Preliminary Interdependency Analysis: An Approach to Support Critical Infrastructure Risk Assessment

We present a methodology, Preliminary Interdependency Analysis (PIA), for analysing interdependencies between critical infrastructure (CI). Consisting of two phases – qualitative analysis followed by quantitative analysis – an application of PIA progresses from a relatively quick elicitation of CI-interdependencies to the building of representative CI models, and the subsequent estimation of any resilience, risk or criticality measures an assessor might be interested in. By design, stages in the methodology are both flexible and iterative, resulting in interacting CI models that are scalable and may vary significantly in complexity and fidelity, depending on the needs and requirements of an assessor. For model parameterisation, one relies on a combination of field data, sensitivity analysis and expert judgement. Facilitated by dedicated software tool support, we illustrate PIA by applying it to a complex case-study of interacting Power (distribution and transmission) and Telecommunications networks in the Rome area. A number of studies are carried out, including: 1) an investigation of how “strength of dependence” between the CIs’ components affects various measures of risk and uncertainty, 2) for resource allocation, an exploration of different, but related, notions of CI component importance, and 3) highlighting the impact of model fidelity on the estimated risk of cascades

Defending the SCADA Network Controlling the Electrical Grid from Advanced Persistent Threats

RÉSUMÉ Les civilisations modernes sont dépendantes des technologies de l'information et des communications. Par ce fait, elles requièrent une alimentation constante en électricité pour assurer leur prospérité. Un siècle de travaux acharnés par des ingénieurs en électronique de puissance permet de garantir la fiabilité des réseaux électriques. Un des outils pour arriver à cette fin est une augmentation de l'automatisation et du contrôle à distance des réseaux électriques. Cette technologie permet aux contrôleurs qui opèrent le réseau électrique d'ajuster automatiquement des paramètres opérationnels pour faire face aux contraintes extérieures au fur et à mesure que ces contraintes évoluent. Par exemple, une augmentation de la demande suite à une vague de froid va automatiquement entraîner une augmentation de l'approvisionnement par l'envoi de commandes à distance pour ouvrir les vannes à la centrale hydroélectrique et faire tourner les turbines plus rapidement. Ceci garanti que le réseau électrique fonctionne toujours à pleine capacité et livre l'énergie électrique avec fiabilité, sans égard aux conditions externes. Paradoxalement, les gains offerts par les systèmes automatisés ont introduit un risque jusqu'alors inconnu à la fiabilité du réseau électrique : les cyber attaques. Pour permettre l'automatisation, les opérateurs de réseaux électriques se sont tournés vers la technologie d'acquisition de données et de supervision, mieux connu sous le nom de système SCADA. De nos jours, la technologie SCADA se base sur du matériel et des logiciels commerciaux comme les communications TCP/IP via Ethernet ou comme le système d'exploitation Windows. Ceci permet aux entités malicieuses de faire usage de leur savoir concernant les techniques offensives qu'ils ont développé pour attaquer les systèmes traditionnels faisant usage de ces technologies. La majorité de ces entités sont des menaces diffuses cherchant principalement à acquérir de la capacité de stockage servant à héberger du contenu illégal, du temps machine pour envoyer du spam ou des mots de passe pour permettre la fraude. Cet objectif est plus facile à atteindre en attaquant des ordinateurs personnels plutôt que des machines d'un réseau SCADA. Toutefois, certains acteurs ciblent délibérément les réseaux SCADA puisque ceux-ci ont le potentiel de causer des dégâts dans le monde physique. Ces acteurs recherchent agressivement les vulnérabilités et persévèrent dans leurs attaques, même face à une amélioration de la capacité défensive du réseau. Ces acteurs se font affubler le qualificatif de menaces persistantes avancées ou APTs. À cause de cette volonté de cibler un réseau spécifique, il est plus difficile de détourner ces attaquants vers d'autres victimes. Si nous souhaitons empêcher ces APTs de s'attaquer aux réseaux SCADA qui contrôlent l'infrastructure critique, nous devons élaborer une stratégie qui ne repose pas sur la réduction complète des vulnérabilités. Un bon nombre de contraintes opérationnelles, comme le mode d'opération 24/7 qui rend la tenue de périodes de maintenance difficile, garantissent qu'il y aura toujours au moins une vulnérabilité potentiellement exploitable par un attaquant. Dans ce contexte, l'objectif de ce projet de recherche est d'aider les