**1. Introduction**

The physical and cyber protection of critical infrastructures (CIs) is crucial to ensure the availability of multiple essential services. Concerning the physical security aspects, critical infrastructures are, in most cases, complex and geographically distributed systems hence hard to protect. Regardless of the specific scenario, a CI can be represented as a set of sub-systems able to interact and cooperate in order to provide services that are essential for the economy, society and public wellness. For example, in gas distribution systems, the cooperation of metering and regulation stations is fundamental to guarantee the proper functioning of the entire infrastructure. In power grids and water distribution infrastructures, the availability of

electrical power and water, depends respectively on the joint action of singular sub-systems such as bus or water supply stations. Analogously, the correct operation of a plant depends on the right operativeness of several elements as illustrated by the 4STER European project.

The main common aspect about these cited events is that a local event is able to compromise the functionality of the entire plants due to a domino effect. The identification of the most critical sub-systems is a crucial point for the definition of effective protection strategies able to improve the survivability of the systems. To this end, it is fundamental to identify adequate metrics and indicators to quantify the criticality rate

associated to each sub-system, especially in highly heterogeneous contexts.

*A Strategy to Improve Infrastructure Survivability via Prioritizing Critical Nodes…*

*DOI: http://dx.doi.org/10.5772/intechopen.95367*

From the literature, one of the typical strategies to obtain such metrics is to simulate the effects of negative events, such as local faults, in order to provide insights on the most critical elements, for which protection needs to be raised. In particular, a well-established approach is to focus on intentional attacks, considering a rational attacker that aims at maximizing the damage while keeping low the effort required for his/her malicious action. Starting from the seminal works of Arulsevan et al. [6] it has become paramount that attacks that take into account the topology of the infrastructure, can select more effectively the target sites, increasing the damage dealt (e.g., in terms of disconnection of large portions of the infrastructure by causing services interruption). In [7–10] multiple approaches for the identification of critical nodes in infrastructure networks are presented. All these methods consists in optimization problems able to discover the nodes whose removal from the network compromise the connectivity of the entire system. All these approaches requires initial assumptions about the attacker budget and preferences despite this information are not available in general in a real context. Moreover, the results of these approaches are able to highlight the most critical node in a network but not provide a metric capable of quantifying the degree of criticality for each node of the infrastructure. In more details, the approach presented in [7] proposes a method, able to identify the most critical nodes, based on the result of an optimization problem characterized by the presence of assumptions about the strategy of an attacker in terms of available budget and dimension of disconnected components. Similar assumptions are considered also in the approach presented in [8, 9], the authors propose a method which aims at minimizing the attack cost against the infrastructure with constraints about the features of the network. Finally, assumptions about the attacker preferences are also required in the formulation presented in [10]. In general, centrality measures, such as the node degree or betweenness centrality are often adopted as criticality measures, while in [11] the authors propose a critical index for the elements of a CI by analyzing the solutions of a multi objective optimization problem without any assumption about the attacker behaviour. However, the adoption of a unique metric or indicator about the criticality rate of each node of the system is quite unrealistic due to the complex nature of the infrastructures. Two approaches able to consider multiple metrics with the aim to compute a final aggregated criticality holistic indicator are presented in [12, 13]. The proposed approaches take into account multiple indicators based on multiple data source (topology data, field-related data, expert evaluations, etc.) but not provide a final step necessary to define a defensive strategy

**1.1 Related works**

and evaluate its effectiveness.

**113**

**1.2 Contribution and outline of the chapter**

In this chapter we want to propose a procedure able to define a defensive strategy for CIs based on multiple node criticality measures. In more details, the procedure is based on three steps, as depicted in **Figure 1**: In the first stage (Section 2) we provide some specific criticality measure for CIs based on the connectivity of the system. The identification of the criticality measures is a fundamental stage in

Critical infrastructure are characterized by a high level of interconnection and interdependency where the operation of a subsystem is essential for the functioning of others. In such a context, the disruption of a subsystem can easily escalate creating waterfall effect impacting multiple services and geographic areas. Therefore, in order to guarantee the functioning of the entire infrastructure it is necessary to protect adequately each sub-system from fault or exogenous events potentially capable of compromising normal operativity levels. As reported in [1], on the 28th September 2003, in Italy and some areas of Switzerland, about 56 million people lost power due to a storm-tossed tree branch that hit Swiss power lines. About 30,000 people remained trapped in trains, several hundred passengers were stranded on underground transit systems, and there were significant knock-on effects across other critical infrastructures. Similarly, the 2005 Hurricane Katrina [2] caused widespread power outages throughout Louisiana, Mississippi, Alabama, Florida, Kentucky and Tennessee due to the cascading effects initiated by a local event. Another example is the 2011 Great East Japan earthquake [3] and the resulting tsunami: 1.5 million households did not have access to their water supply, 4.4 million households were left without electricity, and all the local railway services were halted, and communications were suspended.

Domino effects over the entire infrastructure due to local fault are not caused only by accidental faults or natural disasters, but could also be intentionally caused by malicious actors. For example, with the increasing reliance of CI on Information & Communication Technology (ICT) malicious actors can perform attacks via cyberspace triggering service disruptions significant economic losses and even kinetic effects. This has been particular concerning in relation to the energetic sector with a significant increase of cyber threats capable of causing outages and blackout in power systems.

The first example of how a cyber attack can affect the operativity of CI causing mechanical damage was provided by the Aurora project [4]. This was a test performed by the Idaho National in which the simulation of a cyberattack led to the destruction of a 27-ton generator. Another Significant example is represented by the Stuxnet worm. The worm was able to modify the rotation speed of particular motors installed inside the centrifuges used for the uranium enrichment in plant in Iran. Similarly, recent blackouts in Ukraine in 2015 and 2016 were respectively caused by Blackenergy3 and CrashOverride, two malware specially designed to cause blackouts via cyber intrusion [5].

In addition, we have to consider impacts on workers'safety. Power plants, water plants, gas plants can provoke accidents and enormous damages. Seveso plants can be used for the storage of hazardous materials: an attack aimed at these plants can also cause a domino effect. The capability to adjust machine parameters in order to improve performance or simply in order to change behavior can make other people with criminal intent adjust parameters so that workers and others can be put at risk of harm. Example of parameters can be speeds, forces, torques that can be put at dangerous levels. In addition, graphical interfaces used for human-machine interaction can be altered so that people could see a situation not corresponding to reality (not reported error codes or messages, different values of parameters or measures). In order to identify hazards associated to the use of a machine or a set of machines, procedures like HAZOP, HAZID, accident reviews must be taken into consideration. Anyway, security and safety must be considered as part of the normal working processes and not always this happens.

*A Strategy to Improve Infrastructure Survivability via Prioritizing Critical Nodes… DOI: http://dx.doi.org/10.5772/intechopen.95367*

The main common aspect about these cited events is that a local event is able to compromise the functionality of the entire plants due to a domino effect. The identification of the most critical sub-systems is a crucial point for the definition of effective protection strategies able to improve the survivability of the systems. To this end, it is fundamental to identify adequate metrics and indicators to quantify the criticality rate associated to each sub-system, especially in highly heterogeneous contexts.

#### **1.1 Related works**

electrical power and water, depends respectively on the joint action of singular sub-systems such as bus or water supply stations. Analogously, the correct operation of a plant depends on the right operativeness of several elements as illustrated

services were halted, and communications were suspended.

