2 Part II: Models and Defensive Mechanisms


As with any other element of the Critical Infrastructures, protecting the Critical Information Infrastructure, particularly against deliberate attacks, cannot rely on reactive defence mechanisms, and it is limited in its ability to extrapolate current and future threats from historical data, even for accidents and natural disasters, since the information infrastructure's rate of change is likely to invalidate such conclusions rapidly. A major element of research on critical infrastructures, and also on the CII, has therefore focused on model-building and, to a lesser extent, on the validation of such models. Such models are crucial not only in identifying high-level interactions whose strength, or even existence, is not obvious, but can also be employed in exploratory settings. This can occur either systematically, exploring parts of the parameter space, or in the form of targeted exercises and scenarios that allow a more fine-grained investigation not only of the behaviour of the Critical Information Infrastructure, but also of the entities interacting with it.

Overview of Critical Information Infrastructure Protection 7
The chapter by Svendsen and Wolthusen provides a high-level survey of some of the most significant and influential strands of research on modelling and simulation of critical infrastructures. Such models typically include or are focused on the CII, but may also extend further and incorporate other sectors that have an impact on the CII. Moreover, similar to the hierarchy of strategic considerations found by Dunn Cavelty and Suter, modelling techniques span a very broad range of abstraction levels, ranging from qualitative models describing national or even supranational entities on a sector-by-sector basis for the purpose of qualitative analyses of resilience or macro-economic effects to highly quantitative models of smaller-scale effects. The chapter therefore seeks to provide at least reference models sampled from this broad spectrum. These include, at the qualitative level, economic models such as Input-Output models but also models of interacting entities such as those based on System Dynamics. Although limited in their predictive ability, such models are valuable as aids to understanding dependencies and interactions, particularly for more complex models that cannot be understood easily without the support of simulation environments. Characterising or even predicting the behaviour of threat agents as well as neutral or friendly entities interacting in the CI(I) domain is, however, a highly desirable objective that has recently gained attention and is modelled using game-theoretical and related behavioural techniques in ongoing research that can aid in areas such as defensive resource allocation. A major part of the chapter is, however, devoted to the large body of research on graph-based models of critical infrastructures at different levels, which in turn can range from techniques found in statistical physics to highly accurate domain-specific models. The graph or other combinatorial representation, however, is often crucial in such models to gain an understanding of relations and structural properties that go significantly beyond artifacts and phaenomena arising from particular parameter choices.
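To make the graph-based view of dependencies concrete, the following added example (not a model from the chapter, and not code by its authors) builds a small directed dependency graph between infrastructure sectors and propagates failures through it. The sector names, the edges and the failure rule (a node fails once a given fraction of its providers has failed) are constructed assumptions chosen for illustration; the point is to show the kind of structural question such a model answers, namely which single node's loss cascades furthest, and how strongly that answer depends on the chosen parameter.

```python
"""Graph-based dependency model of a small critical-infrastructure network.

Added illustration, not a model from the chapter: the sectors, the dependency
edges and the failure rule below are constructed assumptions.
"""
from collections import deque

# Directed dependency edges (dependent, provider): "dependent needs provider".
# Constructed sample of CI/CII interdependencies.
DEPENDENCIES = [
    ("telecom", "power"),
    ("scada", "power"), ("scada", "telecom"),
    ("water", "power"), ("water", "scada"),
    ("finance", "power"), ("finance", "telecom"),
    ("hospital", "power"), ("hospital", "water"), ("hospital", "telecom"),
]


def build_graph(edges):
    """Return (providers, dependents): node -> set of upstream / downstream nodes."""
    providers, dependents = {}, {}
    for dep, prov in edges:
        providers.setdefault(dep, set()).add(prov)
        providers.setdefault(prov, set())
        dependents.setdefault(prov, set()).add(dep)
        dependents.setdefault(dep, set())
    return providers, dependents


def cascade(edges, initial_failures, threshold=0.5):
    """Propagate failures breadth-first through the dependency graph.

    Assumed failure rule: a node fails once at least `threshold` of its providers
    have failed (0.5 models partial redundancy; 1.0 means all providers must fail).
    Every dependent is re-examined each time one of its providers fails, so the
    result is the fixed point of the rule regardless of processing order.
    Returns the set of failed nodes, initial failures included.
    """
    providers, dependents = build_graph(edges)
    failed = set(initial_failures)
    queue = deque(initial_failures)
    while queue:
        node = queue.popleft()
        for dep in dependents.get(node, ()):
            if dep in failed:
                continue
            provs = providers[dep]
            if len(provs & failed) / len(provs) >= threshold:
                failed.add(dep)
                queue.append(dep)
    return failed


def rank_single_failures(edges, threshold=0.5):
    """Rank nodes by the number of *other* nodes lost when that node alone fails.
    Ties are broken alphabetically so the result is deterministic."""
    providers, _ = build_graph(edges)
    ranking = [(len(cascade(edges, {node}, threshold)) - 1, node) for node in providers]
    ranking.sort(key=lambda t: (-t[0], t[1]))
    return ranking


if __name__ == "__main__":
    for impact, node in rank_single_failures(DEPENDENCIES):
        print(f"{node:10s} loss of this node alone takes down {impact} other node(s)")
```

Running the ranking with `threshold=0.5` and again with `threshold=1.0` illustrates the chapter's caveat about artifacts of parameter choices: with partial redundancy modelled, losing `telecom` cascades to four further sectors, while under the all-providers-must-fail rule the same loss cascades to none. Conclusions about which node is critical therefore need to be checked across the parameter space rather than read off a single run.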
The following chapter of this part, by Raciti, Cucurull and Nadjm-Tehrani, focuses its attention on Water Management Systems, as water quality has recently received considerable attention from the security research community. The authors argue that real-time monitoring of water quality requires analysis of sensor data gathered at distributed locations, as well as the subsequent generation of alarms when quality indicators indicate anomalies. In these infrastructures, event detection systems should produce accurate alarms, with low latency and few false positives. In this sense, the chapter shows how an existing learning-based anomaly detection technique is applied to the detection of contamination events in water distribution systems. The authors' initial hypothesis is that the clustering algorithm ADWICE, which has earlier been successfully applied to n-dimensional data spaces in IP networks, can also be deployed for real-time anomaly detection in water management systems. The chapter describes the evaluation of the anomaly detection software when integrated in a SCADA system that manages water sensors and provides data for analysis within the Water Security initiative of the U.S. Environmental Protection Agency (EPA). The chapter also elaborates on the analysis of the performance of the approach for two stations using performance metrics such as detection rate, false positives, detection latency, and sensitivity to the contamination level of the attacks. The first results, in terms of detection rate and false positive rate, have shown that some contaminants are easier to detect than others. Additionally, the authors discuss the reliability of the analysis when data sets are not perfect, that is, where data values may be missing or less accurate as indicated by sensor alerts.

8 J. Lopez, R. Setola, and S.D. Wolthusen
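The following added example shows the shape of the evaluation described above in working code. It is not ADWICE and not the chapter's software: it uses a simple leader-clustering model (a reading joins the nearest centroid if within a radius, otherwise seeds a new cluster) as a stand-in for a clustering-based detector, then computes detection rate, false positive rate and detection latency over a labelled stream. The sensor names, per-feature scales, training baseline, contamination events, radius and alarm threshold are all constructed assumptions rather than EPA data; the stream deliberately includes a missing sensor value and a fully offline station, and events of different strength, so that the "some contaminants are easier to detect than others" and the imperfect-data points have a concrete counterpart.

```python
"""Cluster-based anomaly detection on water-quality readings, with detection
rate, false positive rate and latency as evaluation metrics.

Added example, NOT ADWICE or the chapter's software. Sensor names, scales,
readings, radius and threshold are constructed assumptions.
"""
import math

FEATURES = ("chlorine_mg_l", "ph", "turbidity_ntu", "conductivity_us_cm")
# Assumed per-feature scale: one distance unit ~ one typical normal fluctuation.
SCALE = {"chlorine_mg_l": 0.1, "ph": 0.1, "turbidity_ntu": 0.2, "conductivity_us_cm": 20.0}


def make_reading(cl, ph, turb, cond):
    return {"chlorine_mg_l": cl, "ph": ph, "turbidity_ntu": turb, "conductivity_us_cm": cond}


def distance(a, b):
    """Scaled Euclidean distance over features present in both readings.
    None marks a missing/unreliable sensor value: it is skipped and the result is
    rescaled so a reading with fewer usable sensors is not artificially close."""
    total, used = 0.0, 0
    for f in FEATURES:
        if a.get(f) is None or b.get(f) is None:
            continue
        total += ((a[f] - b[f]) / SCALE[f]) ** 2
        used += 1
    if used == 0:
        return None  # nothing comparable at all
    return math.sqrt(total * len(FEATURES) / used)


class LeaderClusterModel:
    """Online clustering: a reading joins the nearest centroid if within `radius`,
    otherwise it seeds a new cluster. Training readings are assumed complete."""

    def __init__(self, radius):
        self.radius = radius
        self.clusters = []  # each: {"sum": {feature: float}, "n": int}

    @staticmethod
    def centroid(c):
        return {f: c["sum"][f] / c["n"] for f in FEATURES}

    def nearest(self, reading):
        best, best_d = None, None
        for c in self.clusters:
            d = distance(reading, self.centroid(c))
            if d is not None and (best_d is None or d < best_d):
                best, best_d = c, d
        return best, best_d

    def train(self, reading):
        c, d = self.nearest(reading)
        if c is not None and d <= self.radius:
            for f in FEATURES:
                c["sum"][f] += reading[f]
            c["n"] += 1
        else:
            self.clusters.append({"sum": dict(reading), "n": 1})

    def is_anomaly(self, reading, threshold):
        _, d = self.nearest(reading)
        if d is None:
            return False  # every sensor missing: no evidence, so no alarm
        return d > threshold


def evaluate(model, stream, threshold):
    """stream: list of (reading, contaminated). An event is a maximal run of
    contaminated samples; latency is samples from event start to first alarm."""
    alarms = [model.is_anomaly(r, threshold) for r, _ in stream]
    labels = [c for _, c in stream]
    events, i = [], 0
    while i < len(labels):
        if labels[i]:
            j = i
            while j < len(labels) and labels[j]:
                j += 1
            events.append((i, j))
            i = j
        else:
            i += 1
    detected, latencies = 0, []
    for start, end in events:
        hits = [k for k in range(start, end) if alarms[k]]
        if hits:
            detected += 1
            latencies.append(hits[0] - start)
    normal = [k for k, lab in enumerate(labels) if not lab]
    false_pos = sum(1 for k in normal if alarms[k])
    return {"detection_rate": detected / len(events) if events else None,
            "false_positive_rate": false_pos / len(normal) if normal else None,
            "mean_latency": sum(latencies) / len(latencies) if latencies else None}


def build_stream():
    """Constructed stream: normal readings, two sensor dropouts, three events."""
    normal = make_reading(1.0, 7.2, 0.5, 400)
    stream = [(normal, False)] * 6
    stream.append((make_reading(None, 7.2, 0.5, 400), False))     # chlorine sensor out
    stream.append((make_reading(None, None, None, None), False))  # station offline
    stream += [(make_reading(0.3, 7.2, 2.0, 400), True)] * 5      # abrupt: Cl drop + turbidity
    stream += [(normal, False)] * 4
    stream += [(make_reading(1.0, 7.2, 0.5, 460), True)] * 4      # mild: conductivity only
    stream += [(normal, False)] * 4
    stream += [(make_reading(1.0, 7.2, t, 400), True) for t in (1.0, 1.5, 2.5, 3.0)]  # ramp
    return stream + [(normal, False)] * 4


def run_demo(threshold=3.0):
    model = LeaderClusterModel(radius=2.0)
    for i in range(20):  # constructed baseline with small deterministic fluctuations
        model.train(make_reading(1.0 + 0.02 * (i % 3), 7.2 + 0.03 * (i % 2),
                                 0.5 + 0.05 * (i % 4), 400 + 5 * (i % 5)))
    return model, evaluate(model, build_stream(), threshold)
```

With the default threshold the abrupt event is caught immediately, the ramping event one sample late, and the mild conductivity-only event is missed entirely (detection rate 2/3, no false positives); lowering the threshold to 2.0 catches all three on this data without adding false alarms, which is the trade-off the chapter's detection-rate versus false-positive analysis is about. The two readings with missing values are scored on the sensors that remain rather than discarded or treated as alarms, one defensible choice for the imperfect-data case the authors discuss.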