opérateurs de réseaux électriques à défendre leur réseau SCADA contre les menaces persistantes avancées. Pour atteindre cet objectif, nous visons à mieux comprendre comment le comportement des menaces persistantes avancées se manifeste dans un réseau SCADA et à développer, en se basant sur des preuves expérimentales, de nouveaux outils et techniques pour se défendre contre les comportements attendus. En analysant les travaux antérieurs, on reconnaît que la vraie nature d'un réseau SCADA est de servir de boucle de contrôle pour le réseau électrique. Une conséquence directe est que tout attaquant qui obtient accès au réseau SCADA peut altérer l'état du réseau électrique à sa guise. Si un APT voudrait poursuivre ce but, la recherche actuelle en sécurité des réseau SCADA ne parviendrait pas à prévenir cette attaque puisqu'elle n'est pas orientée vers stopper les attaquants hautement qualifiés. Ceci rend les réseaux SCADA invitants pour les états engagés dans une compétition agressive. Malgré cela, aucun cyber incident majeur causant des dégâts physiques n'est répertorié à ce jour. En se basant sur cette observation, nous avons développé un modèle d'attaque pour le comportement d'un APT dans un réseau SCADA qui n'implique pas nécessairement des dommages massifs dans le monde physique. Ainsi, nous avons introduit le scénario d'attaque par trou d'aiguilles, notre première contribution majeure, dans lequel un attaquant cause de petits dégâts qui s'accumulent sur une longue période pour éviter d'être détecté. À partir de ce scénario, nous avons développé une stratégie consistant à augmenter la capacité de surveillance, c'est-à-dire de renforcer la puissance de la détection, pour prévenir l'utilisation de ce scénario d'attaque par les APTs. En se basant sur notre intuition que la détection d'intrusion par anomalie sera particulièrement efficace dans le contexte hautement régulier d'un réseau SCADA, l'utilisation de cette technique est favorisée. Pour tester les capacités de notre détecteur, nous devons adresser le problème du manque d'infrastructures expérimentales adaptées à la recherche en sécurité des réseaux SCADA. Une revue de la littérature montre que les approches expérimentales courantes ne sont pas appropriées pour générer des données réseau avec une haute fidélité. Pour résoudre ce problème, nous avons introduit le concept du Carré de sable ICS, notre deuxième contribution majeure, qui utilise une approche hybride combinant la haute fidélité des résultats de l'émulation et le facteur d'échelle et le faible coût de la simulation pour créer un montage expérimental capable de produire des données réseau de haute fidélité, adaptées à l'usage expérimental. Finalement, nous avons été en mesure de tester une implémentation d'un système de détection d'intrusion par anomalies, notre troisième contribution majeure, en utilisant le Carré de sable ICS. En utilisant des caractéristiques simples, il est possible de détecter du trafic de commandement et contrôle dans un réseau SCADA, ce qui force les attaquant à utiliser pour leurs opérations routinières de maintenance de complexes canaux cachés dont la bande passante est limitée. Ceci atteste de la validité de notre intuition selon laquelle la détection par anomalie est particulièrement efficace dans les réseaux SCADA, revitalisant par le fait même une technique de défense qui a longtemps été délaissée à cause de sa piètre performance dans les réseaux corporatifs typiques. La somme de ces contributions représente une amélioration significative de l'état de la défense des réseaux SCADA contre les menaces persistantes avancées, incluant les menaces en provenance des services de renseignement étatiques. Ceci contribue à une augmentation de la fiabilité des infrastructure critiques, et des réseaux électriques en particulier, face à un intérêt grandissant de la part des cyber attaquants.----------ABSTRACT Modern civilization, with its dependency on information technology, require a steady supply of electrical power to prosper. A century of relentless work by power engineers has ensured that the power grid is reliable. One of tools they used to achieve that goal is increased automation and remote control of the electrical grid. This technology allows the controllers supervising the power grid to automatically adjust operational parameters to meet external constraints as they evolve. A new surge in demand from a cold night will trigger an automated increase in supply. Remote control commands will be sent to open sluice gates at the hydroelectric plant to make turbines spin faster and generate more power. This ensures the electric grid always functions at peak efficiency and reliably deliver power no matter what the external conditions are. Paradoxically, the gains provided by the automated systems invited a previously unknown risk to the reliability of power