**3. Literature review on modelling interdependency**

In literature, three main methodologies for the modelling approaches of critical infrastructure modelling are presented: agent-based simulation, input–output analysis and network modelling. Please refer to [7] for heterogeneous and/or unclassified approaches.

Each infrastructure is considered by agent-based simulations to be a complex adaptive structure, consisting of agents representing single aspects of the infrastructure itself. Different agents can be modelled at different degrees of abstraction based on the proposed level of resolution modelling. The primary benefit of agent-based simulation is the ability to establish synergistic behaviors as agents begin to work together [8].

The second method is based on the economic theory of Input–Output proposed by Leontief in the early 1930s, but later adapted to modelling infrastructures. Haimes and Jiang developed the linear input–output inoperability model (IIM) to research the impact of interdependencies on the inoperability of interconnected networked systems [9]. The key benefit of the IIM and its improvements is that the suggested solution is simple and flexible. IIM is usually confined to the financial costs of interdependencies.

In recent years, researchers have investigated new approaches to interdependency modelling of infrastructures. The most promising technique is based on graph and network theory. This approach uses abstract graphs made of nodes and arcs to describe infrastructures, representing links between components within infrastructures. The key benefit is to leverage closed form expressions and numerical simulations to characterise their topology, performance and uncertainty.

### **4. Mixed Holistic Reductionist (MHR) approach**

In this chapter, we propose an already applied approach, for helping during the modelling phase. To maximize the benefits of holistic and reductionist approaches, the Mixed Holistic Reductionist (MHR) [10] methodology was developed. The key goal of MHR approach is to provide a potential road-map to model critical infrastructures and their interdependencies properly.

In holistic modeling, infrastructures are seen as specific agents with defined boundaries and functional properties, creating a global and overall analysis. The purpose of presenting an infrastructure as a single element is to define the various infrastructures and their geographical extent. The volume of data needed for modeling activities is very limited at this stage and can be found in public data-sets.

In the other hand, to better appreciate the overall infrastructure, the reductionist approach stresses the need to thoroughly understand the roles and behaviours of individual components. The reductionist approach drills down to each component in terms of inputs and outputs. At this level of abstraction is easy to find dependencies between equipment and single components.

Various levels of analysis are required in modelled systems and their boundaries are lost in the event of complex case studies. For the MHR model, either a top-down or bottom-up approach might see relationships between infrastructures at different levels. The other key benefit is to model infrastructures at at multiple complexity levels, taking into account the quantity of data available.

The connection point between the two abstraction levels, i.e. holistic and reductionist approaches, is the quality of services (in the following, abbreviated as "service") which is a key element for operators. This layer describes functional relationships between components and infrastructure at different levels of granularity. Services to clients and to other interconnected infrastructures are specifically treated in MHR as a middle layer between holistic and reductionist agents.

The MHR allows us to reach the right level of detail with minimal data and collected information. Some important considerations can be summarised in the following:


MHR approach allows to define three different typologies of agents: holistic agent, service agent and reductionist agents.

The infrastructure as a whole (or its general organizational divisions) is represented by a holistic agent (**Figure 2**) to provide a model that can understand the global interactions between infrastructures.

change topology, the aggregate state of a subset of specific and important

same way as an input failure with a suitable "cyber dynamic".

*Resilience in Critical Infrastructures: The Role of Modelling and Simulation*

*DOI: http://dx.doi.org/10.5772/intechopen.94506*

Finally, with a reductionist agent, we can represent, with the right degree of abstraction, all physical or aggregated entities of the overall system. In **Figure 4**, the representation of a reductionist component is depicted. The picture does not explicitly consider a cyber threat: this malicious event can be represented in the

Finally, we can represent, with the right degree of abstraction, physical or aggregated components of the overall system with a reductionist agent. The

components.

*The service agent representation.*

**Figure 3.**

**9**

**Figure 2.**

*The holistic agent representation.*

A service agent represents a logical or organizational aspect, that provides an aggregate resource as the remote control: the remote control generally provides supervision, by means of software and data collection. Data can be collected through telecommunication network or field equipment in case of a geographically distributed infrastructure. In **Figure 3**, a service component is depicted considering the classical model of an agent in CISIApro 2.0. Some examples of service are: the ability to supply customers, the ability to produce resources, the ability to

*Resilience in Critical Infrastructures: The Role of Modelling and Simulation DOI: http://dx.doi.org/10.5772/intechopen.94506*

**Figure 2.** *The holistic agent representation.*

**Figure 3.** *The service agent representation.*

change topology, the aggregate state of a subset of specific and important components.