Critical infrastructure are characterized by a high level of interconnection and interdependency where the operation of a subsystem is essential for the functioning of others. In such a context, the disruption of a subsystem can easily escalate creating waterfall effect impacting multiple services and geographic areas. Therefore, in order to guarantee the functioning of the entire infrastructure it is necessary to protect adequately each sub-system from fault or exogenous events potentially capable of compromising normal operativity levels. As reported in [1], on the 28th September 2003, in Italy and some areas of Switzerland, about 56 million people lost power due to a storm-tossed tree branch that hit Swiss power lines. About 30,000 people remained trapped in trains, several hundred passengers were stranded on underground transit systems, and there were significant knock-on effects across other critical infrastructures. Similarly, the 2005 Hurricane Katrina [2] caused widespread power outages throughout Louisiana, Mississippi, Alabama, Florida, Kentucky and Tennessee due to the cascading effects initiated by a local event. Another example is the 2011 Great East Japan earthquake [3] and the resulting tsunami: 1.5 million households did not have access to their water supply, 4.4 million households were left without electricity, and all the local railway

Domino effects over the entire infrastructure due to local fault are not caused only by accidental faults or natural disasters, but could also be intentionally caused by malicious actors. For example, with the increasing reliance of CI on Information & Communication Technology (ICT) malicious actors can perform attacks via cyberspace triggering service disruptions significant economic losses and even kinetic effects. This has been particular concerning in relation to the energetic sector with a significant increase of cyber threats capable of causing outages and

The first example of how a cyber attack can affect the operativity of CI causing

In addition, we have to consider impacts on workers'safety. Power plants, water plants, gas plants can provoke accidents and enormous damages. Seveso plants can be used for the storage of hazardous materials: an attack aimed at these plants can also cause a domino effect. The capability to adjust machine parameters in order to improve performance or simply in order to change behavior can make other people with criminal intent adjust parameters so that workers and others can be put at risk of harm. Example of parameters can be speeds, forces, torques that can be put at dangerous levels. In addition, graphical interfaces used for human-machine interaction can be altered so that people could see a situation not corresponding to reality (not reported error codes or messages, different values of parameters or measures). In order to identify hazards associated to the use of a machine or a set of machines, procedures like HAZOP, HAZID, accident reviews must be taken into consideration. Anyway, security and safety must be considered as part of the normal work-

performed by the Idaho National in which the simulation of a cyberattack led to the destruction of a 27-ton generator. Another Significant example is represented by the Stuxnet worm. The worm was able to modify the rotation speed of particular motors installed inside the centrifuges used for the uranium enrichment in plant in Iran. Similarly, recent blackouts in Ukraine in 2015 and 2016 were respectively caused by Blackenergy3 and CrashOverride, two malware specially designed to

mechanical damage was provided by the Aurora project [4]. This was a test

by the 4STER European project.

*Issues on Risk Analysis for Critical Infrastructure Protection*

blackout in power systems.

cause blackouts via cyber intrusion [5].

ing processes and not always this happens.

**112**

From the literature, one of the typical strategies to obtain such metrics is to simulate the effects of negative events, such as local faults, in order to provide insights on the most critical elements, for which protection needs to be raised. In particular, a well-established approach is to focus on intentional attacks, considering a rational attacker that aims at maximizing the damage while keeping low the effort required for his/her malicious action. Starting from the seminal works of Arulsevan et al. [6] it has become paramount that attacks that take into account the topology of the infrastructure, can select more effectively the target sites, increasing the damage dealt (e.g., in terms of disconnection of large portions of the infrastructure by causing services interruption). In [7–10] multiple approaches for the identification of critical nodes in infrastructure networks are presented. All these methods consists in optimization problems able to discover the nodes whose removal from the network compromise the connectivity of the entire system. All these approaches requires initial assumptions about the attacker budget and preferences despite this information are not available in general in a real context. Moreover, the results of these approaches are able to highlight the most critical node in a network but not provide a metric capable of quantifying the degree of criticality for each node of the infrastructure. In more details, the approach presented in [7] proposes a method, able to identify the most critical nodes, based on the result of an optimization problem characterized by the presence of assumptions about the strategy of an attacker in terms of available budget and dimension of disconnected components. Similar assumptions are considered also in the approach presented in [8, 9], the authors propose a method which aims at minimizing the attack cost against the infrastructure with constraints about the features of the network. Finally, assumptions about the attacker preferences are also required in the formulation presented in [10]. In general, centrality measures, such as the node degree or betweenness centrality are often adopted as criticality measures, while in [11] the authors propose a critical index for the elements of a CI by analyzing the solutions of a multi objective optimization problem without any assumption about the attacker behaviour. However, the adoption of a unique metric or indicator about the criticality rate of each node of the system is quite unrealistic due to the complex nature of the infrastructures. Two approaches able to consider multiple metrics with the aim to compute a final aggregated criticality holistic indicator are presented in [12, 13]. The proposed approaches take into account multiple indicators based on multiple data source (topology data, field-related data, expert evaluations, etc.) but not provide a final step necessary to define a defensive strategy and evaluate its effectiveness.

#### **1.2 Contribution and outline of the chapter**

In this chapter we want to propose a procedure able to define a defensive strategy for CIs based on multiple node criticality measures. In more details, the procedure is based on three steps, as depicted in **Figure 1**: In the first stage (Section 2) we provide some specific criticality measure for CIs based on the connectivity of the system. The identification of the criticality measures is a fundamental stage in

*v <sup>j</sup>* ∈*V*, is a subset of links in *E* that connects *vi* and *v <sup>j</sup>* without creating loops. An undirected graph *G* ¼ f g *V*, *E* is *connected* if each node can be reached by each other

*A Strategy to Improve Infrastructure Survivability via Prioritizing Critical Nodes…*

For the sake of clarity, we report here the notation adopted in the rest of the

adjacency matrix *A* and without considering nodes *vi*s*:*t*:***x***<sup>i</sup>* ¼ 0

*<sup>b</sup>* Relative utility ratio among alternatives *i* and *j* according to metric *i*

*ab* Matrix of utility ratios among alternatives *a*and*b*according to metric *i*

As mentioned above the first step of the proposed approach for the identification of a defensive strategy is the identification of metrics of interests able to evaluate the network criticalities from multiple points of view. Despite in literature this process is often reduced to a simple centrality measure computation, in this section we propose two other applicable approaches, based on the infrastructure connectivity, to compute the criticality of each sub-systems of a CI. For the sake of clarity, in this context we represent the entire infrastructure via undirected graph *G* ¼ f g *V*, *E* where *V* is the set of *n* nodes *vi*, (each node represents a sub-system of the CI) and *E*⊆*V* � *V* is

Both the approaches for the critical node identification, presented in this section are based on the concept of connectivity. In our models, when a node is attacked and is unable to operate, we remove the node and the incident edges from the graph. The deletion of particular critical nodes could compromise the connectivity of the other elements of the network. Notice that, for each node *vi* we consider a removal cost *ci* > 0. With the aim to measure the degree of connectivity of the graph *G*, we adopt the Pairwise Connectivity (PWC), it is an index that captures the overall degree of connectivity of a graph on the basis of the couples of nodes

*vi* ð Þ , *<sup>v</sup> <sup>j</sup>* <sup>∈</sup>*V*�*V*, *vi*6¼*<sup>v</sup> <sup>j</sup>*

� �. An edge connects two nodes if a real physical

*p vi*, *v <sup>j</sup>*

� �, (1)

*NPWC A*ð Þ , *x* Normalized pairwise connectivity for a graph with

evaluated via characteristic function *g*

node by means of the links in *E*.

P Pareto Front

*Mi <sup>i</sup>*‐th metric

*ci* Removal cost for node *vi PWC G*ð Þ Pairwise connectivity of *G*

*DOI: http://dx.doi.org/10.5772/intechopen.95367*

*χ<sup>i</sup>* Critical index for node *vi*

*ϕ<sup>i</sup>* Shapley value for player *i*

*m* Number of metrics

*B* Defensive budget

the set of *e* undirected edges *vi*, *v <sup>j</sup>*

connected by means of edges in *G*.

*<sup>i</sup>* Relevance of metric *i*

*P* Set of players in the cooperative game Γð Þ *P*, *g* Cooperative game for players in *P*

Global robustness index

**2. Node criticality metrics based on network connectivity**

connection exists between the two corresponding sub-systems.

*PWC G*ð Þ¼ <sup>X</sup>

chapter.

