Safeguarding Information Intensive Critical Infrastructures against novel types of emerging failures
Sandro Bologna
ENEA – CAMO Modelling and Simulation Unit
CR Casaccia, 00060 Roma
Workshop on Safeguarding National Infrastructures: Integrated Approaches to Failure in Complex Networks
Glasgow, 25-26 August, 2005
www.enea.it
RISK based approach
Actors (environmental conditions, adversaries, insiders, terrorists, hackers, ...)
Weaknesses magnify threat potential
Countermeasures reduce threat potential
Effects magnify the entire problem
Risk = (Threat x Vulnerabilities / Countermeasures) x Impact
Extension of the concept of Risk Assessment to Critical Infrastructure (originally elaborated from Manuel W. Wik, "Revolution in Information Affairs")
ENEA FaMoS MULTIMODELLING APPROACH FOR VULNERABILITY ANALYSIS AND ASSESSMENT
ENEA SAFEGUARD approach to reduce threat potential against existing SCADA
Layered networks model
Physical Infrastructure
Cyber-Infrastructure
Organisational Infrastructure
Intra-dependency / Inter-dependency
Three Layers Model for the Electrical Infrastructure
Intra-dependency (the three layers):
Electrical components: generators, transformers, breakers, connecting cables, etc.
Control and supervisory hardware/software components (SCADA/EMS systems)
Electrical power operators: Independent System Operator for electricity planning and transmission
Inter-dependency (with other infrastructures):
National Electrical Power Transmission Infrastructure
Telecommunication Infrastructure
Oil/Gas Transport System Infrastructure
Foreign Electrical Transmission Infrastructure
US CANADA BLACK-OUT (Power System Outage Task Force Interim Report)
[Figure: General layout of typical control and supervisory infrastructure of the electrical grid. Physical electrical layer (high-medium voltage): substations, loads and generators across Area 1, Area 2 and Area 3. Control and management layer (SCADA system): remote units (SIA-R), data concentrators, a WAN (Wide Area Network), control centres (SIA-C, CC, CNC) and the data management network.]
Governments and industry organisations have recognised that all the automation systems collectively referred to as SCADA are potential targets of attack from hackers, disgruntled insiders, cyberterrorists, and others who want to disrupt national infrastructures.
SCADA networks have moved from proprietary, closed networks to the arena of information technology, with all its cost and performance benefits and IT security challenges.
A number of efforts are underway to retrofit security onto existing SCADA networks.
NEW RISKS TO SCADA
NEW VULNERABILITIES
1. Adoption of standardised technologies with known vulnerabilities
2. Connectivity of control systems to other networks
3. Constraints on the use of existing security technologies and practices due to the old technology in use
4. Insecure remote connections
5. Widespread availability of technical information about control systems
SCADA Security Incidents between 1995 and 2003 (source Eric Byres BCIT)
SCADA Security Incidents by Type (source Eric Byres BCIT)
SCADA External security incidents by entry point (source Eric Byres BCIT)
SAFEGUARD ARCHITECTURE
[Figure: Safeguard agent architecture for Large Complex Critical Infrastructures (LCCIs), drawn on the cyber layer of the electricity network of the home LCCI. Low-level agents (diagnosis wrappers, intrusion detection wrappers, hybrid anomaly detection agents, actuators) provide local node protection; high-level agents (topology agent, correlation agent, action agent, negotiation agent, MMI agent) provide network global protection and link the home LCCI to other LCCIs (foreign electricity networks, telecommunication networks). Arrows distinguish "commands and information" from "information only" flows.]
At level 1: identify a component failure or an attack in progress.
Hybrid anomaly detection agents use algorithms specialised in detecting deviations from normality. Signature-based algorithms are used to classify failures on the basis of accumulated functional behaviour.
At level 2: correlate different kinds of information.
The Correlation and Topology agents correlate the diagnoses.
The Action agent replaces the functions of failed components.
At level 3: operator decision support. The MMI agent supports the operator in the reconfiguration strategy; the Negotiation agent supports the negotiation of recovery policies with other interdependent LCCIs.
An example of Safeguard Agents
[Figure: Safeguard agents in the home LCCI. Low-level agents: wrapper agents, actuator(s), hybrid detector agents (ECHD, DMA, EDHD). High-level agents: topology agent, correlation agent, action agent, negotiation agent, MMI; correlation agent(s) and action agent(s) of other LCCIs.]
Event Course Hybrid Detection agent
ECHD (Event Course Hybrid Detector) Agent
Prologue
The Event Course Hybrid Detector extracts information about a certain process from the sequence of events generated by that process.
It may or may not recognise sequences of events that it has learned, partly from information captured from the expert of the process and partly during an on-field training phase.
When it recognises a sequence it also associates an anomaly level with the sequence (the timing discordance from the learned one).
[Figure: SCADA System Configuration for the Italian Transmission Electrical Network (GRTN-ABB), with ECHD agents attached at several points. Recognising a process from the sequence of events it produces: starting the processing of a telemeasure at t0 yields the events E(t1), E(t2), E(t3), E(t4), E(t5), E(t6). The SCADA system is instrumented with "sensors".]
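As an added illustration of the ECHD idea (not Safeguard project code; the slides give no detail of the real agent's algorithm), the following Python sketch learns one event course from timed traces, as the on-field training phase would, and then reports for a new trace whether the course is recognised and an anomaly level taken from the timing discordance. The event names, timings and the standard-deviation scoring are assumptions.

```python
"""Toy Event Course Hybrid Detector (ECHD).

Added illustration, not Safeguard project code. It assumes a process
emits a fixed course of named events after a start event, and that the
detector is trained on timed traces of that course. Event names and
timings below are constructed."""
from statistics import mean, pstdev

# Constructed training traces: (event name, seconds since the start event).
TRAINING_TRACES = [
    [("start", 0.0), ("acquire", 0.10), ("validate", 0.25), ("store", 0.40), ("publish", 0.55)],
    [("start", 0.0), ("acquire", 0.12), ("validate", 0.27), ("store", 0.41), ("publish", 0.58)],
    [("start", 0.0), ("acquire", 0.09), ("validate", 0.24), ("store", 0.39), ("publish", 0.54)],
    [("start", 0.0), ("acquire", 0.11), ("validate", 0.26), ("store", 0.42), ("publish", 0.57)],
]


class EventCourseDetector:
    """Learns the expected event course and the typical gap between
    consecutive events, then scores new traces for sequence match and
    timing discordance."""

    def __init__(self, traces):
        courses = {tuple(e for e, _ in t) for t in traces}
        if len(courses) != 1:
            raise ValueError("training traces describe different event courses")
        self.course = courses.pop()
        # Per-transition gap statistics; an expert could seed these, here
        # they come purely from the training traces.
        gaps = {}
        for t in traces:
            for (e1, t1), (e2, t2) in zip(t, t[1:]):
                gaps.setdefault((e1, e2), []).append(t2 - t1)
        self.gap_mean = {k: mean(v) for k, v in gaps.items()}
        # Floor the spread so perfectly regular training data still tolerates jitter.
        self.gap_std = {k: max(pstdev(v), 0.01) for k, v in gaps.items()}

    def evaluate(self, trace):
        """Return (recognised, anomaly_level).

        recognised is False when the event names do not reproduce the learned
        course (missing, extra or reordered events). anomaly_level is the
        largest number of standard deviations by which any inter-event gap
        deviates from the learned gap for that transition."""
        names = tuple(e for e, _ in trace)
        if names != self.course:
            return False, None
        worst = 0.0
        for (e1, t1), (e2, t2) in zip(trace, trace[1:]):
            k = (e1, e2)
            z = abs((t2 - t1) - self.gap_mean[k]) / self.gap_std[k]
            worst = max(worst, z)
        return True, round(worst, 2)


def demo():
    det = EventCourseDetector(TRAINING_TRACES)
    # Constructed test traces: a normal run, a run whose 'store' step stalls
    # for a second, and a run that skips steps altogether.
    normal = [("start", 0.0), ("acquire", 0.11), ("validate", 0.26), ("store", 0.40), ("publish", 0.56)]
    slow = [("start", 0.0), ("acquire", 0.11), ("validate", 0.26), ("store", 1.40), ("publish", 1.56)]
    broken = [("start", 0.0), ("acquire", 0.11), ("publish", 0.30)]
    return {"normal": det.evaluate(normal), "slow": det.evaluate(slow), "broken": det.evaluate(broken)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The stalled trace is still recognised as the same course, but with a large anomaly level; the truncated trace is not recognised at all, which is the distinction the ECHD prologue draws between recognising a sequence and grading its timing.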
Data Mining Agent
DMA (Data Mining) Agent
Prologue
Data Mining is the extraction of implicit, previously unknown, and potentially useful information from data.
A Data Miner is a computer program that sifts through data seeking regularities or patterns.
Obstructions: noise (the agent intercepts without distinction everything that happens in the network) and computational complexity (as a consequence, permanent monitoring of the traffic is impossible without jeopardising SCADA functionality).
[Figure: SCADA System Configuration for the Italian Transmission Electrical Network (GRTN-ABB), with DMA agents attached at the points where broker traffic is observed.]
DMA (Data Mining) Agent
Use of Data Mining techniques in the Safeguard project.
DMA observes the TCP packets flowing through the port used by the message broker of the SCADA system emulator.
After a learning phase, DMA should be able to discriminate between normal packet sequences and anomalous ones, raising an alarm in the latter case.
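An added example, not the Safeguard DMA's code, of what such a learn-then-discriminate agent can look like on a reduced packet stream: each packet is first reduced to a coarse token (direction and payload-length class), a learning phase records the token n-grams seen in clean broker traffic, and a sliding window whose share of never-seen n-grams exceeds a threshold raises an alarm. The tokenisation, the constructed traffic and the sample_every option (which answers the computational-complexity obstruction by scoring only every k-th window) are assumptions.

```python
"""Toy Data Mining Agent (DMA) for message-broker traffic.

Added illustration, not Safeguard project code. It assumes every TCP
packet on the broker port has already been captured as a (direction,
payload_len) pair; the tokens and the traffic below are constructed."""
from collections import Counter, deque

N = 3               # n-gram length
WINDOW = 12         # packets scored together
ALARM_RATIO = 0.5   # share of unseen n-grams in a window that raises an alarm


def tokenize(packet):
    """Reduce a (direction, payload_len) pair to a coarse token.
    direction is 'C>B' (client to broker) or 'B>C'. Lengths are bucketed so
    small jitter in message size does not create new tokens."""
    direction, length = packet
    bucket = "S" if length < 64 else "M" if length < 512 else "L"
    return f"{direction}:{bucket}"


def ngrams(tokens, n=N):
    return [tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1)]


class DataMiningAgent:
    def __init__(self):
        self.known = Counter()

    def learn(self, packets):
        """Learning phase: record every n-gram of the (assumed clean) traffic."""
        self.known.update(ngrams([tokenize(p) for p in packets]))

    def score_window(self, packets):
        """Share of n-grams in this window that were never seen during learning."""
        grams = ngrams([tokenize(p) for p in packets])
        if not grams:
            return 0.0
        unseen = sum(1 for g in grams if g not in self.known)
        return unseen / len(grams)

    def monitor(self, packets, sample_every=1):
        """Slide a window over the stream; return (index, ratio) for each alarm.
        sample_every > 1 scores only every k-th window, a crude cap on the
        cost of continuous monitoring."""
        alarms = []
        buf = deque(maxlen=WINDOW)
        for i, p in enumerate(packets):
            buf.append(p)
            if len(buf) == WINDOW and i % sample_every == 0:
                ratio = self.score_window(list(buf))
                if ratio >= ALARM_RATIO:
                    alarms.append((i, round(ratio, 2)))
        return alarms


def normal_cycle():
    """Constructed normal traffic: five telemeasure publishes (medium payload),
    each answered by a short broker acknowledgement, then a short keep-alive."""
    cycle = []
    for _ in range(5):
        cycle += [("C>B", 200), ("B>C", 32)]
    cycle += [("C>B", 48), ("B>C", 32)]
    return cycle


def demo():
    dma = DataMiningAgent()
    dma.learn(normal_cycle() * 20)
    clean = normal_cycle() * 4
    # Constructed anomaly: a burst of large client messages with no broker
    # acknowledgements, as a flooding or replay tool might produce.
    anomalous = normal_cycle() * 2 + [("C>B", 1400)] * 10 + normal_cycle() * 2
    return {
        "clean": dma.monitor(clean),
        "anomalous": dma.monitor(anomalous),
        "sampled": dma.monitor(anomalous, sample_every=4),
    }


if __name__ == "__main__":
    for name, alarms in demo().items():
        print(name, alarms)
```

The clean stream produces no alarm because every n-gram in it was seen during learning; the burst produces a run of alarms that starts once half of a window's n-grams involve the unknown token and ends once normal traffic fills the window again. Sampling every fourth window still catches the burst, at a quarter of the scoring cost, but a burst shorter than the sampling stride could slip through, which is the trade-off the "computational complexity" obstruction forces.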
The Safeguard approach (a middleware on top of existing SCADA systems, or just a retrofitted add-on device to the existing SCADA)
[Figure: Safeguarding SCADA systems, retrofitted add-on solution. Safeguard agents (anomaly detectors, correlators, actuators) attach to a Safe Bus; each RTU (Remote Terminal Unit) and the SCADA system connect to the Safe Bus through a Safe Bus API interface.]
Utilities have a significant investment in SCADA equipment. SCADA and similar control equipment are designed to have significant lifetimes. Protection mechanisms should not be developed that require major replacement of existing equipment in the near term.
Because of the limited capabilities of the SCADA processors, protection mechanisms should be implemented as a retrofitted add-on device.
SCADA systems are designed for frequent (near real-time) status updates. Protection mechanisms should not reduce the performance (reading frequency, transmission delay, computation) below an acceptable level.
HOW SAFEGUARD MIGHT SUPPORT MANAGING A MAJOR SYSTEM OUTAGE
ITALY BLACK-OUT (From UCTE Interim Report)
[Figure: Event tree from the UCTE report, "Network state overview & root causes": from the pre-incident network in N-1 secure state, through a 24-minute phase and a 1-2 minute phase, to island operation failing due to unit tripping.]
In the SAFEGUARD system the Correlator agent intercepts anomalies and failures inside the sequence of events, and the Action agent tries to re-execute the unsuccessful commands.
SAFEGUARD might help to recognise the anomalous state and call for adequate countermeasures.
COORDINATION PROBLEMS BETWEEN SYSTEM OPERATORS (From UCTE Interim Report)
In this specific case ETRANS needs as corrective measures which are necessary to comply with the N-1 rule, also action to be undertaken in the Italian system.
This was confirmed by the check list available to the ETRANS operators, which explicitly mentions that, in case of loss of Mettlen-Lavorgo, the operator should call GRTN, inform GRTN about the loss of the line, request for the pumping to be shut down, generation to be increased in Italy. This clause is mentioned in Italian on the ETRANS checklist for this incident.
SAFEGUARD makes available a Negotiation Agent in charge of coordination among different operators.
US CANADA BLACK-OUT (Power System Outage Task Force Interim Report)
The "State Estimation" tool does not work in the regular way because a critical piece of information (a line connection status) is not correctly acquired by the SCADA system.
The data used by the State Estimator could be corrupted by an attack or by a fault inside the SCADA system.
On August 14 at about 12:15 EDT, MISO's state estimator produced a solution with a high mismatch (outside the bounds of acceptable error). This was traced to an outage of Cinergy's Bloomington-Denois Creek 230-kV line—although it was out of service, its status was not updated in MISO's state estimator.
A SAFEGUARD anomaly detection agent has the duty to verify the correctness level of the data that must be used by the State Estimator. If the State Estimation tool knows which data can be considered "good" or "bad", it can furnish a more correct state of the network.
US CANADA BLACK-OUT (Task Force Interim Report)
2A) 14:14 EDT: FE alarm and logging software failed. Neither FE's control room operators nor FE's IT EMS support personnel were aware of the alarm failure.
The alarm system of the FirstEnergy electrical company did not work correctly, and the operators were not aware of this situation.
The Safeguard Correlator agent could detect failures inside the alarm system by correlating the sequences of signals flowing from the RTUs towards the Control Centres.
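Two added toy checks in Python, illustration only and not Safeguard, MISO or FirstEnergy code, for the two incident mechanisms on these slides: a plausibility screen on line status before it reaches the state estimator (a line reported in service whose flow has collapsed to about zero at both ends, after carrying load, is tagged "suspect"), and a detector for a silently failed alarm subsystem (RTU status changes that should raise an alarm but are followed by no alarm-log entry within a grace period). The thresholds, point names and telemetry values are constructed assumptions.

```python
"""Two toy Safeguard-style checks on the EMS data path.

Added illustration, not Safeguard, MISO or FirstEnergy code. Thresholds,
point names and the telemetry in demo() are constructed."""

FLOW_FLOOR_MW = 2.0     # |flow| below this counts as "no flow"   (assumed)
PRIOR_LOAD_MW = 20.0    # line must have carried at least this before (assumed)
ALARM_GRACE_S = 30      # seconds an alarm may lag its triggering event (assumed)


def classify_line_status(sample):
    """Grade the telemetered status of one line as 'good', 'suspect' or 'bad'.

    sample: dict with 'status' ('IN' or 'OUT'), 'mw_from' and 'mw_to' (flow
    measured at the two ends now) and 'mw_prev' (flow at the previous scan).
    The estimator can then down-weight suspect/bad statuses instead of
    treating every status bit as truth."""
    flow_now = max(abs(sample["mw_from"]), abs(sample["mw_to"]))
    if sample["status"] == "OUT":
        # Out of service but still measuring flow: status or flow is wrong.
        return "bad" if flow_now > FLOW_FLOOR_MW else "good"
    # Reported in service: load vanished without a status change is the
    # signature of a stale status, as with the line that was not updated.
    if flow_now <= FLOW_FLOOR_MW and abs(sample["mw_prev"]) >= PRIOR_LOAD_MW:
        return "suspect"
    return "good"


def screen_snapshot(lines):
    """Tag every line in a SCADA snapshot before it is handed to the estimator."""
    return {name: classify_line_status(s) for name, s in lines.items()}


def find_alarm_silence(rtu_events, alarm_log, grace=ALARM_GRACE_S):
    """Correlate RTU events with the alarm log.

    rtu_events: [(t, point, new_state)] for points whose change must raise an
    alarm; alarm_log: [(t, point)] entries the alarm system actually wrote.
    Returns the events that received no alarm within `grace` seconds, the
    signature of an alarm/logging process that died without anyone noticing."""
    logged = sorted(alarm_log)
    silent = []
    for t, point, state in rtu_events:
        matched = any(p == point and t <= ta <= t + grace for ta, p in logged)
        if not matched:
            silent.append((t, point, state))
    return silent


def demo():
    # Constructed snapshot: L1 healthy; L2's flow collapsed while its status
    # still says IN; L3 says OUT but still measures flow.
    snapshot = {
        "L1": {"status": "IN", "mw_from": 310.0, "mw_to": -305.0, "mw_prev": 300.0},
        "L2": {"status": "IN", "mw_from": 0.4, "mw_to": -0.3, "mw_prev": 180.0},
        "L3": {"status": "OUT", "mw_from": 95.0, "mw_to": -94.0, "mw_prev": 90.0},
    }
    # Constructed RTU event stream and alarm log: alarms are logged until the
    # alarm process dies, after which breaker trips produce no entries.
    rtu_events = [
        (100, "BRK_7", "OPEN"),
        (160, "BRK_12", "OPEN"),
        (905, "BRK_3", "OPEN"),
        (940, "BRK_9", "OPEN"),
    ]
    alarm_log = [(102, "BRK_7"), (163, "BRK_12")]
    return {
        "statuses": screen_snapshot(snapshot),
        "silent": find_alarm_silence(rtu_events, alarm_log),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Neither check needs any change to the SCADA master or the RTUs: both consume the same scan data and log stream the control centre already receives, which is what the retrofitted add-on constraint on the earlier slides requires.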
CONCLUSIONS
INCREASING NEED TO TRANSFORM TODAY'S CENTRALISED, DUMB NETWORKS INTO SOMETHING CLOSER TO SMART, DISTRIBUTED CONTROL NETWORKS
SAFEGUARD MULTI-AGENT SYSTEM TECHNOLOGY CAN WORK IN AN AUTONOMOUS MANNER AS AN ADD-ON SYSTEM, WITH AGENTS INTERACTING BOTH WITH THEIR ENVIRONMENT AND WITH ONE ANOTHER
MULTI-AGENT SYSTEM TECHNOLOGY, COMBINED WITH INTELLIGENT SYSTEMS, CAN BE USED TO AUTOMATE THE FAULT DIAGNOSIS ACTIVITY AND TO SUPPORT OPERATORS IN THE RECOVERY POLICIES.
INCREASING NEED FOR INTELLIGENT DATA INTERPRETATION TO CAPTURE NOVELTIES AND PROVIDE OPERATORS WITH EARLY WARNINGS.
International Workshop on
Complex Network and Infrastructure Protection
CNIP 2006
March 28-29, 2006 - Rome, Italy
http://ciip.casaccia.enea.it/cnip/