delivery: cyber attacks. In order to achieve automation, utility operators have turned to Supervisory Control and Data Acquisition, or SCADA, technology. In this era, SCADA technology is built on top of commercial off the shelf hardware and software such as TCP/IP over Ethernet networks and Windows operating system. This enables malicious entities to leverage their pre-existing knowledge of offensive techniques known to work on these platform to attack the SCADA networks controlling critical infrastructure. Of those entities, the majority are unfocused attackers searching for commodity assets such as storage capacity to store illegal materials, processing power to send spam or credentials to enable fraud. However, some actors are deliberatively targeting the SCADA networks for their ability to cause damage in the physical realm. These actors aggressively search for vulnerabilities and are stubborn in the face of an increase in defensive measures and are dubbed advanced persistent threats, or APTs. As such, it is more difficult to turn them away. If we want to prevent these advanced persistent threats from preying on the SCADA networks controlling our critical infrastructure, we need to devise a defense that does not rely on completely removing vulnerabilities. A number of operational constraints, such as the need to operate 24/7 precluding the opening of maintenance windows, ensure that there will always be a vulnerability that can be exploited by an attacker. In that light, the goal of this research project is to is to help power grid operators defend their SCADA networks against advanced persistent threats. To achieve that goal we aim to better understand how the behaviour of advanced persistent threats will manifest itself in a SCADA network and to develop, based on evidence derived from experiments, new tools and techniques to defeat the expected behaviour. By analyzing prior work, we recognize that the true nature of SCADA networks is to serve as a basic control loop for the electric grid. A direct consequence is that any attacker gaining access to the SCADA network could send the grid into any state he wishes. We also showed that, should advanced persistent threats attempt to pursue this goal, current research in SCADA security would not provide significant help, not being focused on preventing the exploitation of SCADA network by skilled attackers. This makes SCADA networks attractive to nation states engaged in aggressively competitive behaviour. However, no evidence of major cyber incidents causing physical damage is forthcoming. From that observation, we developed an attacker model for advanced persistent threat behaviour in SCADA networks that did not necessarily involve causing massive physical damage. So, we introduced the pinprick attack scenario, our first major contribution, in which an attacker causes small amounts of damage that accumulate over time in order to stay under the radar. From this scenario, we developed a strategy of increasing the capability of surveillance, or boosting the radar so to speak, in order to prevent advanced persistent threats from using this scenario. The use of anomaly-based intrusion detection was favored based on our intuition that it would prove very effective in the highly regimented context of SCADA networks. To test the capability of our detector, we needed to address the lack of experimental infrastructure suitable for network security. However, a study of the literature shows that current experimental approaches are not appropriate to generate high fidelity network data. To solve this problem, we introduced the ICS sandbox concept, our second major contribution, that used a hybrid approach combining the high fidelity results of emulation and the scalability and cost reduction of simulation to create an experimental setup able to produce high fidelity network data sets for experimentation. Finally, we were able to test an implementation of anomaly-based intrusion detection, our third major contribution, using the ICS sandbox. Using only simple features, it was possible to detect command and control traffic in a SCADA network and push attackers to use complex covert channels with limited bandwidth to perform their routine maintenance operations. This attests to the validity of our intuition that anomaly-based detection is particularly effective in SCADA network, revivifying a defensive technique that suffers from poor performance in typical corporate networks. The sum of these contributions represent a significant improvement in the defense of SCADA networks against advanced persistent threats, including threats from nation state sponsored intelligence agencies. This contributes to the increased reliability of critical infrastructure, and of the electrical grid in particular, in the face of an increasing interest by cyber attackers