*r* ð Þ*i <sup>a</sup> =r* ð Þ*i*

*Ri*

*w* Y

**115**

#### **Figure 1.**

*Flow chart of the proposed three-steps procedure.*

the defensive strategy definition process. In literature, graph centrality measures are often adopted as criticality measures for infrastructure but these approaches (e.g. Node degree or node betweenness) are quite ineffective as proved in [11]. In the second stage (Section 3) a methodology to merge multiple criticality metrics, based on the well-known Analytic Hierarchy Process [14], is described in order to overcome the limit about the application of a single metric in a complex environment. Moreover, such methodology allows considering also the criticality evaluations given for a subset of infrastructure nodes. The definition of the defensive strategy is provided in the last step (Section 4) and its effectiveness is proved by analyzing the global robustness of the network with respect to multiple robustness evaluation methods. Finally, in (Section 5), the application of the three-step procedure is illustrated with respect to the case study network with the aim of proving the effectiveness of the proposed strategy.

#### **1.3 Notation**

Let us denote by ∣*X*∣ the cardinality of a set *X*; moreover, we represent vectors via boldface letters, and we use **k***<sup>m</sup>* to indicate a vector in *<sup>m</sup>* whose components are all equal to *k*, while by *In* we identify the *n* � *n* identity matrix. Finally, we denote the sign of *x*∈ by *sign x*ð Þ and by *sign X*ð Þ the entry-wise sign of a matrix *X*. Let *G* ¼ f g *V*, *E* denote a *graph* with a finite number *n* of nodes *vi* ∈*V* and *e* edges *vi*, *v <sup>j</sup>* <sup>∈</sup>*<sup>E</sup>* <sup>⊆</sup>*<sup>V</sup>* � *<sup>V</sup>*, from node *vi* to node *<sup>v</sup> <sup>j</sup>*. A graph is said to be *undirected* if *vi*, *v <sup>j</sup>* ∈*E* whenever *v <sup>j</sup>*, *vi* ∈ *E* (see **Figure 2**). The *adjacency matrix* of a graph *G* is an *n* � *n* matrix *A* such that *Aij* ¼ 1 if *v <sup>j</sup>*, *vi* <sup>∈</sup> *<sup>E</sup>* and *Aij* <sup>¼</sup> 0 otherwise. A *path* over an undirected graph *G* ¼ f g *V*, *E* , starting at a node *vi* ∈*V* and ending at a node

**Figure 2.** *Example of a graph G* ¼ f g *V*, *E with* ∣*n*∣ ¼ 5 *nodes and* ∣*E*∣ ¼ 6 *edges.*

*A Strategy to Improve Infrastructure Survivability via Prioritizing Critical Nodes… DOI: http://dx.doi.org/10.5772/intechopen.95367*

*v <sup>j</sup>* ∈*V*, is a subset of links in *E* that connects *vi* and *v <sup>j</sup>* without creating loops. An undirected graph *G* ¼ f g *V*, *E* is *connected* if each node can be reached by each other node by means of the links in *E*.

For the sake of clarity, we report here the notation adopted in the rest of the chapter.


### **2. Node criticality metrics based on network connectivity**

As mentioned above the first step of the proposed approach for the identification of a defensive strategy is the identification of metrics of interests able to evaluate the network criticalities from multiple points of view. Despite in literature this process is often reduced to a simple centrality measure computation, in this section we propose two other applicable approaches, based on the infrastructure connectivity, to compute the criticality of each sub-systems of a CI. For the sake of clarity, in this context we represent the entire infrastructure via undirected graph *G* ¼ f g *V*, *E* where *V* is the set of *n* nodes *vi*, (each node represents a sub-system of the CI) and *E*⊆*V* � *V* is the set of *e* undirected edges *vi*, *v <sup>j</sup>* � �. An edge connects two nodes if a real physical connection exists between the two corresponding sub-systems.

Both the approaches for the critical node identification, presented in this section are based on the concept of connectivity. In our models, when a node is attacked and is unable to operate, we remove the node and the incident edges from the graph. The deletion of particular critical nodes could compromise the connectivity of the other elements of the network. Notice that, for each node *vi* we consider a removal cost *ci* > 0. With the aim to measure the degree of connectivity of the graph *G*, we adopt the Pairwise Connectivity (PWC), it is an index that captures the overall degree of connectivity of a graph on the basis of the couples of nodes connected by means of edges in *G*.

$$\text{PWC}(G) = \sum\_{\{v\_i, v\_j\} \in V \times V, v\_i \neq v\_j} p(v\_i, v\_j),\tag{1}$$

the defensive strategy definition process. In literature, graph centrality measures are often adopted as criticality measures for infrastructure but these approaches (e.g. Node degree or node betweenness) are quite ineffective as proved in [11]. In the second stage (Section 3) a methodology to merge multiple criticality metrics, based on the well-known Analytic Hierarchy Process [14], is described in order to overcome the limit about the application of a single metric in a complex environment. Moreover, such methodology allows considering also the criticality evaluations given for a subset of infrastructure nodes. The definition of the defensive strategy is provided in the last step (Section 4) and its effectiveness is proved by analyzing the global robustness of the network with respect to multiple robustness evaluation methods. Finally, in (Section 5), the application of the three-step procedure is illustrated with respect to the case study network with the aim of proving

Let us denote by ∣*X*∣ the cardinality of a set *X*; moreover, we represent vectors via boldface letters, and we use **k***<sup>m</sup>* to indicate a vector in *<sup>m</sup>* whose components are all equal to *k*, while by *In* we identify the *n* � *n* identity matrix. Finally, we denote the sign of *x*∈ by *sign x*ð Þ and by *sign X*ð Þ the entry-wise sign of a matrix *X*. Let *G* ¼ f g *V*, *E* denote a *graph* with a finite number *n* of nodes *vi* ∈*V* and *e* edges

∈ *E* (see **Figure 2**). The *adjacency matrix* of a graph *G* is

<sup>∈</sup> *<sup>E</sup>* and *Aij* <sup>¼</sup> 0 otherwise. A *path* over

<sup>∈</sup>*<sup>E</sup>* <sup>⊆</sup>*<sup>V</sup>* � *<sup>V</sup>*, from node *vi* to node *<sup>v</sup> <sup>j</sup>*. A graph is said to be *undirected* if

an undirected graph *G* ¼ f g *V*, *E* , starting at a node *vi* ∈*V* and ending at a node

the effectiveness of the proposed strategy.

*Flow chart of the proposed three-steps procedure.*

*Issues on Risk Analysis for Critical Infrastructure Protection*

an *n* � *n* matrix *A* such that *Aij* ¼ 1 if *v <sup>j</sup>*, *vi*

*Example of a graph G* ¼ f g *V*, *E with* ∣*n*∣ ¼ 5 *nodes and* ∣*E*∣ ¼ 6 *edges.*

**1.3 Notation**

**Figure 1.**

*vi*, *v <sup>j</sup>*

*vi*, *v <sup>j</sup>*

**Figure 2.**

**114**

∈*E* whenever *v <sup>j</sup>*, *vi*

where *p vi*, *v <sup>j</sup>* � � is 1 if the pair *vi*, *v <sup>j</sup>* � � is connected via a path in *G*, and is zero otherwise. Noting that the maximum number of couples of nodes in a graph with *n* nodes is *n n*ð Þ �<sup>1</sup> <sup>2</sup> , the *normalized pairwise connectivity* (NPWC) is defined as:

$$\text{NPWC}(G) = \frac{\text{2PWC}(G)}{n(n-1)} \in [0, 1]. \tag{2}$$

As described in [11], in general, a multi-objective problem is characterized by the presence of multiple optimal solutions **<sup>x</sup>**ð Þ*<sup>j</sup>* collected in the Pareto front set <sup>P</sup>. Each solution is associated to a couple of values *<sup>f</sup>* <sup>1</sup> **<sup>x</sup>**ð Þ*<sup>j</sup>* � �, *<sup>f</sup>* <sup>2</sup> **<sup>x</sup>**ð Þ*<sup>j</sup>* � � � � according to the two objective functions. In other words, each optimal solution **x**ð Þ*<sup>j</sup>* represents a different attack strategy with damages caused on the network *<sup>f</sup>* <sup>1</sup> **<sup>x</sup>**ð Þ*<sup>j</sup>* � � and different

> <sup>∀</sup>**x**ð Þ*<sup>j</sup>* <sup>∈</sup>P**x**ð Þ*<sup>j</sup> i*

<sup>∣</sup>P<sup>∣</sup> (8)

attack effort *<sup>f</sup>* <sup>2</sup> **<sup>x</sup>**ð Þ*<sup>j</sup>* � � as depicted in **Figure 3**.

