225 65 27MB
English Pages 255 [258]
SAFETY AND RISK IN SOCIETY
UNDERSTANDING CYBER THREATS AND ATTACKS
No part of this digital document may be reproduced, stored in a retrieval system or transmitted in any form or by any means. The publisher has taken reasonable care in the preparation of this digital document, but makes no expressed or implied warranty of any kind and assumes no responsibility for any errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of information contained herein. This digital document is sold with the clear understanding that the publisher is not engaged in rendering legal, medical or any other professional services.
SAFETY AND RISK IN SOCIETY Additional books and e-books in this series can be found on Nova’s website under the Series tab.
SAFETY AND RISK IN SOCIETY
UNDERSTANDING CYBER THREATS AND ATTACKS
BIMAL KUMAR MISHRA AND
JOSE R. C. PIQUEIRA EDITORS
Copyright © 2020 by Nova Science Publishers, Inc. All rights reserved. No part of this book may be reproduced, stored in a retrieval system or transmitted in any form or by any means: electronic, electrostatic, magnetic, tape, mechanical photocopying, recording or otherwise without the written permission of the Publisher. We have partnered with Copyright Clearance Center to make it easy for you to obtain permissions to reuse content from this publication. Simply navigate to this publication’s page on Nova’s website and locate the “Get Permission” button below the title description. This button is linked directly to the title’s permission page on copyright.com. Alternatively, you can visit copyright.com and search by title, ISBN, or ISSN. For further questions about using the service on copyright.com, please contact: Copyright Clearance Center Phone: +1-(978) 750-8400 Fax: +1-(978) 750-4470
E-mail: [email protected].
NOTICE TO THE READER The Publisher has taken reasonable care in the preparation of this book, but makes no expressed or implied warranty of any kind and assumes no responsibility for any errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of information contained in this book. The Publisher shall not be liable for any special, consequential, or exemplary damages resulting, in whole or in part, from the readers’ use of, or reliance upon, this material. Any parts of this book based on government reports are so indicated and copyright is claimed for those parts to the extent applicable to compilations of such works. Independent verification should be sought for any data, advice or recommendations contained in this book. In addition, no responsibility is assumed by the Publisher for any injury and/or damage to persons or property arising from any methods, products, instructions, ideas or otherwise contained in this publication. This publication is designed to provide accurate and authoritative information with regard to the subject matter covered herein. It is sold with the clear understanding that the Publisher is not engaged in rendering legal or any other professional services. If legal or any other expert assistance is required, the services of a competent person should be sought. FROM A DECLARATION OF PARTICIPANTS JOINTLY ADOPTED BY A COMMITTEE OF THE AMERICAN BAR ASSOCIATION AND A COMMITTEE OF PUBLISHERS. Additional color graphics may be available in the e-book version of this book.
Library of Congress Cataloging-in-Publication Data Names: Kumar Mishra, Bimal, editor. | Piqueira, Jose R.C., editor. Title: Understanding cyber threats and attacks / Bimal Kumar Mishra (editor), Principal, Markham College of Commerce, Hazaribag, Jharkhand, India, Jose R.C. Piqueira (editor), Professor, Mathematics, Av. Prof. Luciano Gualberto, Saõ Paulo, SP, Brazil. Description: Hauppauge : Nova Science Publishers, 2020. | Series: Safety and risk in society | Includes bibliographical references and index. | Identifiers: LCCN 2020035189 (print) | LCCN 2020035190 (ebook) | ISBN 9781536183368 (hardcover) | ISBN 9781536185379 (adobe pdf) Subjects: LCSH: Information technology--Security measures. | Computer security. | Computer networks--Security measures. | Corporations--Security measures. | National security. Classification: LCC HD30.2 .U523 2020 (print) | LCC HD30.2 (ebook) | DDC 005.8--dc23 LC record available at https://lccn.loc.gov/2020035189 LC ebook record available at https://lccn.loc.gov/2020035190
Published by Nova Science Publishers, Inc. † New York
CONTENTS Preface Chapter 1
Chapter 2
Chapter 3
Chapter 4
Chapter 5
vii Cyber Threats for the Oil and Gas Sector in an Age of Connected Production Antônio Carlos Bastos de Godói Exploring the Delayed and Optimally Controlled Dynamics of Malicious Objects in Computer Network Sangeeta Kumari and Ranjit Kumar Upadhyay Cyber Threats and Attacks in Smart Energy Networks Zoya Pourmirza and Sara Walker A Twofold Mathematical Model to Study the Malware Attack of Compromised IoT Botnet on Targeted Networks Ajit Kumar Keshri A Survey on Compartmental Models in Computer Viruses Cristiane M. Batistela and Manuel A. M. Cabrera
1
31
65
103
117
vi Chapter 6
Chapter 7
Chapter 8
Chapter 9
Chapter 10
Contents Rethinking Cybersecurity as a Group Phenomenon: Impact of Shared Mental Models on Cybersecurity Decisions within Communities of Practice Susan Squires and Jamie Johnson Auditing National Cybersecurity Strategies in Order to Protect Nation-States’ Cyber Assets Regner Sabillon Effect of Vaccination on the Attack of Malicious Objects in Wireless Network Malti Kumari, Binay Kumar Mishra and R. N. Sinha Mathematical Model on Cyberattack Behavior in E-Commerce Binay Kumar Mishra and Santosh Kumar Srivastava Understanding Cyber Threats and Cyber Attacks on Satellites Jyoti Kumari Gupta and Dinesh Kumar Saini
143
165
197
213
231
About the Editors
243
Index
245
PREFACE In 1961, Leonard Kleinrock submitted to the MIT a PhD thesis entitled: “Information Flow in Large Communication Nets”1, an innovative idea for message exchanging procedures, based on the concept of postoffice packet delivery procedures. It was the seed of ARPANET, a wide area data communication network, implemented in 1969, considered the origin of the Internet. At the end of the 1970's, digital transmission and packet-switching allowed the building of ISDN (Integrated Services Data Networks). Voice and data were integrated in the same network, given birth to electronic offices combining computation and communication technologies. The electronic miniaturization and the popularization of microcomputers in the 1980's, brought computer communication to home, allowing the integration and automation of many domestic tasks and access to some daily facilities from home. A new technological breakthrough came in 1989, when Tim BernersLee, a British scientist working at the European Organization for Nuclear Research (CERN), conceived the world wide web (www), easing the communication between machines around the world2.
John Scales Avery, “Information Theory and Evolution”, World Scientific: Singapore, 2nd edition, 2012. 2 https://home.cern/science/computing/birth-web/short-history-web. 1
viii
Bimal Kumar Mishra and Jose R. C. Piqueira
Nowadays, combining Kleinrock and Berners-Lee seminal ideas for network hardware and software, Internet became all pervasive in the daily life around the world, transforming the old telephone set into a small multipurpose computer. Consequently, human life radically changed. Our dependence on computer networks became undeniable and together with it, harmful programs or malwares, developedtodamagemachinesortostealinformation, represent permanent threat toindividuals and society. In computer science a new work research line emerged: cybersecurity,which includes developing models, routines and software to protect machines and networks from malicious programs. This new discipline has attracted researchers to develop ideas for protecting people and corporations. Cyber-security is the object of this book, that presents hints about how the community is working to manage these threats: Mathematical models based on epidemiology studies, Control of malwares and virus propagation, Protection of essential service plants to assure reliability, the direct impact of virus and malwares over human activities and behavior, Government entities which are highly concerned with the necessary preventive actions. As cyber-security is a new and wide subject, the intention was to give a general idea of some points, leaving to the readers the task to go ahead. Bimal Kumar Mishra Jose R. C. Piqueira Editors
In: Understanding Cyber Threats and Attacks ISBN: 978-1-53618-336-8 Editors: B. Mishra and J. Piqueira © 2020 Nova Science Publishers, Inc.
Chapter 1
CYBER THREATS FOR THE OIL AND GAS SECTOR IN AN AGE OF CONNECTED PRODUCTION Antônio Carlos Bastos de Godói* Research Centre for Gas Innovation, University of São Paulo, São Paulo, SP, Brazil
ABSTRACT The oil and gas industry has undergone major technological changes during the past few years, whereby innovative industrial control systems, the Internet of Things, robotics and cloud computing were integrated into the operational infrastructure to accomplish the business goals of a smart oil and gas factory. Although this integration provides new capabilities, reduces emissions, improve quality and energy conservation, a sophisticated ecosystem of computation, networking and physical operational processes reduces the isolation from the outside, makes the industry highly vunerable to cyberattacks and entails a large attack surface and multiple attack vectors. Cybersecurity emerges as a prominet topic in the industry as the risks and possible catastrophic impacts facing *
Corresponding Author’s Email: [email protected].
2
Antônio Carlos Bastos de Godói the sector escalate. This chapter provides an overview of the cybersecurity challenges facing the oil and gas sector, addresses some major publically reported cyber incidents, delves into security issues in industrial control systems used in the sector and discusses cybersecurity management considering both risk assessment and mitigation schemes, particularly for the upstream and downstream oil and gas segment.
Keywords: cybersecurity, oil and gas, ICS
1. INTRODUCTION Industrial control system (ICS) is a general term that encompasses supervisory control and data acquisition (SCADA), distributed control system (DCS), and other control system configurations as Programmable Logic Controller (PLC) and Human-Machine Interface (HMI). ICSs are largely used in nearly every industrial sector and critical infrastructure. Historically, ICS had little resemblance to interconnected information technology systems, inasmuch as ICSs were considered “isolated systems” using specialized hardware and software and running proprietary protocols. The oil and gas industry has been confronted with new technological revolution represented by the Internet of Things, cloud computing and big data, capable of information real-time processing and improving operational efficiency of manufacturing by acquiring effective knowledge from significant amount of data. Further, innovative applications of a modern factory accomplish the business goals of oil and gas enterprises, such as emissions reduction, energy conservation and quality improvement. Specifically, these enhancements include [1]:
remote operation based on Internet of Things: involving sensor monitoring, collection and processing of logistics information, device status, real-time field monitoring and equipment in the whole factory; safety management in the field: data model will be set up, so as to allow remote monitoring of dangerous on-site places and work
Cyber Threats for the Oil and Gas Sector …
3
processes, as well as the ability to supervise and control safety production; management and continuous optimization of the production plan; energy management: establish the energy optimization model from the perspective of key equipment, energy pipeline network; health, safety and environment management and control; process and quality control: the parameters of the control circuit will be automatically adjusted when working conditions change.
ICS managers are increasingly using modern IT solutions to boost competitiveness and support sustainable growth in the industry. Innovative ICS adopted in the sector are implemented using industry standard computers, operating systems and network protocols; therefore, their composition is increasingly similar to conventional IT systems [2]. Although this integration provides new capabilities, it reduces the isolation from outside and provides an increasing number of vulnerabilities and attack vectors, comprehending access through corporate network or via the Internet, virtual private network (VPN), wireless and dial-up connections. The growing acceptance of highly integrated automation systems in the oil and gas sector brings with it potential breaches of security, which could result in millions of dollars in economic losses and heavy harm to the environment, putting the safety and welfare of the citizens at risk. In accordance with these statements, in a 2019 survey that involved 40 participants from the oil and gas sector, Ernst & Young reported that “60% of the organizations surveyed had a significant cybersecurity incident” and “95% say their cybersecurity function does not fully meet their organization’s needs” [3]. The economic success of the oil and gas industry will progressively depend upon the security of process control systems which are threatened from different sources, including terrorist groups, industrial spies, hostile governments, hackers, dissatisfied employees, human errors and accidents. One important aspect of cyberattacks is that the methods become more sophisticated with increasing the system connection to the network. In this scenario, advanced persistent threats (APTs), which uninterruptedly
4
Antônio Carlos Bastos de Godói
collects data by exploiting vulnerabilities using diverse attack techniques [4], and collaborative attacks with botnets and worms can have serious disruptive results. This chapter provides an overview of the cybersecurity risks, sheds light on the nature of challenges facing the oil and gas sector, delves into some major publically reported cyber incidents, addresses issues related to ICS and examines risk assessment and mitigation strategies. The organization of this chapter is as follows. In the next section, some major cybersecurity incidents in the oil and gas sector will be reviewed to provide insight into escalating business risks. Section 3 delves into the security issues in industrial systems, including the root causes of vulnerabilities and threats in ICS. Then, in section 4, strategic cybersecurity management will finally be addressed, considering both risk assessment and mitigation schemes, particularly for the upstream and downstream oil and gas segment. At last, closing remarks will summarize the main points in section 5.
2. HISTORY OF CYBER INCIDENTS AND THREATS TO ICS IN THE OIL AND GAS SECTOR The fact that the industry has a relative monopoly on primary sources of information regarding the impact of cyberattack incidents on critical information infrastructures, limits the access to incident-response data necessary to get a full picture of the compromise and post-infection outcomes. Nevertheless, some major cyber-threats to oil and gas industry have been publically reported, and are described below to highlight that cyber-incidents are becoming more complex:
Night Dragon – the operation was named by cybersecurity company, McAfee®, to the coordinated covert and targeted cyberattacks beginning in November 2009, conducted against global oil, energy and petrochemical companies. The attacks
Cyber Threats for the Oil and Gas Sector …
5
involved social engineering, spear-phishing, exploitation of Microsoft operating system vulnerabilities, Microsoft Active Directory compromises, and the use of remote administration tools (RATs) in targeting and harvesting sensitive competitive proprietary operations and project-financing information with regard to oil and gas field bids and operations. The primary operational technique used by the attackers comprised a variety of tools, including customized RATs that provided complete remote administration capabilities [5]. Night Dragon attacks demonstrated that a skillful and persistent adversary could break into energysector companies to steal valuable information. Equally concerning is the fact that the attackers could also compromise ICSs and take control of critical energy systems; Gas Pipeline Cyber-Intrusion Campaign – Beginning in December 2011, United States Industrial Control Systems – Cyber Emergency Response Team (ICS-CERT) recognized an active series of cyber-attacks by a sophisticated threat actor targeting natural gas sector companies. Various sources provided information to ICS-CERT describing targeted attempts and intrusions into multiple natural gas pipeline sector organizations. Analysis of the malware and artifacts associated with these cyberattacks has identified this activity as related to a single campaign with spear-phishing activity that targeted a variety of personnel within these organizations; however, the number of persons targeted appears to be tightly focused [6]; Shamoon – Saudi Aramco – On August 15, 2012, a destructive malware attacked the computer systems of Saudi Aramco, the largest energy company in the world. The attackers carefully selected the day of the year that more than 55,000 employees stayed at home from work to prepare for one of Islam’s holiest nights – Lailat al Qadr, or the Night of Power. That morning, a person with privileged access to the company’s computer unleashed a virus that erased data on three-quarters of Aramco’s corporate PCs, including documents, spreadsheets, e-mails and
6
Antônio Carlos Bastos de Godói
files – replacing all of it with an image of a burning American flag. Immediately after the attack, Aramco was forced to shut down the company’s internal corporate network, disabling employees’ email and Internet access to stop the virus from spreading [7]. When the Shamoon malware triggered, it renders infected systems unusable by overwriting the Master Boot Record (MBR). Symantec detailed the malware in its official blog on August 16, 2012 [8]. ICS-CERT also issued a security report on the malware [9]. Although there was no evidence that Shamoon had any direct impact on ICS systems or critical infrastructure in the Middle East, Saudi Aramco were taught the hard lesson that malicious threat actors can and do conduct destructive attacks and there has been a secondary impact on risk assessment for providers of critical services worldwide; Norway Oil and Gas Industry Cyberattack – In August 2014, Norway’s National Security Authority (NSM) announced threat actors had compromised as many as 50 Norwegian oil companies, including its largest, state-owned oil firm Statoil. The NSM advised 250 other energy companies to check their networks for evidence of malicious activity. This incident affected several clients in the energy sector. In one case, actors sent a phishing email with a malicious attachment to a high-ranking employee in the procurement division at a Nordic energy company. Threat actors also sent phishing e-mails to several other company employees, including two in the legal and procurement departments. These phishing e-mails appeared to be from human resources representatives and contained malicious PDF attachments [10-12]; TRITON/Trisis/HatMan – At the end of 2017, FireEye published a report on a new ICS attack framework, which they dubbed “TRITON,” designed to cause operational disruption to critical infrastructure [13]. Symantec released an additional late 2017 report on the same malware, that they described as a new Trojan and referred to it as “Trisis” [14]. Meanwhile, ICS-CERT
Cyber Threats for the Oil and Gas Sector …
7
published a December 2017 report on the same malware, yet called it a third name “HatMan” [15]. The malware was the world’s first known cyberattack on a safety instrumented system (SIS) [14] [16]. Safety instrumented systems are a type of ICS designed to monitor the performance of critical systems and take remedial action should an unsafe condition be detected. This could include overly high temperatures or pressure readings in industrial systems. The SIS is designed to detect such dangerous conditions and take action to put the systems into a safe state. Regardless of the name, the malware targets Schneider Electric’s Triconex safety instrumented system, which is used across a broad range of high hazard industries including Oil&Gas, exploration and production, refining, petrochemical, chemical, pipelines and distribution [15]. Attacks on SIS devices could potentially cause disruption and facilitate sabotage. A worst case scenario is an attack where an SIS malfunctions and therefore fails to prevent an industrial accident and cause physical damage or harm people. Although intrusions of this nature does not represent an immediate intent to disrupt targeted systems, they may be a preparation to launch a future attack. As has been mentioned, it should be noted that this list is not exhaustive and only includes some of the major publicly reported cyberthreats incidents related to the oil and gas sector. Additionally, an unknown number of issues affecting critical infrastructure is kept undisclosed by the corporations as it may contain sensitive industrial data. Other studies, that provide a more comprehensive review of industrial control system cyber issues, can be referred to for further information on ICS cyber threats [17]. As oil and gas industry share some common infrastructure framework with smart industries of different sectors, the statistics about cyberattacks against ICS largely used in the modern enterprises can also be applied to describe the risks faced by oil and gas business.
8
Antônio Carlos Bastos de Godói
3. CYBER VULNERABILITIES IN INDUSTRIAL CONTROL SYSTEMS A Positive Technologies report shows that in 2018 the number of new vulnerabilities in ICS rose by 30% compared to 2017. The study, which considered information from publicly available sources, also describes the vulnerabilities by component, types, impact and severity, as can be seen in Figure 1-4, respectively [18]. Apart from showing a significant increase in the number of vulnerabilities, the work also gives a perspective on the type of risks and class of ICS affected.
Figure 1. Percentage of vulnerabilities in ICS component types published in 2018 (adapted from [18]).
Figure 2. Types of vulnerabilities in ICS components published in 2018 (adapted from [18]).
Cyber Threats for the Oil and Gas Sector …
9
The severity of risks in ICS components was assessed based on the Common Vulnerability Scoring System (CVSS) version 3 (first.org/cvss) [18]. Figure 2 shows that a significant share of exposures involve improper authentication or excessive privileges, while these types of vulnerabilities relate to diverse computational systems, they represent a serious threat to ICS endowed with remote access capability, which can be exploited through the network. In addition, as can be seen in Figure 3, about 75% of vulnerabilities can affect ICS availability in full or part and exploitation of these weaknesses could render the systems unavailable. Equally concerning, as shown in Figure 4, is the fact that more than half of detected vulnerabilities were of critical or high severity. Apart from the industry’s critical infrastructure complex, a sophisticated ecosystem of computation, networking, and physical operational processes makes the industry highly vulnerable to cyberattacks, providing a large attack surface and multiple attack vectors. A large oil and gas company, for instance, can use hundreds of thousands of processors to run complex oil and gas reservoir simulation models [19]; generates, transmits, and stores a huge amount of sensitive and competitive field data; and operates thousands of drilling and production control systems. The following scenarios illustrate potential cybersecurity threats, which did not exist a few years ago:
Compromised remote access communication allows an agent to hijack a process control system and push production to unsafe conditions; Inappropriate security practices by a third-party contractor bring a malware into the production environment, compromising ICS and creating dangerous working conditions; Poor testing of IT systems prior to deployment results in a system crash, leading to malfunction or shutdown of operations; Technology acquired by the facility, without appropriate testing and evaluation, went unpatched and presents a vulnerability that allows cyber criminals to gain remote access to PLC and disrupt the production process.
10
Antônio Carlos Bastos de Godói
Figure 3. ICS vulnerabilities by impact in 2018 (adapted from [18]).
Figure 4. Severity of ICS vulnerabilities in 2018 (adapted from [18]).
Cyber Threats for the Oil and Gas Sector …
11
3.1. Main Causes of Cybersecurity Breaches in ICS The root causes of ICS vulnerabilities are discussed in [20], where six primary technical and administrative factors which lead to cybersecurity exposures have been identified: 1. Poorly Secured Legacy Systems Longer replacement periods: Industrial control systems typically have a 10-20 year life cycle. Therefore, it can take a long time for state of the art technologies to reach the sector; Costly and difficult to replace: Old legacy control systems are costly and difficult to replace and new control systems hardly add functionality to the controlled process, so an interesting return on investment is usually not reached; No security built in: Many legacy systems were designed before cybersecurity concerns became relevant. The systems were developed to be standalone in which threats from outside parties were nearly impracticable due to physical security of the equipment itself; Reduced processing power: Legacy systems, endowed with old technology, have limited processing power, memory and resources, so as advanced algorithms for cybersecurity are not possible or practical to implement; Difficult to integrate new security technologies into legacy equipment: Old systems are often incompatible with emerging ICS cybersecurity design because they lack processing power or use proprietary hardware or software. 2. Lack of Trained Cybersecurity Specialists On-site control engineers are typically trained in the control hardware and software from the aspect of controlling the process itself. Engineers have begun to use IT infrastructure technologies over the past decade such as Ethernet, switches, etc., however, there is a gap in training with regard
12
Antônio Carlos Bastos de Godói
to implementing effective security using existing features as well as the latest cybersecurity enhancements. •
• • •
Combination of ICS and IT security: A combination of control system and IT security expertise is not generally found. Most ICS personnel would have expertise in one or another, but hardly both; ICS cybersecurity training for new systems different from ICS cybersecurity training for legacy systems; Installing and configuring security can be time consuming; No precise definition of a secure ICS.
3. Delayed Application of Operating System and Application Software Patches • Patches are not applied at all, or not for a substantial time after their initial release, leaving the system vulnerable to well-known and possibly public domain attacks; • Delay in applying patches: New patches are released on nearly a daily schedule. Control engineers do not have the time to apply these patches on such schedule. The application of patches can disrupt the controlled process so they are schedule once in a while. This leaves the control system exposed while waiting for patches to be applied; • Incompatibility of patches: Software used in control systems are custom implementations and often not verified against patches as they are released. Patches can break control systems and the process is typically down or compromised until recovery can be completed; • Security patches are difficult to install in the control system. 4. Lack of Cybersecurity Situational Awareness ICS systems have limited logging capabilities, the focus of which has been of control and operation and not on cybersecurity. ICS components’ logging and event generation capabilities are focused on trouble shooting the system or determining if an operator failed to do his/her job. The
Cyber Threats for the Oil and Gas Sector …
13
limited logging that is available is not aggregated, and ongoing audit comparisons are rare. This introduces vulnerability by giving an attacker enough time to observe and hack the network ICS components without being detected. •
ICS components lack security related event generation: In some cases, event generation capabilities are very limited or may not be configured. Examples of cybersecurity related events include: authentication failure, forced register manipulation, firmware changes, and malformed protocol messages;
5. Communication Security • Unsecure protocols: Many protocols used in the industry for control were designed for simple and reliable communications, with no consideration for security; • Unsecured links: Many links are confined to the site, and thus physical security prevails; • Lack of isolation/separation: Control networks are poorly isolated from enterprise networks. 6. Remote Access • Employee access: Engineers need remote access to control systems for quick troubleshooting and for ease of configuration when sites are geographically spread out. Remote points of access that use the Internet may not be sufficiently secured; • Vendor access: Some vendors have wanted remote access to the equipment they supply, however security becomes a greater concern when vendors gain access to the control system. It is important to highlight that the above list includes cybersecurity issues specific to ICS, as a result, management issues, proper training for employees and other general cybersecurity issues have not been discussed. The technical set-up of ICS also poses inherent security challenges. Decisions about ICS software are in many cases not made centrally by
14
Antônio Carlos Bastos de Godói
corporate IT, but, rather, at the unit or field level, which results in products from different providers, technologies, and security standards. The decadeplus life cycle of ICS systems adds to the diversity problem, making it challenging to standardize, upgrade, and retrofit these instruments.
3.2. Risks for ICS in the Oil and Gas Sector In the oil and gas industry, the use of digital instrumentation at field level to process, analyze and act upon collected data close to operations rather than at centralized processing sites, have taken cyber risks into the front line of upstream operations. For instance, a hacker could disrupt the oil extraction process by modifying the parameters of the motor speed and thermal capacity of the instruments. Across the downstream sector, the risks are unequally distributed, as is illustrated in Table 1. The most critical are related to safety equipment, high pressure and high temperature processes which could lead to harmful conditions. Loss of electric power, cooling water, or steam generation could result in fire hazards, as well as refinery shutdowns. The contrasting priorities of companies’ operation technology and information technology departments further intensify risks and vulnerabilities. Systems close to drilling and well site operations such as sensors and programmable logic controllers are intended to run uninterruptedly, having availability as their primary attribute, followed by integrity and confidentiality. In contrast, enterprise IT systems such as ERP, hold a reverse priority order of confidentiality, integrity, and availability. These opposed objectives stand out in drilling and production control, where engineers fear that strict security measures could bring unacceptable latency into time critical systems, compromising operational response. Not all vulnerabilities stem from the technologies, also behavioral aspects come into play. For instance, a lack of security awareness within the organization can inadvertently expose systems to cyberattacks, such as
Risk
Business Function Scenario Unauthorized shutdown of plant utilities control system Explosion, loss of materials, equipment, damage, and unsafe conditions for personnel and adjacent populations
Tampering with market data and transaction systems
Increased financial risk exposure, loss of revenue, failure to meet business commitment, and reputational damage
Refinery operations
Supply and trading
Logistics and management Theft of inventory data on crude oil and refined products Reputational damage and failure to meet business commitments Explosion, spillage, environment damage, and unsafe conditions for personnel and adjacent populations
Storage and transfer Unauthorized access to and manipulation of pipeline systems Loss of revenue, reduced utilization of distribution network, failure to meet business commitments, and reputational damage
Loss of trucking dispatch information
Distribution
Table 1. Examples of potential downstream cybersecurity risks (adapted from [21])
Theft of customer credit card and sales data Financial liabilities, increased regulatory oversight, and reputational damage
Retail
16
Antônio Carlos Bastos de Godói
when employees bring media infected with malware into the environment. In addition, many employees believe their systems are an unlikely target, being reluctant to change their behavior and adopt new security protocols. In fact, not long ago they could simply assume their equipment were immune, which is no longer true since controllers and sensors can be altered in order to give misleading values and status information. Weather conditions, human error, and equipment fatigue can no longer be assumed as the main cause of process failures, since malicious manipulation of the systems should also be carefully considered. Whether a security breach is intentional or unintentional, the outcomes can be catastrophic, ranging from compromising sensitive information to triggering system failure.
4. CYBERSECURITY MANAGEMENT IN THE OIL AND GAS INDUSTRY While integrating effective cyber security measures into ICS is necessary, if not becoming mandatory, in order to get there, companies must reconcile the divergent points of view of IT and operations. In [22] the adoption of the bowtie method is suggested to bridge this gap. The bowtie analysis is a well-known method used in engineering for failure mode evaluation that can be applied for the oil and gas company, as shown in Figure 5. In addition, as illustrated in Figure 6, a diagram can be used to depict how cyber threats impact the three main areas of oil and gas industry, describing the risks for cyberattack scenarios within upstream, midstream and downstream sectors. Once the risks are identified, an oil and gas company should assess the maturity of its cyber security controls within the operational environment. Notwithstanding the fact that not every risk can be mitigated, it’s important to determine which controls are implemented and what should be improved. A multi-disciplinary effort involving team of business, operations, engineering, and IT security professionals is required to
Cyber Threats for the Oil and Gas Sector …
17
Figure 5. Example of a “Cyber Risk” bowtie analysis for an oil and gas company (adapted from [22]).
Figure 6. Impacts of cyberattacks on upstream, midstream and downstream oil and gas sectors (adapted from [22]).
18
Antônio Carlos Bastos de Godói
establish how potential cybersecurity vulnerabilities involve threats to business. After the risks have been understood, a unified program is required to address cybersecurity systematically across the business and operations. Although, building and implementing a program of this nature represent a multi-year effort, each phase should have the same objective, moving up the maturity scale to reach a secure and resilient ICS environment.
4.1. Addressing Cyber Threats: Assessment and Mitigation Strategies In the following, cyber risk assessment and possible mitigation strategies are presented, as further discussed in [22, 23], within the upstream and downstream oil and gas segment: 1. Upstream Sector Assessing vulnerability: Upstream stages (exploration, development, and production and abandonment) have a distinct cyber vulnerability and severity profiles, as illustrated in Figure 7. In addition, within a stage, such as development, field development planning has a different cyber risk profile than development drilling. Although each operation need to be secured, prioritizing the most critical, risk-prone is central for establishing a risk management strategy. Below, the most critical and risk-prone operations in each stage are discussed: Exploration: Of the three major stages, exploration has the lowest vulnerability and severity profile. Its cyber vulnerability is considered low since the first two operations, seismic imaging and geological and geophysical surveys have a closed data acquisition system. The likely financial impact of a cyberattack on geological, geophysical and seismic imaging is low, as attacking this operation would hardly cause harm or business disruption. However, in this operation, competitive data is at most risk, and an attack might
Cyber Threats for the Oil and Gas Sector …
19
remain unnoticed due to no visible impacts. Although, the current exploration workflow has a relatively safe cyber risk profile, companies are increasingly using advanced gravity wave sensors to improve accuracy of subsurface imaging and putting more seismic data to use by digitizing, storing, and processing it on supercomputers. Expanding software-based, high-performance computing would enable IoT-based value creation, however the impact of cyberattack would be greater. Development: Within the oil and gas value chain, development of oil and gas wells is an operation particularly exposed to cyber incidents. The development drilling operation involves similar techniques to those used in exploratory and appraisal drilling, but has a much bigger cyberattack vector, due to higher drilling activity, expensive infrastructure and services both above and below the surface, and a complex ecosystem of engineering firms, equipment, drillers and service firms, partners and consultants. As with the vulnerability factor, the severity of a cyberattack is highest in the development drilling operation. This phase has the highest future opportunity cost across all risk categories, whether it is an asset loss, business disruption, regulatory fines, IP theft, reputation damage or safety incident. The other two main phases of development, field development planning and well completions, have relatively lower cyber risk profiles. Field development planning has few real-time connections with other operations, but involves many areas such as geology, geophysics, reservoir management, therefore offering many entry points. The well completion process has a high probability of slipping into the highrisk zone. The industry is aggressively prototyping innovative connected technologies to reduce well completion time through real-time monitoring and advanced software. Production and abandonment: The production operation ranks highest on cyber vulnerability in upstream mainly because of its legacy asset base, which was not built for cybersecurity but has been retrofitted and patched over the years, and lack of monitoring
20
Antônio Carlos Bastos de Godói
tools on existing networks. In addition, the integrated industrial control systems are increasingly connected to the company’s enterprise resource planning. With a significant portion of global oil and gas production controlled by resource planning systems, this part of value chain faces cyber risks both from the top (IT systems) and bottom (hardcore legacy operation technology systems in the field). Therefore, the consequence of a cyberattack on production could be serious, affecting both the top and bottom lines. The last stage of the value chain, well intervention, workover, and abandonment, has a lower vulnerability profile, as the process mostly involves mechanical alteration, well diagnostics, and replacement and maintenance work. However, lately, vendors are increasingly adopting interoperable equipment and standard software platforms and HMIs to reduce costs, which in turn are raising risks. Mitigating cyber risks: Forming risk mitigation strategies is the next step, after ascertaining the vulnerabilities. This can be accomplished by focusing equally on gaining more insight into threats and responding more effectively to reduce their impact. So, for oil and gas strategists, a question is how to make the most critical operations – seismic imaging in exploration, drilling in development, and well production and abandonment – secure, vigilant and resilient. Next, potential mitigating strategies are presented for each of the critical operations, considering that the companies already have standard IT solutions in place: Exploration: Considering the substantial cost of data that can be stored, such as those from a seismic imaging project, having a trusted backup is essential to ensure that even if the actual data is compromised, the processing and interpretation of seismic data continue or remain resilient. With a shift toward digital storage and processing of data using multiple nodes, a company’s backup workflow also needs to align with this framework. Development: The drilling control system represents a key component of the operation sector, and a rogue software that seizes
Cyber Threats for the Oil and Gas Sector …
21
the control to manipulate essential parameters could result in angular deviation of the well, sudden fluid influx, and well integrity issues, leading to significant additional costs and putting both people and the environment at risk. Considering the complex ecosystem of vendors and equipment in drilling, a company can secure its operations by pre-testing new systems, equipment, and software before they enter the mainstream system. A company needs a holistic vigilant strategy, considering that securing every drilling asset is nearly impossible and additional security features may interfere with the availability of operations or slow down time-sensitive decision making.
Figure 7. Cyber vulnerability/severity matrix by upstream operations (adapted from [23]).
Production and abandonment: onshore industrial control systems that handles critical infrastructures should be managed with special focus on security due to the risks involved and strategic importance of the assets. For instance, a worm deployed
22
Antônio Carlos Bastos de Godói on an ICS could make changes to logics in PLCs and bypass the protective gearbox for motor pumps, eventually leading to suboptimal oil production and rupturing of wells. A holistic patchmanagement program using risk-based approach can be adopted by the company as an alternative to manage the security risks. This would require inventorying the assets, doing a detailed vulnerability/severity assessment for each asset, and prioritizing and scheduling updates promptly for critical assets. By correlating threat feeds from external sources with internal cyber data, a company can elevate its vigilance by identifying and managing threats early. It is essential for an oil and gas company to share, build, and monitor around key indicators of compromise from external sources, particularly knowing that cyberattacks on the industry’s SCADA system have a long history, with many attacks reemerging in one form or the other. For rapidly containing the damage, a company can practice responding through cyber war games or simulations. This could be particularly important with people involved in responding to incidents offshore or working in remote locations.
2. Downstream Sector Assessing vulnerability: In the case of downstream, equipment such as valves, compressors and pumps, not to mention entire separation and reaction trains, are monitored and controlled by sensors, algorithms and increasingly interconnected architecture. Over the time, the overlap between information technology and operation technology has increased, so a robust defense model, as shown in Figure 8, is required to outline the different sources of risk throughout the business and potential controls to mitigate the threats. This approach demonstrated the distribution of potential threats and how far they can reach.
Cyber Threats for the Oil and Gas Sector …
23
Figure 8. Layered security approach for vulnerability risk assessment (adapted from [21]).
Mitigating cyber risks: Once companies have identified risks, they should develop a framework to outline their overall cybersecurity strategy. Moreover, they need to make operations secure, vigilant and resilient. In the oil and gas sector, this means identifying the key building blocks to control risks across refineries and business units as well as developing the corporatelevel strategy needed to implement them. The companies also need to make sure that they have the process, technology and right people in place. The cybersecurity maturity level, as illustrated in Figure 9, offers a framework to appropriately tackle the problem, identifying the relative maturity levels of behaviors and key controls that should be in place to limit the risks. The rationale behind this model is that as companies identify new vulnerabilities and risks to business-critical operations, their defenses need to adapt. Using the framework can also bring together the key stakeholders across the company. For example, if the organization identifies personnel as a potential vulnerability, executives from across the talent, training, and IT sector can develop new training actions to improve cyber awareness. Security, vigilance and resilience should be considered as the ultimate goals for the cyber
24
Antônio Carlos Bastos de Godói risk prevention and mitigation approach. Below, these three key objectives as well as strategies to achieve them are further discussed:
Figure 9. Cybersecurity maturity framework applied to downstream operations (adapted from [21]).
Security: A system is considered secure if it has minimal exposure to potential cyber breaches. In this regard, companies should consider isolating potential attack surfaces, limiting unnecessary system interconnections, and restricting access to those who have
Cyber Threats for the Oil and Gas Sector …
25
been well vetted and properly trained. For example, refineries should consider separating business and operational systems. In some cases, organizations should also consider isolating critical process control loops altogether; Vigilance: A vigilant system is the one that has the appropriate tools to monitor processes and identify intrusions. The downstream value chain requires more than the ordinary firewall. One approach could be to take advantage of increasingly available connectivity and computing power to build automated security systems. Intelligent security systems, ideally would assess risks on their own and determine which issues could be fixed automatically and alert the cybersecurity team about the rest; Resilience: A system that has the capacity to operate continuously despite intrusions is resilient. Training employees to identify and isolate compromised systems and processes is a good starting point. Redundancy will likely be a key, as maintaining backup systems could provide fast restart capabilities following the elimination of a threat. Inherently safe design combined with manual bypasses could play a role as well. For logistics or commodity trading, duplication of data may be critical. Outsourcing functionality to external cloud computing might represent a solution.
CONCLUSION During the past few years, the traditional oil and gas industry has undergone technological changes in ICS which has become increasingly similar to corporate IT. As the industry is moving into the next stage of evolution, whereby the Internet of Things, robotics and digitization are integrated into the operational infrastructure, the interest of cyber criminals as well as the attack surface have increased. As the interconnectedness marches on, the risks and possible catastrophic impacts facing the oil and gas sector have made cybersecurity a prominent topic in the industry. In
26
Antônio Carlos Bastos de Godói
order to cope with attacks escalating in frequency and sophistication, organizations are developing transformation programs to address these new operational threats. However, solving these challenges requires a clear understanding of both engineering and IT as well as leading sector-specific cybersecurity practices to make operational processes secure, vigilant and resilient. Companies are enduring demanding challenges to keep in pace in term of their preparedness, as this requires the organizations to harmonize and align two cultures, engineering and IT. Developing a fully integrated strategic approach to cyber threats is critical to manufacture value chains as they marry operational technology and information technology, the very force driving the next evolutionary stage in industry. In addition, the operation environment demands tailored technical solutions that are not always easy to secure. Thinking about how to address cyber risks at the end of the process is simply likely too late. Cyber security should become an integral part of strategy, design, and operations, considered from the beginning of any new connected factory. Also, there is no simple fix or single product or patch that a company can apply to manage the cyber risks presented by the new manufacturing paradigm. The place to start is assessing the maturity of the cybersecurity controls environment. The extent of risks requires a secure, vigilant, and resilient approach to manage the threats and establish policies and mitigation strategies. Going beyond ordinary operational safety procedures to implement a mitigation program is not only essential for protecting an oil and gas company’s operational integrity amid a growing range of cyber incidents, but also to achieve excellence by taking advantage of the productivity benefits from a digitally integrated environment.
REFERENCES [1]
Li, Defang 2016 “Perspective for smart factory in petrochemical industry” Computers & Chemical Engineering 91:136-148.
Cyber Threats for the Oil and Gas Sector …
27
Leith, H. M., Piper, J. W. 2013 “Identification and application of security measures for petrochemical industrial control systems” Journal of Loss Prevention in the Process Industries 26:982-993. [3] Williams, Jeff and Ciepiela, Piotr 2019 Six cybersecurity issues for oil and gas companies, Ernst & Young Accessed November 7, 2019 (https://www.ey.com/en_us/oil-gas/six-cybersecurity-issues-for-oiland-gas-companies). [4] Singh, S; Sharma, PK; Moon, SY; Moon, D; Park, JH 2019 “A comprehensive study on APT attacks and countermeasures for future networks and communications: challenges and solutions” Journal of Supercomputing 75:4543-4574. [5] McAfee 2011 Global Energy Cyberattacks: “Night Dragon” Accessed November 11, 2019 (https://www.heartland.org/_templateassets/documents/publications/29423.pdf). [6] ICS-CERT 2012 “Gas pipeline cyber intrusion campaign” ICS-CERT Monthly Monitor April 2012” Accessed November 12, 2019 (https://www.us-cert.gov/sites/default/files/Monitors/ICSCERT_Monitor_Apr2012.pdf). [7] N. Perlroth 2012 “In cyberattack on Saudi Firm, U.S. sees Iran fighting back” The New York Times, October 23, 2012 (https://www.nytimes.com/2012/10/24/business/global/cyberattackon-saudi-oil-firm-disquiets-us.html). [8] Symantec, 2012 “The Shamoon Attacks,” Symantec, August 16, 2012 (https://www.symantec.com/connect/blogs/shamoon-attacks) [9] ICS-CERT 2012 ICS Joint Security Awareness Report JSAR-12-24101B: Shammon/DistTrack Malware. Accessed November 12, 2019 (https://www.us-cert.gov/ics/jsar/JSAR-12-241-01B). [10] FireEye 2015 “Cyber threats to the Nordic region” Accessed November 12, 2019 (https://www.fireeye.com/content/dam/fireeyewww/global/en/current-threats/pdfs/rpt-nordic-threat-landscape.pdf). [11] News in English 2014 “Statoil held off hacker attack” Accessed November, 12 2019 (https://www.newsinenglish.no/2014/08/| 28/statoil-held-off-hacker-attack/). [2]
28
Antônio Carlos Bastos de Godói
[12] J. Leyden 2014 “Major cyberattack hits Norwegian oil industry” The Register August 27, 2014 (https://www.theregister.co.uk/2014/ 08/27/nowegian_oil_hack_campaign/). [13] B. Johnson, D. Caban, M. Krotofil, D. Scali, N. Brubaker, and C. Glyer, 2017 “Attackers deploy new ICS attack framework ‘TRITON’ and cause operational disruption to critical infrastructure”, FireEye December 14, 2017 (www.fireeye.com/blog/threat-research/2017/12/ attackers-deploy-new-ics-attack-framework-triton.html). [14] Symantec 2017 “Symantec, Triton: New malware threatens industrial safety systems” Accessed in November 13, 2019 (www.symantec.com/blogs/threat-intelligence/triton-malware-ics). [15] ICS-CERT 2017 “Hatman – Safety System Targeted Malware” ICSCERT) Accessed November 13, 2019 (https://www.uscert.gov/sites/default/files/documents/MAR-17-35201%20HatMan%E2%80%94Safety%20System%20Targeted%20Mal ware_S508C.pdf). [16] Gibbs, S. 2017 “Triton: Hackers take out safety systems in ‘watershed’ attack on energy plant” The Guardian, December 15, 2017 (https://www.theguardian.com/technology/2017/dec/15/tritonhackers-malware-attack-safety-systems-energy-plant). [17] Hemsley, K.; Fisher, R. 2018 “History of Industrial Control System Cyber Incidents” Idaho National Laboratory - December 2018 (https://www.osti.gov/servlets/purl/1505628 accessed in November 13, 2019). [18] Positive Technologies 2019, “ICS vulnerabilities: 2018 in review” Accessed January, 23 2020 (https://www.ptsecurity.com/wwen/analytics/ics-vulnerabilities-2019/?sphrase_id=70216). [19] Doug Black 2017 “ExxonMobil, NCSA, Cray Scale reservoir simulation to 700,000+ processors,” EnterpriseTech, February 17, 2017, (https://www.enterpriseai.news/2017/02/17/exxonmobil-ncsacray-scale-reservoir-simulation-700000-processors/). [20] Graham, J,; Hieb, J.; Naber, J. 2016 “Improving cybersecurity for Industrial Control Systems” IEEE 25th International Symposium on Industrial Electronics (ISIE) – 8-10 June 2016.
