
  • Securing Critical Infrastructures at

    software and interdependency levels

    George Stergiopoulos

    November 2015

  • ii

    Securing Critical Infrastructures

    at software and interdependency levels

    George Stergiopoulos

    A dissertation submitted for the partial fulfillment

    of a Ph.D. degree

    November 2015

    Department of Informatics

    Athens University of Economics & Business

    Athens, Greece

  • iii

    Supervising Committee:

    1. Dimitris Gritzalis, Professor, Athens University of Economics & Business (Chair)

    2. Ioannis Mavridis, Associate Professor, University of Macedonia

    3. Panagiotis Katsaros, Assistant Professor, Aristotle University of Thessaloniki

    Examination Committee:

    1. Dimitris Gritzalis, Professor, Athens University of Economics & Business

    2. Theodoros Apostolopoulos, Professor, Athens University of Economics & Business

    3. Ioannis Mavridis, Associate Professor, University of Macedonia

    4. Konstantinos Lambrinoudakis, Associate Professor, University of Piraeus

    5. Panagiotis Katsaros, Assistant Professor, Aristotle University of Thessaloniki

    6. Ioannis Marias, Assistant Professor, Athens University of Economics & Business

    7. Panos Kotzanikolaou, Assistant Professor, University of Piraeus

  • iv

    Securing Critical Infrastructures

    at software and interdependency levels

    Copyright © 2015

    by

    George Stergiopoulos

    Department of Informatics

    Athens University of Economics and Business

    76 Patission Ave., Athens GR-10434, Greece

  • v

    All rights reserved. No part of this manuscript may be reproduced or transmitted

    in any form or by any means, electronic, mechanical, photocopying, recording, or

    otherwise, without the prior written permission of the author.

    "The approval of a doctoral dissertation by the Department of Informatics of the Athens

    University of Economics and Business does not imply acceptance of the author's opinions."

    (Law 5343/1932, Article 202)

  • vi

    Acknowledgements

    It is common that doctoral students overlook the acknowledgements section. Instead, they

    focus their writing on the main content while trying to produce a robust and all around sound

    text that will adequately depict their research efforts. Still, most fail to recognize that, without

    the significant help of a large group of people, these research efforts would have borne little to

    no fruit. This is why I will dedicate the following paragraphs to all those that helped me,

    directly or indirectly, achieve my goal during my doctoral studies.

    First and foremost, I would like to thank my Ph.D. supervisor Prof. Dimitris Gritzalis. His

    role was twofold, that of an academic teacher and a personal research and business advisor.

    Thus, he was influential to my research. Prof. Gritzalis guided me through my doctoral studies

    and helped me mature both as a researcher and as a professional. I am grateful to be a part of

    Prof. Dimitris Gritzalis’s Critical Infrastructure Protection group; a group, which, under Prof.

    Gritzalis’s constant care and supervision, infused me with a wide variety of knowledge,

    experience and understanding of both the academic, and the business sector. He is the person

    who motivated my decision to focus on critical infrastructure protection and information

    systems analysis for the past 5 years.

    I also would like to thank Ass. Prof. Panagiotis Kotzanikolaou and Ass. Prof. Panagiotis

    Katsaros for their excellent contribution and help during my doctoral studies. Their experience,

    patience and guidance were of utmost importance and acted as a steady light that helped me

    overcome multiple obstacles during my research efforts; both technical and theoretical. I would

    also like to thank Bill Tsoumas who believed in me from the very start and altruistically helped

    during my preliminary steps in research.

    During my doctoral studies, I was blessed to have colleagues that supported me in many

    ways. Thus, I would like to thank Dr. Marianthi Theoharidou and Dr. Bill Tsoumas for teaching

    me how to write a paper. I was lucky enough to have Marianthi as my partner in some of my

    research efforts. I am also grateful to Nikos Virvilis and Miltiadis Kandias for their friendship,

    cooperation and support. Their help and guidance bore fruit and helped me learn how to

    manage my tasks and complete them flawlessly and on time. Last but not least, I would like to

    thank certain people who I met during my doctoral studies and influenced my course of action.

    I sincerely thank Alexios Mylonas, Nikos Tsalis, Vasilis Stavrou and Nick Bozovits for their

    help, cooperation and friendship during all those years in the university. I would also be remiss

    not to thank Vasilis Spyropoulos, Vasilis Zafeiris, Nantia Makrinioti and Tassos Venetis, for

    their friendship and for the challenges that we faced together while working in the Information

    Systems and Databases lab (ISLAB).

    Partners and academic staff aside, I feel obliged to express my gratitude to other people that

    influenced my research journey, supported and aided me when times were harsh and I felt that

    I would never make it. People that are a part of who I am now, and thus I owe them a lot.

  • vii

    Amongst many, I am deeply thankful to Violetta Sotiropoulou, Mihalis Maniatakos and George

    Kourepis. Their friendship and support went the extra mile in mitigating anxiety, difficulties

    and ill thoughts that occurred along the way. I am very grateful to have them by my side and

    would like to thank them for helping me mature as a personality.

    Finally, I feel obliged to express my deepest gratitude and love to my parents for their

    unconditional, constant love and support; both psychological and economical. I thank them for

    infusing me with the ethics, qualities and understanding needed to succeed in life. For this reason,

    this dissertation is dedicated to them.

    Athens, 5th September 2015

  • viii

    Dedication

    To my parents:

    “When I was a boy, my parents were so ignorant I could hardly stand to

    have them around. But when I got to be thirty, I was astonished at how

    much they have learned in just a few years”

  • ix

    Abstract

    A critical infrastructure is the backbone of a nation's economy, security and health. It is

    those infrastructures that provide power and water to homes, support the transportation and

    communication systems people rely on. The criteria for determining what might be a critical

    infrastructure, and which infrastructures thus qualify, have expanded over time (DHS, 2013).

    A critical infrastructure is defined as those assets, systems and networks, whether physical or

    virtual, so vital to a country that their incapacitation or destruction would have a debilitating

    effect on security, national economic security, national public health or safety, or any

    combination thereof (DHS, 2013).

    At the very least, a growing list of infrastructures in need of protection will require the

    federal government to prioritize its efforts and try to minimize the impact on the nation’s critical

    infrastructures of any future failure of any kind (e.g. terrorist attack or systems failure) while

    taking into account what those impacts might be and the likelihood of their occurring (Motef

    et al., 2003).

    Considering all the above, it is clear that critical infrastructures, along with their

    services and systems must be protected against all types of failures; both human-made and

    natural phenomena. Critical infrastructures provide services needed for a nation to function

    properly and support its citizens, such as the health care system, transportations,

    communications etc. Even more, failures in these infrastructures can be triggered by attackers

    in order to maim a nation and/or to increase revenues (e.g. theft, information leakage etc).

    Up until now, research has focused on securing critical infrastructures by utilizing Risk

    Assessment methodologies based on ISO standards (such as ISO 27001), security audits and penetration

    tests on their information systems. However, little progress has been made in securing

    infrastructures from failures in other, interconnected infrastructures on which they depend to

    work efficiently. Modern infrastructures often depend on other infrastructures to function

    properly. This necessity has led to the development of complex networks of interdependent

    infrastructures. These dependency graphs hide information about what will happen if a

    failure occurs; in other words, they are as safe as their most critical path o