A new systematic modelling methodology for improving cyber-attack evaluation on states’ Critical Information Infrastructure (CII) Kosmas Pipyros March 2019 Information Security and Critical Infrastructure Protection (INFOSEC) Laboratory Department of Informatics A new systematic modelling methodology for improving cyber-attack evaluation on states’ Critical Information Infrastructure (CII) Kosmas Pipyros A dissertation submitted for the partial fulfillment of a Ph.D. degree January 2019 Department of Informatics Athens University of Economics & Business Athens, Greece ii Supervising Committee: 1. Theodoros Apostolopoulos, Professor, Athens University of Economics & Business (Chair). 2. Dimitris Gritzalis, Professor, Athens University of Economics & Business (Deputy Rector). 3. Lilian Mitrou, Professor, University of the Aegean. Examination Committee: 1. Theodoros Apostolopoulos, Professor, Athens University of Economics & Business (Chair). 2. Dimitris Gritzalis, Professor, Athens University of Economics & Business (Deputy Rector). 3. Lilian Mitrou, Professor, University of the Aegean. 4. Evgenia Alexandropoulou, Professor, University of Macedonia. 5. Ioannis Mavridis, Professor, University of Macedonia. 6. Maria Kanellopoulou – Bottis, Associate Professor, Ionian University. 7. Panayiotis Kotzanikolaou, Assistant Professor, University of Piraeus. iii A new systematic modelling methodology for improving cyber-attack evaluation on states’ Critical Information Infrastructure (CII) Copyright © 2019 by Kosmas Pipyros Department of Informatics Athens University of Economics and Business 76 Patission Ave., Athens GR-10434, Greece All rights reserved. No part of this manuscript may be reproduced or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the author. iv Disclaimer The views and opinions expressed in this thesis are those of the author and do not in any way represent the views, official policy or position of the Athens University of Economics and Business or his employer. "Η έγκριση διδακτορικής διατριβής υπό του Τμήματος Πληροφορικής του Οικονομικού Πανεπιστημίου Αθηνών δεν υποδηλοί αποδοχή των γνωμών του συγγραφέως.” (Ν. 5343/ 1932, άρθρο. 202) v Acknowledgements Reaching to the end of my doctoral studies I consider myself very fortunate for being able to work with my encouraging professors of my supervising committee. I had the opportunity to meet them during my master’s degree and I would like to express my gratitude for giving me the opportunity to embark on a master’s degree in information systems security without having the necessary background because my bachelor’s degree is on Law. Their lectures were the inspiration for my PhD thesis and I feel very grateful for that. More specifically, I would like to express my appreciation to my Ph.D. Supervisor Prof. Theodoros Apostolopoulos for giving me the opportunity to accomplish this research. Professor, thank you for your continuous guidance, support and inspiration during the more than five years of my academic research, for your encouragements and for your enlightening suggestions. I would also like to express my deep gratitude and appreciation to Prof. Lilian Mitrou for her guidance, enthusiastic encouragement and useful comments during the development of this research work. This Ph.D. thesis would not have been accomplished without her valuable and constructive suggestions and recommendations. Her willingness to give her time so generously is very much appreciated. It gives me pleasure to express my deep sense of gratitude to Prof. Dimitris Gritzalis for his continuous guidance, meticulous suggestions and astute criticism during my PhD. Furthermore, his academic advices and support helped me to improve my work and to keep my progress on schedule. I would like also to express my thanks to Dr. Christos Thraskias for the stimulating discussions and his invaluable scientific advices and help during the development of our research method. He was the one that help me the most during my first research steps and I feel very grateful for his support and professionalism but mainly for his friendship. Finally, I would like to express my gratitude to my dearest wife, Sotiroula for her unconditional love, patience, support but especially for bringing to life our beloved son a few months ago. This dissertation is dedicated to him. Athens, 28th December 2018 vi Dedication To our son Theodore: ‘You have made me stronger, better and more fulfilled than I could have ever imagined.’ vii Abstract Over the past decades, rapid advances in Information and Communication Technologies (ICTs) have connected billions of individuals across the globe, integrated economies through connected supply chains, and spurred new efficiencies through World Wide Web (WWW). The rapid development ICTs, its presence in every aspect of human life and the high degree of dependency on cyberspace make cybersecurity a common objective for a society’s proper functioning and the well-being of its citizens. As the European Commission states in its Joint Communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions entitled “Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace” (JOIN 1, European Commission, 2013), cyber security: “[…] commonly refers to the safeguards and actions that can be used to protect the cyber domain, both in the civilian and military fields, from those threats that are associated with or that may harm its interdependent networks and information infrastructure”. Despite the general integrity of digital networks and systems, deep digital integration has also created new vulnerabilities and threats by individual hackers, organized crime, terrorist groups and even nation states. Those threats, commonly referred to as cyber-attacks, include actions “[…] taken to undermine the functions of a computer network for a political or national security purpose”. Furthermore, the US National Research Council (2009) defines cyber-attacks as “deliberate actions to alter, disrupt, deceive, degrade, or destroy computer systems or networks or the information and/or programs resident in or transiting these systems or networks”. The more Critical Infrastructures (hereafter CI) are becoming independent from human intervention the higher the well-being of societies and citizens but also the vulnerability of states. The increasing number and complexity of cyber-attacks on states’ CI in recent years has been transforming cyberspace into a new battlefield where “the mouse and the keyboard being the new weapons” bringing out “cyber warfare” as the “5th dimension of war”. In 2010, the Pentagon has acknowledged cyberspace as a new field for war, after land, sea, air and space, which is vital for military operations (William J. Lynn, 2010). In order to defend USA Critical Information Infrastructure (hereafter CII) from cyber-attacks former US President Barack Obama (2009-2017) declared America’s digital infrastructure a strategic national asset (The White House, 2010). Moreover, former US Secretary of Defense Leon Panetta (2011-2013), during his speech “Defending the nation from cyber-attacks in 2011, pointed out that this is a pre- 9/11 moment and that a cyber-attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack on 9/11”. The decision of the US government reflected the need to address the challenges posed with regard to cyber-attacks that could be qualified as cyberwar actions. viii Furthermore, at EU level, only for the year 2016 there were more than 4,000 ransomware attacks per day with 80% of the European companies to experience at least one cyber security incident. In addition, more than 150 countries and 230,000 systems across sectors and countries were affected with a substantial impact on essential services connected to CI. Therefore, Jean- Claud Juncker, President of the European Commission, in his recent State of the Union address to the European Commission in 13 September 2017 pointed out that “Cyber-attacks can be more dangerous to the stability of democracies and economies than guns and tanks. Cyber-attacks know no borders, and no one is immune” (State of the Union 2017, European Commission). The number and complexity of cyber-attacks has been increasing steadily in recent years. The major players in today’s cyber conflicts are well organized and heavily funded teams with specific goals and objectives, working for or supported by a nation-state. Cyber-attacks such as those of Estonia (2007) and Iran (2010) demonstrate the significance and the magnitude of the problem. Moreover, at international level, the “WannaCry” ransomware attack of May 2017 affected hundreds of thousands of computers in 150 countries. In addition, the “NotPetya” attack a month later, which the United States publicly attributed to Russia, was deemed by the White House to be the most expensive cyber-attack in history (Center for Strategic & International Studies, Significant Cyber Incidents, 2018). The continuous increase in both the number and the intensity of cyber-attacks on states’ CII renders the research on defining and evaluating these categories of cyber-attacks into a pressing need. Today all the EU member states (ENISA) and most of the NATO member states have a National Cyber Security Strategy (NCSS) as a key policy feature, helping them to tackle risks which have the potential