Cyber Threats for the Oil and Gas Sector …
29
[21] Slaughter, A.; Zonneveld, P.; Shattuck, T. 2017 “Refining at risk – Securing downstream assets from cybersecurity threats” Deloitte, November 27, 2017 (https://www2.deloitte.com/us/en/insights/ industry/oil-and-gas/securing-downstream-oil-and-gas-assetscybersecurity-threats.html). [22] Zonneveld, P.; Slaughter, A. 2017 “An integrated approach to combat cyber risk – Securing industrial operations in oil and gas” Deloitte (https://www2.deloitte.com/content/dam/Deloitte/global/ Documents/Energy-and-Resources/intergrated-approach-combatcyber-risk-oil-gas.pdf). [23] Mittal, A.; Slaughter, A.; Zonneveld, P. 2017 “Protecting the connected barrels – Cybersecurity for upstream oil and gas” Deloitte (https://www2.deloitte.com/content/dam/Deloitte/ru/Documents/ener gy-resources/DUP_Protecting-the-connected-barrels.pdf).
In: Understanding Cyber Threats and Attacks ISBN: 978-1-53618-336-8 c 2020 Nova Science Publishers, Inc. Editors: B. Mishra and J. Piqueira
Chapter 2
E XPLORING THE D ELAYED AND O PTIMALLY C ONTROLLED DYNAMICS OF M ALICIOUS O BJECTS IN C OMPUTER N ETWORK Sangeeta Kumari∗ and Ranjit Kumar Upadhyay† Department of Mathematics & Computing, Indian Institute of Technology (Indian School of Mines), Dhanbad, Jharkhand, India
Abstract In this chapter, we explore the spread dynamics of malware propagation in computer network. A SIRS (Susceptible - Infected - Recovered Susceptible) type e-epidemic model is proposed using saturated incidence rate and sigmoid type recovery rate. Our main focus is to investigate the effect of time delay and optimal control on the system dynamics. Existence, stability and bifurcation analyses of the equilibria are performed. Furthermore, we design an optimal control strategy for the proposed system to extend the stability region and reduce the number of infected nodes in computer network. Numerical simulations are performed for validating the theoretical results with the help of MATLAB. The importance of data packet transmission rate and the processing time delay on the system dynamics has been investigated. A threshold value is calculated to ensure the eradication or persistence of malware and explored its dynamics with ∗ Corresponding Author’s † Corresponding Author’s
Email: [email protected]. Email: [email protected] (Corresponding author).
32
Sangeeta Kumari and Ranjit Kumar Upadhyay the help of contour plot. Based on the obtained results, most effective measures are suggested to control the spread of malicious entities.
Keywords: time-delay, computer network, stability analysis, Hopf-bifurcation, optimal control
1.
INTRODUCTION
Time-delay systems interpretation has become a prominent field of research because of its monotonous presence in control theory and engineering applications such as in-network control systems, chemical processes, metallurgical processing systems, engine cooling systems, manufacturing and so forth [1, 2]. Different time delays included into the mathematical models for describing the system dynamics of computer and wireless networks [3, 4]. Delay differential equations exhibit complex dynamics compared to ordinary differential equations (ODEs) as a time delay can lead a stable equilibrium into unstable and destabilise the host. Many authors [5–9] deal with different types of recovery functions. Recovery of the node is an essential mechanism to control the node’s crashing to some extent and eradicate the malware from the network. Malware includes computer viruses along with other malicious software like computer worms, spyware, ransomware, trojan horses, adware, rootkits, bootkits, keyloggers, malicious browser helper object and so on. Most active malware threats are actually computer worms or trojan horse program instead of computer viruses. Usually, viruses execute some harmful activity on infected host computers as occupy hard disk space or central processing unit time, access and steal private information, corrupt data, display political, humorous or threatening messages on the user’s screen, spam the e-mail contacts, log their keystrokes, or even make the computer useless. However, not all viruses import a lethal payload and try to hide themselves; its characteristic is that they are self-replicating computer programs which modify other software without user permission. If we think about the incidence rate, then first comes in mind is the bilinear incidence rate β SI. Bilinear incidence rate is repeatedly used in the modeling, however there are many reasons for its alteration or modification. For instance, β SI β SI the saturated incidence rate of the forms 1+aS and 1+bI are formulated as the crowding effects of infective and behavioral changes of susceptible individuals [10, 11]. These incidence rates appear more reasonable compared to the bilinear incidence rate β SI, as they introduce the behavioral changes of susceptible en-
Exploring the Delayed and Optimally Controlled Dynamics ...
33
tities and crowding effect or protection measure of the infective entities which prevent the unboundedness of the contact rate by selecting appropriate parameters. Moreover, other forms of nonlinear incidence rates are also frequently used in many articles [12–14]. Recovery is an effective method which can be used to control the spread of malware within a network. In e-epidemic models, the treatment/recovery function depicts the probability at which each infected node has receiving the treatment against the malware at a given time. Numerous models included treatment rates by assuming proportional to the number of infected individuals. Exquisitely, if we face a treated infected node, all infected nodes should have updated anti-malicious software. However, limited nodes have anti-malicious softwares, hence a saturated recovery or treatment functions is more realistic as it tend to a finite limit as the number of infected node increases [4, 10, 11, 15, 16]. Liu et al. [17] discussed the dynamics of the SIRS model with incubation time delay on a scale-free network. In fact, multifarious models, include compartment models [18–20], node-based models [21, 22], spatial models [23, 24], optimal control models [25–27] and game model [28], have been suggested mainly. Nevertheless, there are few researches concerning the combined effects of logistic growth rate, saturated incidence rate and treatment or recovery rate on the viral spread. Main objectives of investigating the temporal (1) and delay system (12) are listed below. • How malware propagates throughout the networks? • Is the malware spread probabilities increase or decrease by varying the threshold condition? • Are the processing time delay and recovery of infected nodes responsible for controlling the malware spread in the network? • Is the introduction of optimal control variable is effectively reduces the infection from the network? This chapter is structured as: In the next Section 2, the existence of equilibrium points, linear and nonlinear stability analysis of the non-delay system are investigated. Optimal control analysis of non-delay system are performed in Section 3. In Section 4, stability of delay system and direction and stability of Hopf bifurcation are established. Numerical simulation is performed in the
34
Sangeeta Kumari and Ranjit Kumar Upadhyay
required respective sections. Finally, we give a brief discussion of our results in Section 4.1.
Model Formulation and Assumptions We have divided the host into three classes: susceptible (S), infected (I) and recovered (R). A node is susceptible if it is in healthy condition, i.e., free from the malware, whereas is prone to the infection by the malware. If a node is contaminated by malware, then it comes under infected node. An infected node transmits multiple copies of the malware to its susceptible neighbor while sending control messages or data to them. Recovered nodes are immune to the malware. Now, we consider the following facts or model assumptions: (i) Susceptible node increases according to logistic growth rate rS 1 − KS with node multiplication rate r and carrying capacity K due to the limited coverage of the sensor network. System is realistic at the initial phase of the malware emergence, since the infected node number is rare [29]. (ii) Malware propagates into the network when an infected data packet transfers from an infected node to a susceptible node. A saturated incidence β SI rate, f (S, I) = 1+aI is assumed, where a is a non-negative constant and β is the data packet transmission rate. In this incidence rate, the number of active contacts between infective and susceptible hosts may saturate at high infective levels due to crowding of infective host or due to protection measures by a susceptible host [30]. This incidence rate is best to the view point of worm control and security purpose in the computer network [31]. (iii) The probability at which susceptible and infected nodes become a recovered node is η and 1+αγ I 2 due to immunization patching. We have h(I) =
α I2 , where I ≥ 0, α > 0, γ > 0. 1 + γ I2
Clearly, we can conclude that h(I) is continuously differentiable and increasing function of I as h(0) = 0, h0 (I) > 0, and lim h(I) = I→∞
α , γ
Exploring the Delayed and Optimally Controlled Dynamics ...
35
where α /γ is the maximum recovery efficiency of the infected node in the computer network. (iv) Infected node is crashed due to physical damage or energy exhaustion or might crash for experiencing an unexpected resource limit in the network at the rate µ . (v) The rate at which a recovered node becomes susceptible is δ because of losing temporary immunity. Now, considering all the assumptions as mentioned earlier, malware propagation model in the computer networks is presented by the following set of ODEs: dS β SI S = rS 1 − − − η S + δ R, dt K 1 + aI dI β SI α I2 (1) = − − µ I, dt 1 + aI 1 + γ I 2 dR α I2 = ηS + − δ R. dt 1 + γ I2 with the initial conditions (ICs) S(0) > 0, I(0) ≥ 0, R(0) ≥ 0. All the parameters of system (1) are positive constants.
Boundedness of the System Investigating positiveness and boundedness of the system (1) is important from mathematical point of view as it confirms that the system is well-posed or not. We therefore, will prove the system (1) is uniformly bounded. 2
K(r+ζ ) Theorem 1.1. Set Ω = {(S, I, R) ∈ R+ } is the 3 : 0 < W = S+I +R ≤ 4r ζ region of attraction for all solutions initiating in the interior of positive octant independent on ICs, where ζ is a constant such that ζ < µ .
Proof. Let us suppose W (t) = S(t) + I(t) + R(t), ∀t. Then differentiating W (t) with respect to time along the solution of temporal system (1) is dW S = rS 1 − − µ I. dt K
36
Sangeeta Kumari and Ranjit Kumar Upadhyay
Now for each ζ > 0, the following inequality holds r dW + ζ W = (r + ζ )S − S2 − (µ − ζ )I, dt K K(r + ζ )2 r K(r + ζ ) 2 = − S− − (µ − ζ )I, 4r K 2r K(r + ζ )2 ≤ − (µ − ζ )I. 4r Right-hand side of the above expression is bounded if we take ζ < µ . That is, dW K(r + ζ )2 + ζW ≤ . dt 4r Referring the comparison lemma for t ≥ Te ≥ 0. Then K(r + ζ )2 K(r + ζ )2 e − −W (Te) e−ζ (t−T ) . W (t) ≤ 4r 4r For Te = 0, we have
W (t) ≤
K(r + ζ )2 K(r + ζ )2 − −W (0) e−ζ t . 4rζ 4rζ
For large value of t, we have lim sup W (t) ≤ t→∞
K(r + ζ )2 . 4rζ
Hence, all the nodes are uniformly bounded for any initial value in K(r + ζ )2 + Ω = (S, I, R) ∈ R3 : 0 < W = S + I + R ≤ . 4rζ
2.
E XISTENCE OF E QUILIBRIA AND STABILITY A NALYSIS OF THE MODEL SYSTEM
Three non-negative equilibrium points exist for the system (1). They are trivial equilibrium E0 (0, 0, 0), malware-free equilibrium E1 K, 0, Kδη and malwareinduced equilibrium point E ∗ (S∗ , I ∗ , R∗ ).
37
Exploring the Delayed and Optimally Controlled Dynamics ...
Threshold Condition Basic reproduction number (or threshold condition R0 ) is the number of secondary infections produced by a single infected nodes during the mean course of infection in a completely susceptible cases [32]. By using the next generation matrix approach [33], we construct F and V as follows.
β SI α I2 , V = + µ I. 1 + aI 1 + γ I2 Now, differentiate F and V with respect to I in order to find F and V . F=
F=
βS , (1 + aI)2
V=
2α I + µ. (1 + γ I 2 )2
Now the next generation matrix K at the malware-free equilibrium point E1 is given by
βK . µ Hence, basic reproduction number R0 is given by the spectral radius of K as K = FV −1 =
βK . µ Now, in terms of finding malware-induced point, S∗ and R∗ can be written in terms of parameters and I ∗ from the second and third equations of system (1). R0 = ρ {K } =
S∗ =
1 + aI ∗ β
α I∗ + µ , 1 + γ I∗ 2
R∗ =
α I ∗ (β I ∗ + η (1 + aI ∗ )) + (1 + aI ∗ )(1 + γ I ∗2 )η µ . β δ (1 + γ I ∗ 2 )
From the first equation of system (1), I ∗ can be given by the following polynomial p6 I ∗ 6 + p5 I ∗ 5 + p4 I ∗ 4 + p3 I ∗ 3 + p2 I ∗ 2 + p1 I ∗ + p0 = 0, where p0 =r µ 2 (1 − R0 ) < 0,
p1 =µ K β 2 + µ r(α + aµ )(2 − R0 ),
p2 =r((α + aµ )2 + aα µ (2 − R0 ) + 2γ µ 2 (1 − R0 )),
p3 =2arα (α + aµ ) + 2β 2 K γ µ + γ r µ (2aµ + α )(2 − R0 ), p4 =r(γ 2 µ 2 (1 − R0 ) + aαγ µ (4 − R0 ) + a2 (α 2 + 2γ µ 2 )), p5 =γ µ (2a2 rα + K β 2 γ + arγ µ (2 − R0 )),
p6 =r(aγ µ )2 > 0.
(2)
38
Sangeeta Kumari and Ranjit Kumar Upadhyay
According to Descartes’ rule of signs, there exist at least one positive root for the polynomial (2), if R0 > 1 as the coefficients p0 is negative and p6 is positive. From Eq. (2), one can obtain I ∗ and hence S∗ and R∗ as well. Now, Jacobian matrix J of the system (1) is given by, βI r 1 − 2S K − 1+aI − η βI J = 1+aI η
βS − (1+aI) 2
βS (1+aI)2
− (1+2αγ II2 )2 − µ 2α I (1+γ I2 )2
δ
0 . −δ
The characteristic equation of Jacobian J at E0 (0, 0, 0) is given by (λ + µ )(λ 2 + (−r + δ + η )λ − rδ ) = 0. One of the root of this characteristic equation, −µ is clearly negative, and the other two roots are positive, or one is positive and another is negative depending on r < δ + η orr > δ + η. Thus, E0 is unstable. Characteristic equation of Jacobian J at E1 K, 0, Kδη is (λ + µ − β K)(λ 2 + (r + δ + η )λ + rδ ) = 0. One of the root is (β K − µ ) = −µ (1 − R0 ), and another two roots are negative or have negative real parts. Therefore, E1 is locally asymptotically stable (LAS) if R0 < 1 otherwise unstable. Stability conditions for the malware-induced equilibrium point is given in Eq. (16). Contour plots, also known as level plots, are a way of showing a 3-dimensional surface on a 2dimensional plane. It graphs two predictor parameters or variables on the y-axis and a response variable R0 as contours. A contour plot is most suitable to see how the value of R0 changes as a function of two input parameters. In figure 1, contour plots demonstrate the variation in R0 with transmission rate β , carrying capacity K and crashing rate of infected node µ . We can observe that minimum values of transmission rate and carrying capacity will bring the value of R0 less than one i.e., will prevent the network from the infection. For the considered set of parameter values mentioned in Eq. (35), malwareinduced equilibrium point, E ∗ (55.779, 140.949, 56.4456) settled down to an asymptotic state at τ = 0 which is verified by the R-H criterion as all the three conditions of Eq. (16) hold, and also its eigenvalues λ1 = −2.83603, λ2 = −0.695426, λ3 = −0.395856 are negative. At β = 0.006, basic reproduction number is R0 = 0.857143 < 1, i.e., malware-free equilibrium point E1 (100, 0, 100) exists, and it is LAS (c.f. figure 2(a)). Since the infected node vanishes, hence the system has strong defense mechanism and is robust against possible malware attacks. Branch point exists at β = 0.007 as R0 = 1, indicates the occurrence of transcritical bifurcation at this point. At β = 0.05, malware-induced equilibrium E ∗ (97.9564, 11.439,98.6175) takes
39
Exploring the Delayed and Optimally Controlled Dynamics ...
0.9
1.5
1
1
0.8
0.5
0.4
0.6
0.4
0.2
1
1.5
1
2
0.3
0.5 0
8 1.
0.005 β
2
0.5
1. 4
1.5
0.25
6
1.
1
0.8
0.6
0.2
0.6
0.4
1
1. 2
1.
4
0.7
0.5
µ
1. 2
0.8
0.6
0.4
µ
0.2
0.8
1
0.35
0.2 0
0.01
50 K
(a)
5
2.
100
(b) 5
2.
1
1
1.5
3
2
0.5
0.8
2.5 1. 5
1
2
β
0.6
1.5
1
5 0.
0.4
1
0.5
0.2 0 0
0.5
0.5
1
1.5
2
2.5
K
(c)
Figure 1. Contour plots display the variations in R0 with (a) β and µ at K = 100, (b) K and µ at β = 0.006, (c) K and β at µ = 0.7. Other parameters are same as mentioned in Eq. (35). place as R0 = 7.14286 > 1, shown in figure 2(b). Hence we conclude that as the value of malware transmission rate increases, density of infected node also increases. In figure 3(b), BP stands for branch point1 and H stands for neutral saddle point2. This figure represents the existence of transcritical bifurcation at β = 0.007. 1A 2A
(bifurcation) point where a system switches its stability as well as equilibria. point where sum of all the eigenvalues of system is zero.
40
Sangeeta Kumari and Ranjit Kumar Upadhyay R0 = 0.857143
R0 = 7.14286
120
100
100
80
Nodes
60
Nodes
S I R
80
40
60 40 20
20 0 0
S I R
10
20
30
40
0 0
50
10
20
Time
30
40
50
Time
(a)
(b)
Figure 2. Time series of all the nodes at (a) β = 0.006 and (b) β = 0.05. Values of all other parameters are same as mentioned in Eq. (35). 3
1 β=0.006 (R =0.857143) 0
2
β=0.008 (R =1.14286) 0
1
0.6 I
Infected node
0.8
0.4
0
0.2
−1
0 0
50 Time
(a)
100
−2 H 0
BP
H
H
0.005
0.01 β
0.015
0.02
(b)
Figure 3. (a) Effect of transmission rate β , (b) Occurrence of transcritical bifurcation at β = 0.007. Values of all the other parameters are same as mentioned in Eq. (35).
Global Stability Analysis Global stability assures that in an extensive network with an unspecified number of users and at any condition, the rates are properly controlled network blockage conditions accordingly so that bottlenecks are entirely used and at that time congestion collapse is evaded [34]. Global stability for malware-free equilibrium and malware-induced points will be perform using Lasalle’s principle and Lyapunov direct method, respectively.
Exploring the Delayed and Optimally Controlled Dynamics ...
41
Theorem 2.1. If R0 < 1, the system (1) at the malware-free equilibrium point Kη E1 K, 0, δ is globally asymptotically stable (GAS).
Proof. In order to prove the malware-free equilibrium E1 is GAS, we construct the following Lyapunov function V (S, I, R) =
Z S ξ1 − K K
ξ1
d ξ1 + I +
Z R ξ2 − Kδη Kη δ
ξ2
d ξ2 .
Now in order to show the derivative of V (S, I, R) to be negative definite, we differentiate it with respect to time t and have S˙ K η R˙ V˙ (S, I, R) =(S − K) + I˙ + R − , S δ R S βI δR β SI α I2 =(S − K) r 1 − − −η + + − − µI K 1 + aI S 1 + aI 1 + γ I 2 Kη α I2 + 1− ηS + − δR , δR 1 + γ I2 S β KI δ KR Kη α I2 =r(S − K) 1 − ηS + , + − µ I + 2η K − − K 1 + aI S δR 1 + γ I2 r δ KR Kη α I2 ηS + ≤ − (S − K)2 + β KI − µ I + 2η K − − , K S δR 1 + γ I2 r δR Kη α I2 = − (S − K)2 − (1 − R0) µ I − K − 2η − ηS + . K S δR 1 + γ I2
Furthermore, V˙ = 0 at E1 K, 0, Kδη . Therefore, the largest compact invariant set in {(S, I, R) ∈ Ω : V˙ = 0} is the singleton E1 . Sufficient condition for V˙ (S, I, R) to be negative definite require the conditions R0 < 1. By the LaSalle’s invariance principle theorem [35], the system (1) at the point E1 is GAS if R0 < 1. Next, we will find sufficient conditions for the malware-induced equilibrium point E ∗ to be GAS. Theorem 2.2. Let the malware-induced equilibrium point E ∗ (S∗ , I ∗ , R∗ ) is LAS i.e., (16) satisfies. Then it is globally stable in interior of the positive octant R3+ if the conditions
42
Sangeeta Kumari and Ranjit Kumar Upadhyay ! α I ∗2 ∗ + η S , 1 + γ I ∗2 4α 2 (I ∗ + M2 )2 β aS∗ α 1 1 < ∗ + − γ M2I ∗ , 2 2 2 ∗ ∗ ∗ 2 ∗ R (1 + aI ) (1 + aM2)(1 + aI ) 1 + γ I M3 (1 + γ I ) 1 + γ M2
γ M2 I ∗ < 1,
4
δ η + M1 M3
2
0, i.e., optimal control problem have minimum value at control variable u∗ . Then, we substitute u∗ in the control system (4) to
46
Sangeeta Kumari and Ranjit Kumar Upadhyay
solve the optimality system, and have the following system: dS∗ β S∗ I ∗ β S∗ I ∗ S∗ =rS∗ 1 − − 1 − max min (λ2 − λ1 ) , 1 , 0 dt K B(1 + aI ∗ ) 1 + aI ∗ − η S∗ + δ R∗ , β S∗ I ∗ β S∗ I ∗ α I ∗2 dI ∗ , 1 ,0 − − µ I∗, = 1 − max min (λ2 − λ1 ) ∗ ∗ dt B(1 + aI ) 1 + aI 1 + γ I∗2 dR∗ α I ∗2 − δ R∗ , =η S∗ + dt 1 + γ I∗2 (10)
with
H∗
at
(t, S∗, I ∗ , R∗ , u∗ , λ
H ∗ = AI ∗ +
1 , λ2 , λ3 )
so that
2 B β S∗ I ∗ . max min (λ2 − λ1 ) , 1 ,0 2 B(1 + aI ∗ )
(11)
Now, numerically we solve the systems (10) and (11) to fine the optimal control solution and states.
Numerical Simulation for Control Problem The optimal system is solved by an indirect method (see [26, 27, 37]) using fourth order Runge-Kutta (R-K) method. This approach consists of solving transversality conditions, state and adjoint equations. We will implement the following algorithm in order to obtain optimal control for the system (4) using MATLAB: Step 1. Initialize with an assumed value for the desired control. Step 2. Determine the state equations using 4th order forward R-K method. Step 3. Solve the adjoint system using the obtained solutions from Step 2 with the aid of 4th order backward R-K method (due to the transversality conditions). Step 4. Restore the control variable u by using a convex combination of the initial control and control characterization. Step 5. Repeat the Steps 2-4 until the variables are in good agreement with the unknowns from previous iterations, if yes, then stop and choose the current values as the solutions.
47
Exploring the Delayed and Optimally Controlled Dynamics ...
Now, we plot the optimal curves by considering the weight constants A = 100 and B = 2. Solid and dashed lines display the system without control and with control. Figures 4(a) and 4(c) clarify that the number of susceptible and recovered nodes with control is higher as compared to without control and in figure 4(b), the plot shows that level of infected node with control decreases as compared to without control. Figure 4 clearly demonstrate the positive impact of employing control measures by increasing the susceptible and recovered nodes density and reduce the infected node density for the considered crucial parameter values. 150
60 Infected node
Susceptible node
70
50 40
50
without control with control
30 20 0
100
50
100 Time
150
without control with control 0 0
200
50
(a)
150
200
150
200
(b)
80
1 0.8
60
0.6 40
u
Recovered node
100 Time
0.4 20 0 0
without control with control 50
100 Time
(c)
150
200
0.2 0 0
50
100 Time
(d)
Figure 4. Dynamical behaviour of (a) Susceptible node, (b) Infected node, (c) Recovered node with and without control (d) Control variable. Other parameters are same as given in (35).
48
4.
Sangeeta Kumari and Ranjit Kumar Upadhyay
D ELAY SYSTEM A NALYSIS
In this section, introducing τ as the processing time delay that taken by the recovered node at the time of their immunity loss. Then the delay differential equation is given by dS β SI S = rS 1 − − − η S + δ R(t − τ ), dt K 1 + aI dI β SI α I2 (12) = − − µ I, dt 1 + aI 1 + γ I 2 dR α I2 = ηS + − δ R(t − τ ). dt 1 + γ I2 with the ICs S(θ ) =ϕ1 (θ ) ≥ 0, I(θ ) = ϕ2 (θ ) ≥ 0, R(θ ) = ϕ3 (θ ) ≥ 0,
θ ∈ [−τ , 0], ϕi (0) > 0; (i = 1, 2, 3),
(13)
where ϕ : [−τ , 0] → R3 with ||ϕ || = sup {|ϕ1 (θ )|, |ϕ2(θ )|, |ϕ3 (θ )|}, −τ ≤θ ≤0
such that ϕ = (ϕ1 , ϕ2 , ϕ3 ). All the parameters are positive. Let us linearize the system (12) at E ∗ using the following transformations as the perturbed variables. x(t) = S(t) − S∗ , y(t) = I(t) − I ∗ and z(t) = R(t) − R∗ . Then we obtain the following system S∗ β I∗ β S∗ x˙ = r 1 − − − η x(t) − y(t) + δ z(t − τ ), K 1 + aI ∗ 1 + aI ∗ β I∗ β S∗ α I∗ y˙ = x(t) + − − µ y(t), 1 + aI ∗ 1 + aI ∗ 1 + γ I ∗ 2 α I∗ z˙ =η x(t) + y(t) − δ z(t − τ ). 1 + γ I∗2
Exploring the Delayed and Optimally Controlled Dynamics ... Now the above system can be delayed terms as x(t) a11 a12 d y(t) = a21 a22 dt z(t) a31 a32
where
49
represented in matrix form of non-delayed and 0 x(t) 0 0 δ x(t − τ ) 0 y(t) + 0 0 0 y(t − τ ) , 0 z(t) 0 0 −δ z(t − τ )
2S∗ β I∗ rS∗ δ R∗ a11 =r 1 − − −η = − − ∗ < 0, ∗ K 1 + aI K S ∗ ∗ βS βI < 0, a21 = > 0, a12 = − (1 + aI ∗)2 1 + aI ∗
β S∗ α I ∗ (1 − γ I ∗2 ) 2α I ∗ aβ S∗ I ∗ 1 − − µ = − − < 0 if I ∗ < √ , 2 (1 + aI ∗ )2 (1 + γ I ∗ )2 (1 + aI ∗ )2 γ (1 + γ I ∗ 2 )2 ∗ 2α I > 0. a31 =η > 0, a32 = (1 + γ I ∗ 2 )2 (14)
a22 =
The characteristic equation of the linearized system is
λ 3 + A1 λ 2 + A2 λ + e−λ τ (B1 λ 2 + B2 λ + B3 ) = 0, where A1 = − a11 − a22 , B1 =δ ,
(15)
A2 = a11 a22 − a12 a21 ,
B2 = −δ (a11 + a22 + a31 ),
B3 =δ (−a21 (a12 + a32 ) + a22 (a11 + a31 )). Case 1. Let τ = 0, then the reduced characteristic equation of the system (12) becomes
λ 3 + (A1 + B1 )λ 2 + (A2 + B2 )λ + B3 = 0. According to the Routh-Hurwitz criteria, system (12) at the malware-induced equilibrium E ∗ in the absence of delay i.e., τ = 0 is LAS if the following conditions satisfy a22 + δ ≤ 0,
a11 + η < 0,
a21 a32 ≤ a22 (a11 + η ).
(16)
Case 2. Substituting λ = ιω0 , τ = τ0 in Eq. (15) (for simplicity denoting ω0 and τ0 by ω and τ respectively), we obtain ιω 3 + A1 ω 2 − ι A2 ω + (B1 ω 2 − ι B2 ω − B3 ) cos ωτ − (ι B1 ω 2 + B2 ω − ι B3 ) sin ωτ = 0, (17)
50
Sangeeta Kumari and Ranjit Kumar Upadhyay
Now, collect real and imaginary parts of the above Eq. (17), we obtain (B1 ω 2 − B3 ) cos ωτ − B2 ω sin ωτ = − A1 ω 2 ,
B2 ω cos ωτ + (B1 ω 2 − B3 ) sin ωτ = ω 3 − A2 ω .
Simple algebraic calculations yield
ω 2 ((−A1 B1 + B2 )ω 2 + (A1 B3 − A2 B2 )) , B22 ω 2 + (B1 ω 2 − B3 )2 ω (B1 ω 4 − (A2 B1 − A1 B2 + B3 )ω 2 + A2 B3 ) sin ωτ = . B22 ω 2 + (B1 ω 2 − B3 )2
cos ωτ =
(18)
Now, using the relation sin2 ωτ + cos2 ωτ = 1, we get
ω 6 + (A21 − 2A2 − B21 )ω 4 + (A22 − B22 + 2B1 B3 )ω 2 − B23 = 0.
(19)
Eq. (19) has at least one positive real root ω0 by Descarte’s rule of signs. Thus, we have from Eq. (18)
τl =
(B2 − A1 B1 )ω 4 + (A1 B3 − A2 B2 )ω 2 1 + 2l π cos−1 , ω0 B22 ω 2 + (B1 ω 2 − B3 )2
l = 0, 1, 2, · · · . (20)
Furthermore, let λ (τ ) = ξ (τ ) + ιω (τ ) be the root of Eq. (15) hold ξ (τl ) = 0, ω (τl ) = ω0 (l = 0, 1, 2, · · ·). Then let us define, τ0 = min {τl }. l=0,1,2,···
Lemma 4.1. Transversality condition holds if the following satisfies −1 dλ ℜ 6= 0. dτ τ =τ 0
Proof. First, we will differentiate Eq. (15) with respect to τ , we have −1 dλ 2B1 λ + B2 + (3λ 2 + 2A1 λ + A2 )eλ τ τ = − , dτ λ (B1λ 2 + B2 λ + B3 ) λ 2 ιωτ B2 + 2ιω B1 + (A2 − 3ω + 2ιω A1 )e τ = − . 2 2 −B2 ω + ιω (−B1 ω + B3 ) ιω
Exploring the Delayed and Optimally Controlled Dynamics ...
51
Now, real part from the above equation is collected at the critical point τ0 then we obtain −1 dλ U1V1 +U2V2 ℜ = , dτ V12 +V22 τ =τ 0
where
U1 =A2 − 3ω 2 + ω (2B1 − B2 τ ) sin ωτ + (B1 ω 2 τ + B2 − B3 τ ) cos ωτ , U2 =2A1 ω − (B1 ω 2 τ + B2 − B3 τ ) sin ωτ + ω (2B1 − B2 τ ) cos ωτ , V1 =ω (−B1 ω 2 + B3 ) sin ωτ − B2 ω 2 cos ωτ ,
V2 =B2 ω 2 sin ωτ + ω (−B1 ω 2 + B3 ) cos ωτ . Thus, transversality condition holds if U1V1 + U2V2 > 0 at the critical point τ0 and hence Hopf bifurcation takes place at τ = τ0 . Theorem 4.1. The system (12) at E ∗ (S∗ , I ∗ , R∗ ) is LAS when τ ∈ [0, τ0) and if condition (16) satisfy; otherwise, unstable for τ > τ0 . Furthermore, system undergoes Hopf bifurcation at E ∗ when τ = τ0 provided U1V1 +U2V2 > 0.
4.1.
Stability and Direction of Hopf Bifurcation
In this section, stability and direction of bifurcating periodic solutions of the system (12) will study with the help of normal form theory and center manifold theorem [40]. Space of continuous real-valued functions are defined as C = C([−1, 0], R3 ). Let x = S − S∗ , y = I − I ∗ , z = R − R∗ and normalize the delay t → t/τ . Let τ = τ0 + υ , µ ∈ R, then υ = 0 is Hopf bifurcation value of the system (12) and system can be transformed into the functional differential equation as x˙ = Lυ (Xt ) + F(υ , Xt ),
(21)
where X(t) = (x(t), y(t), z(t))> ∈ C, Xt (θ ) = X(t + θ ), θ ∈ [−1, 0] and Lυ : C → R3 , F(·, υ ) : C × R → R3 are given by Lυ (ϕ ) = (τ0 + υ )[J1 ϕ (0) + J2 ϕ (−1)],
(22)
52
Sangeeta Kumari and Ranjit Kumar Upadhyay
such that
a11 a12 0 J1 = a21 a22 0 , a31 a32 0
0 0 δ J2 = 0 0 0 . 0 0 −δ
The value of ai j ; i, j = 1, 2, 3 are given in Eq. (14). Now β ϕ1 (0)ϕ2 (0) − Kr ϕ12 (0) − 1+a ϕ2 (0) β ϕ1 (0)ϕ2 (0) f ( υ , ϕ ) = ( τ0 + υ ) . 1+aϕ2(0) 0
(23)
By Riesz representation theorem, a function ζ (θ , υ ) exists whose components are of bounded variation for θ ∈ [−1, 0] such that Lυ ϕ =
Z 0
−1
d ζ (θ , υ )ϕ (θ ),
∀ϕ ∈ C.
By considering Eq. (22), we can choose the following function
ζ (θ , υ ) = (τ0 + υ )[J1 δ (θ ) + J2 δ (θ + 1)], where δ (θ ) is Dirac delta function. For ϕ ∈ C1 ([−1, 0], R3), define ( d ϕ (θ ) , θ ∈ [−1, 0), A(υ )ϕ (θ ) = R 0d θ −1 d ζ (s, υ )ϕ (s) = Lυ ϕ , θ = 0,
(24)
and
R(υ )ϕ (θ ) =
0, θ ∈ [−1, 0), F(υ , ϕ ), θ = 0.
Now, the system (21) becomes X˙t = A(υ )Xt + R(υ )Xt , where Xt (θ ) = X(t + θ ) for θ ∈ [−1, 0]. For ψ ∈ C1 ([0, 1], (R3)∗ ), define ( − d ψ (s) , s ∈ (0, 1], A∗ (υ )ψ (s) = R 0 ds −1 d ζ (t, 0)ψ (−t), s = 0,
(25)
53
Exploring the Delayed and Optimally Controlled Dynamics ... and a bilinear inner product hψ (s), ϕ (θ )i = ψ¯ (0).ϕ (0) −
Z θ
Z 0
θ =−1 ξ =0
ψ¯ > (ξ − θ )d ζ (θ )ϕ (ξ )d ξ ,
(26)
where ζ (θ ) = ζ (θ , 0). Thus, A(0) and A∗ (0) are adjoint operators and their eigenvalues are ±ιω0 τ0 . Let q(θ ) = (1, v1 , v2 )> eιω0 τ0 θ and q∗ (s) = P(1, v∗1 , v∗2 )> eιω0 τ0 s be the eigenvectors of A(0) and A∗ (0) at θ = 0 corresponding to eigenvalues ιω0 τ0 and −ιω0 τ0 respectively. A∗ (0)q∗ (s) = −ιω0 τ0 q∗ (s),
A(0)q(θ ) = ιω0 τ0 q(θ ),
which gives for θ = 0
1
a12 δ e−ιω0τ0 1 0 −ιω0 + a11 v1 = 0 , a21 −ιω0 + a22 0 v2 0 a31 a32 −ιω0 − δ e−ιω0 τ0 ιω0 τ0 ιω + a a δ e 0 11 12 = 0 0 0 . v∗1 v∗2 a21 ιω0 + a22 0 a31 a32 ιω0 − δ eιω0 τ0
Thus, we obtain
v1 =
a21 , ιω0 − a22
v2 =
a31 + a32 v1 , ιω0 + δ e−ιω0 τ0
v∗1 = − (ιω0 + a11 + a31 v∗2 ), hq∗ (s), q(θ )i =q¯∗ (0).q(0) −
Z 0Z θ
v∗2 =
δ eιω0 τ0 . −ιω0 + δ eιω0 τ0
(27)
q¯∗> (ξ − θ )d ζ (θ )q(ξ )d ξ ,
−1 ξ =0 ∗ ∗ ¯ ¯ ¯ =P{(1, v1, v2 )(1, v1 , v2 )>
−
Z 0
Z θ
θ =−1 ξ =0
(1, v¯∗1 , v¯∗2 )e−ιω0 τ0 (ξ −θ )d ζ (θ )(1, v1, v2 )> eιω0 τ0 ξ d ξ },
¯ =P{{1 + v1 v¯∗1 + v2 v¯∗2 } − q¯∗> (0) ¯ + v1 v¯∗ + v2 v¯∗ − q¯∗> (0) =P{1 1 2
Z 0
Z 0
Z θ
θ =−1 ξ =0
θ =−1 Z 0
eιω0 τ0 θ d ζ (θ ) d ξ q(0)},
ξ |θξ =0 eιω0 τ0 θ d ζ (θ ) q(0)},
θ eιω0 τ0 θ d ζ (θ ) q(0)}, 0 0 δ ¯ + v1 v¯∗ + v2 v¯∗ + q¯∗> (0)τ0 0 0 0 e−ιω0 τ0 q(0)}, =P{1 1 2 0 0 −δ =P¯ 1 + v1 v¯∗1 + v2 v¯∗2 + τ0 δ v2 (1 + v¯∗2 )e−ιω0 τ0 . ¯ + v1 v¯∗ + v2 v¯∗ − q¯∗> (0) =P{1 1 2
θ =−1
54
Sangeeta Kumari and Ranjit Kumar Upadhyay
From Eq. (26), we obtain hq∗ (s), q(θ )i =P¯ 1 + v1 v¯∗1 + v2 v¯∗2 + τ0 δ v2 (1 + v¯∗2 )e−ιω0τ0 .
We have using normalization condition hq∗ (s), q(θ )i = 1,
−1 P¯ = 1 + v1 v¯∗1 + v2 v¯∗2 + τ0 δ v2 (1 + v¯∗2 )e−ιω0τ0 .
Similarly, hq∗ , qi ¯ = 0 can be proved and obtain the value of q and q∗ . Now we compute the coordinates to interpret the center manifold C0 at µ = 0. Let xt be solution of Eq. (25) at µ = 0. Define z(t) =hq∗ , xt i,
W (t, θ ) =xt (θ ) − z(t)q(θ ) − z¯(t)q( ¯ θ ), =xt (θ ) − 2ℜ{z(t)q(θ )}.
(28) (29)
On the center manifold C0 , we have W (t, θ ) = W (z(t), z¯(t), θ ), where W (z, z¯, θ ) = W20 (θ )
z2 z¯2 z3 +W11 (θ )z¯z +W02 (θ ) +W30 (θ ) + · · · , 2 2 6
(30)
z and z¯ are local coordinates for center manifold C0 in the direction of q∗ and q¯∗ . Here we only consider the real solution xt ∈ C0 of Eq. (25), which gives ∆
z˙(t) =ιω0 τ0 z + q¯∗ (0).F0(z, z¯). Rewrite this equation as follows z˙(t) =ιω0 τ0 z + g(z, z¯),
(31)
where g(z, z¯) = q¯∗ (0).F0 (z, z¯) and expand g(z, z¯) in powers of z and z¯, that is g(z, z¯) = g20
z2 z¯2 z2 z¯ + g11 z¯z + g02 + g21 +··· . 2 2 2
(32)
It follows from Eqs. (28) and (30) xt (θ ) = W (z, z¯, θ ) + 2ℜ{zq(θ )}, =W20 (θ )
z2 z¯2 +W11 (θ )z¯z +W02 (θ ) + (1,v1 ,v2 )> eιω0 τ0 θ z + (1, v¯1 , v¯2 )> e−ιω0 τ0 θ z¯ + ··· . 2 2
55
Exploring the Delayed and Optimally Controlled Dynamics ... Thus z2 z¯2 (1) (1) +W11 (0)z¯z +W02 (0) + · · · , 2 2 2 z¯2 z (2) (2) (2) x2t (0) =v1 z + v¯1 z¯ +W20 (0) +W11 (0)z¯z +W02 (0) + · · · . 2 2 It follows along with Eq. (23) (1)
x1t (0) =z + z¯ +W20 (0)
g(z, z¯) = q¯∗ (0).F0(z, z¯) = q¯∗ (0).F(0, xt ), β x1t (0)x2t (0) ¯∗ β x1t (0)x2t (0) r 2 ¯ = τ0 P − x1t (0) − + v1 , K 1 + ax2t (0) 1 + ax2t (0) r β x1t (0)x2t (0) = τ0 P¯ − x21t (0) + (v¯∗1 − 1) , K 1 + ax2t (0) r 2r 2 ∗ ∗ ¯ ¯ ¯ = τ0 P − + β v1 (v1 − 1) z + − + β (v1 + v¯1 )(v1 − 1) z¯z K K r 2 1 1 r + − + β v¯1 (v¯∗1 − 1) z¯ + −(2W11 +W20 ) + β (v¯∗1 − 1) K K 1 1 2 1 2 −av1 (v1 + v¯1 ) + v1 W11 +W11 + (v¯1W20 +W20 ) z2 z¯ . 2 We obtain the following expressions of g20 , g11 , g02 and g21 by following the steps of Hassard et al. [40] r g20 =2τ0 P¯ − + β v1 (v¯∗1 − 1) , K 2r ∗ g11 =τ0 P¯ − + β (v1 + v¯1 )(v¯1 − 1) , K r g02 =2τ0 P¯ − + β v¯1 (v¯∗1 − 1) , (33) K 1 1 r g21 =2τ0 P¯ −(2W11 +W20 ) + β (v¯∗1 − 1)(−av1 (v1 + v¯1 ) K 1 1 2 1 2 +v1W11 +W11 + (v¯1W20 +W20 )) , 2 with
ι g20 ι g¯02 q(θ ) + q( ¯ θ ) + E1 e2ιω0 τ0 θ , ω0 τ0 3ω0 τ0 ι g11 ι g¯11 W11 (θ ) = − q(θ ) + q( ¯ θ ) + E2 , ω0 τ0 ω0 τ0
W20 (θ ) =
(34)
56
Sangeeta Kumari and Ranjit Kumar Upadhyay (1)
(2)
(3)
(1)
(2)
(3)
where E1 = (E1 , E1 , E1 )> and E2 = (E2 , E2 , E2 )> ∈ R3 are constant vectors and given as follows. r − − β v1 −a12 −δ e−2ιω0 τ0 K 2 (1) , E1 = β v1 2ιω0 − a22 0 A˜ −2ιω0 τ0 0 −a32 2ιω0 + δ e 2ιω0 − a11 − r − β v1 −δ e−2ιω0 τ0 K 2 (2) , E1 = −a21 β v1 0 A˜ −2ιω0 τ0 −a31 0 2ιω0 + δ e 2ιω0 − a11 −a12 − Kr − β v1 2 (3) E1 = −a21 2ιω0 − a22 β v1 , A˜ −a31 −a32 0 −2ιω0 τ0 2ιω0 − a11 −a − δ e 12 . ˜ A = −a21 2ιω0 − a22 0 ιω τ −2 −a31 0 0 −a32 2ιω0 + δ e r − − β ℜ{v1 } a12 δ K 2 (1) E2 = − β ℜ{v1 } a22 0 , ˜ B 0 a32 −δ a11 − r − β ℜ{v1 } δ K 2 (2) E2 = − a21 β ℜ{v1 } 0 , ˜ B a31 0 −δ a11 a12 − r − β ℜ{v1 } a11 a12 δ K 2 (3) E2 = − a21 a22 β ℜ{v1 } , B˜ = − a21 a22 0 . B˜ a31 a32 −δ a31 a32 0 So far, W20(θ ) and W11 (θ ) have been expressed by the parameters of system (12). Therefore, g21 given in Eq. (33) can be expressed explicitly. Thus, we can compute the following results: ι |g02 |2 g21 2 c1 (0) = g20 g11 − 2|g11 | − + , 2ω0 τ0 3 2 ℜ{c1 (0)} µ1 = − , 0 ℜ{λ (τ0 )} β1 =2ℜ{c1 (0)}, 0
ℑ{c1 (0)} + µ1 ℑ{λ (τ0 )} T1 = − , ω0 τ0
Exploring the Delayed and Optimally Controlled Dynamics ...
