Ludovic Pietre-Cambacedes’s research while affiliated with Électricité de France (EDF) and other places


Publications (22)


Mieux intégrer sûreté et cybersécurité : problématique, enjeux et perspectives
  • Chapter

July 2015 · 49 Reads

Ludovic Pietre-Cambacedes

Figures: Fig. 2. Safety–security lifecycle model [10]; Fig. 3. Conflict resolution at the requirements level [10]; Fig. 4. Key lifecycle alignment points [30]; Fig. 5. Security–safety lifecycle [26]; Fig. 7. Safety–security integrated risk analysis process.

A Survey of Approaches Combining Safety and Security for Industrial Control Systems
  • Article
  • Full-text available

February 2015 · 10,591 Reads · 376 Citations

Reliability Engineering & System Safety

The migration towards digital control systems creates new security threats that can endanger the safety of industrial infrastructures. Addressing the convergence of safety and security concerns in this context, we provide a comprehensive survey of existing approaches to industrial facility design and risk assessment that consider both safety and security. We also provide a comparative analysis of the different approaches identified in the literature. Free download of the article at the following link until May 21, 2015: http://authors.elsevier.com/a/1Qn-43OQ~f8zFQ

Safety and Security Interactions Modeling Using the BDMP Formalism: Case Study of a Pipeline

September 2014 · 89 Reads · 61 Citations

Lecture Notes in Computer Science

Siwar Kriaa · Frédéric Colin · [...] · Ludovic Pietre-Cambacedes

The digitalization of industrial control systems (ICS) raises several security threats that can endanger the safety of the critical infrastructures supervised by such systems. This paper presents an analysis method that enables the identification and ranking of risks leading to a safety issue, regardless of the origin of those risks: accidental or due to malevolence. This method relies on a modeling formalism called BDMP (Boolean logic Driven Markov Processes) that was initially created for safety studies and then adapted to security. The use of the method is first illustrated on a simple case to show how it can be used to make decisions in a situation where security requirements are in conflict with safety requirements. Then it is applied to a realistic industrial system, a pipeline and its instrumentation and control system, in order to highlight possible interactions between safety and security.


Cyber Security of Nuclear Instrumentation & Control Systems: Overview of the IEC Standardization Activities

June 2013 · 136 Reads · 12 Citations

IFAC Proceedings Volumes

This paper provides an overview of the work of the International Electrotechnical Committee (IEC) on the development of a series of standards dealing with the cyber security of nuclear power plant (NPP) instrumentation and control (I&C) systems. In particular, the status and content of the first, top level document of the series, IEC 62645, is described. A more recent draft, IEC 62859, dealing with the coordination between safety and cyber security aspects, is also presented. Future work and perspectives associated with this new series of standards are finally discussed.


DAG-Based Attack and Defense Modeling: Don't Miss the Forest for the Attack Trees

March 2013 · 603 Reads · 371 Citations

Computer Science Review

This paper presents the current state of the art on attack and defense modeling approaches that are based on directed acyclic graphs (DAGs). DAGs allow for a hierarchical decomposition of complex scenarios into simple, easily understandable and quantifiable actions. Methods based on threat trees and Bayesian networks are two well-known approaches to security modeling. However there exist more than 30 DAG-based methodologies, each having different features and goals. The objective of this survey is to present a complete overview of graphical attack and defense modeling techniques based on DAGs. This consists of summarizing the existing methodologies, comparing their features and proposing a taxonomy of the described formalisms. This article also supports the selection of an adequate modeling technique depending on user requirements.


Cross-fertilization between safety and security engineering

February 2013 · 412 Reads · 168 Citations

Reliability Engineering & System Safety

The purpose of this paper is to give a comprehensive view of methods, models, tools and techniques that have been created in safety engineering and transposed to security engineering, or vice versa. Since the concepts of safety and security can somewhat vary according to the context, the first section of the paper deals with the scope and definitions that will be used in the sequel. The similarities and differences between the two domains are analyzed. A careful screening of the literature (this paper contains 201 references) made it possible to identify cross-fertilizations in various fields such as architectural concepts (e.g. defense in depth, security or safety kernels), graphical formalisms (e.g. attack trees), structured risk analyses or fault tolerance and prevention techniques.


Modeling the Stuxnet attack with BDMP: Towards more formal risk assessments

October 2012 · 2,475 Reads · 85 Citations

Attack modeling has recently been adopted by security analysts as a useful tool in risk assessment of cyber-physical systems. We propose in this paper to model the Stuxnet attack with BDMP (Boolean logic Driven Markov Processes) formalism and to show the advantages of such modeling. After a description of the architecture targeted by Stuxnet, we explain the steps of the attack and model them formally with a BDMP. Based on estimated values of the success probabilities and rates of the elementary attack steps, we give a quantification of the main possible sequences leading to the physical destruction of the targeted industrial facility. This example completes a series of papers on BDMP applied to security by modeling a real case study. It highlights the advantages of BDMP compared to attack trees often used in security assessment.