Architecture, Services and Protocols for CRUTIAL

This document describes the complete specification of the architecture, services and protocols of the project CRUTIAL. The CRUTIAL Architecture intends to reply to a grand challenge of computer science and control engineering: how to achieve resilience of critical information infrastructures (CII), in particular in the electrical sector. In general lines, the document starts by presenting the main architectural options and components of the architecture, with a special emphasis on a protection device called the CRUTIAL Information Switch (CIS). Given the various criticality levels of the equipments that have to be protected, and the cost of using a replicated device, we define a hierarchy of CIS designs incrementally more resilient. The different CIS designs offer various trade offs in terms of capabilities to prevent and tolerate intrusions, both in the device itself and in the information infrastructure. The Middleware Services, APIs and Protocols chapter describes our approach to intrusion tolerant middleware. The CRUTIAL middleware comprises several building blocks that are organized on a set of layers. The Multipoint Network layer is the lowest layer of the middleware, and features an abstraction of basic communication services, such as provided by standard protocols, like IP, IPsec, UDP, TCP and SSL/TLS. The Communication Support layer features three important building blocks: the Randomized Intrusion-Tolerant Services (RITAS), the CIS Communication service and the Fosel service for mitigating DoS attacks. The Activity Support layer comprises the CIS Protection service, and the Access Control and Authorization service. The Access Control and Authorization service is implemented through PolyOrBAC, which defines the rules for information exchange and collaboration between sub-modules of the architecture, corresponding in fact to different facilities of the CII’s organizations. The Monitoring and Failure Detection layer contains a definition of the services devoted to monitoring and failure detection activities. The Runtime Support Services, APIs, and Protocols chapter features as a main component the Proactive-Reactive Recovery service, whose aim is to guarantee perpetual correct execution of any components it protects.Project co-funded by the European Commission within the Sixth Frame-work Programme (2002-2006

JTIT

kwartalni

Managed access dependability for critical services in wireless inter domain environment

The Information and Communications Technology (ICT) industry has through the last decades changed and still continues to affect the way people interact with each other and how they access and share information, services and applications in a global market characterized by constant change and evolution. For a networked and highly dynamic society, with consumers and market actors providing infrastructure, networks, services and applications, the mutual dependencies of failure free operations are getting more and more complex. Service Level Agreements (SLAs) between the various actors and users may be used to describe the offerings along with price schemes and promises regarding the delivered quality. However, there is no guarantee for failure free operations whatever efforts and means deployed. A system fails for a number of reasons, but automatic fault handling mechanisms and operational procedures may be used to decrease the probability for service interruptions. The global number of mobile broadband Internet subscriptions surpassed the number of broadband subscriptions over fixed technologies in 2010. The User Equipment (UE) has become a powerful device supporting a number of wireless access technologies and the always best connected opportunities have become a reality. Some services, e.g. health care, smart power grid control, surveillance/monitoring etc. called critical services in this thesis, put high requirements on service dependability. A definition of dependability is the ability to deliver services that can justifiably be trusted. For critical services, the access networks become crucial factors for achieving high dependability. A major challenge in a multi operator, multi technology wireless environment is the mobility of the user that necessitates handovers according to the physical movement. In this thesis it is proposed an approach for how to optimize the dependability for critical services in multi operator, multi technology wireless environment. This approach allows predicting the service availability and continuity at real-time. Predictions of the optimal service availability and continuity are considered crucial for critical services. To increase the dependability for critical services dual homing is proposed where the use of combinations of access points, possibly owned by different operators and using different technologies, are optimized for the specific location and movement of the user. A central part of the thesis is how to ensure the disjointedness of physical and logical resources so important for utilizing the dependability increase potential with dual homing. To address the interdependency issues between physical and logical resources, a study of Operations, Administrations, and Maintenance (OA&M) processes related to the access network of a commercial Global System for Mobile Communications (GSM)/Universal Mobile Telecommunications System (UMTS) operator was performed. The insight obtained by the study provided valuable information of the inter woven dependencies between different actors in the delivery chain of services. Based on the insight gained from the study of OA&M processes a technological neutral information model of physical and logical resources in the access networks is proposed. The model is used for service availability and continuity prediction and to unveil interdependencies between resources for the infrastructure. The model is proposed as an extension of the Media Independent Handover (MIH) framework. A field trial in a commercial network was conducted to verify the feasibility in retrieving the model related information from the operators' Operational Support Systems (OSSs) and to emulate the extension and usage of the MIH framework. In the thesis it is proposed how measurement reports from UE and signaling in networks are used to define virtual cells as part of the proposed extension of the MIH framework. Virtual cells are limited geographical areas where the radio conditions are homogeneous. Virtual cells have radio coverage from a number of access points. A Markovian model is proposed for prediction of the service continuity of a dual homed critical service, where both the infrastructure and radio links are considered. A dependability gain is obtained by choosing a global optimal sequence of access points. Great emphasizes have been on developing computational e cient techniques and near-optimal solutions considered important for being able to predict service continuity at real-time for critical services. The proposed techniques to obtain the global optimal sequence of access points may be used by handover and multi homing mechanisms/protocols for timely handover decisions and access point selections. With the proposed extension of the MIH framework a global optimal sequence of access points providing the highest reliability may be predicted at real-time