57
which decides the bifurcating periodic solution’s dynamics at critical value τ0 in center manifold. These symbols µ1 , β1 and T1 defines direction, stability and period of bifurcating periodic solutions respectively. If µ1 > 0(< 0), then Hopf bifurcation is supercritical (subcritical) and bifurcating periodic solutions exist for τ > τ0 (τ < τ0 ). The bifurcating periodic solutions are stable (unstable) if β1 < 0 (β1 > 0) and period increases (decreases) if T1 > 0 (T1 < 0).
Numerical Simulations of Delay System We aim to support analytical results and study the dynamical behavior of the delay system (12). System is integrated using MATLAB built in function ‘dde23’. The following set of parameter values is considered throughout the simulation. r = 4, K = 100, β = 0.9, a = 0.5, η = 0.5, δ = 0.5, α = 0.3, γ = 0.9, µ = 0.7. (35)
A critical point of time delay is obtained at τ0 = 3.89483 for the system (12) such that the system is stable when τ < τ0 and becomes unstable when τ > τ0 . In figure 5, system dynamics is investigated for different values of τ . Initially, the system is stable at τ = 3 < τ0 = 3.89483 (c.f. figure 5(a)) and as it crosses its critical value, it exhibits limit cycle behaviour and thus unstable at τ = 4 > τ0 = 3.89483 (c.f. figure 5(b)). Hence, we conclude that large delay destabilizes the entire network. The bifurcation diagram is plotted in figure 5(c), clearly shows that the bifurcation point is τ0 = 3.89483, which verifies our analytical result. At the malware-induced point E ∗ (55.779, 140.949,56.4456), Eq. (19) has one positive root ω = 0.411358 and the system bifurcates for the critical delay τ0 = 3.89483. Now, we have c1 (0) = 0.143548 − 0.344523ι , µ1 = −2.95567, β1 = 0.287097, T1 = 0.0728961 at given parameter values. Thus, we conclude that the bifurcation is subcritical at τ0 = 3.89483 as µ1 < 0, and bifurcating periodic solution is forward, unstable and increasing, which is presented in figure 5(c). Since the recovery rate δ plays a crucial role in the malware spreading, thus we discuss outcomes for different values of the recovery rates. At γ = 0, the system stability region extended, as shown in figure 6(a). For the value of τ = 4.5 at γ = 0, the system exhibits stable dynamics (c.f. figure 6(a)) whereas, at τ = 5.5, the system shows unstable behavior in figure 6(b). Hence, we conclude that as the maximum recovery of the infected node increases, the stability region also increases.
58
Sangeeta Kumari and Ranjit Kumar Upadhyay τ=3 200
τ=4 S
I
200
R
Nodes
Nodes
150 100
I
R
100 50
50 0 0
S
150
0 100
200 300 Time
400
−50 0
500
100
200 300 Time
(a)
400
500
(b) 200 150
Nodes
100 50 0 −50 −100 3.4
3.6
3.8
τ
4
4.2
4.4
(c)
Figure 5. Effect of τ on the dynamics of delay system (12). Bifurcation diagram is presented in (c) for all the nodes (S-*, I-o, R-+) with respect to time delay. Values of other parameters are same as mentioned in Eq. (35). γ =0, τ = 4.5 600
S
γ =0, τ = 5.5 I
800
R
500 Nodes
Nodes
I
R
600
400 300 200
400 200 0
100 0 0
S
100
200 300 Time
(a)
400
500
−200 0
100
200 300 Time
400
500
(b)
Figure 6. Effect of time delay on the system dynamics at γ = 0. Values of other parameters are same as mentioned in Eq. (35).
Exploring the Delayed and Optimally Controlled Dynamics ...
59
C ONCLUSION An e-epidemic delay SIRS model is proposed using a modified saturated incidence rate and sigmoid type recovery rate in a computer network. Existence of equilibrium points and their stability are calculated for the temporal and delay systems, and also Hopf bifurcation analysis has been performed under specific criteria for the delay system. Stability and direction of Hopf bifurcation are analyzed. Our main results are summarized as: • Threshold condition is defined with the help of basic reproduction number, which confirms the extinction and persistence of the malware in the network. When basic reproduction number is less than unity, system is robust against possible worm attacks as the infected node vanishes. Whereas at R0 > 1, infected node persists in the system and hence, there is a chance of malware attack. • The infected data transmission or malware proliferation can be controlled when the system stabilizes and out of control when the system shows periodic behavior. • The effect of optimal control measures are discussed. Appropriate use of control measures help in minimize the density of infected node or malware transmission to a significant amount and maximize the stability region as well. • Significant delay destabilizes the system, and therefore Hopf bifurcation occurs. the data transmission rate β shows a vital role in the infected data or malware eradication from the entire network. The outcomes of the present study are applicable in infected data or malware eradication and its spreading prediction in the network. These points are worth important for regular communications between the nodes, security, and robust operation of the computer networks. We conclude that the optimal control and time delay are the most effective parameters for the network systems. Above results give an idea about when and where countermeasures should be used for prevention, control, and elimination of malware proliferation in computer networks.
60
Sangeeta Kumari and Ranjit Kumar Upadhyay
R EFERENCES [1] Wu, L., H.-K. Lam, Y. Zhao, and Z. Shu (2015). Time-delay systems and their applications in engineering 2014. Mathematical Problems in Engineering 2015. [2] Zong, G., W. X. Zheng, L. Wu, and Y. Yi (2013). New developments in time-delay systems and its applications in engineering. Mathematical Problems in Engineering 2013. [3] Upadhyay, R. K. and S. Kumari (2018b). Detecting malicious chaotic signals in wireless sensor network. Physica A: Statistical Mechanics and its Applications 492, 1129–1152. [4] Upadhyay, R. K. and S. Kumari (2019). Discrete and data packet delays as determinants of switching stability in wireless sensor networks. Applied Mathematical Modelling 72, 513–536. [5] Dubey, P., B. Dubey, and U. S. Dubey (2016). An SIR model with nonlinear incidence rate and Holling type III treatment rate. In Applied Analysis in Biological and Physical Sciences, pp. 63–81. Springer. [6] Hu, Z., S. Liu, and H. Wang (2008). Backward bifurcation of an epidemic model with standard incidence rate and treatment rate. Nonlinear Analysis: Real World Applications 9(5), 2302–2312. [7] Wang, W. (2006). Backward bifurcation of an epidemic model with treatment. Mathematical biosciences 201(1-2), 58–71. [8] Wang, W. and S. Ruan (2004). Bifurcations in an epidemic model with constant removal rate of the infectives. Journal of Mathematical Analysis and Applications 291(2), 775–793. [9] Zhou, L. and M. Fan (2012). Dynamics of an SIR epidemic model with limited medical resources revisited. Nonlinear Analysis: Real World Applications 13(1), 312–324. ´ G. P´erez (2019). Dynamics of a time-delayed SIR [10] Avila-Vales, E. and A. epidemic model with logistic growth and saturated treatment. Chaos, Solitons & Fractals 127, 55–69.
Exploring the Delayed and Optimally Controlled Dynamics ...
61
´ G., E. Avila-Vales, and G. E. Garc´ıa-Almeida (2019). Bifurca[11] P´erez, A. tion analysis of an SIR model with logistic growth, nonlinear incidence, and saturated treatment. Complexity 2019. [12] Cui, Q., Z. Qiu, W. Liu, and Z. Hu (2017). Complex dynamics of an SIR epidemic model with nonlinear saturate incidence and recovery rate. Entropy 19(7), 305. [13] Upadhyay, R. K., S. Kumari, and A. Misra (2017). Modeling the virus dynamics in computer network with SVEIR model and nonlinear incident rate. Journal of Applied Mathematics and Computing 54(1-2), 485–509. [14] Zhu, H., S. A. Campbell, and G. S. Wolkowicz (2003). Bifurcation analysis of a predator-prey system with nonmonotonic functional response. SIAM Journal on Applied Mathematics 63(2), 636–682. [15] Pang, J., J.-a. Cui, and J. Hui (2011). Rich dynamics of epidemic model with sub-optimal immunity and nonlinear recovery rate. Mathematical and Computer Modelling 54(1-2), 440–448. [16] Upadhyay, R. K. and S. Kumari (2018a). Bifurcation analysis of an eepidemic model in wireless sensor network. International Journal of Computer Mathematics 95(9), 1775–1805. [17] Liu, Q., M. Sun, and T. Li (2017). Analysis of an SIRS epidemic model with time delay on heterogeneous network. Advances in Difference Equations 2017(1), 309. [18] Mishra, B. K., K. Haldar, and D. N. Sinha (2016). Impact of information based classification on network epidemics. Scientific reports 6, 28289. [19] Ren, J. and Y. Xu (2018). A compartmental model to explore the interplay between virus epidemics and honeynet potency. Applied Mathematical Modelling 59, 86–99. [20] Yao, Y., C. Sheng, Q. Fu, H. Liu, and D. Wang (2019). A propagation model with defensive measures for PLC-PC worms in industrial networks. Applied Mathematical Modelling 69, 696–713. [21] Gan, C. (2016). Modeling and analysis of the effect of network eigenvalue on viral spread. Nonlinear Dynamics 84(3), 1727–1733.
62
Sangeeta Kumari and Ranjit Kumar Upadhyay
[22] Zhang, C., J. Peng, and J. Xiao (2019). An advanced persistent distributed denial-of-service attacked dynamical model on networks. Discrete Dynamics in Nature and Society 2019. [23] Zhu, L. and H. Zhao (2015). Dynamical analysis and optimal control for a malware propagation model in an information network. Neurocomputing 149, 1370–1386. [24] Zhu, L., H. Zhao, and X. Wang (2015). Stability and bifurcation analysis in a delayed reaction–diffusion malware propagation model. Computers & Mathematics with Applications 69(8), 852–875. [25] Kumari, S., P. Singh, and R. K. Upadhyay (2019). Virus dynamics of a distributed attack on a targeted network: Effect of firewall and optimal control. Communications in Nonlinear Science and Numerical Simulation 73, 74–91. [26] Lenhart, S. and J. T. Workman (2007). Optimal control applied to biological models. CRC Press. [27] Rodrigues, H. S., M. T. T. Monteiro, and D. F. Torres (2014). Optimal control and numerical software: An overview. arXiv preprint arXiv:1401.7279. [28] Yang, L.-X., P. Li, Y. Zhang, X. Yang, Y. Xiang, and W. Zhou (2018). Effective repair strategy against advanced persistent threat: A differential game approach. IEEE Transactions on Information Forensics and Security 14(7), 1713–1728. [29] Zhang, J.-Z., Z. Jin, Q.-X. Liu, and Z.-Y. Zhang (2008). Analysis of a delayed SIR model with nonlinear incidence rate. Discrete Dynamics in Nature and Society 2008. [30] Li, X.-Z., W.-S. Li, and M. Ghosh (2009). Stability and bifurcation of an SIR epidemic model with nonlinear incidence and treatment. Applied Mathematics and Computation 210(1), 141–150. [31] Zhang, Z., Y. Chu, S. Kumari, and R. K. Upadhyay (2019). Delay dynamics of worm propagation model with non-linear incidence rates in wireless sensor network. Journal of Zhejiang University (Science Edition) 46(2), 168–186.
Exploring the Delayed and Optimally Controlled Dynamics ...
63
[32] Diekmann, O., J. A. P. Heesterbeek, and J. A. Metz (1990). On the definition and the computation of the basic reproduction ratio R0 in models for infectious diseases in heterogeneous populations. Journal of mathematical biology 28(4), 365–382. [33] Van den Driessche, P. and J. Watmough (2002). Reproduction numbers and sub-threshold endemic equilibria for compartmental models of disease transmission. Mathematical biosciences 180(1-2), 29–48. [34] Abate, A., M. Chen, Y. Wang, A. Zakhor, and S. Sastry (2013). Design and analysis of a flow control scheme over wireless networks. International Journal of Robust and Nonlinear Control 23(2), 208–228. [35] LaSalle, J. P. (1976). The Stability of Dynamical Systems, Volume 25. SIAM. [36] Pontryagin, L. S. (1987). Mathematical theory of optimal processes. Routledge. [37] Lashari, A. A. and G. Zaman (2012). Optimal control of a vector borne disease with horizontal transmission. Nonlinear Analysis: Real World Applications 13(1), 203–212. [38] Birkhoff, G. (1973). Current trends in algebra. The American Mathematical Monthly 80(7), 760–782. [39] Lukes, D. L. (1982). Differential equations: Classical to controlled. Elsevier. [40] Hassard, B. D., D. Hassard, N. D. Kazarinoff, Y.-H. Wan, and Y. W. Wan (1981). Theory and applications of Hopf bifurcation, Volume 41. CUP Archive.
In: Understanding Cyber Threats and Attacks ISBN: 978-1-53618-336-8 Editors: B. Mishra and J. Piqueira © 2020 Nova Science Publishers, Inc.
Chapter 3
CYBER THREATS AND ATTACKS IN SMART ENERGY NETWORKS Zoya Pourmirza* and Sara Walker School of Engineering, Newcastle University, Newcastle, UK
ABSTRACT Smart energy systems are interconnected heterogeneous and multi layered systems that are coupled together with other critical infrastructures such as transport and cyber infrastructure. Due to increased use of information and communication technology and integration of energy system with cyber infrastructures, understanding and protecting against Cyber-Attacks are of paramount importance. In the modern energy system,a secure system not only refers to ensuring the security of supply, but also it refers to defending against Cyber-Attacks such as data integrity attack,and protecting against cyber incidents such as cascading failure and failures of smart meters and other connected devices. The energy systems are generally more resilient against noncyber related incidents and are able to recover quickly without the incident being realised by end users. However, there have been fewer investigations on cyber related incidents and attacks which can * Corresponding Author’s Email: [email protected].
66
Zoya Pourmirza and Sara Walker compromise the availability and security of the energy system and have significant impact on the energy network, energy providers, and energy consumers, and other dependent networks. In this chapter we discuss cyber security goals related to smart energy systems and identify the potential cyber threats and vulnerabilities of thissystem. We discuss the sources, targets and types of cyber threats, includingsecurity holes in the existing communication infrastructure (e.g., SCADA and AMI system), threats to the energy system control signals andnetwork status data at each layer of energy system. The incentives and impacts of the CyberAttack/incident are identified and mitigation techniques to reduce the negative impacts of such events are proposed. Finally, three main energy network blackouts, which were caused by either Cyber-Attackor failure of cyber components,are explored.
Keywords: smart energy system, cyber security, cyber interdependency, availability, integrity, confidentiality, SCADA, AMI
1. INTRODUCTION Understanding cyber-threats and attacks in energy systems are of paramount importance. According to the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) the energy sector has the highest proportion of reported cyber incidents, amongst all infrastructure sectors (ICS-CERT 2012). Figure 1 demonstrates the outcome of this invetigation. Energy security is at the core of national, economic, and environmental security, since a cyber-attack on the energy sector could lead to failure of one or more energy networks and collapse of other dependent systems. Energy systems are going through a transition period, becoming smarter and greener to meet the UN’s Intergovernmental Panel on Climate Change (IPCC) goal to maintain the global temperature increase below 2°C. To achieve this target, energy networks need to evolve, with Information Communication Technologies (ICT) and integration of a number of different energy vectors playing key roles in that evolution. This future smart integrated energy system faces new challenges; one such challenge is to understand cyber-threats and potential attacks in energy systems.
Cyber Threats and Attacks in Smart Energy Networks
67
In this chapter we will discuss what smart energy systems are, and why cyber-security in these systems is critical. We will explore how a smart energy system could become less cyber-secure than traditional energy systems. We will discuss key vulnerabilities, and we will investigate cyberthreats and potential attacks for these elements. Firstly, smart energy networks are built upon existing power grid communication protocols with a number of known vulnerabilities. Secondly, the frequency or severity of cyber-attacks may increase as smart technology deployment in the energy system increases, due to the coupling of new communication networks to the energy system. These coupled systems introduce additional access points for infiltrators. The cyber-security mitigation techniques which are currently available focuson securing the network and associated economic environment. However, these mitigation techniques may not be appropriate for a future smart energy network with real-time monitoring, data acquisition and controllers. We will show that defending against energy system cyberattacks requires precise understanding of the energy system structure, identifying and assessing who can attack, evaluating attack impacts, understanding which security mechanisms to deploy, and managing attacks when they occur. These solutions should align with policy and national security objectives, and provide balance between security, affordability, and business needs.
Figure 1. Incidents report per sector published by ICS CERT (ICS-CERT 2012).
68
Zoya Pourmirza and Sara Walker
Finally in this chapter we will analyse a number of cyber-attacks that have been reported, in which legacy energy systems were compromised, including energy systemblackouts in Italy, Ukraine, and the USA.
2. SMART ENERGY SYSTEMS Energy systems across the globe are experiencing a period of significant change. Drivers of change are generally categorized as decarbonisation, digitalization, deregulation and decentralization. Decarbonisation policy is driven globally by the Intergovernmental Panel on Climate Change (IPCC). To limit global temperature change to no more than 2ºC, we need to rapidly move towards energy systems with net zero greenhouse gas emissions. For electricity systems, this can be achieved through greater use of generation technologies such as wind, solar, hydro, biomass and geothermal, as well as nuclear energy. Decarbonisation of heat is putting pressure on existing gas systems to consider biogas and hydrogen alternatives. Some policy discussions propose electrification of heating load alongside decarbonisation of the electricity system. Some countries already have district heating schemes, which may enable decarbonisation of heating. Decarbonisation of transport is also a complex problem, with solutions for the majority of private car transportation to move to electric vehicles, alongside use of fuel cells and hydrogen for other modes. Essentially, to deliver decarbonisation across different energy end uses, it is expected that a greater number of end uses will shift to low carbon electricity. Increased demand for electricity, combinedwith an increase in the number of intermittent generation units, creates complex supply-demand balancing issues for the system. Distributed generation and storage, in a decentralized energy system, area possible approach to the decarbonisation driver (Patsios et al. 2016, Crossland et al. 2018), and therefore decentralization and decarbonisation are closely linked. For some areas of the globe, decentralization is the most
Cyber Threats and Attacks in Smart Energy Networks
69
cost effective way of enabling remote communities to have access to clean affordable energy (Sustainable Development Goal 7). Storage is seen as a technology which can assist with the complex supply-demand balancing issue (Kianmehr et al. 2019). Furthermore, electric vehicles can play a role as storage connected to energy systems (Jenkins et al. 2017). Increased integrated operation of gas and electricity networks, including storage in both systems, can assist both networks in achieving flexibility and reliability in the face of significant change (Hosseini, Allahham, and Taylor 2018). For example, due to the intermittent nature of some renewable energy technologies, the electricity system may benefit from the storage capacity in gas network linepack in order to manage supply-demand matching (Wilson and Rowley 2019). Historically, utilities often developed as Government-owned and regulated sectors. However, in order to inject investment from the private sector into energy systems, many countries have deregulated their energy systems and opened up energy markets to competition. For example, the European gas and electricity markets were liberalized and deregulated over a period from 1996 to 2009 (European Parliament 2016). In liberalized sectors, Government policy can be difficult to deliver, since the agents of delivery are private companies. However, policy financial mechanisms can be used to drive engagement of private providers, as can regulation through license obligations, for example. In order to enable an energy system to be reliable and flexible, realtime data is needed. That data, provided through a two way digital communication architecture, enables automation of control for the energy system through use of extensive data about the status of numerous energy system components (Pourmirza and Brooke 2013). Digitalisation of energy systems therefore enables system operators to consider co-ordinated and optimal strategies for control, operation and future planning of energy systems (Ma et al. 2018). Methods for handling large data sets and control decisions, for multi-vector energy systems, are still developing (O’Dwyer et al. 2019, Sarantakos et al. 2019, Yi et al. 2019, Etim et al. 2019).
70
Zoya Pourmirza and Sara Walker
3. CYBER-SECURITY CONCERNS FOR SMART ENERGY SYSTEMS One main difference between cyber threats to smart energy systems and conventional ICT system is that cyber-security in the former system is not only about protecting cyber assets, but also about protecting the cyber and physical assets and critical infrastructure. In such cases, having access to the control devices and data warehouses remotely over a communication channel may cause a number of different threats to both cyber and physical assets and critical infrastructure of the energy system. Additionally, having logical and physical access to metering devices, such as smart meters, is another potential threat to the system. Furthermore, revealing the daily routines of such energy systems would be a threat. For example attackers can:
check the pattern of energy usage draw conclusions on how many occupants there are in a building understand who is not in the buildingfor an extended period (e.g., at holiday) identify what occupants are doing know if occupants are working from the office or their home
3.1. Cyber Vulnerabilities and Impacts on energy Grids The smart energy system that couples the communication networks to the legacy grid introduces additional cyber risks and vulnerabilities, which can seriously affect the energy systems in terms of operation and reliability. In energy systems some of these security vulnerabilities can be exploited in parallel. This is particularly worrying as the physical dimension of energy systems is prone to cascading effect in case of targeted failures. Some of the critical vulnerabilities of smart energy system have been identified as:
Cyber Threats and Attacks in Smart Energy Networks
71
Physical vulnerabilities Platform vulnerabilities Policy vulnerabilities Interdependency vulnerabilities Information and Communication vulnerabilities
These are discussed below in further detail: Physical vulnerabilities: refers to issues such as ease of access to physical devices (e.g., smart metering device), and when the physical components of energy system are being affected by environmental incidents, such as flooding, earthquake, and lightning. Platform vulnerabilities: refers to the known security problems of the cyber infrastructure in the smart energy systems,covering connected devices, computing resources, and the backend network of the energy system. As an example, the attacker can exploit the vulnerability of the system and initiate an attack on the system, when an operating system patch is not installed. Also, an adversary can exploit the vulnerability of the system when the vulnerable application does not have an intrusion detection system or firewall. An example of attacks that compromise the energy system by exploiting platform vulnerability is Denial of Service (DoS) and buffer overflow (Zubair and Abdurraoof 2013). Policy vulnerabilities: refers to weak policies that are set for the system by an accountable staff such as security managers. For example if the system is compromised by an adversary due to a weak password, then thepolicy administrator is responsible for such an attack. Therefore, it is important to define a strong security policy to safeguard the energy system against policy vulnerabilities (Zubair and Abdurraoof 2013). Interdependency vulnerabilities: refers to highly dependent systems that provide services to other infrastructures and receive services from other infrastructures, such as the bidirectional relation between energy systems and communication networks. These interdependencies could be physical, logical, geographical and cyber. Although the interdependent systems offer benefit to one another, at the same time they pose threats to
72
Zoya Pourmirza and Sara Walker
the other dependent infrastructures. We will discuss interdependency vulnerability in the next section. Information and Communication (ICT) vulnerabilities: refers to security threats which are posed by cyber infrastructureand connected devices, such as smart meters, routers, and switches. For example,malconfiguration of such devices, flooding the communication network with messages (e.g., Denial of Service attack), and modifyingthe source or destination of IP packets are examples of serious concernsfor the system. Adversaries might attack the energy system based on different problems or vulnerabilities in ICT system, such as:
Homogeneity: when all the devices in the system use the same Operating System (OS) this system is a homogeneous system, and so if an adversary breaks that OS, he/she would be able to break other devices with the same OS. Therefore, the recommendation is to have multiple systems, with multiple OS. Unconfirmed code: When there is a human being involved in a system, regardless of the security technology implemented in the system, the system is vulnerable. This is because the human being can be the source of threats intentionally or unintentionally. He/She can carry portable storage devices such as a CD, floppy disk, or memory stick with sensitive information. Some of the networks used in energy systems are closed network and they are not connected to the internet. However, they are vulnerable to unconfirmed code, since a human can access these closed networks. Over-privileged user: when staff have a very high privilege status and are able to access critical information, or are able to modify the internal structure of the system, this is potentially another vulnerability of the energy systems. Insecure implementation: when the sophisticated security protocols are available and have been implemented in the system, but they are not implemented carefully, the system is vulnerable to insecure implementation. As an example, when the encryption
Cyber Threats and Attacks in Smart Energy Networks
73
keys of security protocols are not secured appropriately, and other staff might be aware of the location of the keys (e.g., on a disk). Threats and vulnerabilities identified in this chapter are not fixed and evolve continuously, therefore security solutions must evolve similarly to address these changes. However, the full extent of the impacts of such vulnerabilities that lead to cyber-attacks on energy systems is hard to grasp due to their highly complex and interdisciplinary nature, and the interdependencies between energy systems and a fast-changing ICT landscape. However, any attack on the ICT of the energy system will, therefore, have negative impacts of varying severity on energy system operation. Such attacks are usually undertaken to
Mislead the operation and control of the utility provider Manipulate the market and misguide the billing systems Compete with other utility service providers Ransome the utility service providers Disturb balance between demand and supply Carry out terrorist activities to damage local and/or national power infrastructure Convey mistrust between people and government Increase or decrease the cost of energy consumption and energy distribution
Later in this chapter we will review the three most significant cyberattack/incidents that have happened and discuss their impact on the energy systems.
3.2. Cyber-Interdependency Critical infrastructures that provide services to other infrastructures and receive services from another infrastructures are highly interdependent. These interdependencies could be physical, logical,
74
Zoya Pourmirza and Sara Walker
geographical and cyber. Cyber interdependency happens when the correct operation of a physical infrastructure such as energy and transport infrastructure depend on the information in transit within the Information and Communication Technology (ICT) infrastructure. The ICT infrastructure is the backbone of the modern smart energy system, that is responsible to deliver data and control signals in twodirections. However, this cyber-interdependencycould provide bothopportunities and risks to the whole system due to their reliance on external services. An example of cyber-dependent infrastructure failure is the shut-down of a power station in Italy in2003 which led to failure of acommunication node, causing a cascading failure in the system and finally led to further shut down of power stations (Buldyrev et al. 2010). We will discuss the Italy power grid shut down in more detail, later in this chapter. Smart energy systems are interdependent systems with bidirectional interactions. These are complex systems with a number of layers integrating together as a whole system. Data dependency at each layer has different implications on the operation of the whole system. The criticality of data depends on the direction of data transmission, the source and destination of data, and the purpose for data transmission in each layer. Data collected from the energy systemis either load data or status data, providing information about the status of the energy system which is sent to the advanced managementsystem. If data is generated at the advanced management system (for example control data) then it is regarded as critical data, and their availability is important for overall operation of the system. However, the criticality of control data varies according to their source and destination. For example critical data carries signals to switch loads on different lines or increase generation capacity. However, non-critical data are those that are sent to consumers to manage load based on a demand-response management system. This signal is a request (not an instruction) and there is no obligation to comply withit, therefore it is considered as non-critical data (Ebrahimy and Pourmirza 2017). Here we will analyse different layer of data dependency in smart energy systems. The first layer of data dependency inenergy systems is
Cyber Threats and Attacks in Smart Energy Networks
75
between residential or commercialenergy users and local control centres, where information about consumer usage is sent to local or central centres for processing. Two way communication at this layer implies that operator can also send signals to consumers to suggest load reduction or limit user access to services. Overall, the availability of data at this level helps demand-response and provide economic benefit tothe users, while unavailability of data at this level is tolerable by the system, as it is not critical for operation (Ebrahimy and Pourmirza 2017). The second layer of data dependency in energy system is between transmission substation, distribution substation, loadserving entity and energy management system (EMS). The EMS receives data from Remote Telemetry Unit (RTU), programable logic Unit (PLC), and smart relays that transmit data about load and status of the system. This information are fed into estate estimator to analyse optimal power flow and contingencyplan and detect bad and false data received to run the optimal power system. The information at this layer has direct impacton the system reaction, in terms of whether to increase/decrease capacity, switch the load or disconnect a node from the grid. Therefore, availability of data at this layer is critical for the correct operation of the system (Ebrahimy and Pourmirza 2017). The third layer of data dependency in energy system is regarding the data created in other dependent critical infrastructures, that can directly influence the energy system operation. For example weather data could be used to anticipate energy demand. The data travel in this layer is not critical data, but they are used to provide better monitoring and control the energy system (Ebrahimy and Pourmirza 2017).
4. CYBER-SECURITY CONCERNS FOR COMMUNICATION INFRASTRUCTURE IN SMART ENERGY GRIDS In energy systems, there are a number of different networks that offer communication infrastructure at various levels. These are networks such as SCADA, AMI, and Customer Energy Management System. Each of these
76
Zoya Pourmirza and Sara Walker
networks introduces its own challenges and security concerns for the energy system.
4.1. SCADA (Supervisory Control and Data Acquisition) SCADA (Supervisory Control and Data Acquisition) are intelligent monitoring and control systems that are used in a number of different industries such as oil and gas refining and transportation, telecommunication, water and waste control, and power grids. For example in electricity grids, the SCADA system is used as the intelligent monitoring system which provides the communication infrastructure across the grid from voltage levels 132 kV to 11 kV. (Yang, Barria, and Green 2011) explained the implementation of SCADA via the Distribution Network Operators (DNOs). This system contains a master terminal and many Remote Telemetry Units (RTUs). The RTUs are responsible for gathering network measurements from the devices in the substations, and for transmitting commands to the control devices and the master node. The master node is located at the control centre of the DNO and is in charge of processing and storing the received data. There can be heterogeneous communication channels such as proprietary wireless (often microwave) and fibre optic channels between the RTUs and the master terminal. Although the utility communications are based on proprietary communication systems and have limited, if any, access to the public internet, recently utilities have proposed the use of public information networks along with Virtual Private Networking (VPN) systems to encrypt the communications (Hines, Veneman, and Tivnan 2014). In this system the data is updated every 10 - 20 seconds, a rate that is too slow to provide sufficiently continuous data delivery and real-time applications (Roberts 2004). These SCADA systems are vulnerable to cyber-attacks due to a number of reasons, such as: lack of active network monitoring and traffic monitoring, insufficient reporting capabilities of some connected devices, and weak authentication schemes that enable hackers to access the SCADA system.
Cyber Threats and Attacks in Smart Energy Networks
77
4.2. AMI (Advanced Metering Infrastructure) A second communication infrastructure, that transmits data such as billing data and meter disconnect commands, is called Advanced Metering Infrastructure (AMI), which is an updated version of Automated Meter Reading (AMR). AMI is a combination of smart meters and utilitycustomer communication systems. AMI uses either mesh network or Power Line Carrier (PLC) systems. In the mesh network system, smart meters are connected to each other to transmit data to and from data collectors. In the PLC system, data are transmitted through physical power lines as embedded pulses. Data collectors usually use proprietary fibre optic or broadband wireless systems. There are a number of cyber-security concerns amongst AMI systems, including concerns about their communication network or headend1 security concerns. Since some parts of AMI networks operate on low bandwidth technologies (e.g., WiFi, Zigbee, PLC), while some other parts of AMI network may operate on high bandwidth technologies (particularly where high traffic is expected), this could result in cyber-security concerns in terms of communication throughput2. As an example, transmitting a large volume of certificates to all smart meters may cause throughput concerns, due to AMI network configurations (Cleveland 2008). Another cyber-security concern in AMI systems would be regarding their headend security. Whilst physical damage to AMI headend is not a big concern, as they are usually located in a relatively safe area, cybersecurity issues are still relevant. For example, since AMI headend data need to be accessed by other systems, this can pose a cyber-security concern because security policies and technologies are not coordinated amongst various systems. The SCADA and AMI are not designed in a way to communicate easily. Utilities are now proposing SCADA-like networks for electricity distribution grids, in which these two communication infrastructures can collaborate with less restriction. However, this new 1
AMI headend is responsible to exchanges information between AMI network and the Meter Data Management system. 2 Throughput is the ratio of successful data delivery over a communication channel.
78
Zoya Pourmirza and Sara Walker
layer of coupling between SCADA and AMI introduces a major security concern, as these automation systems are able to control switches with considerable loads (Hines, Veneman, and Tivnan 2014). Additionally, the large volume of different types of data travelling through AMI headend necessitates differentiated security requirements (e.g., security requirements for sensitive meter data is different from air temperature data, and is different from critical data such as data affecting the loads), and no one solution can handle all these differences (Cleveland 2008).
4.3. Customer Energy Management System A Customer Energy Management System is a communication infrastructure that provides communication amongst customer-owned devices and smart meters. These systems are either called Building Management Systems (BMS) when providing services to commercial and industrial customers, or Home Area Networks (HAN) when providing services to residential customers. These systems enable customer-owned devices to communicate with smart meters wirelessly using Zigbee (IEEE Standard 802.15) or WiFi (IEEE Standard 802.11). The security concern at this level of the communication network relates to customer privacy issues and use of public communication systems such as the Internet (Hines, Veneman, and Tivnan 2014).
4.4. Other Communication Infrastructure Furthermore, Smart Energy Systems include additional communication networks that are responsible for financial-related activities. They provide data to enable services such as buying and selling energy contracts, and exchanging the bid and dispatch related information between generator, purchaser, and energy market operator. In general, encrypted Internetbased channels are used to perform this trading. However, these financial
Cyber Threats and Attacks in Smart Energy Networks
79
communication networks are critical to ensure reliable and efficient energy system operation (Hines, Veneman, and Tivnan 2014). The communication networks discussed above use a number of different communication standards and protocols in order to exchange data and services between their players. These communication protocols are such as: IEC 61850-8-1 Goose, IEC 61850-9-2 sampled values, C37.118, MODBUS, DNP3, IRIG-B &1PPS Sync, IEC 6087-5-104, OPC UA Server, TCP/IP, UDP, RS-232, RS-422, RS-485, IEEE 1588. These protocols are widely susceptible to cyber-attacks, such as Man-in-theMiddle (MitM) attack and Denial of Service (DOS) attack, which are additional cyber-security concerns.
5. CYBER-SECURITY REQUIREMENTS NIST (NIST 2010) has identified three main cyber security requirements that are relevant to the energy systems, which are:Confidentiality, Integrity, and Availability.
Integrity: Trusting the information that is flowing. (e.g., Data injection attack). Availability: making sure the information is available in a timely manner. Confidentiality: data is only accessible by authorised user.
In most of the cyber-physical systems confidentiality has the highest priority, then integrity, and finally availability. Protection against cyberattack should be prioritised based on criticality and available resources. Therefore, in the Smart Grid systems, availability and integrity have the highest priority, and finally confidentiality. Availability has the highest importance, because keeping the energy supply is more important than anything else. Integrity is also very important because untrusted information can affect the control decision.
80
Zoya Pourmirza and Sara Walker
5.1. Integrity Thedata integrity requirement for energy systems refers to verifying that data in transit between different devices in the system are trusted, accurate, and have not been manipulated or fabricated. An attack vector that could compromise integrity of the energy system is thefalse data injection attack (Li et al. 2017, Yuan, Li, and Ren 2012, Rawat and Bajracharya 2015). Data integrity attacks can lead to misrepresenting sensor data to trick state estimation systems (Liu, Ning, and Reiter 2009), falsifying the network topologies (Kim and Tong 2013), or triggering controllers to make incorrect decisions which could initiate economic losses and operational issues (Liu and Li 2017). Data integrity can be compromised in a number of ways such as:
Human errors when data is entered Human attack Errors that occur when data is transmitted from one computer to another Software bugs or viruses Hardware malfunctions, such as disk crashes Natural disasters, such as fires and floods
One of the targets for data integrity attack in the energy system is estate estimation, which incorporates contingency techniques such as filtering and/or removing bad data. However, adversariesconstantly develop new techniques to avoid error detection techniquesand inject false data into state estimators. Studies have investigatedvulnerability of state estimation under data tampering attack, in which false data has passed bad data filtration processes and are accepted by the estimator (Liu, Ning, and Reiter 2009, Liu and Li 2017, Kosut et al. 2010). The attack on data integritycandecrease the awareness of component failure and lead to incorrect decision-making.
Cyber Threats and Attacks in Smart Energy Networks
81
The following threats or errors can comprise the data integrity in a communication system of the Smart Grid:
Data Fabrication: If an unauthorized party gains access to the system and inserts false objects into it, this is fabrication and it degrades the authenticity of the system (e.g., add noise to the signals). Data Modification: If an unauthorized party gains access to a system and make some changes to it, then this tampering is known as modification. This modification is an attack on the integrity of the system or the organisation. Interception: This occurs when any unauthorized unit gains access to an asset. This attack means that there is no privacy, therefore it is also an attack on confidentiality too. The unauthorized unit or party could be an individual, a program or even another computer, and can compromise the data integrity.
Thus, ensuring data integrity in the Smart energy system is critical for safety and security of the energy grid for a number of reasons. Data integrity in the energy systems is important both for trusting data in transit and also the control commands, such as avoiding modified, fabricated, and unauthorized command being transmitted over the power grid. This could lead to a serious physical and cyber damages. One of the daunting hacking scenarios for the Smart Grid is when attackers transmit disconnect commands to a huge number of smart meters through cyberspace, acting as legitimate meter management system (Cleveland 2008). The lowest level in the energy system that necessitates data integrity is the smart meters, so these devices must be protected, both cyber-wise and physically,against threats that comprise the data integrity. These devices are prone to physical attack such as being removed/stolen and are also prone to cyber-attack such as exchanging or manipulating data on their chips. Accordingly, we need to identify if any such attack/error has happened, and then take appropriate remedial actions, such as discounting data, ignoring control commands, asking for retransmission, etc.
82
Zoya Pourmirza and Sara Walker
Additionally, home gateway, data concentrators, AMI (Advanced Metering Infrastructure) headend, substation monitoring devices, and other smart energysystem devices also necessitate data integrity. Since, these devices can act as an interface to critical equipment of the energy system, they can be used to impose serious harm to the system. For example, the AMI headend can be used to alter pricing signals, reset meters, request load control actions, or to connect/disconnect loads and distributed generation. Therefore, it is vital to prevent, detect, and rectify even subtle unauthorized changes that have been imposed on both data and control commands either intentionally or unintentionally.
5.2. Availability Availability of the energy systems can be compromised by naturaldisasters, physical and mechanical failures, and also Cyber-Attacks. It is believed that theavailability of the energy sector is so vital in all levels of the society thata cyber-attack on the energy systemscould have catastrophic consequences on safety of individuals andthe operations of the dependent systems (Rasmussen et al. 2017). Even relatively small power failures have knock on effects due to the way our infrastructures are linked. For example, power failure at Clapham Junction, London in April 2015 left over 900 people stranded on trains for up to 5 hours. Availability in the cyber infrastructure of the energy systems refers to making sure the information is available in a timely manner. Although energy providers are well prepared for sudden mechanical failures or physical disturbance which would compromise the availability of the energy system, they are not yet well prepared for situations that affect the availability of cyber infrastructure in the energy system. In traditionalenergy systems, poor availability of meter data was not a significant concern in the system, since utilities estimated meter readings with limited information. In modern smart energy systems, the meter readings carry sensitive information and control signals that are being exchanged between several entities. Thus, availability of datato
Cyber Threats and Attacks in Smart Energy Networks
83
delivercontrol signals and sensitive information is crucial in the smart energy systems (Cameron et al. 2019). Availability of data in the smart energy systems are most evident in Advanced Metering Infrastructure (AMI) and in networks where traffic loads can compromise the availability of the overall energy system. As an example, in an AMI system facilitating the timely movement of data is very important, even if the network is flooded or it is under attack. This is because the cyber infrastructure in suchnetworks are responsible to deliver critical information such as outage alarms andmanage distributed generation, distribution automation or other critical functions that would affect the availability of the energy system (Cleveland 2008).
5.3. Confidentiality A confidentiality attack is an attack in which attackerswould gain unauthorized access to sensitive customer data or measurement data. Thisattack does not necessarily have a physical impact on the energy system, but can lead to a more destructive attack. Confidentiality attackare used to steal access credentials or rights from operators. Mitigating this attack is not an easy task, as it largely targets a human controller, rather than a machine controller. Confidentiality can be secured bytechniques such as authentication mechanisms, role-based access control, and cryptography techniques. An example of a confidentiality attack on energy system is the cyberattack on the Ukrainian power grid, in which a social engineering mechanism called spear-phishing was employed (Lee, Assante, and Conway 2016). This attack strategy was used to steal access credentials to the system, whichenhanced easier installation of remote access tools, and gave control of the system over to the adversary. We will discuss the cyber-attack on Ukrainian power grid in detail later in this chapter.
84
Zoya Pourmirza and Sara Walker
6. CYBER-ATTACK MITIGATION TECHNIQUES FOR SMART ENERGY SYSTEMS A number of standards used to address the cyber-security challenges inenergy systems are: NIST 800-53, IEC 62351, NIST CSF and DoE C2 M2. Although these standards provide a guideline to protect the information system within the energy sector, they have deficiencies with respect to the way to protect the system from the insider threats. To prove these deficiencies, Ebrahim and his team (Ibrahim 2018) has experimented and passed the authentication schemes, role-bases access control, and encryption technologies which are endorsed by these standards, by initiationof an insider attack. It is believed that these standards leave vulnerabilities in the energy system, since their requirements are either too high or too Information Technology (IT) centric, assuming the attackers are outsiders, without inside knowledge and access to the security controls that safeguard the devices installed in energy networks. A number of protection mechanisms that utilities use to safeguard their energy system are: authentication, encryption, anomaly detection, access control, which are believed to be inadequate for energy systems. Also, it should be considered that the existing cyber security practice for the energy system is based on a single problem,such that each individual security problems is investigated separately. However, a holistic approach is required to address the security challeneges of the whole energy systems (Ebrahimy and Pourmirza 2018).
6.1. TCP/IP Protocol Using TCP/IP protocol for data transmission in energy systems could help mitigate the cyber-threats. TCP/IP protocol provides services such as Internet Protocol Security (IPsec) and Transport Layer Security (TLS). IPsec can authenticate and encrypt data packages. IPsec can be used in VPN and encrypted tunnels between end-users and router and firewalls.
Cyber Threats and Attacks in Smart Energy Networks
85
TLS is designed to deliver privacy and data integrity by using end-to-end encryption and authentication. However, TCP/IP does not securethe network against an insider adversary who has the TLS credentials (Ibrahim 2018).
6.2. Blockchain Technology Another protection system that has been introduced is the use of blockchain technology that could mitigate the implications of cyber-attack in energy systems. Blockchain is designed to remove the need of a third party in transactions to provide peer-to-peer (P2P) energy payments (Mustafa, Cleemput, and Abidin 2016). Blockchain has originally been designed to tackle financial issues. Researchers (Liang et al. 2019) have proposed a blockchain based data protectionthat eliminates the possibility of attack implications on energy systems. They proposed to use the distributed security featuresof blockchain technology to improve the selfdefensive capabilitiesof the energy systems against cyber-attacks.
6.3. Self-Organising Architecture Use of Self-Organising Architecture (SOA) has also been introduced to mitigate the Denial of Service (DoS) Cyber-Attackon energy systems (Cameron et al. 2019). Figure 2 demonstrates SOA as a potential solution to mitigate the DoS attack on the network layer of the internet protocol stack (also called TCP/IP protocol stack). Such an attack can compromise the availability of the energy system, leading to control degradation and total control loss. It has been concluded that SOA can decrease the burden at the control layer, which would prevent control degradation experienced by the static architecture.
86
Zoya Pourmirza and Sara Walker
Figure 2. The global view of cyber-attacks in order of priority, focusing on availability (Cameron et al. 2019).
