Safeguarding Information Intensive Critical Infrastructures against novel types of emerging failures
Sandro Bologna, ENEA – CAMO Modelling and Simulation Unit, CR Casaccia, 00060 Roma, bologna@casaccia.enea.it
Workshop on Safeguarding National Infrastructures: Integrated Approaches to Failure in Complex Networks, Glasgow, 25-26 August, 2005
RISK BASED APPROACH
Risk = (Threat x Vulnerabilities / Countermeasures) x Impact
Actors (environmental conditions, adversaries, insiders, terrorists, hackers…) are the source of the threat; weaknesses magnify the threat potential; countermeasures reduce the threat potential; effects magnify the entire problem.
Extension of the concept of Risk Assessment to Critical Infrastructure (originally elaborated from Manuel W. Wik, “Revolution in Information Affairs”).
ENEA contributions shown on the slide:
• ENEA FaMoS: multimodelling approach for vulnerability analysis and assessment.
• ENEA SAFEGUARD: approach to reduce the threat potential against existing SCADA.
LAYERED NETWORKS MODEL: Organisational Infrastructure, Cyber-Infrastructure and Physical Infrastructure, with intra-dependencies inside an infrastructure and inter-dependencies between infrastructures.
THREE LAYERS MODEL FOR THE ELECTRICAL INFRASTRUCTURE
• Organisational layer: Electrical Power Operators; Independent System Operator for electricity planning and transmission.
• Cyber layer: control and supervisory hardware/software components (SCADA/EMS systems).
• Physical layer: electrical components (generators, transformers, breakers, connecting cables, etc.).
Intra-dependencies link the three layers of the National Electrical Power Transmission Infrastructure; inter-dependencies link it to the Telecommunication Infrastructure, the Oil/Gas Transport System Infrastructure and Foreign Electrical Transmission Infrastructures.
US CANADA BLACK-OUT Power System Outage Task Force Interim Report
GENERAL LAYOUT OF TYPICAL CONTROL AND SUPERVISORY INFRASTRUCTURE OF THE ELECTRICAL GRID
Control and management layer (SCADA system): Control Centres (CC, CNC) linked over a WAN (Wide Area Network); a data management network with Data Concentrators; Remote Units (SIA-R, SIA-C) in Area 1, Area 2 and Area 3.
Physical electrical layer (high-medium voltage): generators, substations, loads.
NEW VULNERABILITIES
• Governments and industry organizations have recognized that all the automation systems collectively referred to as SCADA are potential targets of attack from hackers, disgruntled insiders, cyberterrorists, and others who want to disrupt national infrastructures.
• SCADA networks have moved from proprietary, closed networks to the arena of information technology, with all its cost and performance benefits and IT security challenges.
• A number of efforts are underway to retrofit security onto existing SCADA networks.
NEW RISKS TO SCADA
• Adoption of standardized technologies with known vulnerabilities
• Connectivity of control systems to other networks
• Constraints on the use of existing security technologies and practices due to the old technology used
• Insecure remote connections
• Widespread availability of technical information about control systems
SCADA Security Incidents between 1995 and 2003 (source Eric Byres BCIT)
SCADA External security incidents by entry point (source Eric Byres BCIT)
SAFEGUARD ARCHITECTURE – Safeguard agent Architecture for Large Complex Critical Infrastructures (LCCIs)
Low-level agents (local nodes protection), attached to the Cyber Layer of the Electricity Network (home LCCI): Diagnosis wrappers, Intrusion Detection wrappers, Hybrid Anomaly Detection agents, Actuators.
High-level agents (network global protection): Correlation agent, Topology agent, Action agent, MMI agent, Negotiation agent; the Negotiation agent is the interface towards other LCCIs (foreign electricity networks, telecommunication networks). Links between agents carry either commands and information or information only.
At Level 1 – identify component failure or attack in progress: Hybrid anomaly detection agents utilise algorithms specialised in detecting deviations from normality. Signature-based algorithms are used to classify failures based on accumulated functional behaviour.
At Level 2 – correlate different kinds of information: Correlation and Topology agents correlate diagnoses; the Action agent replaces the functions of failed components.
At Level 3 – operator decision support: the MMI agent supports the operator in the reconfiguration strategy; the Negotiation agent supports the negotiation of recovery policies with other interdependent LCCIs.
AN EXAMPLE OF SAFEGUARD AGENTS
High-level agents: MMI, Negotiation agent (towards other LCCIs), Topology agent, Correlation agent, Action agent0, further Correlation agent(s) and Action agent(s).
Low-level agents (home LCCI): Wrapper agents; Hybrid detector agents – EDHD, ECHD (Event Course Hybrid Detection agent) and DMA (Data Mining Agent); Actuator(s).
ECHD (Event Course Hybrid Detector) Agent – Prologue
• The Event Course Hybrid Detector extracts information about a certain process from the sequences of events generated by that process.
• It may or may not recognise sequences of events that it has learned, partly from information captured by the expert of the process and partly in an on-field training phase.
• When it recognises a sequence it also associates an anomaly level with the sequence (timing discordance from the learned one).
SCADA System Configuration for the Italian Transmission Electrical Network (GRTN-ABB), with ECHD agents attached at several points of the configuration.
RECOGNISING A PROCESS FROM THE SEQUENCE OF EVENTS IT PRODUCES
The SCADA system is instrumented with “sensors”: starting from the processing of a telemeasure at t0, the process emits the events E(t1), E(t2), E(t3), E(t4), E(t5), E(t6).
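The following is an added illustration of the ECHD idea described above; it is not code from the Safeguard project. It learns, from a few constructed training runs, the ordered course of events a telemeasure-processing job emits after t0 together with the typical offset of each event, then either recognises a new course or rejects it, and for a recognised course returns an anomaly level equal to the largest timing discordance from the learned course. The event names, offsets and the spread floor are assumptions made for the example.

```python
"""Toy Event Course Hybrid Detector (ECHD) style recogniser.

Added example, not code from the Safeguard project. A process (here: the
processing of a telemeasure started at t0) is learned as an ordered course
of events with their typical offsets from t0; a new event course is then
either recognised or not, and a recognised one gets an anomaly level that
measures its timing discordance from the learned course.
"""
from statistics import mean, pstdev

# Constructed training runs: for each run, the ordered (event, seconds after t0)
# pairs emitted by the instrumented SCADA process. Event names are hypothetical.
TRAINING_RUNS = [
    [("TM_RECEIVED", 0.0), ("TM_VALIDATED", 0.5), ("DB_UPDATED", 1.1),
     ("ALARM_CHECK", 1.6), ("HMI_REFRESH", 2.0), ("ARCHIVED", 3.0)],
    [("TM_RECEIVED", 0.0), ("TM_VALIDATED", 0.6), ("DB_UPDATED", 1.2),
     ("ALARM_CHECK", 1.7), ("HMI_REFRESH", 2.2), ("ARCHIVED", 3.1)],
    [("TM_RECEIVED", 0.0), ("TM_VALIDATED", 0.4), ("DB_UPDATED", 1.0),
     ("ALARM_CHECK", 1.5), ("HMI_REFRESH", 2.1), ("ARCHIVED", 2.9)],
]

MIN_SPREAD_S = 0.05  # floor on the learned spread, so a zero-variance step still scores


def learn_course(runs):
    """Learn the course: one (event, mean offset, spread) entry per step.

    The event order is the part an expert of the process can supply; the
    offsets and their spread are what the on-field training phase adds.
    """
    names = [event for event, _ in runs[0]]
    for run in runs:
        if [event for event, _ in run] != names:
            raise ValueError("training runs disagree on the course of events")
    course = []
    for step, name in enumerate(names):
        offsets = [run[step][1] for run in runs]
        course.append((name, mean(offsets), max(pstdev(offsets), MIN_SPREAD_S)))
    return course


def recognise(course, observed):
    """Return (recognised, anomaly_level) for an observed course of events.

    The course is not recognised when its events or their order differ from
    the learned one (a missing or extra event counts as different). For a
    recognised course the anomaly level is the largest timing discordance
    over all steps, in units of the learned spread: 0.0 is a perfect match,
    values well above a few units indicate a process running off its timing.
    """
    if [event for event, _ in observed] != [name for name, _, _ in course]:
        return False, None
    level = 0.0
    for (_, mu, sigma), (_, t) in zip(course, observed):
        level = max(level, abs(t - mu) / sigma)
    return True, round(level, 2)


if __name__ == "__main__":
    learned = learn_course(TRAINING_RUNS)
    late = [("TM_RECEIVED", 0.0), ("TM_VALIDATED", 0.5), ("DB_UPDATED", 2.6),
            ("ALARM_CHECK", 3.1), ("HMI_REFRESH", 3.5), ("ARCHIVED", 4.5)]
    print(recognise(learned, TRAINING_RUNS[0]))  # recognised, low anomaly level
    print(recognise(learned, late))              # recognised, high anomaly level
    print(recognise(learned, late[:2]))          # not recognised (incomplete course)
```

The separation between "not recognised" (wrong or incomplete event course) and "recognised with a high anomaly level" (right events, wrong timing) is the point: the first case is a different or interrupted process, the second is the same process misbehaving, and a correlator would treat the two differently.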
DATA MINING AGENT (DMA) – one of the hybrid detector agents of the example above.
DMA (Data Mining) Agent – Prologue
• Data Mining is the extraction of implicit, previously unknown, and potentially useful information from data.
• A Data Miner is a computer program that sniffs through data seeking regularities or patterns.
• Obstructions: noise (the agent intercepts without distinction everything that happens in the network) and computational complexity (as a consequence, permanent monitoring of the traffic is impossible if SCADA functionalities are not to be jeopardised).
SCADA System Configuration for the Italian Transmission Electrical Network (GRTN-ABB), with DMA agents attached to the configuration.
DMA (Data Mining) Agent – Use of Data Mining techniques in the Safeguard project
• DMA observes TCP packets flowing through the port utilised by the message broker of the SCADA system emulator.
• After a learning phase, DMA should be able to discriminate between normal packet sequences and anomalous ones, raising an alarm in the latter case.
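As an added example (not Safeguard project code) of the learning phase and the discrimination step just described: the packets below are constructed records, BROKER_PORT and the message-type tokens are hypothetical, and the "mining" is the simplest sequence model that works for this purpose, a table of the transitions between consecutive message types seen on the broker port during learning. Detection scores one window of packets at a time, which is also how the two obstructions of the previous slide are handled: traffic to other ports is discarded as noise, and scoring a bounded window instead of the whole stream keeps the cost independent of how long the SCADA system has been running.

```python
"""Toy Data Mining Agent (DMA) style detector for packet sequences.

Added example, not code from the Safeguard project. Packets are constructed
records, BROKER_PORT and the message-type tokens are hypothetical. The
learning phase mines the transitions between consecutive message types seen
on the broker port; the detection phase scores a window of packets by the
share of transitions the model has never seen.
"""
from collections import Counter

BROKER_PORT = 5555  # hypothetical TCP port of the SCADA emulator's message broker
NORMAL_CYCLE = ["POLL_REQ", "POLL_RESP", "TM_UPDATE", "ACK"]  # hypothetical polling cycle


def make_packet(seq, mtype, dport=BROKER_PORT):
    """A constructed stand-in for one captured TCP packet."""
    return {"seq": seq, "dport": dport, "type": mtype}


def constructed_training_traffic(cycles=50):
    """Normal traffic: polling cycles, a periodic heartbeat, and unrelated port-80 noise."""
    packets, seq = [], 0
    for i in range(cycles):
        for mtype in NORMAL_CYCLE:
            packets.append(make_packet(seq, mtype))
            seq += 1
        if i % 10 == 9:
            packets.append(make_packet(seq, "HEARTBEAT"))
            seq += 1
        packets.append(make_packet(seq, "HTTP_GET", dport=80))  # noise the agent must ignore
        seq += 1
    return packets


def on_broker_port(packets):
    """Message types of the packets addressed to the broker port, in capture order."""
    ordered = sorted(packets, key=lambda p: p["seq"])
    return [p["type"] for p in ordered if p["dport"] == BROKER_PORT]


def learn(packets):
    """Learning phase: count every (previous type, next type) transition on the broker port."""
    types = on_broker_port(packets)
    return Counter(zip(types, types[1:]))


def detect(model, window, max_unseen_ratio=0.2):
    """Score one window of packets against the learned transition model.

    Returns the transitions the model has never seen, their share of all
    transitions in the window, and an alarm flag set when that share exceeds
    max_unseen_ratio. A window with fewer than two broker-port packets gives
    no verdict rather than a false "normal".
    """
    types = on_broker_port(window)
    transitions = list(zip(types, types[1:]))
    if not transitions:
        return {"alarm": False, "unseen": [], "ratio": 0.0, "verdict": "insufficient data"}
    unseen = [tr for tr in transitions if tr not in model]
    ratio = len(unseen) / len(transitions)
    anomalous = ratio > max_unseen_ratio
    return {"alarm": anomalous, "unseen": unseen, "ratio": round(ratio, 2),
            "verdict": "anomalous" if anomalous else "normal"}


if __name__ == "__main__":
    model = learn(constructed_training_traffic())
    normal = [make_packet(i, t) for i, t in enumerate(NORMAL_CYCLE * 3)]
    odd = [make_packet(i, t) for i, t in
           enumerate(["POLL_REQ", "POLL_REQ", "POLL_REQ", "TM_UPDATE", "POLL_REQ", "POLL_REQ"])]
    print(detect(model, normal)["verdict"], detect(model, odd)["verdict"])
```

The threshold max_unseen_ratio is the knob between false alarms and missed anomalies: a transition that is merely rare in training is still "seen", so a richer version would keep the counts in the Counter and also flag transitions whose frequency is far below what was learned.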
SAFEGUARD AGENTS – the Safeguard approach (a middleware on top of existing SCADA systems, or just a retrofitted add-on device to the existing SCADA).
RETROFITTED ADD-ON SOLUTION – Safeguarding SCADA Systems
The SCADA System and its RTUs (Remote Terminal Units) are each attached through a Safe Bus API Interface to the Safe Bus, on which the Safeguard Anomaly Detectors, Correlators and Actuators operate.
• Utilities have significant investment in SCADA equipment. SCADA and similar control equipment are designed to have significant lifetimes. Protection mechanisms should not be developed that require major replacement of existing equipment in the near term.
• Because of the limited capabilities of the SCADA processors, protection mechanisms should be implemented as a retrofitted add-on device.
• SCADA systems are designed for frequent (near real-time) status updates. Protection mechanisms should not reduce the performance (reading frequency, transmission delay, computation) below an acceptable level.
ITALY BLACK-OUT (From UCTE Interim Report)
NETWORK STATE OVERVIEW & ROOT CAUSES – event tree from the UCTE report, from the pre-incident network in n-1 secure state to the failure of island operation due to unit tripping (time labels on the tree: 1-2 minutes, 24 minutes).
In the SAFEGUARD system the Correlator agent intercepts anomalies and failures inside the sequence of events and the Action agent tries to re-execute the unsuccessful commands.
SAFEGUARD might help to recognise the anomaly state and call for adequate countermeasures.
COORDINATION PROBLEMS BETWEEN SYSTEM OPERATORS (From UCTE Interim Report)
“In this specific case ETRANS needs as corrective measures which are necessary to comply with the N-1 rule, also action to be undertaken in the Italian system. This was confirmed by the check list available to the ETRANS operators, which explicitly mentions that, in case of loss of Mettlen-Lavorgo, the operator should call GRTN, inform GRTN about the loss of the line, request for the pumping to be shut down, generation to be increased in Italy. This clause is mentioned in Italian on the ETRANS checklist for this incident.”
SAFEGUARD makes available a Negotiation Agent in charge of coordination among different operators.
US CANADA BLACK-OUT Power System Outage Task Force Interim Report
US CANADA BLACK-OUT
The “State Estimation” tool does not work in the regular way because a critical piece of information (a line connection status) is not correctly acquired by the SCADA system. The data utilised by the State Estimator could be corrupted by an attack or by a fault inside the SCADA system.
From the Task Force Interim Report: “On August 14 at about 12:15 EDT, MISO’s state estimator produced a solution with a high mismatch (outside the bounds of acceptable error). This was traced to an outage of Cinergy’s Bloomington-Denois Creek 230-kV line—although it was out of service, its status was not updated in MISO’s state estimator.”
US CANADA BLACK-OUT (Task Force Interim Report)
A SAFEGUARD anomaly detection agent has the duty to verify the correctness level of the data that the State Estimator must use. If the State Estimation tool knows which data can be considered “good” or “bad”, it has the capability to furnish a more correct state of the network.
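An added example of the "good"/"bad" tagging role just described, not Safeguard project code and not the State Estimator itself: before the estimator runs, each line's telemetry is screened for physical plausibility (the two end-of-line flows should sum to roughly the losses, a line reported out of service should carry no flow, a line reported in service with no flow is at least doubtful) and for freshness of the status point. A line whose status was never refreshed and which carries no flow, the situation of the Bloomington-Denois Creek line in the report, comes out tagged BAD. Line names, field layout and thresholds are constructed for the example.

```python
"""Toy telemetry plausibility screen in front of a state estimator.

Added example, not code from the Safeguard project. Each line's SCADA
telemetry is tagged GOOD, SUSPECT or BAD with the reasons, so the State
Estimator can exclude or down-weight bad data instead of solving on it.
Line names, fields and thresholds are constructed for the example.
"""
from dataclasses import dataclass

STATUS_MAX_AGE_S = 300    # a status point older than this is treated as not refreshed
LOSS_TOLERANCE_MW = 5.0   # |P_from + P_to| above this is an inconsistent measurement pair
ZERO_FLOW_MW = 1.0        # |P| below this counts as "no flow" on the line


@dataclass
class LineTelemetry:
    name: str
    status: str          # "IN_SERVICE" or "OUT_OF_SERVICE", as last acquired by SCADA
    status_age_s: float  # seconds since the status point was last refreshed
    p_from_mw: float     # active power measured at the sending end
    p_to_mw: float       # active power measured at the receiving end (opposite sign)


# Constructed sample: one healthy line and four kinds of bad or doubtful data.
CONSTRUCTED_TELEMETRY = [
    LineTelemetry("LINE_A", "IN_SERVICE", 30.0, 120.0, -118.5),   # consistent, fresh
    LineTelemetry("LINE_B", "IN_SERVICE", 900.0, 0.2, -0.1),      # no flow, status stale
    LineTelemetry("LINE_C", "OUT_OF_SERVICE", 20.0, 45.0, -44.0),  # flow on an "open" line
    LineTelemetry("LINE_D", "IN_SERVICE", 40.0, 80.0, -60.0),     # ends disagree by 20 MW
    LineTelemetry("LINE_E", "IN_SERVICE", 30.0, 0.5, -0.3),       # no flow, status fresh
]


def check_line(t):
    """Return (tag, reasons) for one line: hard contradictions give BAD, doubts give SUSPECT."""
    no_flow = abs(t.p_from_mw) < ZERO_FLOW_MW and abs(t.p_to_mw) < ZERO_FLOW_MW
    stale = t.status_age_s > STATUS_MAX_AGE_S
    hard, soft = [], []
    if abs(t.p_from_mw + t.p_to_mw) > LOSS_TOLERANCE_MW:
        hard.append("end-to-end flow mismatch")
    if t.status == "OUT_OF_SERVICE" and not no_flow:
        hard.append("flow measured on a line reported out of service")
    if t.status == "IN_SERVICE" and no_flow:
        # doubtful on its own (lightly loaded line), a contradiction once the status is stale
        (hard if stale else soft).append("no flow on a line reported in service")
    if stale:
        soft.append("status not refreshed for %.0f s" % t.status_age_s)
    if hard:
        return "BAD", hard + soft
    if soft:
        return "SUSPECT", soft
    return "GOOD", []


def screen(telemetry):
    """Tag every line; returns {line name: (tag, reasons)}."""
    return {t.name: check_line(t) for t in telemetry}


def usable_for_estimator(telemetry):
    """Names of the lines whose telemetry the State Estimator may use as-is."""
    return sorted(name for name, (tag, _) in screen(telemetry).items() if tag == "GOOD")


if __name__ == "__main__":
    for name, (tag, reasons) in screen(CONSTRUCTED_TELEMETRY).items():
        print(name, tag, "; ".join(reasons))
    print("usable:", usable_for_estimator(CONSTRUCTED_TELEMETRY))
```

The reasons travel with the tag on purpose: an operator (or the MMI agent) needs to see why a measurement was excluded, and a SUSPECT tag lets the estimator lower the weight of a measurement instead of throwing it away outright.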
US CANADA BLACK-OUT (Task Force Interim Report)
“2A) 14:14 EDT: FE alarm and logging software failed. Neither FE’s control room operators nor FE’s IT EMS support personnel were aware of the alarm failure.”
The alarm system of the FirstEnergy electrical company does not work correctly and the operators are not aware of this situation.
The Safeguard Correlator agent could detect failures inside the alarm system by correlating the sequences of signals flowing from RTUs towards the Control Centres.
CONCLUSIONS
• Increasing need to transform today’s centralised, dumb networks into something closer to smart, distributed control networks.
• Increasing need of intelligent data interpretation to capture novelties and provide operators with early warnings.
• Multi-agent system technology, combined with intelligent systems, can be used to automate the fault diagnosis activity and to support operators in the recovery policies.
• SAFEGUARD multi-agent system technology can work in an autonomous manner as an add-on system, the agents interacting both with their environment and with one another.
International Workshop on Complex Network and Infrastructure Protection CNIP 2006 March 28-29, 2006 - Rome, Italy http://ciip.casaccia.enea.it/cnip/