Advanced Sciences and Technologies for Security Applications

Stefan Rass
Stefan Schauer
Sandra König
Quanyan Zhu

Cyber-Security in Critical Infrastructures
A Game-Theoretic Approach

Advanced Sciences and Technologies for Security Applications

Series Editor
Anthony J. Masys, Associate Professor, Director of Global Disaster Management, Humanitarian Assistance and Homeland Security, University of South Florida, Tampa, USA

Advisory Editors
Gisela Bichler, California State University, San Bernardino, CA, USA
Thirimachos Bourlai, Statler College of Engineering and Mineral Resources, West Virginia University, Morgantown, WV, USA
Chris Johnson, University of Glasgow, Glasgow, UK
Panagiotis Karampelas, Hellenic Air Force Academy, Attica, Greece
Christian Leuprecht, Royal Military College of Canada, Kingston, ON, Canada
Edward C. Morse, University of California, Berkeley, CA, USA
David Skillicorn, Queen’s University, Kingston, ON, Canada
Yoshiki Yamagata, National Institute for Environmental Studies, Tsukuba, Ibaraki, Japan
Indexed by SCOPUS

The series Advanced Sciences and Technologies for Security Applications comprises interdisciplinary research covering the theory, foundations and domain-specific topics pertaining to security. Publications within the series are peer-reviewed monographs and edited works in the areas of:
– biological and chemical threat recognition and detection (e.g., biosensors, aerosols, forensics)
– crisis and disaster management
– terrorism
– cyber security and secure information systems (e.g., encryption, optical and photonic systems)
– traditional and non-traditional security
– energy, food and resource security
– economic security and securitization (including associated infrastructures)
– transnational crime
– human security and health security
– social, political and psychological aspects of security
– recognition and identification (e.g., optical imaging, biometrics, authentication and verification)
– smart surveillance systems
– applications of theoretical frameworks and methodologies (e.g., grounded theory, complexity, network sciences, modelling and simulation)
Together, the high-quality contributions to this series provide a cross-disciplinary overview of forefront research endeavours aiming to make the world a safer place. The editors encourage prospective authors to correspond with them in advance of submitting a manuscript. Submission of manuscripts should be made to the Editor-in-Chief or one of the Editors.

More information about this series at http://www.springer.com/series/5540


Stefan Rass, Universitaet Klagenfurt, Klagenfurt, Austria
Stefan Schauer, Austrian Institute of Technology GmbH, Wien, Austria
Sandra König, Austrian Institute of Technology GmbH, Wien, Austria
Quanyan Zhu, Tandon School of Engineering, New York University, Brooklyn, NY, USA

Advanced Sciences and Technologies for Security Applications
ISSN 1613-5113
ISSN 2363-9466 (electronic)
ISBN 978-3-030-46907-8
ISBN 978-3-030-46908-5 (eBook)
https://doi.org/10.1007/978-3-030-46908-5

© Springer Nature Switzerland AG 2020


This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of
the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other physical way, and transmission or information
storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology
now known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.
The publisher, the authors, and the editors are safe to assume that the advice and information in this book
are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or
the editors give a warranty, expressed or implied, with respect to the material contained herein or for any
errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional
claims in published maps and institutional affiliations.

This Springer imprint is published by the registered company Springer Nature Switzerland AG
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
. . . to our families. . .
Contents

Part I Introduction

1 Introduction
1.1 What are Critical Infrastructures?
1.2 Security Challenges for Critical Infrastructures
1.2.1 Natural and Physical Threats
1.2.2 Cyber Threats
1.3 Advanced Persistent Threats (APT)
1.3.1 Characteristics
1.3.2 Life-Cycle
1.4 Selected Real-Life Incidents
1.4.1 The Blackout in Italy (2003)
1.4.2 The Transportation Gridlock in Switzerland (2005)
1.4.3 The Attack on the Ukrainian Power Grid (2015)
1.4.4 The WannaCry and NotPetya Malware Infections (2017)
1.4.5 The Blackout in Venezuela (2019)
References

2 Critical Infrastructures
2.1 Examples and Definitions of Critical Infrastructures
2.1.1 What Makes an Infrastructure “Critical”?
2.1.2 Threats
2.2 Cyber Security
2.2.1 Hacking
2.2.2 Malware and Ransomware
2.3 Physical Security of Critical Infrastructures
2.3.1 Eavesdropping
2.3.2 Jamming
2.3.3 Terrorist Attacks
2.4 Cyber-Physical Security of Critical Infrastructures
2.5 Simulation of Effects of Security Incidents
2.5.1 Network Models
2.5.2 Stochastic Models
2.5.3 Dynamic Simulation Models
2.5.4 Agent-Based Models
2.5.5 Economy Based Methods
2.6 Viewing Security as a Control Problem
References

3 Mathematical Decision Making
3.1 Preference and Ordering Relations
3.2 Optimization
3.3 Multiple Goal Optimization
3.4 Decision Theory
3.4.1 Bayesian Decisions
3.4.2 Minimax-Decisions
3.5 Game Theory
3.5.1 Normal Form Games
3.5.2 Zero-Sum Games
3.5.3 Extensive Form Games
3.6 Extended Concepts: Modeling Goal Interdependence
References

4 Types of Games
4.1 Overview
4.2 Stackelberg Game
4.3 Nash Game
4.4 Signaling Game
4.5 Games Over Stochastic Orders
References

5 Bounded Rationality
5.1 Utility Maximization and Rationality
5.2 The Fundamental Principles of Decision Making
5.3 Violations of the Invariance Axiom
5.4 Decision Weights
5.5 Rank-Dependence and Prospect Theory
5.6 Violations of Transitivity and Regret Theory
5.7 Border Effects
5.8 Procedural Theories
References

Part II Security Games

6 Risk Management
6.1 Steps in a Risk Management Process
6.2 Resilience Analysis
6.3 Quantifying Security
6.4 Adversarial Risk Analysis
6.4.1 Assessment of Utilities and Chances
6.4.2 Assessment of Action Spaces
References

7 Insurance
7.1 Why Cyber-Insurance?
7.2 Background
7.3 Three-Person Game Framework for Cyber Insurance
7.3.1 Attack-Aware Cyber Insurance
7.3.2 Insurer’s Problem
7.4 Disappointment Rates
References

8 Patrolling and Surveillance Games
8.1 The General Setting
8.2 The Art Gallery Theorem
8.3 From Art Galleries to Patrolling Games
8.4 A Simple Matrix Game Model
8.5 Graph Traversal Games
8.6 Strategy Reduction Techniques
8.6.1 Decomposition
8.6.2 Contraction
8.6.3 Symmetrization
8.7 Further Variations of Patrolling Games
8.7.1 Patrolling in Continuous Time
8.7.2 Accumulation Games
8.7.3 Covering Games
8.8 Surveillance Games
References

9 Optimal Inspection Plans
9.1 Repeated, Independent Inspections
9.1.1 Solving the Non-detection Game
9.1.2 Solving the Inspection Game
9.2 Sequential and Dependent Inspections
9.3 Inspections Against Stealthy Takeover
9.3.1 Periodic Inspections
9.3.2 Leading Defender and Following Attacker
9.3.3 Inspections at Random Times
9.4 Inspections Against Stealthy Intrusions
9.4.1 Setting up the Game
9.4.2 Inspections at Random Times
9.4.3 Probabilistic Success on Spot Checks
9.4.4 Probabilistic Success on Exploits
9.4.5 Security Strategy Computation
References

10 Defense-in-Depth-Games
10.1 The Need for Cross-Layer Security
10.2 Socio-Cyber-Physical Security Threats
10.2.1 Cyber-Physical Threats
10.2.2 Security Economics
10.3 Multi-layer Framework for Defense in Depth
10.4 Multi-layer Games for Strategic Defense in Depth
References

11 Cryptographic Games
11.1 Rational Cryptography
11.1.1 Game-Based Security and Negligible Functions
11.1.2 Honesty and Rationality
11.1.3 Rational Interactive Proofs
11.2 Communication Games
11.2.1 Confidential Transmission Games
11.2.2 Authentication Games
11.2.3 Practical Implementations
11.2.4 On Network Design Using Game Theory
11.3 Critical Remarks
References

12 Practicalities
12.1 Data Science and Choice of Model Parameters
12.1.1 Probability Parameters
12.1.2 Learning Parameters Over Time
12.2 Risk and Loss Parameters
12.2.1 General Parameters Derived from Statistical Models
12.3 Analytic Solutions for Special Games
12.3.1 Equilibria and Security Strategies
12.3.2 2 × 2-Games
12.3.3 Diagonal Games
12.3.4 Fictitious Play
12.4 Software Support
12.4.1 Solving Extensive-Form Games
12.4.2 Solving Normal-Form Games
12.4.3 Solving Distribution-Valued Games
12.5 Cost of Playing Equilibria
12.6 Making the Most Out of Uncertainty
12.6.1 Including Disappointment in Finite Games
12.6.2 Risks for Zero-Day Exploits
References
Acronyms
Glossary
List of Symbols
Index

Part I
Introduction
Chapter 1
Introduction

The man who is a pessimist before 48 knows too much; if he is an optimist after it he knows too little.
M. Twain

Abstract This chapter opens the book by introducing the characteristics and particularities of critical infrastructures. Their existence and interplay form a vital pillar of contemporary societies, and their protection is a top duty of governments and security research. Recent years have shown a paradigm shift in cyber-attacks, from specific individual threat and attack scenarios to a modern combination of various attack types and strategies that we today call an advanced persistent threat (APT). This term describes a diverse class of attacks that all share a set of common characteristics, which presents new challenges to security that demand urgent and continuous action by practitioners, researchers and every stakeholder of a critical infrastructure. The main focus of the book is describing game theory as a tool to establish security against APTs, and to this end, the introduction here starts with the abstract characteristics of an APT, showcasing them with a set of selected real-life documented cases of APTs that ends the chapter.

1.1 What are Critical Infrastructures?

Today, society uses and relies on numerous services which satisfy the basic needs of people and guarantee a smooth flow of everyday life. Among those services are the supply of basic resources (e.g., electricity, communication, heating, etc.), vital supplies (e.g., water, food, medicine and health care, etc.) as well as industrial goods (e.g., oil, gas, etc.) and general services (e.g., transportation, cash and financial services, etc.). The organizations and companies providing these services are called Critical Infrastructures (CIs) and represent the backbone of today’s society. A core characteristic of a CI is that any failure of a CI, either in part or as a whole, will have considerable impact not only on the infrastructure itself but also on the social well-being of people [6].

© Springer Nature Switzerland AG 2020
S. Rass et al., Cyber-Security in Critical Infrastructures, Advanced Sciences and Technologies for Security Applications, https://doi.org/10.1007/978-3-030-46908-5_1

[Fig. 1.1 Schematic representation of the complex network of CI. Sectors labelled in the figure: water, electricity, transport, telecommunication, banking & finance, medical supply, emergency services, government services]

Over the last decades, the interrelations among CIs have increased such that CIs have become more and more dependent on each other. These dependencies emerged because national and international supply chains have become more important and many infrastructures depend on the resources other infrastructures provide (cf. Fig. 1.1). The most prominent example is power supply; almost every modern organization relies on a continuous availability of electricity so that CIs can provide their main services at full capacity. A shortage in power distribution or even a blackout will either reduce the general output of the dependent CIs or even make it impossible for the CIs to provide their services. Figure 1.1 shows a schematic illustration of such dependencies among CIs in multiple domains, which go far beyond the supply of electric power.
Further, CIs also rely heavily on the exchange of information due to the increasing digitalization of those infrastructures. Hence, a smooth operation of the communication infrastructure and an uninterrupted connection to the Internet have become core requirements. For example, CIs are using Industrial Control Systems (ICSs) and Supervisory Control and Data Acquisition (SCADA) systems to remotely monitor physical systems within their premises and control multiple (even highly important) processes. If communication is interrupted, those systems might shut down immediately or simply cannot be reached any more (cf. real-life examples in Sect. 1.4) and the CI might have to operate the respective systems manually (if this is possible at all).
Due to these facts, the CIs within a nation or even within a region have evolved into a highly complex and sensitive infrastructure network with a variety of interdependencies among them, as illustrated in Fig. 1.1. Thus, incidents within a single CI can have far-reaching consequences, not only causing damage and financial losses within that CI but also affecting multiple other infrastructures as well as society as a whole. For example, a local power outage can cause a cellular antenna tower to shut down and interrupt the mobile communication network in that area. Such indirect consequences are often referred to as cascading effects and they pose a major problem. In general, they are hard to identify and thus difficult to assess as well as to prepare for. Therefore, during a risk analysis or the general risk management process of a CI, a particular focus lies on cascading effects. Chapter 2 provides more detailed information on how to model and describe the cascading effects among CIs and how to integrate them into a CI’s risk analysis. To better illustrate how cascading effects can manifest themselves in real life, a few examples of documented incidents over the last two decades follow in Sect. 1.4.

1.2 Security Challenges for Critical Infrastructures

In general, CIs have to face a broad variety of security challenges and threats in
their daily business. These range from natural disasters of various kinds over
technical faults and human failure up to intentional attacks from the physical and the
cyber domain. Depending on the geographical location of a CI, its business domain
and the applied technical equipment, these threats can vary. In other words, a CI
located at the sea (e.g., a sea port) has to deal with different natural disasters than
an infrastructure located in the mountains (e.g., a dam). Further, an infrastructure
from the chemical industry has to deal with other technical threats than an airport or
a telecommunication provider.
Therefore, CI operators and the respective security officers need to become
aware of their individual threat landscape, adapt to the requirements towards risk
management and implement a large collection of security measures to be prepared
against these threats or counter them. In this context, threats stemming from natural
disasters and technical failures are quite static and change slowly (if at all) over time.
However, threats from the cyber domain have increased massively, in particular over
the last decade, and are considered to be highly dynamic due to the rapidly changing
software landscape. In addition to the increasing digitization in CIs, the effects of
a cyber attack can be tremendous (as briefly sketched in the following Sects. 1.4.3
and 1.4.4), such that cyber threats have become a major concern for CI operators.
Section 1.2.1 provides a short overview of the security challenges stemming
from natural disasters and technical failures. The main focus, however, is on the security
challenges stemming from cyber threats in Sect. 1.2.2. The information presented
in both sections comes mainly from well-established threat catalogs, i.e., the
European Union Agency for Cybersecurity (ENISA) Threat Landscape [20] and the
German Federal Office for Information Security (BSI) IT-Grundschutz Catalog [2].

1.2.1 Natural and Physical Threats


1.2.1.1 Natural Disasters

In the context of the physical domain, natural disasters represent threats with a
potentially very high impact on an entire CI as well as on its environment. Examples
are extreme weather conditions, storms, floods or very high temperatures, but
fires or lightning strikes also need to be considered. Whether an infrastructure is
particularly exposed to some specific natural disaster depends on its geographical
location and the environmental conditions.

1.2.1.2 Technical Failures

Critical infrastructures also operate a large amount of technical equipment, which is
required to keep the services provided by the infrastructure running. These physical
devices can be subject to different potential failures and malfunctions. The reasons
for such a failure can be manifold, ranging from aging of material up to flaws in the
operating software systems or even human failure during operation and maintenance
of those systems. Such failures and malfunctions are usually limited to individual
machinery (or parts thereof), data storage or network connections and can be fixed
or repaired by the operator of the system (or some sub-contractor) in a certain
amount of time.

1.2.1.3 Disruptions and Outages

A special case of a technical failure is a disruption or outage of an essential service
required by the infrastructure to provide its operation. Any CI depends on
several such critical services (e.g., power, gas, telecommunication etc.) due to the
high interdependencies and interoperability in today’s supply networks (cf. Fig. 1.1
above). Hence, any incident in one of those supply networks may lead to far reaching
consequences affecting also the CI itself. Although many different reasons can cause
an incident in one of these networks (even a cyber attack, for example), for the
individual infrastructure as a consumer of the service provided by the network, this
can be considered as a technical failure. Such an incident may range from a short-
term loss of the service up to a large-scale network outage affecting the functionality
of a CI for a longer period. In the context of CIs, the outage of the power supply
as well as of communication networks can be seen as major concerns (as briefly
mentioned in Sect. 1.1). Additionally, not only technical but also social networks
need to be considered, such as, for example, the absence of personnel required to
operate the machinery within a CI.

1.2.2 Cyber Threats


1.2.2.1 Distributed Denial of Service

With a lot of communication services using the Internet or at least being reachable
from the outside world, shutting down such services by generating a high load of
traffic is nowadays a common attack vector. This is achieved by creating massive
amounts of connection requests targeted at a specific device, which is then no longer
able to perform its tasks due to the continuous handling of the requests. Additionally,
the current trend towards the Internet of Things (IoT), i.e., connecting small devices
to the Internet with low or no security measures installed, makes it much easier for
adversaries to take over control of a huge number of devices and thus create a
Distributed Denial of Service (DDoS) attack.

1.2.2.2 Malware and Ransomware

In recent years, malicious code and software, i.e., “malware”, has been on the
rise and has become a major threat for cyber systems. The variety of malware, its
sophistication and the number of systems targeted by it are huge. Hence, it is
very difficult to protect systems from being infected by malware. Additionally, a
wide range of functions can be implemented by malware such that it can tamper
with cyber systems on the communication as well as on the operation level. Hence, the
proper functioning of a CI can be affected (as described in Sect. 1.4.4), leading to
a multitude of different effects. In the context of malware, these effects can range
from the retrieval of information by a malicious party up to an injection of fraudulent
information or commands into the communication channel. Ransomware, on the
other hand, follows a different principle, i.e., it encrypts the entire infected system
or crucial data stored on it and demands a ransom (often some amount of Bitcoin)
in exchange for the decryption key.

1.2.2.3 Spear Phishing Attacks

Another threat vector that has gained popularity over the last years is phishing
mails. Such emails appear to the recipient as genuine mails but contain either a
link pointing to a malicious website or an attachment (e.g., a Portable Document
File (PDF) or Office document) equipped with some malicious code. In both
cases, the goal of the attacker is to trick the recipient into clicking on the link or
opening the attachment. In this case, a malware or ransomware is loaded onto the
recipient’s system and is then causing additional damage (see also examples in the
following section). In general, such phishing mails are not targeted and sent to a
large number of recipients, which makes it easier for an observant user to identify
the attempt. However, some phishing attacks are more elaborate and targeted at
a certain organization or even at one specific user or a specific user group within
an organization. Such a targeted attack is then called a spear phishing attack. In that
case, it is much harder even for a trained user to identify the mail as a phishing
attempt. Still, to craft such an attack, a lot more effort is required. In particular,
social engineering (see the following paragraph) is applied as an important tool in
the preparation phase to tailor the mail and thus the attack to perfectly fit the
recipients.

1.2.2.4 Social Engineering

With all the technical means available for protecting cyber systems today, the main
cause of incidents in the cyber domain is human failure. Hence, social engineering
approaches [12, 19] try to exploit this fact and trick the person operating a
system into introducing some malicious software into the system. In this way, an
adversary is able to bypass all technological protection mechanisms (e.g., firewalls
or intrusion protection systems) and get direct access to the internal networks of an
organization. Since control and protection mechanisms are usually not as strict in
the internal network as they are on the perimeter, this makes social engineering
a highly critical threat.

1.3 Advanced Persistent Threats (APT)

1.3.1 Characteristics

Among today’s security challenges for CIs, one of the most complex and severe are
Advanced Persistent Threats (APTs). These attacks combine different techniques
and attack strategies from the physical and the cyber domain and are very difficult
to detect. Although there is no common consensus on how to specifically define an
APT due to their variety and diversity, some shared characteristics are commonly
accepted as distinguishing features in relation to other attacks. Among these, an
APT has at least the following characteristics:
1. Targeted: an APT usually aims at a very specific victim and goal. For the victim,
this means that the attack is often “hand-crafted” to fit the particularities of the
target systems, which in turn means that standard technical security precautions
like firewalls, virus scanners or similar are of limited efficacy. With respect to the
attacker’s goal, we can broadly distinguish two classes of APTs, both of which
require distinct modeling and treatment:
• Gaining control over a running service: the adversary’s goal is to take over
the system for as long as s/he can. However, this does not necessarily mean
that the adversary wishes to shut down the targeted system, in particular, if
the system should act as a platform from which further attacks are mounted
(like a base camp). For example, the APT could aim at limiting bandwidth or
blocking certain content in a multimedia streaming network. In this case, the
attacker’s goal would be to keep the system alive, but at a level that s/he can
maintain or cut down at will. An example of a game model to counteract this
type of APT is FlipIt, which we discuss in Sect. 9.3.
• Hitting a vital target: the purpose of this attack is to shut down the targeted
system or cause at least some permanent damage. Here, unlike in the previous
case, the time spent in the system is of less importance than the point that
the attacker can reach within the system. For example, if the attacker wants
to disrupt a nuclear power reactor, remaining in the systems for any period
of time, no matter how long or short, that lets the adversary cause a nuclear
meltdown or a comparable catastrophe would be the APT goal here. An
example game model designed for defense against this second type of APT
is Cut-The-Rope, discussed in Sect. 9.4.
2. Stealthy and Slow: an additional goal of an APT is often to stay undetected.
While this is not surprising and can be considered as a goal for many attacks,
the distinguishing fact of an APT is the time scale; an APT is hardly an ad hoc
or quick strike, but rather follows a sophisticated plan of penetration to never
attract much attention and therefore always remain under the radar. The rationale
is to prepare the attack up to a point where it is hardly – if at all – possible to
counteract if the attack is detected.
3. Unbounded resources: budget limits are usually hard to assume reliably for
an APT. Following contemporary findings, most reported cases of successfully
implemented APTs were driven by well organized teams with very high, up
to presumably unlimited, resources. In this context, we often see that the
achievement of the goal (i.e., the infiltration of a system) weighs much higher
than the investment made for this purpose. This is due to the fact that many of
these groups are – or are supposed to be – state sponsored [8]. In this sense, the
economic reasoning that security is given if an attack is more expensive than
the revenues upon success may not apply for an APT.

1.3.2 Life-Cycle

In terms of their chronology and life-cycle as well as by their aforementioned
characteristics, APTs are diverse in the actions they take and strategy they follow.
However, a sequence of steps can be outlined in accordance with [1, 7, 28], which
describes the general modus operandi of an APT. This is called the kill chain.

1.3.2.1 Step 1: Reconnaissance

In the initial step of an APT, an attacker chooses the target system or network of
his attack. Therefore, the attacker starts to “hunt” for potential targets (e.g., IT
systems or pieces of infrastructure with specific vulnerabilities); alternatively, the
attack can already be tailored to a specific organization or sector. If the target system
is identified, the attacker starts to collect as much information available as possible
about it by using open data sources like websites, social media and others. The aim
is to gain detailed knowledge about the target’s infrastructure, e.g., hardware and
software in use, organizational structure, employees and others.

1.3.2.2 Step 2: Initial Compromise

When this information is available, the attacker starts to craft an attack with the aim
to compromise a weak system within the organization. Therefore, technical as well
as social skills are used. On the technical side, the attackers are looking for known
vulnerabilities in the identified IT systems by searching respective databases, e.g.,
the National Vulnerability Database (NVD) operated by the National Institute of
Standards and Technology (NIST), or crawling the dark web for zero-day exploits
(i.e., vulnerabilities in software, which are yet unknown, and guidelines how to
exploit them). On the social side, the attackers start to identify personnel at the
targeted organization (e.g., security officers, network administrators but also normal
users) and use social engineering (cf. also Sect. 1.2.2) to obtain detailed information
about them. The aim is to find either vulnerable systems within the organization,
which are accessible from the outside, or personnel which can easily be infiltrated.
Therefore, the attackers create emails containing malicious links or documents (i.e.,
spear phishing mails, cf. also Sect. 1.2.2). These emails are specifically tailored to
the targeted person such that there is a high probability that the person will click on
the link or open the document. In this way, a malware is downloaded or an exploit is
created, which can then be used by the attacker to gain access to the targeted system
(cf. also Sect. 1.2.2).

1.3.2.3 Step 3: Establish Foothold

The malware initially loaded onto the target systems in the previous step usually
creates a backdoor for the attacker to install additional software on the system.
This software has some remote administrative functionality, which allows the
attacker to install additional tools (e.g., command and control software) or establish
communication lines (e.g., Virtual Private Network (VPN) tunnels) to the outside
world. The attacker’s communication with the compromised system is in general
stealthy and hard to spot by an administrator, since it usually blends into the normal
network traffic. This makes it more difficult for the organization’s security officers
to detect the attacker’s presence in the internal network.

1.3.2.4 Step 4: Escalate Privileges

After having established the presence in the compromised system, the attacker
tries to identify additional user accounts with higher privileges (e.g., domain
administrators or accounts used for maintenance or service). Most commonly, key
loggers or network sniffing tools are used to achieve that; however, passwords from
other users can also be exfiltrated from respective databases. In this way, the attacker
can escalate the privileges gained by the initial compromise and gain access to
additional systems and domains in the organization’s network.

1.3.2.5 Step 5: Internal Reconnaissance

Besides looking for user accounts with a higher security level on the initially
compromised system, the attacker also scans the network for other important
systems, domains or networks. In this way, the attacker obtains an overview on
the network structure and the systems running in the organization. This information
allows him to identify additional vulnerabilities and load malware to exploit them
via the command and control tools installed in Step 2. Since the attacker is now
operating within the organization’s network, he has additional capabilities to exploit
vulnerabilities of systems, which would not be accessible from the outside world
(i.e., from the general Internet).

1.3.2.6 Step 6: Move Laterally

If the internal reconnaissance was successful and the attacker was able to identify
other vulnerable infrastructure in the network, he will start compromising those
other systems by performing Steps 2, 3 and 4 on them. In short, the attacker will
exploit the detected vulnerabilities to gain a foothold in the new system, then install
command and control software therein to finally escalate privileges on the newly
compromised systems. While one reason for moving laterally is to gain access to more
important systems in the organization, the risk of being detected by an administrator
or security officer can be another reason for an attacker to move to a different system.

1.3.2.7 Step 7: Maintain Presence

With the attacker obtaining control over an increased number of systems in the
organization’s network, he is able to establish multiple communication channels
to the outside world to maintain his connection to the remote command and control
tools. This leaves him with additional capabilities to operate in the network even if
one of the existing channels is discovered and closed or if his presence is detected
and removed from one system. At this point, it is extremely difficult to completely
remove the presence of the attacker from the organization’s network.

1.3.2.8 Step 8: Complete Mission

When the attacker has reached his final target, i.e., a specific server or (industrial)
control system, and gained control over it, the last phase starts. In case of an
(industrial) control system, the attacker can gain or already has gained enough
privileges on the device due to the malware and exploits installed in the previous
steps to perform any desired task (e.g., switch off a transformer substation as
happened in the example of the Ukraine described in Sect. 1.4.3). In case the attacker
wants to exfiltrate specific data hosted on a server, he can achieve that via the
communication channels established in the previous steps. Since an organization
usually handles a lot of data going in and out of its network, it is difficult to identify
data exfiltration at that point. The attacker has the opportunity to use various tools
to obfuscate the source or destination of the data stream, to encrypt the payload or
hide the data in a standard data stream.

1.3.2.9 Step 9: Cover Tracks

After completing the mission, the attacker erases all traces of his presence in
the system. However, the attacker might also leave some backdoors, tools and
communication channels operational to be able to return and compromise the
organization again.
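
For a defender, the slow time scale of this life-cycle means that alert rules based on short time windows see nothing, while the same alerts grouped by life-cycle step and linked across hosts show the progression. The following detection sketch is an added example, not taken from the book: the alert records, the host names, the assignment of alerts to steps and the thresholds are constructed assumptions.

```python
from datetime import date

# The steps of the life-cycle described above.
STAGES = {1: "Reconnaissance", 2: "Initial Compromise", 3: "Establish Foothold",
          4: "Escalate Privileges", 5: "Internal Reconnaissance",
          6: "Move Laterally", 7: "Maintain Presence", 8: "Complete Mission",
          9: "Cover Tracks"}

# Constructed low-severity alerts: (day, host, step, lateral-movement target).
ALERTS = [
    (date(2024, 1, 8),  "ws-hr-07",    2, None),           # macro document opened
    (date(2024, 1, 29), "ws-hr-07",    3, None),           # new remote-admin tool
    (date(2024, 2, 20), "ws-hr-07",    4, None),           # admin logon, odd source
    (date(2024, 3, 14), "ws-hr-07",    5, None),           # internal port sweep
    (date(2024, 3, 30), "ws-hr-07",    6, "srv-file-02"),  # remote service install
    (date(2024, 4, 18), "srv-file-02", 3, None),
    (date(2024, 5, 2),  "srv-file-02", 6, "hmi-01"),
    (date(2024, 5, 27), "hmi-01",      7, None),           # second outbound tunnel
    (date(2024, 2, 3),  "ws-fin-11",   2, None),           # unrelated blocked phish
    (date(2024, 4, 9),  "ws-dev-03",   5, None),           # unrelated admin scan
]


def burst_rule(alerts, threshold=3, window_days=7):
    """Classic threshold rule: hosts with `threshold` alerts inside one window."""
    by_host = {}
    for day, host, _, _ in alerts:
        by_host.setdefault(host, []).append(day)
    hits = []
    for host, days in by_host.items():
        days.sort()
        for i in range(len(days) - threshold + 1):
            if (days[i + threshold - 1] - days[i]).days <= window_days:
                hits.append(host)
                break
    return sorted(hits)


def campaigns(alerts, min_stages=4):
    """Group hosts linked by lateral movement (union-find) and report every
    group that shows at least `min_stages` distinct steps, with no time limit."""
    parent = {}

    def find(host):
        parent.setdefault(host, host)
        while parent[host] != host:
            parent[host] = parent[parent[host]]   # path compression
            host = parent[host]
        return host

    for _, host, _, target in alerts:
        find(host)
        if target is not None:
            parent[find(target)] = find(host)

    groups = {}
    for day, host, stage, target in alerts:
        g = groups.setdefault(find(host), {"hosts": set(), "stages": set(), "days": []})
        g["hosts"].update(h for h in (host, target) if h is not None)
        g["stages"].add(stage)
        g["days"].append(day)

    found = []
    for g in groups.values():
        if len(g["stages"]) >= min_stages:
            found.append({"hosts": sorted(g["hosts"]),
                          "stages": [STAGES[s] for s in sorted(g["stages"])],
                          "first_seen": min(g["days"]),
                          "span_days": (max(g["days"]) - min(g["days"])).days})
    return sorted(found, key=lambda c: c["first_seen"])


if __name__ == "__main__":
    print("burst rule hits:", burst_rule(ALERTS))
    for c in campaigns(ALERTS):
        print(c["hosts"], "over", c["span_days"], "days:", ", ".join(c["stages"]))
```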

1.4 Selected Real-Life Incidents

In the following, we will present a list of a few selected and well documented attacks
on CIs. We neither claim this list to be complete nor to cover the most severe cases
that ever existed, and there might be a number of undocumented cases. Nonetheless,
the examples in the next sections shall illustrate how past incidents caused failures
within a CI and furthermore point out the direct consequences of those incidents
as well as the aforementioned cascading effects. We will loosely distinguish
between natural and man-made causes as well as unintentional and intentional
causes. The examples shall give an idea of what vulnerabilities within CIs could look
like and which potential cascading effects a single incident might have.

1.4.1 The Blackout in Italy (2003)

In 2003, Italy experienced a major blackout on Sunday, September 28th, starting
shortly after 3:30 in the morning and lasting for several hours [30]. The blackout
had far-reaching consequences for various infrastructures all over Italy as well as the
Italian population and caused a financial damage of over 1.100 million Euros [26].
The blackout was caused by a series of events resulting in an overload of several
main power lines coming from Switzerland, France, Austria and Slovenia. The
initial event was a tree flashover at the Swiss 380 kV line “Mettlen-Lavorgo”,
which caused the tripping of this important supply line [30]. With the failure of the
“Mettlen-Lavorgo” line, other 380 kV power lines took over the load while several
attempts for re-closing the line were executed. As a result of the balancing attempt,
one of those lines, the “Sils-Soazza” line, which is the closest to the “Mettlen-Lavorgo”
line, also suffered an overload. This overload was acceptable for 15
minutes according to operational standards (and according to expert opinions) for
such an emergency. During that period, several countermeasures (i.e., reducing the
power consumption by about 300 MW) were implemented in Italy and Switzerland
to restore the agreed schedule [30]. However, these measures were not sufficient
and about 25 minutes after the outage of the “Mettlen-Lavorgo” line, the “Sils-Soazza”
line also tripped.
The loss of two important power lines had a strong impact on the remaining
connections to France, Austria and Slovenia, causing them to collapse almost
immediately after the outage of the “Sils-Soazza” line [30]. As a result, the Italian
power grid was isolated from the European grid. This affected the network in
Northern Italy as instability phenomena and overloads happened, resulting in an
unsatisfactory low voltage level in the entire Italian network. Although frequency
control measures were set in place automatically, turbine tripping, underfrequency
relay opening, loss of excitation and other incidents caused the outage of several
generating units, which should cushion the effects from the overload [30]. The result
was a drop of the frequency below the 47.5 Hz threshold and the blackout of the
entire network.
The recovery process started immediately, such that the northern part of the
Italian network was back online about 5 hours after the blackout, the central part
about 7 hours and main Italy about 13 hours after the blackout happened. As the last
part, the island of Sicily was energized about 18 hours after the initial events [30].

1.4.2 The Transportation Gridlock in Switzerland (2005)

In 2005, the entire Swiss railway service was shut down for three hours due to
human misjudgment and maintenance work. Over 200.000 commuters were affected
and got stuck either on the trains or at the train stations; the shutdown caused a
financial damage of over five million Swiss Francs [27].
In the late afternoon of June 22nd 2005, two power lines “Amsteg – Steinen”
in the central Swiss Kanton Uri were switched off due to construction work at the
tracks at that time [13]. This switch off was planned and checked about a week
before the incident and according to existing documentation, the remaining power
line was supposed to handle the additional load without problems. However, the two
lines could not be switched back on after the construction work was completed and
the additional third line could not hold the overload.
It has to be noted at this point that the Swiss railway operates their own power
grid, including power plants and the distribution network. Due to the special
topology of the Swiss railway power grid, the power line “Amsteg – Steinen” is
crucial since it connects three of the main power plants of the Swiss railway operator
with the rest of the network. After the third line tripped due to the overload, the
Kantons Uri and Tessin were cut off from the remaining grid, which caused an overload
of the power grid and the shutdown of three power plants in this region [13]. Hence,
a blackout occurred in this region and the railway operator started the recovery
process to bring them back online.
On the remaining side of the network, the power loss was supposed to be
compensated via connections to the power grid of the German railway operator.
Due to the resulting heavy load, those connections failed; at this point, the Swiss
railway operator was also selling electricity to neighboring countries. Since the
operators were mainly occupied with recovering from the first blackout in the
Kantons Uri and Tessin, the problems with the connections to the German power
grid stayed unobserved. Those issues combined caused also a blackout in the
remaining network.

1.4.3 The Attack on the Ukrainian Power Grid (2015)

The Ukrainian power grid fell victim to a major cyber attack in 2015, when hackers
managed to gain access to the critical systems of three major power distribution
companies (so called “oblenergos”) in the Ukraine. They caused a large power
outage in most parts of the country, which lasted for about six hours and left
approximately 225.000 households without electricity by switching off about 30
substations [14, 18]. The attack is seen as an APT, since it was very well prepared
by the adversaries as well as highly sophisticated (cf. also Sect. 1.3 for details on
the characteristics of an APT). Further, the 2015 attack is also known as the first cyber
attack that directly caused power outages.
The attack applied six adversarial techniques over a time period of several
months (cf. also Fig. 1.2) to prepare and execute the attack. With these techniques,
the attackers followed the main steps of the ICS Cyber Kill Chain [1] (which
are also reflected in the individual steps of an APT as described in Sect. 1.3).
The attack started with an analysis of open source information about the three
power distributors followed by a series of spear phishing attacks on them. Those
attacks were particularly targeted at the power providers by using information from
openly available sources (e.g., on Remote Terminal Unit (RTU) and ICS vendors
used in these companies) and social media (e.g., on senior personnel working in
these companies) [18]. The targets received crafted emails with Word documents
including an exploit to install the BlackEnergy 3 malware [29] on the system.
This malware provides several tools to an attacker, starting from simple network
scanning up to key logging and remote desktop functionality, which enable a hostile
takeover of the infected system and the potential to infiltrate the network the system
is connected to.

Fig. 1.2 Illustration of the steps during the hack of the Ukrainian power grid [18] (diagram labels: spear phishing; credential theft; VPN access; workstation remote; tools & tech; control & operate)

Using the capabilities of the BlackEnergy 3 malware, the adversaries started
to gain a foothold in the infected infrastructures. This was achieved by collecting user
credentials (account name and password) from various users in the systems and, in
this way, escalating their privileges in the infected infrastructures, e.g., by identifying
administrators and exfiltrating their passwords or by tampering with the authentication
functionalities of the system. In this way, the adversaries were able to use genuine
user accounts and follow standard ways of communication in the networks, which
made it more difficult to identify them as malicious parties.
One possibility used by the adversaries to get access to the ICS was to use VPN
tunnels from the business network to the ICS network. This was achieved mainly
because the VPN connections did not use two-factor authentication, which made it
easier for the adversaries to gain access remotely. Additionally, the adversaries were
able to control systems in the ICS network due to remote access functionalities,
which were natively built into the ICS systems, and firewalls not blocking these
commands [14].
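
The two weaknesses named here, VPN access without two-factor authentication and firewalls that let remote-control traffic through to the ICS network, can be checked together in a configuration audit. The following sketch is an added example, not taken from the book or from the incident reports: the VPN profiles, zone names, rule format (ordered, first match wins) and the list of remote-control services are constructed assumptions.

```python
from collections import deque

# Services that give interactive or command-level control (assumed list).
REMOTE_CONTROL = {"rdp", "ssh", "vnc", "vendor-remote-admin"}

# Constructed inventory of VPN profiles and the zone each one lands in.
VPN_PROFILES = [
    {"name": "staff",      "lands_in": "business", "mfa": True},
    {"name": "contractor", "lands_in": "business", "mfa": False},
    {"name": "ops-oncall", "lands_in": "ics-dmz",  "mfa": False},
    {"name": "visitor",    "lands_in": "guest",    "mfa": False},
]

# Constructed inter-zone rules: (source, destination, service, action).
# Evaluated top to bottom, first match wins, "any" is a wildcard.
RULES = [
    ("business", "ics-dmz", "https",               "allow"),
    ("business", "ics-dmz", "rdp",                 "allow"),
    ("business", "ics",     "any",                 "deny"),
    ("ics-dmz",  "ics",     "vendor-remote-admin", "allow"),
    ("ics-dmz",  "ics",     "any",                 "deny"),
    ("guest",    "any",     "any",                 "deny"),
]


def allowed(rules, src, dst, service):
    """First-match evaluation with an implicit default deny."""
    for r_src, r_dst, r_svc, action in rules:
        if r_src in (src, "any") and r_dst in (dst, "any") and r_svc in (service, "any"):
            return action == "allow"
    return False


def control_path(rules, start, target):
    """Shortest chain of permitted remote-control hops from `start` to
    `target`, as [(from_zone, service, to_zone), ...], or None if there is none."""
    zones = {z for rule in rules for z in rule[:2] if z != "any"}
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        zone, hops = queue.popleft()
        if zone == target:
            return hops
        for nxt in sorted(zones - seen):
            service = next((s for s in sorted(REMOTE_CONTROL)
                            if allowed(rules, zone, nxt, s)), None)
            if service is not None:
                seen.add(nxt)
                queue.append((nxt, hops + [(zone, service, nxt)]))
    return None


def audit(profiles, rules, target="ics"):
    """Flag every single-factor VPN profile from which the target zone can be
    reached through remote-control services the firewalls let through."""
    findings = []
    for profile in profiles:
        if profile["mfa"]:
            continue
        path = control_path(rules, profile["lands_in"], target)
        if path is not None:
            findings.append((profile["name"], path))
    return findings


if __name__ == "__main__":
    for name, path in audit(VPN_PROFILES, RULES):
        chain = ", then ".join(f"{a} -[{svc}]-> {b}" for a, svc, b in path)
        print(f"single-factor VPN profile '{name}': {chain or 'lands directly in ICS'}")
```

Each finding can be closed from either side: enforce a second factor on the profile, or remove the allow rule that carries the remote-control service across the zone boundary.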
In this way, the adversaries finally gained access to the command and control
systems in the distribution networks, which allowed them to manipulate their
operation and shut them down remotely. In detail, the adversaries developed on the
one hand applications to communicate with the Distribution Management System
(DMS) environments operated by the organizations and on the other hand malicious
firmware for the serial-to-ethernet devices used by the power distributors [18].
Random documents with unrelated
content Scribd suggests to you:
Smith, Sydney. The Lily of the Valley, op. 14. Arranged.
Spohr, L. Romanze in A. (M.F. 22).
— Barcarolle from 3 Duettinos op. 135. (8695).
— Larghetto in G. (M.F. 92).

Squire, W. H. Gavotte sentimentale.


— Reverie.
— Serenade in A.
— Bourrée. Op. 24.
— Meditation. Op. 25.
Strelezki, A. “L’Absence”, Mélodie.
— Mélodie réligieuse.
— 4ième Menuet à l’Antique. (M.F. 103).

Struss, Fritz. 2 Characteristic Pieces. Op. 12.


No. 1. Gondoliera.

Sutcliffe, W. Andante in E.
Tartini, G. Larghetto (G minor). (Jensen, V. 6).
Thomas, Emile. Air de Ballet.
— Danse Lente.
— Sanssouci Valse.
— Polka.
— Danse rustique.
Light salon pieces in simple rhythms.
— Sonatine en Ut (C).
Tschaïkowsky, P. Album of Favourite Pieces:—
1. Mazurka; 2. Sweet Dream; 3. Neapolitan Song; 4.
Autumn Song; 5. Barcarolle; 6. Andante cantabile; 7.
Chant sans paroles; 8. Troïka; 9. Christmas. Edited and
partly arranged by Fr. Hermann. (7590).
Nos. 1, 6, 7, 8 and 9 belong to II.
— Chanson triste. (M.F. 85).
— Chant sans Paroles. (M.F. 27).
Valle de Paz, E. del. Op. 29, No. 2. Minuet.
Veracini, A. Sonata in A minor. (G. Jensen.) (7416).
Veracini, F. M. Minuet. (Jensen, V. 5).
— Sarabanda e Danza rustica. (Moffat.) (7589).

Volkmann, R. Musical Picture Book. Arranged by F.


Hermann:—
No. 4. On the Lake. (M.F. 62).
No. 6. The Shepherd. (M.F. 64).
Weber, C. M. von. Lonely. (Krug.)
— Maienblümchen. (F. Hermann). (M.F. 105).
— Sonatina in C for 4 hands, arranged. (Abert.) (11765).
Witting, C. Andante alla Siciliana.
Wolfermann, A. Fantasia No. 1 in G, No. 2 in G.
Melodious pieces, containing excellent practice.
— Romance. No. 1 of 3 pieces.

Step III. First five Positions.

Palaestra. A Collection of Pieces, Sonatas, Suites, and


Concert Pieces, for Violin Solo with Pianoforte
Accompaniment: arranged in progressive order, carefully
marked and annotated by Ernst Heim:—
Book Va. Pieces with change from first to fourth position,
by Lachner, Gurlitt, Hofmann, and Moffat. Piece with
change from first to fifth position, by Lully. (11475a).
Book Vb. Pieces up to the fifth position, by Spohr,
Geminiani, Mozart, and Handel. (11475b).
Book Vc. Supplement to Books A and B. Pieces by Liszt,
Jensen, Heller, Gade, and David. (11475c).
Palaestra, a collection of graduated pieces, revised by
Ernst Heim, offers the most suitable material for the
study of style and phrasing; each book corresponds in
difficulty with the same book of his Violin Duets.
“Arena”, see page 124, and his Violin Studies, “Gradus
ad Parnassum”, see page 114.
Album de Danses. Vols. 1 and 2, containing some of the
most celebrated dances by Johann and Josef Strauss.
(7319a, b).
Album pour Violon et Piano. 15 Vols. Arranged by F.
Hermann. (7322 a-n).
A number of favourite pieces, such as Rubinstein’s “Melody
in F”, Raff’s “Cavatina”, etc., are contained in these
books, the majority being suited to III, but a few to the
next Step.
Arensky, A. Serenade in G. (M.F. 102).
Bach, J. S. Air and Gavotte (from the Orchestral Suite in D).
(Jensen, V. 1).
— Andante. (Sonata in A minor, No. 3.) (Jensen, V. 13).
— Concertos in A minor and E minor.
— Largo from a flute Sonata. (Jensen, V. 20).
— Siciliano from a flute Sonata. (Jensen, V. 21).
— Sonata in G minor. (7434).
— 3 Tonsätze, arr. von H. Henkel. (1. Berceuse; 2.
Sarabande; 3. Toccata.) (7326).
Barthélemon, E. H. Sonata in E minor. (7421).
Batiste, E. Voix céleste. (M.F. 70).
Becker, J. Romance. (M.F. 42).
Beethoven-Album. (Arranged by F. Hermann). (7329).
Beethoven. 2 Romances in G and F. (Jensen, V. 10, 11).
(7331).
Two of the choicest gems of violin literature. One of the
best and clearest editions is that fingered and edited by
G. Jensen.
Benda, Franz. 8th Sonata in A minor. (7433).
Bennett, W. Sterndale. Overture, “Parisina”. (8671a).
— Overture, “The Naïades”. (8671b).
— Overture, “The Wood Nymphs”. (8671c).

Bériot, C. de. 6me Air varié. (7335).
— 7me Air varié. (7338).
— 12 Mélodies Italiennes. 2 Bks. (7334a, b).
— La Verginella. (M.F. 87).

Blagrove, Stanley. Rêverie.


Borch, Gaston. Berceuse in G. Op. 50.
— Romance in G. Op. 57. (11326).
Borders, W. Morceau à l’Irlandaise. Op. 87.
— Romance and Bolero. Op. 88. Duo Concertante.
Borghi, L. Sonata No. 2, in A major. (7413).
— Sonata No. 4, in G minor. (7414).
Brahms, J. Op. 39. Walzer. (9402).
— Ungarische Tänze. 4 Bks.
Simplified arrangement by F. Hermann.
Brauer, Max. Meditation on “Little Study”, by Schumann
(Ernst Heim).
Burgmüller. Nocturne. (M.F. 91).
Campagnoli. Etude. (Hermann, C.V.M. 3).
Chamber Music. Edited by H. Holmes. A selection from the
Solo Sonatas of Corelli, Tartini, Bach and Handel. (8679).
Chopin, F. Mazurka. (M.F. 34).
— Marche funèbre. (M.F. 89).
Corelli, A. 12 Sonatas. Op. 5 (Gustav Jensen). Bound, with
Portrait. (7354*).
Part I. (Sonatas 1 to 6). (7354a).
Part II. (Sonatas 7 to 12). (7354b).
The accompaniments to these beautiful Sonatas are the
work of a true artist, who, with all the technical
resources at his command, worked in reverential spirit
with regard to the style and character of the old Master.
The accompaniments are varied and very interesting in
their wealth of contrapuntal device and figuration. The
careful way in which all the ornaments are written out,
and the bowing and fingering add still further to the
value of this fine edition.
The same work in Score by Joachim and Chrysander:—
Livre III. Op. 5, Parte Prima: 6 Sonate a Violino Solo e
Violone, o Cembalo. Parte Seconda: Preludii,
Allemande, Correnti, Gighe, Sarabande, Gavotte e
Follia a Violino Solo e Violone, o Cembalo. (4936c).
— Follia con variazioni. (G. Jensen). (7419).
After a lapse of two centuries the study of Corelli is still
indispensable. The above new edition has been
admirably done by G. Jensen, who has availed himself
of the ornaments as played by Corelli.
Danbé, J. Mazurka de Salon.
David, Ferd. 6 Salonstücke. Op. 24. Revised by Fr. Hermann.
(7349).
— Op. 30. “Bunte Reihe”. (F. Hermann). (7363a, b). 24
pieces in two books.
No. 1 is an attractive Scherzo. No. 5, a graceful Gondellied.
No. 16, a good wrist study, No. 24, an equally good
staccato leggiero study. In others, the keys of 5 and 6
sharps and flats are freely used.
— Romance in F sharp major (original key).
— Romance in F major (transposed).
— Scherzo. (M.F. 2).
— Ungarisch. Op. 30, No. 19. (Fr. Hermann).
De-Angelis, G. Andante religioso. Op. 7.
— Biondina. Mélodie. Op. 10.
— Petite Légende.

Del Valle de Paz, E. 3 Capricci. Op. 15. (7362).
— Op. 28, No. 1. Sérénade Italienne.
— Op. 32, Album. (Improvisation, Tarantelle, Melodie,
Adieu, Serenatella, Canzonetta amorosa, Bourrée,
Mazurka.) (7364).
Delibes, L. “Sylvia”. Introduction and Valse Lente.
— “Sylvia”. Barcarolle and Pizzicati. Arranged by M.
Marsick.
Dobrzynski, I. F. Les Larmes. (M.F. 104).
Dunkler, E. Morceau de Salon, revised by Hermann. (M.F.
48).
Dussek. Op. 69, No. 1. Sonata in B♭. (E. Thomas.) (7360).
A very favourite work.
Dvorak. Op. 15. Ballade. (7365).
Ellerton. Duo in D minor. Op. 56. (8675).
Ersfeld, C. Op. 15. Romance in B♭. (7373).
Gabriel-Marie. Sérénade Badine.
Gade, N. W. Op. 6. Sonata in A. (7369).
— Op. 21. Sonata in D minor. (7374).
Geminiani, F. Sonatas No. 1 in A major (7401), No. 2 in B
minor (7402), No. 8 in D minor (7411).
— Selected Sonata movements. (7412).
German, Edward. Song without Words. (11441).
— Saltarelle. (7370).
— Three Dances from “Henry VIII”.

Godard, B. Berceuse de “Jocelyn”.


Goltermann. Op. 13. 2 Salon Pieces. (Les Adieux and Le
Rêve.) (1996).
— Berceuse.
Gounod, C. Serenade. (M.F. 72).
— Meditation on Bach’s 1st Prelude. (M.F. 118).
Grieg, E. Christmas Song, arr. by F. Hermann. (M.F. 110).
Guillaume. Op. 4. Mélancolie; Romance.
Gurlitt, C. Op. 134. Sonatinas:— No. 1, in A major (7372a);
No. 2, in F (7372b).
True and unsophisticated melody distinguish these two
Sonatinas. The Andante of the first is particularly fine.
Handel. Largo. Aria, “Ombra mai fu”, arr. by R. Hofmann.
— Sonatas in A (7422), in G minor (7426), in D (7427), in E
(7377).
— Suites Nos. 1 and 2. (Jensen). (7378a, b).
These Suites belong to II except for a bar in each.
Hartog. “Home, sweet home”. Variations. (7380).
— Berceuse, Ier Morceau de Salon.
Hauser, M. Le Désir. (M.F. 4).
— Le Rêve. (M.F. 11).
— Barcarolle. (M.F. 54).
— Hungarian Dance.
— 6 Songs without Words. (7506).
Melodious and characteristic salon pieces.
Haydn. Variations “Gott erhalte Franz den Kaiser”. (Thomas).
Heller & Ernst. Pensées fugitives. (Fr. Hermann):—
Bk. I. (Passé, Souvenir, Romance, Lied, Agitato, &c.).
(7386a).
Bk. II. (Rêverie, Un Caprice, Inquiétude, Prière pendant
l’orage, Intermezzo, and Thème original et variations).
(7386b).
Brilliant and fanciful. Very grateful drawing room pieces.

Heller, Stephen. Rondeau. (M.F. 88).


Henkel, H. Gavotte moderne. Op. 81.
Movements from the works of Great Masters. The following
may be taken in this Step:—
Beethoven. Allegretto, (7387 f): Haydn. Nachtwächter
Menuett. (7387 c): Marschner. Tanzmusik. (7387i):
Monsigny, Chaconne. (7387 m): Mozart. All’Ongarese.
(7387 g): Mozart. Minuet. (7387 e): Rameau. Chaconne
and Musette. (7387 k).
Herrmann, E. Op. 12. Barcarolle. (8678).
Hoffmann, J. Bolero.—Danse des sorcières.—Zingaresca,
Morceau caractéristique.—Robin Adair. Fantaisie brillante.
Hofmann, Richard. Short Study (Kleine Studie). Op. 110, No.
2.
Holländer, V. Polonaise. (11501).
Hurlstone, W. Sonata in D minor. (7507).
Ireland, John. Berceuse.
Jensen, A. Träumerei.
As arranged by Wilhelm; this makes a fine solo for the
fourth string.
— Serenade (Ständchen). Arranged by Hermann. (M.F.
58).
— Wanderbilder. Nos. 7, 10 and 11. (2129 a, b).
Jensen, G. Op. 25. Suite in A minor. (8680).
Prélude from the same.
Barcarolle from the same.
— Op. 28. Three Pieces.
— Op. 31. 3 Morceaux Caractéristiques. (7394).
— Op. 36. 2nd Romance in B♭.
— Op. 38. Berceuse.

Kayser. 36 Elementary and Progressive Studies. Op. 20
(introductory to those of Kreutzer), revised by E. Heim.
Book III. (7397 c).
Kjerulf, H. Frühlingslied. (M.F. 75).
Kreuz, E. “Frühlingsgedanken.” Op. 9. (7510).
— Four Pieces. Op. 28. (7517).
— Cavatina in E♭. Op. 44. No. 1.
— Sérénade napolitaine. Op. 44, No. 3.
— Le rêve. Morceau. Op. 45. No. 3.
Kücken, F. 6 Duos. (8681 a-f).
Kuhlau. Op. 88. 4 Sonatinas. Nos. 2, 3 and 4. (7399).
Lachner, Ignaz. Morceaux de Salon. Op. 93:— No. 1.
Nocturne.
Leclair, J. M. Andante, Gavotta e Minuetto. (Jensen, V. 18).
— Sarabanda and Tambourino. (Jensen, V. 4).
— Tambourin. (Hermann, C.V.M. 8).
— Sonate IV. (G. Jensen). (7245).
Le Jeune, A. Coronation March.
Loeschhorn, A. A Child’s Dream (Des Kindes Traum).
Characteristic piece, arranged by Ernst Heim.
Loew, J. Albumblatt. (M.F. 6).
Lully, J. B. Gavotte in D minor. (Hermann, C.V.M. 10).
Mac Cunn, Hamish. Op. 30. “Highland Memories”, Suite of 3
Scottish Scenes: “By the Burnside”, “On the Loch” and
“Harvest Dance”. (7520).
Three interesting and quite uncommon pieces.
— Three Romantic Pieces. Op. 27. No. 1. L’Espérance. No.
2. Sérénade. No. 3. Rêve d’amour.
Mackenzie, A. C. Op. 37, Nos. 3 and 4 “Benedictus” and
“Zingaresca”.
Mallard, C. “Sehnsucht und Hoffnung”.
March Album. Bks. 3 and 4. Edited by Hermann. (8686c, d).
Martini, G. B. Siciliana. (Jensen, V. 15).
Matras, Maud. Ballade. Op. 8. (7534).
Mendelssohn. Op. 4. Adieu à Berlin. (8683).
Moffat, Alfred. La Gracieuse. Mazurka.
— Légende.
— Mazurka hongroise.
— Fantasia on Scottish Melodies.
Molique, B. 6 Morceaux Caractéristiques. Op. 41. (Ernst
Heim). (11562).
— Op. 47. 6 Mélodies. 2 Books. (9405a, b).
No. 6 is especially piquant.
Monsigny. Rigaudon. (7387d).
Moszkowski, M. Op. 8. 5 Valses. (7527).
— Op. 21. Album Espagnol. (7529).
Arranged by E. Thomas from the piano duets.
— Op. 23. “From Foreign Parts”. (E. Thomas). (7531).
— Mélodie. (M.F. 1).
Mozart, W. A. 18 Sonatas.
Mozart’s sonatas, although presenting no special technical
difficulties, require great delicacy and refinement in
rendering. Nos. 8, in C, 11, in G, and 18, in F, might be
first studied.
— Andante, Minuet and Rondo (Haffner Serenade). (7418).
— Larghetto, from clarionet Quintet. (Jensen, V. 14).
— Andante in E♭ (Sonata in B♭). (7324b).
— Adagio, edited by E. Heim. (11567).
— Adagio. (M.F. 94).
Nicodé, J. L. Barcarolle. (M.F. 31).
Noskowski, S. Op. 23. Cracovienne Mélancolique. (M.F. 77).
— Op. 27. Cracovienne in A. (M.F. 74).
Papini, Guido. Trois Morceaux de Salon. (8685):—
No. 1. Gavotte. No. 2. Romance sans Paroles. No. 3.
Scherzettino.
Papini’s compositions belong to the better class of salon
music, being especially melodious and attractive.
Pfeiffer, G. Op. 77. Gigue dans le genre ancien. (Thomas).
(11630).
Pitt, Percy. Canzonetta. Op. 8, No. 1.
Pleyel. Op. 44. (Hermann). (7544).
Pugnani, G. Sonata in E. (7404).
Raff, Joachim. Pastorale. Op. 85. No. 2.
— Chanson suisse. (M.F. 106).

Renard, F. Berceuse. (M.F. 44).


Ries. Romance. (M.F. 9).
Ritter. Operatic Duets. The following can be taken in this
Step:—Sonnambula, (9407c); La Favorite, (9407d); Lucia
di Lammermoor, (9407e); Zampa, (9407f); Zauberflöte,
(9407g); Lohengrin, (9407h); Tannhäuser, (9407i);
Oberon, (9407k); Taming of the Shrew, (9407l); Flying
Dutchman, (9407m); Fra Diavolo (9407a).
Rode, P. Op. 10. Air Varié. (Jensen, V. 12). (8691).
Roeckel, J. L. Croquis musicaux.
No. 4. Thème dansant. No. 5. Dans la barque.
Rubinstein, A. 3 Salon Pieces, Op. 11, edited by E. Heim:
Allegro appassionato. (7562a).
Andante. (7562b).
Allegro. (7562c).
— Romance (E flat). (M.F. 37).
— Mélodie. (M.F. 41).
— Russian Songs. (M.F. 67).
— Barcarolle. (M.F. 107).
Saint-George, G. Désir.
— Canzonetta.
Scharwenka, X. Op. 20. Tone Pictures. (9408).
— Danse Polonaise. (M.F. 23).
Scholtz, H. 3 Albumblätter. (M.F. 47).
Schubert, F. Sonatine, Op. 137, No. 2, in A minor. Revue et
doigtée par Emile Thomas.
— Ave Maria. Arr. by Emile Thomas.
Schubert, F. (of Dresden). L’Abeille (The Bee).
— Allegretto grazioso. (M.F. 83).
Schumann. Op. 94. 3 Romances. (7581).
— Abendlied. (M.F. 3).
— Op. 102. 5 Stücke im Volkston. (7583).
— Op. 113. Märchenbilder. (7584).
— Warum. (M.F. 90).
Simonetti, A. Rêverie.
Somervell, Arthur. Whims. (No. 3 of 3 Original Pieces).
Somis, G. B. Adagio and Allegro. (7403).

Spohr, L. Barcarole. (M.F. 30).
— Alla Tedesca. (M.F. 39).
Squire, W. H. Serenade. Op. 15. (7122 b).
— Op. 26. Humoresque.
— Gavotte humoristique. (7586).
Strelezki, A. Appassionata.
— “Asphodel”, Chant sans paroles.
— Cavatina en Ré majeur.
— Romanza in E flat.
— En Valsant.
Struss, Fritz. 2 Characteristic Pieces. Op. 12:— No. 2. Idylle.
Sutcliffe, W. Romance.
Svendsen, J. S. Op. 26. Romance in G. (7587).
Tartini. Andante Cantabile (8th Sonata). (Jensen, V. 8).
— Giga in D. (Jensen, V. 9).
— Sonatas Nos. 4 and 10 of Op. 1. (7407).
— Sonata No. 8 in C minor. (7408).
— Sonata in C major, and Giga in D. (7409).
— Pastorale. (Hermann, C.V.M. 2).
Thirlwall. Favourite Airs, with Variations:—
No. 6. Old English Song (Malibran’s Favourite). (9412 f).
Good study for the bow.
Thomas, Emile. 1ère Fantasie sur les Airs écossais.
— 2de Fantasie sur les Airs écossais.
— Danse Sicilienne.
— Danse des Fées.
— Légende.
— Méditation réligieuse.
Thomé, F. Op. 25. Simple Aveu.
Tschaïkowsky. Andante Cantabile. (M.F. 45).
— Romance. (M.F. 81).
— Troika. (M.F. 76).
— Album of Favourite Pieces:— 1. Mazurka. 2. Sweet
Dream. 3. Neapolitan Song. 4. Autumn Song. 5.
Barcarolle. 6. Andante cantabile. 7. Chant sans paroles.
8. Troïka. 9. Christmas. Edited and partly arranged by
Fr. Hermann. (7590).
Nos. 2, 3, 4 and 5 belong to III.
Veracini, F. M. Concert Sonata in E minor. (7424).
Vivaldi, A. Sonata in A. (7423).
Vieuxtemps, H. Op. 40. No. 1. Romance in F.
Volkmann, R. Hungarian Sketch. (M.F. 38).
— The Knights. (M.F. 46).
— Musical Picture Book (arranged by Hermann). Nos. 2,
“The Postillion”; 3, “The Russians are coming”; 5, “The
Cuckoo and the Wanderer”.
Wagner, R. Album-Leaf. (8699).
— Rienzi’s Prayer. (M.F. 65).
— Spinning Song (from Flying Dutchman). (M.F. 68).

Walger, Carl. Serenade.


Weber, C. M. von. Invitation à la Valse. (Thomas).
Wieniawski. Op. 12. No. 2. Chanson polonaise. (7494).
— “Kuyawiak”, 2de Mazurka. (7493).
— Gigue. (7492).
Effective and brilliant pieces. No. 1 of Op. 12 belongs to IV.
Wilhelmj, A. Walter’s Preislied (from the “Meistersinger”).
Wüerst, R. Op. 25. Two Romances.
Wurm, Marie. Estera Gavotte. (M.F. 79).

Step IV. All Positions.


Palaestra. A Collection of Pieces, Sonatas, Suites, and
Concert Pieces for Violin solo with Pianoforte
accompaniment; arranged in progressive order, carefully
marked and annotated by E. Heim:—
Book VIa. Pieces up to the sixth position, by Max Brauer,
C. Gurlitt, and J. S. Bach. (11476a).
Book VIb. Pieces up to the seventh position, by E. Thomas,
R. Orlando Morgan, and J. Hoffmann. (11476b).
Book VIc. Supplement to Book A and B. Pieces by C.
Ersfeld, C. Gurlitt, B. Molique, M. Hauser, and A.
Strelezki. (11476c).
Book VIIa. Pieces up to the thirteenth position by A.
Strelezki, P. Rode, de Angelis, and A. Moffat. (11477a).
Book VIIb. Pieces up to the thirteenth position by
Beethoven, Baillot, de Angelis, and G. Papini. (11477b).
Book VIIc. Supplement to Books A and B. Pieces by
Molique, Mazas, and de Bériot. (11477c).
Palaestra, a collection of graduated pieces, revised by
Ernst Heim, offers the most suitable material for the
study of style and phrasing; each book corresponds in
difficulty with the same book of his Violin Duets,
“Arena”, see page 125 and his Violin Studies, “Gradus
ad Parnassum”, see page 115.
Bach, J. S. Aria from the Suite for Orchestra, arranged as a
Concert Piece on the fourth string by Ernst Heim.
Bache, F. E. Romance. Op. 21. (7664).
Baillot, P. Rondo sur un Air Moldavien. (Hermann, C.V.M.4).
Becker, A. Op. 20. Adagio. (2078).
Beer-Walbrunn. Op. 3. Short Fantasia in G min. (2930).
Beethoven. 6 Quartets. Op. 18. F, G, D, C minor, A and B
flat. Arranged by F. Hermann. (7341-6).
Beethoveniana. 3 Bks. Extracts from the pianoforte Sonatas,
arranged for violin and piano by F. Hermann. (7330a-c).
Bériot, C. de. Op. 32. 2nd Concerto in B minor.
— Op. 100. Scène de Ballet (E. Heim).
Bortniansky. Adoration. (M.F. 111).
Coleridge-Taylor, S. Op. 9. Two Romantic Pieces, “Lament”
and “Merry-making”. (7352).
— Op. 14. Legend (from the Concertstück). (7353).
Of decided originality; for musically gifted students only.
— Valse-Caprice. Op. 23. (7358).
— Danse nègre, from “African Suite.” Op. 35. (6100d).
— A Negro Love-Song. Op. 35, No. 2. (7359b).
Corelli. Adagio and Allegro. (Hermann, C.V.M. 1).
Cui, César. Berceuse.
Danbé, J. Berceuse.
David, Ferd. Etude. (M.F. 36).
De-Angelis, G. Pensée mélancolique. Op. 8.
Ernst. Elegy. (7366).
Field. Nocturnes (Hermann). (2128).
Fleurs des Opéras. Tannhäuser. (Courvoisier). (7470).
Goltermann, G. Berceuse. (M.F. 109).
Gounod. Faust. Potpourri by R. Hofmann. (5445 c).
Gurlitt, C. Op. 105. Ouverture des Marionettes. (7371).
— Op. 137. “Commedietta” Ouverture. (8676).
Grieg, E. Op. 8. Sonata in F.
— Op. 13. Sonata in G minor (7522).
— Op. 45. Sonata in C minor.
Three of the freshest and most poetical of modern sonatas.
Hartog, Henri. Prière, 3me Morceau de Salon.
— Rêverie, 2d Morceau de Salon.
Hauser, M. Chanson de Berceau. (M.F. 53).
— Ungarisch. (M.F. 71).
Haydn. Andante. (M.F. 97).
Heller, Stephen. Feuillet d’Album. Transcrit par H. W. Ernst.
(E. Heim).
Henselt, A. Chant d’amour. (M.F. 29).
Hiller, F. Zur Guitarre. (M.F. 49).
Hoffmann, J. Bourrée; Gavotte.
Hofmann, Richard. Potpourris on Popular Melodies from
classical and modern Operas and Oratorios, arranged by
R. Hofmann:—
Wagner. Der fliegende Holländer. (5438 c).
Wagner. Lohengrin. (5439 c).
Wagner. Rienzi. (5440 c).
Wagner. Tannhäuser. (5441 c).
Rossini. Il Barbiere di Seviglia. (5442 c).
Rossini. Guillaume Tell. (5443 c).
Auber. Masaniello. (5444 c).
Gounod. Faust. (5445 c).
— 8 Vortragsstücke. Op. 103:— No. 2. Barcarola. 3. Aria.
4. Bolero. 6. Zigeunertanz. 7. Cavatina. 8. Perpetuum
mobile.
Holländer, G. Op. 50. Waldmärchen.
Jensen, Gustav. Op. 39. Capriccio.
Jensen, G. Bolero in D minor.
Kalliwoda, J. W. Op. 237. Ländler. (M.F. 57).
Kreuz, E. Op. 20. Barcarolle, from Concerto.
Lassen, E. Liederstrauss. (M.F. 50).
Belongs to III, except the opening on the G string.
Leclair. “Le Tombeau”. Sonata. (7428).
Molique, B. 6 melodies. Op. 36. (Ernst Heim). (11561).
Moffat, A. Melodie amoureuse.
— Punchinello. Gavotte.
Morgan, R. Orlando. Ballade. Op. 28.
Moszkowski, M. Op. 17, No. 2. Minuet (E. Thomas).
— Op. 23. “Les Nations” (arranged by Nachèz). (7530).
A less difficult arrangement by E. Thomas is also published.
(7531).
— Valse brillante. Arranged by Emile Thomas. (7532).
Mozart, W. A. Adagio and Rondo. (7420).
Noskowski, S. Dumka. Op. 29. (Emile Thomas.)
— Zingaresca. Op. 27. (M.F. 80).
— Les Larmes. Op. 36, No. 1.
Palmer, G. A Dream. Nocturne.
Papini, G. Deux Airs Suédois. (11622).
Parkyns, Beatrice. Berceuse.
Popper, D. Romance. (7548).
Rachmaninoff, S. Romance in D minor.
— Hungarian Dance.
Raff, Joachim. Six Morceaux. Op. 85:—No. 1, Marcia; No. 3,
Cavatina; No. 4, Scherzino; No. 5, Canzona; No. 6,
Tarantella.
These pieces dedicated to the late Ludwig Straus are gems
of violin literature. The Cavatina is one of the most
popular violin pieces.
— Méditation. (M.F. 25).
— Op. 73, 78, 128, 129, 145. 5 Sonatas. (2568 a-e).
Some movements of these fine Sonatas belong to V.
Reger, Max. Op. 1. Sonata in D minor. (7535).
— Op. 3. Sonata in D major. (7536).
Rode. Concerto No. 7.
Rubinstein, A. Op. 13. Sonata in G.
One of the composer’s most genial works.
— Sonata in D. Op. 18. (7564).
Saint-George, G. Chant sans Paroles.
Sauret, E. Souvenir d’Orient. 6 Morceaux, Op. 63:—
Book 1. Souvenir de Constantinople. Danse et Ronde.
(11694 a).
Book 2. La Revue, Gondoliera et A Péra. (11694 b).
Interesting pieces, full of oriental colouring.
— Morceaux caractéristiques. Op. 47:—
No. 1, Canzona; No. 2, Impromptu.
— Scènes Villageoises. Op. 50. 5 Morceaux de Salon:—
No. 1, Le Matin; No. 2, Pastorale; No. 3, Vieille chanson;
No. 4, Danse; No. 5, Idylle.
Scharwenka, Xaver. Op. 3. Cinq Danses polonaises.
Arranged by G. Holländer:—
No. 2 (F sharp minor); No. 3 (D major).
Nos. 1, 4 and 5 belong to V.
— Phantasiestück. (M.F. 33).
Schubert. Op. 70, 159, 160 and 162.
Schumann. Op. 105 and 121, Sonatas in A minor and D
minor. (7579, 7580).
— Op. 73. Fantasiestück.

Simonetti, A. Mazurka.
Sinding. Op. 10. Suite. (2477).
— Op. 27. Sonata in E major. (2826).
— Op. 30. Romance. (2827).
— Op. 61. 4 Pieces. 3 Bks. (3050 a-c).
Sinding’s compositions rank among the finest works by
modern Scandinavian composers. The Suite Op. 10,
resembles in style the “Holberg” Suite by Grieg.

Sitt, Hans. Op. 71. No. 1. Romance.
— Op. 71. No. 2. Nocturne.
— Op. 71, No. 3. Scherzo-Tarantelle.
Sjögren. Op. 19. Sonata in G minor. (2215).
This composer is a highly talented member of the modern
Scandinavian School.
Smetana. 2 Salon-Pieces. (2634 a-b).
Fine and characteristic pieces of the famous Czechian
master.
Somervell, Arthur. 3 Original Pieces:—
No. 1, Romance; No. 2, Barcarolle.
Spohr, L. Op. 2. Concerto in D minor.
— Op. 135. Three Duettinos. (No. 2, Scherzo; 3.
Sarabande). (8695).
The Barcarolle, No. 1, belongs to II.
— Op. 95. Duet in G minor. (9409).
— Op. 112. Duet in E. (9410).
— Op. 113. Hamburg Sonata. (9411).
— 3 Adagios from the Violin Concertos (Fr. Hermann).
(11705).

Stanford, Villiers. Légende.


Strelezki, A. Romanza in F.
— Serenade. Op. 191, No. 4. (Thomas).

Sutcliffe, W. Gavotte Romantique.


Thirlwall. Favourite Airs, with Variations:—
No. 1. English Air. (9412 a).