Finally, with a reductionist agent, we can represent, with the right degree of abstraction, all physical or aggregated entities of the overall system. In **Figure 4**, the representation of a reductionist component is depicted. The picture does not explicitly consider a cyber threat: this malicious event can be represented in the same way as an input failure with a suitable "cyber dynamic".

Finally, we can represent, with the right degree of abstraction, physical or aggregated components of the overall system with a reductionist agent. The

**Figure 4.** *The reductionist agent representation.*

representation of a reductionist aspect is represented in the **Figure 4**. The input failure contains natural disaster events, failures and faults, but also cyber threats.

### **5. CISIApro 2.0 simulator**

In this chapter, CISIApro 2.0 simulates the impact of anomalies and security attacks on the communication infrastructure and on the interlinked CIs. It will also support the decision-making process allowing a "what-if analysis" by simulating the application of countermeasures and reconfiguration and their impact on system resilience.

CISIApro 2.0 (Critical Infrastructure Simulation by Interdependent Agents) [11] is a software engine able to calculate complex cascading effects, taking into account (inter)dependencies and faults propagation among the involved complex systems.

CISIApro 2.0 is an Agent-Based simulation software consisting primarily of two modules, see **Figure 5**. The first one is the off-line tool in which it is possible to design and implement complex and highly interdependent scenarios. While the second one is the on-line tool which is implemented in Simulink (Mathworks).

CISIApro 2.0 is a database-centric architecture in which the database plays a key role as deonstrated in **Figure 5**. This implies a centralized asynchronous design that allows good modularity and scalability where each part of the IT infrastructure interacts, independently, with the centralized database in order to access the last data from the field (e.g. SCADA Systems), Complex Event Processing and generic IoT (Internet of Things) data systems, but also the simulation's outputs.

plays the important role of Hybrid Risk Evaluation Tool. Hybrid because it is able to get information of different natures (sensor and data acquisition and complex event processing systems) and translating them in operational levels of resources, faults or

With the proposed architecture, through CISIApro 2.0 modelling software, it is

possible to dynamically change the interdependencies model and plugin other modules in order to have a pseudo-real-time scalable and flexible system, which can be changed at any time. The DB stores the information needed for the representa-

services for the entities introduced in the critical infrastructure model.

*Resilience in Critical Infrastructures: The Role of Modelling and Simulation*

*DOI: http://dx.doi.org/10.5772/intechopen.94506*

tion of several Critical Infrastructures, such as:

**Figure 5.**

**Figure 6.**

**11**

*CISIApro 2.0 Graphical User Interface.*

*CISIApro 2.0 architecture.*

Using the Mixed-Holistic-Reductionist (MHR) approach, modelling complex interdependent systems is a prerequisite to produce an effective model. Once modelled the involved scenario, with MHR methodology can be applied with CISIApro 2.0.

From this point of view, CISIApro 2.0 engine does not only analyze actual situation and calculate the risk projected in the possible near future but, first, it *Resilience in Critical Infrastructures: The Role of Modelling and Simulation DOI: http://dx.doi.org/10.5772/intechopen.94506*

**Figure 5.** *CISIApro 2.0 architecture.*


**Figure 6.** *CISIApro 2.0 Graphical User Interface.*

plays the important role of Hybrid Risk Evaluation Tool. Hybrid because it is able to get information of different natures (sensor and data acquisition and complex event processing systems) and translating them in operational levels of resources, faults or services for the entities introduced in the critical infrastructure model.

With the proposed architecture, through CISIApro 2.0 modelling software, it is possible to dynamically change the interdependencies model and plugin other modules in order to have a pseudo-real-time scalable and flexible system, which can be changed at any time. The DB stores the information needed for the representation of several Critical Infrastructures, such as:


It should be noted that CISIApro 2.0 has introduced efficient ways to model, execute and debug simulations and cascading effects. In particular, an intuitive Graphical User Interface, **Figure 6**, is provided to create entities and connect them in easy way.

### **6. Case study and results**

The proposed scenario consists of three major components: the telecommunication network, the hospital ward and the smart factory. For industrial automation and possible remote operations, the fifth generation of telecommunication networks would be an essential improvement [12].

The telecommunication network of the reference scenario is represented in **Figure 7**. The purpose of this network is to manufacture and deliver services and it has a hierarchical structure consisting of three main sectors: backbone, metro and access networks.

The Optical Packet Backbone (OPB) is a multi-service network that exchanges voice, data and video services. This network is based on IP/MPLS (Multi-Protocol Label Switching) technology and the network is fully redundant in all its components and resistant to failure conditions to ensure a high level of the delivered services.

