Handbook on Securing Cyber-Physical Critical Infrastructure
Ebook, 2,147 pages, 24 hours


About this ebook

The worldwide reach of the Internet allows malicious cyber criminals to coordinate and launch attacks on both cyber and cyber-physical infrastructure from anywhere in the world. The purpose of this handbook is to introduce the theoretical foundations and practical solution techniques for securing critical cyber and physical infrastructures as well as their underlying computing and communication architectures and systems. Examples of such infrastructures include utility networks (e.g., electrical power grids), ground transportation systems (automobiles, roads, bridges and tunnels), airports and air traffic control systems, wired and wireless communication and sensor networks, systems for storing and distributing water and food supplies, medical and healthcare delivery systems, as well as financial, banking and commercial transaction assets. The handbook focuses mostly on the scientific foundations and engineering techniques, while also addressing the proper integration of policies and access control mechanisms, for example, how human-developed policies can be properly enforced by an automated system.

  • Addresses the technical challenges facing design of secure infrastructures by providing examples of problems and solutions from a wide variety of internal and external attack scenarios
  • Includes contributions from leading researchers and practitioners in relevant application areas such as smart power grid, intelligent transportation systems, healthcare industry and so on
  • Loaded with examples of real world problems and pathways to solutions utilizing specific tools and techniques described in detail throughout
Language: English
Release date: Jan 25, 2012
ISBN: 9780124159105
Author

Sajal K Das

Sajal K. Das is a University Distinguished Scholar Professor of Computer Science and Engineering and the Founding Director of the Center for Research in Wireless Mobility and Networking (CReWMaN) at the University of Texas at Arlington (UTA).


    Book preview

    Handbook on Securing Cyber-Physical Critical Infrastructure - Sajal K Das

    Acquiring Editor: Rick Adams

    Development Editor: David Bevans

    Project Manager: Danielle S. Miller

    Designer: Dennis Schaeffer

    Morgan Kaufmann is an imprint of Elsevier

    225 Wyman Street, Waltham, MA 02451, USA

    © 2012 Elsevier, Inc. All rights reserved.

    No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher's permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.

    This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).

    Notices

    Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods or professional practices, may become necessary. Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information or methods described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.

    To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.

    Library of Congress Cataloging-in-Publication Data

    Handbook on securing cyber-physical critical infrastructure / Sajal K. Das, Krishna Kant, Nan Zhang (editors).

          p. cm.

        Includes bibliographical references and index.

        ISBN 978-0-12-415815-3

    1. Computer networks–Security measures–Handbooks, manuals, etc. 2. Computer security–Handbooks, manuals, etc. I. Das, Sajal K. II. Kant, Krishna. III. Zhang, Nan, 1982–

        TK5105.59.H3533 2012

        005.8–dc23

    2011038620

    British Library Cataloguing-in-Publication Data

    A catalogue record for this book is available from the British Library.

    ISBN: 978-0-12-415815-3

    For information on all MK publications visit our website at www.mkp.com

    Printed in the United States of America

    12 13 14 15 10 9 8 7 6 5 4 3 2 1

    To my family – Rupa, Roop and Rivu – for their love and support. – Sajal K. Das

    To Josephine, Ramsey and Rajeev. – Krishna Kant

    To my daughter Evelyn. – Nan Zhang

    About the Authors

    Dr. Sajal K. Das is a University Distinguished Scholar Professor of Computer Science and Engineering and the founding Director of the Center for Research in Wireless Mobility and Networking at the University of Texas at Arlington. During 2008–2011, he was a program director at the NSF. His research interests include wireless and sensor networks, mobile and pervasive computing, smart environments and health care, mobile cloud computing, security and privacy, social networks, and applied game theory. He has published over 500 papers (including 7 best paper awards), 46 book chapters, 5 US patents, and coauthored three books including Smart Environments: Technology, Protocols, and Applications (Wiley, 2005). He serves as the Founding Editor-in-Chief of Elsevier's Pervasive and Mobile Computing journal.

    Krishna Kant is a research professor at the Center for Secure Information Systems, George Mason University, Fairfax, VA. His current areas of research include robustness in the Internet, cloud computing security, and sustainable computing. He has published in a wide variety of areas in computer science and has authored a graduate textbook on performance modeling of computer systems. He received his Ph.D. degree in 1981 from the University of Texas at Dallas and has since held academic positions at Northwestern University and Pennsylvania State University, industry positions at Bell Labs, Telcordia, and Intel, and governmental positions at the National Science Foundation.

    Dr. Nan Zhang is an Assistant Professor of Computer Science at the George Washington University, Washington, DC, USA. Prior to joining GWU, he was an assistant professor of Computer Science and Engineering at the University of Texas at Arlington from 2006 to 2008. He received the B.S. degree from Peking University in 2001 and the Ph.D. degree from Texas A&M University in 2006, both in computer science. His current research interests include databases and information security/privacy. He received the NSF CAREER award in 2008.

    About the Foreword Author

    Dr. Robert F. Brammer is the President and CEO of Brammer Technology, LLC, a consultancy focusing on advanced information technology, environment and climate, and security. He recently retired as vice president for Advanced Technology and chief technology officer (CTO) for Northrop Grumman's Information Systems (IS) sector. In this role, he was responsible for the overall technology strategy and Independent Research and Development programs, technology and research partnerships, technical talent development and intellectual property management. Dr. Brammer has a Ph.D. in mathematics from the University of Maryland, is a member of Phi Beta Kappa and Phi Kappa Phi, and is a Woodrow Wilson Fellow. He has served on advisory boards for the Department of Defense, the National Research Council, the Naval Studies Board, the National Science Foundation, the University Corporation for Atmospheric Research, and NASA.

    Contributors

    Michel Barbeau

    School of Computer Science

    Carleton University

    Email: barbeau@scs.carleton.ca

    Elisa Bertino

    CS Department

    Purdue University

    Email: bertino@cs.purdue.edu

    Gedare Bloom

    Department of Computer Science

    The George Washington University

    Email: gedare@gwmail.gwu.edu

    Richard Brooks

    Holcombe Department of Electrical and Computer Engineering

    Clemson University

    Email: rrb@acm.org

    Julian Bunn

    California Institute of Technology

    Email: julian.bunn@caltech.edu

    Alvaro A. Cardenas

    Email: alvaro.cardenas-mora@us.fujitsu.com

    Mani Chandy

    California Institute of Technology

    Email: mani@cs.caltech.edu

    Yingying Chen

    Department of Electrical and Computer Engineering

    Stevens Institute of Technology

    Email: yingying.chen@stevens.edu

    Diane Cook

    School of Electrical Engineering and Computer Science

    Washington State University

    Email: cook@eecs.wsu.edu

    Ram Dantu

    Department of Computer Science and Engineering

    University of North Texas

    Email: rdantu@unt.edu

    Sajal K. Das

    Department of Computer Science and Engineering

    The University of Texas at Arlington

    Email: das@uta.edu

    Raja Datta

    Department of Electronics & Electrical Communication Engineering

    Indian Institute of Technology Kharagpur

    Email: rajadatta@ece.iitkgp.ernet.in

    Sabrina De Capitani di Vimercati

    Dipartimento di Tecnologie dell'Informazione

    Università degli Studi di Milano

    Email: sabrina.decapitani@unimi.it

    Casey Deccio

    Sandia National Laboratories

    Email: ctdecci@sandia.gov

    Juan Deng

    Holcombe Department of Electrical and Computer Engineering

    Clemson University

    Email: jdeng@clemson.edu

    Mario Di Francesco

    Email: mariodf@uta.edu

    Ehab Al-Shaer

    Department of Software and Information Systems

    University of North Carolina

    Email: ealshaer@uncc.edu

    Yuguang Fang

    Department of Electrical and Computer Engineering

    University of Florida

    Email: fang@ece.ufl.edu

    Matthew Faulkner

    California Institute of Technology

    Email: mfaulk@caltech.edu

    Tim Finin

    Department of CSEE

    UMBC

    Email: finin@cs.umbc.edu

    Sara Foresti

    Dipartimento di Tecnologie dell'Informazione

    Università degli Studi di Milano

    Email: sara.foresti@unimi.it

    Xinwen Fu

    Department of Computer Science

    University of Massachusetts Lowell

    Email: xinwenfu@cs.uml.edu

    Mario Gerla

    UCLA Computer Science Department

    Email: gerla@cs.ucla.edu

    Wenjun Gu

    Department of Computer Science and Engineering

    The Ohio State University

    Email: gu.36@osu.edu

    Yong Guan

    Department of Electrical and Computer Engineering

    Iowa State University

    Email: guan@iastate.edu

    Jun-Won Ho

    Department of Information Security

    Seoul Women's University

    Email: jwho@swu.ac.kr

    Pramod Jagtap

    Amazon.com Inc.

    Seattle, WA, USA

    Email: pramod1@umbc.edu

    Anupam Joshi

    Department of CSEE

    UMBC

    Email: joshi@cs.umbc.edu

    Krishna Kant

    Research Professor

    George Mason University

    Email: krishna.kant@intel.com

    Palanivel Kodeswaran

    IBM India Research Lab

    Bangalore, India

    Email: palani.k@gmail.com

    Narayanan Krishnan

    School of EECS

    Washington State University

    Email: ckn@eecs.wsu.edu

    Eugen Leontie

    Department of Computer Science

    The George Washington University

    Email: eugen@gwu.edu

    Na Li

    Computer Science and Engineering Department

    The University of Texas at Arlington

    Email: na.li@mavs.uta.edu

    Wenjia Li

    Department of Computer Sciences

    Georgia Southern University

    Email: wenjiali@georgiasouthern.edu

    Annie Liu

    California Institute of Technology

    Email: aliu@cs.caltech.edu

    Donggang Liu

    Email: dliu@uta.edu

    Yang Liu

    Email: yangl@iastate.edu

    Wenjing Lou

    Computer Science Department

    Virginia Polytechnic Institute and State University

    Email: wjlou@vt.edu

    Chris Ma

    Advanced Digital Sciences Center

    Illinois at Singapore Pte Ltd

    Email: chris.ma@adsc.com.sg

    C. E. Veni Madhavan

    Department of Computer Science and Automation

    Indian Institute of Science

    Email: cevm@csa.iisc.ernet.in

    Ningrinla Marchang

    Department of Computer Science and Engineering

    North Eastern Regional Institute of Science and Technology

    Email: ningrinla@yahoo.co.in

    Sharad Mehrotra

    Department of Computer Science

    University of California, Irvine

    Email: sharad@ics.uci.edu

    Bhagi Narahari

    Department of Computer Science

    The George Washington University

    Email: narahari@gwu.edu

    Y. Narahari

    Department of Computer Science and Automation

    Indian Institute of Science

    Email: hari@csa.iisc.ernet.in

    Guevara Noubir

    College of Computer and Information Science

    Northeastern University

    Email: noubir@ccs.neu.edu

    Michael Olson

    California Institute of Technology

    Email: molson@cs.caltech.edu

    P. Bera

    Department of Software and Information Systems

    University of North Carolina

    Email: bpadmalo@uncc.edu

    Mayank Raj

    Email: mayank.raj@mavs.uta.edu

    Nageswara Rao

    Science and Mathematics Division

    Oak Ridge National Laboratory

    Email: raons@ornl.gov

    Parisa Rashidi

    Department of Computer and Information Science and Engineering

    University of Florida

    Email: prashidi@eecs.wsu.edu

    Kui Ren

    Department of Electrical and Computer Engineering

    Illinois Institute of Technology

    Email: kren@ece.iit.edu

    Brian Rivera

    US Army Research Laboratory

    Tactical Network Assurance Branch

    Email: brian.rivera1@us.army.mil

    Sandip Roy

    School of Electrical Engineering and Computer Science

    Washington State University

    S. K. Ghosh

    School of Information Technology

    Indian Institute of Technology

    Email: skg@iitkgp.ac.in

    Rei Safavi-Naini

    Department of Computer Science

    University of Calgary

    Email: rei.safav@gmail.com

    Pierangela Samarati

    Dipartimento di Tecnologie dell'Informazione

    Università degli Studi di Milano

    Email: pierangela.samarati@unimi.it

    Rahul Simha

    Department of Computer Science

    The George Washington University

    Email: simha@gwu.edu

    Christopher Smith

    Email: cssmith@gwmail.gwu.edu

    Mark-Oliver Stehr

    Computer Science Laboratory

    SRI International

    Email: stehr@csl.sri.com

    Jinyuan Sun

    Department of Electrical Engineering and Computer Science

    University of Tennessee

    Email: jysun@utk.edu

    Carolyn Talcott

    Computer Science Laboratory

    SRI International

    Email: clt@cs.stanford.edu

    Jin Teng

    Department of Computer Science and Engineering

    The Ohio State University

    Email: tengj@cse.ohio-state.edu

    Nalini Venkatasubramanian

    Department of Computer Science

    University of California, Irvine

    Email: nallini@ics.uci.edu

    Yan Wan

    Department of Electrical Engineering

    University of North Texas

    Email: Yan.Wan@unt.edu

    Xiaohui Wang

    Department of Computer Science

    George Mason University

    Email: xyang3@gmu.edu

    Dong Xuan

    Department of Computer Science and Engineering

    The Ohio State University

    Email: xuan@cse.ohio-state.edu

    Mengran Xue

    School of Electrical Engineering and Computer Science

    Washington State University

    Email: morashu@gmail.com

    Jie Yang

    Department of Electrical and Computer Engineering

    Stevens Institute of Technology

    Email: jyang@stevens.edu

    David Yau

    Department of Computer Science

    Purdue University

    Email: yau@cs.purdue.edu

    Shucheng Yu

    Department of Computer Science

    Donaghey College of Engineering and Information Technology

    University of Arkansas at Little Rock

    Email: sxyu1@ualr.edu

    Wei Yu

    Department of Computer and Information Sciences

    Towson University

    Email: wyu@towson.edu

    Seok Bae Yun

    Holcombe Department of Electrical and Computer Engineering

    Clemson University

    Email: syun@clemson.edu

    Chi Zhang

    University of Science and Technology of China

    School of Information Science and Technology

    Email: zhangchi@ufl.edu

    Nan Zhang

    Department of Computer Science

    George Washington University

    Email: nzhang10@gwu.edu

    Xiaoyan Zhu

    School of Telecommunications

    Xidian University

    Email: xyzhu@mail.xidian.edu.cn

    Foreword

    It is a pleasure for me to write the foreword to this book. The security of critical infrastructure is a significant priority for many countries, and I believe that this handbook can make an important contribution to research and education on this subject by organizing a well-selected collection of fundamental papers of enduring value on vital topics. The editors have done outstanding work in many fields comprising this subject, including wireless communications, data center engineering, sensor network design, and other areas. That work has connected them broadly in the research community and enabled them to be selective for this book.

    As appropriate in a handbook, the editors have taken a comprehensive approach to the subject. There are 30 chapters written by a total of 78 different authors, assuring a breadth of vision and perspective. There is a balanced organization of these chapters into eight major parts. These parts begin with theoretical foundations, including applications of control theory, game theory, system identification, and network modeling to critical infrastructure. The final part comprises six chapters addressing security topics in real-world critical infrastructure systems, including electric power, transportation, health, and telecommunications. In between are the chapters focusing on the themes of security in mobile wireless networks, sensor networks, and technology platforms. Other parts include the essential areas of cloud computing, event monitoring and situational awareness, and policy issues. This organization combined with the depth of the chapters enables the reader to get both a broad view of the field and a deep discussion of critical issues.

    During my career, I have had the opportunity to contribute to several National Academy and Defense Science Board Task Forces whose work focused on homeland security and critical infrastructure. Notable among those was the National Academy Task Force on Science and Technology for Counter-Terrorism in 2001 and 2002 [1]. The work of that group laid the foundation for much of the research on homeland security for the past decade. The scope of this handbook is very consistent with the breadth of issues that we addressed in that study. Of course, these chapters are addressing the current topics like cloud computing and the SmartGrid that are core to today's designs of cyber-physical systems for critical infrastructure.

    One important current example of a cyber-physical critical infrastructure system is the New York City Wireless Network (NYCWiN). Motivated by the events of 9/11 and influenced by the above National Academy study, Northrop Grumman initiated a series of research projects in highly secure mobile broadband networks. One result of this research was Northrop Grumman's selection to build NYCWiN, the first such network for public safety in the world [2]. Its design includes many features to mitigate both cyber and physical threats. That highly secure network became fully operational in 2009, and its cyber-physical system architecture is enabling improvements in traffic control, transportation, public health, and environmental quality, as well as providing communications for emergency response. Some of the key concepts that we developed for that network are discussed in this handbook as topics for future research. I am encouraged to see paths to further developments that will enable future networks with increased functionality and security.

    Our critical infrastructure has tremendous value and drives major segments of the US economy. For example, North American energy assets are worth more than $1T [3]. Despite this asset value and capability for the economy, much of the infrastructure is aging, difficult to maintain, and not competitive internationally. Many organizations have begun to address these strategic national issues [4].

    How we as a nation choose to renew our infrastructure systems in the coming years will help determine the quality of life for future generations. It will also help determine our success in meeting other national challenges, including those of remaining economically competitive, reducing our dependence on imported oil, and dealing with issues related to global climate change, national security, and disaster resilience.

    Many of the approaches to renew our infrastructure systems involve significant uses of advanced information technology and networking. Infrastructure designs with state-of-the-art information technology can deliver lower costs with increased flexibility, functionality, and performance. Moreover, these designs can reduce energy requirements and use environmentally friendly materials.

    However, the large and growing base of cyber threats can significantly reduce the benefits and limit the credibility of these advanced design approaches by exploiting the information technology that yields so many benefits. The cyber threats to our critical infrastructures are far more serious than most people realize [5]. Our current infrastructure is underdeveloped for addressing cyber risk from threats as sophisticated, for example, as Stuxnet [6]. This type of malware can manipulate critical infrastructure and can cause significant damage and destruction. Cybersecurity must be built into the infrastructure to mitigate the effects from such increasingly sophisticated threats [7]. Without it, we will lose much of the potential benefits to be gained from IT investments. Securing new designs for cyber-physical systems in critical infrastructure like electric power (e.g., the SmartGrid), transportation, healthcare, and telecommunications are important examples of such developments discussed in this handbook. These developments make this handbook so important and timely.

    The field of cyber-physical systems has its roots in the work of Norbert Wiener in the development of cybernetics [8]. I worked on many cyber-physical systems in the Apollo Program where we used the results of Wiener's work to build real-time systems for vital operations in many mission phases. We overcame many challenges in technology, operational concepts, quality, and many others to put men on the Moon and return them safely. However, one challenge that we did not have to face is the cybersecurity threat that architects and engineers must address today. The reality of that threat will cause significant changes in research and education programs in the twenty-first century. Architects and engineers working in critical infrastructure design, development, and operations will need a thorough understanding of cyber threats and approaches to mitigate them. This handbook can make significant contributions to the effectiveness of research and education programs required to meet these needs.

    Robert F. Brammer

    President and CEO,

    Brammer Technology LLC

    REFERENCES

    [1] National Research Council, Making The Nation Safer-The Role of Science and Technology In Countering Terrorism, National Academy Press, Washington DC, 2002.

    [2] H. Morganstern. NYCWiN Interoperable Communications—A Report on the New York City Wireless Innovations, in: The Counter Terrorist, September/October 2008.

    [3] R. Anderson, S. Fuloria, Security Economics and Critical Infrastructure, University of Cambridge, Cambridge, UK, 2011.

    [4] National Academy of Sciences, Sustainable Critical Infrastructure Systems: A Framework for Meeting 21st Century Imperatives, National Academy Press, Washington DC, 2009.

    [5] G. Wilshusen, Continued Attention Needed to Protect Our Nation's Critical Infrastructure and Federal Information Systems, United States Government Accountability Office, Testimony Before the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, Committee on Homeland Security, House of Representatives, March 16, 2011.

    [6] E. Byres, What Does Stuxnet Mean for Industrial Control Systems? The Future of Critical Infrastructure Security, www.tofino.com, March 2011.

    [7] R. Brammer, Cyber Security—The Vital Ingredient for Today’s and Tomorrow’s Infrastructure Needs, Energy, Environment, Defense, and Security 2011, Washington DC, May 4, 2011.

    [8] N. Wiener, Cybernetics: Or Control and Communication in the Animal and the Machine, 2nd revised ed., MIT Press, Cambridge, MA, 1961.

    Securing Cyber-Physical Infrastructure: Perspectives and Overview of the Handbook

    I-1 Introduction

    Modern society depends on sophisticated infrastructures to carry out its day-to-day activities. Such infrastructures include buildings (e.g., homes, factories, offices, schools, shopping malls, etc.), utility networks (e.g., electricity, water, gas, sewage, etc.), transportation networks (e.g., roads, railroads and stations, harbors, shipping channels and yards, airports, etc.), transport vehicles (trains, planes, buses, etc.), food and goods distribution networks, healthcare delivery systems, information technology (IT) networks, and so on. Efficient management of these physical and/or cyber infrastructures involves not only sophisticated control systems, but also computing and communication paradigms (see Fig. I-1). Control of large-scale entities such as transportation systems could involve integrated communication, computing and control over wide geographic areas. The IT systems themselves play a dual role in this context: they have an associated physical infrastructure that needs to be configured, managed, and protected, and at the same time the IT infrastructure forms a complex cyber world that helps control cyber-infused physical infrastructures.

    Figure I-1 A view of cyber-physical systems.

    The role of IT infrastructure also extends well beyond the (semi) automatic control of the physical infrastructure. The nearly ubiquitous smart devices (including sensors) and their increasing capabilities allow them to play significant roles in the intelligent control and protection of the physical infrastructure. In particular, these devices can sense vital information (location, speed, noise, pollution, seismic activity, congestion, etc.), perform (possibly with the help of cloud computing) complex computations such as activity recognition, situation awareness, reasoning, and decision making, and ultimately enable humans to effect the desired control or protection over physical infrastructures. This intertwining of physical and IT infrastructures calls for a holistic treatment of cyber-physical systems in terms of control, protection, and security.

    Due to the scale, complexity, and resource limitations, both cyber and physical components of critical infrastructures are vulnerable to a variety of security challenges and threats, such as disruption and damage due to natural disasters or social crises like wars and riots, terrorist activities that deliberately target infrastructure to injure, disrupt, and frighten citizens, and malicious attacks or intrusions with the intent of disrupting communications or stealing sensitive information and records. Furthermore, the worldwide reach of the Internet allows malicious cyber criminals to coordinate and launch attacks on both cyber and cyber-physical infrastructures from anywhere in the world.

    These attack-related security challenges call for effective safeguard techniques for monitoring, detection, and prevention of attacks, as well as recovery from attacks, thereby protecting critical national and global infrastructures. In particular, the main objective of infrastructure security is to deter, avert, and detect both previously known and potential attacks. In addition, when the attack and resultant damage do occur, the security mechanisms should point to appropriate defensive actions to protect unaffected portions of the infrastructure as well as help diagnose, reconfigure, and repair the affected parts. Because both the physical and cyber infrastructures may be attacked and damaged, a coordinated action on both fronts is often necessary, which could be extremely complex.

    Intelligent control of cyber-physical infrastructure requires continuous collection and analysis of data relevant for assessing the state and performance of the infrastructure. An essential component of this data is how people use the infrastructure. For example, in order to optimize energy conversion and distribution in the smart grid, it is essential to learn how households and businesses use energy throughout the day. Similarly, intelligent traffic and congestion management requires information about the commuting habits of people. This brings in serious privacy issues and the potential for leakage and misuse of the information in security attacks. Thus, privacy preservation is also an important goal of security mechanisms. Unfortunately, the goal of privacy preservation directly conflicts with the goal of effective threat monitoring and timely evasive action.

    An essential attribute of intelligent cyber control of physical infrastructure is the availability of additional degrees of freedom and the ability to manipulate the configuration under program control. For example, intelligent, metro-area-wide management of traffic signals requires new capabilities to remotely control the state and duration of traffic lights. Such new capabilities result in additional complexity, new failure modes, numerous opportunities for misconfiguration, and new ways of attacking the infrastructure, often at a much wider scale than in a simpler dumb infrastructure. Similarly, the complex cyber-infrastructure required to manage these capabilities is more likely to suffer from misconfigurations, software bugs, robustness issues, and new attack pathways. This makes a holistic treatment of cyber-physical systems essential, albeit exceedingly complex.

    I-2 Scope of the Handbook

    This handbook is intended to provide comprehensive coverage of the theoretical foundations and practical solution techniques for securing critical cyber-physical infrastructures, including the information technology (IT) infrastructure. Effective security of cyber-physical systems must consider a variety of issues including physical barriers to intrusion/disruption, social and legal deterrents, human behavior and usability aspects, and acceptable privacy norms, in addition to the scientific and engineering solutions. This handbook is primarily focused on scientific and engineering solution techniques, frameworks and applications. Although in many cases such fundamental solutions can be adapted to a variety of socio-legal contexts, those contexts are not specifically dealt with in this handbook.

    To address the scientific and engineering challenges facing the design of secure infrastructures, one must properly understand the limits of cyber-physical systems that may range from largely autonomous systems to those that merely provide useful information for human processing and control. Human–machine interaction is a rich multidisciplinary area, and it is not the intent of this handbook to delve into its challenges. Instead, the handbook is focused on scientific challenges of coping with a wide variety of scenarios that impact the robustness, security or privacy of specific technology, network and system architectures and application areas.

    The existing literature on infrastructure security is scattered across several journals, conference proceedings, and rather narrowly focused books. In contrast, this handbook attempts a comprehensive coverage of foundations in the area of cyber-physical and pervasive infrastructure security. Specifically, it brings together in a systematic way high-quality contributions on the critical challenges, innovative solutions, and foundational techniques for infrastructure protection and security by leading experts in the field.

    I-3 Overview of the Handbook

    The handbook consists of the following eight parts, each of which contains multiple chapters focusing on various aspects in that part. Together, the 30 chapters paint a fairly comprehensive picture of the challenges, tools and techniques for securing critical cyber-physical infrastructure against evolving threats and vulnerabilities. Each chapter ends with discussion on open problems and future research and technology challenges. Each chapter also includes a set of thoughtful exercises that can be used in a classroom setting. Thus the unique treatment of the book would be of considerable interest to researchers, practitioners, professionals, and students. In the following, we present a brief overview for each of the parts and the chapters therein.

    I-3.1 Part I: Theoretical Foundations

    The first part of the handbook consists of four chapters dealing with advanced foundational material in the areas of control theory, game theory, and epidemic theory as they apply to uncertainty management, vulnerability and threat analysis, and worm propagation in securing cyber-physical networks and systems. The focus here is not on basic theory behind private and public key cryptography, or encryption and access control, which are also important but widely covered in many other books and tutorial articles.

    Chapter 1 addresses the interplay of security and vulnerability in analyzing threats and uncertainties in cyber-physical networks. Specifically, from a control theory perspective, this chapter formally defines and characterizes security as an indication of how easily an adversary can identify network dynamics from noisy measurements, and additionally how vulnerability provides an impact measure for an adversary. The proposed formalisms are then applied to air traffic management, a complex cyber-physical system.

    Chapter 2 focuses on game formulations for infrastructure security by analyzing the power of an adversary's intent to obtain more accurate results without compromising other entities' private information. The developed theory is applied to two important infrastructure security applications, namely anomaly detection and anonymous communication.

    Chapter 3 considers game theory as a tool for developing an analytical framework for cyber-physical networks consisting of sensors and computational nodes. In particular, it deals with placement and modality detection of sensors as well as spatial data collection and fusion for the purposes of source localization and trajectory tracking of various environmental phenomena in cyber-physical systems.

    Chapter 4 addresses how to defend against epidemics of worm propagation and associated attacks in cyber-physical infrastructure. It studies worm evolution–interaction process from a system knowledge perspective, as well as the corresponding defensive countermeasures given worm-related knowledge.

    I-3.2 Part II: Security for Wireless Mobile Networks

    Wireless mobile networks are becoming an increasingly integral part of the communication infrastructure required to monitor and control cyber-physical systems. For example, wireless technologies such as WiMAX/LTE (Long Term Evolution) are being considered for monitoring the smart grid in addition to wired technologies such as BPL (Broadband over Power Line). As mentioned earlier, mobile devices enhanced with a variety of sensing and computing capabilities are increasingly being used for applications related to infrastructure security and robustness, such as reporting of attacks, anomalies, or other unusual circumstances. Therefore, the security of wireless networks is crucial in protecting cyber-physical infrastructures.

    There exist a multitude of wireless access technologies including infrastructure-based cellular wireless networks, infrastructureless mobile ad hoc networks (MANETs), 802.11-based wireless LANs, and so on. However, radio frequency wireless communications occur over a broadcast medium, and hence wireless channels are inherently insecure. Indeed, they are prone to eavesdropping and vulnerable to attacks such as jamming, identity-based attacks, spoofing, and Sybil attacks. These attacks can severely affect the operation of wireless mobile networks, and hence resistance against them is essential for the successful use of such networks in controlling cyber-physical systems. Part II of the handbook contains four chapters addressing some of these important challenges and related state-of-the-art solutions.

    Chapter 5 lists a variety of issues and challenges in securing wireless and mobile networks. While reviewing pertinent solution mechanisms from the literature, the chapter addresses how to mitigate security threats to wireless communications (e.g., unauthorized access to a medium and transmission in WiFi or 802.11-based wireless LANs) as well as to supporting mobility (e.g., in mobile IP and location tracking). The underlying techniques are based on cryptography.

    Chapter 6 provides an overview of current design principles for building robust wireless infrastructure in adversarial settings. Through case studies (cellular and wireless LAN), this chapter demonstrates that cross-layer attacks and virtually undetectable denial-of-service attacks are possible in today's wireless infrastructure. It then covers schemes to protect against insider and outsider attacks, cryptographic and coding-based protection mechanisms, and key assignment for robust broadcast, as well as a game-theoretic approach to dealing with adaptive attackers.

    Chapter 7 deals with security challenges in MANETs and categorizes the types of attacks as active and passive, depending on whether an attack disrupts the network protocol functions or merely extracts vital information. After introducing various schemes for certification authorities, key management and distribution, several popular techniques for securing routing protocols in MANETs are presented in this chapter.

    Chapter 8 provides an overview of the feasibility of launching identity-based attacks in wireless networks and their impact on network performance. It describes existing schemes to prevent such attacks through cryptographic authentication. This chapter also presents new studies that utilize unique properties of wireless systems and exploit domain-specific information to defend against identity-based attacks. The domain-specific information includes the location of communicating devices, radio propagation characteristics, and properties of the medium access control (MAC) layer.

    I-3.3 Part III: Security for Sensor Networks

    Wireless sensor networks (WSNs) provide an indispensable sensing and actuation platform in a wide variety of cyber-physical infrastructures and systems, such as smart metering of electric grids, distance and speed monitoring of vehicles in transportation systems, environment and health monitoring, security and surveillance, early warning systems and disaster management, and so on. WSNs, along with auxiliary computation facilities such as clouds, can help integrate sensing, communication, computation, and control functionalities. However, sensor networks with limited resources (e.g., CPU, storage, energy, wireless bandwidth) are known to be vulnerable to various attacks that could impair normal operations. A major security issue with WSNs is that sensor nodes are often unattended and could be physically captured and compromised by an adversary. The captured nodes could then be used to launch a variety of attacks, some of which may be very difficult to detect and isolate. Other WSN attacks include an adversary simply monitoring a node's communication patterns and then draining its battery or overwhelming it. Therefore, there is a great demand for efficient and effective defense mechanisms to protect WSNs.

    In hostile situations, it is critical to enforce network access control to ensure sensory data integrity, availability, and confidentiality. Chapter 9 discusses two practical, efficient, and distributed access control methods in WSNs. One of the methods uses only symmetric cryptographic operations, whereas the other applies public key cryptography.

    Chapter 10 deals with how to defend WSNs against physical attacks and introduces the associated challenges. It also presents a sacrificial node-based defense mechanism in which a few sensors purposefully perform the tasks of attacker detection and attacker information propagation in order to save other sensors, at the expense of themselves being detected and destroyed by the attacker.

    Chapter 11 describes a robust framework for detection and isolation of limited and wide-spread attacks in static and mobile WSNs. In the limited attack, an attacker physically captures a few nodes, compromises them, and moves them to multiple locations to evade detection. In the wide-spread attack, on the other hand, an attacker can generate many replicas of a few compromised nodes and widely disseminate them over the network. This chapter describes how to combat such attacks by developing efficient mechanisms for detecting node compromises as well as node replicas.

    I-3.4 Part IV: Platform Security

    All mechanisms for securing protocols, applications, and user data depend on three fundamental assumptions: (a) the hardware itself is not bugged and does not contain Trojan logic that steals information, updates or perturbs it clandestinely, or interferes with the correct execution of the program logic; (b) the basic software tools such as compilers, runtime systems, drivers, etc. function as expected and do not compromise the higher-level software; and (c) the system is not compromised during boot-up or at runtime. If any of these assumptions does not hold, mechanisms implemented to secure individual protocols or applications may be suspect. Therefore, the part on platform security addresses three fundamental areas: (a) ensuring that the hardware does not harbor Trojan logic (or circuits), (b) ensuring the integrity of software and the exploitation of compiler techniques in this regard, and (c) hardening the system against compromise and providing a trusted computing base.

    Topics (a) and (c) are addressed in Chapter 12, whereas topic (b) is addressed in Chapter 13. In particular, Chapter 12 discusses the issue of detecting Trojan circuits, watermarking/fingerprinting the hardware, architectural support to detect attacks and to secure the execution, and using software to check hardware.

    Chapter 13 discusses watermarking techniques for software, software obfuscation (which tries to make the code unintelligible), techniques to ensure that the code integrity is preserved, and information flow tracking and verification mechanisms.

    These hardware and software techniques can result in systems that are much harder to attack successfully and thus simplify the job of securing individual applications.

    I-3.5 Part V: Cloud Computing and Data Security

    In critical cyber-physical infrastructure, significant security concerns often arise from data processing and transmission. In particular, large amounts of sensitive data may need to be protected when transmitted or hosted at a data center that may not be entirely trusted to protect the confidentiality or integrity of the data. Moreover, certain components of sensitive data may have to be published to agents without full access rights to the data, such as aggregate information of a dataset for report generation purposes, without divulging the values of individual (sensitive) tuples.

    Part V consists of four chapters on securing the transmission, processing, and publishing of large amounts of security-sensitive data. The chapters also cover various data encryption and perturbation techniques as the underlying primitives for protecting data security and privacy.

    Chapter 14 deals with the first issue – that is, the transmission of security-sensitive data. In particular, it considers the problem of data outsourcing, the security concerns it incurs, and how to mitigate the concerns through a multitude of data transformation techniques, for example, encryption, perturbation, as well as access control techniques. By leveraging these techniques, this chapter covers not only the protection of data confidentiality, but also the assurance of data integrity in storage and query processing.

    Chapter 15 addresses the second issue – that is, how to ensure security when data are processed in private and public clouds. In particular, it discusses a comprehensive set of security issues for generic cloud computing systems, outlines the types of data to be protected as well as the potential attacks that an adversary may launch to compromise data security, and reviews a number of necessary security services and mechanisms required for enforcing data security. This chapter also summarizes the state-of-the-practice security mechanisms adopted by real-world cloud computing service providers such as Amazon Web Services, Microsoft Windows Azure, and Google App Engine.

    Chapter 16 also addresses the problem of data security in cloud computing. However, unlike the previous chapter, this chapter focuses on a specific type of cloud computing system: those composed of mobile devices. Note that mobile cloud computing systems are especially suitable for cyber-physical infrastructures because of the versatility and portability offered by such systems. This chapter first explains why data security is the most important obstacle preventing the wide adoption of mobile cloud computing systems. Then, it describes a number of security mechanisms and case studies of using them in real-world applications of mobile cloud computing systems.

    Chapter 17 considers the last issue discussed above – that is, the publishing of security-sensitive data. Specifically, this chapter focuses on the publishing of social network topologies – a problem often arising in cyber-physical infrastructures – to untrusted third parties. The key technical challenge here is how to publish the minimum amount of information that is necessary for the intended purpose of publishing (e.g., mining the topology to identify terrorists). This chapter describes various data perturbation mechanisms that can enable social network publishing without violating the privacy/security of each individual user/vertex in the social network.

    I-3.6 Part VI: Event Monitoring and Situation Awareness

    To properly secure a critical cyber-physical infrastructure, it is important to monitor it comprehensively and recognize interesting and actionable events in real time. Wireless devices and sensors play important roles in monitoring and detecting such events. Furthermore, owing to severe resource constraints on the sensors, the collected data may not be simply sent to a central place for processing; instead, mechanisms to reduce data (e.g., local filtering, aggregation, and simple event detection) and judicious distributed processing to recognize anomalies and patterns become essential. A critical element of event monitoring is situational awareness, so that monitoring, reasoning and control actions can be efficiently managed. Online automated understanding of a situation is a highly desirable yet extremely ambitious goal that involves a large number of research challenges. Part VI (consisting of four chapters) discusses these issues and corresponding solutions.

    Chapter 18 deals with the problem of distributed network and system monitoring. The focus is on addressing the important challenges of using limited memory space and computational resources to process a continuous stream of large amounts of sensory data arriving at high speed. This chapter reviews the existing algorithms that offer bounded running time and small memory footprints – that is, algorithms that are feasible for use in real-time distributed monitoring systems. This chapter also shows various analytical applications that these algorithms enable over a continuous stream of sensory data – for example, online PCA, n-gram analysis, time-decaying aggregation, etc.
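    To make the two stream-analysis primitives named above concrete, here is an added example (written for this overview, not code from the handbook or from Chapter 18) that implements a bounded-memory, time-decaying per-node event counter and a bigram profile of event sequences, then runs both over a constructed sample stream of sensor events. The node ids, event names, half-life and threshold are illustrative assumptions; the stream is not real data.

```python
"""Bounded-memory stream monitoring: exponentially time-decaying counts and
n-gram profiling, run over a constructed sensor event stream (added example)."""
import math
from collections import defaultdict


class DecayingCounter:
    """Per-key counts that decay with a fixed half-life.

    Memory is O(number of distinct keys) and each update is O(1): decay is
    applied lazily, using the time elapsed since the key's last update, so
    no per-event history is stored. Timestamps are assumed non-decreasing.
    """

    def __init__(self, half_life_seconds):
        self.lam = math.log(2) / half_life_seconds
        self.values = {}  # key -> (decayed value, time of last update)

    def add(self, key, t, amount=1.0):
        v, t0 = self.values.get(key, (0.0, t))
        v = v * math.exp(-self.lam * (t - t0)) + amount
        self.values[key] = (v, t)

    def get(self, key, t):
        if key not in self.values:
            return 0.0
        v, t0 = self.values[key]
        return v * math.exp(-self.lam * (t - t0))


# Constructed sample stream: (timestamp in seconds, node id, event name).
# n1 and n2 report every 20 s; n3 suddenly reports six times in six seconds.
SAMPLE_STREAM = [
    (0, "n1", "report"), (10, "n2", "report"), (20, "n1", "report"),
    (30, "n2", "report"), (40, "n1", "report"), (50, "n2", "report"),
    (51, "n3", "report"), (52, "n3", "report"), (53, "n3", "report"),
    (54, "n3", "report"), (55, "n3", "report"), (56, "n3", "report"),
]


def flag_rate_spikes(stream, half_life_seconds, threshold, now):
    """Return node ids whose time-decayed report count at `now` exceeds
    `threshold`. Runs in one pass with memory proportional to the node count."""
    counter = DecayingCounter(half_life_seconds)
    for t, node, event in stream:
        if event == "report":
            counter.add(node, t)
    return sorted(n for n in counter.values if counter.get(n, now) > threshold)


def ngrams(tokens, n=2):
    """All length-n contiguous windows over a token sequence."""
    return [tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1)]


def build_profile(sequences, n=2):
    """Set of n-grams observed in known-normal event sequences."""
    profile = set()
    for seq in sequences:
        profile.update(ngrams(seq, n))
    return profile


def anomaly_score(seq, profile, n=2):
    """Fraction of a sequence's n-grams never seen in the normal profile (0..1)."""
    grams = ngrams(seq, n)
    if not grams:
        return 0.0
    unseen = sum(1 for g in grams if g not in profile)
    return unseen / len(grams)


# Constructed baseline of normal per-node event sequences (assumed, not real).
NORMAL_SEQUENCES = [
    ["boot", "join", "report", "report", "sleep"],
    ["boot", "join", "report", "sleep"],
]
SUSPECT_SEQUENCE = ["boot", "join", "report", "rekey", "rekey", "rekey"]


if __name__ == "__main__":
    # A 30 s half-life makes three reports 20 s apart sum to about 1.3,
    # while six reports within six seconds sum to about 5.2.
    print("rate spikes:", flag_rate_spikes(SAMPLE_STREAM, 30, 3.0, now=60))
    profile = build_profile(NORMAL_SEQUENCES)
    print("suspect score:", anomaly_score(SUSPECT_SEQUENCE, profile))
```

    The decayed count is a cheap stand-in for "events per recent window" that needs no sliding buffer, and the unseen-n-gram fraction flags sequences whose local structure never appeared during training; in a deployment the baseline would be learned from the data, and thresholds tuned to the false-positive rate the operators can tolerate.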

    Chapter 19 addresses the next step – that is, how to discover and track patterns of interest in the input data. In particular, it discusses how to identify input sequences that represent normal behavior, how to exploit machine learning to generate abstract models of such input sequences, and how to detect abnormal behavior. This chapter also describes an implementation of the discussed techniques in a fully automated smart home project that detects anomalies in a person's living environment.

    Chapter 20 considers the construction of a semantics foundation and flexible programming environment in order to enable the human-centric deployment of a robust sensing system that supports hierarchical modeling and reasoning of monitored events. It outlines the major design principles for creating a sensing/monitoring middleware, and also discusses the roles of formal methods and reasoning in the realization of such a middleware framework. A system featuring such a middleware framework, SATWARE, is discussed as a case study in this chapter.

    Chapter 21 considers how a sensing system can detect and respond to rapidly evolving threats such as earthquakes, tsunamis, etc. An important issue here is how to leverage the vast amount of sensors controlled by individual members of the community, e.g., phone sensors controlled by individuals, camera sensors controlled by businesses. This chapter considers three broad categories of threat detection and mitigation tasks: warning of impending threats, responding to disasters immediately after they occur, and characterizing the sensing infrastructure and environment using data measured during normal times. The chapter also compares community-based threat detection/mitigation with the traditional agency-based method, and finds that while the community-based solution often excels in scalability and (low) cost, it also incurs concerns on the privacy of sensor owners and the security of system operation.

    I-3.7 Part VII: Policy Issues in Security Management

    Policy plays an important role in most security management systems, including critical cyber-physical infrastructure. Since policies are specified by the administrators of the system, the specification must consider human factors such as ease of understanding. Policies should also be formally analyzable, so that it is possible to verify policy implementations and detect potential conflicts and inconsistencies. Part VII consists of three chapters on policy issues and configuration management.

    Chapter 22 considers the use of high-level semantic policies to manage the trust relationship among entities involved in a cyber-physical infrastructure, in particular, when detecting, evaluating, and responding to threats. Specifically, it shows how the policies can be used to protect the traditional Internet backbone by automatically configuring BGP (border gateway protocol) routers. It also describes how the same framework can be used to secure information and devices in a mobile network.

    Chapter 23 focuses on security policies for access control. Specifically, it covers several access control models (mandatory, discretionary, role-based, and attribute-based) as well as a number of tools for analyzing access control policies and determining conflicts and redundancies. In addition, this chapter discusses various case studies of using formal methods to support access control as well as security in general. It also outlines the current trend in access control methods, especially in the context of critical cyber-physical infrastructures.

    Chapter 24 addresses the enforcement of security policies. It discusses a formal verification methodology for analyzing various types of security policies and configurations – for example, access control lists, IPSec security policy configurations, etc. In particular, this chapter describes a binary decision diagram-based approach for analyzing IPSec configurations and a graph mining-based approach for analyzing the correctness of access control list configurations.

    I-3.8 Part VIII: Security Issues in Real-World Systems

    Part VIII examines security in several real-world systems. Each of these systems has its own unique attributes, security threats and requirements, and unique challenges in securing it while minimizing loss of privacy. This part of the handbook consists of six chapters dealing with security in three very different cyber-physical systems (smart grid, automobiles, and mobile healthcare delivery), and three cyber systems (Internet infrastructure, vehicular networks, and peer-to-peer telecommunication networks).

    Chapter 25 discusses the security of the smart grid. The key to the success of the smart grid is wide-spread monitoring of energy consumption behaviors, so that energy generation and distribution can be managed intelligently and consumers can be given feedback on how to use energy more efficiently. However, this is fraught with privacy and security risks, which the chapter exposes along with potential solutions.

    Chapter 26 discusses security of automotive systems that deploy increasingly complex embedded computing systems to control a variety of aspects including fuel injection, speed control, smart braking, collision avoidance, fuel efficiency optimization, theft deterrence, equipment monitoring (e.g., tire condition and air pressure), participation in vehicular networks, etc. This increasing sophistication creates ample opportunities for misconfiguration and security attacks. This chapter provides a comprehensive coverage of the vulnerabilities and approaches to making automotive systems more robust.

    Chapter 27 discusses security and privacy issues in mobile healthcare systems. Because of the numerous advantages of maintaining and exchanging healthcare information electronically, healthcare is rapidly moving away from paper-based systems to electronic health record (EHR)-based technologies. The ubiquitous availability of mobile devices has the potential to exploit this and truly revolutionize healthcare delivery to the masses. This chapter presents the design of a security architecture, called HIPS, for EHR systems based on cryptographic tools. The proposed system attempts to provide full privacy for patients and can handle emergency situations.

    Chapter 28 discusses the security and robustness of the current Internet infrastructure, including name resolution and various communication layers. In particular, the chapter discusses the vulnerabilities of both the plain domain name system (DNS) and security-enhanced DNS, and the robustness of interdomain routing under both isolated and large-scale failures. The chapter also discusses the robustness of various other commonly deployed network protocols. As computer systems and networks become more sophisticated and complex, their functionality, performance, reliability, and security are increasingly affected by configuration errors and the attack opportunities these provide. Thus, hardening configuration management and detecting misconfigurations becomes a vital problem, which is also addressed in this chapter.

    Chapter 29 discusses application of vehicular ad-hoc networks (VANETs) to handle disaster and emergency scenarios where the normal communication infrastructure is partially or fully obliterated. The chapter considers two goals: support of emergency vehicles, and establishment of a general purpose V2V (Vehicle to Vehicle) emergency network that can survive large-scale disasters. The emergency vehicle network in this context can be used to provide critical infrastructure to provide access to remote resources, interconnection of multiple rescue teams, urban surveillance, and vehicle evacuation. The security and privacy of such a network and ways to test such networks during normal conditions are also addressed in the chapter.

    Chapter 30 discusses the security of Voice over Internet Protocol (VoIP) telecommunication networks. Such networks offer hackers a number of opportunities to spread spam, steal services and personal information, wiretap illegally, and disrupt communications. The chapter shows that various commercial VoIP services in existence today are vulnerable to exploitation. It then details a variety of attack scenarios and offers solutions for mitigating the vulnerabilities.

    I-4 How to Use The Handbook

    The intended audience of this handbook includes different sectors of the society such as researchers, engineers, professionals, teachers, and undergraduate/graduate students interested in the fundamentals of security in cyber and physical systems, as well as how they apply to important applications in daily lives, such as smart power grid, emergency and disaster management, intelligent transportation systems, healthcare industry, cyber-security, etc. In the following, we list a number of scenarios on how to use this handbook as a text or a reference.

    I-4.1 Advanced Undergraduate or Graduate Course

    We recommend structuring a semester- or quarter-long course on cyber-physical infrastructure security into three major components: theoretical foundations, infrastructure security techniques, and real-world case studies. The first component covers Part I of the handbook. The second component covers Parts II–VII, whereas the last component covers Part VIII.

    Specifically, for a semester-long course, we recommend covering all parts of the book, while leaving Chapters 4, 8, 11, 17, 20, and 24 as optional readings. The real-world applications of interest can be picked from Part VIII as needed.

    For a quarter-long course, on the other hand, we recommend covering Part I, selected chapters from Parts II–VII, and appropriate application areas from Part VIII. The selection of parts and chapters therein depends on the emphasis area of the course.

    Some possibilities include:

    (a) A course on security and robustness of computer networks could involve Parts II (wireless networks) and III (sensor networks), along with Chapters 28 (Internet), 29 (vehicular networks), and 30 (SIP-based VoIP). If needed, this coverage can be augmented with external material on network resilience and dependability.

    (b) A course geared towards security in physical infrastructure could include Chapter 3, Parts III (sensor networks), VI (situation awareness), and VII (policies), and application topics in Chapters 25, 26, 27 and 29. The coverage can be enhanced with additional applications such as security of airports or other public infrastructures.

    (c) A course geared towards security in cyber-infrastructure could include Parts IV (platform security) and VII (policies), Chapters 15 and 16 (cloud computing), and application Chapters 28 and 30. Additional coverage could include physical security in data centers and other IT infrastructure.

    I-4.2 A Training Course

    The book can be used for focused training courses on various aspects of cyber-physical infrastructure security. The specific parts and chapters would depend on the duration and focus of the training. For example, some topics for short courses (a week or less) that could be based on this handbook include wireless network security, Internet robustness and security, database security, cloud computing security, smart grid security, computing platform security, sensor network security, vehicular network security, etc.

    Acknowledgements

    The idea for this handbook grew out of a one-week workshop on infrastructure security organized by two of the editors (Das and Kant) and attended by all three editors as well as some of the chapter contributors. This workshop was hosted by the Indian Institute of Science, Bangalore, India from January 9 to January 13, 2010, and was jointly sponsored by the US National Science Foundation (NSF) and the Indo-US Science and Technology Forum (IUS-STF). We would like to acknowledge the support of these organizations and of Dr. Arabinda Mitra, the then Executive Director of IUS-STF. We would also like to acknowledge the staff of Morgan Kaufmann, particularly Rick Adams, David Bevans and Danielle Miller, for their excellent support throughout the production of this handbook.

    Thanks are also due to all the authors for contributing excellent chapters on exciting topics and for their timely cooperation, without which this handbook would not be possible.

    Finally, we would like to thank our family members for their encouragement and support.

    TABLE OF CONTENTS

    Cover Image

    Title

    Copyright

    Dedication

    About the Authors

    Contributors

    Foreword

    Securing Cyber-Physical Infrastructure Perspectives and Overview of the Handbook

    PART I. Theoretical Foundations

    Introduction

    Chapter 1. Security and Vulnerability of Cyber-Physical Infrastructure Networks

    1.1 Introduction

    1.2 Definitions for Security and Vulnerability of Network Dynamics

    1.3 Network Control Tools for Characterizing and Designing Security and Vulnerability

    1.4 Conclusions and Future Work

    Chapter 2. Game Theory for Infrastructure Security

    2.1 Introduction

    2.2 Preliminaries

    2.3 Intent-based Adversary Model for Anomaly Detection

    2.4 Intent-based Adversary Model for Anonymous Communication Systems

    2.5 Conclusion

    Chapter 3. An Analytical Framework for Cyber-Physical Networks

    3.1 Introduction

    3.2 Spatial Dispersion Models

    3.3 CPN Design and Analysis

    3.4 CPN Infrastructure Robustness

    3.5 Conclusions

    Acknowledgments

    Chapter 4. Evolution of Widely Spreading Worms and Countermeasures

    4.1 Introduction

    4.2 Objectives and Strategies of Worm Propagator and Defender

    4.3 Worm Initial Attacks

    4.4 Defense against Initial Attacks

    4.5 Worm Evolution

    4.6 Defense Evolution versus Worm Evolution

    4.7 Final Remarks

    PART II. Security for Wireless Mobile Networks

    Introduction

    Chapter 5. Mobile Wireless Network Security

    5.1 Introduction

    5.2 Wireless Communications Security

    5.3 Mobility Support Security

    5.4 Conclusion and Future Research

    Chapter 6. Robust Wireless Infrastructure against Jamming Attacks

    6.1 Introduction

    6.2 Design Vulnerabilities of Wireless Infrastructure

    6.3 Resiliency to Outsider Cross-Layer Attacks

    6.4 Resiliency to Insider Cross-Layer Attacks

    6.5 Game-Theoretic Models and Mechanisms

    6.6 Conclusions

    Chapter 7. Security for Mobile Ad Hoc Networks

    7.1 Introduction

    7.2 Basic Features of MANET

    7.3 Security Challenges

    7.4 Security Attacks

    7.5 Providing Basic Security Infrastructure

    7.6 Security Solutions

    7.7 Secure Ad Hoc Routing

    7.8 Intrusion Detection and Response

    7.9 Conclusions and Future Work

    Chapter 8. Defending Against Identity-Based Attacks in Wireless Networks

    8.1 Introduction

    8.2 Feasibility of Launching Identity-Based Attacks

    8.3 Preventing Identity-Based Attacks via Authentication

    8.4 Defending Against Spoofing Attacks

    8.5 Defending Against Sybil Attacks

    8.6 A Generalized Identity-Based Attack Detection Model

    8.7 Challenges and Research Directions

    8.8 Conclusion

    PART III. Security for Sensor Networks

    Introduction

    Chapter 9. Efficient and Distributed Access Control for Sensor Networks

    9.1 Introduction

    9.2 Existing Schemes

    9.3 System Models and Assumptions

    9.4 Scheme I: Uni-Access Query

    9.5 Scheme II: Multi-Access Query

    9.6 Evaluation

    9.7 Conclusion and Future Work

    Chapter 10. Defending Against Physical Attacks in Wireless Sensor Networks

    10.1 Introduction

    10.2 Related Work

    10.3 Physical Attacks in Sensor Networks

    10.4 Challenges in Defending Against Physical Attacks

    10.5 Case Study

    10.6 Open Issues

    10.7 Conclusions and Future Work

    Chapter 11. Node Compromise Detection in Wireless Sensor Networks

    11.1 Introduction

    11.2 Related Work

    11.3 Preliminaries

    11.4 Limited Node Compromise Detection

    11.5 Widespread Node Compromise Detection

    11.6 Conclusion and Future Work

    PART IV. Platform Security

    Introduction

    Chapter 12. Hardware and Security

    12.1 Introduction

    12.2 Hardware Supply Chain Security

    12.3 Hardware Support for Software Security

    12.4 Conclusions and Future Work

    Chapter 13. Languages and Security

    13.1 Introduction

    13.2 Compiler Techniques for Copyrights and Watermarking

    13.3 Compiler Techniques for Code Obfuscation

    13.4 Compiler Techniques for Code Integrity

    13.5 Proof-Carrying Code and Authentication

    13.6 Static Analysis Techniques and Tools

    13.7 Information Flow Techniques

    13.8 Rule Checking, Verification, and Run-time Support

    13.9 Language Modifications for Increased Safety and Security

    13.10 Conclusions and Future Work

    PART V. Cloud Computing and Data Security

    Introduction

    Chapter 14. Protecting Data in Outsourcing Scenarios

    14.1 Introduction

    14.2 Data Encryption

    14.3 Fragmentation for Protecting Data Confidentiality

    14.4 Protecting Data Integrity

    14.5 Open Issues

    14.6 Conclusions

    Acknowledgments

    Chapter 15. Data Security in Cloud Computing

    15.1 Overview

    15.2 Data Security in Cloud Computing

    15.3 Commercial and Organizational Practices

    15.4 Summary

    Chapter 16. Secure Mobile Cloud Computing

    16.1 Introduction

    16.2 Cloud Computing

    16.3 Mobile Cloud Computing Security

    16.4 Virtual Node Security

    16.5 Virtual Network Security

    16.6 Mobile Application Security

    16.7 Research Challenges and Open Issues

    16.8 Summary and Conclusion

    Chapter 17. Relation Privacy Preservation in Publishing Online Social Networks

    17.1 Introduction

    17.2 Complete Identity Anonymization

    17.3 Partially Exposing User Identity

    17.4 Completely Disclosing User Identity

    17.5 Utility Loss and Privacy Preservation Measures

    17.6 Conclusion

    PART VI. Event Monitoring and Situation Awareness

    Introduction

    Chapter 18. Distributed Network and System Monitoring for Securing Cyber-Physical Infrastructure

    18.1 Overview

    18.2 System Model and Design Principles

    18.3 Recent Progress and Major Milestone Results

    18.4 Open Problems

    18.5 Summary and Future Directions

    Chapter 19. Discovering and Tracking Patterns of Interest in Security Sensor Streams

    19.1 Introduction

    19.2 Sensor Event Analysis for Health Monitoring

    19.3 Related Work

    19.4 Discovering Activities

    19.5 Recognizing Activities

    19.6 Validation of Activity Discovery and Tracking Algorithms

    19.7 Anomaly Detection

    19.8 Conclusions

    Chapter 20. Pervasive Sensing and Monitoring for Situational Awareness

    20.1 Introduction

    20.2 Hierarchical Modeling and Reasoning in Cyber-Physical Systems

    20.3 Adaptive Middleware for Cyber-Physical Spaces

    20.4 Enabling Scalability in Cyber-Physical Spaces

    20.5 Dependability in Sentient Spaces

    20.6 Privacy in Pervasive Spaces

    20.7 Conclusions

    Chapter 21. Sense and Response Systems for Crisis Management

    21.1 Introduction

    21.2 Decentralized Event Detection

    21.3 Agency-Based and Community-Based Systems

    PART VII. Policy Issues in Security Management

    Introduction

    Chapter 22. Managing and Securing Critical Infrastructure – A Semantic Policy- and Trust-Driven Approach

    22.1 Introduction

    22.2 Related Work

    22.3 A Policy and Trust Framework to Secure CPS

    22.4 Prototype Implementations

    22.5 Conclusion and Future Work

    Chapter 23. Policies, Access Control, and Formal Methods

    23.1 Introduction

    23.2 Access Control Concepts and Models

    23.3 Tools and Methods for Managing Access Control

    23.4 Formal Methods

    23.5 Access Control for Critical Infrastructures – Open Problems and Possible Approaches

    23.6 Concluding Remarks

    Chapter 24. Formal Analysis of Policy-Based Security Configurations in Enterprise Networks

    24.1 Introduction

    24.2 State of the Art

    24.3 Formal Verification of Security Policy Implementations

    24.4 Verification of IPSec Policies

    24.5 Conclusion

    24.6 Open Research Problems

    PART VIII. Security in Real-World Systems

    Introduction

    Chapter 25. Security and Privacy in the Smart Grid

    25.1 Introduction

    25.2 The Smart Grid

    25.3 Security and Privacy Challenges

    25.4 Toward a Secure and Privacy-Preserving Smart Grid

    25.5 Concluding Remarks

    Chapter 26. Cyber-Physical Security of Automotive Information Technology

    26.1 Introduction

    26.2 Automotive Security Analysis

    26.3 ECU Reprogramming Security Issues

    26.4 Conclusion

    Acknowledgments

    Chapter 27. Security and Privacy for Mobile Health-Care (m-Health) Systems

    27.1 Introduction

    27.2 Electronic Health Record (EHR)

    27.3 Privacy and Security in E-Health Care

    27.4 State-of-the-Art Design for Health Information Privacy and Sharing (HIPS)

    27.5 Security Analysis

    27.6 Conclusion and Future Work

    Acknowledgments

    Chapter 28. Security and Robustness in the Internet Infrastructure

    28.1 Introduction

    28.2 Vulnerabilities in Domain Name Resolution

    28.3 Security Solutions for the Domain Name System

    28.4 Secure End-to-End Communication Protocols

    28.5 Integrity of Internet Routing

    28.6 Integrity Below the IP Layer

    28.7 Configuration Management Security

    28.8 Conclusions and Future Challenges

    Acknowledgments

    Chapter 29. Emergency Vehicular Networks

    29.1 Introduction

    29.2 Emergency Vehicle Support

    29.3 The Emergency Vehicle Grid

    29.4 Basic Urban Grid Routing

    29.5 Delay-Tolerant Vehicular Routing

    29.6 Mobimesh and Geo-Location Server: Finding the Destination Coordinates During the Emergency

    29.7 Content Routing Across the VANET

    29.8 Emergency Video Dissemination

    29.9 Vehicular Grid Surveillance

    29.10 Map Updates Using Crowdsourcing

    29.11 Security in the Emergency Vehicular Network

    29.12 Conclusions

    Chapter 30. Security Issues in VoIP Telecommunication Networks

    30.1 Introduction

    30.2 Connection Establishment and Call Routing

    30.3 Man-in-the-Middle Attacks

    30.4 Voice Pharming

    30.5 Billing Attacks

    30.6 Security Requirements of a P2P Telecommunication Network

    30.7 Small World VIP-P2PSIP-Based on Trust

    30.8 Conclusion

    Acknowledgments

    Index

    PART I

    Theoretical Foundations

    Introduction

    Chapter 1 Security and Vulnerability of Cyber-Physical Infrastructure Networks

    Chapter 2 Game Theory for Infrastructure Security

    Chapter 3 An Analytical Framework for Cyber-Physical Networks

    Chapter 4 Evolution of Widely Spreading Worms and Countermeasures

    As discussed in the previous introductory chapter, we live in a cyber–physical world which we desire to understand (sense), serve (via computation and communication), and control. With the technological advances of wireless communications, sensors, smart devices, embedded computing/control, and pervasive computing, it is possible to build complex cyber–physical infrastructure and smart environments, and these systems indeed abound in our daily lives. Due to their scale and complexity, such systems are vulnerable to a variety of attacks and threats. Therefore, robust design and secure management (monitoring and control) of cyber–physical infrastructure are crucial albeit extremely challenging.

    With the goal of understanding and analyzing uncertainty in securing complex systems, Part I of this handbook, consisting of four chapters, attempts to build a solid theoretical foundation for the security of cyber–physical networks and systems. The underlying concepts are developed on foundations in control theory, graph theory, game theory, and epidemic theory, and aim to provide a holistic perspective on security that considers both the cyber and physical worlds (see Figure 1). Other traditional techniques that do not explicitly consider cyber and physical aspects together (such as cryptography or encryption of communications [3, 4, 6–8], robust control of physical components [2], or stochastic theory) are outside the scope of this part.

    Figure 1 Foundations of cyber–physical systems.

    Chapter 1, titled Security and Vulnerability of Cyber–Physical Infrastructure Networks: A Control-Theoretic Approach, is motivated by the increasing need for automated decision support tools for cyber–physical networks (e.g., transportation, the electric power grid, and health care) that are subject to uncertainties and adversarial attacks at multiple spatial and temporal scales. This chapter develops a new control-theoretic framework that defines and characterizes the interplay between security and vulnerability in such systems. More precisely, the framework proposes holistic definitions for security and vulnerability; broadly applicable models for natural adversaries (uncertainties), sentient adversaries, and their interactions with system planners; and pointers to network control theory tools that may help to evaluate security and vulnerability according to these definitions. In developing the framework, the adversaries are conceptualized as seeking to estimate and/or actuate the physical dynamics of the network through measurement or modification of only a few network components at the cyber or physical level. As such, the adversary's ability to estimate or actuate the network dynamics depends critically on the network's topology or graph structure, and understanding this dependence is central to mitigating the adversarial behavior. To this end, this chapter develops abstract linear dynamical network models, specified on a graph, for the physical and information-flow dynamics of a network. Security and vulnerability are then defined as an adversary's (perhaps intertwined) abilities to estimate and to actuate critical aspects of the network dynamics, respectively, using localized measurements. As a canonical case study, the proposed formalisms are applied to air traffic management systems, a prototypical complex cyber–physical network.

    Chapter 2, titled Game Theory for Infrastructure Security: The Power of Intent-Based Adversary Models, deals with game formulations for modeling adversarial threats in distributed information sharing among autonomous entities. Traditional adversary models are assumed to be behavior-based or semi-honest: entities that run the protocol exactly as specified (i.e., without any deviations) but may try to learn about the inputs of other entities from their views of the protocol. However, in real-world applications it is rather hard to determine whether an entity has the capability to change its input database or to deviate from the protocol, which makes it difficult to defend against arbitrarily behaving adversaries. This chapter removes the constraints on the behavior of entities, and thereby formulates and analyzes the power of an intent-based adversary model that obtains more accurate results without compromising other entities' private information. The developed game-theoretic solution is applied to two important infrastructure security applications, namely anomaly detection and anonymous communication.

    Chapter 3, titled An Analytical Framework for Cyber–Physical Networks, discusses an important class of tasks, the detection, identification, and tracking of spatial phenomena (DITSP), whose network solutions are necessarily cyber–physical in nature. For these tasks, spatially distributed sensors measure the physical phenomenon in space and time, and a network of computation, communication, and data nodes processes the measurements to generate actionable information for decision making. This chapter presents an analytical framework to guide the design and implementation of Cyber–Physical Networks (CPN) with respect to the modality selection of sensors; the placement of sensors and computation modules for effective coverage; the fusion of multimodal data in a unifying projective space for consolidated information; and the robust estimation and optimization of model parameters by Bayesian and empirical methods. The robustness of the CPN, in the face of natural