Fig. 1 represents a very simple BDMP modeling a two-step attack with two alternatives for Step 1. The "trigger", represented by the dotted arrow, ensures that the leaf representing Step 2 is realizable only if Step 1 has been completed. The times needed for the realization of the leaves are defined by stochastic processes; their behaviors can be made dependent on other leaves by means of the triggers. Tab. 1 shows the three kinds of leaves defined for security modeling. Their complete definitions can be found in [PCB10b].

Figures: Fig. 5: A simple model to explain AA, TSE and ISE leaves; Figaro model (textual).

Security Modeling with BDMP: From Theory to Implementation

June 2011 · 647 Reads · 17 Citations

This paper discusses the implementation and use of the BDMP (Boolean logic Driven Markov Processes) formalism, recently adapted to graphical attack modeling. Theoretically, it offers an attractive trade-off between readability, scalability, modeling power and quantification capabilities. In practice, efficient model construction and analysis need complementary tools and enhancements, which were developed only once the implementation and the first security studies had been carried out. In particular, attack sequence filtering based on attacker profiles and sensitivity analysis provide significant help. Perspectives include the addition of a security pattern library or the connection with other modeling frameworks.


Citations (18)


... This is true when considering safety (i.e., the absence of risk connected with unintentional malfunctions) and security (i.e., the absence of risk linked with intentional attacks) [34]. To perform transparent, complete and accountable risk assessment, it is fundamental to explicitly account for the role objects play in Events and Actions in which they participate, and for how their status affects safety and security interplay: a door being locked causes the impossible escape event in case of fire but simultaneously stops the action of a burglar entering your house [22,26,35]. Formalisms widely employed in industry and academia to conduct risk assessment, such as fault trees [30] and attack trees [33], are not equipped to explicitly reason about objects. ...

Reference: DODGE: Ontology-Aware Risk Assessment via Object-Oriented Disruption Graphs

Safety and Security Interactions Modeling Using the BDMP Formalism: Case Study of a Pipeline
  • Citing Conference Paper
  • September 2014

Lecture Notes in Computer Science

... Threats to systems or individuals are complex and varied (Bubnovskaia, Leonidova & Lysova, 2019; Leveson, 2020), differing in nature (ex., malicious/accidental), origin (ex., internal/external), and target (ex., individual/system/environment) (Andéol-Aussage et al., 2013; Brantingham & Brantingham, 1991; Piètre-Cambacédès & Chaudet, 2010). Personnel training, OSH standards, and system redundancies are often used to address internally or system-originating threats to safety, like equipment malfunctions and human error (Kriaa et al., 2015). Crime prevention and physical security strategies, conversely, are used to address maliciously originating threats, such as intrusion, sabotage, or violence (Kriaa et al., 2015; Piètre-Cambacédès & Chaudet, 2010). ...

A Survey of Approaches Combining Safety and Security for Industrial Control Systems

Reliability Engineering & System Safety

... A well-known example of such an attack is Stuxnet (2010) [32], [33], a sophisticated malware that targeted the Natanz uranium enrichment facility in Iran. Stuxnet aimed to disrupt the centrifuges by manipulating the industrial control systems without detection. ...

Modeling the Stuxnet attack with BDMP: Towards more formal risk assessments

... Impacts of a terroristic attack in terms of security can be measured in economic losses and public effects, impacts in terms of safety through casualties. For a review of the different security and safety definitions see CAMBACÉDÈS & CHAUDET (2010). [...] automation of productive services have created a world-wide network in which all kinds of users operate. ...

The SEMA referential framework: Avoiding equivocations on security and safety issues
  • Citing Conference Paper
  • March 2010

... Threats to systems or individuals are complex and varied (Bubnovskaia, Leonidova & Lysova, 2019; Leveson, 2020), differing in nature (ex., malicious/accidental), origin (ex., internal/external), and target (ex., individual/system/environment) (Andéol-Aussage et al., 2013; Brantingham & Brantingham, 1991; Piètre-Cambacédès & Chaudet, 2010). Personnel training, OSH standards, and system redundancies are often used to address internally or system-originating threats to safety, like equipment malfunctions and human error (Kriaa et al., 2015). ...

The SEMA referential framework: Avoiding ambiguities in the terms "security" and "safety"
  • Citing Article
  • June 2010

International Journal of Critical Infrastructure Protection

... In order to propose improved methodologies for joint S&S risk analysis throughout the system lifecycle, it is crucial to explore the relationships between these two domains. Numerous authors have discussed the similarities and differences between S&S, including [17, 42-44]. S&S share a common aim of addressing undesirable events within the system and engage in overlapping tasks, such as identifying, analysing, assessing, and mitigating risks. ...

Des relations entre sûreté et sécurité

... One possible solution involves the definition of information security zones with the plant and using "data diodes" that often claim to provide 100% one way data passage. As explained in [16] however, such devices are far from a "silver bullet" due to the inability of the receiver to provide feedback, such as acknowledgements, to the sender and this could result in missing data. ...

Deconstruction of some industrial control systems cybersecurity myths
  • Citing Article