Modelling and Design of Resilient Networks under Challenges

Communication networks, in particular the Internet, face a variety of challenges that can disrupt our daily lives resulting in the loss of human lives and significant financial costs in the worst cases. We define challenges as external events that trigger faults that eventually result in service failures. Understanding these challenges accordingly is essential for improvement of the current networks and for designing Future Internet architectures. This dissertation presents a taxonomy of challenges that can help evaluate design choices for the current and Future Internet. Graph models to analyse critical infrastructures are examined and a multilevel graph model is developed to study interdependencies between different networks. Furthermore, graph-theoretic heuristic optimisation algorithms are developed. These heuristic algorithms add links to increase the resilience of networks in the least costly manner and they are computationally less expensive than an exhaustive search algorithm. The performance of networks under random failures, targeted attacks, and correlated area-based challenges are evaluated by the challenge simulation module that we developed. The GpENI Future Internet testbed is used to conduct experiments to evaluate the performance of the heuristic algorithms developed

Application of service composition mechanisms to Future Networks architectures and Smart Grids

Aquesta tesi gira entorn de la hipòtesi de la metodologia i mecanismes de composició de serveis i com es poden aplicar a diferents camps d'aplicació per a orquestrar de manera eficient comunicacions i processos flexibles i sensibles al context. Més concretament, se centra en dos camps d'aplicació: la distribució eficient i sensible al context de contingut multimèdia i els serveis d'una xarxa elèctrica intel·ligent. En aquest últim camp es centra en la gestió de la infraestructura, cap a la definició d'una Software Defined Utility (SDU), que proposa una nova manera de gestionar la Smart Grid amb un enfocament basat en programari, que permeti un funcionament molt més flexible de la infraestructura de xarxa elèctrica. Per tant, revisa el context, els requisits i els reptes, així com els enfocaments de la composició de serveis per a aquests camps. Fa especial èmfasi en la combinació de la composició de serveis amb arquitectures Future Network (FN), presentant una proposta de FN orientada a serveis per crear comunicacions adaptades i sota demanda. També es presenten metodologies i mecanismes de composició de serveis per operar sobre aquesta arquitectura, i posteriorment, es proposa el seu ús (en conjunció o no amb l'arquitectura FN) en els dos camps d'estudi. Finalment, es presenta la investigació i desenvolupament realitzat en l'àmbit de les xarxes intel·ligents, proposant diverses parts de la infraestructura SDU amb exemples d'aplicació de composició de serveis per dissenyar seguretat dinàmica i flexible o l'orquestració i gestió de serveis i recursos dins la infraestructura de l'empresa elèctrica.Esta tesis gira en torno a la hipótesis de la metodología y mecanismos de composición de servicios y cómo se pueden aplicar a diferentes campos de aplicación para orquestar de manera eficiente comunicaciones y procesos flexibles y sensibles al contexto. Más concretamente, se centra en dos campos de aplicación: la distribución eficiente y sensible al contexto de contenido multimedia y los servicios de una red eléctrica inteligente. En este último campo se centra en la gestión de la infraestructura, hacia la definición de una Software Defined Utility (SDU), que propone una nueva forma de gestionar la Smart Grid con un enfoque basado en software, que permita un funcionamiento mucho más flexible de la infraestructura de red eléctrica. Por lo tanto, revisa el contexto, los requisitos y los retos, así como los enfoques de la composición de servicios para estos campos. Hace especial hincapié en la combinación de la composición de servicios con arquitecturas Future Network (FN), presentando una propuesta de FN orientada a servicios para crear comunicaciones adaptadas y bajo demanda. También se presentan metodologías y mecanismos de composición de servicios para operar sobre esta arquitectura, y posteriormente, se propone su uso (en conjunción o no con la arquitectura FN) en los dos campos de estudio. Por último, se presenta la investigación y desarrollo realizado en el ámbito de las redes inteligentes, proponiendo varias partes de la infraestructura SDU con ejemplos de aplicación de composición de servicios para diseñar seguridad dinámica y flexible o la orquestación y gestión de servicios y recursos dentro de la infraestructura de la empresa eléctrica.This thesis revolves around the hypothesis the service composition methodology and mechanisms and how they can be applied to different fields of application in order to efficiently orchestrate flexible and context-aware communications and processes. More concretely, it focuses on two fields of application that are the context-aware media distribution and smart grid services and infrastructure management, towards a definition of a Software-Defined Utility (SDU), which proposes a new way of managing the Smart Grid following a software-based approach that enable a much more flexible operation of the power infrastructure. Hence, it reviews the context, requirements and challenges of these fields, as well as the service composition approaches. It makes special emphasis on the combination of service composition with Future Network (FN) architectures, presenting a service-oriented FN proposal for creating context-aware on-demand communication services. Service composition methodology and mechanisms are also presented in order to operate over this architecture, and afterwards, proposed for their usage (in conjunction or not with the FN architecture) in the deployment of context-aware media distribution and Smart Grids. Finally, the research and development done in the field of Smart Grids is depicted, proposing several parts of the SDU infrastructure, with examples of service composition application for designing dynamic and flexible security for smart metering or the orchestration and management of services and data resources within the utility infrastructure