6.4. Security Control Suggested by the National Institute of Standard and Technology The National Institute of Standards and Technology (NIST) introduced a number of security controls that can be implemented in the energy system to mitigate the impact of cyber threats or cyber incidents. A subset of NIST security control are: isolating control systems;logging and continuously monitoring control systems; patching, updating and maintaining secure systems;contingency planning;after action reporting;ensuring physical security; and ensuring complex passwordspolicy (Whitehead et al. 2017). These are discussed further below. In order to isolate the control system, it is recommended to avoid connecting the control system to the internet, to locate control system networks and devices behind firewalls, andto use Virtual Private Network (VPN) as a secure method of connection, if remote access to the control centre is required. Additionally, logging and continuously monitoring control systems to detect intruders and infections can be used to mitigate cyber-threats. It is important to monitor all the network segments, since different network segments demonstrate different results, and by combining results of all
Cyber Threats and Attacks in Smart Energy Networks
87
segments, we may identify problems which were not demonstrated in a single network segment. In order to inform the system operator about the status of the networkand provide analysis capabilities, a number of techniques can be used such as: intrusion detection systems (IDS), intrusion prevention systems (IPS), network access control (NAC), and alarming system which can be triggered when the normal condition of the network deviates beyond defined threshold points (Pourmirza and Brooke 2013, Pourmirza and Brooke 2014). It has also been suggested to perform patches and update software and firmware every month. Another technique to mitigate the cyber threats is to have a contingency plan. Accordingly, once the cyber-attack/incidents (e.g., equipment failure) happens, there should be a recovery plan designed to quickly restore the system. Preparing the action report after the incident, to discuss why an incident occurred, analyse the event, and learn from theevent is another technique to mitigate further similar incidents. Finally, securing physical aspects of control system, as well as securing the system against electronic penetration of insiders or outsiders, using complex and random passwords, and having a frequent password rotation plan,are some techniques that could potentially protect the energy system from adversaries (Whitehead et al. 2017).
7. REAL WORLD CYBER-ATTACKS AND INCIDENTS ON ENERGY SYSTEMS In this section we will analyse three real world cyber incident and cyber-attacks that have been reported, in which legacy energy systems are compromised. These cyber complications on energy systems include: the blackout in Italy in 2003, the cyber-attacks on the Ukrainian power-grid in 2015, and the cyber-attack on US gas pipelines in 2018.
88
Zoya Pourmirza and Sara Walker
7.1. Blackout in Italy As discussed earlierin this chapter, energy systems are interdependent networks, where the failure of a node or fraction of nodes in a network may result in the failure of dependent nodes in another dependent network, which would lead to a cascading failure. A real-world example of a cyber incident on the energy system which was caused by a cascading failure is the blackout in Italy on 28th September 2003. In this incident the shutdown of power stations directly led to the failure of nodes in the Internet communication network, which consequently caused further shutdown of power stations. This failure happened due to the fact that electricity grid and Internet communication network have a bidirectional dependency: power stations rely on the communication node for control, and communication nodes rely on the electricity grid to receive electricity supply. One of the differences between an isolated single network and interdependent network is that in an isolated network removal of a significant number of nodes may result in a network shut down, while in an interdependent network removal of a small fraction of nodes may lead to complete fragmentation of the whole system (Buldyrev et al. 2010). A line flashover to trees (faults) and line trips on the Swiss electricity transmission network, near the Italian border, were the starting point of the Italian blackout. This event happened when interconnecting lines were heavily loaded andled to the disconnection of the Italian network from the Union for the Co-ordination of the Transmission of Electricity (UCTE) grid. The disconnectioncaused a large power grid imbalance, which resulted in afrequency drop in the Italian grid. Inadequate action by the operator to control the situation led to failure to control the underfrequencytransient. As the result,protection on the electricity network shut down large parts of the electricity system and nearly 45 million people were left without power. Finally, the whole recovery took about 19 hours (Sforna and Delfanti 2006). Post-event analysis was conducted by different organizations such as the Italian government and the European system operator, and a number of recommendations were made. A delay to update of operating procedures
Cyber Threats and Attacks in Smart Energy Networks
89
for security was identified as not acceptable. Additionally, it was recommended that procedures to manage the emergency situation be improved to prevent operator delays. Such procedures depend on the availability and efficiency of the communication network, and in thisItalian system failure the telephone communication system proved to be less reliable than expected. Finally, it was recommended that the Italian electricity system operator enlarge theirdefencesystems,to monitor the external grids that could affect the security of their system (Sforna and Delfanti 2006).
7.2. Blackout in Ukraine On 23rd December 2015, three provinces in the Ukraine reported an electricity blackout as the result of a cyber-attack on their electricity grid. The attack was directed at six electricity distribution networks, three of which were directly affected by network failure. Although the other three did not experienced electricity blackout, attackers were able to intrude into their system. This cyber-attack was targeting the distribution level, affecting around 225,000 people and more than 50 substations. Restoration took up to 6 hoursand required the utilities to sendtechnicians to the substations to manually control the electricity grid. This incident is the first publicly documented cyber-attack on an electricity grid control system. Whitehead et al. (Whitehead et al. 2017) have collected information about the cyber-attack on Ukrainian power grid by researching through available documents such as U.S. Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team (ICSCERT), Electricity Information Sharing and Analysis Centre (EISAC), and the government of Ukraine. Based on the available information, the following stagesare identified for this event. 1) Stage 1: Spear Phishing Six months before 23rd December 2015, a spear phishing email that appeared to be from the Ukrainian Energy Ministry was sent
90
Zoya Pourmirza and Sara Walker out to staff inUkrainian distribution utilities. This emailcontaineda malicious Microsoftdocumentwith a macro that installed Black Energy 3 (BE3) onto theworkstations, and enabled access to the network. 2) Stage 2: Explore and Movement in the compromised Network BE3 and other tools performed reconnaissance,and provided an initial backdoor for the attackers which then enabled movement through the networks. ICS-CERT reported that one or more computers in each of thesix distribution utilities were compromised by BE3. In April 2015, a further backdoor malware was installed on compromised workstations, which enable easier access to compromised machine. 3) Stage 3: Credentials Harvested When the network was explored by attackers, they could discover and access the Microsoft Active Directory servers in one of the distribution networks. The active directory server contains information such as usernames and passwords and, when compromised, led to brute force attack on the credentials stored on the server. In another distribution network, attackers discovered passwords using an unknown method. While BE3 contained a password stealing plug-in, investigators couldn’t find this specific plug-in in the compromised network. 4) Stage 4: Virtual Private Network Tunnel Created By using the harvested credentials, attackers created an encrypted tunnel. The tunnel (which was called a virtual private network (VPN) by ICS-CERT) was used by attackers to penetrate the electricity distribution network. In this process, attackers used standard remote accesstools such as Remote Desktop Protocol (RDP), Secure Shell (SSH), and Remote Administrator (Radmin), to access the Human Machine Interfaces (HMIs) of control systems. Since two-factor authentication was not needed to access the distribution network, the attackers created this encrypted channel using only user credentials.
Cyber Threats and Attacks in Smart Energy Networks
91
5) Stage 5: Compromise and Reconnaissance of HMI Computers Remote access to the HMI applicationled to attackers being able to access and interact with SCADA control systems remotely. Although a router splits corporate and SCADA networks, the firewall rules were inadequately configured. It is believed, prior to this incident, attackers executed reconnaissance on and compromised aroundseventeen local dispatch centreHMIs, which wereassociatedwith over 50 substations. 6) Stage 6: Take Control of Circuit Breakers On 23rd December 2015, at 15:30, attackers took control of the HMI operator and opened the breaker. They first entered SCADA networks via the compromised SCADA computers and launched the first power outage attack. One minute later at 15:31, attackers launched an attack on another electricity distribution network, and finally the third attack occurred at 16:00. The operators could observe the mouse moving on their system, but could not stop the attackers from manipulating the HMI. The movement of the mouse suggested this was not an automatic attack. Shortly after 16:00 the electricity utility operator at one of the distribution networks could disable the HMI administrator account, while attackers were shutting down the system using a second HMI administrator account. Finally, the operators were able to take the SCADA system offline, disable the remote access and turn the SCADA to manual mode. Since circuit breakers were disconnected within a one minute time period, it is believed a number of attackers coordinated the attack manually. 7) Stage 7: Additional Attack Actions In order to complicate the attack, prevent customers from reporting outages, and increase the complexity of effort needed to return the grid to its normal operation mode, attackers launched three other malicious activities: a) Initiated a coordinated Telephony Denial of Service (TDoS): This attack was launched to flood the call centres with
92
Zoya Pourmirza and Sara Walker automated calls from foreign phone numbers and thereby prevent affected customers from reporting outages. This affected the operator’s response time, due to their lack of knowledge of the situation and location of outages. b) Disabled the Uninterruptable Power Supplies (UPSs): Attackers accessed the UPS and used the UPS remote management interface to arrange a shutdown later in the afternoon. c) Updated Malicious Firmware: Attackers corrupted the firmware on a remote terminal unit (RTU) and damaged the serial-to-Ethernet port servers. 8) Stage 8: Execute KillDisk
Attackers ran the KillDisk malware on targeted machines in all three distribution utility networks, to erase some files and damage the master boot record. This negatively affected the control centre HMI. Figure below (Figure 3) illustrates the 8 stages of the cyber-attack on the Ukrainian power gridthat has been discussed.
Figure 3. Model of cyber-attack on Ukrainian power grid (Whitehead et al. 2017).
Cyber Threats and Attacks in Smart Energy Networks
93
Table 1. Cyber-security threats and control mechanisms to mitigate Ukrainian power grid attack (Whitehead et al. 2017) Stage Overall 1) Initial Access to Enterprise Network
Threat Lack of asset and system knowledge Spear phishing
2) Pivot in Enterprise Network
Malware (BE3)
3) Elevate Privileges
Compromised credentials: - Software key logger - Brute force
4) Maintenance Access
Tunnel access
5) Gain Access to Control System 6) Attack
Remote access to HMI/SCADA Remote access to breaker/control system
7) Attack Complication
a) Telephony DoS b) UPS remote access c) Malicious firmware update
8) Destroy Hard Drives
Malware (Kill Disk)
Security Controls Monitoring (intrusion detection systems, net flow analysis, baselines, logging) - Training - Email security controls (remove attachments, automatically scan attachments) - Antivirus - IDS - Host based firewalls - Ensuring user least privilege - Password rotation - Antivirus - Strong credentials - IDS - Syslogs - Good firewall rules - Multifactor authentication - VPN controls - Monitoring - Network segmentation - Ensure user least privilege - Strong authentication - Encrypted remote access - Quick isolation - Dedicated or non-public communication channels - Incident planning a) - Backup communications - Call blocking - Asset knowledge b) - Network segmentation - No interactive remote access - Strong authentication c) - Firmware validation (hashing, signatures) - Hardware backups (hot and cold systems) - Recovery procedures - Automatic data backups - Antivirus
94
Zoya Pourmirza and Sara Walker
Table 1 published by (Whitehead et al. 2017) demonstrates the 8 stages of Ukrainian cyber-attack, with associated threats and technical security controls that could be used to mitigate threats at each stage. Finally it has been concluded that Ukrainian cyber-attack was not the result of a single vulnerability or a single attack on one specific target, rather it was the result of a number of complicated and coordinated attacks on various segments of the electricity grid. Therefore, in order to make an energy system secure we need to make sure the software and hardwaresecure network design, security policies, and trained staff are all integrated in a well-coordinated system to prevent similar attacks infuture. Finally, cyber security solutions for energy systems cannot be based on a single mitigation technique, but a collection of solutions need to be integrated in the energy system.
7.3. Cyber-Attack on Gas Pipeline in the USA Oil and gas companies are benefiting from being digitalized and interconnected. However, gas pipelinesare susceptible to cyber-attacks since they incorporate computer systems and internet-enabled devices. Attackers can take over the control systems to interrupt or damage gas pipelines. Until now, a series of cyber intrusions have been reported among US gas pipeline operators. The interdependency between gas pipelines and the electricity sector is increasing the cyber-security concerns among each of these sectors. Such concerns were highlighted in June 2018 by two commissioners on the Federal Energy Regulatory Commission (FERC) mentioning, “as … natural gas has become a major part of the fuel mix, the cybersecurity threats to that supply have taken on new urgency” (Parfomak 2019). A real-world cyber-attack on gas pipelines was reported in March 2018. In this incidentat least four major U.S. gas pipelines reported attacks. These attackstargeted the third-party electronic communication system, which is responsible for communication with customers. This led to data and electronic system shut down in the communication system. Three of
Cyber Threats and Attacks in Smart Energy Networks
95
thesepipeline providersconfirmed thatthe data black out was due to a cyber-attack. The main target was the EDI (electronic data interchange) system, which controls computer-to-computer document exchanges with customers. However, it was not confirmed if the attackers were targeting customer data or aiming to take financialadvantage by extracting money from the company via DDoS (distributed denial-of-service) attack or ransomware Fortress (FORTRESS 2019). This attack stressed the possible vulnerabilities of the energy systems. These systems are more susceptible to cyber-attacks due to the increased interdependency between pipeline infrastructure and digital systems. They are also vulnerable to attacks, because they contain consumer and business data, such as trading strategies, and exploration and production technologies data. Devices such as control valves, pressure monitors and other devices, which are connected to wireless networks, are essential for operation of refineries and oil wells. These various connected devices opens more doors for attackers. The identified risks of intrusion into the control system of gas network are discussed below. Acyber-attack on the US gas grid, with 2.5 million miles of oil, gas, and chemical pipelines, could potentially lead to: disrupted deliveries, explosions, fire, and spills, which could threaten people, infrastructures, and the environment NewYork Times (2018). Generally, it has beenunderstood that regardless of how well organisations protect their own resources, third party companies with weak security controls, may generate vulnerabilities that could be easily exploited. Ponemon Institude (Ponemon Institute 2017) carried out research to explore how cyber-security risks are addressed in the operational technology (OT) environment of oil and gas companies in the US. They have surveyed 377 individuals who were responsible for securing and supervising cyber-risks in OT environments. Although oil and gas companies are benefiting from increased digital systems, a large number of respondent to the survey believed that digitalization has made the system more vulnerable to security attacks. Respondents also believed that the exploratory information and production information are the greatest risks to the system. Additionally, vulnerabilities of oil and gas grids are
96
Zoya Pourmirza and Sara Walker
highlighted as: potential partners and acquisition targets, financial and organizational reports, operational information, details on drilling sites and field production information from sensors. Finally, a number of cybersecurity risk mitigation techniques for oil and gas companies have been identified as: analysis of user behaviour, hardening endpoints, and encrypting data in motion.
CONCLUSION The digital revolution, including increased use of metering and computational devices embedded in energy systems, as well as sophisticated data collection techniques, has affected the energy generation, network operation, and end use consumption of our energy systems. In smart energy systems, sensitive and critical data are travelling in both directionfrom a central generationpoint to end users,through multi layered architecture of the system. These data are being transmitted via public networks such as the internet or private and close networks. Energy related data are being exchanged with other dependent critical infrastructure, where correctoperation of each of these infrastructure depends on the correct operation of dependent infrastructure, which is why we call the energy systema cyber-dependent network. These energy-related data vary in type, size, format, and their responsibilities. The challenge is that the increased use of ICT and data volume and evolution of cyber infrastructure is growing faster than the evolution of tools and techniques to ensure security ofthe energy system. We are way behind ensuring the quality, availability, integrity, and confidentiality of data generated and transmitted through the energy system. In order to safeguard these energy systems against cyber security risks and cyber incidents, one should have detailed understanding of the energy systems. This means a need to understand how smart energy systems are less cybersecure than traditional energy systems, the security requirements of energy systems, the existing and potential vulnerabilities of energy systems, incentives of adversaries to launch an attack against systems, and
Cyber Threats and Attacks in Smart Energy Networks
97
knowledge of which layer of the energy system would be targeted by which type of attack. These topics all have been explored in this chapter. It is believed that the cyber-security mitigation techniques available today are more focused on securing the ICT infrastructure and associated economic environment, without counting for energy system characteristics and requirements. Accordingly, this chapter identified a number of mitigation techniques that could be implemented in the energy systems, to reduce the negative impact of Cyber-Attacks, such as using TCP/IP protocol, blockchain, self-organising architecture, network segmentation, VPN for remote access, contingency planning, after incident reporting, and policies for physical security and password rotation. Finally, to conclude this chapter three real world cyber-attack and cyber-incidents have been studied. These real world incidents are the blackout in Italy in 2003, the cyber-attacks on the Ukrainian power-grid in 2015, and the cyber-attack on US gas pipelines in 2018. In summary, the cause of such incidents, how they have impacted the energy system, and how they could be mitigated, have been discussed (Whitehead et al. 2017).
REFERENCES 2018. Cyberattack Shows Vulnerability of Gas Pipeline Network. The New York Times. Buldyrev, Sergey V., Roni Parshani, Gerald Paul, H. Eugene Stanley, and Shlomo Havlin. 2010. “Catastrophic cascade of failures in interdependent networks.” Nature 464 (7291):1025-1028. doi: 10.1038/nature08932. Cameron, Calum, Charalampos Patsios, Phil C. Taylor, and Zoya Pourmirza. 2019. “Using Self-Organizing Architectures to Mitigate the Impacts of Denial-of-Service Attacks on Voltage Control Schemes.” IEEE Transactions on Smart Grid 10 (3):3010-3019. doi: 10.1109/TSG.2018.2817046. Cleveland, Frances. 2008. “Cyber security issues for Advanced Metering Infrasttructure (AMI).” 2008 IEEE Power and Energy Society General
98
Zoya Pourmirza and Sara Walker
Meeting - Conversion and Delivery of Electrical Energy in the 21st Century, 20-24 July 2008. Crossland, F. Andrew, Darren Jones, S. Neal Wade, and L. Sara Walker. 2018. “Comparison of the Location and Rating of Energy Storage for Renewables Integration in Residential Low Voltage Networks with Overvoltage Constraints.” Energies 11 (8). doi: 10.3390/en11082041. Ebrahimy, Razgar, and Zoya Pourmirza. 2017. “Cyber-interdependency in Smart Energy Systems.” International Conference on Information Systems Security and Privacy- ICISSP, Porto, Portugal. Ebrahimy, Razgar, and Zoya Pourmirza. 2018. “Mitigating Cyber Threats in Smart Energy Subsystems Using Safety Critical Analysis Techniques.” 2018 IEEE International Conference on Smart Energy Grid Engineering (SEGE), 12-15 Aug. 2018. Etim, Nyong-Bassey Bassey, Damian Giaouris, Charalampos Patsios, Shady Gadoue, Athanasios I. Papadopoulos, Panos Seferlis, Spyros Voutetakis, and Simira Papadopoulou. 2019. “Probabilistic adaptive model predictive power pinch analysis (PoPA) energy management approach to uncertainty.” The Journal of Engineering 2019 (17):42884292. doi: 10.1049/joe.2018.8154. European Parliament. 2016. Understanding electricity markets in the EU: Briefing. Brussels: European Union. FORTRESS. 2019. Emerging Risk Brief: Cyber Attacks on US Pipelines in 2019. https://fortressinfosec.com/emerging-risk-brief-cyber-attacks-onus-pipelines-in-2019/. Hines, Paul, Jason Veneman, and Brian Tivnan. 2014. Smart Grid: Reliability, Security, and Resiliency. Hosseini, Seyed Hamid Reza, Adib Allahham, and Phil Taylor. 2018. “Techno-Economic-Environmental Analysis of Integrated Operation of Gas and Electricity Networks.” 2018 IEEE International Symposium on Circuits and Systems (ISCAS), 27-30 May 2018. Ibrahim, Erfan. 2018. A Comprehensive Tutorial on Cybersecurity. https://tbbllc.com/blog/f/a-comprehensive-tutorial-on-cybersecurityfrom-erfan?blog=y.
Cyber Threats and Attacks in Smart Energy Networks
99
ICS-CERT. 2012. ICS-CERT Monitor. Monitor Report. U.S. Department of Homeland Security. Jenkins, Andrew M., Charalampos Patsios, Phil C. Taylor, Olamayowa Olabisi, Neal Wade, and Phil Blythe. 2017. “Creating virtual energy storage systems from aggregated smart charging electric vehicles.” CIRED - Open Access Proceedings Journal 2017 (1):1664-1668. doi: 10.1049/oap-cired.2017.0937. Kianmehr, Ehsan, Saman Nikkhah, Vahid Vahidinasab, Damian Giaouris, and Taylor. Phil. 2019. “A Resilience-based Architecture for Joint Distributed Energy Resources Allocation and Hourly Network Reconfiguration.” IEEE Transactions on Industrial Informatics. doi: 10.1109/TII.2019.2901538. Kim, Jinsub, and Lang Tong. 2013. “On Topology Attack of a Smart Grid: Undetectable Attacks and Countermeasures.” IEEE Journal on Selected Areas in Communications 31 (7):1294-1305. doi: 10.1109/JSAC.2013.130712. Kosut, Oliver, Liyan Jia, Robert J. Thomas, and Lang Tong. 2010. “Limiting false data attacks on power system state estimation.” 2010 44th Annual Conference on Information Sciences and Systems (CISS), 17-19 March 2010. Lee, Robert, Michael Assante, and Tim Conway. 2016. Analysis of the Cyber Attack on the Ukrainian Power Grid Electricity Information Sharing and Analysis Centre. Li, Beibei, Rongxing Lu, Wei Wang, and Kim-Kwang Raymond Choo. 2017. “Distributed host-based collaborative detection for false data injection attacks in smart grid cyber-physical system.” Journal of Parallel and Distributed Computing 103:32-41. doi: https://doi.org/10.1016/j.jpdc.2016.12.012. Liang, Gaoqi, Steven R. Weller, Fengji Luo, Junhua Zhao, and Zhao Yang Dong. 2019. “Distributed Blockchain-Based Data Protection Framework for Modern Power Systems against Cyber Attacks.” IEEE Transactions on Smart Grid 10 (3):3162-3173. doi: 10.1109/ TSG.2018.2819663.
100
Zoya Pourmirza and Sara Walker
Liu, Xuan, and Zuyi Li. 2017. “False Data Attacks against AC State Estimation with Incomplete Network Information.” IEEE Transactions on Smart Grid 8 (5):2239-2248. doi: 10.1109/TSG.2016.2521178. Liu, Yao, Peng Ning, and Michael K. Reiter. 2009. “False data injection attacks against state estimation in electric power grids.” Proceedings of the 16th ACM conference on Computer and communications security, Chicago, Illinois, USA. Ma, Tengfei, Junyong Wu, Liangliang Hao, Wei-Jen Lee, Huaguang Yan, and Dezhi Li. 2018. “The optimal structure planning and energy management strategies of smart multi energy systems.” Energy 160:122-141. doi: https://doi.org/10.1016/j.energy.2018.06.198. Mustafa, Mustafa, Sara Cleemput, and Aysajan Abidin. 2016. “A local electricity trading market: Security analysis.” 2016 IEEE PES Innovative Smart Grid Technologies Conference Europe (ISGTEurope), 9-12 Oct. 2016. NIST. 2010. Introduction to NISTIR 7628 Guidelines for Smart Grid Cyber Security. The Smart Grid Interoperability Panel Cyber Security Working Group. O’Dwyer, Edward, Indranil Pan, Salvador Acha, and Nilay Shah. 2019. “Smart energy systems for sustainable smart cities: Current developments, trends and future directions.” Applied Energy 237:581597. doi: https://doi.org/10.1016/j.apenergy.2019.01.024. Parfomak, Paul W. 2019. Pipeline Security: Homeland Security Issues in the 116th Congress Congressional Research Service CRS Insight. Patsios, Charalampos, Billy Wu, Efstratios Chatzinikolaou, Daniel J. Rogers, Neal Wade, Nigel P. Brandon, and Phil Taylor. 2016. “An integrated approach for the analysis and control of grid connected energy storage systems.” Journal of Energy Storage 5:48-61. doi: https://doi.org/10.1016/j.est.2015.11.011. Ponemon Institute. 2017. The State of Cybersecurity in the Oil & Gas Industry: United States. Ponemon Institute. Pourmirza, Zoya, and John M. Brooke. 2014. “Energy Aware Communication in the Smart Grid.” International Conference on Smart Grids and Green IT Systems.
Cyber Threats and Attacks in Smart Energy Networks
101
Pourmirza, Zoya, and John M. Brooke. 2013. “A Realistic ICT Network Design and Implementation in the Neighbourhood Area of the Smart Grid” Smart Grid and Renewable Energy 4 (6). doi: 10.4236/sgre.2013.46050. Rasmussen, Theis B., Guangya Yang, Arne H Nielsen, and Zhaoyang Dong. 2017. “A review of cyber-physical energy system security assessment.” 2017 IEEE Manchester PowerTech, 18-22 June 2017. Rawat, Danda B., and Chandra Bajracharya. 2015. “Detection of False Data Injection Attacks in Smart Grid Communication Systems.” IEEE Signal Processing Letters 22 (10):1652-1656. doi: 10.1109/LSP.2015.2421935. Roberts, D. A. 2004. Network Management Systems for Active Distribution Networks: A Feasibility Study. Edited by Great Britain. Department of Trade and Industry: SP POWER SYSTEMS LTD, SCOTTISHPOWER PLC. Sarantakos, Ilias, David M. Greenwood, Jialiang Yi, Simon R. Blake, and Phil C. Taylor. 2019. “A method to include component condition and substation reliability into distribution system reconfiguration.” International Journal of Electrical Power & Energy Systems 109:122138. doi: https://doi.org/10.1016/j.ijepes.2019.01.040. Sforna, Marino, and Maurizio Delfanti. 2006. “Overview of the events and causes of the 2003 Italian blackout.” 2006 IEEE PES Power Systems Conference and Exposition, 29 Oct.-1 Nov. 2006. Whitehead, David, Kevin Owens, Dennis Gammel, and Jess Smith. 2017. Ukraine cyber-induced power outage: Analysis and practical mitigation strategies. Wilson, Grant, and Paul Rowley. 2019. Flexibility in Great Britain's gas networks: analysis of linepack and linepack flexibility using hourly data. London: UK Energy Research Centre. Yang, Qiang, Javier A. Barria, and Tim C. Green. 2011. “Communication Infrastructures for Distributed Control of Power Distribution Networks.” IEEE Transactions on Industrial Informatics 7 (2):316327. doi: 10.1109/TII.2011.2123903.
102
Zoya Pourmirza and Sara Walker
Yi, Jialiang, Chloe Pages, Adib Allahham, Damian Giaouris, and Charalampos Patsios. 2019. “Modelling and simulation of a smartgrid architecture for a real distribution network in the UK.” The Journal of Engineering 2019 (8):5415-5418. doi: 10.1049/joe.2018.8217. Yuan, Yanling, Zuyi Li, and Kui Ren. 2012. False Data Injection Attacks in Smart Grid: Wiley. Zubair, Baig, and Alamoudy Abdurraoof. 2013. “An Analysis of Smart Grid Attacks and Countermeasures.” Journal of Communications 8:473-479. doi: 10.12720/jcm.8.8.473-479.
In: Understanding Cyber Threats and Attacks ISBN: 978-1-53618-336-8 Editors: B. Mishra and J. Piqueira © 2020 Nova Science Publishers, Inc.
Chapter 4
A TWOFOLD MATHEMATICAL MODEL TO STUDY THE MALWARE ATTACK OF COMPROMISED IOT BOTNET ON TARGETED NETWORKS Ajit Kumar Keshri* Department of Computer Science and Engineering, Birla Institute of Technology, Mesra, Ranchi, Jharkhand, India
ABSTRACT The Internet of Things (IoT) is redefined the services of Internet and is broadly used in many fields. The mainstream adaptation and widespread use of IoT also has given birth about its security. Most IoT notes are connected to the Internet through wireless networks using technologies such as Wi-Fi and RFID. Since, IoT devices are not fullflagged computers, anti-malware or other security systems are not possible to implement in such devices with tiny OS, less powerful *
Corresponding Author’s Email: ajitkeshribitmesra.ac.in.
104
Ajit Kumar Keshri processor with limited capabilities and with very restricted memory size. IoT devices are more vulnerable than any other network devices due to their factory default username and password. In this chapter, a twofold mathematical model is proposed where vulnerable IoT devices are compromised first and then with the help of a zombie army made of these compromised IoT nodes makes a DDoS attack on a targeted network. The model is analyzed at equilibrium points to find the conditions for their stability. Extensive numerical simulation is performed to validate the model developed.
Keywords: Internet of Things (IoT), Distributed Denial of Service (DDoS) attack, wireless network, malware, targeted attack
INTRODUCTION In 2014, Brendan O’Brien, Chief Architect & Co-founder of Aria said: “If you think the Internet has changed your life, think again. The IoT is about to change it all over again!”. The mainstream adaptation and widespread use of IoT proofs the above said statement. Now with the invent of IoT, not only highly specialized devices but also a much broader range of devices can be connected to the Internet. IoT node can be a home appliance, healthcare device, CCTV camera, webcam, smart plug, traffic light, electric meter, street light, vehicle, smart TV, TV settop box and almost anything fitted with sensors, actuators, power units and embedded systems and most importantly it must be a Internet Protocol (IP) enable device [1]. The only major concern is its security because they were not designed with security in mind. IoT devices are more vulnerable than any other IP enabled Internet devices due to the following reasons: 1) Most IoT devices are connected to the Internet via wireless networks. Wireless networks are more vulnerable than wired networks due to their transmission through air and use of weak protocols in compare to wired network.
A Twofold Mathematical Model to Study the Malware Attack …
105
2) Most of the IoT devices have company provided username and password. The users are not allowed to change it or the user due to their gullibility or stupidity not changed the password. 3) IoT devices are not full-flagged computers, anti-malware or other security systems are not possible to implement in such devices with tiny OS, no powerful processor and no sufficient memory. Development of epidemic models is now very common not only in biology but also in computer networks and have already been proved to play a key role in providing a better planning for defense framework against various biological diseases or malware attacks respectively [2-6]. Some epidemic models also were developed for rumor propagation through online social networks [7]. But still not enough expertise is available in the field of epidemic modeling of different types of wireless networks. Out of various types of wireless networks, the popularity and adaptation of wireless fidelity (Wi-Fi) networks like, wireless sensor networks (WSNs), wireless nano-sensor networks (WNSNs), Internet of Things (IoT) based networks, networks of cyber physical systems (CPS) and so on, increases in an unbeatable pace. In this chapter, for the first time ever, an epidemic model that shows a relationship among IoT nodes, distributed denial of service (DDoS) attack on IoT nodes and targeted nodes in a network of critical infrastructure, is developed and analyzed.
LITERATURE REVIEW If an attack on a single server or on a small network is performed through a large number of nodes, then it is termed as distributed attack. Distributed denial of service (DDoS) attack is one of them. In a DDoS attack, large number of vulnerable nodes gets compromised by a perpetrator through the attack of malware. These compromised nodes then form a zombie army and lunches attack at the same time on perpetrator’s
106
Ajit Kumar Keshri
victim upon receiving command from the master [8]. In fourth quarter of 2015, 75 percent of DDoS attacks were through wireless networks [9]. Public or private critical infrastructure of any country or organization that has Internet connection is termed here as targeted resource. In the past, number of distributed attacks on such resources was conducted by cyber perpetrators. On Apil 27, 2007, a series of DDoS attacks on Estonia’s number of targeted resources like websites of Estonis’s parliament, ministries, leading banks and newspapers were conducted [10]. Similarly, on August 7, 2008, DDoS attacks on Georgia’s targeted resources like military and defense institutions, IT systems were also conducted and as a result these critical infrastructures were proved insecure and vulnerable to disruptions of any kind of online activities [11]. Another example of a successful DDoS attack on critical infrastructure was made by Stuxnet on Iran’s nuclear infrastructure resource in 2010 [12]. In 2016, three major Mirai botnet attacks made of IoT devices were organized. Mirai botnet consisting of 150000 IoT devices were used to conduct 1Tbps DDos attack [13]. It is one of the biggest DDoS attack successfully organized on French hosting company OVH. The rest of the chapter is structured as follows. Section 3 formulates the epidemic model with the help of ordinary differential equations. Section 4 investigates the model by evaluating basic reproduction number, equilibrium points and their local stability. Section 5 analyses the simulation performed. Finally, Section 6 presents the summary of this chapter.
HIPOTHESIS AND MODEL FORMULATION In this chapter, we develop a mathematical model which is based on number of hypotheses listed in Table 1. Based on these hypotheses, we develop an epidemic model which integrated four different aspects as internal or external IoT node, wireless network, distributed attack and targeted resource, as shown in Figure 1.
A Twofold Mathematical Model to Study the Malware Attack …
107
Table 1. Hypothesis of our model Symbol St It Rt Sa Ia Ea
εt εa Α
σ1
σ2
R0 R0a R0t
Description The susceptible targeted nodes The infectious targeted nodes The recovered targeted nodes The susceptible attacking IoT nodes The infectious attacking IoT nodes The external attacking IoT nodes The per infectivity contact rate The rate of recovery of Infectious targeted nodes The rate at which recovered targeted nodes become susceptible The rate at which disinfected attacking IoT nodes become susceptible The rate at which attacking IoT nodes (susceptible or infectious) get detached from the Internet to join external attacking IoT nodes The rate at which external attacking IoT nodes get connected to the Internet to join susceptible attacking IoT nodes The rate at which external attacking IoT nodes get connected to the Internet to join infectious attacking IoT nodes The natural death rate and birth rate of attacking IoT nodes The basic reproduction number The basic reproduction number for the attacking IoT population The basic reproduction number for the target population
According to our assumption, an IoT node is termed as internal node only if it is connected to the Internet, and similarly, if it is disconnected from Internet, it is known as external node. The structure of the proposed model has twofold.
108
Ajit Kumar Keshri
Figure 1. Schematic representation of a model of DDoS attack on targeted resource through IoT nodes.
First, perpetrators achieve a zombie army by targeting vulnerable IoT nodes of attacking population. Second, the entire zombie army lunches a massive attack on a specific target population simultaneously. For the targeted population, the system of ordinary differential equations that describes the rate of change of different compartments and as per our above assumptions, depicted in Figure 1, is formulated as:
dSt S t I a t Rt dt dI t S t I a I t dt
(1.1)
A Twofold Mathematical Model to Study the Malware Attack …
109
dRt I t t Rt dt where, St (t ) I t (t ) Rt (t ) 1 . Similarly, for the attacking population, the system of ordinary differential equations that describes the rate of change of different compartments is formulated as:
dSa Sa I a Sa a I a 1Ea Sa dt dI a Sa I a I a a I a 2 Ea I a dt
(1.2)
dEa Sa I a 1Ea 2 Ea Ea dt where, Sa (t ) I a (t ) Ea (t ) 1 System (1.1) and (1.2) can be reduced to an equivalent system of ordinary differential equations as follows: dSt St I a t 1 St I t dt
dI t S t I a I t dt dI a 1 I a Ea I a I a a I a 2 Ea I a dt
dEa 1 I a Ea I a 1Ea 2 Ea Ea dt
(2)
110
Ajit Kumar Keshri The feasible region for system (2) can be given as {( S t , I t , I a , E a ) R 4 : S t 0, I t 0, I a 0, E a 0, S t I t 1, I a E a 1}
This feasible region is positively invariant with respect to system (2).
MATHEMATICAL ANALYSIS OF THE MODEL Basic Reproduction Number Since the transmission potential can be measured by basic reproduction number (often denoted by R0 ), the success or failure of any attack of malicious objects depends on it. It can be defined as the expected number of secondary cases that one case will generate i.e., average number of secondary infection caused in a totally susceptible population of IoT nodes by a single infectious node during its entire infectious lifetime. R0 is an important threshold that can determine whether the infection persists in the wireless network asymptotically or it eventually dies out with time i.e., if
R0 1 , each infected IoT node infects, on average, more than one susceptible IoT node and hence the infection persists, whereas if R0 1 , each infected IoT node infects, on average, less than one susceptible IoT node and hence the infection dies out [14]. Since,
dI a dI t 0 are the essential conditions for an 0 and dt dt
epidemic to occur, the basic reproduction number for the target population
R0t and for the attacking IoT population R0a is as follows: R0 t
and R0 a . ( a )
A Twofold Mathematical Model to Study the Malware Attack …
111
Combining both, we get
2 R0 a
(3)
Existence and Local Stability of Equilibrium System
(2)
admits
an
infection
free
equilibrium
point
E0 1, It 0, I a 0,0 and also a unique endemic equilibrium point
E * St* , I t* , I a* , Ea* which exists only when a .
Local Stability of the Infection-Free Equilibrium If R0 a 1 , the infection free equilibrium point E0 ,0,0,0 of
system (2) is locally asymptotically stable in and is unstable if R0 a 1 .
Local Stability of the Endemic Equilibrium If
R0 a 1 , then there exists a unique endemic equilibrium
E * St* , I t* , I a* , Ea* that is locally asymptotically stable in the interior of .
NUMERICAL SIMULATIONS AND DISCUSSION An interesting outcome of our model is that the success or failure of distributed attack on targeted resource is only depending on R0a .
112
Ajit Kumar Keshri
Therefore, in all the two examples mentioned below, our model is simulated either for R0 a 1 or for R0 a 1 , as applicable. Example 1. The local stability of the infection free equilibrium point has been numerically simulated to depict the scenario graphically which is shown in Figure 2. Here, the initial point is considered as
St 0.97, I t 0.02, Rt 0.01, Sa 0.65, I a 0.05, Ea 0.3 with the following parameter values
0.3, t 0.4, 0.02, 0.12, a 0.3, 1 0.7, 0.2, 2 0.0002 . The value of R0a is obtained as 0.483 i.e., R0 a 1 . It is clearly observed that the equilibrium point E0 turns out to be stable. Example 2. The local stability of the endemic equilibrium point has been numerically simulated to depict the scenario graphically which is shown in Figure 3. Here, the initial point is considered as
St 0.97, I t 0.02, Rt 0.01, Sa 0.69, I a 0.01, Ea 0.3 following parameter values
Figure 2. Local stability of infection free equilibrium when R0 a
1.
with the
A Twofold Mathematical Model to Study the Malware Attack …
Figure 3. Local stability of endemic equilibrium when R0 a
113
1.
0.5, t 0.01, .004, 0.12, a 0.003, 1 0.4, 0.3, 2 0.4 . The value of R0a is obtained as 1.182 i.e., R0 a 1 . In Figure 3, the compartment It and Ia are seen to have stabilized at non-zero values, thereby showing the stability of the endemic equilibrium.
SUMMARY An epidemic model for attack on IoT nodes and then IoT botnet based DDoS attack on targeted resources is developed and its overall dynamics are analyzed. First an epidemic model based on attack on IoT nodes and then an epidemic model for attacks on targeted network through this compromised IoT nodes is achieved. In addition, the effects of IoT nodes in terms of internal or external nodes are also discussed by including them in the model. Simulation based experiments allowed us to corroborate the analytical findings. Our models can play a key role in risk assessment and in policy making against distributed attacks through IoT nodes on targeted resources.
114
Ajit Kumar Keshri
REFERENCES [1]
Mishra, B. K., Keshri, A. K., Mallick, D. K. and Mishra, B. K. Mathematical model on distributed denial of service attack through Internet of things in a network. Nonlinear Engineering, vol. 8, no.1, pp. 486 - 495, 2019. [2] Hethcote, H. W. A thousand and one epidemic models, in: S. A. Levin (Ed.), Frontiers in Theoretical Biology, Lecture Notes in Biomathematics 100, Springer, Berlin, p. 504, 1994. [3] Mishra, B. K., Haldar, K. and Sinha, D. N. Impact of Information based Classification on Network Epidemics, Nature, Scientific Reports 6, Article number 28289, 2016. DOI: 10.1038/srep28289. [4] Pastor-Satorras, R., Castellano, C., Van Mieghem, P. and Vespignani, A. Epidemic processes in complex networks. Reviews of modern physics, vol. 87, no. 3, pp. 925, 2015. [5] Keshri, A. K., Mishra, B. K. and Mallick, D. K. A predator–prey model on the attacking behavior of malicious objects in wireless nanosensor networks. Nano communication networks, vol. 15, pp.1 16, 2018. [6] Rao, Y. S., Keshri, A. K., Mishra, B. K. and Panda, T. C. Distributed denial of service attack on targeted resources in a computer network for critical infrastructure: A differential e-epidemic model. Physica A: Statistical Mechanics and its Applications, 2020. [7] Keshri, A. K., Mishra, B. K. and Rukhaiyar, B. P. When rumors create chaos in e-commerce. Chaos, Solitons and Fractals, 109497, 2020. [8] Farraposo, S., Gallon, L. and Owezarski, P. Network security and DoS Attacks, Technical Report, LAAS-CNRS, France, 2005. [9] Verisign Distributed Denial of Service Trends Report, vol. 2, Issue 4, 4th Quarter 2015. [10] Shackelford, S. Estonia two-and-a-half years later: a progress report on combating cyber attacks, 2009.
A Twofold Mathematical Model to Study the Malware Attack …
115
[11] Gamreklidze, E. Cyber security in developing countries, a digital divide issue: The case of Georgia, Journal of International Communication, vol. 20, no. 2, pp. 200 - 217, 2014. [12] Langner, R. Stuxnet: Dissecting a cyberwarfare weapon. IEEE Security and Privacy, vol. 9, no. 3, pp. 49 - 51, 2011. [13] Said, N. B., Biondi, F., Bontchev, V., Decourbe, O., Wilson, T. G., Legay, A. and Quilbeuf, J. Detection of Mirai by Syntactic and Semantic Analysis, 2017. [14] Jones, J. H. Notes on R0, Department of Anthropological Sciences Stanford University, 2007.
In: Understanding Cyber Threats and Attacks ISBN: 978-1-53618-336-8 Editors: B. Mishra and J. Piqueira © 2020 Nova Science Publishers, Inc.
Chapter 5
A SURVEY ON COMPARTMENTAL MODELS IN COMPUTER VIRUSES Cristiane M. Batistela* and Manuel A. M. Cabrera† Escola Politécnica da Universidade de São Paulo Avenida Prof. Luciano Gualberto, São Paulo, SP,Brasil
ABSTRACT Classical SIR epidemiological model applied to data communication systems inspired a lot of models. In the context of computer viruses propagation, a lot of effort has been dedicated to study how to avoid their, trying to create antivirus programs acting as vaccines in personal computers, quarantine or other strategic network nodes. Another way to combat viruses propagation is to establish preventive policies based on the whole operation of a system that can be modeled with population models, similar to those that are used in epidemiological studies. This article provides a survey of available literature of some methodologies employed by researchers to investigate concepts associating epidemiological modeling to study the spread of viruses in computer network and what strategies have been adopted to contain this * †
Corresponding Author’s Email: [email protected]. Corresponding Author’s Email: [email protected].
118
Cristiane M. Batistela and Manuel A. M. Cabrera propagation. The bibliography provided with the article will be of help researchers working in this field.
Keywords: bifurcation, cluster, disease-free, equilibrium point, SIR, stability
INTRODUCTION The proliferation of computer network changed the human society, bringing a lot of benefits and offers us a lot of funcionalities and facilities. Our dependence on access to computer networks is undeniable, and together with that, the advent of technological networks, such as the Internet and Wireless Sensor (WSNs), changed the form of communication and data transfer between human society, becoming indispensable. Soon after we celebrate half a century of the existence of the Internet, it can be understood that it has gone through four phases: first phase associated with access to knowledge and information; second phase perceived by the dedication to modify the forms of financial and commercial transactions; the next phase, marked by the ability to establish online relationships between people, and the current phase known as the internet of things associated with technology that makes not only computers and cell phones have access to the internet, but also other machines [6, 49]. The Internet played an important transformation of the world and reached a state that is not even recognized as a service, but a part of the environment around us, where anything can be smart. The new generation of Internet conceptualizes the world which has all the things around you are having some kind of digital identity and part of some network, communicating and sharing information. However, the increasing use of computers and technological networks has allowed the appearance of programs that are harmful to computers and consequently, their propagation and destruction power evolved over the past few years, causing losses and representing a major threat to human society.
