Browse by Supervisor "Katsaros, Panagiotis"
Item: Securing critical infrastructures at software and interdependency levels
Stergiopoulos, George; Athens University of Economics and Business, Department of Informatics; Gritzalis, Dimitris; Mavridis, Ioannis; Katsaros, Panagiotis
A critical infrastructure is the backbone of a nation's economy, security and health. It is those infrastructures that provide power and water to homes and support the transportation and communication systems people rely on. The criteria for determining what might be a critical infrastructure, and which infrastructures thus qualify, have expanded over time (DHS, 2013). A critical infrastructure is defined as those assets, systems and networks, whether physical or virtual, so vital to a country that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof (DHS, 2013). At the very least, a growing list of infrastructures in need of protection will require the federal government to prioritize its efforts and try to minimize the impact on the nation’s critical infrastructures of any future failure of any kind (e.g. terrorist attack or systems failure) while taking into account what those impacts might be and the likelihood of their occurring (Motef et al., 2003). Considering all the above, it is obvious that critical infrastructures, along with their services and systems, must be protected against all types of failures, both human-made and natural phenomena. Critical infrastructures provide services needed for a nation to function properly and support its citizens, such as the health care system, transportation, communications etc. Moreover, failures in these infrastructures can be triggered by attackers in order to maim a nation and/or to increase revenues (e.g. theft, information leakage etc). 
Up until now, research has focused on securing critical infrastructures by utilizing Risk Assessment methodologies based on ISO standards (like ISO 27001), security audits and penetration tests on their information systems. However, little progress has been made in securing infrastructures from failures in other, interconnected infrastructures on which they depend to work efficiently. Modern infrastructures are often dependent on other infrastructures to function properly. This necessity has led to the development of complex networks of interdependent infrastructures. These dependency graphs hide information about what will happen if a failure occurs; in other words, they are as safe as their most critical path of interdependencies and as exposed as their most dangerous node. In addition (and at a lower granularity level), high-level software applications nowadays are capable of controlling important machinery in critical infrastructures from a distance. Even though it is common knowledge that software applications manifest flaws in their business logic implementation (either due to user or programming errors), little to no effort has been made in finding a way to secure the software assets that handle important machinery inside critical infrastructures from user error. Logical flaws might lead to a serious critical infrastructure failure and even initiate cascading effects between interconnected infrastructures. In this context, the process of analyzing the security of a critical infrastructure appears to be twofold: First and foremost, we must not only secure each infrastructure alone, but must also be in a position to pinpoint potential cascading effects amongst dependent critical infrastructures and analyze what their impacts would be along with the likelihood of their occurring, same as proposed for a single critical infrastructure in (DHS, 2013). 
At the same time, since software has taken all the burden of controlling most parts of a CI, securing a critical infrastructure means securing its information systems at a software level; i.e. to secure the application ecosystem used to control a critical infrastructure by offering mechanisms that protect critical infrastructures from software vulnerabilities yet to be dealt with. This work approaches security in critical infrastructures by developing possible, practical solutions for both aforementioned granularity levels of infrastructure protection. This work differs from the mainstream security literature concerning the protection of critical infrastructures by (a) developing a combined multi-methodology able to pinpoint and assess cascading failures amongst critical infrastructures, (b) developing algorithms and strategies that can be implemented for the detection of infrastructures that affect many other CIs and for successful risk mitigation in interconnected infrastructures and (c) developing a method for the automatic detection of logical errors, race conditions and vulnerabilities in high-level software used in CIs; specifically, in software able to remotely control machinery in critical infrastructures. To the best of our knowledge, this is the first method able to detect logical errors in diverse situations and diverse types of software. Although our initial target was to use the aforementioned method in software handling machinery, the method can be used on a wider basis to detect business logic errors in all types of software. To raise the bar, this dissertation also presents two novel tools, PLATO and CIDA, which are manifestations of the proposed methods for securing critical infrastructures at both analyzed granularity levels. These tools perform automated analysis and do not require significant technical expertise from users. Specifically, PLATO is a tool able to automatically detect some types of logical errors in software. 
Amongst other experiments, it was used to detect logical errors in high-level software capable of controlling infrastructure machinery remotely. Furthermore, a macroscopic prediction model that identifies potential dangerous dependency chains between critical infrastructures and the evolution of hazards over the course of time is proposed, coupled with a graph theory analysis model able to pinpoint dangerous standalone critical infrastructures that greatly affect the overall stability of a graph of interconnected critical infrastructures. These methods were implemented in CIDA, a tool that can model cascading effects between infrastructures, analyze the evolution of hazards and, finally, pinpoint dangerous CIs able to cause massive damage in multiple interconnected infrastructures if a failure were to manifest on them. As a case study, this work utilizes known real-world cascading failure scenarios and software applications to test both developed tools. On the one hand, it explores whether – and under which circumstances – logical errors that affect execution and cause failures can be detected in source code (the PLATO tool). On the other, it analyzes real-world cascading effect scenarios like the California Blackout Scenario to test whether the interdependency analysis methodologies can efficiently detect cascading failures and dangerous CIs. This work provides evidence suggesting that more work is required for the protection of critical infrastructures, while they use high-level software to control machinery and, at the same time, are dependent on other infrastructures also prone to failures. This thesis interpolates material from three journal papers by the author and from various conference papers (Stergiopoulos, 2012) (Stergiopoulos, 2013) (Stergiopoulos, 2014) (Stergiopoulos, 2015). Chapter 3’s research core is based on (Vigna, 2011) and some of the aforementioned publications coauthored with Ass. Prof. Panagiotis Katsaros and Prof. Dimitris Gritzalis, respectively. 
Some material from each of these papers has also been incorporated into this introductory Chapter. Meanwhile, Chapters 4 and 5 use material from (Kotzanikolaou, 2010) (Kotzanikolaou, 2011) (Kotzanikolaou, 2012) (Kotzanikolaou, 2013) along with two of the aforementioned journals (Stergiopoulos, 2015) (Stergiopoulos, 2015), coauthored with Ass. Prof. Panagiotis Kotzanikolaou and Prof. Dimitris Gritzalis.