The Optical Packet Metro (OPM) network is a metropolitan and regional collection and aggregation network capable, depending on the configuration, of managing traffic flows at the Ethernet, IP or MPLS level. Like OPB, the OPM network is a multi-service network in which both fixed and mobile services combine and, as such, guarantee the requirements of scalability, reliability, availability, and flexibility. The access network meets end-users in the telecommunications industry and greatly influences the features of the service offered.

There are several systems, each with varying efficiency and coverage zones, to build "the last mile", which is the part of the network that stretches from the client site to the first access node. The latest generation of access network (GPON-Gigabit Passive Optical Network) based on fiber optic infrastructure with OLT (Optical Line Terminal) and ONU (Optical Network Unit) is briefly described at the bottom left of **Figure 7**.

(DSLAM) where the users' broadband lines connected to that particular central

transceivers responsible for the radio coverage of the territory.

*Resilience in Critical Infrastructures: The Role of Modelling and Simulation*

*DOI: http://dx.doi.org/10.5772/intechopen.94506*

*The representation of the telecommunication network of the scenario.*

next-generation security devices and application controllers as:

• F5 BIGIP (Web Application Firewall).

and Protection System, E-mail filtering, Layer 4 Firewall)

The security fabric and data-center layer are achieved using a few

On the right side of the picture, we insert the mobile network with the Base Transceiver Station (BTS) of the GSM networks that consist of antennas and

• Fortinet FortiGate (URL Filtering, Centralised Antivirus, Intrusion Detection

station are terminated.

**Figure 7.**

**13**

The distinctive aspect of this technology is the development of a network in which many recipients are reached by a single optical fiber: this enables you to prohibit the introduction of individual fiber ties between the control panel and the receiver, thus minimizing the cost of infrastructure.

In the central part of the figure, we have a broadband network. The strength of this technology, which has encouraged its growth and proliferation, lies in the fact that voice and data services use the same copper cables as the conventional telephone network. Data traffic received by the consumer is isolated by a splitter from voice traffic and processed by a Digital Subscriber Line Access Multiplexer

*Resilience in Critical Infrastructures: The Role of Modelling and Simulation DOI: http://dx.doi.org/10.5772/intechopen.94506*

**Figure 7.**

*The representation of the telecommunication network of the scenario.*

(DSLAM) where the users' broadband lines connected to that particular central station are terminated.

On the right side of the picture, we insert the mobile network with the Base Transceiver Station (BTS) of the GSM networks that consist of antennas and transceivers responsible for the radio coverage of the territory.

The security fabric and data-center layer are achieved using a few next-generation security devices and application controllers as:


Linked to the telecommunication network, we have a hospital ward represented in **Figure 8** that has been simplified to be modeled. This ward consists of a portion of the electrical grid in the yellow blocks, the water networks in blue blocks, the HVAC (Heating, Ventilation, and Air Conditioning) system in green blocks. We also add the building, made of eight rooms, where two are the operating rooms, and six are other rooms. These are the physicians' room, the staff room, the rooms used for visits, the surgery, and the waiting room, and the storage of medication and surgical supplies. These two types of rooms are modeled distinctly to underline their different relevance in the ward: while the medical and operating rooms are dedicated to patient care, must continue to provide the services requested optimally even after a failure, on the contrary, a malfunction of ordinary rooms does not drastically affect the quality of the service offered by the entire department.

The telecommunication network facilitates electrical hospital records to be processed in the clouds and relies on network-connected medical devices and systems.

Linked to the telecommunication network, a smart factor is present and is modeled in **Figure 9**. The smart factory for this scenario was modeled with reference to the radio access network architecture implemented in the factories of the future. **Figure 9** shows a completely autonomous local architecture, characterized by a pico site and an on-premises data center hub, which stores and performs data processing locally. The pico site is a small cellular base station typically covering a small area.

The 5G network is the best solution for this scenario [13, 14], which also makes it possible to incorporate the remote control of robots: according to this model, in a cloud environment, rather than in the robot itself, various functions aimed at regulating motion can be stored. It is thus assumed that the security of the networks in which the control modules work from cyber attacks is of vital importance.

The scenario contains also several services, modeled as service agents in CISIApro 2.0. Among those services, we focus our attention on the "5G Service", which is also included in **Figure 7**. 5G technology helps you to manage and control the movements of the programmable robotic arms remotely, increase humanmachine interaction, capture the information processed by these intelligent systems and handle them in real-time. With regards to the hospital, the goal is to pervasively

> interconnect healthcare structures, doctors, patients, and healthcare personnel, to increase efficiency and effectiveness. In this context, the capabilities of 5G are useful for remote surgery, for remote control of the vital parameters of patients recovering from or suffering from chronic conditions and for exchanging medical

The case study aims to examine the effects of a cyber-attack on the 5G core component, explicitly a DoS (Denial of Service). In this situation, we are not interested in how this attack was carried out, but we are more interested in the

The operative level of the "5G Core" agent is zero, as depicted in **Figure 10**, because it is the node that can not produce any output resource. The other entities of the telecommunications are not affected by this cyber-attack, because they don't

Different consequences affect the hospital and the smart factory. The domino effect on the smart factory is depicted in **Figure 11**. In the factory, there are four entities that need the 5G Core services to work: those entities are 5G-PGW-SGW, 5G-Pico, and the two antennas RU. Those elements are the red blocks in **Figure 11**, and they have an operative level equal to zero because they can not properly

data in real-time between the different technical figures.