*DOI: http://dx.doi.org/10.5772/intechopen.95367*

**2.2 A critical index based on a cooperative game**

strategies.

cooperative game.

**Figure 3.**

**117**

In [11], the Critical Index *χ<sup>i</sup>* is defined as in Eq. (8):

*χ<sup>i</sup>* ¼ P

*A Strategy to Improve Infrastructure Survivability via Prioritizing Critical Nodes…*

where ∣P∣ represents the number of solutions in the Pareto front. In other words it is defined as the ratio between the frequency with which a node *vi* is involved in the attacks listed in the Pareto front and its cardinality. If the critical index *χ<sup>i</sup>* is close to 0 this implies that the node is rarely involved in attack plans, instead, the closer it is to 1, more frequently the node is involved in optimal attack

An alternative approach for the identification of the most critical nodes in a network is presented in [15]. Analogously to the critical index based on the results of the multi-objective optimization problem, the proposed method is based on the concept of NPWC. Differently from the previous critical index, this measure come from the game theory and is based on the solution of a

A cooperative game, sometimes called a value game or a profit game, is a competition among groups of players. Formally, a cooperative game is defined by a set of players *<sup>P</sup>* and a characteristic function *<sup>v</sup>* : <sup>2</sup>*<sup>N</sup>* ) <sup>þ</sup> which associate to all possible coalitions of players a utility rate. The function describes how much

collective payoff a set of players can gain by forming a coalition.

*Pareto front: the optimal solutions set for multi-objective optimization problem.*

**Remark 1** *NPWC G*ð Þ is a measure of connectivity of the graph *G*, in fact, it is easy to note that

$$G \text{ connected} \Leftrightarrow \text{NPWC}(G) = \mathbf{1}.\tag{3}$$

When *NPWC G*ð Þ<1, the graph is not connected, but the larger *NPWC G*ð Þ is, the more *<sup>G</sup>* is "close" to be a connected graph. □

We now provide a more descriptive definition of a NPWC by taking into account a subset of attacked nodes. Let *A* be the adjacency matrix of an undirected graph *<sup>G</sup>* <sup>¼</sup> f g *<sup>V</sup>*, *<sup>E</sup>* and let **<sup>x</sup>**<sup>∈</sup> *<sup>n</sup>* be a column vector whose entries *xi* = 0 if the *<sup>i</sup>*-th node has been removed due to an attack or a fault and *xi* = 1 otherwise, we define the connectivity as:

$$\text{NPWC}(A, \mathbf{x}) = \frac{\mathbf{1}\_n^T \left[ \text{sign} \left( \sum\_{i=0}^{n-1} \hat{A}^i \right) - I\_n \right] \mathbf{1}\_n}{n(n-1)} \tag{4}$$

where *<sup>A</sup>*^*ij* <sup>¼</sup> *Aijxix <sup>j</sup>*, **<sup>1</sup>***<sup>n</sup>* is a column vector composed by *<sup>n</sup>* entries equal to 1.

#### **2.1 A critical index based on optimization problem**

The definition of the Critical Index *χ<sup>i</sup>* for a node *vi*, come directly from the solutions of a multi-objective problem defined by assuming the point of view of a malicious attacker.

In Eq. (5) the behavior of an attacker is defined as a multi-objective optimization problem characterized by two conflicting objectives: the reduction of the connectivity in terms of NPWC and the simultaneous minimization of the required attack effort in terms of removal cost. We reiterate that if an attacker want to disconnect a node *vi* from the graph then (s)he must pay a cost *ci*.

Problem 1

$$\begin{array}{ll}\min f(\mathbf{x}) = & \min \left[ \, f\_1(\mathbf{x}), f\_2(\mathbf{x}) \right]^T, \\ \mathbf{x} \in \{0, 1\}^n \end{array} \tag{5}$$

where **x** represents the vector of decision variables, whose entries *xi* are equal to 0 if the node *vi* is involved in the attack, 1 otherwise and where

$$f\_1 = \text{NPWC}(A, \mathbf{x}) \tag{6}$$

and

$$f\_2 = \frac{\mathbf{c}^T(\mathbf{1}\_n - \mathbf{x})}{\mathbf{1}^T \mathbf{c}} \tag{7}$$

where **<sup>c</sup>** <sup>¼</sup> ½ � *<sup>c</sup>*<sup>1</sup> … *cn <sup>T</sup>* is the vector whose entries represent the cost necessary to remove each node from the graph.

*A Strategy to Improve Infrastructure Survivability via Prioritizing Critical Nodes… DOI: http://dx.doi.org/10.5772/intechopen.95367*

As described in [11], in general, a multi-objective problem is characterized by the presence of multiple optimal solutions **<sup>x</sup>**ð Þ*<sup>j</sup>* collected in the Pareto front set <sup>P</sup>. Each solution is associated to a couple of values *<sup>f</sup>* <sup>1</sup> **<sup>x</sup>**ð Þ*<sup>j</sup>* � �, *<sup>f</sup>* <sup>2</sup> **<sup>x</sup>**ð Þ*<sup>j</sup>* � � � � according to the two objective functions. In other words, each optimal solution **x**ð Þ*<sup>j</sup>* represents a different attack strategy with damages caused on the network *<sup>f</sup>* <sup>1</sup> **<sup>x</sup>**ð Þ*<sup>j</sup>* � � and different attack effort *<sup>f</sup>* <sup>2</sup> **<sup>x</sup>**ð Þ*<sup>j</sup>* � � as depicted in **Figure 3**.

In [11], the Critical Index *χ<sup>i</sup>* is defined as in Eq. (8):

$$\chi\_i = \frac{\sum\_{\forall \mathbf{x}^{(\cdot)} \in \mathcal{P}} \mathbf{x}\_i^{(\cdot)}}{|\mathcal{P}|} \tag{8}$$

where ∣P∣ represents the number of solutions in the Pareto front. In other words it is defined as the ratio between the frequency with which a node *vi* is involved in the attacks listed in the Pareto front and its cardinality. If the critical index *χ<sup>i</sup>* is close to 0 this implies that the node is rarely involved in attack plans, instead, the closer it is to 1, more frequently the node is involved in optimal attack strategies.

#### **2.2 A critical index based on a cooperative game**

An alternative approach for the identification of the most critical nodes in a network is presented in [15]. Analogously to the critical index based on the results of the multi-objective optimization problem, the proposed method is based on the concept of NPWC. Differently from the previous critical index, this measure come from the game theory and is based on the solution of a cooperative game.

A cooperative game, sometimes called a value game or a profit game, is a competition among groups of players. Formally, a cooperative game is defined by a set of players *<sup>P</sup>* and a characteristic function *<sup>v</sup>* : <sup>2</sup>*<sup>N</sup>* ) <sup>þ</sup> which associate to all possible coalitions of players a utility rate. The function describes how much collective payoff a set of players can gain by forming a coalition.

**Figure 3.** *Pareto front: the optimal solutions set for multi-objective optimization problem.*

where *p vi*, *v <sup>j</sup>*

nodes is *n n*ð Þ �<sup>1</sup>

easy to note that

the connectivity as:

malicious attacker.