A Survey on Compartmental Models in Computer Viruses
119
Programs, such as viruses and worms, can infect other programs by modifying them to include a possibly evolved copy itself. With the infection property, a virus can spread throughout a computer system or network. Every program that gets infected may also act as a virus and contribues for the infection grows. The power of destruction and with striking characteristics, such as unpredictability and high propagation capacity of the viruses and malwares, have increased over the years representing important threats to society and to corporative networks. Consequently, due to the rapid spread of viruses on the computer network and its ability to replicate, one of the focus of omputer infection study it has been to find models that describe this behavior. In addition, mathematical models are able to show the sensitivity, the characteristics that provide transmission and indicate the best prevention strategies. The security challenges for this environment have attracted various researchers and consequently increasing need of secure for this devices. There exist a lot of security challenges with the proposed architecturesand the technologies [1]. Thus, a new important area of computer science has been developed, cybernetic security, wich working together with processes and technologies to threat reduction, vulnerability reduction, incident response, including computer network operations to protect information from being stolen, compromised or attacked. In order to study the computer virus propagation, the cybernetic security, has built mathematical models, related to the dynamic operation of the systems [34, 32]. One of the central tasks is to develop control strategies of computer virus and minimize its propagation. The first academic paper on self-reproducing programs was written by John Von Neumann. The term “computer virus” was coined Cohen suggesting analogies between computer and biological viruses [12]. Both associated with operationof a unit, (cell or program), of a host, (organism or computer). Consequently, it is natural to look for inspiration in the defense mechanisms that biological organisms acquired against disease. The idea
120
Cristiane M. Batistela and Manuel A. M. Cabrera
that analogies can be useful in the defense of computers was proposed by Murray [39], but the first antivirus technology projects and implementations were proposed by Cohen. This mathematical approach to computer virus propagation started inspired by biology with microscopic [12, 39] and macroscopic [21, 22, 23] approximation. From the perscpective of the division scale of computer on networks, the models can be divided in compartment models and node level models. Node level models are those models that regard a single computer as an object to investigate. The beginning of the study of these models is proposed by Van Mieghem with SIS(susceptible-infected-susceptible) model [52]. Since then, multifarious propagation models have been developed [9, 59, 60, 65]. The macroscopic level is based on classic disease propagation models, providing possible dynamics of the infection process and giving hints on how to design the architecture of the network. The basic model inspiring the macroscopic models is the epidemiological SIR (Susceptible-InfectedRemoved) by Kermack and McKendrick [21] and described in the MathematicalBiology texts [11, 40]. Inspired by the above mentioned works and based on the compartment level SIR model, this his research remainly addresses to apply concepts epidemiological modeling to study and understand the spread of viruses in computer network. Remaining chapter is ordered as follows: in the next section, an introduction for computers and epidemiology, in section 3 some compartmental modelsfollowed by a review and for contributions in the area.
COMPUTERS AND EPIDEMIOLOGY Participants Epidemiology studies the incidence and distribution of diseases in various populations. Individuals of a population are considered as unique
A Survey on Compartmental Models in Computer Viruses
121
entities, for example, humans, animals or computers. The relationship between different individuals and the environment, constitutes a system epidemiological. Depending on the individuals considered, it is understood parasites, individuals of the population, computers and others. If these alterations are considered in humans or that influence the field of health, the classic meaning of the epidemiological concept is used. On the other hand, the use of epidemiology applied to the field of computer science can also be used, if the scope is for computer virus infection. Analogies are instructive and the similarity between the analogy and the study object which it describes, may teach us things about the content of the problem. The use of the name “virus”, to refer to the kind of computer program we are dealing with, is suggestive of the way in which it spreads and how it behaves. Since the behavior of a virus program is analogous an infectious process, the findings and strategies of this field can provide important information. With this conception, many terms from epidemiology are useful in understanding computer viruses and their spread over a network [23]. Some of these terms are listed below:
computer virus: a program when executed infects other machine; birth rate: the rate at which a virus attempts to replicate from one machine to another; death rate: the rate at which virus is elimineted from infected machines; epidemic threshold: the relationship between the viral birth and death rates at which a disease will take off and become widespread; epidemic: the widespread occurrence of a disease; infected machine: a computer that contains a virus and can spread that virus to other computers; susceptible machine: a computer that can become infected when in contact with infected machine; latent period: susceptible machine go to latent period, that is, nodes become infected but not infectious.
122
Cristiane M. Batistela and Manuel A. M. Cabrera
Many researchers have suggested applying theories of the spread of disease to computer viruses [39]. One of the advantages is to consider individuals, in this case computers, in discrete states, as “susceptible” and “infected”, while details of diseases or infection within the individual are ignored, such as which executable files are infected inside the computer. This mathematical approach to computer virus propagation started inspired by biology and the behavior of viruses or malwares must be understood at two levels: microscopic [12, 39] and macroscopic [21, 22] approximation. For computer virus, the microscopic view came first, thanks to Cohen's pioneering work that explained viruses in detail, even before a small threat occurs [12]. The macroscopic way was delayed, as there was no information on the prevalence of attacks and there were not many attempts at mathematical modeling. The situation is being remedied by the collection of statistics from actual incidents and by computer simulation of virus spread. The microscopic study is associated with the development of more effective antivirus programs through the study structure and behavior of new viruses. As there is a delay in the emergency of new viruses and the specific antiviruses for this infectious agent, as a result, viruses spread quickly over the Internet. To remedy this microscopic approximation, associated with the inability contain the spread of viruses, biological epidemiological models have been analyzed and Kephart proposed a model macroscopic, showing that the virus behavior can be predicted through information about the laws governing the spread of viruses [23]. This macroscopic approach to computer viruses, using knowledge of epidemiology, has led to some ideas and tools that can help establish strategies to reduce risk, combining parameters [28] and show society how to deal better with the threat. Epidemiological modeling is associated with the dynamic behavior of processes in which the population is studied according to their epidemiological status, and equations of differences or differences are used
A Survey on Compartmental Models in Computer Viruses
123
to represent the dynamics between states due to the rate of birth, mortality, infection and recovery. To formulate a dynamic model for the spread of an epidemic disease, the population of a certain region is divided into different groups or compartments. The model that describes the dynamic relationship between these groups is called the compartmental model. The interest of study characterizes the models according to their particularities, such as the study of the population at each stage, the division of the disease stage, how the variations of populations occur over time, among others. The macroscopic level is based on the classical model of disease propagation [24, 25, 26], whose dynamics can indicate the possible infection process. The classical epidemiological macroscopic model SIR, proposed by Kermack and McKendrick, is the basis for the development of macroscopic models, providing a dynamic model dividing the individuals of a population into three compartments containing the susceptible individuals (S), the infected (I), and the removed (R) ones. The class of susceptibles includes all susceptibles that are free from infection, that is, they are healthy, but can be infected by an infectious agent at any time, while those infected are the units that have been infected and have the potential to transmit infection to the rest of the population by establishing adequate contact with the susceptible class. The removed or recovered compartment is made up of all individuals who have ceased their infectivity and acquired immunity, which can be permanent or temporary, depending on whether they remain in this class or whether they have the capacity to become susceptible. The contact rate of infectivity defines the average number of suitable contacts, that is, enough contact for the transmission of infection by computer per unit of time. With epidemiological models, it is possible to investigate whether a contagious disease will cause an epidemic, whether it will become endemic or whether it will be eradicated naturally. For this analysis, the model itself, the parameter values and the initial conditions must be taken into account. An important tool for verifying the occurrence of an epidemic is the basal reproduction number or basal reproductive factor (R0), which is
124
Cristiane M. Batistela and Manuel A. M. Cabrera
defined as the average number of secondary infections produced by a single infected individual during the period of infection of an completely susceptible population . This value, R0, represents a critical value, for a combination of characteristic system parameters and initial conditions, and determines whether the disease will spread or not. This value, which depends on the parameters and peculiarities of each model, allows exploring many characteristics, among them, the distribution of the infectious period, the dynamics of the disease-free population and even intrinsic characteristics of the population such as behavior, treatments, heterogeneity. For the construction of the model, one of the simplifications it is the consideration of individuals, in this case, computers, in discrete states. For proper contact to occur, it is necessary that an infected individual establishes contact with a susceptible to that the transmission of the disease occurs, and, in computers, this contact can vary considerably from one computer virus to another. The date of birth of each virus depends on the established frequency of adequate contact and hence the birth rate of computer viruses is related to several factors, among them, everything that favors or makes difficult replication and precautions associated with network users. The death rate of each virus is associated with the healing capacity of each infection and, depending on the disease in question, an individual may become immune or susceptible again. For computer viruses, this rate is related to intrinsic characteristics, being able to be softened by conscious users and with adequate protection system. Birth or death rates can be controlled by the action of antiviruses. These technologies differ in their actions and can act as a scanner to scan stored programs with infection and compare them with a set of known viruses, increasing the mortality rate, controlling access systems, preventing unauthorized programs from altering other programs, decreasing the virus birth rate, and management integrity, being a antivirus technology whose strategy is to detect and prevent the spread of viruses, looking for general methods that viruses use to spread and alerting the user some anomaly produced by the virus.
A Survey on Compartmental Models in Computer Viruses
125
Understanding the epidemiology of computer viruses coupled with policies efficient public policies are fundamental for controlling the spread of viruses in networks and security measures. To this end, many models have been proposed. On the lastdecade, this knowledge was expanded through works on epidemiology of computer viruses, which have considered aspects that characterize the network. In the last two decades, the work on computer virus epidemiology has been mainly focused on the following two topics:
Viruses can spread on networks that are fully connected and are premise, that each computer on the network is equally accessed any other computer on the network. Some classic models are modified compared to conventional models. With that, a series of contributions is evident in the study of virus spread. A list of some models found in the literature that make use of the strategy of dividing the population in compartments: (SIS) SusceptibleInfected-Susceptible [21] (SIR) Susceptible-Infected-Removed [24, 25, 26, 46], (SIA) Susceptible-Infected-Antidotal [43], (SIRA) Susceptible-Infected-Removed-Antidotal [8, 10, 44], (SIQRA) Susceptible-Infected-Quarantine-Removed-Antidotal [45], (SEIRS) Susceptible-Exposed-Infected-Recovered-Susceptible [32], (SEIQRS) Susceptible-Exposed-Infectious-QuarantineRecovered-Susceptible [30], (SEIQV) Susceptible-ExposedInfectious-Quarantine-Vaccinated [53], (SICS) SusceptibleInfected-Countermeasure-Susceptible [67], (SLBS) SusceptibleLatent-Breaking-Susceptible [57]. Viruses spreading on complex networks, which was stimulated by the discovery that the Internet follows a power-law degree distribution [2, 41, 42]. These works were responsible for studying the impact of network topology on the spread of viruses. As a result, several network based epidemic virus models have been studied, varying between (SI) Susceptible-Infected [7, 19] and SIS models [54] for SIR models [36] and SBLS models [58] were investigated.
126
Cristiane M. Batistela and Manuel A. M. Cabrera
SOME COMPARTIMENTAL MODELS There is many compartimental models indicated for epidemiology [40] and their origin is Kermack and Mckendrick SIR (Susceptible-InfectedRemoved) models [24, 25, 26]. The SIR model is composed of three populations: Susceptible - all computers in this group can become infected when in contact with an infected individual; Infected - all computers in this group are infected and can spread the infection; Removed - the individuals in this group died or were removed from the population, as shown in Figure 1. In addition, the incubation period way that a susceptible person who contracts the disease immediately becomes infected and that the spatial distribution of individuals is evenly distributed across space.
Figure 4. SIR model.
The susceptible population S is infected with a rate, that is related to the probability of susceptible computers to establish effective communications with infected ones. Therefore, this rate is proportional to the product SI, with proportion factor represented by 𝛼and infected computers can become uselless and removed with a rate controlled by 𝛽. As reported by [43] the dynamic equation for the populations S, Iand R are: 𝑆̇ = −𝛼𝑆𝐼 ̇ {𝐼 = 𝛼𝑆𝐼 − 𝛽𝐼 𝑅̇ = 𝛽𝐼
(1)
Adopting initial conditions S(0) ≥ 0, I(0) ≥ 0 and R(0) ≥ 0. In models such as SIR, there is an interest in studying the dynamics to investigate whether a contagious disease will cause an epidemic, whether it
A Survey on Compartmental Models in Computer Viruses
127
will be endemic or naturally eradicated. This depends on the model itself, and the characteristics of theinitial system parameters and conditions. According to (1), it is concluded that in t = 0 if dI/dt < 0, the disease tends to disappear when 𝛼S(0) 0, that is, when 𝛼S(0) >𝛽. Adopting these characteristics of the model described in Figure 1, the basal reproduction rate is defined (2): 𝑅0 =
𝛼𝑆(0) 𝛽
(2)
The basal reproduction rate analysis indicates that when there is an epidemic R0 > 1; and there is no epidemic when R0 < 1. For the model in Figure 1, R0 depends on the population initial S(0), contagion rate 𝛼and recovery rate 𝛽.
Figure 5. SIRA model.
Based on a model described by (1), adding an antidotal (A) compartment, representing the nodes of the network equipped with fully effective antivirus programs, the SIRA model for computer viruses propagation was proposed, as shown in Figure 2. The total population T is divided into four groups: S of non infected computers subjected to possible infection; A of noninfected computers equipped with antivirus; I of infected computers; and R of removed ones due to infection or not. The susceptible population S is infected with a rate that is related to the probability of susceptible computers to establisheffective communications with infected ones. Therefore, this rate is proportional to the product SI,
128
Cristiane M. Batistela and Manuel A. M. Cabrera
with proportion factorrepresented by β. Conversion of susceptible into antidotal is proportional to the product SA and is controlled by αSA, that is an operational parameter defined by the antivirus distribution strategy of the network administration. Infected computers can be fixed by using antivirus programs being converted into antidotal ones with a rate proportional to AI, with a proportion factor given by αIA, or become useless and removed with a rate controlled by δ. Removed computers can be restored and converted into susceptible with a proportion factor σ. Considering these facts, the model can be described by (3): 𝑆̇ = −𝛼𝑆𝐴 𝑆𝐴 − 𝛽𝑆𝐼 + 𝜎𝑅 𝐼 ̇ = 𝛽𝑆𝐼 − 𝛼𝐼𝐴 𝐴𝐼 − 𝛿𝐼 𝑅̇ = 𝛿𝐼 − 𝜎𝑅 ̇ 𝐴 = 𝛼𝑆𝐴 𝑆𝐴 + 𝛼𝐼𝐴 𝐴𝐼 {
(3)
This model represents the dynamics of the propagation of the infection of a known virus and, consequently,the conversion of antidotal into infected is not considered. Therefore, by using this model, a vaccination strategy canbe defined, providing an economical use of the antivirus programs. Then, disease-free and endemic equilibriumpoints are calculated, stability and bifurcation conditions are derived. The analysis of the SIRA model shows that, for a given constant total number of machines of a network, the main control parameters are the infection rate, and how fast the infected machines are removed for reformatting procedures [44]. Recently, the SIRA model showed improvement related to the practical situation considering variable populations, deriving network robustness conditions [8]. The main idea to control the virus spread is to keep the nodes isolated for some time. When a node is found to be infected, it can be quarantined by the detection virus program. It is then monitored for an interval corresponding to the inappropriate behavior indicated by the process. If during this action no wrong behavior is observed, it is released. To study the consequence of quarantine actions in a network many models are proposed. Based on a model described by (3), adding an antidotal (Q)
A Survey on Compartmental Models in Computer Viruses
129
compartment the SIRA model, introducing quarantine nodes generating the SIQRA model [45]. Once entering in the quarantine compartment, after the evaluation, the machine can either return to the network or be removed. If a machine returns, it can become either susceptible or antidotal.
Figure 6. SIQRA model.
In Figure 3, the relation between compartments I and A is represented by αIA, related to the vaccination rate of the network β, the interaction between S and I, measuring how the infected nodes change the operational systems of the susceptible ones; the rate of transformation from R to S is represented by σ, i.e., the recovering capacity of the nodes; and the rate of transformation from Q to S, 𝜔, giving the rate of quarantine liberation. Parameters αSAand αQA represent how the antidotal nodes actuates over susceptible and quarantine operational systems, respectively. Furthermore, the interaction coefficient between compartments Q and R, giving an idea of the rate of nonrecovered nodes subjected to quarantine is measured by α. Two different quarantine strategies are presented, with consideration without nonlinear interaction between blocks I and Q and other considering that blocks I and Q interact nonlinearly allowing the onset of endemic situations. Dynamic equations for the populations S, I, Q, R and A, without saturartion term, are given by (4):
130
Cristiane M. Batistela and Manuel A. M. Cabrera
𝑆̇ = −𝛽𝑆𝐴 𝑆𝐴 − 𝛽𝑆𝐼 + 𝜎𝑅 + 𝜔𝑄 𝐼 ̇ = 𝛽𝑆𝐼 − 𝛼𝐼𝐴 𝐴𝐼 − 𝛿𝐼 𝑄̇ = 𝛿𝐼 − 𝜔𝑄 − 𝛼𝑄𝐴 𝑄 − 𝛼𝑄 Q. 𝑅̇ = 𝛼𝑄 − 𝜎𝑅 ̇ { 𝐴 = 𝛼𝑆𝐴 𝑆𝐴 + 𝛼𝐼𝐴 𝐴𝐼 + 𝛼𝑄𝐴 𝑄
(4)
Considering the model with term saturation, the dynamic equations are given by (5): 𝑆̇ = −𝛽𝑆𝐴 𝑆𝐴 − 𝛽𝑆𝐼 + 𝜎𝑅 + 𝜔𝑄 𝐼 ̇ = 𝛽𝑆𝐼 − 𝛼𝐼𝐴 𝐴𝐼 − 𝛿𝐼𝑄 𝑄̇ = 𝛿𝐼𝑄 − 𝜔𝑄 − 𝛼𝑄𝐴 𝑄 − 𝛼𝑄 𝑅̇ = 𝛼𝑄 − 𝜎𝑅 { 𝐴̇ = 𝛼𝑆𝐴 𝑆𝐴 + 𝛼𝐼𝐴 𝐴𝐼 + 𝛼𝑄𝐴 𝑄
(5)
The SIRA model was complemented with a quarantine strategy and the simulations indicate that network performance can be increased in the great majority of the cases. The model was studied under two aspects: in the presence and absence of saturation. Saturation is about the behavior of the Q term that depends on the antivirus program capacity and the infection rate. The main results shows that if the antivirus detection rate is greater than the infection rate, there is no saturation; if the infection rate surpasses the antivirus detection capacity, saturation occurs. First, the SIR model was presented and the condicions for virus propagation was explaned. The SIR model was complemented with a compartmental antidotal (A) that supposedly improve the operational network robustness, then introducing quarantine nodes, the the simulations indicate that network performance can be increased in the great majority of the cases and hypothesis that must be tested in real situations. Much effort has been made to study strategies on how to avoid harmful actions, trying to create antivirus programs that act as vaccines on personal computers or on strategic network nodes.
A Survey on Compartmental Models in Computer Viruses
131
REVIEW FOR MODELS OF COMPUTER VIRUS SPREAD Adapting epidemiological models to computer populations different strategias were developed: as to how to treat chance, in relation to the mathematical treatment of time, the consideration of the individual as a discrete or continuous entity, determination solution and others. As for the way to treat chance, it can be classified into two levels: stochastic model [3, 4, 5] and deterministic model [21, 22, 32, 33, 35, 43]. In the first case, the model includes stochastic variables, giving a probabilistic distribution to the system, incorporating uncertainty, a characteristic intrinsic to epidemiological systems. On the other hand, deterministic models provide the same results every time they are simulated with the same initial conditions, being adequate to verify the sensitivity of the system to the variation of the parameters [14]. A relevant feature of a model is related to the treatment mathematician of time, which can be discrete or continuous. Discreet models employ difference equations and partition time into fractions usually of equal duration and are able to inform and compare the number of individuals every moment of time. Continuous models use differential equations to express instantaneous rates of change and consider time as a variable continuous [18]. At first, continuous models are initially employed, due to the greater ease of analysis, and then, if necessary, some discretization method is used [48]. To understand the spread of viruses, mathematical modeling provides gains for virus spread control strategies, suggesting mechanisms of defense through antivirus [31, 44] and vaccination strategies [32, 16] Antivirus technology is one of the most relevant in defenses against infection of computers and has a great impact on the spread of viruses, even that long-term behavior is not adequately predicted [20]. For a better understanding of the effectiveness of antivirus, a large number of mathematical models have been proposed in order to investigate the epidemic behavior of computer viruses. A compartmental model with the introduction of the antidote, susceptible, infected and antidotal compartiment (SIA) [43], had another
132
Cristiane M. Batistela and Manuel A. M. Cabrera
modified version and its conditions of balance and bifurcation were determined [44]. Furthermore, the ability of antivirus has been assessed and it is possible to verify the occurrence of local or global bifurcation. As containing the prevalence of virus has become urgent, virus detection and elimination through antivirus has become the mainsuppression of infectious agents. Studies show that these antivirus programs may have altered performance with alerts at the initial stage of the invasion. To assess the effectiveness of different types of alert strategies, some models have been suggested to be an important complement to containment of propagation of viruses or malwares [65, 47]. Most virus spread models assume that, once infected, any susceptible machine is in a latent state and that, using softwareantivirus on the affected network, the virus can be completely and immediately eliminated. Research has shown that there is no perfect antivirus software that can detect and eliminate all types of viruses [68]. The spread of computer viruses during a virus outbreak on a network with limited capacity antivirus software has been the focus of study. Computer virus propagation model, that incorporates these two types of new state transitions has been studied and as a contribution it is possible to verify the probability of the outbreak and the rate of transmission are strongly related to the basal reproduction value, which determines whether the virus can become extinct [56]. In order to aproximate the model closer to reality, other work proposals have considered the presence of computers with thelatency characteristics, because an infected computer that is in latency is capable of infecting others by copying or downloading the file. Models that include latency in its dynamics, it is possible to check computer compartments with a small cure rate, whose qualitative properties of the model can be studied using the Lyapunov function, and the behavior stability of equilibrium points is evaluated with the expression of the basal reproductive rate, the results of which suggest effective strategies for eradicate viruses distributed on the network [57]. To complement the
A Survey on Compartmental Models in Computer Viruses
133
studies model with latency, other systems are proposed through dynamic analysis described by time delayed equations [63, 64]. Another suggestion of a dynamic model for studying the spread of viruses is consider the time delay in the period that the antivirus software uses to clean the virus of the infected computer as a bifurcation parameter [13]. Associating time delayed models in the period of infection and quarantine, with time delay models in the antivirus software action period, it is possible to find gains for model studies with two time and property delays associated with the existence of bifurcation [29]. Another effective strategy for eradicating computer viruses is vaccination, which considers that some susceptible computers, inside or outside the Internet, may acquire temporary immunity. Most models neglect the influence of the vaccination strategy on the prevalence of viruses. Model of virus spread with probability of linear vaccination was studied, indicating thatthis human intervention plays an important role in reducing the spread viruses, causing the susceptible computer to recover directly, and infected computer becomes susceptible directly [15]. Ensure that that the combination of parameters to keep basal reproduction below the threshold endemic, is very favorable, implying that prevention is more important than the cure and that the rate of disconnection from the Internet contributes to the suppression of spread of the virus. As a consequence, regular updating is strongly recommended antivirus software, even if your computer is not visibly infected and unplugged. The study of linear vaccination shows that the probability of non-linear vaccination it is a variety of strategy and a new model has been proposed [16], being possible to verify that the virus free balance and the viral balance are asymptotically stable, depending on the combinations of parameters, indicating that these theoretical predictions may contribute to the eradication of viruses. Understand how computer viruses spread over the Internet, through studies on the network topology, has brought great contributions to the knowledge of the dynamics of virus propagation and has been extensively investigated. For these purposes, the Internet can be characterized by graphs, in which nodes and links represent computers connected to the
134
Cristiane M. Batistela and Manuel A. M. Cabrera
network and the communication links between them, respectively. Research shows, in particular, that high heterogeneity facilitates spread of computer viruses, as well as the free-scale property of the Internet [58]. The optimal control theory, highly applied to the propagation control of epidemics, has also been considered in the context of computers. Upon finding control function, such that the accumulated number of infected nodes during the considered time is minimized, virus propagation optimization is verified. In an initial work on controlled virus propagation, it is possible to verify a delayed model in which the suppression of the spread of viruses is effective by adopting optimal control measures [66]. Many models used to study the prevalence of viruses, addressing the optimal control theory do not consider the combined impact of an infection rate non-linear and removable infected media. Considering these peculiarities and associanting these two types of incidences, new models are characterized and analyzed [17], suggesting a control of infected computers, through thetheoretical analysis of optimal control, since for the model studied any effort to eradicate computer viruses is inoperative. Such studies provide new practical control measures and theoretical support to improve existing strategies antivirus and develop more elaborate models. Another application of optimal control strategies occurs in the use for modeling of disruptive computer viruses. These viruses are defined as viruses whose period of life consists of two consecutive phases: the latent phase and the disruptive phase. In phase latent the virus remains hosted and does not perform any disruptive operation, since the virus in the disruptive phase, being in hosting performance, performs a series of operations that disrupt the host, such as distorting data, deleting files. The study of optimal control can be used, only for time scales small, where the characteristics of the network remain unchanged. This kind of study has been done in the direction of cost effective [9], in analyzes of criteria for the existence of optimal control. In addition, the assessment of disruptive viruses on computers, in situations which each node in the network has its attributes, using a heterogeneous epidemiological model has been proposed [55]. For this study, a criterion for the global stability of the virus-free equilibrium is
A Survey on Compartmental Models in Computer Viruses
135
given and the existence of a unique viral equilibrium is presented. On this basis, some policies of suppressing disruptive malware are recommended. In this direction, many works have not yet been done, such as pulse quarantine strategy, to be incorporated in the proposal [61]. In addition, it is possible to study problems of this type and associate them with work in which networks vary time [51]. Another form of infection that has attracted the attention of researchers is caused by non-resident viruses, where the viruses were not loaded into memory computers, but are susceptible to spread [37, 38], and recently the global exponential stability free of virus, in a more realistic model, has been relevant [50] providing tools for the study of exponential stability in endemic equilibrium. Models including compartments classified as quarantine have great importance, being one of the most repair processes network virus propagation [30]. Another form of attack, which cannot be ignored today, is attacks on networks with wireless sensors, WSNs. Using epidemiological theory, a model considering a quarantine compartment is used to describe propagationof worms in network WSNs [27]. Mathematical analysis shows that the basal reproducibility is fundamental for the study of the dynamics behavior. Other works associating quarantine and networks wireless have been studied [33]. The study of the consequence of quarantine actions in a network with introducing in a model with antidotal compartmental was analised. Analytical and numerical approaches result in parameter conditions for the existence and stability of disease-free and endemic equilibrium points for two different cases: saturation and nonsaturation of the quarantine population block [45]. The concept of beta-derivative and Caputo fractional derivative has assisted in investigating the spread of computer virus in a system. Fractional derivative, however, in epidemiology serves a memory capable of tracing the spread from beginning to the infected individual. For betaderivative which ranges between fractional order and local derivative, the spread of computer virus at local level is identified with a given fractional order [10].
136
Cristiane M. Batistela and Manuel A. M. Cabrera
CONCLUSION This chapter reports a detailed survey of compartmental models in computer viruses. The survey also provides different theoretical developments which has been done over the years using mathematical modeling and how control strategies have provided tools to minimize the damage caused by cyber attacks over a wide section of researchers. The extensive bibliography in support of the different developments of virus propagation research provided with the chapter should be of great help researchers in the future.
CONFLICT OF INTERESTS The author declares that there is no conflict of interests regarding the publication of this article.
REFERENCES [1]
[2] [3]
[4]
Adat, V., B. B. Gupta, “Security in Internet of Things: issues, challenges, taxonomy, and architecture,” Telecommunication Systems, 67(3), pp. 423-441, 2018. Albert, R., A. L. Barab, “Statistical mechanics of complex networks,” Reviews of modern physics, 74(1), pp. 47-97, 2002. Amador, J., J. R. Artalejo, “Stochastic modeling of computer virus spreading with warning signals,” Journal of the Franklin Institute, 350(5), pp.1112-1138, 2013. Amador, J., “The stochastic SIRA model for computer viruses,” AppliedMathematics and Computation, 232, pp. 1112-1124, 2014.14.
A Survey on Compartmental Models in Computer Viruses
[5]
[6] [7]
[8]
[9]
[10]
[11] [12] [13]
[14]
[15]
[16]
137
Amador, J., “The SEIQS stochastic epidemic model with external sourceof infection,” Applied Mathematical Modelling, 40(19-20), pp. 8352-8365,2016. Ashton, K., “That internet of things thing,” RFID journal, 22(7), pp.97-114, 2009. Barthmy, M., A. Barrat, R. Pastor-Satorras, A. Vespignani,”Velocity andhierarchical spread of epidemic outbreaks in scale-free networks,” Physicalreview letters, 92(17), 178701, 2004. Batistela, C. M., J. R. C. Piqueira, “SIRA computer viruses propagationmodel: mortality and robustness,” International Journal of Applied andComputational Mathematics, 4(5), pp. 128, 2018. Bi, J., X. Yang, Y. Wu, Q. Xiong, J. Wen, Y. Y. Tang, “On the optimal dynamic control strategy of disruptive computer virus,” Discrete Dynamicsin Nature and Society, 2017, 2017. Bonyah, E., A. Atangana, M. A. Khan, “Modeling the spread of computervirus via Caputo fractional derivative and the betaderivative,” Asia Pacific Journal on Computational Engineering, 4(1), 1, 2017. Brauer, F., P. D. Driessche, J. Wu, “Lecture notes in mathematical epidemiology”. ed. Springer, Berlin, Germany, 2008. Cohen, F., “Computer viruses: theory and experiments,” Computers andSecurity, 6(1), pp. 22-35, 1987. Dong, T., X. Liao, H. Li, “Stability and Hopf bifurcation in a computervirus model with multistate antivirus,” In Abstract and Applied Analysis, 2012, 2012. Diekmann, O., M. C. M. De Jong, J. A. J. Metz, “A deterministic epidemicmodel taking account of repeated contacts between the same individuals,” Journal of Applied Probability, 35(2), pp. 448462, 1998. Gan, C., X. Yang, W. Liu, Q. Zhu, X. Zhang, “Propagation of computervirus under human intervention: a dynamical model,” Discrete Dynamicsin Nature and Society, 2012, 2012. Gan, C., X. Yang, W. Liu, Q. Zhu, “A propagation model of computer viruswith nonlinear vaccination probability,”
138
[17]
[18] [19]
[20] [21]
[22]
[23] [24]
[25]
[26]
Cristiane M. Batistela and Manuel A. M. Cabrera
Communications in NonlinearScience and Numerical Simulation, 19(1), pp. 92-100, 2014. Gan, C., M. Yang, Z. Zhang, W. Liu, “Global dynamics and optimal control of a viral infection model with generic nonlinear infection rate,” Discrete Dynamics in Nature and Society, 2017, 2017. Hethcote, H. W., “The mathematics of infectious diseases,” SIAM review,42(4), pp. 599-653, 2000.15. Karsai, M., M. Kivel. K. Pan, K. Kaski, J. Kert, A. L. Barab, J. Saram,“Small but slow world: How network topology and burstiness slow downspreading,” Physical Review E, 83(2), 025102, 2011. Kephart, J. O., T. Hogg, B. A. Huberman, “Dynamics of computationalecosystems,” Physical Review A, 40(1), pp. 404, 1989. Kephart, J. O., S. R. White, “Directed-graph epidemiological models ofcomputer viruses,” In Computation: the micro and the macro view pp.71-102, 1992. Kephart, J. O., S. R. White, “Measuring and modeling computer virusprevalence,” In Proceedings IEEE Computer Society Symposium on Research in Security and Privacy, pp. 2-15, 1993. Kephart, J. O., S. R. White, D. M. Chess, “Computers and epidemiology,” IEEE Spectrum 30(5) pp. 20-26, 1993. Kermack, W. O., A. G. McKendrick, “Contributions of mathematical theory to epidemics,” Proceedings of the Royal Society of London, Series A,containing papers of a mathematical and physical character, 115(772), pp.700-721, 1927. Kermack, W. O., A. G. McKendrick, “Contributions of mathematical theory to epidemics,” Proceedings of the Royal Society of London, Series A,Containing Papers of a Mathematical and Physical Character, 138(834),pp. 55-83, 1932. Kermack, W. O., A. G. McKendrick, “Contributions to the mathematicaltheory of epidemics - Further studies of the problem of endemicity,” Proceedings of the Royal Society of London, Series A, Containing Papers of aMathematical and Physical Character, 141(843), pp. 94-122, 1933.
A Survey on Compartmental Models in Computer Viruses
139
[27] Khanh, N. H., “Dynamics of a worm propagation model with quarantinein wireless sensor networks,” Appl. Math. Inf. Sci, 10(5), 1739-1746, 2016. [28] Li, P., X. Yang, Q. Xiong, J. Wen, Y. Y. Tang, “Defending against theadvanced persistent threat: An optimal control approach,” Security andCommunication Networks, (2018), 2018. [29] Liu, J., C. Bianca, L. Guerrini, “Dynamical analysis of a computer virusmodel with delays,” Discrete Dynamics in Nature and Society, 2016. [30] Mishra, B. K., N. Jha, “SEIQRS model for the transmission of maliciousobjects in computer network,” Applied Mathematical Modelling, 34(3),710-715, 2010. [31] Mishra, B. K., S. K. Pandey, “Efect of anti-virus software on infectiousnodes in computer network: a mathematical model,” Physics Letters A, 376(35), pp. 2389-2393, 2012.16. [32] Mishra, B. K., N. Keshri, “Mathematical model on the transmissionof worms in wireless sensor network,” Applied Mathematical Modelling, 37(6), pp. 4103-4111, 2013. [33] Mishra, B. K., S. K. Srivastava, B. K. Mishra, “A quarantine model onthe spreading behavior of worms in wireless sensor network,” Transactionon IoT and Cloud Computing, 2(1), pp. 1-12, 2014. [34] Mishra, B. K., A. K. Keshri, D. K. Mallick, B. K. Mishra, “Mathematicalmodel on distributed denial of service attack through Internet of thingsin a network,” Nonlinear Engineering, 8(1), pp. 486-495, 2019. [35] Misra, A. K., M. Verma, A. Sharma, “Capturing the interplay betweenmalware and anti-malware in a computer network,” Applied Mathematicsand Computation, 229, pp. 340-349, 2014. [36] Moreno, Y., R. Pastor-Satorras, A. Vespignani, A. “Epidemic outbreaksin complex heterogeneous networks,” The European Physical Journal B- Condensed Matter and Complex Systems, 26(4), 521-529, 2002.
140
Cristiane M. Batistela and Manuel A. M. Cabrera
[37] Muroya, Y., L. I. Huaixing, T. Kuniya, “On global stability of a nonresident computer virus model,” Acta Mathematica Scientia, 34(5), 1427-1445, 2014. [38] Muroya, Y., T. Kuniya, “Global stability of nonresident computer virusmodels,” Mathematical Methods in the Applied Sciences, 38(2), pp. 281-295, 2015. [39] Murray, W. H., “The application of epidemiology to computer viruses,” Computers and Security, 7(2), pp. 139-145, 1988. [40] Murray, J. D., “Mathematical Biology”. 3rd ed. SpringerVerlag,NewYork,2002. [41] Pastor-Satorras, R., A. Vespignani, “Epidemic spreading in scalefree networks,” Physical review letters, 86(14), 3200, 2001. [42] Pastor-Satorras, R., A. Vespignani, “Epidemic dynamics and endemicstates in complex networks,” Physical Review E, 63(6), 066117, 2001. [43] Piqueira, J. R. C., A. A. De Vasconcelos, C. E. Gabriel, V. O. Araujo,“Dynamic models for computer viruses,” Computers and Security, 27(7-8), pp. 355-359, 2008. [44] Piqueira, J. R. C., V. O. Araujo, “A modifed epidemiological model forcomputer viruses” Applied Mathematics and Computation, 213(2), pp.355-360, 2009. [45] Piqueira, J. R. C., C. M. Batistela, “Considering Quarantine in theSIRA Malware Propagation Model,” Mathematical Problems in Engineering, 2019, 2019.17. [46] Ren, J., X. Yang, Q. Zhu, L. X. Yang, C. Zhang, “A novel computer virusmodel and its dynamics,” Nonlinear Analysis: Real World Applications, 13(1), 376-384, 2012. [47] Sahneh, F. D., C. M. Scoglio, “Optimal information dissemination in epidemic networks,” In 2012 IEEE 51st IEEE Conference on Decision andControl (CDC), pp. 1657-1662, 2012. [48] Satsuma, J., R. Willox, A. Ramani, B. Grammaticos, A. S. Carstea, “Extending the SIR epidemic model,” Physica A: Statistical Mechanics andits Applications, 336(3-4), pp. 369-375, 2004.
A Survey on Compartmental Models in Computer Viruses
141
[49] Stergiou, C., K. E. Psannis, B. G. Kim, B. Gupta, “Secure integration ofIoT and cloud computing,” Future Generation Computer Systems, 78, pp.964-975, 2018. [50] Tang, C., Y. Wu, “Global exponential stability of nonresident computervirus models,” Nonlinear Analysis: Real World Applications, 34, pp. 149-158, 2017. [51] Valdano, E., L. Ferreri, C. Poletto, V. Colizza, “Analytical computation ofthe epidemic threshold on temporal networks,” Physical Review X, 5(2),021005, 2015. [52] Van Mieghem, P., J. Omic, R. Kooij, “Virus spread in networks,” IEEE/ACM Transactions on Networking (TON), 17(1), pp. 1-14, 2009. [53] Wang, F., Y. Zhang, C. Wang, J. Ma, S. Moon, “Stability analysis ofa SEIQV epidemic model for rapid spreading worms,” Computers andSecurity, 29(4), 410-418, 2010. [54] Wen, L., J. Zhong, “Global asymptotic stability and a property of the SISmodel on bipartite networks,” Nonlinear Analysis: Real World Applications, 13(2), 967-976, 2012. [55] Wu, Y., P. Li, L. X. Yang, X. Yang, Y. Y. Tang, “A theoretical method forassessing disruptive computer viruses,” Physica A: Statistical Mechanicsand its Applications, 482, pp. 325-336, 2017. [56] Xu, Y., J. Ren, “Propagation efect of a virus outbreak on a network withlimited anti-virus ability,” PLoS One, 11(10), 2016. [57] Yang, L. X., X. Yang, L. Wen, J. Liu, “A novel computer virus propagationmodel and its dynamics,” International Journal of Computer Mathematics, 89(17), pp. 2307-2314, 2012. [58] Yang, L. X., X. Yang, J. Liu, Q. Zhu, C. Gan, “Epidemics of computerviruses: a complex-network approach,” Applied Mathematics and Computation, 219(16), pp. 8705-8717, 2013.18. [59] Yang, L. X., M. Draief, X. Yang, X, “The impact of the network topology on the viral prevalence: a node-based approach,” PLoS ONE, 10(7),e0134507, 2015. [60] Yang, L. X., M Draief, X. Yang, “The optimal dynamic immunizationunder a controlled heterogeneous node-based SIRS
142
[61]
[62]
[63]
[64]
[65]
[66]
[67]
[68]
Cristiane M. Batistela and Manuel A. M. Cabrera
model,” Physica A:Statistical Mechanics and its Applications, 450, pp. 403-415, 2016. Yao, Y., L. Guo, H. Guo, G. Yu, F. X. Gao, X. J. Tong, “Pulse quarantine strategy of internet worm propagation: modeling and analysis,” Computers Electrical Engineering, 38(5), pp. 1047-1061, 2012. Zhang, T., L. X. Yang, X. Yang, Y. Wu, Y. Y. Tang, “Dynamic malwarecontainment under an epidemic model with alert,” Physica A: StatisticalMechanics and its Applications, 470, pp. 249-260, 2017. Zhang, Z., H. Yang, “Hopf bifurcation of an SIQR computer virus modelwith time delay,” Discrete Dynamics in Nature and Society, 2015. Zhang, Z., D. Bi, “Dynamical analysis of a computer virus propagationmodel with delay and infectivity in latent period,” Discrete Dynamics inNature and Society, 2016. Zhang, X., C. Gan, “Optimal and Nonlinear Dynamic Countermeasureunder a Node-Level Model with Nonlinear Infection Rate,” Discrete Dynamics in Nature and Society, 2017, 2017. Zhu, Q., X. Yang, L. X. Yang, C. Zhang, “Optimal control of computervirus under a delayed model,” Applied Mathematics and Computation, 218(23), pp. 11613-11619, 2012. Zhu, Q., X. Yang, L. X. Yang, X. Zhang, “A mixing propagation model ofcomputer viruses and countermeasures,” Nonlinear Dynamics, 73(3), pp.1433-1441, 2013. Zuo, Z. H., Q. X. Zhu, M. T. Zhou, M. T. “On the time complexity ofcomputer viruses,” IEEE Transactions on information theory, 51(8), pp.2962-2966, 2005.
In: Understanding Cyber Threats and Attacks ISBN: 978-1-53618-336-8 Editors: B. Mishra and J. Piqueira © 2020 Nova Science Publishers, Inc.
Chapter 6
RETHINKING CYBERSECURITY AS A GROUP PHENOMENON: IMPACT OF SHARED MENTAL MODELS ON CYBERSECURITY DECISIONS WITHIN COMMUNITIES OF PRACTICE Susan Squires*, PhD and Jamie Johnson†, PhD Department of Anthropology, University of North Texas, Denton, Texas, US
ABSTRACT Information Technology (IT) professionals are finding it difficult to mitigate risky security behavior in the workplace. Current interventions are often reactive and don’t always work. Is it possible that cyber-security breaches persist because professional solutions remain embedded in 20th century models? We propose a new theoretical paradigm to advance cyber-security intervention based upon group rather than individual * †
Corresponding Author’s Email: [email protected]. Corresponding Author’s Email: [email protected].
144
Susan Squires and Jamie Johnson phenomena. In this chapter, we describe a pilot study that considered work-based communities as an alternative unit of analysis to user-based studies. Initial investigation of three such groups revealed shared mental models of beliefs, myths and misconceptions about cyber-security. We propose that shared mental models can be leveraged to mediate members’ risky decisions using data-driven socio-technical interventions.
