Reasoning about Critical Infrastructure Dependencies for Vulnerability Discovery

Malice aside, even the pursuit of legitimate local goals such as cost minimisation, availability, and resilience in subsystems of a Critical Information Infrastructure (CII) can induce subtle dynamic behaviours and dependencies that  endanger higher-level goals and security of services. However, in practice, the subsystems of a CII may not be entirely cooperative, potentially having different and perhaps conflicting management goals; and some subsystems may be malicious or untrustworthy. Consequently, vulnerabilities may arise accidentally or deliberately through the dependency on subsystems with conflicting goals, or systems which might contain potentially rogue elements. 

This talk is about aspects of our work in the SATURN project. In the talk I will present our conceptual model and analytical framework for reasoning about dependencies in CIIs. I will also talk about a recent experiment on the Cyber Range (a Cyber war-gaming environment for high-fidelity stress-testing of enterprise and information infrastructures), that shows how the interaction between enterprise policies at various organisations can compromise an information-layer policy of a customer.