Sandro Bologna ENEA – CAMO Modelling and Simulation Unit CR Casaccia, 00060 Roma

Post on 26-Jan-2016


Safeguarding Information Intensive Critical Infrastructures against novel types of emerging failures

Sandro Bologna

ENEA – CAMO Modelling and Simulation Unit

CR Casaccia, 00060 Roma

bologna@casaccia.enea.it

Workshop on Safeguarding National Infrastructures: Integrated Approaches to Failure in Complex Networks

Glasgow, 25-26 August, 2005

RISK-based approach

Actors (environmental conditions, adversaries, insiders, terrorists, hackers…)

Weaknesses magnify threat potential

Countermeasures reduce threat potential

Effects magnify the entire problem

Risk = (Threat x Vulnerabilities x Impact) / Countermeasures

Extension of the concept of Risk Assessment to Critical Infrastructure (originally elaborated from Manuel W. Wik, “Revolution in Information Affairs”)


ENEA FaMoS MULTIMODELLING APPROACH FOR VULNERABILITY ANALYSIS AND ASSESSMENT


ENEA SAFEGUARD approach to reduce threat potential against existing SCADA

Layered networks model

Physical Infrastructure

Cyber-Infrastructure

Organisational Infrastructure

Intra-dependency / Inter-dependency

Three Layers Model for the Electrical Infrastructure

Electrical Components: generators, transformers, breakers, connecting cables etc.

Control and supervisory hardware/software components (SCADA/EMS systems)

Electrical Power Operators: Independent System Operator for electricity planning and transmission

Intra-dependency: National Electrical Power Transmission Infrastructure

Inter-dependency: Telecommunication Infrastructure, Oil/Gas Transport System Infrastructure, Foreign Electrical Transmission Infrastructure

US-CANADA BLACK-OUT (Power System Outage Task Force Interim Report)

General layout of a typical control and supervisory infrastructure of the electrical grid

[Diagram: a physical electrical layer (high-medium voltage) with substations, loads and generators grouped in Area 1, Area 2 and Area 3, and above it a control and management layer (SCADA system) with remote units (SIA-R), data concentrators, control centres (SIA-C, CC, CNC) and a data management network over a WAN (Wide Area Network)]

Governments and industry organisations have recognised that all the automation systems collectively referred to as SCADA are potential targets of attack from hackers, disgruntled insiders, cyberterrorists, and others who want to disrupt national infrastructures.

SCADA networks have moved from proprietary, closed networks into the arena of information technology, with all its cost and performance benefits and its IT security challenges.

A number of efforts are underway to retrofit security onto existing SCADA networks.

NEW VULNERABILITIES

1. Adoption of standardized technologies with known vulnerabilities

2. Connectivity of control systems to other networks

3. Constraints on the use of existing security technologies and practices, due to the old technology in use

4. Insecure remote connections

5. Widespread availability of technical information about control systems

NEW RISKS TO SCADA

SCADA Security Incidents between 1995 and 2003 (source Eric Byres BCIT)

SCADA Security Incidents by Type (source Eric Byres BCIT)

SCADA External security incidents by entry point (source Eric Byres BCIT)

SAFEGUARD ARCHITECTURE

Safeguard agent Architecture for Large Complex Critical Infrastructures (LCCIs)

[Diagram: the Cyber Layer of the Electricity Network (home LCCI) is monitored by low-level agents (diagnosis wrappers, intrusion detection wrappers, hybrid anomaly detection agents, actuators), which provide local node protection, and by high-level agents (topology agent, correlation agent, action agent, negotiation agent, MMI agent), which provide network global protection; other LCCIs (foreign electricity networks, telecommunication networks) are shown alongside. Two kinds of link are distinguished: “commands and information” and “information only”.]


At level 1: identify component failure or an attack in progress

Hybrid anomaly detection agents use algorithms specialised in detecting deviations from normality. Signature-based algorithms are used to classify failures on the basis of accumulated functional behaviour.


At level 2: correlate different kinds of information

Correlation and Topology agents correlate the diagnoses.

The Action agent replaces the functions of failed components.


At level 3: operator decision support

The MMI agent supports the operator in the reconfiguration strategy. The Negotiation agent negotiates recovery policies with other interdependent LCCIs.

An example of Safeguard Agents

[Diagram: in the home LCCI, low-level agents (wrapper agents, actuator(s), hybrid detector agents ECHD, DMA and EDHD) and high-level agents (topology agent, correlation agent, action agent, negotiation agent, MMI); other LCCIs expose their own correlation agent(s) and action agent(s)]

Event Course Hybrid Detection agent


ECHD (Event Course Hybrid Detector) Agent

Prologue

The Event Course Hybrid Detector extracts information about a process from the sequences of events that process generates.

It recognises (or fails to recognise) sequences of events that it has learned, partly from information captured from the process expert and partly during an on-field training phase.

When it recognises a sequence it also associates an anomaly level with it (the timing discordance from the learned sequence).

SCADA System Configuration for the Italian Transmission Electrical Network (GRTN-ABB)

RECOGNISING A PROCESS FROM THE SEQUENCE OF EVENTS IT PRODUCES

[Diagram: the SCADA system is instrumented with ECHD “Sensors”; processing of a telemeasure starts at t0 and produces the event sequence E(t1), E(t2), E(t3), E(t4), E(t5), E(t6)]
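The sequence recognition and timing-discordance scoring described for the ECHD, as an added example (not Safeguard project code): the event names, the training traces and the warning/alarm thresholds are constructed assumptions.

```python
"""Toy Event Course Hybrid Detector (ECHD). Added example, not Safeguard code:
the expert supplies the order of events a SCADA process emits, an on-field
training phase supplies their normal timing, and recognition returns an anomaly
level: how far observed inter-event delays sit from the learned ones."""
from statistics import mean, pstdev

# Expert knowledge: event order when a telemeasure is processed (constructed).
TELEMEASURE_COURSE = ["start_telemeasure", "E1", "E2", "E3", "E4", "E5", "E6"]

def gaps(times):
    """Delays between consecutive events of one trace (seconds)."""
    return [b - a for a, b in zip(times, times[1:])]

def learn_timing(traces, min_spread=0.05):
    """On-field training: traces are per-event timestamp lists of normal runs.
    Returns (mean_gap, spread) for each consecutive pair; the spread is floored
    so a perfectly regular slot still tolerates some jitter."""
    per_slot = zip(*(gaps(t) for t in traces))
    return [(mean(g), max(pstdev(g), min_spread)) for g in per_slot]

def recognise(course, timing, observed):
    """observed: list of (event, timestamp). None when the event sequence is
    not the learned course; otherwise the anomaly level, i.e. the mean number
    of spreads by which each observed delay departs from the learned mean."""
    if [e for e, _ in observed] != course:
        return None
    obs_gaps = gaps([t for _, t in observed])
    return mean(abs(g - m) / s for g, (m, s) in zip(obs_gaps, timing))

def classify(level, warn=2.0, alarm=4.0):
    """Map the anomaly level to what the agent would report upstream."""
    if level is None:
        return "unrecognised"
    if level >= alarm:
        return "alarm"
    return "warning" if level >= warn else "normal"

# Constructed training traces: four normal runs, timestamps in seconds.
TRAINING = [
    [0.0, 0.10, 0.20, 0.30, 0.50, 0.60, 0.70],
    [0.0, 0.11, 0.21, 0.30, 0.52, 0.61, 0.72],
    [0.0, 0.09, 0.19, 0.29, 0.49, 0.59, 0.69],
    [0.0, 0.10, 0.21, 0.31, 0.50, 0.60, 0.71],
]
TIMING = learn_timing(TRAINING)

def score(observed):
    return classify(recognise(TELEMEASURE_COURSE, TIMING, observed))
```

A sequence with the right events but one delay stretched from tenths of a second to seconds scores as an alarm, while one whose events arrive out of order or incomplete is simply not recognised as this course.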

Data Mining Agent

DMA (Data Mining) Agent

Prologue

Data Mining is the extraction of implicit, previously unknown, and potentially useful information from data.

A Data Miner is a computer program that sniffs through data seeking regularities or patterns.

Obstructions: noise (the agent intercepts, without distinction, everything that happens on the network) and computational complexity (as a consequence, permanent monitoring of the traffic is impossible without jeopardising SCADA functionality).

SCADA System Configuration for the Italian Transmission Electrical Network (GRTN-ABB)

[Diagram: the SCADA configuration instrumented with DMA agents]

DMA (Data Mining) Agent

Use of Data Mining techniques in the Safeguard project.

The DMA observes the TCP packets flowing through the port used by the message broker of the SCADA system emulator.

After a learning phase, the DMA should be able to discriminate between normal packet sequences and anomalous ones, raising an alarm in the latter case.

The Safeguard approach (a middleware on top of existing SCADA systems, or just a retrofitted add-on device to the existing SCADA)

Safeguarding SCADA Systems: RETROFITTED ADD-ON SOLUTION

[Diagram: the Safeguard agents (anomaly detectors, correlators, actuators) attach to the Safe Bus through a Safe Bus API Interface; each RTU (Remote Terminal Unit) of the SCADA System connects to the Safe Bus through its own Safe Bus API Interface]


Utilities have significant investment in SCADA equipment. SCADA and similar control equipment are designed to have significant lifetimes.

Protection mechanisms should not be developed that require major replacement of existing equipment in the near term.


Because of the limited capabilities of the SCADA processors, protection mechanisms should be implemented as a retrofitted add-on device.


SCADA systems are designed for frequent (near real-time) status updates. Protection mechanisms should not reduce the performance (reading frequency, transmission delay, computation) below an acceptable level.

HOW SAFEGUARD MIGHT SUPPORT MANAGING MAJOR SYSTEMS OUTAGE

ITALY BLACK-OUT (From UCTE Interim Report)

NETWORK STATE OVERVIEW & ROOT CAUSES

[Event tree from the UCTE report, running from “pre-incident network in n-1 secure state” to “island operation fails due to unit tripping”; elapsed times marked on the tree: 24 minutes, 1-2 minutes]


In the SAFEGUARD system the Correlator agent intercepts anomalies and failures inside the sequence of events, and the Action agent tries to re-execute the unsuccessful commands.


SAFEGUARD might help to recognise the anomalous state and call for adequate countermeasures.

COORDINATION PROBLEMS BETWEEN SYSTEM OPERATORS (From UCTE Interim Report)

“In this specific case ETRANS needs as corrective measures which are necessary to comply with the N-1 rule, also action to be undertaken in the Italian system.

This was confirmed by the check list available to the ETRANS operators, which explicitly mentions that, in case of loss of Mettlen-Lavorgo, the operator should call GRTN, inform GRTN about the loss of the line, request for the pumping to be shut down, generation to be increased in Italy. This clause is mentioned in Italian on the ETRANS checklist for this incident.”

SAFEGUARD makes available a Negotiation Agent in charge of coordination among the different operators.

US-CANADA BLACK-OUT (Power System Outage Task Force Interim Report)

The “State Estimation” tool does not work in the regular way because a critical piece of information (a line connection status) is not correctly acquired by the SCADA system.

The data used by the State Estimator could be corrupted by an attack or by a fault inside the SCADA system.

“On August 14 at about 12:15 EDT, MISO’s state estimator produced a solution with a high mismatch (outside the bounds of acceptable error). This was traced to an outage of Cinergy’s Bloomington-Denois Creek 230-kV line—although it was out of service, its status was not updated in MISO’s state estimator.”

US CANADA BLACK-OUT

A SAFEGUARD anomaly detection agent has the duty of verifying the correctness of the data that the State Estimator must use. If the State Estimation tool knows which data can be considered “good” or “bad”, it can furnish a more correct state of the network.
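One way an anomaly detection agent could label State Estimator inputs “good” or “bad” before the estimator consumes them, as an added example (not Safeguard project code): the line names, measurements, dead band and loss tolerance are constructed assumptions.

```python
"""Plausibility check on SCADA data bound for the State Estimator. Added
example, not Safeguard code: each line's acquired connection status is
cross-checked against the telemetered MW flow at both ends, and values that
contradict each other are labelled "bad" so the estimator can exclude or
down-weight them. Line names and measurements are constructed."""
from dataclasses import dataclass

@dataclass
class LineTelemetry:
    name: str
    in_service: bool       # connection status as acquired by SCADA
    mw_from: float         # MW measured entering the line at the from-end
    mw_to: float           # MW measured entering the line at the to-end

def check_line(t, dead_band_mw=1.0, loss_tol=0.05):
    """Return (quality, reason) for one line's data; quality is 'good' or 'bad'."""
    peak = max(abs(t.mw_from), abs(t.mw_to))
    loaded = peak > dead_band_mw
    if t.in_service and not loaded:
        # The stale-status case: the line tripped but SCADA still shows it closed.
        return "bad", "status says in service but both ends measure no flow"
    if not t.in_service and loaded:
        return "bad", "status says out of service but flow is measured"
    # Power entering at one end should leave at the other, minus small losses.
    if loaded and abs(t.mw_from + t.mw_to) > loss_tol * peak:
        return "bad", "from-end and to-end flows do not balance"
    return "good", "status and flows are consistent"

def qualify(telemetry):
    """Map line name -> quality so the estimator knows which inputs to trust."""
    return {t.name: check_line(t)[0] for t in telemetry}

# Constructed snapshot: one stale status, one unbalanced measurement,
# two consistent lines.
SNAPSHOT = [
    LineTelemetry("L1", True, 150.2, -147.9),   # consistent, ~1.5% losses
    LineTelemetry("L2", True, 0.3, -0.1),       # tripped, but flagged closed
    LineTelemetry("L3", False, 0.0, 0.0),       # consistently out of service
    LineTelemetry("L4", True, 80.0, -40.0),     # one end's measurement wrong
]
```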

US-CANADA BLACK-OUT (Task Force Interim Report)

“2A) 14:14 EDT: FE alarm and logging software failed. Neither FE’s control room operators nor FE’s IT EMS support personnel were aware of the alarm failure.”

The alarm system of the FirstEnergy electrical company does not work correctly, and the operators are not aware of this situation.


The Safeguard Correlator agent could detect failures inside the alarm system by correlating the sequences of signals flowing from the RTUs towards the Control Centres.


CONCLUSIONS

INCREASING NEED TO TRANSFORM TODAY’S CENTRALISED, DUMB NETWORKS INTO SOMETHING CLOSER TO SMART, DISTRIBUTED CONTROL NETWORKS

SAFEGUARD MULTI-AGENT SYSTEM TECHNOLOGY CAN WORK IN AN AUTONOMOUS MANNER AS AN ADD-ON SYSTEM, THE AGENTS INTERACTING BOTH WITH THEIR ENVIRONMENT AND WITH ONE ANOTHER

MULTI-AGENT SYSTEM TECHNOLOGY, COMBINED WITH INTELLIGENT SYSTEMS, CAN BE USED TO AUTOMATE THE FAULT DIAGNOSIS ACTIVITY AND TO SUPPORT OPERATORS IN THE RECOVERY POLICIES.

INCREASING NEED OF INTELLIGENT DATA INTERPRETATION TO CAPTURE NOVELTIES AND PROVIDE OPERATORS WITH EARLY WARNINGS.

International Workshop on

Complex Network and Infrastructure Protection

CNIP 2006

March 28-29, 2006 - Rome, Italy

http://ciip.casaccia.enea.it/cnip/