Keywords: collective security, community of practice, mental models, decision-making
1. INTRODUCTION Between 70% and 97% of all cyber breaches can be attributed directly or indirectly to human actions (Ponemon Institute LLC 2016). Such breaches are attributed to users’ inability to comprehend the seriousness of security or to follow security protocols. In reaction, IT professionals have traditionally focused on the individual, ever tightening computer-mediated cyber-security interventions and processes to thwart risky user decisions. And yet the breaches continue. In this chapter, we suggest the inability to manage cyber-security breaches is embedded in a 20th century legacy cyber-security paradigm. In this model, Human-Computer Interactions (HCI) considers the usermachine dyad as the unit of analysis for understanding risk-taking decisions. HCI guidelines (Laurel 1990) and design principles (Norman 1988), still followed to this day, provide a frame to optimize a user’s interactions with their technology. With growing “connectivity”, the relationships that people have with and through technology have evolved. Communications systems (Twitter, Skype, Snap Chat, Facebook) across multiple instant access platforms (smart phones, tablets, laptops, even wearable devices such as Fit-bit) enable an “always on” interconnected world. As Tom Holt and Adam Bossler recognized in their article, An Assessment of Current State of Cybercrime Scholarship: “These innovations spurred massive changes in our perceptions of personal expression and social interaction. …
Rethinking Cybersecurity as a Group Phenomenon
145
Computers and the Internet now serve as the backbone for virtually all facets of modern life...” (Holt and Bossler 2014, 20). We argue that cyber-security decisions are no longer the sole domain of human-computer interaction. Rather, we should look beyond the dyad to explore the group context in which a user is vested and the influence of shared mental models on individual decisions. A 21st Century paradigm recognizes these new interaction dynamics amongst members of social groups, and replaces HCI with a Member-Group Interaction (MGI). An MGI paradigm requires a holistic approach to cyber-security that takes into account (1) collective level mental models, including beliefs and values that shape awareness, and subsequent decisions, (2) the social information systems that transmit and reinforce knowledge about cyber-security risk, (3) organizational level structures including cost-benefit incentives and policy interventions, and (4) integrated technical systems that can support appropriate collective mental models. Consequently, we will need to rethink how we study and research cyber-security. We propose a fundamental redesign to shape how we think and speak about the phenomena, beginning with the language we use to describe and discuss the problem. This includes replacing words such as user, which suggests solitary individual action, with concepts such as member and collective, to more accurately reflect interconnected networks that impact 21st century social realities. But, where to begin? And, what is the new unit of analysis? To frame research that can guide development of successful cyber defense mechanisms using a collective paradigm, we call for exploring alternative approaches to group phenomenon for the investigation of cybersecurity. Expanding security research to the collective level fundamentally restructures scientific understanding of group-level impacts on cybersecurity decisions. However, group is too broad a category on its own. Initial studies suggest that group variations, including online social communities, professional communities, work group organizations, etc., should be bound as populations of study for understanding risky cyber decision-making practices and their impacts.
146
Susan Squires and Jamie Johnson
This chapter contends that context matters, and combines two units of analysis, Communities of Practice (CoP) and Mental Models, to investigate if and how cyber-security decision-making practices are learned and shared on-the-job. If shared mental models can be confirmed in groups, such research promises better understanding about how individual assessments of cybersecurity are conditioned and shaped by workplace groups. Expanding our knowledge of cyber risk to the group-level can be used to craft cyber defense solutions consistent with the group’s mental models that reside at the foundation of risky decision making. A community of practice (CoP) is a group of people who share a craft and/or a profession. CoP provides a contextual structural system to study cybersecurity mental models within the context of the work group. It is through the process of sharing information and working together within the group that the members learn from each other, and build community based mental models (Lave and Wenger 1991). setting the stage for individual decisions. Mental models are “internalized, mental representations of a device or idea that facilitates reasoning” (Lave and Wenger 1991) acting as “lenses through which individuals see and interact with the world” (JohnsonLaired 1983). Mental models shape how people interpret the world and form their “attitudes, beliefs, opinions, theories, perceptions, mental maps of how things are or should be and frames of reference” (Wash 2010). Gross and Rosson (2007) see mental models as a potential basis for promoting more effective security practice, but only a few studies have set out to inductively elicit user mental models in detail from simple metaphorical heuristics (Bury et al. 2008; Hoban et al. 2014) to complex decision trees (Blythe and Camp 2012; Bravo-Lillo et al. 2011) and most notably taxonomies (Rader et al. 2012; Raja et al. 2011). Wash and Rader (2011)investigate the role of social sharing of security stories influence mental models (Handwerker and Wozniak 1997). Codio’s (2012) comparative study of privacy found that the community context led to substantially different management of individual privacy at home compared to work. Bury et al. demonstrated how community context influences perceptions of risk, danger and security (Bury et al. 2008). More
Rethinking Cybersecurity as a Group Phenomenon
147
recently, Squires and Shade (2015) concluded that the use of metaphorical language to heighten security may have some effectiveness, but the complexity of user mental models should not be underestimated. While shared mental models represent the next level of sophistication, little is known about their genesis. To fully understand and leverage mental models they must be understood as the product of a community. Combining an examination of shared mental models with an investigation of the mechanics-underlying group-level practice opens a new avenue for research about how mental models are formulated and modified. Codio (2012) and Bury et al. (2008) observe that security is practiced within a collective social context and suggest that the goals and responsibilities shared by employees in workplaces, shape individual security actions. Similarly, Dourish and Anderson (2006) point out that individual risk perception is imbedded in a context of language, rhetoric, values and norms users share with other members of their work community or group. They argue that, while individual assessments of risk have value, results can still vary considerably depending greatly on the context, values, the nature of information that must be protected, and the value placed on that information. It is within this collective context that mental models are developed.
2. RESEARCH One research objective of this study was to legitimate CoPs as a unit of analysis by discovering shared sets of meanings which members collectively ascribed to ideas, objects, events and people. To investigate the usefulness of CoPs as units of analysis we conducted three empirical case studies that considered the context and community in which mental models of cybersecurity are likely to be found. To investigate group-level systems, the proposed research used three structural characteristics identified in Communities of Practice (CoP): 1) shared education or knowledge provides common ground for members’ participation, guides learning, and gives meaning to actions, 2) community creates the social
148
Susan Squires and Jamie Johnson
fabric for learning, and fosters interactions and a sharing of ideas 3) practice provides framework around which the community develops, shares and maintains its core of knowledge (Wenger, 1998). Using the established set of conceptual tools for investigating the underlying mechanisms of socially shared practices, this research will examine how mental models are constructed and maintained at the group level by investigating 1) group norms, or rules regulating members’ behavior, 2) shared knowledge among members that guides learning, and influences decision making, 3) role modeling of practices and behaviors among the members that is fostered by the group, and 4) community context, which provides a place for interactions and a sharing of ideas to occur naturally (Wash et al. 2015). Using a mixed-method ethnographic approach, we aim to investigate cybersecurity beliefs and decisions in the workplace context of three professional Communities of Practice (CoP). These highly non-random Communities of Practice have been selected because of their historic vulnerability to cyber threats and their heightened concerns for risk: 1) healthcare professionals, 2) finance professionals, and 3) IT professionals. IT inclusion allows us to compare a highly aware, expert CoP to two nonexpert CoPs. Unlike previous studies, a Member-Group Interaction (MGI) paradigm is pivotal for investigating efficacy and impact of CoP mental models on individual cybersecurity decisions.
3. METHODOLOGY Our hypothesis is that individual security decisions will be influenced by the work group. To test this hypothesis, we will employ an ethnographic research design. Ethnography is a holistic, systematic, and theoretically grounded approach to describe, interpret, and understand a group’s belief and practices (Bernard 2011). Ethnography constitutes part of a mixed method design which utilizes qualitative case study research to identify appropriate variables for subsequent quantitative studies, that can “test models using “sound”, or data driven survey instruments (Bernard 2011).
Rethinking Cybersecurity as a Group Phenomenon
149
Social scientists originally developed this set of methods to understand non-Western societies. In the last part of the 20th century Western organizations adopted ethnographic methodology because of its ability to reveal implicit underlying patterns within corporate groups. Now, 21st century technology sectors utilize ethnographic mixed methods to unravel online interactions and associated social activity. The study is conducted with the approval of our university’s Institutional Review Board (IRB) and the participants were compensated $30 for one hour of their time.
3.1. Case Study Participants Three highly non-random work-based Communities of Practice were used to determine if they did indeed shared beliefs and practices about cyber-security. The three work sectors were 1) financial 2) healthcare, and 3) IT. We recruited a total of 30 participants, 10 from each CoP category. Participants were both male and female. All participants were between the age of 21 and 60 years old. Figure 1 shows the demographic information about participants’ professional affiliation, age, gender, and cybersecurity knowledge.
3.2. Recruitment Participants were recruited using intercept, emailing and a snowball technique (Bernard 2011) in which participants recommend co-workers as interview subjects. A total of 30 interviews were conducted out of which 2 were incomplete and were removed from data analysis. Although the participant numbers were small, uncovering relevant shared patterns can be discerned with a relatively small number of people because of the nonrandom nature of each of the three populations.
HC TP TP HC HC HC TP AF AF HC AF HC HC AF AF HC AF TP TP AF/HC AF/HC TP AF/TP AF TP AF AF TP
JN TP LH KG EE CS GF BP JB SB DH GL AL PP JM DS BB VR TS LF TT ML MP CC MM DW LH KF
40-59 40-59 21-40 21-40 21-40 21-40 40-59 60+ 40-59 21-40 40-59 40-59 21-40 40-59 21-40 21-40 60+ 40-59 21-40 40-59 21-40 40-59 21-40 40-59 21-40 40-59 40-59 40-59
Age
Figure 1. Participants’ Demographics.
COP
Participant
F M F F F M M F F M M F F F F M M M M F F F M F M F F M
Gender
2 5 5 4 2 4 5 1 1 4 4 1 3 3 3 2 2 3 4 3 2 5 4 3 5 3 3 4
Cybersecurity Knowledge
1 = lacks basic understanding of cybersecurity 2 = demonstrates below average understanding 3 = demonstrates basic/average understanding 4 = demonstrates intermediate/above average understanding 5 = demonstrates mastery/expertise
TP = Technical Professional HC = HealthCare AF = Accounting and Finance
Rethinking Cybersecurity as a Group Phenomenon
151
3.3. Study Procedure To discover beliefs and practices of each of the three CoP memberships, an inductive, qualitative, approach, ethnography, was used to collect data from each of the three CoPs. Since we do not know what variables will be important ethnography was chosen at a data collection method to elucidate the relevant symbolic meanings and practices shared by the three case groups. Ethnography is inherently multimodal. Everything is counted as data. Because it is conducted in situ the researcher can record observation, capture actions, and artifacts in context in addition to conducting interviews (Ladner 2014). Interviews are semi structured so that stories as well as thoughts and opinions are captured. As Sunderland and Denney explain, “Stories are often good vehicles for understanding meaning because they are full of telling details and emotions often without people realizing it” (Sunderland and Denny 2007).
3.4. Data Collection Ethnographic methods were used for documenting 1) context by capturing physical and descriptive elements of the environment, 2) practices through written, photographic or video documentation of action, and 3) semi-structured open-ended interviews that ask broad questions in a conversational style while ensuring that all topics on a structured interview guide are eventually addressed. This study was conducted with University of North Texas IRB approval.Following IRB guidelines, participants were informed of the study goals and were assured that information they provided would remain confidential. Further, all were provided this information in a written informed consent form to read and sign. The consent form includes precise information about study procedure and participant’s right on participation. Once written consent was obtained, the participant participated in a one-hour interview. All interviews were recorded.
Susan Squires and Jamie Johnson
152
3.5. Data Analysis Our analysis is based on a theory from anthropology that meanings are socially created. Analysis seeks to understand the symbolic meaning behind social practices “to understand how people use shared subconscious symbols and meaning to guide (decisions)” (Sunderland and Denny 2007). Analysis has a number of steps. Once all the interviews were transcribed and observations recorded. We coded the data using two established methods: repetition and pattern matching. As Ryan and Bernard (2003) explain, “Repetition is one of the easiest ways to identify themes. The goal is to find common themes among all the members of each CoP. Some of the most obvious themes in a corpus of data are those “topics that occur and reoccur” or are “recurring regularities” (Ryan and Bernard 2003). A second complimentary coding method is based on pattern matching, which is also called similarity and differences by Glaser and Strauss (1967). This method relies on “constant comparison method” involves searching for similarities and differences by making systematic comparisons across units of data (Glaser and Strauss 1967). There are three stages for coding: 1. Initial Coding of Text: Going line by line, and observation to observation, researches breakdown the text and images into small segments that contain a word or phrase or element related to the concepts under study. Multiple analysts may independently code the data to insure inter-rater reliability. For this study, there were three researchers who coded the data. Several hundred codes were generated in this first stage. 2. Concept Development: In the second stage a set of codes for each concept identified is finalized by the analysts after they come to agreement on how each coded concept is related to a larger more inclusive concept using a comparative method across the data. A small set of 30 cyber-security concepts of were finalized. These concepts included ideas about “what is cyber-security,” “how does security work,” “explanations on how security is breached”, “intrusiveness of security”, “security precautions taken,” “need for
Rethinking Cybersecurity as a Group Phenomenon
153
security information,” “how to get around security,” “who is responsible for security,” “workplace security goals vs. the need for worker to do their jobs,” “consequences of tight security,” “security at home.” 3. Integrating Concepts into a Theory: Using the agreed upon concept categories the next step is to link them together in theoretical models around a central category that hold everything together. Grounded Theory (Glaser and Strauss) provides the frame in which patterns in language, beliefs and practices are identified, described, and interpreted to allow similarities and differences to “emerge” creating a deductive “dataset” of shared beliefs and practices often indicated by shared rules and expectations. Each code becomes a short phrase or statement. Independent coding was conducted by three researchers. Only the patterns found by all three are presented in the chapter.
4. RESULTS In this section, we present the results of the study findings. In each of the groups a set of unique themes emerged that supported our hypothesis that each work group would have its own integrated model of beliefs, and subsequent decision-making that impact cyber threats and risk.
ORGANIZATIONAL CONTEXT OF CYBERSECURITY Before we discuss the three groups included in this study, it is important to understand the security context in which they all work. For most companies, security is now the sole responsibility of IT management. And IT managers do not bother to communicate security information beyond sending out the occasional notice to change a password or to warn of phishing. Overall, we found that most IT managers think security is too
154
Susan Squires and Jamie Johnson
technical and far beyond the comprehension of company employees. Instead IT managers put their energy into security technology rather than communication. Educating company employees is perceived as time consuming with dubious results. Security technology is the only real safeguard.
4.1. Technical Professional (TP) CoP Technical professions included electrical engineering, system engineering, software engineering among others. All have technical roles at their company including technical support, coding and risk management compliance. They are very knowledgeable about security. (See Figure 1).
SHARED SECURITY BELIEF THEMES Theme 1: Cyber Security a Priority: It is not surprising that in the workplace context security is considered crucial. They believe that the technical security systems set up by IT are important and make a concerted effort to comply with directives from IT security managers when prompted even if the request involves a task that they routinely take such actions without prompts. The following quote is representative. “Technically they (the users) are supposed keep the equipment secure, but I do the updates myself” (software engineer). Theme 2: Overlap of Work and Personal Devices: Concern about cybersecurity carries over to personal devices outside the workplace. A common comment was, “I encrypt my hard drives and make my passwords 16 digits, I’m very concerned about that” (Tech Support employee). They see a real contrast between themselves and the non-technical employees. One engineer summed up what everyone reported in the IT CoP. “I have a lot more concern about (security) than (the non-technical employees). 80% of the people don’t care” (engineer).
Rethinking Cybersecurity as a Group Phenomenon
155
Theme 3: Lack of Information from IT: For these technical professionals, the lack of information from IT is troubling. These savvy professionals don’t always know why they are required to take security actions. IT controls the security. “the company tells me to update it. … prompts me to update. typically (IT) doesn’t (explain) they just say you need to update it. Now” (engineer). Another explained, “I know at work they have security stuff installed, I don’t know the brand, but corporate IT won’t let me do it at work even if I wanted to. They have stuff in place to prevent that” (engineering manager).
SECURITY DECISIONS Theme 1: Make Good Security Decisions: Because the technical group is so knowledgeable about cybersecurity risk they are quite diligent in keeping up with security both at work and at home. A common comment was, “I installed AT&T security at home so that I can access it at home and make sure everything is secure at home“ (Tech support employee). If they run into some issue that they cannot solve, they turn to more knowledgeable colleagues. “(Joe] has got advanced knowledge about a lot of stuff. I would typically go to my boss first, (then) I would definitely bounce it off of (Joe)” (Tech support manager). Theme 2: Need More Information from IT to Make Good Decisions: While most TP participants understand, and respect the control over cyber security, they would like to understand more. A few even resent their lack of inclusion. “I’m a software engineer, been playing with computers since I was ten I don’t need their craziness” (software engineer). Some even resent IT and are smart enough to work around IT security precautions. “I use Firefox because it lets me set up my own proxy for just my browser. And that is mostly because I do not want work to see what I am doing” (software engineer).
156
Susan Squires and Jamie Johnson
TP CoP Summary: This technology Savvy CoP is very knowledgeable about cyber security and makes decisions to avoid risk at work and at home. They see themselves in contrast to non-technical employees who are less knowledgeable and make more risky decisions. In the end, they know that technology cannot keep up with cyber security threats and commonly believe “the best anti-virus software is your brain.” They act accordingly. However, they would like to know more about security at their company and resent this lack of inclusion.
4.2. Accounting and Finance CoP Accounting and Finance CoP probably had the most diverse skill set participants of the three categories ranging from little or no knowledge of cybersecurity to above average knowledge. (See Figure 1.) This group of professionals included a credit card sales person, an accounts manager, accounts payable, an auditor and accountants.
SHARED SECURITY BELIEF THEMES Theme 1: IT Support Depends on Company Size: In the small companies, IT may be a third-party contractor, in the large financial institutions the company will have its own IT department. The context of large financial institutions can have incredibly restrictive security policies. As one participant summed up the situation for financial institutions, “We don’t communicate with people outside the company on instant messenger or email, from a device perspective they (IT) have everything locked down, there’s not much we have control over, we have to change our password, and we have to lock our device any time you step away from it. (Bank Manager). In smaller companies, security is not as tight. The typical situation in these companies is reported in the following comment. “I have a friend (who) works for a major bank... things are very different (there) because
Rethinking Cybersecurity as a Group Phenomenon
157
we’re just making sure that we are not accidentally giving access to people who shouldn’t have access. She’s actually dealing with people that are trying to infiltrate a system” (Small business accountant). Theme 2: Good Cyber-security is Good for Business: Despite the differing levels of threat, all in this group was concerned with detail as befits their profession regardless of where they work. This attention to detail extended to their security risk and precaution.
SHARED SECURITY DECISIONS Theme 1: Better Knowledge Leads to Better Decisions: All paid some level of attention to cyber security and had some general idea about the reasons behind recommended security behaviors. “I’m doing the accounting on a stand-alone on the hard drive. I’m not putting it online or sharing it with other computers” one accounts receivable accountant noted. In the financial group, we did see a trend: the less knowledgeable the employee was about cyber security, the more likely they would seek help and advice from the company’s IT. Theme 2: Seek Self Help: Many in this CoP took additional precautions by extending their knowledge through self-education. More often when some IT question came up, the financial participants will ask an IT experienced relative, friend or colleague for advice. Theme 3: Follow Directions: Typically, they will not seek out help from IT even though most rely on IT to keep data safe. As one accountant summed up this common theme, “Everybody does (follow the IT directives) Couldn’t tell you (why we are asked), I don’t have access to that information. (I) follow the prescribed protocol I don’t have a choice. No one has a choice. Everyone follows.
158
Susan Squires and Jamie Johnson
Theme 4: Fear of Doing Something Wrong: This quote sums up the common concern. “I’m not worried about security I’m worried I’m going to do something wrong that I didn’t know was wrong” (accounts payable). Fear of “doing something wrong is a legitimate fear for those especially in large financial institutions. For those employees, the fear goes beyond a cyber security breach. As one financial professional who worked in a large bank explained, “and you can be terminated for not locking your device” (Bank Manager). Theme 5: Lack of Knowledge Leads to Risky Decisions: Tight security policy combined with limited information on the reasons behind them, has led to speculation and even risky decisions to work around the restrictions. “Even though you may need the data to do your job they don’t want you to have access to it, so they expect you to come up with a work around ... Well I still communicate with vendors it’s just a hassle” (accountant). Bank managers realize the hassle and many make sure to discuss security risk with staff. “I think you always have to be reminding people of what to do and what not to do. If they get complacent that’s when problems arise” (Manager). Theme 6: Work Practices are Used at Home: For most security behaviors learned on the job are transferred to home. Home computers typically have anti-virus software installed and everyone uses a password that is updated frequently. “So I set up my work email, just how I’ve set up my Gmail on my phone, so whenever I have to change my password I have to go in and reset it” (Bank employee).
4.3. Healthcare Healthcare included managers professionals and health researchers.
in
medical
facilities,
medical
Rethinking Cybersecurity as a Group Phenomenon
159
SHARED SECURITY BELIEF THEMES Theme 1: No Knowledge of Security: In the healthcare field, most participants admitted they were “luddites.” They may receive monthly newsletters on cyber-security and e-mails are distributed to management with security updates for discussion with their department. They all “followed the rules” as set forth by IT security without really understanding the security risk behind the rules. (See figure1). This group recognizes their lack of knowledge, and are eager to learn more about cyber security. As one healthcare worker noted better education would help. For example, one healthcare provider explained, “the company started sending out emails on what to look for.” It helped. Theme 2: HIPPA Compliance Concerns: HIPPA compliance is the top security concern for these health professionals. “All these rules and laws concerning the protection of medical information really influenced me about online security. We have HIPPPA police that come in and quiz us on our security measures” (health care manager). Theme 3: Fear of Consequences” There are consequences for any health care facility that allows a security breach including. “very large fines that can be given to organization when that data is released and it’s based on the amount of personal health information in that report” (Healthcare manager). Such high cyber-security takes a toll on employees, “I’d like to just turn on my computer and start working but, obviously, that’s just not possible ... . Obviously I get frustrated with it, but I understand it, it has to be there” (Healthcare support). Theme 4: No Transfer of Work Practices to Home: At home security practices are not always transferred. (When shopping with my IPhone) I don’t know that I really do (take precautions). I just take it for granted everything’s safe” (healthcare support). Another told us, “I don’t worry. Hackers are interested in my company not my personal stuff.”
160
Susan Squires and Jamie Johnson
5. DISCUSSION While the three CoP groups had some similarities, they had significant differences in their understanding of cybersecurity and decisions they might take to mitigate risk. One key similarity was that across all three groups the more cyber security knowledge a participant had, the higher the likelihood that they would ask security advice from a knowledgeable a colleague, friend or relative. Differences centered on knowledge of and experience with cyber security. Overall, those in technical professionals are conversant with cybersecurity and active in making good security decisions themselves. The TP CoP would like to know more about why they are asked to undertake a security action by IT and resent this lack of inclusion. The technical savvy group should be a partner in the fight for cyber security. This group should be a partner in the fight for cyber security. Financial participants had less knowledge about cyber-security in general and made efforts to self-educate themselves. Among Healthcare Professionals there is very little knowledge about cyber security and how to recognize a threat. As a result, they very much depend on IT to keep them safe at work. Unlike the other groups, the security decisions made at work do not always transfer to security behaviors for personal devices. However, most in this group would like to learn. Education does not need to be technical. Rather simple examples about what forms a cyber risk might take would be beneficial.
CONCLUSION In summary, we have performed a comparative study of three nonrandom work community cases: Technical Professionals, Financial workers and Healthcare providers. While all three have some cybersecurity beliefs and decision-making in common, we found distinct differences between the groups. The common thread that runs through all
Rethinking Cybersecurity as a Group Phenomenon
161
the groups is the desire for more cyber-security knowledge. Importantly, the type of knowledge needed depends on the type of CoP. Overall the starting hypothesis that the three groups would share beliefs within the group was confirmed along with the finding that the three CoPs were very different in security knowledge and decision-making that distinguished each and from the others, provides evidence for using workgroups as a unit of analysis for our new paradigm. This was a small pilot study. To validate our hypothesis, next steps are to convert the themes identified in the case studies, to variables that can be used to create a survey administered to a large sample with statistical reliability. Understanding the collective needs of each CoP group can then be leveraged by IT to prove targeted support and messaging which should replace IT’s current default position which accepts that the user is the weak link in security but accepts that risk.
REFERENCES Asgharpour, F., D. Liu, and L. J. Camp. 2007. “Mental Models of Computer Security Risks.” Paper presented at the 2007 Workshop on the Economics of Information Security (WEIS), Pittsburg, Pennsylvania, June 7-8. Bernard, H. Russell. 2011.Handbook of Methods in Cultural Anthropology. Sixth ed. Walnut Creek: Altamira Press. Blythe, J., and L. J. Camp. 2012. “Implementing Mental Models.” Paper presented at the 2012 IEEE Symposium on Security and Privacy Workshops (SPW), San Francisco, California, May 20-23. Bravo-Lillo, C., Lorrie Faith Cranor, Julie Downs, and Saranga Komanduri. 2011. “Bridging the Gap in Computer Security Warnings: A Mental Model Approach.” IEEE Security & Privacy Magazine 9, no. 2: 18–26. Bravo-Lillo, Cristian. 2014. “Improving Computer Security Dialogs: An Exploration of Attention and Habituation.” PhD diss., Carnegie Mellon University.
162
Susan Squires and Jamie Johnson
Bury, Sara, Johnathan Ishmael, Nicholas J. P. Race, and Paul Smith. 2008. “Towards an Understanding of Security Concerns within Communities.” Mobile Computing, Networking and Communications, Avignon, France, October 12-15. Paper presented at the 2008 IEEE International Conference on Wireless. Camp, L. J. 2009. “Mental Models of Privacy and Security.” Technology and Society Magazine, IEEE 28, no. 3: 37–46. Codio, Sherley. 2012. “Understanding Community Privacy through Focus Group Studies.” Master’s Thesis, Virginia Tech University. Dourish, Paul, and Ken Anderson. 2006. “Collective Information Practice: Exploring Privacy and Security as Social and Cultural Phenomena.” Human-Computer Interaction 21, no. 3: 319–342. Glaser, Barney G & Strauss, Anselm L. 1967. The Discovery of Grounded Theory: Strategies for Qualitative Research. Chicago: Aldine Publishing Company. Gross, Joshua B., and Mary Beth Rosson. 2007. “Looking for Trouble: Understanding End-user Security Management.” In Proceedings of the 2007 Symposium on Computer Human Interaction for the Management of Information Technology (CHIMIT ‘07), Article 10. Massachusetts: Association for Computing Machinery. Handwerker, W. P. and D. F. Wozniak. 1997. “Sampling Strategies for the Collection of Cultural Data: An Extension of Boas’s Answer to Galton’s Problem.” Current Anthropology 38 (5): 869-875. Hoban, Katie, Emilee Rader, Rick Wash, and Kami Vaniea. 2014. “Computer Security Information in Stories, News Articles, and Education Documents.” Poster presented at the 2014 Symposium on Usable Privacy and Security (SOUPS), California, U.S., July 9-11. Holt, Thomas J., and Adam M. Bossler. 2014. “An Assessment of the Current State of Cybercrime Scholarship.” Deviant behavior 35, no. 1 (January): 20-40. Johnson-Laird, P. N. 1983. Mental Models: Towards a Cognitive Science of Language, Inference, and Consciousness. Cambridge: Cambridge University Press.
Rethinking Cybersecurity as a Group Phenomenon
163
Ladner, Sam. 2014. Practical Ethnography: A Guide to Doing Ethnography in the Private Sector. California: Left Coast Press. Laurel, Brenda, ed. 1990. The Art of Human-Computer Interface Design. Boston: Addison-Wesley. Lave, Jean, and Etienne Wenger. 1991. Situated Learning: Legitimate Peripheral Participation. New York: Cambridge University Press. Larkin, J. 1983. “Expert representations of physics problems.” In Mental Models, eds. D. Gentner and A. Stevens. New Jersey: Lawrence Erlbaum Association. Norman, Donald. 1988. The Design of Every Day Things. New York: Basic Books. Ponemon Institute LLC. 2017. “Cost of Cyber Crime 2016 and the Risk of Business Innovation.” https://www.ponemon.org/local/upload/file/ 2016%20HPE%20CCC%20GLOBAL%20REPORT%20FINAL%203. pdf Rader, Emilee, Rick Wash, and B. Brooks. 2012. “Stories as Informal Lessons About Security.” In Proceedings of the Eighth Symposium on Usable Privacy and Security, Washington, D.C.: Association for Computing Machinery. Raja, F., K. Hawkey, S. Hsu, K. L. Wang, and K. Beznosov. 2011. “Promoting a Physical Security Mental Model for Personal Firewall Warnings.” In Proceedings of the 2011 Annual Conference Extended Abstracts on Human Factors in Computing Systems. New York: Association for Computing Machinery. Raja, F., K. Hawkey, S. Hsu, K. L. C. Wang, and K. Beznosov. 2011. “A Brick Wall, a Locked Door, and a Bandit: a Physical Security Metaphor for Firewall Warnings.” In Proceedings of the Seventh Symposium onUsable Privacy and Security. New York: Association for Computing Machinery. Ryan, Gery W., and H. Russell Bernard. 2003. “Techniques to Identify Themes.” Field Methods 15, no. 1: 85–109. Squires, Susan, and Michael L. Van De Vanter. 2012. “Communities of Practice.” In A Companion to Organizational Anthropology, edited by
164
Susan Squires and Jamie Johnson
D. Douglas Caulkins and Ann T. Jordan, 289–310. John Wiley &Sons. Squires, Squires, Susan and Molly Shade. 2015. “People, the Weak Link in CyberSecurity: Can Ethnography Bridge the Gap?” In Building Bridges, Ethnographic Praxis in Industry Proceedings 2015: 47 - 57. Sunderland, Patricia L., and Rita M. Denny. 2007. Doing Anthropology in Consumer Research. California: Left Coast Press. Vaniea, Kami, Emilee Rader, and Rick Wash. 2014. “Mental Models of Software Updates.” Seattle: International Communication Association. Wash, Rick. 2010. “Folk Models of Home Computer Security.” In Proceedings of the Sixth Symposium on Usable Privacy and Security. New York: Association for Computing Machinery. Wash, Rick. 2012. “Folk Security.” IEEE Security and Privacy, Vol. 10, no. 6 (November/December): 88-90. Wash, Rick, and Emilee Rader. 2011. “Influencing Mental Models of Security: A Research Agenda.” In Proceedings of the Workshop on New Security Paradigms Workshop, 57-66. New York: Association for Computing Machinery. Wash, Rick and Emilee Rader. 2015. “Too Much Knowledge? Security Beliefs and Protective Behaviors Among US Internet Users” In Proceedings of the Eleventh Symposium on Usable Privacy and Security (SOUPS). California: USENIX. Wenger, Etienne. 1998. Communities of Practice: Learning, Meaning, and Identity. New York: Cambridge University Press. Weinberg, Darin, ed. 2002. Qualitative Research Methods. Massachusetts: Wiley Blackwell Publishers.
In: Understanding Cyber Threats and Attacks ISBN: 978-1-53618-336-8 Editors: B. Mishra and J. Piqueira © 2020 Nova Science Publishers, Inc.
Chapter 7
AUDITING NATIONAL CYBERSECURITY STRATEGIES IN ORDER TO PROTECT NATION-STATES’ CYBER ASSETS Regner Sabillon* Internet Interdisciplinary Institute (IN3), Universitat Oberta de Catalunya, Barcelona, Spain
ABSTRACT Nation-States must identify priorities, objectives, goals and scope when designing a national cybersecurity strategy conducive to protect their most valued cyber assets against any cyberthreat or cyberattack. This chapter covers the steps to integrate our National CyberSecurity Strategy Model (NCSSM) in any Nation Cyber strategy that is either under development or improvement. This approach consists of developing international cybersecurity strategies, alliances and cooperation with different stakeholders at all possible levels. Our research reviewed the best practices of ten leading countries and five intergovernmental organizations in terms of developing effective cybersecurity strategies and policies. We also analyzed a series of *
Corresponding Author’s Email: [email protected].
166
Regner Sabillon cybersecurity best practices that can be aligned with cyber governance and cyber law when countries wish to develop or enhance national cyber strategies. In addition, we propose guidelines to audit the national cyber strategies by utilizing our CyberSecurity Audit Model (CSAM). This model is proposed to be utilized for conducting cybersecurity audits in any Nation State in pursuance of evaluating and measuring the cybersecurity assurance, maturity and cyber readiness and to detect the needs to increase cyber awareness to defend and protect critical cyber assets.
Keywords: national cybersecurity strategy, cybersecurity, cyber law, cyber governance, cyber policy, cyber domain National cybersecurity strategy auditing
1. INTRODUCTION A previous study (Luiijf et al., 2013) was conducted to analyze and compare the structure, sections and elements of nineteen National Cybersecurity Strategies (NCSS) from these countries [Australia, Canada, Czech Republic, Estonia, France, Germany, India, Japan, Lithuania, Luxembourg, Romania, The Netherlands, New Zealand, South Africa, Spain, Uganda, The United Kingdom - UK (2009 and 2011) and The United States of America (USA)]. Most NCSS in this study adopted a holistic approach for cyberspace, and all nations have considered international threats and risks in cyberspace. Most NCSS are targeting societies, more specifically citizens, businesses, public sector and government. As a result, the authors proposed a structure for developing NCSS that includes an executive summary, an introduction, a strategic national vision on cybersecurituy, existing NCSS’ relationships with other strategies at the national and international level and legal frameworks, any guidance principles, the definition of cybersecurity objectives, an inventory of tactical actions and a glossary. According to NATO (2013), cyber operations refer to the employment of cyber capabilities with the primary purpose of achieving objectives in or by the use of cyberspace, and under international laws. States may be
Auditing National Cybersecurity Strategies …
167
responsible for the conduction of cyber operations by their organs including non-state actors. For many years, there have been four known domains in warfare: Air, Sea, Space and Land. With the booming of the information era, a new domain was added which is now Cyberspace. Lemieux (2015) studied several events that led to the consolidation of cyber domains as part of modern warfare studies. Network-Centric Warfare (NCW) was instrumental during the US military dominance during the 1991 Gulf War, commanders took advantage of NCW to maintain their forces informed at all times regarding situational awareness, troop movement and always outmaneuvering enemy forces. Later on, these battlefield experiences were observed and explored by Russia and China for further acceptance into their own military operations. The US Department of Defense - DOD (DOD, 1991) published the Joint Publication 3-0: Operations which included ‘Information’ as the fifth warfighting domain to join the existing Air, Sea, Space and Land domains. The DOD (1996) declassified the National Military Strategy for Cyberspace Operations (NMS-CO) where information was escalated to the cyberspace domain. Many nation states are organizing their cyber capabilities in cyberspace by proposing, creating, implementing and continuously updating a National Cybersecurity Strategy, policy or programme. Sabillon et al. (2016) defined a cybersecurity policy as the instrument developed by nations to communicate and express those aspects that want a state to protect in cyberspace. North Atlantic Treaty Organization- NATO (2019) presents a repository with NCSS and legal documents for 81 countries [13 for Africa, 11 for Americas and The Caribbean, 19 for Asia and Oceania and 38 for Europe] and The European Union Agency for Cybersecurity (ENISA, 2019) maintains the ENISA NCSS map for the 28 member states of the European Union (EU) and for the 4 member states of the European Free Trade Association (EFTA) that lists the implementation date and the number of objectives of each NCSS. International Telecommunication Union (ITU) (2016) highlights that 72 out 193 member states have published a National Cybersecurity Strategy but the majority of countries
168
Regner Sabillon
now have a NCSS (ITU, 2019). According to the Global Cybersecurity Index GCI 2018 v3 (ITU, 2019), 58% of the United Nations members have a NCSS in place with Europe and countries from the Commonwealth of Independent States (CIS) with the highest numbers of nations with NCSS, while the Africa region has the lowest indicator (14 out of 44 countries with a NCSS). This chapter is structured as follows: In Section 2, we reviewed our initial research related to National Cybersecurity Strategies (NCSS) where we introduced the National CyberSecurity Strategy Model (NCSSM). Also, in Section 2; we highlighted the architecture and more specifically Domain 1 of the CyberSecurity Audit Model (CSAM) in order to audit Cybersecurity domains and subdomains at the national level to evaluate many cyber topics. Finally, Section 3 provides our conclusion and recommendations for further research.
2. ABOUT OUR RESEARCH 2.1. National Cybersecurity Strategies (NCSS) A cybersecurity policy is an instrument developed by nations to communicate and express those aspects that want a state to protect cyberspace. It is a statement which embodies the stance of a government to bind strongly to citizens, their rights and duties; now in a stage of the widespread reality of society where instant information, mobility and social networks are the norm of its operation. This reality of cyberspace requires a renewed understanding of the relationships with others and with the nations. Given the background, cybersecurity in a state policy formalizes a decision that a country now declares as a digital territory – and it has extended where similarly will exercise sovereignty, knowing that virtual space is shared with other nations and possess a national synergy (Sabillon et al., 2016). Our initial research was aimed to study national security strategies in ten countries from five different continents, study policymaking
Auditing National Cybersecurity Strategies …
169
considerations from five global intergovernmental organizations and describe the most current cybersecurity frameworks. The fundamental research had five parts. Part I reviewed the main features of national cybersecurity strategies in Australia, Canada, Israel, Japan, Malaysia, Norway, South Africa, The Netherlands, The United Kingdom and The United States of America. Part II examined the national security strategy perspectives from intergovernmental organizations like United Nations (UN), International Telecommunication Union (ITU), European Union (EU), the Organisation for Economic Co-operation and Development (OECD) and the North Atlantic Treaty Organization (NATO). Part III highlighted eleven cybersecurity frameworks that are in use globally. Part IV introduced a proposal of the National Cybersecurity Strategy Model (NCSSM) and all its components. And in Part V, we reviewed the international cooperation and knowledge transfer of the existing national strategies (Sabillon et al., 2016).
2.2. The National CyberSecurity Strategy Model (NCSSM) We present a National CyberSecurity Strategy Model (NCSSM) that is based on our previous research (Sabillon et al., 2016). The NCSSM (Figure 1) contains eight pillars that are in constant interaction and it includes certain input features to become effective. As a result, specific outcomes are in need to be assessed continually due to the changing nature of cyberspace. A study from Greiman (2015) compared national cybersecurity strategies, and then our research is based on main components of any national strategy, goals, action plans, involved agencies and future developments to consolidate and expand the strategies. Our Model is based on the recommendations that the ITU, NATO, OECD and EU introduced to include key aspects, stakeholders, components and pillars of any NCSS.
Figure 1. The National CyberSecurity Strategy Model (NCSSM).
Auditing National Cybersecurity Strategies …
171
2.2.1. Input This section requires a clear definition of the scope of the national cybersecurity strategy. Ideally, a clear understanding in terms of protecting critical information infrastructure must be achieved. Mission, Vision, Objectives and Goals of the national cybersecurity strategy are identifiable at this stage. 2.2.2. The Pillars 1) Cybersecurity Culture is the main pillar that supports the other pillars. How citizens and society apply the use of cyber security measures. 2) Stakeholders definition and engagement: A national agency will be in charge of the NCSS creation and implementation. All stakeholders must be identified with clear roles and responsibilities. 3) Capacity Building: All necessary measures must be taken to ensure protection from cyber threats, risks and vulnerabilities. Baseline security requirements for each sector must be defined including a minimum set of cyber security measures. Specific cybersecurity standards and frameworks are selected. A cadre of cybersecurity professionals must be recruited. 4) International Cooperation: Countries need to be involved with the cybersecurity policy making leaders including developed nations and intergovernmental organizations due to the international nature of cyber threats. 5) Cybersecurity: This pillar helps to achieve a strong cybersecurity framework and work in harmony with all different stakeholders to ensure jurisdiction. Procedural measures include accountability, risk management, security policing, compliance and assurance. Lastly, the technical measures are aligned with core systems and networks in terms of administration, identifying cyber threats, inspections, IT health monitoring and audits. 6) Legal Measures: Countries must engage in creating modern laws, policies to fight and prosecute cybercrime. Develop cyberlaw
172
Regner Sabillon capacity including police, private sector, judicial and legislative branches. 7) Organizational Architecture: This pillar is fundamental to define the NCCS coordinator and the different agencies that participate at the national level. Participating agencies are responsible to lead cybersecurity activities in all industries and sectors. A National CERT is defined. 8) Defense: Military forces and national security agencies are prepared to develop some kind of military cyber capability in protecting defense networks, cyber warfare activities, enabling network centric warfare or manage cyber warfare strategies.
2.2.3. Outcomes Valid outcomes of NCSS must be continually evaluated using key performance indicators and objective performance metrics. Cyber defense, Awareness, Cyber resilience and Enhancement of national cybersecurity output are the main components in this final phase. Despite the fact, that many nations have already implemented or are planning to implement a national cybersecurity strategy, very little efforts are targeted towards the contribution of international cybersecurity standardization, defining jurisdiction in international cyberspace or the contribution from developed nations to help developing countries to establish an initial cybersecurity programme, policy or strategy. There are just a few exceptions that can initiate the knowledge transfer, international cooperation and lessons learn sharing in these areas. Hence, existing national cybersecurity strategies include very little details for international cooperation in cybersecurity matters but in most cases this topic is inexistent or country leaders in cybersecurity topics are not interested in this kind of international cooperation. A consistent approach must be taken to defining a broader international cooperation to fight cybercrime, coordinate cybersecurity efforts and initiate a more aggressive approach for cyber governance and cybersecurity policymaking. Countries like the USA, the UK and the Netherlands have a more consistent approach to international cooperation in cybersecurity matters.
Auditing National Cybersecurity Strategies …
173
The United States developed the International Strategy for Cyberspace that consists on core principles to support cyberspace operations like fundamentals freedoms, respect for property, safeguard privacy, protection from cybercrime and the right of cyber self-defense1. The strategy intends to provide knowledge transfer to build cybersecurity capacity, to continually develop and share cybersecurity best practices, to enhance the ability to fight cyber criminality and to develop relationships with policy makers.2 The UK promoted an international dialogue at the London Conference on Cyberspace for the sake of developing international norms in cyberspace and The Netherlands through their national Cyber Security Council wish to collaborate with other countries to strengthen its international orientation. The Dutch Cyber Security Council wishes to expand the international network collaboration to develop national views.
2.3. The CyberSecurity Audit Model (CSAM) The CyberSecurity Audit Model (CSAM) is a new exhaustive model that encloses the optimal assurance assessment of cybersecurity in any organization and it can verify specific guidelines for Nation States that are planning to implement a National Cybersecurity Strategy (NCS) or want to evaluate the effectiveness of its National Cybersecurity Strategy or Policy already in place. The CSAM can be implemented to conduct internal or external cybersecurity audits, this model can be used to perform single cybersecurity audits or can be part of any corporate audit program to improve cybersecurity controls. Any audit team has either the options to perform a full audit for all cybersecurity domains or by selecting specific domains to audit certain areas that need control verification and hardening. The CSAM has 18 domains; domain 1 is specific for Nation States and 1
2
United States of America Government, International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World (Washington D.C: The White House 2011), Ch. 1, 5. United States of America Government, International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World, 10-15.
174
Regner Sabillon
domains 2-18 can be implemented at any organization. The organization can be any small, medium or large enterprise, the model is also applicable to any Non-Profit Organization (NPO).
Figure 2. The CyberSecurity Audit Model (CSAM).
The aim of this model is to introduce a cybersecurity audit model that includes all functional areas, in order to guarantee an effective cybersecurity assurance, maturity and cyber readiness in any organization or any Nation State that is auditing its National Cybersecurity Strategy (NCS). This model was envisioned as a seamless and integrated cybersecurity audit model to assess and measure the level of cybersecurity maturity and cyber readiness in any type of organization, no matter in what industry or sector the organization is positioned. Moreover, by adding guidelines assessment for the integration of a national cybersecurity policy, program or strategy at the country level. Many cybersecurity frameworks are mostly oriented towards a specific industry like the “PCI DSS” for credit card security, the “NERC CIP Cyber Security” for the bulk power system or the “NIST Cybersecurity Framework” for protecting national critical infrastructure. But all the existing frameworks do not provide a one-size fits all for planning and conducting cybersecurity audits. The necessity to mapping against specific cybersecurity frameworks is because
Auditing National Cybersecurity Strategies …
175
of regulatory requirements, to satisfy the demands of industry regulators, to comply with internal or external audits, to satisfy business purposes and customer requirements or simply by improving the enterprise cybersecurity strategy. The CyberSecurity Audit Model (CSAM) contains overview, resources, 18 domains, 26 sub-domains, 87 checklists, 169 controls, 429 sub-controls, 80 guideline assessment for any Nation State to audit cyberspace and NCSS thus an evaluation scorecard shown in Figure 2.
