Modelling the impact of cyber attacks on the traffic control centre of an urban automobile transport system by means of enhanced cybersecurity

This paper aims to show the major role that means of protection play in strengthening the cybersecurity of critical transport infrastructure, using the advanced method of simulation modelling. The simulation model of a Traffic Control Centre (TCC) of an urban Automobile Transport System (ATS) is created by the author in the Riverbed Modeler Academic Edition 17.5 computer network simulation system and is exposed to the impact of a Denial-of-Service attack. In addition, logical conclusions have been made on the basis of the experimental results obtained and evaluated by comparative analysis with results from analogous previous studies.


Introduction
The focus of the present research is on the measures of strengthening and maintaining a secure, operational and sustainable critical transport infrastructure and in particular an urban Automobile Transport System (ATS) by building a reliable cyber protection of its Traffic Control Centre (TCC).
For this purpose, the author has studied and analyzed various advanced simulation environments based on agent-based modelling such as NetLogo [1], Aimsun 8.0, Cisco Packet Tracer and Riverbed Modeler. The capabilities of Riverbed Modeler Academic Edition 17.5 for modelling of computer networks by using a rich palette of realistic network devices and components, which could be precisely configured, make it the preferable software for assessing the impact of a Denial-of-Service attack on the TCC.
It is logical that the choice of an impenetrable protection is preceded by a detection of the vulnerabilities in a system. An example of an adaptive conceptual architecture for critical infrastructure cybersecurity is shown in Fig. 1. As it can be seen, the Topological Vulnerability Analysis (TVA) and the strategies for reducing the vulnerability are carried out at the prevention stage of the overall management, monitoring and analysis process, while the reinforcement of security by technical means is recommended to be done at the last stage.
The advantages of complex systems modelling by using professional simulation software are defined on the basis of a comparison with the other publicly known method of "penetration tests" for assessing the vulnerability of the critical infrastructure against cyber attacks.

Advantages of simulation modelling for assessing the vulnerability of critical infrastructure to cyber attacks
Simulation modelling is the main tool of TVA that is expressed in monitoring the state of network assets and maintaining models of network vulnerabilities and residual risk. It combines these to produce models that show the impact of individual and combined vulnerabilities on overall security posture [2].
In Riverbed Modeler Academic Edition 17.5 there is a possibility for specifying the settings of the DoS-attack profile and the vulnerability called "probability of infection" in percentages, as it can be seen from the screenshot shown in Fig. 2. The study could begin with absence of vulnerability (None) and continue to set the maximum vulnerability of 100 %. Penetration tests are used to verify security and, in particular, to detect vulnerabilities in security systems by attacking them in the same way as a potential hacker would. One of the main differences between the two methods is that penetration tests must be implemented in "virtual machines" with vulnerable applications in order to safely test different techniques that target a system breakthrough, using publicly available tools [3]. This can be considered as an advantage of simulation modelling as compared to penetration tests, because the direct installation of simulation software on a personal computer does not pose a threat of infection.
Indeed, both methods in their essence are intended to detect vulnerabilities in the system but differ in the purpose of taking this action. In simulation modelling vulnerability assessment precedes simulation execution, while in penetration tests the attacker wastes time looking for weak points in the system. Practically, every complex system of great importance such as a TCC is protected in some way and it takes the attacker a relatively long time to overcome these means of protection. In this case, the advantage of simulation modelling is the possibility for the impact of a cyber attack to be seen instantly by relevant settings for ignoring the protection.
Actually, the full process of penetration testing is executed in seven successive phases as follows: Pre-engagement, Information gathering, Threat modelling, Vulnerability analysis, Exploitation, Post exploitation, Reporting [3]. An analogous sequence of five phases in modelling a DoS-attack on a TCC in Riverbed Modeler Academic Edition 17.5 can be presented as a comparison: Gathering information about the DoS-attack, Attack modelling, Vulnerability assessment, Simulation execution, Summary evaluation of the results. By using the method of simulation modelling the phases become fewer as there is no direct and continuous communication with the client who has commissioned the penetration testing. This can be considered as another advantage of simulation modelling, because the client is not constantly involved in the process of performing a penetration test, but gets a finished end product. Additionally, penetration testing is usually conducted on site at the institution or organization that has commissioned it and this causes a disruption of its normal functioning during this process.

Means of protection against cyber attacks based on the potential vulnerabilities
The first step in defining an optimal protection strategy is to determine precisely the vulnerability of the specific management system which could be related to lapses in:
• network configuration - not using flow management methods; unencrypted passwords; bad device configuration in terms of security.
• network hardware - unsafe physical ports and unreliable physical protection.
• means of protection - misconfigured firewalls, undefined network security perimeter.
• software - buffer overflow, DoS-attacks, lack of Intrusion Detection System (IDS), failure to maintain Logs and monitor them in real time.
• hardware - insufficient testing, unreliable physical protection, unauthorized access, insecure remote access, Electromagnetic Interference (EMI).
• communication system - unsuitable Logs of firewalls and routers, lack of monitoring, authentication and verification of data integrity.
• security policies and procedures [4].
On the basis of the classified main vulnerabilities the author recommends the following means for overall improvement of cybersecurity:
• antivirus software - constant update of the software is required to prevent penetration into the system.
• router - this autonomous device working with IP addresses can be defined as a smart device compared to the switch, because besides distributing the traffic it is also able to reduce the vulnerability of the system to cyber threats from the Internet.
The similarity between Riverbed Modeler and Cisco Packet Tracer is the possibility to simulate the complete network by connecting real types of network devices and components. The main advantage of Riverbed Modeler compared to Cisco Packet Tracer is the possibility for directly simulating the impact of cyberattacks on different computer networks. For this reason the author has preferred Riverbed Modeler Academic Edition 17.5 to make the part of this research related to modelling the TCC and a cyberattack on it.
The research can be continued using the professional traffic modelling software Aimsun 8.0 after a logical assumption that the servers or services stop responding to client requests as a result of the simulated DoS-attack and this affects the Traffic Signal Control System. In this paper the focus is on strengthening the protection through a firewall insertion in order to reduce the probability of infection and, accordingly, to prevent traffic changes under the impact of a DoS-attack. Because the server communicates with the signal controllers of the traffic lights, disturbances in normal signalling of traffic lights are observed after the server has stopped working [7]. Using reliable protections in TCC should help to support the normal traffic flows without the increased time delay and mean queues observed under the impact of successful cyberattacks.
The research of Prof. J. Alex Halderman from the University of Michigan in the field of computer security can be used in support of the claims about the course and consequences of cyberattacks on an urban ATS. In this study, the team led by Prof. Halderman concludes that the vulnerabilities they discovered in the infrastructure are not a fault of any one device or design choice, but rather show a systemic lack of security consciousness, which is expressed in: unencrypted radio signals; use of default usernames and passwords; a debug port that is easy to attack; use of an older version of the installed software [8].
The author's reference model (MRef) of TCC has a typical network configuration including 3 workstations, 3 servers and a switch connected in a linear bus network. It has been developed in Riverbed Modeler Academic Edition 17.5 using built-in protections simulated by specific settings. The model is subjected to the impact of a DoS-attack that causes such intensive traffic (flooding) that the processing of the requests is impeded [9].
The author has chosen to work with a firewall type ethernet2_slip8_firewall_adv, which is a specially programmed router. A screenshot of the model is shown in Fig. 3. The duration of this simulation is 30 s and is divided into six equal intervals of 5 s. Table 1 contains simulation results from 10 scenarios.
In the current research, the method used for verification of the model is based on the reaction time that represents a time interval between the beginning of an action and the beginning of the corresponding response. The research is made for 10 consecutive scenarios. This method has been preferred by the author, because it demonstrates one of the great advantages of simulation modelling. It provides an opportunity for the research to be done entirely in a virtual environment in order to save financial resources for realization in a physical environment using a hardware prototype. Therefore, the simulation results can be accepted as sufficiently reliable and at this stage it is not required to be compared with results of other analogous studies.
The comparative diagrams in Figures 4, 5 and 6 show in which second of running the simulation peak levels of $T_S$ and $T_R$ are registered, with built-in protections and with a firewall respectively. The dark blue chart shows $T_R$ without a firewall, while the red one shows $T_R$ with a firewall. The green chart shows $T_S$ without a firewall, while the light blue one shows $T_S$ with a firewall. Tables 2, 3 and 4 contain the summary results of all three charts and show in which time intervals R in seconds peak levels of $T_S$ and $T_R$ are registered as functions of the selected three values of the inter-arrival time T, without and with a firewall respectively.

Summary evaluation
On the basis of the tabular and graphical results the author has come to the following conclusions. When a firewall is used the number of sent packets $T_{S,max}$ is generally lower than the number of packets sent when built-in protections by vulnerability settings are used. Before the time interval [25; 30], when the number of sent packets is less than 80, a better filtration of the packets sent is observed due to the firewall insertion as compared with the case of using only built-in device protections. In the last time interval, when the number of sent packets exceeds 80, there is a "saturation" which may be due to a limitation of the used type of a firewall. It is also necessary to establish whether the packets themselves represent a threat or not. If certain packets threaten the system, it is necessary to improve the selected firewall model by replacing it with another model, or by integrating it with other means of protection.
In addition, when a firewall is used the cases of flooding are reduced to only one in the last time interval from all ten scenarios, while without the inserted means of enhanced protection the flooding starts in the time interval [20; 25] and it deepens in the last time interval [25; 30]. This means that a system denial can be observed in at least two of all 10 scenarios. If this should be presented with the probability of an adverse event, then when a firewall is used, this probability is equal to 10 %, but it is at least twice as much if there is not a firewall insertion.

Recommendation to enhance the protection used
One of the reliable solutions for analyzing the received packets is the Intrusion Detection System (IDS), which evaluates each packet and assesses whether it is a hazard or not. If a packet is defined as a source of a cyber threat, the system decides whether to ignore it completely, log it to be analyzed by the administrator or immediately alert that such a packet has infiltrated the network.
The IDS can be placed in different locations in the network, as well as in the firewall itself. The advantage of placing it in the firewall is that many of the suspicious packets will be blocked at the entrance and potential cyber threats will be prevented. Besides, IDS control the firewall. An IP address of the network controller that monitors the traffic should not be set when configuring IDS to prevent a potential attacker from detecting the device. The aim is for the IDS sensor to be protected from network scans and attacks that it is trying to find. In this case the disadvantage is that the removal of the IP address causes problems for administrators to manage the process. The solution is to use two network interfaces, one of which is configured without IP and works as a sensor, and the other one is connected to a separate local area network that collects information and manages IDS devices [10].
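The three dispositions described above (ignore, log, alert) can be illustrated with a rate-based flood check. This is an added example, not part of the original paper or of Riverbed Modeler: the class and function names, the sample trace and both thresholds are assumptions, with the 5 s window and the 80-packet level borrowed from the paper's reporting interval and observed saturation point.

```python
from collections import defaultdict, deque

WINDOW_S = 5.0     # same width as the paper's 5 s reporting intervals
LOG_LEVEL = 40     # assumed: packets per window worth logging for the administrator
ALERT_LEVEL = 80   # assumed: reuses the 80-packet "saturation" point from the paper


class FloodIDS:
    """Per-source sliding-window rate check with three dispositions."""

    def __init__(self, window=WINDOW_S, log_level=LOG_LEVEL, alert_level=ALERT_LEVEL):
        self.window, self.log_level, self.alert_level = window, log_level, alert_level
        self.seen = defaultdict(deque)  # source -> timestamps still inside the window

    def inspect(self, ts, src):
        q = self.seen[src]
        q.append(ts)
        while q and q[0] <= ts - self.window:  # evict packets older than the window
            q.popleft()
        if len(q) > self.alert_level:
            return "alert"
        if len(q) > self.log_level:
            return "log"
        return "ignore"


def constructed_traffic():
    """Constructed 30 s trace: one workstation polling, one flooding source."""
    pkts = [(i * 0.5, "ws1") for i in range(60)]               # 2 pkt/s for 30 s
    pkts += [(20 + i * 0.05, "flooder") for i in range(200)]   # 20 pkt/s from t = 20 s
    return sorted(pkts)


def run(packets):
    """Return the time at which each (source, disposition) was first raised."""
    ids = FloodIDS()
    first = {}
    for ts, src in packets:
        verdict = ids.inspect(ts, src)
        if verdict != "ignore":
            first.setdefault((src, verdict), round(ts, 2))
    return first


if __name__ == "__main__":
    for (src, verdict), ts in sorted(run(constructed_traffic()).items(), key=lambda kv: kv[1]):
        print(f"t={ts:5.2f}s  {src}: {verdict}")
```

The workstation never exceeds 10 packets per window and is ignored throughout, while the flooding source is logged two seconds after it starts and raises an alert two seconds later.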

Conclusion
This research is an example of applying simulation modelling for solving problems related to cybersecurity of critical transport infrastructure. There are possibilities for the study to be extended in order to improve the methods and means of protection using the simulation results.
It has been demonstrated that the negative impact of a cyber attack on the TCC can be reduced by using appropriate protection, but the wide variety of existing cyber threats requires that the means of protection are constantly tested, updated and improved. The demonstrated method proves that the use of a simulation environment is a very effective way to achieve that aim.
One of the directions in which the research can be expanded is an additional verification based on the margin of error by comparing the simulation results with measurements in a physical environment. In the present case, such a study is not intended because the aim is to emphasize the advantages of simulation modelling itself.

Fig. 3. The model of TCC with a firewall insertion under the impact of a DoS-attack.

complexes, routers, and other security measures. The interpretation of rules is implemented consistently by filters that allow for or prohibit the transmission of data (packets) to the next filter or protocol level.
• Honeypots and Honeynets - honeypots represent fake computer systems, set up as a "decoy", that are used to collect data on intruders. This "decoy" appears to contain operating system vulnerabilities that make it an attractive target for hackers. While it appears vulnerable to attack, it actually prevents access to valuable data, administrative controls and other computers. Administrators can collect data on the identity, access, and compromise methods used by the intruder.
Modelling the impact of a DoS-attack on the Traffic Control Centre of an urban Automobile Transport System through a firewall insertion

Table 1. Peak levels of "traffic sent" ($T_{S,max}$) and "traffic received" ($T_{R,max}$), depending on the inter-arrival time (T) for the model under the impact of a DoS-attack respectively without and with a firewall.