
Sandro Bologna ENEA – CAMO Modelling and Simulation Unit CR Casaccia, 00060 Roma

Safeguarding Information Intensive Critical Infrastructures against novel types of emerging failures. Sandro Bologna ENEA – CAMO Modelling and Simulation Unit CR Casaccia, 00060 Roma bologna@casaccia.enea.it


Presentation Transcript


  1. Safeguarding Information Intensive Critical Infrastructures against novel types of emerging failures. Sandro Bologna, ENEA – CAMO Modelling and Simulation Unit, CR Casaccia, 00060 Roma, bologna@casaccia.enea.it. Workshop on Safeguarding National Infrastructures: Integrated Approaches to Failure in Complex Networks, Glasgow, 25-26 August, 2005

  2. www.enea.it

  3. RISK based approach. $\text{Risk} = \dfrac{\text{Threat} \times \text{Vulnerabilities}}{\text{Countermeasures}} \times \text{Impact}$. Actors (environmental conditions, adversaries, insiders, terrorists, hackers…). Weaknesses magnify threat potential. Countermeasures reduce threat potential. Effects magnify the entire problem. Extension of the concept of Risk Assessments to Critical Infrastructure (originally elaborated from Manuel W. Wik “Revolution in Information Affairs”)

  4. RISK based approach. $\text{Risk} = \dfrac{\text{Threat} \times \text{Vulnerabilities}}{\text{Countermeasures}} \times \text{Impact}$. Actors (environmental conditions, adversaries, insiders, terrorists, hackers…). Weaknesses magnify threat potential. Countermeasures reduce threat potential. Effects magnify the entire problem. ENEA FaMoS MULTIMODELLING APPROACH FOR VULNERABILITY ANALYSIS AND ASSESSMENT. Extension of the concept of Risk Assessments to Critical Infrastructure (originally elaborated from Manuel W. Wik “Revolution in Information Affairs”)

  5. RISK based approach. $\text{Risk} = \dfrac{\text{Threat} \times \text{Vulnerabilities}}{\text{Countermeasures}} \times \text{Impact}$. Actors (environmental conditions, adversaries, insiders, terrorists, hackers…). Weaknesses magnify threat potential. Countermeasures reduce threat potential. Effects magnify the entire problem. ENEA SAFEGUARD approach to reduce threat potential against existing SCADA. Extension of the concept of Risk Assessments to Critical Infrastructure (originally elaborated from Manuel W. Wik “Revolution in Information Affairs”)

  6. Layered networks model (diagram). Layers: Organisational Infrastructure; Cyber-Infrastructure; Physical Infrastructure. Links: Inter-dependency; Intra-dependency.

  7. Three Layers Model for the Electrical Infrastructure (diagram). National Electrical Power Transmission Infrastructure: Electrical Power Operators (Independent System Operator for electricity planning and transmission); control and supervisory hardware/software components (SCADA/EMS systems); electrical components (generators, transformers, breakers, connecting cables, etc.). Other infrastructures shown: Foreign Electrical Transmission Infrastructure; Telecommunication Infrastructure; Oil/Gas Transport System Infrastructure. Links: Intra-dependency; Inter-dependency.

  8. US CANADA BLACK-OUT Power System Outage Task Force Interim Report

  9. General layout of typical control and supervisory infrastructure of the electrical grid (diagram). Two layers: Control and management layer (SCADA system); Physical electrical layer (high-medium voltage). Labels: CC; CNC; WAN (Wide Area Network); Area 1; Area 2; Area 3; SIA-R; SIA-C; Data management network; Remote Units; Data Concentrator; Control Centres; Loads; Generator; Substations; Physical Network.

  10. NEW VULNERABILITIES. Governments and industry organizations have recognized that all the automation systems collectively referred to as SCADA are potential targets of attack from hackers, disgruntled insiders, cyberterrorists, and others that want to disrupt national infrastructures. SCADA networks have moved from proprietary, closed networks to the arena of information technology, with all its cost and performance benefits and IT security challenges. A number of efforts are underway to retrofit security onto existing SCADA networks.

  11. NEW RISKS TO SCADA
      • Adoption of standardized technologies with known vulnerabilities
      • Connectivity of control systems to other networks
      • Constraints on the use of existing security technologies and practices due to the old technology used
      • Insecure remote connections
      • Widespread availability of technical information about control systems

  12. SCADA Security Incidents between 1995 and 2003 (source Eric Byres BCIT)

  13. SCADA Security Incidents by Type (source Eric Byres BCIT)

  14. SCADA External security incidents by entry point (source Eric Byres BCIT)

  15. SAFEGUARD ARCHITECTURE: Safeguard agent Architecture for Large Complex Critical Infrastructures (LCCIs) (diagram). High-level agents: Negotiation agent; MMI agent; Correlation agent; Action agent; Topology agent. Low-level agents: Diagnosis wrappers; Intrusion Detection wrappers; Hybrid Anomaly Detection agents; Actuators. Home LCCIs: Cyber Layer of Electricity Network. Other LCCIs: Foreign Electricity Networks; Telecommunication Networks. Protection scopes: Network global protection; Local nodes protection. Legend: Commands and information; Information only.

  16. SAFEGUARD ARCHITECTURE. At Level 1: identify component failure or attack in progress. Hybrid anomaly detection agents utilise algorithms specialised in detecting deviations from normality. Signature-based algorithms are used to classify failures based on accumulated functional behaviour. (Diagram labels: High-level agents: Negotiation agent; MMI agent. Low-level agents: Diagnosis wrappers; Intrusion Detection wrappers; Hybrid Anomaly Detection agents. Local nodes protection. Home LCCIs: Cyber Layer of Electricity Network. Legend: Commands and information; Information only.)

  17. SAFEGUARD ARCHITECTURE. At Level 2: correlate different kinds of information. Correlation and Topology agents correlate diagnosis. Action agent replaces functions of failed components. (Diagram labels: High-level agents: Correlation agent; Action agent; Topology agent. Low-level agents: Diagnosis wrappers; Intrusion Detection wrappers; Hybrid Anomaly Detection agents; Actuators. Local nodes protection. Home LCCIs: Cyber Layer of Electricity Network. Other LCCIs: Foreign Electricity Networks; Telecommunication Networks. Legend: Commands and information; Information only.)

  18. SAFEGUARD ARCHITECTURE: Safeguard agent Architecture for Large Complex Critical Infrastructures (LCCIs). At Level 3: operator decision support. The MMI agent supports the operator in the reconfiguration strategy. The Negotiation agent helps to negotiate recovery policies with other interdependent LCCIs. (Diagram labels: High-level agents: Negotiation agent; MMI agent; Correlation agent; Action agent; Topology agent. Low-level agents: Diagnosis wrappers; Intrusion Detection wrappers; Hybrid Anomaly Detection agents; Actuators. Home LCCIs: Cyber Layer of Electricity Network. Other LCCIs: Foreign Electricity Networks; Telecommunication Networks. Protection scopes: Network global protection; Local nodes protection. Legend: Commands and information; Information only.)

  19. An example of Safeguard Agents (diagram). Labels: High-level agents; Other LCCIs; MMI; Negotiation agent; Topology agent; Correlation agent; Action agent0; Correlation agent(s); Action agent(s); Low-level agents; EDHD; ECHD; DMA; Wrapper agents; Hybrid detector agents; Actuator(s); Home LCCI.

  20. Event Course Hybrid Detection agent (diagram). Labels: High-level agents; Other LCCIs; MMI; Negotiation agent; Topology agent; Correlation agent; Action agent0; Correlation agent(s); Action agent(s); Low-level agents; EDHD; ECHD; DMA; Wrapper agents; Hybrid detector agents; Actuator(s); Home LCCI.

  21. ECHD (Event Course Hybrid Detector) Agent: Prologue
      • The Event Course Hybrid Detector extracts information about a process from the sequences of events that the process generates.
      • It may or may not recognise a sequence of events; the sequences it knows are learned partly from information supplied by the expert of the process and partly in an on-field training phase.
      • When it recognises a sequence, it also associates an anomaly level with the sequence (timing discordance from the learned one).

  22. SCADA System Configuration for the Italian Transmission Electrical Network (GRTN-ABB) (diagram with four ECHD labels)

  23. RECOGNISING A PROCESS FROM THE SEQUENCE OF EVENTS IT PRODUCES. SCADA system is instrumented with “Sensors”. (Diagram: start processing of a Telemeasure (t0), followed by events E(t1), E(t2), E(t3), E(t4), E(t5), E(t6).)

  24. Data Mining Agent (diagram). Labels: High-level agents; Other LCCIs; MMI; Negotiation agent; Topology agent; Correlation agent; Action agent0; Correlation agent(s); Action agent(s); Low-level agents; EDHD; ECHD; DMA; Wrapper agents; Hybrid detector agents; Actuator(s); Home LCCI.

  25. DMA (Data Mining) Agent: Prologue
      • Data Mining is the extraction of implicit, previously unknown, and potentially useful information from data.
      • A Data Miner is a computer program that sniffs through data seeking regularities or patterns.
      • Obstacles: noise (the agent intercepts, without distinction, everything that happens on the network) and computational complexity (as a consequence, permanent monitoring of the traffic is not possible, so as not to jeopardize SCADA functionality).

  26. SCADA System Configuration for the Italian Transmission Electrical Network (GRTN-ABB) (diagram with two DMA labels)

  27. DMA (Data Mining) Agent: Use of Data Mining techniques in the Safeguard project
      • DMA observes the TCP packets flowing through the port used by the message broker of the SCADA system emulator.
      • After a learning phase, DMA should be able to discriminate between normal packet sequences and anomalous ones, raising an alarm in the latter case.

  28. Safeguard agents. The Safeguard approach (a middleware on top of existing SCADA systems, or just a retrofitted add-on device to the existing SCADA)

  29. RETROFITTED ADD-ON SOLUTION: Safeguarding SCADA Systems (diagram). Labels: SCADA System; RTU (Remote Terminal Unit), three instances; Safe Bus; Safe Bus API Interface; Correlators; Actuators; Anomaly Detectors.

  30. RETROFITTED ADD-ON SOLUTION: Safeguarding SCADA Systems. Utilities have significant investment in SCADA equipment. SCADA and similar control equipment are designed to have significant lifetimes. Protection mechanisms should not be developed that require major replacement of existing equipment in the near term. (Diagram labels: SCADA System; RTU (Remote Terminal Unit), three instances; Safe Bus; Safe Bus API Interface; Correlators; Actuators; Anomaly Detectors.)

  31. RETROFITTED ADD-ON SOLUTION: Safeguarding SCADA Systems. Because of the limited capabilities of the SCADA processors, protection mechanisms should be implemented as a retrofitted add-on device. (Diagram labels: SCADA System; RTU (Remote Terminal Unit), three instances; Safe Bus; Safe Bus API Interface; Correlators; Actuators; Anomaly Detectors.)

  32. RETROFITTED ADD-ON SOLUTION: Safeguarding SCADA Systems. SCADA systems are designed for frequent (near real-time) status updates. Protection mechanisms should not reduce the performance (reading frequency, transmission delay, computation) below an acceptable level. (Diagram labels: SCADA System; RTU (Remote Terminal Unit), three instances; Safe Bus; Safe Bus API Interface; Correlators; Actuators; Anomaly Detectors.)

  33. HOW SAFEGUARD MIGHT SUPPORT MANAGING MAJOR SYSTEMS OUTAGE

  34. ITALY BLACK-OUT: NETWORK STATE OVERVIEW & ROOT CAUSES (From UCTE Interim Report). Event tree from UCTE report (diagram). Labels: Pre-incident network in n-1 secure state; Island operations fails due to unit tripping; 24 minutes; 1-2 minutes.

  35. ITALY BLACK-OUT: NETWORK STATE OVERVIEW & ROOT CAUSES (From UCTE Interim Report). In the SAFEGUARD system, the Correlator agent intercepts anomalies and failures inside the sequence of events and the Action agent tries to re-execute the unsuccessful commands. (Diagram labels: Pre-incident network in n-1 secure state; Island operations fails due to unit tripping.)

  36. NETWORK STATE OVERVIEW & ROOT CAUSES (From UCTE Interim Report). SAFEGUARD might help to recognize the anomaly state and call for adequate countermeasures. (Diagram labels: Pre-incident network in n-1 secure state; Island operations fails due to unit tripping.)

  37. COORDINATION PROBLEMS BETWEEN SYSTEM OPERATORS (From UCTE Interim Report): In this specific case ETRANS needs as corrective measures which are necessary to comply with the N-1 rule, also action to be undertaken in the Italian system. This was confirmed by the check list available to the ETRANS operators, which explicitly mentions that, in case of loss of Mettlen-Lavorgo, the operator should call GRTN, inform GRTN about the loss of the line, request for the pumping to be shut down, generation to be increased in Italy. This clause is mentioned in Italian on the ETRANS checklist for this incident.

  38. SAFEGUARD makes available a Negotiation Agent in charge of coordination among different operators. (From UCTE Interim Report): In this specific case ETRANS needs as corrective measures which are necessary to comply with the N-1 rule, also action to be undertaken in the Italian system. This was confirmed by the check list available to the ETRANS operators, which explicitly mentions that, in case of loss of Mettlen-Lavorgo, the operator should call GRTN, inform GRTN about the loss of the line, request for the pumping to be shut down, generation to be increased in Italy. This clause is mentioned in Italian on the ETRANS checklist for this incident.

  39. US CANADA BLACK-OUT Power System Outage Task Force Interim Report

  40. US CANADA BLACK-OUT. The “State Estimation” tool does not work in the regular way because a critical piece of information (a line connection status) is not correctly acquired by the SCADA system. The data used by the State Estimator could be corrupted by an attack or by a fault inside the SCADA system. On August 14 at about 12:15 EDT, MISO’s state estimator produced a solution with a high mismatch (outside the bounds of acceptable error). This was traced to an outage of Cinergy’s Bloomington-Denois Creek 230-kV line—although it was out of service, its status was not updated in MISO’s state estimator.

  41. US CANADA BLACK-OUT (Task Force Interim Report). A SAFEGUARD anomaly detection agent has the duty to verify the correctness level of the data that must be used by the State Estimator. If the State Estimation tool knows which data can be considered “good” or “bad”, it can provide a more correct state of the network.

  42. US CANADA BLACK-OUT. 2A) 14:14 EDT: FE alarm and logging software failed. Neither FE’s control room operators nor FE’s IT EMS support personnel were aware of the alarm failure. The alarm system of the FirstEnergy electrical company doesn’t work correctly and the operators are not aware of this situation.

  43. US CANADA BLACK-OUT (Task Force Interim Report). 2A) 14:14 EDT: FE alarm and logging software failed. Neither FE’s control room operators nor FE’s IT EMS support personnel were aware of the alarm failure. The Safeguard Correlator agent could detect failures inside the alarm system by correlating the sequences of signals flowing from RTUs towards Control Centres.

  44. CONCLUSIONS. INCREASING NEED TO TRANSFORM TODAY’S CENTRALISED, DUMB NETWORKS INTO SOMETHING CLOSER TO SMART, DISTRIBUTED CONTROL NETWORKS. INCREASING NEED OF INTELLIGENT DATA INTERPRETATION TO CAPTURE NOVELTIES AND PROVIDE OPERATORS WITH EARLY WARNINGS. MULTI-AGENT SYSTEM TECHNOLOGY, COMBINED WITH INTELLIGENT SYSTEMS, CAN BE USED TO AUTOMATE THE FAULT DIAGNOSIS ACTIVITY AND TO SUPPORT OPERATORS IN THE RECOVERY POLICIES. SAFEGUARD MULTI-AGENT SYSTEM TECHNOLOGY CAN WORK IN AN AUTONOMOUS MANNER AS AN ADD-ON SYSTEM, WITH AGENTS INTERACTING BOTH WITH THEIR ENVIRONMENT AND WITH ONE ANOTHER.

  45. International Workshop on Complex Network and Infrastructure Protection CNIP 2006 March 28-29, 2006 - Rome, Italy http://ciip.casaccia.enea.it/cnip/
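
The ECHD behaviour described on slides 21 and 23 (recognise a learned course of events, then score its timing discordance), as an added example that is not Safeguard project code. The event names, millisecond offsets, the deviation-over-spread anomaly level and the threshold of 3.0 are assumptions made for illustration, and all traces are constructed.

```python
from statistics import mean, pstdev

# Expert-supplied part (assumed): ordered events one telemeasure produces after t0.
EXPECTED = ["E1", "E2", "E3", "E4", "E5", "E6"]
THRESHOLD = 3.0  # assumed alarm threshold, in learned standard deviations

def make_trace(offsets_ms):
    """Build a trace [(event, ms since t0), ...] from a list of offsets."""
    return list(zip(EXPECTED, offsets_ms))

def learn(runs, expected=EXPECTED):
    """On-field training: per-event mean and spread of the offset from t0."""
    good = [r for r in runs if [e for e, _ in r] == expected]
    model = []
    for i, name in enumerate(expected):
        offsets = [r[i][1] for r in good]
        # Floor the spread so a perfectly regular event cannot divide by zero.
        model.append((name, mean(offsets), max(pstdev(offsets), 1.0)))
    return model

def recognise(model, observed):
    """Return (recognised, anomaly_level); level is the worst timing discordance."""
    if [e for e, _ in observed] != [name for name, _, _ in model]:
        return False, None  # unknown course of events
    level = max(abs(t - mu) / sd for (_, t), (_, mu, sd) in zip(observed, model))
    return True, level

def classify(model, observed, threshold=THRESHOLD):
    """Map a trace to 'normal', 'anomalous timing' or 'unknown sequence'."""
    recognised, level = recognise(model, observed)
    if not recognised:
        return "unknown sequence"
    return "anomalous timing" if level > threshold else "normal"

# Constructed training traces (ms after t0), standing in for the training phase.
TRAINING = [make_trace([10, 20, 30, 40, 50, 60]),
            make_trace([12, 22, 32, 42, 52, 62]),
            make_trace([8, 18, 28, 38, 48, 58])]
MODEL = learn(TRAINING)

# Constructed observations: on time, E4 onwards delayed, and E3/E4 swapped.
ON_TIME = make_trace([11, 21, 31, 41, 51, 61])
DELAYED = make_trace([10, 20, 30, 95, 105, 115])
SWAPPED = [("E1", 10), ("E2", 20), ("E4", 30), ("E3", 40), ("E5", 50), ("E6", 60)]

if __name__ == "__main__":
    for label, trace in [("on time", ON_TIME), ("delayed", DELAYED), ("swapped", SWAPPED)]:
        print(label, "->", classify(MODEL, trace), recognise(MODEL, trace)[1])
```

An unrecognised sequence and a recognised but late sequence are reported separately, so a correlating component can treat a reordered event stream differently from a slow one.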