2.3.1. Overview This section introduces the model organization, the working methodology and the possible options for implementation. 2.3.2. Resources This component provides links to additional resources to help understanding some of the cybersecurity topics:
Cybersecurity: NIST Computer Security Resource Center, Financial Industry Regulatory Authority (FINRA) cybersecurity practices and Homeland Security cybersecurity. National Cybersecurity Strategy (NCS): North Atlantic Treaty Organization (NATO) cybersecurity strategy, European Union Agency for Network and Information Security (ENISA) cybersecurity strategy and Organisation for Economic Cooperation and Development (OECD) comparative analysis of national cybersecurity strategies. Governance: PricewaterhouseCoopers Board cybersecurity governance and MITRE cybersecurity governance. Cyber Assets: NERC critical cyber assets. Frameworks: Foresite common cybersecurity frameworks, United States Computer Emergency Readiness Team (US-CERT) framework and ISACA’s implementing the NIST cybersecurity framework.
176
Regner Sabillon
Architecture: Trusted Computer Group (TCG) architect’s guide and US Department of Energy’s IT security architecture. Vulnerability Management: SANS vulnerability assessment and Homeland Security vulnerability assessment and management. Cyber Threat Intelligence: SANS – Who’s using cyberthreat intelligence and how? Incident Response: Computer Security Incident Response Team (CSIRT) frequent asked questions. Digital Forensics: SANS forensics whitepapers. Awareness: National Cyber Security Alliance – Stay safe online and PCI DSS -Best practices for implementing security awareness program. Cyber Defense: SANS- The sliding scale of cybersecurity. Disaster Recovery: Financial Executives International (FEI) Canada – Cybersecurity and business continuity. Personnel: Kaspersky – Top 10 tips for educating employees about cybersecurity.
2.3.3. Domains The CSAM contains 18 domains. Domain 1 has been designed specifically for Nations States and domains 2-18 are applicable to any organization as illustrated in Table 1. Table 1. The CyberSecurity Audit Model (CSAM) domains The CyberSecurity Audit Model (CSAM) domains Domains 1) Nation States 2) Governance and Strategy 3) Legal and Compliance The CyberSecurity Audit Model 4) Cyber Assets (CSAM) 5) Cyber Risks 6) Frameworks and Regulations 7) Architecture and Networks 8) Information, Systems and Applications 9) Vulnerability Identification
Auditing National Cybersecurity Strategies …
177
The CyberSecurity Audit Model (CSAM) domains Domains 10) Threat Intelligence 11) Incident Management 12) Digital Forensics 13) Awareness Education 14) Cyber Assurance 15) Active Cyber Defense 16) Evolving Technologies 17) Disaster Recovery 18) Personnel
2.3.4. Sub-Domains All domains have at least one sub-domain but in certain cases there might be several sub-domains per domain. The sub-domains are:
Cyberspace Governance Strategy Legal and Compliance Cyber Asset Management Cyber Risks Frameworks and Regulations Architecture Networks Information Systems Applications Vulnerability Management Threat Intelligence Incident Management Digital Forensics Awareness Education Cyber Insurance Active Cyber Defense
178
Regner Sabillon
Evolving Technologies Disaster Recovery Onboarding Hiring Skills Training Offboarding
2.3.5. Controls Each domain has sub-domains that are assigned a reference number. Controls are identified by clause numbers and an assigned checklist. In order to verify the control evaluation, the cybersecurity control is either in place or inexistent. 2.3.6. Checklists Each checklist is linked to a specific domain and the subordinated subdomain. The checklist verifies the validity of the cybersecurity subcontrols in alignment with a control clause. The cybersecurity auditors have the option to collect evidence to verify the sub-control compliance. 2.3.7. Guideline Assessment The guideline assessment only applies to the Nation States domain. The guidelines are evaluated for cybersecurity culture, National Cybersecurity Strategy (NCS), cyber operations, critical infrastructure, cyber intelligence, cyber warfare, cybercrime and cyber diplomacy. 2.3.8. Evaluation Scorecard The control, guideline and sub-control evaluation is calculated after the audit has been completed. The evaluation consists in assigning scores and ratings for each control, guideline and sub-control as illustrated in Table 2.
Auditing National Cybersecurity Strategies …
179
Table 2. Cybersecurity maturity ratings for the Nation States domain Domain Sub-Domain Control Evaluation Yes
Guideline assessment Compliant
1-Nation States 1.1 Cyberspace 0-3 Immature 4-5 Developing 6-7 Mature 8 Advanced 0-30 Immature 31-50 Developing 51-69 Mature 70-80 Advanced
We calculate the final cybersecurity maturity rating of the Nation States domain by using the following criteria. The score can be mapped to a specific maturity level: Immature (I): 0-30 The Nation State does not have any plans to manage its cyberspace. A National Cybersecurity Strategy (NCS) or Policy is inexistent. Developing (D): 31-70 The Nation State is starting to focus on national cybersecurity. If technologies are in place, the Nation State needs to focus on key areas to protect cyberspace. Mature (M): 71-90 While the Nation State has a mature environment. Improvements are required to the key areas that have been identified with weaknesses. Advanced (A): 91-100 Nation State has excelled in national cybersecurity and cyberspace practices. There is always room for improvement. Nation State could become an international leader and help other Nation States with cybersecurity and cyberspace matters.
180
Regner Sabillon And for domains 2-18, we calculate the final cybersecurity maturity rating of any organization by using the following criteria: The score can be mapped to a specific maturity level:
Immature (I): 0-30 The organization does not have any plans to manage its cybersecurity. Controls for critical cybersecurity areas are inexistent or very weak. The organization has not implemented a comprehensive cybersecurity program. Developing (D): 31-70 The organization is starting to focus on cybersecurity matters. If technologies are in place, the organization needs to focus on key areas to protect cyber assets. Attention must be focused towards staff, processes, controls and regulations. Mature (M): 71-90 While the organization has a mature environment. Improvements are required to the key areas that have been identified with weaknesses. Advanced (A): 91-100 The organization has excelled in implementing cybersecurity best practices. There is always room for improvement. Keep documentation up-to-date and continually review cybersecurity processes through audits. The CSAM (Cybersecurity Domains 2-18) has been successfully implemented and validated in two Canadian Higher Education institutions (Sabillon, 2018 and 2019) along with the Cybersecurity Awareness TRAining Model -CATRAM (Sabillon et al., 2019). CSAM has been tested, implemented and validated along with CATRAM in three research scenarios (1) Cybersecurity audit of all model domains (2) Cybersecurity
Auditing National Cybersecurity Strategies …
181
audit of several domains (Governance and Strategy, Legal and compliance, Cyber Risks, Frameworks and Regulations, Incident Management, Cyber Insurance and Evolving Technologies) and (3) a single cybersecurity domain audit in our first target organization. A second case study was conducted in a different organization to validate the CSAM (Sabillon, 2019) and the results will be published accordingly. While the CSAM (Domain 1) can be used to audit the Cyberspace domain including assessing the existing NCSS for any Nation State, we must clarify that we have not been able yet to validate this specific domain of the CSAM at this point in time.
2.4. How to Audit any National Cybersecurity Strategy (NCSS) Using the CSAM The CSAM has a specific domain “Nation States” and a sub-domain “Cyberspace” to audit the Cyber function at a national, state, province or territory level. Table 3. Cybersecurity maturity rating of the Nation States domain Cybersecurity Audit Model (CSAM) Domain Sub-Domain: 1.1 Cyberspace
1-Nation States Ratings I D M
A
1.1.1 Cybersecurity Culture
☐
☐
☐
☐
1.1.2 National Cybersecurity Strategy
☐
☐
☐
☐
1.1.3 Cyber Operations
☐
☐
☐
☐
1.1.4 Critical Infrastructure
☐
☐
☐
☐
1.1.5 Cyber Intelligence
☐
☐
☐
☐
1.1.6 Cyber Warfare
☐
☐
☐
☐
1.1.7 Cybercrime
☐
☐
☐
☐
1.1.8 Cyber Diplomacy
☐
☐
☐
☐
Final Cybersecurity Maturity Rating
☐
☐
☐
☐
Score
182
Regner Sabillon
The Cyberspace sub-domain verifies controls in the cyber culture, National Cybersecurity Strategy, Cyber operations, critical infrastructure, cyber intelligence, cyber warfare, cybercrime and cyber diplomacy areas in Table 3.
2.5. Overall Nation State CyberSecurity Readiness (NSCSR) The CyberSecurity Readiness rating can be classified for any Nation State as follows: Immature (I): 0-30 The Nation State does not have any plans to manage its cyberspace. A National Cybersecurity Strategy or Policy is inexistent. The Cybersecurity readiness is inexistent at this level. Developing (D): 31-70 The Nation State is starting to focus on national cybersecurity. If technologies are in place, the Nation State needs to focus on key areas to protect cyberspace. The Cybersecurity readiness is developing at this stage. Mature (M): 71-90 While the Nation State has a mature environment. Improvements are required to the key areas that have been identified with weaknesses. The Cybersecurity readiness is at a mature level. Advanced (A): 91-100 Nation State has excelled in national cybersecurity and cyberspace practices. There is always room for improvement. Nation State could become an international leader and help other Nation States with cybersecurity and cyberspace matters. The Cybersecurity readiness is at an advanced level, but the Nation
Auditing National Cybersecurity Strategies …
183
State must continually update its cybersecurity strategy at all times. One of the most comprehensive guides (ITU, 2018) to develop a NCSS was recently designed for global cybersecurity leaders including the Commonwealth Secretariat (ComSec),the Commonwealth Telecommunications Organisation (CTO), Deloitte, the Geneva Centre for Security Policy (GCSP), the Global Cyber Security Capacity Centre (GCSCC) at the University of Oxford, the International Telecommunication Union (ITU), Microsoft, the NATO Cooperative Cyber Defence Centre Of Excellence (NATO CCD COE), the Potomac Institute for Policy Studies, RANDEurope, The World Bank and the United Nations Conference on Trade and Development (UNCTAD). This guide clearly identifies five phases for the lifecycle of any NCSS: 1) 2) 3) 4) 5)
Initiation Stocktacking and analysis Production of the National Cybersecurity Strategy Implementation Monitoring and evaluation
And the guide also focuses on seven areas for good practice: Governance, Risk management in national cybersecurity, Preparedness and resilience, Critical infrastructure services and essential services, Capability and capacity building and awareness raising, Legislation and regulation and Internal cooperation. We strongly advise that Domain 1 from our CyberSecurity Audit Model (CSAM) can be considered to plan and conduct partial or comprehensive cybersecurity audits of any NCSS in development, implementation, monitoring and evaluation phases.
184
Regner Sabillon
CONCLUSION AND FURTHER RESEARCH This chapter has focused on analyzing our research regarding the creation, policy making, structure, implementation, sustaining and auditing national cybersecurity strategies and the cyber domain for nations. The content of the national strategies varies widely and each country structures the strategy based on their needs related to fight cybercrime, critical infrastructure protection, stakeholders engagement, cybersecurity awareness, cyber resilience, cyber intelligence gathering, cyber attacks alertness and eradication, cyber incident response, cybersecurity research and development, cyber police organization, communication, military involvement, law and judiciary collaboration, cyber governance and international cooperation. As a result of our research, we present ‘The National CyberSecurity Strategy Model (NCSSM)’ that contains eight pillars: Cybersecurity Culture, Stakeholders definition and engagement; Capacity Building; International Cooperation; Cybersecurity; Legal Measures; Organizational Architecture; and Defense. The Model requires specific input features and the outcome is measured in terms of cyber defense, cyber awareness, cyber resilience and national cybersecurity. We also included Domain 1: Nation States of our CyberSecurity Audit Model (CSAM) that evaluates cybersecurity culture, NCCS, cyber operations, cyber critical infrastructure, cyber intelligence, cyber warfare, cybercrime and cyber diplomacy. Some countries have a higher level of maturity than others when dealing with cyberspace, cybersecurity and national cybersecurity strategy policy-making. These leading countries have to recognize the importance of international cooperation, alliance development to fight cybercrime, rule cyberspace and knowledge transfer of cybersecurity strategy matters. The CSAM is not for a specific industry, sector or organization – On the contrary, the model can be utilized to plan, conduct and verify cybersecurity audits everywhere. The CSAM has been designed to conduct partial or complete cybersecurity audits either by a specific domain, several domains or the comprehensive audit for all domains. Likewise, the
Auditing National Cybersecurity Strategies …
185
CATRAM can support the implementation of a foundation for consolidating a cybersecurity awareness training program at any organization. The limitation of our study is that Domain 1: Nation States and Subdomain 1.1: Cyberspace from our CyberSecurity Audit Model (CSAM) have not been validated in a single Nation or State. Hence, future testing will enhance the model architecture by engaging potential Nation States that may be interested in auditing their national cyberspace. Future research will need to focus on the development of international standards and regulations to tackle cybercrime, to expand international cooperation in cybersecurity and national strategies. The challenges to overcome are to secure nations, keep peace in cyberspace while creating dynamic cybersecurity strategies.
REFERENCES Australian Government (2013). Defence white paper 2013. Canberra: Department of Defence, Commonwealth of Australia. Retrieved from http://www.defence.gov.au/whitepaper/2013/docs/wp_2013_web.pdf>. Australian Government (2016). Australia’s Cyber Security Strategy. Canberra: Department of the Prime Minister and Cabinet, Commonwealth of Australia. Retrieved from https://www.pmc.gov.au/ sites/default/files/publications/australias-cyber-security-strategy.pdf. Benoliel, D. (2015). Towards a Cyber Security Policy Model: Israel National Cyber Bureau Case Study, 16 (3) North Carolina Journal of Law & Technology. 435-486. Retrieved from https://scholarship.law. unc.edu/cgi/viewcontent.cgi?referer=https://www.google.ca/&https redir=1&article=1283&context=ncjolt. Bodeau, D., Boyle, S., Fabius-Greene, J. and Graubart R. (2010). Cyber Security Governance, MITRE. Retrieved from https://www.mitre. org/sites/default/files/pdf/10_3710.pdf. Boyce, R. (2001). Vulnerability Assessment: The Pro-Active Steps to Secure your Organization, SANS Institute. Retrieved from
186
Regner Sabillon
https://www.sans.org/reading-room/whitepapers/threats/vulnerabilityassessments-pro-active-steps-secure-organization-453. Canadian Government (2013). Action Plan 2010-2015 for Canada’s Cybersecurity Strategy. Ottawa: Her Majesty the Queen in Right of Canada. Retrieved from http://www.securitepublique.gc.ca/cnt/rsrcs/ pblctns/ctn-pln-cbr-scrt/ctn-pln-cbr-scrt-eng.pdf. Canadian Government (2010). Canada’s Cybersecurity Strategy for a Stronger and More Prosperous Canada. Ottawa: Her Majesty the Queen in Right of Canada. Retrieved from http://publications.gc.ca/ collections/collection_2010/sp-ps/PS4-102-2010-eng.pdf. CERT Division (2017). CSIRT Frequently Asked Questions, Carnegie Mellon University. Retrieved from https://www.cert.org/incidentmanagement/csirt-development/csirt-faq.cfm. Department of Defense (2015). Resilient Military Systems and the Advanced Cyber Threat. Defense Science Board. Washington D.C.: Office of the Under Secretary of Defense for Acquisition, Technology and Logistics. Department of Homeland Security (2012). Vulnerability Assessment and Management, NICSS. Retrieved from https://niccs.us-cert.gov/workforce-development/cyber-security-workforce-framework/vulnerabilityassessment-and-management. Donaldson, S., Siegel, S., Williams, C.and Aslam, A. (2015). Enterprise Cybersecurity: How to Build a Successful Cyberdefense Program against Advanced Threats. New York: Apress, 201-204. Elran, M. and Siboni, G. (2015). Establishing an IDF Cyber Command’, The Institute for National Security Studies Insight, No 719, 1-3. Retrieved from http://www.inss.org.il/uploadImages/systemFiles/No. 719 - Meir and Gabi for web.pdf. European Network and Information Security Agency (2012). National Cyber Security Strategies: Practical Guide on Development and Execution. Heraklion: ENISA. Retrieved from https://www. enisa.europa.eu/activities/Resilience-and-CIIP/national-cyber-securitystrategies-ncsss/national-cyber-security-strategies-an-implementationguide/at_download/fullReport.
Auditing National Cybersecurity Strategies …
187
European Union (2013). Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace. Brussels: European Commission. Retrieved from http://eeas.europa.eu/policies/eu-cybersecurity/cybsec_comm_en.pdf. European Union Agency for Cybersecurity – ENISA (2019). National Cyber Security Strategies (NCSSs) Map. Retrieved from https://www.enisa.europa.eu/topics/national-cyber-security-strategies/ ncss-map. Financial Executives International – FEI (2014). Financial Executives, Cyber Security & Business Continuity, Canadian Executives Research Foundation (CFERF). Retrieved from https://www.feicanada.org/ enews/file/CFERF%20studies/2013-2014/IBM%20Cyber%20Security %20final3%202014.pdf. Financial Industry Regulatory Authority – FINRA (2015). Report on Cybersecurity Practices, 1- 46. Retrieved from https://www.finra. org/sites/default/files/p602363%20Report%20on%20Cybersecurity%2 0Practices_0.pdf. Foresite (2016). Quick guide to common Cybersecurity Frameworks. Retrieved from https://www.foresite.com/blog/quick-guide-to-common -cybersecurity-frameworks/. Greiman, V. (2015). Cyber Security and Global Governance, Proceedings of the 14th European Conference on Cyber Warfare & Security. Hattfield: University of Hertfordshire. International Telecommunication Union ITU (2019). Global Cybersecurity Index (GCI) 2018. Geneva: International Telecommunication Union ITU. Retrieved from https://www.itu.int/dms_pub/itu-d/opb/str/DSTR-GCI.01-2018-PDF-E.pdf. International Telecommunication Union ITU (2018). Guide to Developing a National Cybersecurity Strategy: Strategic Engagement in Cybersecurity. Geneva: International Telecommunication Union ITU. Retrieved from https://www.itu.int/dms_pub/itu-d/opb/str/D-STRCYB_GUIDE.01-2018-PDF-E.pdf. International Telecommunication Union ITU (2012). National Cybersecurity Strategy Guide. Geneva: Edited by Frederick Wamala.
188
Regner Sabillon
Retrieved from http://www.itu.int/ITU-D/cyb/cybersecurity/docs/ ITUNationalCybersecurityStrategyGuide.pdf. ISACA (2014). Implementing the NIST Cybersecurity Framework. Rolling Meadows: ISACA. ISACA (2013). Transforming Cybersecurity. Rolling Meadows: ISACA. ISACA (2015). Cybersecurity Fundamentals. Rolling Meadows: ISACA. Japanese Government (2013). Japan’s Cybersecurity Strategy: Towards a World Leading, Resilient and Vigorous Cyberspace. Tokio: Information Security Policy Council. Retrieved from https://www.nisc. go.jp/eng/pdf/cybersecuritystrategy-en.pdf. Kaspersky Lab (2015). Top 10 Tips for Educating Employees about Cybersecurity, AO Kaspersky Lab. Retrieved from http://go.kaspersky. com/rs/kaspersky1/images/Top_10_Tips_For_Educating_Employees_ About_Cybersecurity_eBook.pdf. Lee, R. (2015). The Sliding Scale of Cybersecurity, SANS Institute. Retrieved from https://www.sans.org/reading-room/whitepapers/ analyst/sliding-scale-cyber-security-36240. Lemieux, F. (2015). Current and emerging trends in cyber operations: Policy, Strategy and Practice. Palgrave Macmillan’s Studies in Cybercrime and Cybersecurity. New York: Palgrave Macmillan. Lindsay, J. (2013). Stuxnet and the limits of Cyber Warfare. Security Studies, 22 (3), 365-404. Retrieved from https://doi.org/10.1080/ 09636412.2013.816122. Luiijf, E., Besseling, K. and de Graaf, P. (2013). Nineteen national cyber security strategies. International Journal of Critical Infrastructures, Vol. 9, Nos. 1/2, 3–31. Malaysia Government (2006). National Cyber Security. Purtrajaya: Minister of Science, Technology and Innovation. ICT Policy Division. Retrieved from http://www.cybersecurity.my/data/content_files/ 46/1235.pdf?.diff=1392970989. Ministry of Economic Affairs and Communication (2017). 2014-2017 Estonia Cybersecurity Strategy, ENISA. Retrieved from https://www. enisa.europa.eu/topics/national-cyber-security-strategies/ncss-map /Estonia_Cyber_security_Strategy.pdf.
Auditing National Cybersecurity Strategies …
189
National Cyber Security Alliance (2017). Stay Safe Online, NCS. Retrieved from https://staysafeonline.org/ncsam/. National Institute of Standards and Technology- NIST (2017). Framework for Improving Critical Infrastructure Cybersecurity, version 1.1. National Institute of Standards and Technology – NIST (2017). NIST Special Publications SP. Retrieved from http://csrc.nist.gov/ publications/PubsSPs.html. NATO Cooperative Cyber Defence Centre of Excellence – CCDCOE (2019). Cyber Security Strategy Documents. Retrieved from https://ccdcoe.org/library/strategy-and-governance/. Netherlands Government (2014). National Cyber Security Strategy (NCSS)2: From awareness to capability. Den Haag: National Coordinator for Security and Counterterrorism, Minister of Security and Justice. Retrieved from https://www.enisa.europa.eu/activities/ Resilience-and-CIIP/national-cyber-security-strategies-ncsss/NCSS2 Engelseversie.pdf. North American Electric Relaibility Corporation – NERC (2010). Security Guideline for the Electricity Sector: Identifying Critical Cyber Assets, NERC. Retrieved from 0 (H4) Due to temporary immunity, recovered node become again susceptible node at constant rate 𝛿 > 0 (H5) Disinfected vaccinated node becomes again susceptible node at constant rate 𝜂 > 0
200
Malti Kumari, Binay Kumar Mishra and R. N. Sinha
(H6) Disinfected susceptible node are vaccinated at constant rate 𝜙 > 0.
3. E-EPIDEMIC MODEL OF WORM SPREAD IN WIRELESS SENSOR NETWORK Let S(t), I(t), R(t) and V(t) denote the number of susceptible, infectious, recovered, vaccinated nodes at time t, respectively. Assume that (t) = S(t) + I(t) + R(t) + V(t) for all t. The system of differential equations that describes the rate of change of different classes and as per our assumptions, is depicted in Figure 1.
𝜙𝑆 𝜂𝑉
A
S 𝜇
𝛽𝑆𝐼
I
(𝜇 + 𝜀)
𝛾𝐼
R
V
𝜇
𝜇
𝛿𝑅 Figure 1. Schematic representation of the effect of vaccination on the attack of malicious objects in a wireless network.
Effect of Vaccination on the Attack of Malicious Objects … dS dt
= A − βSI − (ϕ + μ)S + δR + ηV
dI dt
= βSI − (μ + ε + γ)I
201
(1) dR dt
= γI − (μ + δ)R(1)
𝑑𝑉 𝑑𝑡
= 𝜙𝑆 − (𝜂 + 𝜇)𝑉
where,
1 𝛿
is the periods of immunity of the recovered & vaccinated
susceptible nodes respectively, and A is the inclusion of new sensor nodes to the population, µ is the crashing rate of the sensor nodes due to hardware/software problem, 𝜀 is the crashing rate due to attack of worms, 𝛽 is the infectivity contact rate, 𝛾 is the rate of recovery, 𝛿 is the rate of transfer from R-class to S-class, 𝜂 is the rate of transmission from V-class to S-class, 𝜙is the vaccinating rate coefficient for the susceptible nodes. Now
𝑑𝑁 𝑑𝑡
= 𝐴 − 𝜇𝑁 − 𝜀𝐼
In the absence of an attack, the population size of the node approaches the carrying capacity A/ 𝜇. The differential equation for N implies that the solution of equation (1) starting in the positive orthant 𝑅4+ approach, enter or remain in the epidemiologically meaningful subset D = {(𝑆, 𝐼, 𝑅, 𝑉)/𝑆 > 0, 𝐼 ≥ 0, 𝑅 ≥ 0, 𝑉 ≥ 0, 𝑆 + 𝐼 + 𝑅 + 𝑉 ≤ 𝐴⁄𝜇} Thus, it suffices to consider solutions in region D. Solution of the initial value problem starting in D and defined by (1) exist and are unique on the maximal interval [25, 26]. Since the solution remains bounded in the positively invariant region D, the maximalinterval is (0,∞). Thus, the
202
Malti Kumari, Binay Kumar Mishra and R. N. Sinha
initial value problem epidemiologically.
is
well-posed
both
mathematically
and
4. EXISTENCE AND STABILITY OF EQUILIBRIUM 4.1. SIRV Model, Its Equilibrium Points and Stability In this section we try to find the eaquilibrium points of SIRV model and its stability. The equilibrium points is obtained by solving the system of equations as mentioned: 𝑑𝑆 𝑑𝑡
= 0;
𝑑𝐼 𝑑𝑡
= 0;
𝑑𝑅 𝑑𝑡
= 0;
𝑑𝑉 𝑑𝑡
=0
and on simple calculation, we get equilibrium points as: (𝜂+𝜇)𝐴
𝜙𝐴
P=(𝜇(𝜂+𝜙+𝜇) ,0, 0, (𝜂+𝜇)(𝜙+𝜇)−𝜂𝜙) for worm-free state and (𝑆 ∗ , 𝐼 ∗ , 𝑅 ∗ , 𝑉 ∗) for the endemic state, where, 𝑆∗ =
(𝜇+𝜀+𝛾)
𝐼∗ =
(𝜇+𝛿){𝜂𝜙−(𝜙+𝜇)+𝐴𝛽}
𝛽
𝛽{(𝜇+𝛿)−𝛿𝛾}
𝑅∗ =
{𝜂𝜙−(𝜙+𝜇)+𝐴𝛽}𝛾
𝑉∗ =
𝜙(𝜇+𝜀+𝛾) 𝛽(𝜂+𝜇)
𝛽{(𝜇+𝛿)−𝛿𝛾}
The basic reproduction number (R 0 ) is obtained on simple calculation and is given by
Effect of Vaccination on the Attack of Malicious Objects …
203
𝛽
𝑅0 = (𝜇+𝜀+𝛾) At worm-free equilibrium point P, the Jacobian matrix for SIRV model is −(𝜇 + 𝜙) 0 𝛿 𝜂 0 −(𝜇 + 𝜀 + 𝛾) 0 0 𝐽(𝑃) = 0 𝛾 −(𝜇 + 𝛿) 0 0 −(𝜂 + 𝜇) ] [ 𝜙 0
We assume S+I+R+V=1 Now, R=1-S-I-V We have, 𝑑𝑆 𝑑𝑡 𝑑𝐼 𝑑𝑡 𝑑𝑅 𝑑𝑡 𝑑𝑉 𝑑𝑡
= 𝐴 − 𝛽𝑆𝐼 − (𝜙 + 𝜇)𝑆 + 𝛿𝑅 + 𝜂𝑉 = 𝛽𝑆𝐼 − (𝜇 + 𝜀 + 𝛾)𝐼 = 𝛾𝐼 − (𝜇 + 𝛿)𝑅 = 𝜙𝑆 − (𝜂 + 𝜇)𝑉
Here we are focusing on vaccine, so we ignore the R-class to have a simplified SIV model.
204
Malti Kumari, Binay Kumar Mishra and R. N. Sinha Thus, 𝑑𝑆 𝑑𝑡 𝑑𝐼 𝑑𝑡 𝑑𝑉 𝑑𝑡
= 𝐴 − 𝛽𝑆𝐼 − (𝜙 + 𝜇)𝑆 + 𝛿(1 − 𝑆 − 𝐼 − 𝑉) + 𝜂𝑉 = 𝛽𝑆𝐼 − (𝜇 + 𝜀 + 𝛾)𝐼
(2)
= 𝜙𝑆 − (𝜂 + 𝜇)𝑉
4.2. SIV Model, Its Equilibrium Points and Stability For SIV Model the equilibrium points, we have, 𝑑𝑆 𝑑𝑡
= 0;
𝑑𝐼 𝑑𝑡
= 0;
𝑑𝑉 𝑑𝑡
=0
and on simple calculation, we get equilibrium points as: (A−δ)(η+μ)
ϕ(A−δ)
P=((η+ϕ+μ)(μ+δ) , 0, (η+ϕ+μ)(μ+δ)) for worm-free state and (𝑆 ∗ , 𝐼 ∗ , 𝑉 ∗) for the endemic state, where, 𝑆∗ =
𝐼∗ = 𝑉∗ =
(μ+ε+γ) β (A+δ)−(ϕ+μ+δ)(μ+ε+γ) (η+δ)(μ+ε+γ)ϕ − β β(η+μ)
(μ+ε+γ)−δ (μ+ε+γ)ϕ β(η+μ)
For SIV model, the basic reproduction number is obtained from the system (2):
Effect of Vaccination on the Attack of Malicious Objects …
205
𝛽
𝑅0 = (𝜇+𝜀+𝛾)
At worm-free equilibrium point P, the Jacobian matrix for SIV Model is
𝐽(𝑃) = [
−(𝜙 + 𝜇 + 𝛿) −𝛿 −(𝛿 − 𝜂) 0 −(𝜇 + 𝜀 + 𝛾) 0 ] 𝜙 0 −(𝜂 + 𝜇)
With the help of zero matrices, we find the following matrix is −𝜙 [ 0 𝜙
−(𝜇 + 𝛿) −𝛿 −(𝛿 − 𝜂) 0 0 0 −(𝜇 + 𝜀 + 𝛾) 0 0 0] + [ ] 0 0 0 0 −(𝜂 + 𝜇)
(3)
𝑅3 → 𝑅3 + 𝑅1
𝐽(𝑃) = [
−(𝜙 + 𝜇 + 𝛿) −𝛿 −(𝛿 − 𝜂) 0 −(𝜇 + 𝜀 + 𝛾) 0 ] 0 0 −(𝜂 + 𝜇)
Eigenvalues from equation (3) are: −(𝜙 + 𝜇 + 𝛿) , −(𝜇 + 𝜀 + 𝛾) , − (𝜂 + 𝜇) which all are negative; hence the system is locally asymptotically stable at worm-free equilibrium point P.
4.2.1. Theorem 1 The infection-free equilibrium 𝐸0 of the system (1) is locally asymptotically stable in 𝜏 if 𝑅0 < 1 and is unstable if 𝑅0 > 1.
𝐽𝐼𝐹𝐸 = [
−(𝜙 + 𝜇 + 𝛿) −𝛿 −(𝛿 − 𝜂) 0 −(𝜇 + 𝜀 + 𝛾) 0 ] 0 0 −(𝜂 + 𝜇)
206
Malti Kumari, Binay Kumar Mishra and R. N. Sinha
Eigenvalues are: −(𝜙 + 𝜇 + 𝛿) , −(𝜇 + 𝜀 + 𝛾) , − (𝜂 + 𝜇)which all are negative; hence the system is locally asymptotically stable at worm infection-free equilibrium point 𝐸0 .
4.2.2. Theorem 2 The endemic equilibrium 𝐸 ∗ is locally asymptotically stable in the interior of 𝜏 if 𝑅0 > 1.
𝐽𝐸𝐸 = [
−(𝜙 + 𝜇 + 𝛿) −𝛿 0 −(𝜇 + 𝜀 + 𝛾) 0 0
−(𝛿 − 𝜂) 0 ] −(𝜂 + 𝜇)
Eigenvalues from equation (3) are: −(𝜙 + 𝜇 + 𝛿) , −(𝜇 + 𝜀 + 𝛾) , − (𝜂 + 𝜇) which all are negative; hence the system is locally asymptotically stable at worm-free endemic equilibrium 𝐸 ∗ .
5. NUMERICAL SIMULATION From Figure 2 it is evident that the recovery rate sharply increases after a certain interval of time indicating that the antivirus software must run after every predictive time of interval. Dynamical behavior of recovered class with respect to time for: 1. A = 0.66; 𝛽 = 0.33; 𝛾 = 0.32; 𝛿 = 0.33; 2. A = 0.66; 𝛽 = 0.33; 𝛾 = 0.32; 𝛿 = 0.36; 3. A = 0.66; 𝛽 = 0.33; 𝛾 = 0.32; 𝛿 = 0.39; 4. A = 0.66; 𝛽 = 0.33; 𝛾 = 0.32; 𝛿 = 0.42;
𝜇 = 0.0003; ϕ = 0.22; 𝜂 = 0.32; 𝜀 = 0.066; 𝜇 = 0.0003; ϕ = 0.22; 𝜂 = 0.32; 𝜀 = 0.066; 𝜇 = 0.0003; ϕ = 0.22; 𝜂 = 0.32; 𝜀 = 0.066; 𝜇 = 0.0003; ϕ = 0.22; 𝜂 = 0.32; 𝜀 = 0.066;
Effect of Vaccination on the Attack of Malicious Objects …
Figure 2. Recovery rate in respect of time.
Figure3. Dynamical behavior of recovered class versus infectious class.
207
208
Malti Kumari, Binay Kumar Mishra and R. N. Sinha
Figure 4. Local stability of infection free equilibrium when R0 < 1.
Dynamical behavior of recovered class versus infectious class when: 1. A = 0.66; 𝛽 = 0.33; 𝛾 = 0.32; 𝛿 = 0.33; 2. A = 0.66; 𝛽 = 0.33; 𝛾 = 0.32; 𝛿 = 0.36; 3. A = 0.66; 𝛽 = 0.33; 𝛾 = 0.32; 𝛿 = 0.39; 4. A = 0.66; 𝛽 = 0.33; 𝛾 = 0.32; 𝛿 = 0.42;
𝜇 = 0.0003; ϕ = 0.22; 𝜂 = 0.32; 𝜀 = 0.066; 𝜇 = 0.0003; ϕ = 0.22; 𝜂 = 0.32; 𝜀 = 0.066; 𝜇 = 0.0003; ϕ = 0.22; 𝜂 = 0.32; 𝜀 = 0.066; 𝜇 = 0.0003; ϕ = 0.22; 𝜂 = 0.32; 𝜀 = 0.066;
Dynamical behavior of SIRV with respect to time when R0 < 1: 1. A = 0.66; 𝛽 = 0.33; 𝜇 = 0.0003; ϕ = 0.22; 𝜂 = 0.32; 𝜀 = 0.066; 𝛾 = 0.32; 𝛿 = 0.33; 2. A = 0.66; 𝛽 = 0.33; 𝜇 = 0.0003; ϕ = 0.22; 𝜂 = 0.32; 𝜀 = 0.066; 𝛾 = 0.32; 𝛿 = 0.36;
Effect of Vaccination on the Attack of Malicious Objects …
209
3. A = 0.66; 𝛽 = 0.33; 𝜇 = 0.0003; ϕ = 0.22; 𝜂 = 0.32; 𝜀 = 0.066; 𝛾 = 0.32; 𝛿 = 0.39; 4. A = 0.66; 𝛽 = 0.33; 𝜇 = 0.0003; ϕ = 0.22; 𝜂 = 0.32; 𝜀 = 0.066; 𝛾 = 0.32; 𝛿 = 0.42.
CONCLUSION Inspired by the compartmental biological epidemic model, we propose an e-SIRV model for the attacking behavior of worms in sensor nodes. The reproduction number is obtained to understand the spreading and fading of the malicious objects in the sensor field. With the help of MATLAB, an extensive simulation is performed to validate the developed model. From Figure 2 it is evident that the recovery rate sharply increases after a certain interval of time indicating that the antivirus software must run after every predictive time of interval. Figure 3 represents the dynamical behavior of recovered class versus the infectious class of the system under different parametric values. Figure 4 represents the local stability of infection-free equilibrium when R0 < 1 of the system under different parametric values. We establish that the worm-free equilibrium is locally asymptotically stable if the reproduction number is less than one. If we have a proper vaccination given to the sensor nodes, the susceptibility towards the attack of malicious objects will be very sharply decreased. The study will help the software organization in developing highly efficient antivirus software to minimize the attack of malicious signals in the sensor nodes. Also, the study will give an idea to the end-users for proper vaccination and regular use of antivirus software to the sensor nodes in the sensor field for making the defense mechanism strong and to minimize the attacks.
REFERENCES [1]
Mishra, B. K., Kumari, M. (2019) “Review on the history of malicious objects attacks in-network,” Indian Journal of Applied Research. Vol-9, issue-5, ISSN No. 2249-555X.
210 [2] [3]
[4] [5]
[6] [7]
[8]
[9]
[10]
[11]
[12]
[13]
Malti Kumari, Binay Kumar Mishra and R. N. Sinha www.Wikipedia.com. Mishra, B. K., Saini, D. K. (2007), “SEIRS epidemic model with delay for transmission of malicious objects in computer network,” Appl. Math. Comput. 188 (2) 1476-1482. Mishra, B. K., Saini, D. K. (2007), “Mathematical models on computer virus,” Appl. Math. Comput. 187 (2) 929-936. Mishra, B. K., Jha, N. (2007), “Fixed period of temporary immunity after run of anti-malicious software on computer nodes,” Appl. Math. Comput. 190 (2) 1207-1212. Gelenbe, E. (2007), “Dealing with software viruses: a biological paradigm,” Inform. Security Tech. Rep. 12 (4) 242-250. Gelenbe, E. (2005),” Dealing with software viuses under control,” in: 20th International Symposium on Computer and Information Sciences – ISCIS 2005, Lecture Notes in Computer Science, vol. 3733, Springer. Gelenbe, E., Kaptan, V., Wang, Y. (2004), “Biological metaphor for agent behavior,” in: 19th International Symposium on Computer and Information Science-ISCIS 2004, Lecture Notes in Computer Science, vol. 3280, Springer-Verlag, pp. 667-675. Piqueira, J. R. C., Cesar, F. B. (2008), “Dynamical models for computer virus propagation,” Math. Prob. Eng. doi: https://101155/ 2008/940526. Piqueira, J. R. C., Navarro, B. F., Monteiro, L. H. A. (2005), “Epidemiological model applied to virus in computer networks,” J. Comput. Sci. 1 (1) 31-34. Forest, S., Hofmeyr, S., Somayaji, A., Longastaff, T. (1994), “Selfnonself discrimination in a computer,” in: Proceeding of IEEE Symposium on Computer Security and Privacy, pp. 202-212. Wang, Y., Wang, C. X., (2003), “Modeling the effect of timing parameters on virus propagation,” ACM Workshop on Rapid Malcode, ACM, October 2003, pp. 61-66. Kermack, W. O., Mckendrick, A. G. (1927), “Contributions of mathematical theory to epidemics,” Proc. R. Soc. Lond. - Ser. A 115, 700-721.
Effect of Vaccination on the Attack of Malicious Objects …
211
[14] Kermack, W. O., Mckendrick, A. G. (1932), “Contributions of mathematical theory to epidemics,” Proc. R. Soc. Lond. - Ser. A 138, 55-83. [15] Kermack, W. O., Mckendrick, A. G. (1933), “Contributions of mathematical theory to epidemics,” Proc. R. Soc. Lond. - Ser. A 141, 94-122. [16] Tang, S., Li, W. (2006), “Qos supporting and optimal energy allocation for a cluster-based wireless sensor network,” Comput. Commun. 29 2569-2577. [17] Akyildiz, W., Su, Y. Sankarasubramaniam, E. Cayirci, (2002), “A survey on networks,” IEEE Commun. Mag. 40 (8). [18] Stantiford, S., Paxton, V. Weaver, 2000, in: “Proc. Of the 11th USENIX Security” Symposium (Security’02). [19] Chen, T. M., Robert, J. M. (2004), IEEE Comput. 48-53. [20] Pastor-Satorras, R., Vespignani, A. 2004, “Evolution and Structure of the Internet: A Statistical Physics Approach,” Cambridge University Press, Cambridge, UK. [21] Szor, P. 2006, “The Art of Computer Virus Research and Defense,” Symantec Press. [22] Levitt, N. (2005), IEEE Comput. 38 (4) 20-23. [23] Dagon, D., Starnear, T. (2004), IEEE Pervas. Comput. 3 11-15. [24] Mishra, B. K., Keshri, N. (2013), “Applied Mathematical Modelling” 37 (2013) 4103-4111. [25] Hale, J. K. (1980), “Ordinary Differential Equations,” second ed., Krieger, Basel. [26] Mishra, B. K., Nayak, P. K., Jha, N. (2009), “Effect of quarantine nodes in SEQIAmS model for the transmission of malicious objects in computer network,” Int. J. Math. Model. Simul. Appl. 2(1) 102113.
In: Understanding Cyber Threats and Attacks ISBN: 978-1-53618-336-8 Editors: B. Mishra and J. Piqueira © 2020 Nova Science Publishers, Inc.
Chapter 9
MATHEMATICAL MODEL ON CYBERATTACK BEHAVIOR IN E-COMMERCE Binay Kumar Mishra1 and Santosh Kumar Srivastava2, 1
Department of Physics, Veer Kunwar Singh University, Ara, Bihar, India 2 Department of Computer Applications, Vinoba Bhave University, Hazaribagh, Jharkhand, India
ABSTRACT Cybercrime is a major issue these days in e-commerce. The defense mechanism in wireless or wired networks is too weak and is always prone to attack by the cyber attacker. The cyber consumer is trapped by a cyber attacker due to their stupidity, innocence, gullibility, and silliness. The article proposes Susceptible cyber consumer-Vulnerable-AggrievedRecovered-Susceptible cyber consumer model to describe the dynamic behavior of perpetrators. The article focuses on obtaining a threshold that determines the success or failure of a cyber attack. The stress is to find the local and global stability of the system. Numerical simulations are performed to support the theoretical stability of the system.
Corresponding Author’s Email: [email protected].
