An approach to modelling and mitigating infrastructure interdependencies

2006 
of Internet-oriented infrastructure systems, such as web server compounds, is reasonably well understood. Although it is not completely mastered (for example, denial of service is still a research subject), it is receiving adequate attention. However, such is not the case with the problem of resilience of critical utility infrastructures, such as energy transport networks (electricity, gas), telecommunication, water, etc. This problem is not completely understood, mainly due to the hybrid composition of these infrastructures [1]. The process control of utility infrastructures is based on SCADA (Supervisory Control and Data Acquisition) systems, which provide the operational ability to acquire data, supervise and control whatever the business in question is (electricity, water, gas, telecom). However, they also have interconnections to the standard corporate intranets, and hence indirectly to the Internet (e.g., remote access via dedicated or public networks). These SCADA systems were classically not designed to be widely distributed and remotely accessed, let alone be open. They grew up standalone and closed, without security in mind. However, several wide area monitoring systems (WAMS), protection and control systems implementing special protection schemes over the power transmission network, etc. are emerging whose architecture is based on open communication infrastructures. Such a trend towards open communication systems is in line with other industrial automation systems that rely ever more on standardized hardware, software and communication components. Whilst it seems non-controversial that such an approach brings a certain level of threat, namely but not only through interference, we know of no work that has tried to frame the problem by defining a model of “modern utilities distributed systems architecture”.
We believe that evaluation work on such a model will let us learn about activity patterns of interdependencies that will reveal the potential for far more damaging fault/failure scenarios than those that have been anticipated up to now. Moreover, such a model will be highly constructive as well, for it will form a structured framework for conceiving the right balance between prevention and removal of vulnerabilities and attacks, and tolerance of remaining potential intrusions and designed-in faults. In fact, this evolution led to the inevitable: access to operational networks, such as remote SCADA systems, ended up entangled with access to corporate intranets and the public Internet, without there being computational and resilience models that understand (