Reasoning about Vulnerabilities in Dependent Information Infrastructures: A Cyber Range Experiment Adedayo O. Adetoye, Sadie Creese, and Michael H. Goldsmith Cyber Security Centre Department of Computer Science University of Oxford Oxford, OX1 3QD, UK {adedayo.adetoye,sadie.creese,michael.goldsmith}@cs.ox.ac.uk http://www.cybersecurity.ox.ac.uk/ Abstract. Malice aside, even the pursuit of legitimate local goals such as cost minimisation, availability, and resilience in subsystems of a critical information infrastructure (CII) can induce subtle dynamic behaviours and dependencies that endanger higher-level goals and security of services. However, in practice, the subsystems of a CII may not be entirely cooperative, potentially having differ- ent and perhaps conflicting management goals; and some subsystems may be malicious or untrustworthy. Consequently, vulnerabilities may arise accidentally or deliberately through the dependency on subsystems with conflicting goals, or systems which might contain potentially rogue elements. We have developed an analytical framework for reasoning about vulnerabilities and risks in dependent critical infrastructure. To validate the analytical framework we have carried out a series of experiments on a Cyber Range facility, simulating dependent informa- tion infrastructures. This paper presents results obtained from the experiments. Keywords: Dependent Information Infrastructure, Analytical Tools, Cyber Range Experiment. 1 Introduction Critical Information Infrastructures (CIIs) seldom operate in isolation. Often they are built, and sometimes they organically emerge from smaller (perhaps autonomous) sub- systems. Thus, the services provided by CIIs may rely on subsystems with various de- grees of quality and which have complex dependency relationships between them. Even though the typical CII will be distributed, emergent, and connected together via com- plex dependency relationships; from the user’s perspective, the services that the CII provides must operate transparently, securely, and efficiently regardless of the struc- ture or complexity of the underlying system. When dealing with critical infrastructures however, guaranteeing quality is even more important, because not meeting service re- quirements or violating policies can have very dire consequences. In order to provide guarantees about services with respect to the user requirements, various subsystems of the CII may have to collaborate together. This is not always possible because the systems may fall under different administrative boundaries with B. H¨ ammerli, N. Kalstad Svendsen, and J. Lopez (Eds.): CRITIS 2012, LNCS 7722, pp. 155–167, 2013. c  Springer-Verlag Berlin Heidelberg 2013