task,
especially in the case of complex and large systems.
Attack trees are becoming a normal means for representing the steps and the conditions
required to carry out an offensive action against some vulnerable assets. However, attack
trees usually are too abstract, in the sense that they refer to types of components. For the
validation of attacks, attack trees have to be instantiated for the specific elements and
characteristics of the system under analysis. This requires the consideration of all
interconnections and relative interdependencies, as most attacks require the combination
or concurrency of two or more vulnerabilities, and potential alternative paths.
An attack validation conducted without such kind of knowledge will either produce a
large number of false positives (i.e. attacks considered valid, but not really exploitable),
or will discard potential attacks deriving from vulnerabilities coupled in unobvious ways.
The information derived from the service oriented analysis give us the possibility to
mitigate those problems by focusing the examination of the attacks onto the vulnerable
disservice chains. In other words, by applying these types of knowledge to the disservice
chains, we are able to identify whether there is some connection between vulnerable
components that is attackable by one of the verified threats. All other chains must be
considered safe with respect to the effects of potential attacks. The attack validation in a
service oriented perspective proceeds as follows:
1. The attacks that can be associated to the verified threats are identified and
presented as hypothesis to be validated
2. For each verified threat, the associated subsystems and all the respective
relationships are identified
3. The attack trees associated to each verified threat are validated applying existing
information about the disservice chains, the dependency relationships and the
possible conditional assertion (i.e. assertions describing some additional
conditions needed in order to realize the attack) associated to such objects.
4. The attacks validated are used for computing the potential impact on the assets,
taking into consideration all direct or indirect effects from the affected
subsystems.
In this way we identify the possible set of successfully realizable attacks, examining of
only those candidates those are vulnerable, diminishing the number of false positives.
Preliminary Results and Conclusions
In order to test the performance, quality and benefits of the approach presented, we
developed a software tool named InSAW (Industrial Security Assessment Workbench),
implementing the analysis steps presented in this work (system description, vulnerability
assessment, threat assessment, and attack assessment) plus an additional phase related to
the final overall risk assessment. From a technical point of view, the tool is based on a
MSSQL relational DB, with an intermediated object oriented layer based on Hibernate
and on a set of modular analysis engines developed using the Microsoft .Net technology.
The test phase has been conducted as follows:
1. Selection of a set of industrial study cases (remote control of primary substations,
control of power plant), and performance of security assessments using our
methodology with desktop tools.
2. Application of the InSAW tool, with an automatic determination of
service/disservice chains and related computations of vulnerability, threat and
attack analysis (there is of course the need to previously input a whole description
of the target system).
3. Comparison of the results between the manual and the automatic analyses.
Although this is a preliminary set of tests, since their number is limited, the results (some
of which can be found in [29]) are promising and allow us to extrapolate some
considerations:
1. The service oriented approach provides the analyst with a better and more
comprehensive understanding of the relations, connections and dependencies
among the different components of the system
2. The vulnerability and threat assessments benefit from the analysis of the service
dependencies as it is possible to identify side-effect connections between
vulnerabilities and assets which cannot be easily noticed with manual means.
3. The service oriented approach extremely augment the precision of the attack
validation, as each attack step can be related to all relevant aspects that might
influence it.
In conclusion, in this paper, after a presentation of the state of the art, we introduced a
new approach to the assessment of infrastructural system security, having as core the
concept of service and the description and analysis of the service dependencies. The
concept of service facilitates the correlation between the information about the system
and the considerations made on the possible security impairments of the system. The
proposed assessment approach proceeds by combining the different types of links among
the components of the system. Moreover, the whole framework, as described shortly in
this section has been fully implemented in a software tool. Automating assessment
procedures is of undoubtedly value for analysts, mainly in consideration of the dynamic
nature of security events, with the need to consider endless flows of new information on
vulnerabilities, threats, attack exploits and countermeasures. In the future we plan to
conduct an extensive testing phase in order to strongly verify the correctness of the
approach proposed and to present the detailed results obtained in a dedicated paper.
Moreover we plan to link such approach with other security-relevant activities, such as
early warning, diagnostics and information exchange.
Bibliography
[1] M. Keeney, E. Kowalski, D. Cappelli, A. Moore, T. Shimeall, S. Rogers. “Insider
Threat Study: Computer System Sabotage in Critical Infrastructure Sectors”. CMU,
May 2005.
[2] G. Stoneburner, A. Goguen, A. Feringa. “Risk Management Guide for Information
Technology Systems”. Special publication 800-3, National institute of Standards and
Technology.
[3] Frank Swiderski and Window Snyder. “Threat Modeling”, Microsoft Press 2004.