Problem 1

and

**116**

remove each node from the graph.

� � is 1 if the pair *vi*, *v <sup>j</sup>*

*Issues on Risk Analysis for Critical Infrastructure Protection*

*NPWC A*ð Þ¼ , **x**

**2.1 A critical index based on optimization problem**

node *vi* from the graph then (s)he must pay a cost *ci*.

0 if the node *vi* is involved in the attack, 1 otherwise and where

� � is connected via a path in *G*, and is zero

*G* connected⇔*NPWC G*ð Þ¼ 1*:* (3)

*n n*ð Þ � <sup>1</sup> <sup>∈</sup>½ � 0, 1 *:* (2)

otherwise. Noting that the maximum number of couples of nodes in a graph with *n*

<sup>2</sup> , the *normalized pairwise connectivity* (NPWC) is defined as:

**Remark 1** *NPWC G*ð Þ is a measure of connectivity of the graph *G*, in fact, it is

When *NPWC G*ð Þ<1, the graph is not connected, but the larger *NPWC G*ð Þ is, the more *<sup>G</sup>* is "close" to be a connected graph. □ We now provide a more descriptive definition of a NPWC by taking into account a subset of attacked nodes. Let *A* be the adjacency matrix of an undirected graph *<sup>G</sup>* <sup>¼</sup> f g *<sup>V</sup>*, *<sup>E</sup>* and let **<sup>x</sup>**<sup>∈</sup> *<sup>n</sup>* be a column vector whose entries *xi* = 0 if the *<sup>i</sup>*-th node has been removed due to an attack or a fault and *xi* = 1 otherwise, we define

**1***T*

where *<sup>A</sup>*^*ij* <sup>¼</sup> *Aijxix <sup>j</sup>*, **<sup>1</sup>***<sup>n</sup>* is a column vector composed by *<sup>n</sup>* entries equal to 1.

The definition of the Critical Index *χ<sup>i</sup>* for a node *vi*, come directly from the solutions of a multi-objective problem defined by assuming the point of view of a

In Eq. (5) the behavior of an attacker is defined as a multi-objective optimization problem characterized by two conflicting objectives: the reduction of the connectivity in terms of NPWC and the simultaneous minimization of the required attack effort in terms of removal cost. We reiterate that if an attacker want to disconnect a

min *<sup>f</sup>*ð Þ¼ **<sup>x</sup>** min *<sup>f</sup>* <sup>1</sup>ð Þ **<sup>x</sup>** , *<sup>f</sup>* <sup>2</sup>ð Þ *<sup>x</sup>* � �*<sup>T</sup>*

where **x** represents the vector of decision variables, whose entries *xi* are equal to

*<sup>f</sup>* <sup>2</sup> <sup>¼</sup> **<sup>c</sup>***<sup>T</sup>*ð Þ **<sup>1</sup>***<sup>n</sup>* � **<sup>x</sup> 1***<sup>T</sup>***c**

where **<sup>c</sup>** <sup>¼</sup> ½ � *<sup>c</sup>*<sup>1</sup> … *cn <sup>T</sup>* is the vector whose entries represent the cost necessary to

*<sup>n</sup> sign* <sup>P</sup>*<sup>n</sup>*�<sup>1</sup>

*<sup>i</sup>*¼<sup>0</sup>*A*^*<sup>i</sup>* � �

h i

� *In*

**1***n n n*ð Þ � <sup>1</sup> (4)

,

*f* <sup>1</sup> ¼ *NPWC A*ð Þ , **x** (6)

(7)

**<sup>x</sup>**<sup>∈</sup> f g 0, 1 *<sup>n</sup>* (5)

*NPWC G*ð Þ¼ <sup>2</sup>*PWC G*ð Þ

Let *<sup>P</sup>* be the set of players, and *<sup>g</sup>* : <sup>2</sup>*<sup>P</sup>* ) <sup>þ</sup> a function that satisfies the following properties:

be obtained also resolving AHP on the basis of pair-wise comparisons between the

*A Strategy to Improve Infrastructure Survivability via Prioritizing Critical Nodes…*

For each metric we define the *<sup>n</sup>* � *<sup>n</sup>* matrix *<sup>R</sup>*ð Þ*<sup>i</sup>* whose entries are defined as

ð Þ*i <sup>a</sup>* and*r* ð Þ*i*

In other words, the matrix *R*ð Þ*<sup>i</sup>* collects the relative utility ratios between the *a*-th

ln *R*ð Þ*<sup>i</sup>*

and *b*-th nodes according to the *i*-th metric if both the evaluation are available.

*<sup>b</sup>* might be undefined if *r*

By considering the matrices *R*ð Þ*<sup>i</sup>* , we aim at finding the aggregated holistic

The holistic indicator **r** <sup>∗</sup> is a new node criticality measure that represents a compromise between the *m* initial metrics *M*<sup>1</sup> … *Mm* by taking into account the SMEs preferences *wi*. In other words, Problem 2 aims at finding the criticality

In this section we propose a methodology to define a defensive strategy able to improve the survivability of the network with a focus on the connectivity maintenance with respect to nodes deletion. As introduced in Section 2, an attack cost *ci* is associated to each node *vi*. Our aim is the definition of a new distribution of the budget in order to minimize the loss of connectivity in case of malicious attacks.

costs. We propose a new allocation of the budget by defining the removal cost proportionally to the holistic indicator **r** <sup>∗</sup> described in Section 3. Hence, we define

> ^*ci* <sup>¼</sup> <sup>1</sup> *B*

It is now necessary evaluate the robustness of a network with a particular defensive strategy. As introduced in Section 2.1, due to its multi-objective nature, Problem 1 is characterized by the presence of multiple optimal solutions collected in the Pareto front <sup>P</sup>. Each optimal solution **<sup>x</sup>**ð Þ*<sup>j</sup>* is associated to a couple of values: a particular connectivity value *<sup>f</sup>* <sup>1</sup> **<sup>x</sup>**ð Þ*<sup>j</sup>* � � and an attack cost *<sup>f</sup>* <sup>2</sup> **<sup>x</sup>**ð Þ*<sup>j</sup>* � �, where *<sup>f</sup>* <sup>1</sup> and *<sup>f</sup>* <sup>2</sup>

**r** <sup>∗</sup> *<sup>i</sup>* **1n**

In [11], the global robustness index Q is defined as the area under the polygonal chain connecting the points ( *<sup>f</sup>* <sup>1</sup> **<sup>x</sup>**ð Þ*<sup>j</sup>* � �,*<sup>f</sup>* <sup>2</sup> **<sup>x</sup>**ð Þ*<sup>j</sup>* � �) in the Pareto front using trapezoidal

*<sup>i</sup>*¼<sup>1</sup>*ci* the defensive budget computed on the basis of the initial removal

X *b* ∣*R*ð Þ*<sup>i</sup> ab*6¼0

*<sup>a</sup>* , assigned to the *a*-th node, such that the ratios **r** <sup>∗</sup>

*<sup>b</sup>* are defined

ð Þ*i*

*ab* � � � *log r*ð Þþ *<sup>a</sup> log r*ð Þ*<sup>b</sup>* � �<sup>2</sup>

*<sup>a</sup> =***r** <sup>∗</sup>

*<sup>T</sup>***<sup>r</sup>** <sup>∗</sup> *:* (12)

*<sup>b</sup>* minimize the

(10)

(11)

*<sup>b</sup>* ¼ 0, due to this reason, we

different metrics.

Notice that some ratio *r*

**<sup>r</sup>** <sup>∗</sup> <sup>¼</sup> arg min **r**∈ *<sup>n</sup>* þ

indicator **r** <sup>∗</sup>

Let *<sup>B</sup>* <sup>¼</sup> <sup>P</sup>*<sup>n</sup>*

the new removal costs ^*ci* as follows:

rule for numerical integration.

**119**

represent the two objective function of Problem 1.

