Safeguarding Information Intensive Critical Infrastructures against novel types of emerging failures

Sandro Bologna
ENEA – CAMO Modelling and Simulation Unit, CR Casaccia, 00060 Roma
[email protected]
www.enea.it

Workshop on Safeguarding National Infrastructures: Integrated Approaches to Failure in Complex Networks, Glasgow, 25-26 August, 2005

RISK based approach

Risk = (Threat x Vulnerabilities x Impact) / Countermeasures

- Threat: actors (environmental conditions, adversaries, insiders, terrorists, hackers…).
- Vulnerabilities: weaknesses magnify the threat potential.
- Impact: effects magnify the entire problem.
- Countermeasures reduce the threat potential.

Extension of the concept of risk assessment to critical infrastructure (originally elaborated from Manuel W. Wik, “Revolution in Information Affairs”).

Where the ENEA work sits in this formula:
- Vulnerabilities: the ENEA FaMoS multimodelling approach for vulnerability analysis and assessment.
- Countermeasures: the ENEA SAFEGUARD approach to reduce the threat potential against existing SCADA.

Layered networks model

Three layers: Organisational Infrastructure, Cyber Infrastructure, Physical Infrastructure. Intradependency links nodes within one layer; interdependency links the layers to each other and to other infrastructures.

Three Layers Model for the Electrical Infrastructure (figure)
- Organisational layer: Electrical Power Operators; Independent System Operator for electricity planning and transmission.
- Cyber layer: control and supervisory hardware/software components (SCADA/EMS systems).
- Physical layer: electrical components (generators, transformers, breakers, connecting cables etc.).
- Interdependencies with: Telecommunication Infrastructure, National Electrical Power Transmission Infrastructure, Foreign Electrical Transmission Infrastructure, Oil/Gas Transport System Infrastructure.
(Reference on the slide: US CANADA BLACK-OUT, Power System Outage Task Force Interim Report.)

General layout of typical control and supervisory infrastructure of the electrical grid (figure)
- Control and management layer (SCADA system): CNC, Control Centres (CC), SIA-C and SIA-R units linked over a WAN (Wide Area Network) across Area 1, Area 2 and Area 3.
- Physical electrical layer (high-medium voltage).
- Other figure labels: Data management network, Remote Units, Physical Network, Substations, Control Centres, Loads, Data Concentrator, Generator.

NEW VULNERABILITIES
- Governments and industry organizations have recognized that all the automation systems collectively referred to as SCADA are potential targets of attack from hackers, disgruntled insiders, cyberterrorists, and others that want to disrupt national infrastructures.
- SCADA networks have moved from proprietary, closed networks to the arena of information technology, with all its cost and performance benefits and IT security challenges.
- A number of efforts are underway to retrofit security onto existing SCADA networks.

NEW RISKS TO SCADA
1. Adoption of standardized technologies with known vulnerabilities
2. Connectivity of control systems to other networks
3. Constraints on the use of existing security technologies and practices due to the old technology used
4. Insecure remote connections
5. Widespread availability of technical information about control systems

SCADA Security Incidents between 1995 and 2003 (chart; source Eric Byres, BCIT)
SCADA Security Incidents by Type (chart; source Eric Byres, BCIT)
SCADA External Security Incidents by Entry Point (chart; source Eric Byres, BCIT)

SAFEGUARD ARCHITECTURE
Safeguard agent architecture for Large Complex Critical Infrastructures (LCCIs) (figure)
- Low-level agents (local nodes protection), sitting on the cyber layer of the electricity network: Diagnosis wrappers, Intrusion Detection wrappers, Hybrid Anomaly Detection agents, Actuators.
- High-level agents (network global protection): Negotiation agent, Correlation agent, Topology agent, MMI agent, Action agent.
- External parties: other LCCIs, Foreign Electricity Networks, Telecommunication Networks.
- Links carry either commands and information, or information only.

At level 1: identify component failure or attack in progress. Hybrid anomaly detection agents utilise algorithms specialised in detecting deviations from normality. Signature-based algorithms are used to classify failures based on accumulated functional behaviour.
At level 2: correlate different kinds of information. The Correlation and Topology agents correlate the diagnoses coming from the low-level agents; the Action agent replaces the functions of failed components.

At level 3: operator decision support. The MMI agent supports the operator in the reconfiguration strategy; the Negotiation agent supports the negotiation of recovery policies with other interdependent LCCIs.

An example of Safeguard Agents (figure)
- Home LCCI, low-level agents: Wrapper agents, ECHD (Event Course Hybrid Detector) agents, DMA (Data Mining) agents, hybrid detector agent(s), Actuator(s).
- Home LCCI, high-level agents: Negotiation agent, Topology agent, Correlation agent(s), Action agent(s), MMI.
- Other LCCIs.

ECHD (Event Course Hybrid Detector) Agent - Prologue
The Event Course Hybrid Detector extracts information about a certain process from the sequences of events generated by that process. It can recognise (or fail to recognise) sequences of events that it has learned, partly from information captured by the expert of the process and partly during an on-field training phase. When it recognises a sequence it also associates an anomaly level with the sequence (timing discordance from the learned one).

SCADA System Configuration for the Italian Transmission Electrical Network (GRTN-ABB), with ECHD agents deployed (figure).

Recognising a process from the sequence of events it produces (figure)
The SCADA system is instrumented with “sensors”. Processing of a telemeasure starts at t0; the sensors then observe the event course E(t1), E(t2), E(t3), E(t4), E(t5), E(t6).

DMA (Data Mining) Agent - Prologue
Data mining is the extraction of implicit, previously unknown, and potentially useful information from data. A data miner is a computer program that sniffs through data seeking regularities or patterns.
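As an added illustration of the ECHD idea described above (not SAFEGUARD code; the course name, event names, timings and the jitter-based anomaly score are all constructed for this example), a small Python recogniser that takes expert-defined event courses, learns their timing from on-field traces, and returns an anomaly level for the timing discordance of a new trace:

```python
from statistics import mean, pstdev

class EventCourseDetector:
    """Learns event courses (ordered events with offsets from the start event t0)
    and recognises them in new traces, scoring timing discordance.
    Illustrative reconstruction; the real ECHD internals are not on the page."""

    def __init__(self, expert_courses, floor=0.02):
        # Expert knowledge: course name -> ordered tuple of event names (no timings yet).
        self.courses = {n: tuple(s) for n, s in expert_courses.items()}
        self.samples = {n: [] for n in expert_courses}  # on-field timing samples
        self.floor = floor  # minimum tolerated jitter (seconds); avoids dividing by ~0

    @staticmethod
    def _offsets(trace):
        t0 = trace[0][1]
        return [t - t0 for _, t in trace]

    def classify(self, trace):
        """Return the course whose event order matches the trace, else None."""
        seq = tuple(e for e, _ in trace)
        return next((n for n, c in self.courses.items() if c == seq), None)

    def train(self, trace):
        """On-field training phase: record the timings of a known-good trace."""
        name = self.classify(trace)
        if name is None:
            raise ValueError("trace matches no expert-defined course")
        self.samples[name].append(self._offsets(trace))

    def recognise(self, trace):
        """Return (course, anomaly level) or (None, None) when not recognised.
        Level = worst per-step timing deviation in units of the learned jitter."""
        name = self.classify(trace)
        if name is None or not self.samples[name]:
            return None, None
        level = 0.0
        for i, obs in enumerate(self._offsets(trace)[1:], start=1):
            col = [s[i] for s in self.samples[name]]
            level = max(level, abs(obs - mean(col)) / max(pstdev(col), self.floor))
        return name, round(level, 2)

# Constructed sample: a telemeasure-processing course; event names and
# timings are invented for this illustration.
TELEMEASURE = ("TM_RECEIVED", "VALIDATED", "DB_UPDATED", "DISPLAY_REFRESHED")

def build_demo_detector():
    det = EventCourseDetector({"telemeasure": TELEMEASURE})
    for offs in ([0, 0.05, 0.12, 0.30], [0, 0.06, 0.13, 0.32], [0, 0.04, 0.11, 0.28]):
        det.train(list(zip(TELEMEASURE, offs)))
    return det

if __name__ == "__main__":
    det = build_demo_detector()
    print(det.recognise(list(zip(TELEMEASURE, [100.0, 100.05, 100.12, 100.31]))))
    print(det.recognise(list(zip(TELEMEASURE, [200.0, 200.05, 200.12, 203.0]))))
```

A trace with the learned order but a 3 s delay on the last event is still recognised, only with a high anomaly level; a trace with the events in a different order is not recognised at all.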
Obstructions: noise (the agent intercepts, without distinction, everything that happens on the network) and computational complexity (as a consequence, permanent monitoring of the traffic is impossible without jeopardising SCADA functionality).

SCADA System Configuration for the Italian Transmission Electrical Network (GRTN-ABB), with DMA agents deployed (figure).

DMA (Data Mining) Agent - use of data mining techniques in the Safeguard project
The DMA observes the TCP packets flowing on the port used by the message broker of the SCADA system emulator. After a learning phase, the DMA should be able to discriminate between normal packet sequences and anomalous ones, raising an alarm in the latter case.

The Safeguard approach: a middleware on top of existing SCADA systems, or just a retrofitted add-on device to the existing SCADA (figure: Safeguard agents).

RETROFITTED ADD-ON SOLUTION
Figure “Safeguarding SCADA Systems”: the SCADA system and its RTUs (Remote Terminal Units) are each attached through a Safe Bus API Interface to a Safe Bus, on which the Anomaly Detectors, Correlators and Actuators sit.
- Utilities have significant investment in SCADA equipment. SCADA and similar control equipment are designed to have significant lifetimes. Protection mechanisms should not be developed that require major replacement of existing equipment in the near term.
- Because of the limited capabilities of the SCADA processors, protection mechanisms should be implemented as a retrofitted add-on device.
- SCADA systems are designed for frequent (near real-time) status updates. Protection mechanisms should not reduce the performance (reading frequency, transmission delay, computation) below an acceptable level.

HOW SAFEGUARD MIGHT SUPPORT MANAGING MAJOR SYSTEMS OUTAGE

ITALY BLACK-OUT - NETWORK STATE OVERVIEW & ROOT CAUSES (event tree from the UCTE Interim Report; recoverable labels: pre-incident network in n-1 secure state; 1-2 minutes; 24 minutes; island operation fails due to unit tripping)
- In the SAFEGUARD system the Correlator agent intercepts anomalies and failures inside the sequence of events, and the Action agent tries to re-execute the unsuccessful commands.
- SAFEGUARD might help to recognise the anomaly state and call for adequate countermeasures.

COORDINATION PROBLEMS BETWEEN SYSTEM OPERATORS
From the UCTE Interim Report: “In this specific case ETRANS needs as corrective measures which are necessary to comply with the N-1 rule, also action to be undertaken in the Italian system. This was confirmed by the check list available to the ETRANS operators, which explicitly mentions that, in case of loss of Mettlen-Lavorgo, the operator should call GRTN, inform GRTN about the loss of the line, request for the pumping to be shut down, generation to be increased in Italy. This clause is mentioned in Italian on the ETRANS checklist for this incident.”
- SAFEGUARD makes available a Negotiation Agent in charge of coordination among different operators.

US CANADA BLACK-OUT (Power System Outage Task Force Interim Report)
The “State Estimation” tool does not work in the regular way because a critical piece of information (a line connection status) is not correctly acquired by the SCADA system. The data used by the State Estimator could be corrupted by an attack or by a fault inside the SCADA system.
From the Task Force Interim Report: “On August 14 at about 12:15 EDT, MISO’s state estimator produced a solution with a high mismatch (outside the bounds of acceptable error). This was traced to an outage of Cinergy’s Bloomington-Denois Creek 230-kV line—although it was out of service, its status was not updated in MISO’s state estimator.”
- A SAFEGUARD anomaly detection agent has the duty to verify the correctness level of the data that must be used by the State Estimator. If the State Estimation tool knows what data can be considered “good” or “bad”, it has the capability to furnish a more correct state of the network.
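As an added example of the data-quality check the anomaly detection agent is described as performing (not SAFEGUARD code; the record layout, the thresholds, the extra “suspect” grade and every sample value are constructed for this illustration), tagging line telemetry before it reaches the state estimator, so that a stale or self-contradicting line status is not silently trusted:

```python
from dataclasses import dataclass

@dataclass
class LineTelemetry:
    """One transmission line as seen by SCADA (constructed record layout)."""
    line: str
    in_service: bool          # connection status as reported to the estimator
    status_age: float         # seconds since the status was last refreshed
    flow_mw: float            # measured active power on the line
    flow_age: float           # seconds since the flow measurement was refreshed

def assess(t, max_age=60.0, flow_eps=1.0):
    """Tag a record 'good', 'suspect' or 'bad' and list the reasons found.
    'bad' = stale or self-contradicting data the estimator should not trust;
    'suspect' = consistent but worth a second look (a lightly loaded line is
    legitimate, but an unreported outage looks exactly the same)."""
    bad, suspect = [], []
    if t.status_age > max_age:
        bad.append("status stale")
    if t.flow_age > max_age:
        bad.append("flow stale")
    if not t.in_service and abs(t.flow_mw) >= flow_eps:
        bad.append("out of service but carrying flow")
    if t.in_service and abs(t.flow_mw) < flow_eps:
        suspect.append("in service but no flow")
    if bad:
        return "bad", bad + suspect
    if suspect:
        return "suspect", suspect
    return "good", []

def tag_for_estimator(records):
    """Quality map the state estimator can use to weight or drop measurements."""
    return {r.line: assess(r) for r in records}

# Constructed sample snapshot (all names and values invented for this example).
SNAPSHOT = [
    LineTelemetry("LINE_A", True, 10.0, 120.0, 5.0),   # healthy
    LineTelemetry("LINE_B", True, 700.0, 0.0, 5.0),    # status never refreshed, no flow
    LineTelemetry("LINE_C", False, 5.0, 80.0, 4.0),    # status contradicts measurement
    LineTelemetry("LINE_D", True, 5.0, 0.2, 4.0),      # lightly loaded, or silently out
]

if __name__ == "__main__":
    for line, (quality, reasons) in tag_for_estimator(SNAPSHOT).items():
        print(line, quality, reasons)
```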
US CANADA BLACK-OUT (Task Force Interim Report)
From the Task Force Interim Report: “2A) 14:14 EDT: FE alarm and logging software failed. Neither FE’s control room operators nor FE’s IT EMS support personnel were aware of the alarm failure.”
The alarm system of the FirstEnergy electrical company does not work correctly and the operators are not aware of this situation.
- The Safeguard Correlator agent could detect failures inside the alarm system by correlating the sequences of signals flowing from the RTUs towards the Control Centres.

CONCLUSIONS
- INCREASING NEED TO TRANSFORM TODAY’S CENTRALISED, DUMB NETWORKS INTO SOMETHING CLOSER TO SMART, DISTRIBUTED CONTROL NETWORKS.
- INCREASING NEED OF INTELLIGENT DATA INTERPRETATION TO CAPTURE NOVELTIES AND PROVIDE OPERATORS WITH EARLY WARNINGS.
- MULTI-AGENT SYSTEM TECHNOLOGY, COMBINED WITH INTELLIGENT SYSTEMS, CAN BE USED TO AUTOMATE THE FAULT DIAGNOSIS ACTIVITY AND TO SUPPORT OPERATORS IN THE RECOVERY POLICIES.
- SAFEGUARD MULTI-AGENT SYSTEM TECHNOLOGY CAN WORK IN AN AUTONOMOUS MANNER AS AN ADD-ON SYSTEM, THE AGENTS INTERACTING BOTH WITH THEIR ENVIRONMENT AND WITH ONE ANOTHER.

International Workshop on Complex Network and Infrastructure Protection, CNIP 2006, March 28-29, 2006 - Rome, Italy
http://ciip.casaccia.enea.it/cnip/