Page 1

Automation, Process Control and SCADA Systems in Critical Infrastructures – Future Threats and Requirements

Hans Honecker
Federal Office for Information Security

SCADA and Process Control Security Summit, 8/9 September 2008

Page 2

H. Honecker 8/9 September 2008 Slide 2

Contents

- The BSI
- Critical Infrastructures and Critical Processes
- Critical Processes and IT-based automation technologies
- Future Threats
- Future Requirements
- Transfer to other IT-supported technology areas
- Conclusions

Page 3

Brief Introduction

Federal Office for Information Security (BSI)

- The BSI at a glance
- Focus of activities
- Co-operations

Page 4

The BSI at a Glance

- Independent and neutral authority for IT security
- High level federal public agency within the area of responsibility of the Federal Ministry for the Interior
- Founded in 1991; unique as a public agency in comparison to other European establishments
- Staff: around 500 employees
- Budget: 60 million €

Page 5

Focus of Activities

- Internet security
- Secure e-government
- IT baseline protection
- National / international security co-operation
- Cryptographic innovation
- Biometrics
- Security from eavesdropping
- Awareness campaign on IT security
- Certification and approval
- Protection of critical infrastructures

Page 6

Contents

- The BSI
- Critical Infrastructures and Critical Processes
- Critical Processes and IT-based automation technologies
- Future Threats
- Future Requirements
- Transfer to other IT-supported technology areas
- Conclusions

Page 7

Critical Infrastructures ...

Critical Infrastructures are organisations and facilities of major importance to the community whose failure or impairment would cause

- a sustained shortage of supplies,
- significant disruptions to public order, or
- other dramatic consequences

(2006)

In short: Critical infrastructures provide indispensable and essential goods and services to society and economy.

Page 8

Critical Infrastructure Sectors

1. Transportation
2. Energy
3. Hazardous materials
4. IT and telecommunications
5. Finance and insurance
6. Services (incl. health care, emergency and rescue services)
7. Public administration and justice system
8. Other (e.g. media, buildings)

Page 9

Overall Experience: „Pizza Otto Stagioni“

[Figure: the eight critical infrastructure sectors shown as the slices of one pizza: Energy; IT and Telecommunications; Finance and Insurance; Transportation; Services; Hazardous Materials; Public Administration; Other]

Page 10

... and Critical Processes

Critical Infrastructures provide indispensable and essential goods and services to society and economy ... by running Critical Processes. These processes are

- indispensable for society and economy
- heavily (and growing) interdependent and complex
- at risk by
  - technical or human failure
  - natural disaster
  - attacks
  - breakdown or failure of critical processes of other infrastructures

Page 11

Interdependent Processes / Infrastructure Sectors

[Figure: interdependencies between the processes of the infrastructure sectors: IT and telecommunications; other; finance and insurance; transportation; public administration, justice; hazardous materials; energy; services and supply]

Page 12

Interdependent Processes / Infrastructure Sectors

[Figure, continued: the same sector diagram as on slide 11 (IT and telecommunications; other; finance and insurance; transportation; public administration, justice; hazardous materials; energy; services and supply)]

Page 13

... and Critical Processes

Critical infrastructures provide indispensable and essential goods and services to society and economy ... by running Critical Processes. These processes are

- indispensable for society and economy
- heavily (and growing) interdependent (through their process infrastructure)
- at growing risk by
  - technical or human failure
  - natural disaster
  - attacks
  - breakdown or failure of critical processes of other infrastructures

Critical Processes need to be kept robust and resilient

Page 14

Contents

- The BSI
- Critical Infrastructures and Critical Processes
- Critical Processes and IT-based automation technologies
- Future Threats
- Future Requirements
- Transfer to other IT-supported technology areas
- Conclusions

Page 15

Critical Processes and IT-based Automation Technologies (1)

Holistic approach necessary

- All critical processes dealing with physical process objects use automation, process control and/or SCADA technologies (we will use “SCADA” for all three in this talk) [SCADA = Supervisory Control And Data Acquisition]
- All critical processes depend on electricity (most of them very directly), which in turn depends on “SCADA” technology
- “SCADA” technologies serve as the “archetype” for the discussion of challenges on the process and infrastructure layers and of proposals for future developments

Critical processes need to be kept robust and resilient...

Page 16

Critical Processes and IT-based Automation Technologies (2)

“SCADA” technologies are present in

- electricity generation and distribution
- gas and water supply
- many process infrastructures of other critical infrastructures

used in a wide range and on different layers of processes

- production processes
- distribution processes
- control processes

with extremely different process objects

- tangible goods
- energy (electricity, gas, oil, ...)
- measurement data, information, ...

AND make extensive use of components based on information technology

Page 17

IT-based Automation (“SCADA”) Technologies: Operating Conditions ... compared to standard information technology

| IT-based Automation Technology | Standard Information Technology (local use) |
|---|---|
| Continuous operation | Operation during business hours |
| Top priority for availability | Top priority for confidentiality and integrity |
| (Physical) process has priority | Information security has priority |
| Patching difficult or impossible | Patching “state of the art” |
| Specialised IT serves to control physical processes | Standardised IT serves to process data and information |

Page 18

Contents

- The BSI
- Critical Infrastructures and Critical Processes
- Critical Processes and IT-based automation technologies
- Future Threats
- Future Requirements
- Transfer to other IT-supported technology areas
- Conclusions

Page 19

Future Threats

To be considered for planning of, building or rebuilding CI (Critical Infrastructures); important from the viewpoint of CI Protection (CIP) (possible consequences of failures or malfunctions):

- growing interconnection between process infrastructures of the same type (e.g. electricity distribution grids)
- increasing dependencies and interdependencies of different critical processes
- increasing complexity of critical processes

DISCLAIMER: We do not (or less) consider current threats (in this talk!). We assume state of the art (2008) IT security implemented.

Page 20

Category: Technical Failures and Human Errors

Technical failures / malfunctions in general:

- Malfunctions of process specific “IT” can totally screw up processes (e.g. hardware, software or configuration errors). Example: Programming errors in a DCS added to the heaviness of the US Blackout 2003
- Malfunctions on the network layer endanger process infrastructures (be it malfunctions specific to “SCADA” or not)
- Side effects (e.g. “reduced functionality modes” on any layer)
- Backfiring patches or updates (if patching feasible at all)

Human errors:

- Operating errors. Example (continued): Human errors also added to the heaviness of the US Blackout 2003. Example: Human errors added to the EU Blackout November 2006

Page 21

Category: Disasters and Natural Phenomena

- Increase in number and weight / heaviness
- Side effects with cumulative impact, e.g. long lasting heat and drought: cooling problems in energy generation and in operation of IT, shortage in energy supply AND higher demand
- Flooding, earthquakes, volcanoes ... e.g. Japanese nuclear power plant; Yellowstone National Park? Maria Laach?
- Far-fetched threats? E.g., what about solar activity? What about a “direct hit” by a solar storm?
  - Loss of communication means (satellite and terrestrial communication)?
  - Loss or temporary unavailability of the electricity grid?

Page 22

Category: Attacks

Risk of external cyber attacks

- hacking (e.g. successful external pen test of a US-based electricity provider straight through into the control system)
- attacks by Trojan horses
  - targeted to the Process Control Network (PCN): worst, if successful
  - untargeted: high risk of collateral damage
- attacks through maintenance channels (notebooks, connections)
- collateral damage of untargeted attacks

Risk of internal attacks

- disgruntled employees, subcontractors or maintenance personnel
- attacks through hacked systems of process partners
- backdoors on “SCADA”, network, or server hardware layer
- side effects of security testing

Page 23

Category: Dependencies

Reminder: Critical Processes need to be kept robust and resilient

Critical Processes depend on other Critical Processes

- all: on energy, information and telecommunications processes
- many: on financial processes, transportation processes
- almost all: on some interconnected processes on the process layer

? Can today’s Critical Processes sufficiently handle malfunctions or failures of processes they depend on?

Critical Processes should handle dependency issues

- run core functionality as long as possible (graceful degradation)
- swiftly recover full functionality after failures in connected processes

Page 24

Contents

- The BSI
- Critical Infrastructures and Critical Processes
- Critical Processes and IT-based automation technologies
- Future Threats
- Future Requirements
- Transfer to other IT-supported technology areas
- Conclusions

Page 25

Future Requirements (all Layers)

New or further development of technologies for use in CI. Aspects to be considered at all layers of technology and integration technologies:

- long term maintenance and service; open migration paths
- robustness and resilience as important design criteria
- options for minimisation (for security issues and for ...)
- inbuilt graceful degradation (keep up core functionality)
- minimisable energy consumption (to operate during blackouts)
- avoid functionality which can endanger process and automation infrastructures or does not contribute to the process
- explicit suitability for specific use in Critical Processes and automation infrastructures (at least qualified by manufacturers)

Page 26

Future Requirements

Layers of technology to be considered for future use of “SCADA” technologies in Critical Process Infrastructures:

- process specific applications and application software
- standard software (databases, analysis, visualisation, ...)
- operating systems (on servers, terminals, process specific hardware, ...)
- hardware (servers, terminals, process specific, ...)
- network technology and architecture
- organisation and process architecture (not discussed further; many efforts have to be mirrored on the organisational layer, and some processes might gracefully degrade to manual operation or organisationally driven process backups)

Page 27

Future Requirements: Application Layer

Process specific applications and application software should

- be largely platform independent (with regard to operating systems and database layer)
- ensure robustness and resilience of processes, inter alia against failures or malfunctions
- provide modes for operation during crisis or under extreme conditions (graceful degradation)
- completely document any communication relationship needed or used by the application
- be open to independent analysis of security, safety and correctness (in particular with regard to availability)
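What "graceful degradation" and "swift recovery" (slide 23) mean for an application in code form: the following Python is an added example, not part of the BSI slides. It models a controller whose setpoint normally comes from a supervisory process it depends on; when that dependency disappears or returns implausible values, the controller keeps its core function running on the last known-good value, falls back to a safe setpoint if the outage lasts too long, and returns to full operation on the first valid reading. The remote setpoint service, the plausibility limits and the scenario values are constructed for illustration.

```python
"""Graceful degradation of a control application when a process it depends on
fails, and recovery when that process returns (added example; the remote
setpoint service, its limits and the scenario values are constructed)."""
from enum import Enum


class Mode(Enum):
    FULL = "full"          # setpoint comes from the supervisory (dependent) process
    DEGRADED = "degraded"  # dependency lost: hold the last known-good setpoint
    SAFE = "safe"          # dependency lost for too long: fall back to a safe setpoint


class SetpointController:
    """Core functionality is 'always have a usable setpoint'. The controller
    never blocks on the dependency; it changes mode instead."""

    def __init__(self, initial_setpoint, safe_setpoint, limits, max_hold_cycles):
        self.lo, self.hi = limits            # plausibility bounds for remote values
        self.safe_setpoint = safe_setpoint
        self.max_hold_cycles = max_hold_cycles
        self.setpoint = initial_setpoint
        self.mode = Mode.FULL
        self.cycles_without_dependency = 0
        self.transitions = []                # (from, to) log for operators / alarms

    def _enter(self, mode):
        if mode is not self.mode:
            self.transitions.append((self.mode.value, mode.value))
            self.mode = mode

    def cycle(self, remote_setpoint):
        """One control cycle. remote_setpoint is None when the dependency is
        unreachable; an out-of-range value is treated as a malfunction too."""
        valid = remote_setpoint is not None and self.lo <= remote_setpoint <= self.hi
        if valid:
            self._enter(Mode.FULL)            # swift recovery: first good value restores full mode
            self.cycles_without_dependency = 0
            self.setpoint = remote_setpoint
        else:
            self.cycles_without_dependency += 1
            if self.cycles_without_dependency > self.max_hold_cycles:
                self._enter(Mode.SAFE)
                self.setpoint = self.safe_setpoint
            else:
                self._enter(Mode.DEGRADED)    # keep running on the last good value
        return self.mode, self.setpoint


def run(controller, remote_values):
    """Feed a sequence of remote readings through the controller and return
    the (mode, setpoint) pair produced in each cycle."""
    return [controller.cycle(value) for value in remote_values]


# Constructed scenario: two good readings, the dependency disappears for four
# cycles, then returns first with an implausible value and then with good ones.
SCENARIO = [50.0, 52.0, None, None, None, None, 999.0, 51.0, 51.0]

if __name__ == "__main__":
    ctl = SetpointController(initial_setpoint=50.0, safe_setpoint=40.0,
                             limits=(0.0, 100.0), max_hold_cycles=3)
    for step, (mode, sp) in enumerate(run(ctl, SCENARIO), 1):
        print(f"cycle {step}: mode={mode.value:<8} setpoint={sp}")
    print("transitions:", ctl.transitions)
```

The mode transitions are recorded so that the supervisory system, once it is back, can see that the process ran degraded and for how long; treating an out-of-range value from the dependency the same as its absence is the "robustness against malfunctions" point of the slide, since a partner that is up but wrong is the harder case.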

Page 28

Future Requirements: Standard Software

Standard software for databases, data analysis or visualisation etc. should

- provide secure installation (e.g. no standard passwords)
- be minimisable (only install needed functionality)
  - no functionality not needed for specific processes, e.g. no DRM, multimedia, hidden databases, ...
  - no “reduced functionality modes”
- provide feasible and configurable patch and update mechanisms
- restrict communication strictly to the process needs, inter alia: only to explicitly specified systems, no “phone home”
- offer needed standard functionality without security risks
- many more

Page 29

Future Requirements: Operating Systems

Servers, most terminals and much process specific hardware run on an operating system layer. We need

- functionality minimisable to system needs
- feasible methods for system hardening and patching
- long term availability (corresponding to the lifetime of the infrastructure of the Critical Process, which might be decades)
- no functionality that could put Critical Processes at risk: no “phone home”, no DRM, hidden services, multimedia, ...
- no “reduced functionality mode” (yes, I know I repeat myself :-)
- many more

In short: Operating systems customisable to infrastructure requirements

Page 30

Future Requirements: Hardware

Servers, terminals, process specific hardware etc. used in “SCADA” systems running Critical Processes should

- be physically robust (where necessary) against
  - the industrial (e.g. electromagnetic) environment
  - environmental or external influence (e.g. solar storms, EMP ...)
- provide hardware based modes for minimised operation
  - low power consumption (for crisis and long term energy shortage)
  - battery buffered or emergency (low) power supply operation
  - support for gracefully degrading the process to core functionality mode
- offer long term availability
- allow easy replacement (e.g. for quick disaster recovery)
- many more

Page 31

Future Requirements: Network Technologies (1/2)

Network architectures based on standard network technology often provide the communication infrastructure of “SCADA” based process infrastructures (this is the “N” in PCN)

Architectural view:

- “SCADA” systems may be attacked using the network layer
- the network connects at least partly unpatched systems
- failures on the network layer endanger “SCADA” systems

Network defence is necessary for higher layers

- strict separation of “SCADA” networks from other networks
- restriction of communication to necessary connections

Page 32

Future Requirements: Network Technologies (2/2)

Network defence necessary for higher layers

- strict separation of “SCADA” networks from other networks
- restriction of communication to necessary connections

? What about technology?

Future requirements to network technologies:

- restrictive network operation as an (additional?) basic network operation principle (including a simple hardware layer and port based approach)
- feasible management of restrictive network operation (easy configuration of necessary connections, deny all other), including restrictive switching, port security ...
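Three of the requirement slides describe the same allowlist discipline from different layers: the application documents every communication relationship it needs (slide 27), standard software talks only to explicitly specified systems and never “phones home” (slide 28), and the network is configured from the necessary connections with everything else denied (slide 32). The Python below is an added example, not part of the BSI slides, that ties these together: the documented relationships are the single source of truth, a flow log is audited against them (so an undocumented connection is either a documentation gap or traffic the process does not need), and the same list is rendered as a default-deny nftables forward chain. The plant subnets, ports, purposes, flow-log lines and the table name are constructed for illustration; the nftables rendering is one possible enforcement form, not the only one.

```python
"""Default-deny audit of observed connections against a documented allowlist
of communication relationships (added example; all addresses are constructed)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Relationship:
    """One documented communication relationship of a process application."""
    src: str      # source network, CIDR notation
    dst: str      # destination network, CIDR notation
    proto: str    # "tcp" or "udp"
    dport: int    # destination port
    purpose: str  # why the process needs this connection


# Constructed allowlist for a hypothetical plant network. Anything not listed
# here is, by policy, denied ("necessary connections, deny all other").
ALLOWLIST = (
    Relationship("10.10.1.0/24", "10.10.2.0/24", "tcp", 502, "HMI polls PLCs (Modbus/TCP)"),
    Relationship("10.10.2.0/24", "10.10.1.10/32", "tcp", 20000, "RTUs report to SCADA master (DNP3)"),
    Relationship("10.10.1.0/24", "10.10.1.20/32", "tcp", 5432, "HMI writes to process historian"),
    Relationship("10.10.0.0/16", "10.10.1.53/32", "udp", 53, "internal DNS"),
)


def match(src_ip, dst_ip, proto, dport, allowlist=ALLOWLIST):
    """Return the documented relationship that covers this flow, or None."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rel in allowlist:
        if (rel.proto == proto and rel.dport == dport
                and src in ipaddress.ip_network(rel.src)
                and dst in ipaddress.ip_network(rel.dst)):
            return rel
    return None


def parse_flow(line):
    """Parse a constructed flow-log line of the form 'proto src:sport -> dst:dport'."""
    proto, rest = line.split(maxsplit=1)
    src, dst = (part.strip() for part in rest.split("->"))
    src_ip, _sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return src_ip, dst_ip, proto.lower(), int(dport)


def audit(flow_lines, allowlist=ALLOWLIST):
    """Return the flow-log lines that no documented relationship explains.

    Each of these is either an undocumented need (fix the documentation) or
    traffic the process does not need, e.g. a "phone home" (fix the system)."""
    return [line for line in flow_lines
            if match(*parse_flow(line), allowlist=allowlist) is None]


def to_nftables(allowlist=ALLOWLIST, table="pcn"):
    """Render the allowlist as an nftables forward chain with a drop policy.
    Return traffic of accepted connections is admitted via connection tracking."""
    rules = ["    ct state established,related accept"]
    for rel in allowlist:
        rules.append(
            f"    ip saddr {rel.src} ip daddr {rel.dst} {rel.proto} dport {rel.dport} "
            f'accept comment "{rel.purpose}"')
    body = "\n".join(rules)
    return (f"table inet {table} {{\n"
            f"  chain forward {{\n"
            f"    type filter hook forward priority 0; policy drop;\n"
            f"{body}\n"
            f"  }}\n"
            f"}}\n")


# Constructed flow-log lines as they might come from a switch or firewall export.
SAMPLE_FLOWS = [
    "tcp 10.10.1.15:49152 -> 10.10.2.7:502",     # HMI -> PLC: documented
    "tcp 10.10.2.7:49200 -> 10.10.1.10:20000",   # RTU -> master: documented
    "udp 10.10.1.15:5353 -> 10.10.1.53:53",      # DNS: documented
    "tcp 10.10.1.20:51000 -> 203.0.113.5:443",   # historian -> Internet: "phone home", undocumented
    "tcp 10.10.2.7:49201 -> 10.10.2.9:22",       # PLC -> PLC SSH: undocumented
]

if __name__ == "__main__":
    for line in audit(SAMPLE_FLOWS):
        print("UNDOCUMENTED:", line)
    print(to_nftables())
```

Keeping the allowlist as data rather than as hand-written firewall rules is what makes the "feasible management" requirement of slide 32 achievable: the audit and the enforcing ruleset are generated from the same documented relationships, so a change in the process (a new historian, a retired RTU) is made once and is visible in both.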

Page 33

Contents

- The BSI
- Critical Infrastructures and Critical Processes
- Critical Processes and IT-based automation technologies
- Future Threats
- Future Requirements
- Transfer to other IT-supported technology areas
- Conclusions

Page 34

Transfer to other IT-supported Technology Areas

1. Many requirements can be transferred to other technology areas where IT is used for operating Critical Processes, inter alia:
   - Process specific applications: platform independence, resilience, graceful degradation, known communication, ...
   - Operating systems: minimisable functionality and feasible system hardening, long term availability, no “phone home”, ...
   - Network layer: defence of Critical Processes on the network layer, restricted communication as network operation principle; feasible management of restricted network operation, hardware features

2. Many future requirements seem also valid for less critical processes.

Page 35

Contents

- The BSI
- Critical Infrastructures and Critical Processes
- Critical Processes and IT-based automation technologies
- Future Threats
- Future Requirements
- Transfer to other IT-supported technology areas
- Conclusions

Page 36

Conclusions

Today’s process infrastructures can (at large) be built as secure, safe and resilient as necessary.

To keep up with increasing threats and growing complexity and interconnection of CI, we need to enhance robustness and inbuilt resilience security characteristics of all technology areas and layers.

We can only achieve this in co-operation between process owners and operators, integrators of technologies, manufacturers, distributors and vendors.

Page 37

Contact

Federal Office for Information Security (BSI)
Hans Honecker
Godesberger Allee 185-189
53175 Bonn

Tel.: +49 (0)228 99-9582-5149
Fax: +49 (0)228 99-10-9582-5149

[email protected]