Robustness of hierarchical spatial critical infrastructure networks

PhD ThesisThe economic state and wellbeing of a nation is dependent upon the critical infrastructure networks that deliver resources, goods and services. However, these are increasingly exposed to a number of hazards, both natural and man-made, which threaten to disrupt their ability to function. It is essential that in order to develop long-term strategic plans of infrastructure provision we are able to understand their current robustness to such hazards. The robustness of critical infrastructure networks has typically been investigated from a topological perspective as a means of simplifying the complexities associated with their analysis. Such work has led to many studies suggesting critical infrastructures exhibit a topological structure, from random to exponential degree distributions. However, often such analysis ignores the explicit spatial characteristics of the node and edge assets. Furthermore, the very nature of topological analysis means that flows/movements that take place over such networks cannot be considered. This work addresses these weaknesses by extending traditional topological analysis to consider emergent properties critical infrastructure networks exhibit when considering higher-order connectivity and flows. An analysis of a suite of synthetic networks with a spectrum of topologies alongside real infrastructure spatial networks, in terms of their basic topology and high-order connectivity, shows that a number of critical infrastructure networks seem to be better characterised as hierarchical networks. Subsequent failure modelling reveals that such hierarchical networks responded in a dramatically different manner to perturbations; complete failure occurring approximately 19 and 34 percent sooner for random and targeted failures compared to random networks. Such poor robustness is further exacerbated when flow simulation modelling over the resulting hierarchical networks is undertaken, revealing particular sensitivity to cascading failures from spatial hazards. In light of these results, it is suggested that it is essential to improve the robustness of critical infrastructure networks that exhibit a hierarchical spatial organisation.School of Civil Engineering and Geosciences, Newcastle University

Proceedings of the Second International Mobile Satellite Conference (IMSC 1990)

Presented here are the proceedings of the Second International Mobile Satellite Conference (IMSC), held June 17-20, 1990 in Ottawa, Canada. Topics covered include future mobile satellite communications concepts, aeronautical applications, modulation and coding, propagation and experimental systems, mobile terminal equipment, network architecture and control, regulatory and policy considerations, vehicle antennas, and speech compression