*R*ð Þ*<sup>i</sup> ab* <sup>¼</sup> *<sup>r</sup>*

*DOI: http://dx.doi.org/10.5772/intechopen.95367*

ð Þ*i <sup>a</sup> =r* ð Þ*i*

indicator **r** <sup>∗</sup> ∈ *<sup>n</sup>* that solves the following problem.

*i*¼1 *wi* X*n a*¼1

deviation from the ratios *R*ð Þ*<sup>i</sup>* for the *m* considered metrics.

**4. Defensive strategy definition and evaluation**

treat zero-valued entries as not available data.

*<sup>f</sup>*ð Þ¼ **<sup>r</sup>** <sup>X</sup>*<sup>m</sup>*

**Problem 2** Find **r** <sup>∗</sup> ∈ *<sup>n</sup> that solves*

ð Þ*i <sup>a</sup> =r* ð Þ*i <sup>b</sup>* if both*r*

<sup>0</sup> *otherwise* (

follows:


The cooperative game Γð Þ *P*, *g* is defined by the couple ð Þ *P*, *g* where the elements of *P* are the players of the game and the characteristic function of the game *g S*ð Þ estimates the utility of each coalition *S*∈2*P*.

Cooperative games can be solved via multiple approaches, the Shapley value [16] is one of the possible concepts of solution. The Shapley value assigns to each player *i* ∈*P*, a reward *ϕ<sup>i</sup>* . The larger is the contribution given by *i* in all the possible coalitions of players, based on the function *g*, the larger is the reward *ϕ<sup>i</sup>* for the player *i*.

The Shapley value is a column vector Φ whose entries are *ϕ<sup>i</sup>* are defined according to Eq. (9).

$$\phi\_i = \frac{1}{n!} \sum\_{\mathbb{S} \subseteq P\{i\}} |\mathbb{S}|!(n - |\mathbb{S}| - 1)! (\mathbf{g}(\mathbb{S} \cup \{i\}) - \mathbf{g}(\mathbb{S})) \tag{9}$$

With the aim to adopt these concepts to provide a critical index able to quantify the criticality of each node of the network, a cooperative game Γð Þ *N*, *nPWC* is defined. The set of players is represented by the set of nodes *N* while the characteristic function *g* is *NPWC* (Eq. (3)). Notice that, in [15], it is demonstrated that the NPWC satisfy the two fundamental properties of a characteristic function.

The solution of the proposed game will assign a reward to each node in *V* proportional to its contribution to the connectivity expressed in terms of *NPWC*, hence the Shapley value can be considered a valid node criticality metric.

#### **3. A multi-criteria vulnerability detection index**

As briefly introduced in Section 1, a research of the most critical nodes based on a single metric is practically worthless and extremely simplistic. In this section we propose an approach able to provide a holistic indicator able to take into account multiple criticality evaluations based on multiple metrics also in presence of incomplete data. The proposed method is based on the well-known Analytic Hierarchy Process (AHP) introduced by Saaty [17]. For a given set of *m* alternatives, relative utility ratios *ri=rj* are defined by experts. Such a setting is typical in contexts involving human decision-makers, which are usually more comfortable providing relative comparisons among the utilities of the different alternatives (e.g., "Alternative *i* is twice better than alternative *j*"), rather than directly assessing an absolute utility value of each alternative (i..e, "The value of alternative *i* is ..."). The AHP is a procedure able to estimate the absolute utilities *ri* starting from the given utility ratios *ri=rj*. See [17] for additional notions about the AHP.

We now suppose to have *m* different metrics *M*<sup>1</sup> … *Mm*. According to these metrics, the entries of the column vectors **r**ð Þ<sup>1</sup> … **r**ð Þ *<sup>m</sup>* represents the criticality rate of each node of the graph. Notice that the method is applicable also if for some metrics the criticality ratio of some node is not available [12]. Finally, let *w*<sup>1</sup> … *wm* be positive weights defined by subject-matter experts (SMEs) representing the relevance of each metric. The larger is the weight associated to the *i*-th metric, the larger the influence of such metric in the final holistic indicator. Such weights can

*A Strategy to Improve Infrastructure Survivability via Prioritizing Critical Nodes… DOI: http://dx.doi.org/10.5772/intechopen.95367*

be obtained also resolving AHP on the basis of pair-wise comparisons between the different metrics.

For each metric we define the *<sup>n</sup>* � *<sup>n</sup>* matrix *<sup>R</sup>*ð Þ*<sup>i</sup>* whose entries are defined as follows:

$$R\_{ab}^{(i)} = \begin{cases} r\_a^{(i)} / r\_b^{(i)} \text{if } \text{both} \, r\_a^{(i)} \text{ and} \, r\_b^{(i)} \text{ are defined} \\ 0 \, \text{otherwise} \end{cases} \tag{10}$$

In other words, the matrix *R*ð Þ*<sup>i</sup>* collects the relative utility ratios between the *a*-th and *b*-th nodes according to the *i*-th metric if both the evaluation are available. Notice that some ratio *r* ð Þ*i <sup>a</sup> =r* ð Þ*i <sup>b</sup>* might be undefined if *r* ð Þ*i <sup>b</sup>* ¼ 0, due to this reason, we treat zero-valued entries as not available data.

By considering the matrices *R*ð Þ*<sup>i</sup>* , we aim at finding the aggregated holistic indicator **r** <sup>∗</sup> ∈ *<sup>n</sup>* that solves the following problem.

**Problem 2** Find **r** <sup>∗</sup> ∈ *<sup>n</sup> that solves*

Let *<sup>P</sup>* be the set of players, and *<sup>g</sup>* : <sup>2</sup>*<sup>P</sup>* ) <sup>þ</sup> a function that satisfies the following

• Superadditive property: if *<sup>S</sup>*, *<sup>T</sup>* <sup>∈</sup> <sup>2</sup>*<sup>P</sup> <sup>s</sup>:t: <sup>S</sup>* <sup>∩</sup> *<sup>T</sup>* <sup>¼</sup> <sup>∅</sup>, then *v S*ð Þ <sup>∪</sup> *<sup>T</sup>* <sup>≥</sup>*g S*ð Þþ *g T*ð Þ

The cooperative game Γð Þ *P*, *g* is defined by the couple ð Þ *P*, *g* where the elements of *P* are the players of the game and the characteristic function of the game *g S*ð Þ

Cooperative games can be solved via multiple approaches, the Shapley value [16] is one of the possible concepts of solution. The Shapley value assigns to each player

With the aim to adopt these concepts to provide a critical index able to quantify

As briefly introduced in Section 1, a research of the most critical nodes based on a single metric is practically worthless and extremely simplistic. In this section we propose an approach able to provide a holistic indicator able to take into account multiple criticality evaluations based on multiple metrics also in presence of incomplete data. The proposed method is based on the well-known Analytic Hierarchy Process (AHP) introduced by Saaty [17]. For a given set of *m* alternatives, relative utility ratios *ri=rj* are defined by experts. Such a setting is typical in contexts involving human decision-makers, which are usually more comfortable providing relative comparisons among the utilities of the different alternatives (e.g., "Alternative *i* is twice better than alternative *j*"), rather than directly assessing an absolute utility value of each alternative (i..e, "The value of alternative *i* is ..."). The AHP is a procedure able to estimate the absolute utilities *ri* starting from the given utility

We now suppose to have *m* different metrics *M*<sup>1</sup> … *Mm*. According to these metrics, the entries of the column vectors **r**ð Þ<sup>1</sup> … **r**ð Þ *<sup>m</sup>* represents the criticality rate of each node of the graph. Notice that the method is applicable also if for some metrics the criticality ratio of some node is not available [12]. Finally, let *w*<sup>1</sup> … *wm* be positive weights defined by subject-matter experts (SMEs) representing the relevance of each metric. The larger is the weight associated to the *i*-th metric, the larger the influence of such metric in the final holistic indicator. Such weights can

the criticality of each node of the network, a cooperative game Γð Þ *N*, *nPWC* is defined. The set of players is represented by the set of nodes *N* while the characteristic function *g* is *NPWC* (Eq. (3)). Notice that, in [15], it is demonstrated that the NPWC satisfy the two fundamental properties of a characteristic function. The solution of the proposed game will assign a reward to each node in *V* proportional to its contribution to the connectivity expressed in terms of *NPWC*,

hence the Shapley value can be considered a valid node criticality metric.

of players, based on the function *g*, the larger is the reward *ϕ<sup>i</sup>* for the player *i*. The Shapley value is a column vector Φ whose entries are *ϕ<sup>i</sup>* are defined

. The larger is the contribution given by *i* in all the possible coalitions

∣*S*∣!ð Þ *n*�j*S*j�1 !ð Þ *g S*ð Þ� ∪ f g*i g S*ð Þ (9)

properties:

• *g*ð Þ¼ ∅ 0

*i* ∈*P*, a reward *ϕ<sup>i</sup>*

**118**

according to Eq. (9).

estimates the utility of each coalition *S*∈2*P*.