214
Binay Kumar Mishra and Santosh Kumar Srivastava
Keywords: cyber consumer, vulnerable, aggrieved, recovered, ecommerce
INTRODUCTION In the modern era, people have a problem with time. E-commerce has gained more popularity these days. New groups of consumers are increasing as online trading becomes a trend of modern life. E-commerce is the digital mode of business i.e., buying, selling, transferring money, exchanging products, services, or information with the help of the internet. It can be business to business (B2B), business to consumer (B2C). It is a paperless transaction where the consumer does not know about the sellers and products physically. It is a complex structure for consumers to adopt such type of online sellers. An Industry/Organization can expand its market to national and international markets through online services. It is mostly digitalized. Consumers can book to get products24x7. Current statistics of cyber consumers in India indicate that there is a wide gap between their numbers due to risk in E-commerce. There are some risks for E-commerce users such as online security, system reliability, customer dispute, credit/debit card fraud, the return of goods, and warranty of the product. Most of the traditional consumers still do not believe in online sellers due to faceless sellers.1.92 billion global digital buyers in 2019 out of a global population of 7.7 billion i.e., 25 percent of the world’s population are shopping online. In Figure 1, it’s estimated that there were 1.92 billion global digital buyers in 2019 and the figure is expected to increase to 2.14 billion people in 2021. As per Figure 2, in 2019, ecommerce sales account for 13.7 percent of retail sales worldwide. It is expected to be 17.5 percent of retail sales worldwide by 2021. Table 1 illustrates several online sellers, their revenue, fraud amount, and the reason for fraud. It raises issues of security for online financial transactions, disputes between sellers and buyers, awareness, and privacy among parties involved. In a wireless network, a threat of malware attack, is always the greatest concern of e-commerce users that is why the gap
Mathematical Model on Cyberattack Behavior in E-Commerce 215 between internet users and cyber consumers was increasing. According to a report by the Reserve Bank of India, 2059 cyber fraud cases were reported in 2017-18 worth Rs 109.6cr. A total of 5917 bank frauds were reported and about 335 of these cases were cyber frauds [1-5]. Several mathematical models have been developed regarding malware attacks in wireless networks for network security. This research article is an attempt to develop a Cyber consumer model that has four compartments: Susceptible cyber consumer, Vulnerable Consumer, Aggrieved Consumer and Recovered Consumer. Several mathematical models have been developed, analyzed, and applied to biological diseases. We analyze the spread and control of disease with the help of a mathematical model. Kermack and Mckendrick proposed two classical epidemic models i.e., SIR(Susceptible, Infected, Recovered) and SIS(Susceptible, Infected and Susceptible models in the year 1927 and 1932 respectively[6, 7]. Kephart and white developed the first application of mathematical models related to computer malware propagation in 1992[8]. DJ model which was related to rumor developed by Delay and Kendall in 1964 [9]. L Zhao et al. developed SIHR (Susceptible, Infected-Hibernator-Removed) model[10]. The approach of this model is to investigate the effects of both forgetting and remembering. Recently Mishra et al. developed a model on the rumor epidemic model in the year 2019[12]. It is based on the confused cyber consumer in the cyber world due to rumor.
METHODS Basic Terminologies Susceptible Consumer Class In this class consumers are common people who are fully or partially dependent on online transactions. They may be attacked by the cyber attacker at any time. They all are at risk.
216
Binay Kumar Mishra and Santosh Kumar Srivastava
Figure 1. Global digital buyers and expected consumers in 2021.
Figure 2.E-commerce sales account worldwide and its estimation by 2021.
Vulnerable Consumer Class In this class cyber consumers are those people who are doing online transactions and all may be attacked by cyber attackers at any transaction. In this class, Cyber consumers who had already been trapped by cyber attackers but they do not know at a particular time they have been trapped.
Mathematical Model on Cyberattack Behavior in E-Commerce 217 Table 1. Online sellers, their revenue, fraud amount, and the reason for fraud Company
Revenue
Fraud 5 Nabbed (Rs. 10 lakh & 42 mobile seized(2018) €5400 at 11000 times (2019) Fraud leading to the arrest of two Techies(2015) Per customers pay 20000 for winning lucky draw (2019)
Amazon.in
US$232.887 billion(2018)
eBay.in
US$10.746 billion(2018)
Flipkart.com
(US$2.9billion)
SnapDeal.com
(US$130million) (2017)
Naaptol.com
628 CRORE (2017-2018)
Women losses Rs 3.55 lakh
Limeroad.com
$3 million
12 lakh dues of the retailer
Fabindia.com
$65 million
Rs 525 crore
Homeshop18.com
443.87 crore
more than 1 lakh
shopclues.com
273 crores (US$39 million) (2018)
10 lakh+ fraud by Fraudsters
Zopper.com
$1.3 million in 2015-16
Gonoise.com
$4.5 million
Togofogo.com
$1.7M(2019)
demand money to give job damaged product sale Cheat to customers
Reason of fraud Placed orders for cellphones, claimed non delivery and got free phones in return created a fake PayPal account and set up with eBay account The buyer claimed to have received vim bar instead of phones but the claim was false Fraudsters called Snapdeal customers to inform them of winning tata safari worth Rs 12 lakh Fraudsters called customers to inform them of winning scratch card and got their account details Limeroad did not pay the due amount to the retailer The khadi and village industries commission has issued a fresh legal notice seeking damage of 525 crores from the ethnic wearretail chain FabIndia over its alleged unauthorized use of the registered trademark khadi established fake call center and collected money for the lucky draw Made fake call and gave fake lucky draw scheme then asked customers to pay money to collect the prize Money Laundering Fake Job Career Destroyer after selling no service respond by executive either wrong or damaged product delivered by company
218
Binay Kumar Mishra and Santosh Kumar Srivastava
Aggrieved Consumer Class In this class, consumers are infected due to their stupidity, innocence, gullibility, and get deceived by cyber attackers and spread the message to other e-commerce cyber user to escape. Such illustration and cases have an inverse effect on other cyber consumers. Recovered Consumer Class In this class, the aggrieved consumers are recovered temporarily or permanently with the help of the legal process, proper redressal platforms, or compensation.
NOMENCLATURE Symbol X Y Z W β α γ δ A μ1 μ2
Description Susceptible cyber Consumer Vulnerable consumer Aggrieved consumer Recovered Consumer per infectivity contact rate Rate of transmission from vulnerable compartment to Aggrievedcompartment Rate of transmission from Aggrieved compartment to Recovered compartment Rate of transmission from Recovered compartment to Cyber compartment Inclusion of new consumers to the Cyber consumer class Rate at which Cyber/Vulnerable/Aggrieved/Recovered consumers become traditional consumers Rate of Aggrieved consumers class due to the attack of perpetrators.
Table 2. IC3 Complain statistics Year 2014 2015 2016 2017 2018
Number of complaints 269422 288012 298728 301580 351937
Losses in $ 800.5 1070.7 1450.7 1418.7 2706.4
Mathematical Model on Cyberattack Behavior in E-Commerce 219
A
Susceptible Cyber Consumer X
βXY
Vulnerable consumer Y
αY
Aggreived Consumer Z
γZ
Recovered Consumer W
δW μ1
μ1
μ1
μ2
μ1
Figure 3. Schematic diagram. Figure 3: Schematic diagram
HYPOTHESIS AND MODEL FORMULATION Here X(t), Y(t), Z(t), and W(t) are the susceptible cyber consumer class, vulnerable consumer class, Aggrieved consumer class, and Recovered consumer class at time t, respectively. The hypotheses are as below: (H1)A is the inclusion of new cyber consumers. (H2) Cyber consumers have become vulnerable consumers at constant rate β > 0 (H3) Due to fraud, vulnerable consumers become aggrieved consumers at a constant rate of α > 0. (H4) Due to the effect of treatment, aggrieved consumers become recovered consumers at a constant rateγ > 0 (H5) Recovered consumers become cyber consumers at constant rate δ > 0. (H6) The rate at which cyber/vulnerable/aggrieved/recovered consumers become traditional consumersμ1 > 0. (H7) The crashing rate of aggrieved consumers class due to attack of perpetrators μ2 >0.
220
Binay Kumar Mishra and Santosh Kumar Srivastava
Model Formulation 𝑑𝑋 = 𝐴 + 𝛿𝑊 − μ1 X − βXY 𝑑𝑡 𝑑𝑌 = βXY − 𝛼𝑌 − μ1 Y 𝑑𝑡 𝑑𝑍 𝑑𝑡
= 𝛼𝑌 − 𝛾𝑍 − (μ1 + μ2 )Z
(1)
𝑑𝑋 = 𝛾𝑍 − 𝛿𝑊 − μ1 W 𝑑𝑡 We assume that 𝑁(𝑡) be the total number of consumers in e_business. i.e., 𝑁(𝑡) = 𝑋(𝑡) + (𝑡) + 𝑍(𝑡) + 𝑊(𝑡)
Existence and Stability of Equilibrium For equilibrium points, we have 𝑑𝑋 𝑑𝑡
𝑑𝑌
𝑑𝑍
𝑑𝑊
= 0, 𝑑𝑡 = 0, 𝑑𝑡 = 0, 𝑑𝑡 = 0
The
equilibrium
𝐴
points(𝑃 = μ , 0,0,0 )for 1
worm-free
and(𝑋 ∗ , 𝑌 ∗ , 𝑍 ∗ , 𝑊 ∗ )for the endemic state, where X∗ =
Y∗ =
α + 𝜇1 𝛽
(γ + 𝜇1 + 𝜇2 )(δ + 𝜇1 ){ 𝜇1 (α + 𝜇1 )– Aβ} 𝛽{𝛼𝛿𝛾 − (𝛿 + 𝜇1 )(α + 𝜇1 )(γ + 𝜇1 + 𝜇2 )}
state
Mathematical Model on Cyberattack Behavior in E-Commerce 221
thus
dN dt
Z∗ =
(δ + 𝜇1 )αδ{ 𝜇1 (α + 𝜇1 )– Aβ} 𝛽{𝛼𝛿𝛾 − (𝛿 + 𝜇1 )(α + 𝜇1 )(γ + 𝜇1 + 𝜇2 )}
W∗ =
γα{ 𝜇1 (α + 𝜇1 )– Aβ} 𝛽{𝛼𝛿𝛾 − (𝛿 + 𝜇1 )(α + 𝜇1 )(γ + 𝜇1 + 𝜇2 )}
= 𝐴 − 𝜇1 𝑁 − 𝜇2 (𝑌 + 𝑍)
(2)
Hence, the total number of nodes N conveys to
𝐴 𝑁
It follows from equation (2) that limn→∞ inf 𝑁(𝑡) ≤
𝐴 𝑁
We hence study the system (1) in the following feasible region 𝐷 = {𝑋, 𝑌, 𝑍, 𝑊) ∈ 𝑅4+ : 𝑋 > 0, 𝑌 ≥ 0, 𝑍 ≥ 0, 𝑊 ≥ 0; 𝑋 + 𝑌 + 𝑍 + 𝑊 ≤ 𝐴/𝑁} Which is a positively invariant set of the system (1). At worm-free equilibrium point P, the jacobian matrix is −𝜇1 0 𝐽(𝑃) = ( 0 0 All the roots γ), −(𝜇1 + δ).
0 0 𝑊 −(𝛼 + 𝜇1 ) 0 0 ) 𝛼 −(𝛾 + 𝜇1 + 𝜇2 ) 0 0 𝛾 −(𝛿 + 𝜇1 ) are
negative
i.e.,
(3)
-𝜇1 ,−(α + 𝜇1 ), −(𝜇1 + 𝜇2 +
THE BASIC REPRODUCTION NUMBER It can be obtained by FV-1, where V and F are
222
Binay Kumar Mishra and Santosh Kumar Srivastava 𝜇 +𝛼 𝑉=[ 1 −𝛼
0 0 𝛽 ],𝐹 = [ ] (𝛾 + 𝜇1 + 𝜇2 ) 0 0
The basic reproduction number is defined as the dominant eigenvalue of FV-1. That is, 𝑅0 =
αβ (γ + 𝜇1 + 𝜇2 )(α + 𝜇1 )
𝑅0 is a basic reproduction number as the expected number of secondary cases produced by a single infection in a susceptible population. If𝑅0 < 1,the number of aggrieved consumers slowly tends to zero i.e., infected e-commerce user dies out and if 𝑅0 > 1,the infected e_commerce user persist i.e., the number of aggrieved consumers become endemic.
LOCAL AND GLOBAL STABILITY Lemma 1: If R01, P is unstable. Let 𝑓∞ = limt→∞ 𝑖𝑛𝑓𝜃≥𝑡 𝑓(𝜃) 𝑓∞ = limt→∞ 𝑠𝑢𝑝𝜃≥𝑡 𝑓(𝜃) Lemma 2: Assume that bounded real value function𝑓: [0, ∞] → 𝑅be twice differentiable withbounded second derivative. Let 𝑘 → ∞and𝑓(t k )converges to𝑓 ∞ or f∞ then, limt→∞ 𝑓 ′ (t k ) = 0
Mathematical Model on Cyberattack Behavior in E-Commerce 223 Theorem 1: If R0 0there exist𝑡0 such that 1
𝑋(𝑡) ≤ 𝐻(𝑡) ≤
𝐴 + 𝜖1 , ∀ 𝑡 ≥ 𝑡0 𝜇1
Thus 𝑋 ∞ ≤ 𝐻(𝑡) ≤
𝐴 + 𝜖1 𝜇1
𝐴
Let𝜖1 → 0 𝑡ℎ𝑒𝑛𝑋 ∞ ≤ 𝜇
1
The second equation of (1) reduced to dY dt
A
= βY μ − (α + 𝜇1 )Y 1
now taking third equation of (1) with (3)
(4)
224
Binay Kumar Mishra and Santosh Kumar Srivastava 𝑌 𝑌 ( )≤K ( ) 𝑍 𝑍
(5)
where α + 𝜇1 𝐾=( −γ
0 ) 𝜇1 + 𝜇2 + γ
Let𝑅 +, such that𝑀 ≥ max((𝛾 + 𝜇1 + 𝜇2 ) , (𝜇1 + 𝛼)) Thus𝐾 + 𝑀𝐼2×2is a strictly possible matrix if𝑊1 and𝑊2 are the eigenvalues of K then𝐺1 + 𝑀, 𝐺2 + 𝑀are eigenvalues of𝐾 + 𝑀𝐼2×2. Thus from the Perron-Frobenius theorem, 𝐾 + 𝑀𝐼2×2has a simple positive eigenvalue equal to dominant eigenvalue and corresponding eigenvector 𝑒 > 0, which implies that𝐺1 and 𝐺2 are real. If𝐺1 + 𝑀is the dominant eigenvalue of𝐾 + 𝑀𝐼2×2, then 𝐺1 × 𝐺2 and 𝑒𝐾 = 𝑒 𝐺1 obviously𝐺1 and 𝐺2 are the root of the equation. λ2 + (𝛼 + 2𝜇1 )λ + (𝛼 + 𝜇1 )(𝜇1 + 𝜇2 + 𝛾) = 0 since𝑅0 < 1 𝑓𝑜𝑟 𝜖1 > 0, sufficiently small, we have (𝛼 + 𝜇1 )(𝜇1 + 𝜇2 + 𝛾) > 0 Therefore, the coefficient of the quadratic equation (5) are +ve. Thus 𝐺1 ,𝐺2 all are -ve from equation (6) for𝑡 ≥ 𝑡0 𝑑 (𝑒[𝑌(𝑡), 𝑍(𝑡)]) ≤ 𝐺1 . 𝑒[𝑌(𝑡), 𝑍(𝑡)] 𝑑𝑡 Integrating the above in the equation, we have 0 ≤ (𝑒[𝑌(𝑡), 𝑍(𝑡)]) ≤. 𝑒[𝑌(𝑡1 ), 𝑍(𝑡1 )]𝑒 𝐺1 (𝑡−𝑡1 ) 𝑓𝑜𝑟𝑡 ≥ 𝑡1 ≥ 𝑡0
(6)
Mathematical Model on Cyberattack Behavior in E-Commerce 225 Since𝐺1 < 0, 𝑒. [𝑌(𝑡), 𝑍(𝑡)] → 0 𝑎𝑠𝑡 → ∞ Using 𝑒 > 0 we have 𝑌(𝑡), 𝑍(𝑡) → (0,0)𝑎𝑠𝑡 → ∞ By Lemma 2, we choose a sequence 𝑡𝑛 → ∞, 𝑋𝑛 → ∞(𝑛 → ∞)𝑠𝑢𝑐ℎ𝑡ℎ𝑎𝑡𝑋(𝑋𝑛 ) → 𝑋 ∞ , 𝑋(𝑡𝑛 ) → 𝑋∞ , 𝑋(𝑡𝑛 ) → 0 since𝑌(𝑡) → 0, 𝑍(𝑡) → 0 𝑓𝑜𝑟 𝑡 → ∞𝑡husthe first equation of (1) we have limt→∞ X(𝑡) =
𝐴 𝜇1
Hence by incorporating lemma1, the worm free equilibrium P is globallyasymptotically stable, If𝑅0 < 1.
NUMERICAL SIMULATIONS AND DISCUSSION Runge-Kutta method of order 4 is used to simulate the data using parmetric values for the system (1). In the modern era, the globe is moving fastly towards e-commerce and cyber consumers are becoming more vulnerable due to the cyber crime or attack which is clearly depicted in Figure 4. The reason behind this is totally unawareness or lack of knowledge. But when proper guidelines are strictly released by the e-commerce organistaions and awareness programme is launched for e-customers digitally, then the rate of recovery of the aggrieved consumers are very fast, which we can observe in Figure 5. The population who has started performing business through the cyber world all are initially supposed to be susceptible popilation, and the cyber criminals are tracking their business activities performed through net, These cyber criminals provokes the susceptible population to enter in a different domain which appears very close to the e-business platform
226
Binay Kumar Mishra and Santosh Kumar Srivastava
where the consumers want to land, but due to their ignorance the consumers due to their ignorance lands in some different domain ans are trapped causing financial loss and mistrust towards e-commerce. This scenario is depicted in Figure 6. The bahaviour of aggrieved customers and vulnerable consumers in different times with the real parametric values is depicted in Figures 7, 8, and 9.
Figure 4. Propagation of consumer on time.
Figure 5. Recovered consumer versus aggrieved consumer.
Mathematical Model on Cyberattack Behavior in E-Commerce 227
Figure 6. Vulnerable consumer versus susceptible cyber consumer.
Figure 7. Aggrieved consumer versus vulnerable consumer.
228
Binay Kumar Mishra and Santosh Kumar Srivastava
Figure 8. Aggrieved consumer versus time with different parameterized value.
Figure 9. Vulnerable consumer on time with different parameterized values.
Mathematical Model on Cyberattack Behavior in E-Commerce 229
CONCLUSION This chapter is designed to give us a better understanding of how cyber consumers trapped by cyber attackers due to their stupidity, innocence, and silliness. The basic reproduction number (R0) is calculated if the reproduction number is less than one epidemic dies out and if the reproduction number greater than one it becomes endemic. Local asymptotic and global asymptotic stability is established. Numerical simulations using MATLAB is performed to validate the model developed. Managerial insight is provided in this chapter to conclude that awareness programme or e-business guidelines by the organization doing e-commerce must be widely circulated to all the e-customers so that they do not get trapped by the cyber criminals and perform their business activities smoothly.
REFERENCES [1] [2] [3] [4] [5] [6]
[7]
[8]
Ecommerce Foundation. Global B2C E-commerce Report 2016. Ecommerce Foundation. Global B2C E-commerce Report 2015. Ecommerce Foundation. Global B2C E-commerce Report 2014. https://www.statista.com. https://desidime.com/stores/provogue/reviews. Kermack WO, McKendrick AG. Contribution to the mathematical theory of epidemics. In: Proceedings of the Royal Society of London Series a-Containing Papers of a Mathematical and Physical Character (Kermack and McKendrick 1927, p. 700-21). Kermack WO, McKendrick AG. Contributions to the mathematical theory of epidemics. II. The problem of endemicity. Proc. R. Soc. Lond. A. (Kermack and McKendrick 1932, 138(834):55-83). Kephart JO, White SR. Directed-graph epidemiological models of computer viruses. In: Computation: the micro and the macro view (Kephart and White 1992, p.71-102).
230 [9]
Binay Kumar Mishra and Santosh Kumar Srivastava
Daley DJ, Kendall DG. Epidemics and rumours, Nature (Delay and Kendall 1964,204(4963):1118). [10] Zhao L, Wang J, Chen Y, Wang Q, Cheng J, Cui H. SIHR rumor spreading model in social networks. Physica A (Zhao et al.2012, 391(7):24 44-53). [11] Hale JK. Ordinary differential equations. Basel: Krieger (Hale 1980, 2nd ed.). [12] Keshri K, Mishra BK, Rukhaiyar BP. When rumors create chaos in eCommerce, Chaos Solitons Fractals (Keshri and Mishra 2019,218).
In: Understanding Cyber Threats and Attacks ISBN: 978-1-53618-336-8 Editors: B. Mishra and J. Piqueira © 2020 Nova Science Publishers, Inc.
Chapter 10
UNDERSTANDING CYBER THREATS AND CYBER ATTACKS ON SATELLITES Jyoti Kumari Gupta1 and Dinesh Kumar Saini2 1
Department of Computer Applications, Vinoba Bhave University, Hazaribag, India 2 India and Ex-Dean Faculty of Computing and Information Technology, Sohar University, Oman
ABSTRACT Cyber Space is becoming more competitive and there is a race of superiority, resilience, and capability. In this chapter, we introduce the latest developments that happened in the field of cyberspace and special emphasis is given on satellites. We introduce the concept of cyberspace, cyber-attack, and cyber defense. Satellite is the most important asset for any nation in the world, many countries use satellite for many purposes:navigation, communication, defense system, monitoring, multiple applications, and remote sensing, etc. Satellites gather intelligence, provide surveillance, and perform reconnaissance. These satellites prone to cyber-attacks are making them vulnerable. Satellite protection is a challenging task and too expensive & needs a lot of innovation and money.
232
Jyoti Kumari Gupta and Dinesh Kumar Saini
Keywords: satellite, cyber space, cyber-attack, malicious objects
INTRODUCTION In this chapter, we introduce the concept of cyber-attack on satellites, which is one of the emerging challenges in today’s world. These satellites can be hacked, interference, or even can be jammed. These attacks will stop world communication and phone lines. It will stop internet services. Satellites must be designed to avoid cyber-attacks (Kallberg, J. (2012). The impact of cyber-attack on human life will be very serious. Hackers can hack the satellite and can install malicious software that can alter the functionality of the satellites. Cyberspace has very expensive scientific equipment used for various purposes and these are very crucial for the nations, protecting these satellites is a very difficult task. Satellites are a major source of transmission of data and intrusion into these satellites is one of the major challenges. Satellite networks are very vulnerable because of human factors and the supply chain (Cohen, J. E., 2007). Satellites are made of thousands of hardware parts manufactured by various vendors in different countries which are called supply chain vulnerabilities, which may be used by the threat actors. Satellites have two components on the ground and space in which both of them are prone to attacks. Satellites are having purpose and functionality and both can be targeted for attack by sophisticated criminal groups, nations, and high-end amateurs. Since our systems are so interconnected there is also a huge threat that automated malicious code will one day make its way from corporate IT systems into ground stations and from there to space components.
2. SMALL SATELLITES Small satellites number are expanding quickly, the reason is that the investment required is day by day reducing due to cheaper Commercial off
Understanding Cyber Threats and Cyber Attacks on Satellites
233
the Shelf (COTS) hardware, open-source software, and Ground Stationsas-a-Service; this increases the likelihood of a cyber-attack significantly. The satellite has two main threats, which are to ground station infrastructure and the open-source software and COTS hardware, installed onboard satellites. By far the easiest of these to attack is the ground-based infrastructure, which will be internet-connected and operated by humans (who are much easier to ‘hack’ than computers, via social engineering and phishing attacks).” The low orbit of the Low-Earth Orbit (LEO) satellites are accessible than the Geostationary Orbit (GEO) satellite, from an RF power perspective. The satellites may have their kind of denial of service vulnerabilities, but Clifton believes the kind of modulation and encryption technologies available today should help to reduce cyberattacks. These new LEO constellations as a form of internet backbone — essentially an interconnected set of routers flying around the earth at high speed and exchanging broadband data with each other and with ground assets. Crystal Lister, senior director of insider and cyber threats, GPSG, believes the number of satellites going up does not necessarily increase the likelihood of a major attack. But, rather, it increases the size of the attack surface that security teams must defend. “A determined attacker only has to successfully penetrate your controls once while defenders have to be successful every time” (Ruttenberg, B.,et all 2017).
3. VULNERABILITIES Most of the systems are vulnerable to attacks no system can claim to be foolproof. Some of the vulnerable components which are like inconsistent software patching, weak encryption, and old IT equipment are key vulnerabilities to satellite networks. Legacy satellite communications platforms are not easily updated and must undergo significant testing to ensure that upgrades for communications, encryption, with next-generation platforms system functions.”
234
Jyoti Kumari Gupta and Dinesh Kumar Saini
Lister says “a satellite could be attacked simply because it has been identified by the bad guys as a target of opportunity (e.g., out of date patches, legacy IT, or OT system vulnerabilities) and that risk only increases”. Gourley says that because the software on satellites is designed by humans, this will mean it will have flaws that are not discovered until the systems are on orbit. “It is hard to keep Earth-based systems patched, just think of how hard it is to safely keep on-orbit systems patched! This means space-based systems will always have vulnerabilities that need to be mitigated,” he says. “Most all our satellites are designed to send and receive data. That is how they are controlled and how they pass the value back to the earth. By their very nature, they must be connected. This means we will always need to be on the lookout for vulnerabilities to mitigate” (Gourley, S. K. 2014). Davis adds, “Although technically possible, the resources required to attack the telemetry, tracking, and control (TT&C) communications links. This type of attack is most likely to be restricted to the nation-state. However, it is much easier to trick the people with legitimate access to the control infrastructure (via social engineering or phishing attacks) into unwittingly providing systems-level access to hackers attacking over the internet”(Davis 2014).
4. SECURITY IS MOVING TARGET Hackers can target key people who are involved in satellite communication or systems operators or key personnel with privileged systems access at the ground station. Hackers can use a spear phishing campaign via email and social media in order to trick them into inadvertently providing access to their workstation and then onto satellite control systems. These systems could then be manipulated over the internet to control the satellites or gain access to sensitive data.”
Understanding Cyber Threats and Cyber Attacks on Satellites
235
Human is the weakest link in the security chain, past data proves this and shows around 60 percent attacks are done by insiders often unwitting. Increasingly, however, given the ubiquity of IP connectivity, the threats are coming from external actors, including nation-states. “Ground systems are the most vulnerable weak points in a hierarchy that starts with the TT&Cs/Satellite Operations Centers (SOCs) and flows down through the Network Operation Centers (NOCs) and gateways, teleports, and earth terminals.
5. WHAT THE INDUSTRY NEEDS TO DO MOVING FORWARD New technologies are emerging like IoT, IoP, IoV, and 5G and it will be creating new kinds of challenges. The satellite industry is moving fast, building cyber and human-focused security measures into the systems from their inception, good cyber hygiene, limited privileged access, clean supply chain, and third-party governance and an understanding and appreciation of the cyber-physical security convergence that needs to take place to protect these systems and assets will be key. “You cannot prevent targeting of your systems or attempted attacks. You can seek to prevent, detect, and respond to incidents. Acknowledge the threats to your unique critical assets, evaluate your security posture, identify any vulnerability, and pursue risk mitigation strategies to enhance your defenses. It will be critical that IT and OT teams in the satellite sector work from the same business continuity or disaster recovery playbook when an incident does occur to contain the event efficiently and minimize negative impacts.”
6. NEW SPACE COMPANIES AND THE CYBER QUESTION The satellite sector is seeing a wave of innovation right now. However, as attractive as “NewSpace” is, it brings a great deal of risk that perhaps
236
Jyoti Kumari Gupta and Dinesh Kumar Saini
did not previously exist in the industry. Tergal says “everyone should be worried” about the potential for a hack here. He says. “New and start-up satellite companies should have a higher sense of what the cyber risks are going into the market and understand that they are not just building satellites, they are building an information ecosystem, that if breached and used for the wrong intent could have catastrophic consequences and place millions of lives in danger.” Gourley also adds a note of caution. He says, “At this point, mitigating the cyber threat seems to require much more attention than it is getting.” Davis adds, “All companies who are deploying assets into space should be made aware of the cyber risks, especially new companies who are racing to be first-to-market with their unique satellite-based application and not necessarily considering how their systems may potentially be compromised by hackers.” With an industry high on innovation and a huge-start up culture developing, these are fundamental questions. It will be interesting to see what happens over the next few years as these companies come to market, and whether, when, and how they might be targeted. VS
6.1. Cyber Attacks In cyber-attack, it is said to be a planned attack or done for any purpose. Malicious software is used for such an attack. Malicious is an adjective which is based on noun malice, which means the desire to harm others. So, a cyber-attack is maliciously done by individuals/organizations to break/harm the information system of another individual or organization. Sometime or usually the attacker gets some benefit for disturbing the victim’s network. Common types of cyber-attacks:-malware, phishing, man –in –the –middle attack, denial-of-service attack, SQL injection, zero-day exploit, DNS tunneling. Malware term is used for malicious software. Such as -spyware, ransomware, viruses, and worms. Malware enters into victim computer when he/she click on a dangerous link or email attachment which content
Understanding Cyber Threats and Cyber Attacks on Satellites
237
such types of risky software. Spyware infects any device and attackers gain access to sensitive information such as passwords, banking detail, etc. Ransomware is another type of malware, the malware can block the victim’s computer/system. Victims can’t access the system due to the encrypting of the data on such a system. Cybercriminals demand ransom to regain access to the system or data to the victim. Phishing is an increasingly common cyber threat. Such type of cyber-attack uses disguised email as a weapon the goal of such types of email, that recipient believes that the message is something they want or need a request from a bank or someone or anyone in the company and to click on link or download attachment. A man-in-the-middle attack (MITM) also known as eavesdropping attacks occur when attackers observe two-party communication and attackers insert into this communication. Attackers can filter and steal data. Denial-of-service attack or DOS attack is used to tie up the website’s resources .in this if users want to need to access the site/web page he/she cannot do so. SQL injection occurs when the attacker inserts malicious code into the server. Such type of server uses SQL. The attacker forces the server to reveal information. Zero days exploit is a cyber-attack that occurs on the same day a weakness is discovered in software at that point, it’s exploited before a fix becomes available from its creator. DNS tunneling is a cyber-attack that encodes the data of other programs or protocols in DNS queries and responses. Different types of wi-fi attacks that hackers use to eavesdrop on the wireless network are to obtain passwords and spread malware. The main types of wi-fi attacks:fake wi-fi access points, evil twins and man-in-the-middle attacks, packet sniffing, wardriving, war-shipping, MAC spoofing, etc. In spaced-based satellites, there are different types of threats:-jamming, spoofing to hacking communication, or navigation controls. When a signal comes from a satellite, upwards and downward signals are hacked by attackers. When signal jammed or spoofed by attackers the satellite alteration can be possible, incorrect information can be received by satellite and also sent to the satellite. They jam, hack, and exploit the signals gaining access to the satellite system.
238
Jyoti Kumari Gupta and Dinesh Kumar Saini
INSAT-4B was put into orbit in March 2007; according to two former engineers, who work in the ISRO’S liquid propulsion systems center, the Siemens software used in Siemens S7-400 PLA, activate the Stuxnet worm, resulting 24 transponders shutting down. Stuxnet worm only strikes a satellite’s PLC. PLC’s main function is to control the entire “logic of the spacecraft,” basically input and output signal. The Stuxnet worm was first discovered in June, a month before INSAT-4B was crippled by power failure. Above define cyber-attack affect the performance of space-based satellite station. In the ground station, the use of transmitters, satellite dish and up converter and other few things can easily be hacked and gained control over the satellite. India’s largest nuclear power plant called the Nuclear Power Corporation of India Limited (NPCIL) became a sufferer of a cyber-attack. India Space Research Organization (ISRO) also becomes a sufferer of a cyber-attack. According to a report published in ‘Indian Express’, ISRO become the sufferer of the Dtrack malware attack during chandrayaan2 lunar launch (launch date 22 July 2019). Attackers use DDOS technique when they insert foreign devices on ground satellites this device decrypts and decode system with this access attackers significant damages in the country and gain access to financial information and some skilled attackers use very small aperture terminals (VSATS) to penetrate of factories and industries. Australian defense forces are strongly dependent on satellite communication. Cyber-attacks on satellite not like physical attacks, don’t create massive clouds. If attacks are successful, target satellites are disabled, disrupted, damaged, or hijacked to provide false information but remain intact. Satellite is very vulnerable to cyber-attacks. Space-based satellite receives more attacks than ground satellites. Satellites are the most crucial asset and they control more than 80% of world operation activity, hence its security should be world priority.
Understanding Cyber Threats and Cyber Attacks on Satellites
239
7. CYBER DEFENSE Cybercrime is moving from the annoying server crashes or big corporations targeting small businesses and direct user hacks. The cyber defense used to be a concern for large companies and government agencies, not the average person. But now there is a new breed of hackers who target an individual’s smartphone, credit card payments, and personal data stored by small to medium-sized companies. Cyber defense is all about giving an entity the ability to thwart cyberattacks on the go through cybersecurity. It involves all processes and practices that will defend a network, its data, and nodes from unauthorized access or manipulation. The most common cyber defense activities will include:
Installing or maintaining hardware and software infrastructure that deters hackers Analyzing, identifying and patching system vulnerabilities Real-time implementation of solutions aimed at diffusing zerohour attacks Recovering from partially or fully successful cyber attacks
8. CYBER ATTACKS ON SATELLITES The life of satellites varies in terms of time and functionality between 5 to 30 years. Space has thousands of active satellites launched by various countries. Some of the satellites are inactive state. Transponders of these satellites are actively working for transmission of signals and used for communication. Supervisory control and data acquisition (SCADA) systems present in the satellite systems are considered a strategic vulnerability and have drawn growing attention in recent years.
240
Jyoti Kumari Gupta and Dinesh Kumar Saini
CONCLUSION Cyber Security for satellites is a big concern. Threats are emerging due to increasing networking of Space Systems, Use of low-provenance software and hardware and Identify System Security Requirements & Fix. New Techniques & Tools Can Help, like Static & dynamic code analysis and Code augmentation to “fight through” attacks. The designed message board and scenario graph approach are efficient for community detection and team forming applications.
REFERENCES Kallberg, Jan. “Designer satellite collisions from covert cyberwar.” Strategic Studies Quarterly 6, no. 1 (2012): 124-136. [2] Cohen, Julie E. “Cyberspace as/and Space.” Colum. L. Rev. 107 (2007): 210. [3] www.cisco.com/cyber attack-what are common cyber threats. [4] www.cyware.com/staying safe from cyber threats in wired networks. [5] www.webtitan.com/ wireless network attack cyber security-how vulnerable are satellites-to cyberattacks by Dr. Alexroney Mathew. [6] www.forbes.com/did the Stuxnet worm kill India’s INSAT-4B satellite. [7] www.cybersecurityinsiders.com/india’s ISRO became a victim of malware cyber attack. [8] www.aspistrategist.org.av/the cyber threat to satellites. [9] Finch, James P., and Shawn Steene. “Finding Space in Deterrence: Toward a General Framework for “Space Deterrence.” Strategic Studies Quarterly 5, no. 4 (2011): 10-17. [10] Brown, Lawrence V. Cyberterrorism and computer attacks. Novinka Books, 2006. [1]
Understanding Cyber Threats and Cyber Attacks on Satellites
241
[11] Wilson, Clay. Botnets, cybercrime, and cyberterrorism: Vulnerabilities and policy issues for congress. Library of Congress Washington DC Congressional Research Service, 2008. [12] Ruttenberg, Brian, Dave Blumstein, Jeff Druce, Michael Howard, Fred Reed, Leslie Wilfong, Crystal Lister, Steve Gaskin, Meaghan Foley, and Dan Scofield. “Probabilistic Modeling of Insider Threat Detection Systems.” In International Workshop on Graphical Models for Security, pp. 91-98. Springer, Cham, 2017. [13] Gourley, Stephen K. “Cyber sovereignty.” Conflict and Cooperation in Cyberspace: The Challenge to National Security (2014): 277-290. [14] Davis, Paul K. “Deterrence, influence, cyber-attack, and cyber war.” NYUJ Int'l L. & Pol. 47 (2014): 327.
ABOUT THE EDITORS
Bimal Kumar Mishra, PhD, DSc Principal Markham College of Commerce, Hazaribag, India Email: [email protected] Professor Dr. Bimal Kumar Mishra was born in Matwari, Hazaribag, India in 1969. He received the MSc degree in Operational Research and MSc in Mathematics from University of Delhi, Delhi. He received his PhD in 1997 from Vinoba Bhave University, Hazaribag, India and DSc in 2007 from Berhampur University, Odisha, India. From 2001 to 2007 he worked as a faculty member at BITS, Pilani, India and from 2007 to 2017 at BIT, Mesra, Ranchi, India as a Professor and Head, Department of Mathematics. Currently he is a Principal at Markham College of Commerce, Hazaribag. His research interests includes nonliner dynamics and very specifically developing mathematical models on cyber attack/defense/crime, and
244
About the Editors
infectious diseases. He has published more than 130 research papers in international journals of repute. He has supervised around 20 PhD students.
José Roberto Castilho Piqueira, PhD Professor Escola Politécnica da Universidade de São Paulo, Brazil Email: [email protected] Professor Dr. José Roberto Castilho Piqueira was born in Sorocaba, SP, Brazil, in 1952. He received the BS, MS, and PhD degrees in electrical engineering from Universidade de São Paulo in 1974, 1983, and 1987, respectively. From 1974 to 1994, he worked in several telecommunication projects for Brazilian electronic and service industries, designing and developing circuits, equipment, and systems. Since 1994, he has been dedicated to teaching and research at Escola Politécnica da Universidade de São Paulo, and participating in projects for Brazilian Oil Agency and Brazilian Navy. Currently, he is a Full Professor, working with time distribution networks and running a laboratory where analytical and numerical studies support electronic and optical experiments, considering the several possible topologies and quantum control models. Besides, as synchronous complex networks appear in many aspects of human life, he works with some biological models by using differential equations and proposing complexity measures for some spreading phenomena. Considering his areas of interest, he published about a hundred of complete papers in international periodicals.
INDEX A
C
Advanced Metering Infrastructure (AMI), 66, 75, 77, 82, 83, 97 aggrieved, 213, 214, 215, 218, 219, 222, 225, 226, 227, 228 analysis, 5, 16, 17, 32, 33, 40, 59, 60, 61, 62, 63, 87, 88, 93, 96, 98, 99, 100, 101, 102, 110, 115, 123, 127, 128, 131, 133, 134, 135, 137, 139, 140, 141, 142, 144, 145, 146, 147, 149, 152, 161, 175, 183, 194, 195, 240 availability, 9, 14, 21, 66, 74, 75, 79, 82, 83, 85, 86, 89, 96
cluster, 118, 211 collective paradigm, 145 collective security, 144 community of practice, 144, 146 confidentiality, 14, 66, 79, 81, 83, 96 cyber consumer, 213, 214, 215, 216, 218, 219, 225, 227, 229 cyber domain, 166, 167, 184, 190 cyber governance, 166, 172, 184 cyber interdependency, 66 cyber law, 166 cyber policy, 166 cyber security, 16, 66, 79, 84, 94, 96, 100, 154, 155, 156, 157, 158, 159, 160, 171, 173, 174, 176, 183, 185, 186, 187, 188, 189, 191, 192, 195, 240 cyber security knowledge, 160 cyber space, 231, 232 cyber-attack, 5, 65, 66, 67, 68, 73, 76, 79, 81, 82, 83, 84, 85, 86, 87, 89, 92, 94, 95, 97, 98, 231, 232, 233, 236, 237, 238, 241 cybersecurity, vi, 1, 2, 3, 4, 9, 11, 12, 13, 15, 16, 18, 19, 23, 24, 25, 26, 27, 28, 29,
B beliefs, 144, 145, 146, 148, 149, 151, 153, 160, 164 bifurcation, 31, 32, 33, 38, 39, 40, 51, 57, 58, 59, 60, 61, 62, 63, 118, 128, 132, 133, 137, 142
246
Index
94, 98, 100, 143, 145, 146, 147, 148, 149, 150, 153, 154, 155, 156, 160, 165, 166, 167, 168, 169, 171, 172, 173, 174, 175, 176, 178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195, 239 cyber-security interventions, 144 cybersecurity knowledge, 149, 150
D decision-making, 80, 144, 145, 146, 153, 160 disease-free, 118, 124, 128, 135 Distributed Denial of Service (DDoS) attack, 95, 104, 105, 106, 108, 113, 114, 139 Distribution Network Operators (DNOs), 76
E e-commerce, 114, 213, 214, 218, 222, 225, 226, 229 Electricity Information Sharing and Analysis Centre (EISAC), 89, 99 epidemic model, 31, 33, 60, 61, 62, 105, 106, 113, 114, 137, 140, 141, 142, 197, 198, 199, 200, 209, 210, 215 equilibrium point, 36, 37, 38, 41, 42, 59, 104, 106, 111, 112, 118, 132, 135, 197, 202, 203, 204, 205, 206, 220, 221
H holistic approach, 84, 145, 166 Human-Machine Interface (HMI), 2, 91, 92, 93
I Industrial control system (ICS), 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 16, 18, 20, 21, 25, 27, 28, 66, 67, 90, 99 Information and Communication (ICT), 65, 66, 70, 71, 72, 73, 74, 96, 101, 188, 193 integrity, 14, 21, 26, 65, 66, 79, 80, 81, 82, 85, 96, 124, 199 Internet of Things (IoT), v, 1, 2, 19, 25, 103, 104, 105, 106, 107, 108, 110, 113, 136, 139, 235
L local stability, 106, 111, 112, 197, 209
M malicious objects, v, vi, 31, 110, 114, 197, 198, 200, 209, 210, 211, 232 malware, v, 5, 6, 9, 16, 27, 28, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 49, 57, 59, 62, 90, 92, 93, 103, 104, 105, 135, 139, 140, 214, 215, 236, 237, 238, 240 mental models, vi, 143, 144, 145, 146, 147, 148, 161, 162, 163, 164 mixed, 148 mixed method design, 148
N national cybersecurity strategy, 165, 166, 167, 169, 171, 172, 173, 174, 175, 178, 179, 181, 182, 183, 184, 187
Index O oil and gas, 1, 2, 3, 4, 5, 7, 9, 14, 16, 17, 18, 19, 20, 22, 23, 25, 26, 27, 29, 76, 95
P Power Line Carrier (PLC) systems, 9, 61, 75, 77, 101, 238 practices, 9, 26, 145, 146, 148, 149, 151, 152, 153, 158, 159, 165, 173, 175, 176, 179, 180, 182, 187, 190, 194, 195, 239 Programmable Logic Controller (PLC), 2, 9, 14, 61, 75, 77, 101, 238
247
supervisory control and data acquisition (SCADA), 2, 22, 66, 75, 76, 77, 91, 93, 239 Susceptible - Infected - Recovered Susceptible (SIRS), 31, 33, 59, 60, 61, 62, 117, 118, 120, 123, 125, 126, 130, 140, 141, 198, 215 symbolic meaning, 151, 152
T targeted attack, 104 themes, 152, 153, 154, 156, 159, 161, 163
U R recovered, 31, 34, 35, 47, 48, 107, 123, 125, 198, 199, 200, 201, 206, 207, 208, 209, 213, 214, 215, 218, 219, 226 Remote Telemetry Units (RTUs), 76
U.S. Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team (ICSCERT), 5, 6, 66, 67, 89
V S satellite, 231, 232, 233, 234, 235, 236, 237, 238, 239, 240 security decisions, 145, 148, 155, 157, 160 shared security belief(s), 154, 156, 159 smart energy system, 66, 67, 68, 70, 71, 74, 78, 82, 83, 84, 96, 98 stability, 31, 32, 33, 38, 39, 40, 43, 51, 57, 59, 60, 62, 63, 104, 112, 113, 118, 128, 132, 134, 135, 137, 140, 141, 202, 204, 208, 213, 220, 222, 229
vaccination, vi, 128, 129, 131, 133, 137, 197, 198, 199, 200, 209 Virtual Private Networking (VPN), 3, 76, 84, 86, 90, 93, 97 vulnerable, 9, 12, 71, 72, 76, 95, 104, 105, 106, 108, 213, 214, 215, 216, 218, 219, 225, 226, 227, 228, 231, 232, 233, 235, 238, 240
W wireless network, vi, 32, 63, 95, 103, 104, 105, 106, 110, 197, 200, 214, 237, 240