*Resilience in Critical Infrastructures: The Role of Modelling and Simulation*

*DOI: http://dx.doi.org/10.5772/intechopen.94506*

possible consequences of interconnected facilities.

need this service to properly work.

*The consequences on the "5G Core" component.*

produce their outputs.

**15**

**Figure 9.**

**Figure 10.**

*The factory in CISIApro 2.0 simulator.*

**Figure 8.** *The hospital in CISIApro 2.0 simulator.*

*Resilience in Critical Infrastructures: The Role of Modelling and Simulation DOI: http://dx.doi.org/10.5772/intechopen.94506*

#### **Figure 9.**

*The factory in CISIApro 2.0 simulator.*

**Figure 10.** *The consequences on the "5G Core" component.*

interconnect healthcare structures, doctors, patients, and healthcare personnel, to increase efficiency and effectiveness. In this context, the capabilities of 5G are useful for remote surgery, for remote control of the vital parameters of patients recovering from or suffering from chronic conditions and for exchanging medical data in real-time between the different technical figures.

The case study aims to examine the effects of a cyber-attack on the 5G core component, explicitly a DoS (Denial of Service). In this situation, we are not interested in how this attack was carried out, but we are more interested in the possible consequences of interconnected facilities.

The operative level of the "5G Core" agent is zero, as depicted in **Figure 10**, because it is the node that can not produce any output resource. The other entities of the telecommunications are not affected by this cyber-attack, because they don't need this service to properly work.

Different consequences affect the hospital and the smart factory. The domino effect on the smart factory is depicted in **Figure 11**. In the factory, there are four entities that need the 5G Core services to work: those entities are 5G-PGW-SGW, 5G-Pico, and the two antennas RU. Those elements are the red blocks in **Figure 11**, and they have an operative level equal to zero because they can not properly produce their outputs.

resilience. In critical infrastructure protection world, assessing risk is very complex due to, among the others, due to interdependency: managing risk is well-established in each infrastructure, but the risk of interconnected infrastructures is still an open

Modelling infrastructures and their interdependencies could help in managing risk and also resilience. The proposed approach is called MHR and it is implemented with CISIApro 2.0, an agent-based simulator, which assesses the consequences of events on the reference scenario. We test the proposed approach into a telecommunication scenario, with a hospital ward and a smart factory. The results demonstrate the correctness of this approach that is currently under validation within the EU H2020 RESISTO project. During the project, the system will be integrated into

This chapter is partially supported by the European Union's Horizon 2020 research and innovation programme under Grant Agreement No. 786409 (RESISTO - RESIlience enhancement and risk control platform for communication infra-

real test-bed provided by various telecommunication providers.

*Resilience in Critical Infrastructures: The Role of Modelling and Simulation*

problem without a single solution.

*DOI: http://dx.doi.org/10.5772/intechopen.94506*

**Acknowledgements**

STructure Operators).

**Conflict of interest**

**Author details**

**17**

Chiara Foglietta\*† and Stefano Panzieri† University of Roma Tre, Rome, Italy

† These authors contributed equally.

provided the original work is properly cited.

\*Address all correspondence to: chiara.foglietta@uniroma3.it

© 2020 The Author(s). Licensee IntechOpen. This chapter is distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/ by/3.0), which permits unrestricted use, distribution, and reproduction in any medium,

The authors declare no conflict of interest.

#### **Figure 11.**

*The consequences on the factory section in CISIApro 2.0.*

#### **Figure 12.** *The consequences on the hospital section.*

Unlike the aforementioned elements, the two robots have an operative level of 0.4: although they cannot be controlled remotely or the information processed by them can be collected, however, these intelligent systems continue to operate.

In **Figure 12**, the output for the hospital is depicted. The absence of the 5G service has a more significant impact on medical rooms and operating rooms, due to the importance that hospital infrastructure has. In fact, despite following the cyber attack, it is no longer possible to carry out remote surgery, remotely monitor the vital parameters of patients and manage electronic medical records, these health rooms are still available for use and to ensure adequate care for patients.