*Issues on Risk Analysis for Critical Infrastructure Protection*

*<sup>ϕ</sup><sup>i</sup>* <sup>¼</sup> <sup>1</sup> *n*!

X *S*⊆*P i* f g

**3. A multi-criteria vulnerability detection index**

ratios *ri=rj*. See [17] for additional notions about the AHP.

$$\mathbf{r}^\* = \underset{\mathbf{r} \in \mathbb{R}\_+^s}{\arg\min} f(\mathbf{r}) = \sum\_{i=1}^m w\_i \sum\_{a=1}^n \sum\_{b \mid R\_{ab}^{(i)} \neq 0} \left( \ln \left( R\_{ab}^{(i)} \right) - \log \left( r\_a \right) + \log \left( r\_b \right) \right)^2 \tag{11}$$

The holistic indicator **r** <sup>∗</sup> is a new node criticality measure that represents a compromise between the *m* initial metrics *M*<sup>1</sup> … *Mm* by taking into account the SMEs preferences *wi*. In other words, Problem 2 aims at finding the criticality indicator **r** <sup>∗</sup> *<sup>a</sup>* , assigned to the *a*-th node, such that the ratios **r** <sup>∗</sup> *<sup>a</sup> =***r** <sup>∗</sup> *<sup>b</sup>* minimize the deviation from the ratios *R*ð Þ*<sup>i</sup>* for the *m* considered metrics.

### **4. Defensive strategy definition and evaluation**

In this section we propose a methodology to define a defensive strategy able to improve the survivability of the network with a focus on the connectivity maintenance with respect to nodes deletion. As introduced in Section 2, an attack cost *ci* is associated to each node *vi*. Our aim is the definition of a new distribution of the budget in order to minimize the loss of connectivity in case of malicious attacks.

Let *<sup>B</sup>* <sup>¼</sup> <sup>P</sup>*<sup>n</sup> <sup>i</sup>*¼<sup>1</sup>*ci* the defensive budget computed on the basis of the initial removal costs. We propose a new allocation of the budget by defining the removal cost proportionally to the holistic indicator **r** <sup>∗</sup> described in Section 3. Hence, we define the new removal costs ^*ci* as follows:

$$
\hat{c}\_i = \frac{1}{B} \frac{\mathbf{r}^\* \!\!/ \!
}\_{\mathbf{1}\_\mathbf{n}} \text{.}\tag{12}
$$

It is now necessary evaluate the robustness of a network with a particular defensive strategy. As introduced in Section 2.1, due to its multi-objective nature, Problem 1 is characterized by the presence of multiple optimal solutions collected in the Pareto front <sup>P</sup>. Each optimal solution **<sup>x</sup>**ð Þ*<sup>j</sup>* is associated to a couple of values: a particular connectivity value *<sup>f</sup>* <sup>1</sup> **<sup>x</sup>**ð Þ*<sup>j</sup>* � � and an attack cost *<sup>f</sup>* <sup>2</sup> **<sup>x</sup>**ð Þ*<sup>j</sup>* � �, where *<sup>f</sup>* <sup>1</sup> and *<sup>f</sup>* <sup>2</sup> represent the two objective function of Problem 1.

In [11], the global robustness index Q is defined as the area under the polygonal chain connecting the points ( *<sup>f</sup>* <sup>1</sup> **<sup>x</sup>**ð Þ*<sup>j</sup>* � �,*<sup>f</sup>* <sup>2</sup> **<sup>x</sup>**ð Þ*<sup>j</sup>* � �) in the Pareto front using trapezoidal rule for numerical integration.

As depicted in **Figure 3**, Q is a measure of the overall robustness of the network. In fact, the larger is the area, the higher is the value of the objectives associated to the solutions in the Pareto front; hence, high values of the global robustness index correspond to networks where the attacker is not able to deal large damage, or deals large damage only for large effort.

### **5. Case study**

In this section we prove the effectiveness of the proposed three-stage methodology able to improve the network survivability via critical nodes protection. The proposed strategy is tested on the CI represented by the network depicted in **Figure 4**. Notice that the case study is based on a network that does not represents a real infrastructure. The network is composed by *n* ¼ 15 nodes and *e* ¼ 35 edges. As discussed in Section 2, the first step of the methodology is devoted to the identification of criticality measures able to take into account the effects about the disconnection of a node from the graph by evaluating the loss of connectivity of the entire infrastructure. Notice that, the removal costs *ci* are set to 1 for each node of the infrastructure.

The first columns in **Table 1** collect the metrics defined by Eqs. 5 and 6 respectively. Concerning the distribution of the critical indices *χi*, the largest value are associated to the nodes 10 and 3. Notice that, the deletion of such nodes divides the nodes in two partitions, hence it strongly compromises the connectivity of the network in terms of nPWC.

Similar results are obtained by considering the computation of the Shapley value in order to solve the cooperative game as described in Section 2.2. We remark that this approach assigns a reward to each node of the network according to their contribution to the connectivity of the entire network by considering all the possible partitions of nodes. Notice that, the results computed via Shapley not consider the removal cost *ci* while the results of Problem 1 take into account also this aspect, moreover, in this case study all the removal costs *ci* are set to 1.

In the last column of **Table 1**, we show the criticality rate for each node according to the new holistic indicator computed as in Eq. (7) considering *m*=4 metrics (i.e. the critical index, the Shapley Value, the node Degree and the

order to emphasize the criticality metrics based on the concept of PWC.

*Criticality evaluations based on four different metrics and computed holistic indicator.*

indicator, as the fourth most critical node in the network.

*<sup>i</sup>*¼<sup>1</sup>*ci* <sup>¼</sup> 15.

budget *<sup>B</sup>* <sup>¼</sup> <sup>P</sup>*<sup>n</sup>*

**121**

*a*

*b*

*c*

**Table 1.**

**Node Critical Index** *χ<sup>i</sup>*

*DOI: http://dx.doi.org/10.5772/intechopen.95367*

*Criticality measure based on Eq. (5).*

*Criticality measure based on Eq. (6).*

*Holistic Indicator based on Eq. (7).*

**<sup>a</sup> Shapley Value** *ϕ<sup>i</sup>*

 0.1111 0.0354 2 0 0.0360 0.1852 0.0493 4 0 0.0587 0.2863 0.0952 4 24 0.1003 0.2593 0.1465 3 45 0.1143 0.0370 0.0354 2 0 0.0238 0.1111 0.0493 4 0 0.0484 0.1111 0.0521 6 3.5 0.0491 0.2593 0.0547 7 2 0.0618 0.1481 0.0515 3 15 0.0580 0.2963 0.1635 5 48 0.1389 0.0741 0.0515 3 15 0.0465 0.1852 0.0521 6 3.5 0.0577 0.1852 0.0521 6 3.5 0.0577 0.2222 0.0567 8 19.5 0.0871 0.2593 0.0547 7 2 0.0618