[4] E. Bertino, D. Bruschi, S. Franzoni, I. Nai-Fovino, and S. Valtolina. “Threat
modelling
for
SQL
Servers”.
Eighth
IFIP
TC-6
TC-11
Conference
on
Communications and Multimedia Security (CMS 2004), September 2004, UK,
pp189-201.
[5] C. Alberts A. Dorofee “Managing Information Security Risks: The OCTAVE (SM)
Approach”, July 2002, Addison Wesley Professional
[6] Folker den Braber, Theo Dimitrakos, Bjørn Axel Gran, Ketil Stølen, Jan Øyvind
Aagedal, “The CORAS methodology: Model-based risk management using UML and
UP”, in UML and the Unified Process. IRM Press, 2003.
[7] “Microsoft Security Assessment Tool” https://www.securityguidance.com/
[8] “Citicus ONE”. http://www.citicus.com
[9] A. Jones, D. Ashenden “Risk Management for Computer Security : Protecting Your
Network & Information Assets” . Elsevier, March 2005
[10] International Standard (ISO/IEC) 17799:2000 - Code of Practice for Information
Security Management
[11] Braber, F., Dimitrakos, T., Gran, B.A., Stølen, K., & Aagedal, J.O. (2003). The
CORAS methodology: Model-based risk management using UML and UP. in UML
and the Unified Process. IRM Press.
[12] Masera, M. & Nai Fovino, I., Models for security assessment and management. In
proceeding of the International Workshop on Complex Network and Infrastructure
Protection, 2006.
[13] Masera, M. & Nai Fovino, I. (2006). Modelling Information Assets for Security
Risk Assessment in Industrial settings. 15th EICAR Annual Conference
[14] Nai Fovino, I. & Masera, M. (2006). “Emergent Disservices in Interdependent
Systems and System-of-Systems”. In proceeding of the IEEE Conference on Systems,
Man and Cybernetics, October 8-11 2006, Taipei.
[15] Bugtraq vulnerability database. http://securityfocus.com
[16] Steffan, J., Schumacher, M.: Collaborative attack modeling. In proceeding of the
Symposium on Applied Computing, Madrid, Spain (2002) pp. 253 – 259
[17] Schneier,
B.:
Modeling
Security
Threats,
Dr.
Dobb's
Journal.
https://www.schneier.com/paper-attacktrees-ddj-ft.html (2001).
[18] Nai Fovino, I. & Masera.M (2006). "Through the Description of Attacks: a
multidimensional View". In proceeding of the 25th International Conference on
Computer Safety, Reliability and Security 26-29 September 2006 Gdansk, Poland
[19] Jones, A., Ashenden, D.(2005). “Risk Management for Computer Security :
Protecting Your Network & Information Assets”. Elsevier (March 2005).
[20] Code of Practice for Information Security Management. International Standard
(ISO/IEC) 17799:2000.
[21] Alhazmi, O., Malaiya, Y., & Ray, I. (2005). “Security Vulnerabilities in Software
Systems: A Quantitative Perspective”. Lecture Notes in Computer Science, Volume
3654/2005. (2005) Publisher: Springer-Verlag GmbH.
[22] Bishop, M. (2004). “Computer Security Art and Science” (November 2004)
AddisonWesley.
[23] IEEE Std 610.12-1990, IEEE Standard Glossary of Software Engineering
Terminology
[24] Code of Practice for Information Security Management. International Standard
(ISO/IEC) 17799:2000.
[25] Masera, M. & Nai Fovino, I. (2005). “A framework for the security assessment of
remote control applications of critical infrastructures”, ESREDA 2005.
[26] Masera, M. (2006). “Interdependencies and Security Assessment: a Dependability
view”. In proceeding of the IEEE Conference on Systems, Man and Cybernetics,
October 8-11 2006, Taipei.
[27] Avizienis, A., Laprie, J.C., Randell, B. and Landwehr, C. (2004). “Basic Concepts
and Taxonomy of Dependable and Secure Computing”. IEEE Tr. On Dependable and
Secure Computing, Jan–March 2004 (Vol 1, No. 1), pp 11–33.
[28] McDermott, J. (2000). “Attack Net Penetration Testing”. In The 2000 New
Security Paradigms Workshop (Ballycotton, County Cork, Ireland, Sept. 2000), ACM
SIGSAC, ACM Press, pp. 15-22.
[29] Dondossola, G., Szanto, J., Masera, M. and Nai Fovino, I. (2006). “Evaluation of
the effects of intentional threats to power substation control systems”. In proceeding
of the International Workshop on Complex Network and Infrastructure Protection,
Rome, 2006.