*A Strategy to Improve Infrastructure Survivability via Prioritizing Critical Nodes…*

**<sup>b</sup> Degree Betweenness Holistic Indicator ri**

**∗ c**

Betweenness centrality). According to the procedure defined in Section 3, we have set the metric relevance as follows: *w*<sup>1</sup> ¼ 0*:*3, *w*<sup>2</sup> ¼ 0*:*3, *w*<sup>3</sup> ¼ 0*:*2, and *w*<sup>4</sup> ¼ 0*:*2 in

The nodes color in **Figure 4** depends on the aggregated criticality values, according to the colormap. On the basis of this new indicator, the node 10 is the most critical node of the graph, in fact the deletion of this node strongly compromise the connectivity of the network and the creation of two disconnected partitions. Due to the same reason, a high criticality rate is also assigned to the nodes 4 and 3. Despite the node 14 is not essential for the connectivity, this node is characterized by a high node degree, in fact it is considered, according to the holistic

Starting from the results obtained by computing the holistic indicator **r** <sup>∗</sup> , we adopt a defensive strategy by defining a new attack cost ^*ci*, for each node, proportional to its holistic criticality rate as defined in Eq. (8). Notice that the defensive

The effectiveness of the proposed defensive strategy is proved by considering the global robustness index Q, we remark that it came from the solution of Problem 1 and it is defined as the area under the Pareto front. As depicted in **Figure 5**, the new allocation of the defensive budget *B* is very effective to contrast an attacker especially with limited budget. In more details, in case of uniform defensive strategy (i.e. all the attack costs set to 1) the area under the Pareto front is equal to <sup>Q</sup> <sup>¼</sup> 0*:*1229, while the new budget allocation (Eq. (8)) based on the holistic indicator **r** <sup>∗</sup>

improves the network robustness by increasing the area to <sup>Q</sup> <sup>¼</sup> <sup>0</sup>*:*1591.

Finally, the fourth and fifth columns of **Table 1** collect the node degree and the betweenness centrality [18] for each node in the graph.

**Figure 4.** *Case study network. The node color depends on the holistic criticality rate computed via Eq. (7).*


*A Strategy to Improve Infrastructure Survivability via Prioritizing Critical Nodes… DOI: http://dx.doi.org/10.5772/intechopen.95367*

*Criticality measure based on Eq. (5).*

*b Criticality measure based on Eq. (6). c*

*Holistic Indicator based on Eq. (7).*

#### **Table 1.**

As depicted in **Figure 3**,

*Issues on Risk Analysis for Critical Infrastructure Protection*

large damage only for large effort.

**5. Case study**

infrastructure.

**Figure 4.**

**120**

network in terms of nPWC.

Q is a measure of the overall robustness of the network.

In fact, the larger is the area, the higher is the value of the objectives associated to the solutions in the Pareto front; hence, high values of the global robustness index correspond to networks where the attacker is not able to deal large damage, or deals

In this section we prove the effectiveness of the proposed three-stage methodology able to improve the network survivability via critical nodes protection. The proposed strategy is tested on the CI represented by the network depicted in **Figure 4**. Notice that the case study is based on a network that does not represents a real infrastructure. The network is composed by *n* ¼ 15 nodes and *e* ¼ 35 edges. As discussed in Section 2, the first step of the methodology is devoted to the identification of criticality measures able to take into account the effects about the disconnection of a node from the graph by evaluating the loss of connectivity of the entire infrastructure. Notice that, the removal costs *ci* are set to 1 for each node of the

The first columns in **Table 1** collect the metrics defined by Eqs. 5 and 6 respectively. Concerning the distribution of the critical indices *χi*, the largest value are associated to the nodes 10 and 3. Notice that, the deletion of such nodes divides the nodes in two partitions, hence it strongly compromises the connectivity of the

Similar results are obtained by considering the computation of the Shapley value in order to solve the cooperative game as described in Section 2.2. We remark that this approach assigns a reward to each node of the network according to their contribution to the connectivity of the entire network by considering all the possible partitions of nodes. Notice that, the results computed via Shapley not consider the removal cost *ci* while the results of Problem 1 take into account also this aspect,

Finally, the fourth and fifth columns of **Table 1** collect the node degree and the

moreover, in this case study all the removal costs *ci* are set to 1.

*Case study network. The node color depends on the holistic criticality rate computed via Eq. (7).*

betweenness centrality [18] for each node in the graph.

*Criticality evaluations based on four different metrics and computed holistic indicator.*

In the last column of **Table 1**, we show the criticality rate for each node according to the new holistic indicator computed as in Eq. (7) considering *m*=4 metrics (i.e. the critical index, the Shapley Value, the node Degree and the Betweenness centrality). According to the procedure defined in Section 3, we have set the metric relevance as follows: *w*<sup>1</sup> ¼ 0*:*3, *w*<sup>2</sup> ¼ 0*:*3, *w*<sup>3</sup> ¼ 0*:*2, and *w*<sup>4</sup> ¼ 0*:*2 in order to emphasize the criticality metrics based on the concept of PWC.

The nodes color in **Figure 4** depends on the aggregated criticality values, according to the colormap. On the basis of this new indicator, the node 10 is the most critical node of the graph, in fact the deletion of this node strongly compromise the connectivity of the network and the creation of two disconnected partitions. Due to the same reason, a high criticality rate is also assigned to the nodes 4 and 3. Despite the node 14 is not essential for the connectivity, this node is characterized by a high node degree, in fact it is considered, according to the holistic indicator, as the fourth most critical node in the network.

Starting from the results obtained by computing the holistic indicator **r** <sup>∗</sup> , we adopt a defensive strategy by defining a new attack cost ^*ci*, for each node, proportional to its holistic criticality rate as defined in Eq. (8). Notice that the defensive budget *<sup>B</sup>* <sup>¼</sup> <sup>P</sup>*<sup>n</sup> <sup>i</sup>*¼<sup>1</sup>*ci* <sup>¼</sup> 15.

The effectiveness of the proposed defensive strategy is proved by considering the global robustness index Q, we remark that it came from the solution of Problem 1 and it is defined as the area under the Pareto front. As depicted in **Figure 5**, the new allocation of the defensive budget *B* is very effective to contrast an attacker especially with limited budget. In more details, in case of uniform defensive strategy (i.e. all the attack costs set to 1) the area under the Pareto front is equal to <sup>Q</sup> <sup>¼</sup> 0*:*1229, while the new budget allocation (Eq. (8)) based on the holistic indicator **r** <sup>∗</sup> improves the network robustness by increasing the area to <sup>Q</sup> <sup>¼</sup> <sup>0</sup>*:*1591.

**Acknowledgements**

*DOI: http://dx.doi.org/10.5772/intechopen.95367*

**Author details**

Luca Faramondi<sup>1</sup>

**123**

Fabio Pera<sup>2</sup> and Roberto Setola<sup>1</sup>

Bio-Medico di Roma, Rome, Italy

provided the original work is properly cited.

\*, Giacomo Assenza<sup>1</sup>

, Gabriele Oliva<sup>1</sup>

1 Unit of Automatic Control, Department of Engineering, Università Campus

© 2021 The Author(s). Licensee IntechOpen. This chapter is distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/ by/3.0), which permits unrestricted use, distribution, and reproduction in any medium,

2 National Institute for Insurance against Accidents at Work, Italy

\*Address all correspondence to: l.faramondi@unicampus.it

, Ernesto Del Prete<sup>2</sup>

,

This work was supported by INAIL via the European Saf€ra project "Integrated Management of Safety and Security Synergies in Seveso Plants" (Saf€ra 4STER).

*A Strategy to Improve Infrastructure Survivability via Prioritizing Critical Nodes…*

**Figure 5.** *Results of problem 1. Pareto fronts obtained by applying defensive strategies based on the holistic indicator (blue line), and uniform attack costs (red line).*
