1
A Comprehensive Approach to Critical Information Infrastructure Assurance
Professor Saifur Rahman, Director
Advanced Research Institute, Virginia Polytechnic Inst & State University, U.S.A.
Euro-Atlantic Symposium on Critical Information Infrastructure Assurance
23-24 March 2006, Riva San Vitale, Switzerland
www.ari.vt.edu
2
Outline
• Critical infrastructures and their interdependencies
• Importance of information and electricity infrastructures
• Cyber and physical vulnerabilities and cascading failures
• Historical and new approaches to CIIA
3
What are Critical Infrastructures?
An infrastructure or asset the destruction of which would have a debilitating impact on the national security and the economic and social welfare of a nation
• Telecom
• Electricity
• Natural gas
• Water
• Transportation
4
Infrastructure Interdependencies
5
Two Important Sectors: Critical Information and Electricity Infrastructures
• Oil and gas
• Banking and finance
• Transportation
• Water and sewer
• Telecommunications
• Emergency responders
• Critical government services
Without these two enabling infrastructures, other infrastructures cannot function
Information, Electricity
6
Electricity and Information Infrastructure for Transportation Sector
Transportation sector
• Electricity to power all equipment
• Real time information gathered and sent by the information infrastructure
Traffic flow detection
Traffic lights
Traffic light control center
Traffic camera
7
Electricity and Information Infrastructure for Banking and Financial Sector
Banking and financial sector
• Needs electricity to process all transactions
• All information is maintained and collected in a network
ATM, Online transaction, Credit card
8
Dependency of Electric Power Delivery on Information Infrastructure
Source: IEEE Power & Energy Magazine, Sep/Oct 2004
CII is necessary for the reliable and secure supply of electricity
9
Dependency of Critical Information Services on Electric Power
Aerial view of the US at night (Source: NASA)
Concentration of ISPs in the US (Source: The GeoURL ICBM Address Server)
10
Types of Vulnerabilities
Cyber Physical - natural
11
Cyber Vulnerabilities
12
Physical Vulnerabilities
Natural Hazards: hurricanes, snowstorms, earthquakes, floods
System Failures: intentional events, equipment failures, human errors
Earthquake, Kobe, Japan, 1995
Major Floods, Europe, 2002
Hurricane Katrina, USA, 2005
13
Vulnerabilities and Cascading Failures
[Diagram labels: Physical/Cyber Attacks; Direct effects; Indirect effects; Electricity outages; IT outages; Oil & gas outages; Water outages; Traffic signal outages; Telecom outages; Business interruptions; Delays in emergency services]
14
Critical Information Infrastructure
Its role in containing Vulnerabilities and minimizing Cascading Failures
15
Why assuring CII is important
CII is a means to monitor and control the system status and reduce vulnerabilities of other critical infrastructures
Electric power systems, natural gas and water supply networks, refineries, etc. are monitored and controlled over an information network called Supervisory Control and Data Acquisition (SCADA)
Early warning signals can be generated over this network so that other CIs can be protected
16
Information Infrastructure Assurance: An Evolving Discipline
Critical – Nation’s safety and prosperity
Pervasive – Wherever IT-enabled services exist.
Evolving – Grows hand-in-hand with technology
Cross-disciplinary – Computer Science, Electrical Engineering, Business, Law, Math, Social Science, etc.
Challenging – Attackers, Failures and Targets
Complex Interdependencies
17
Approaches to Critical Information Infrastructure Assurance
• Assurance aspects in CII design, evolution, operation and maintenance
• Business, management, and organizational issues
• Law, policy, and privacy issues
18
Assurance aspects in CII design, evolution, operation and maintenance
There is a broad spectrum of security research across several academic disciplines and research groups. For example:
• Cryptology and cryptography
• Network security
• Internet security
• Intrusion detection
• Electronic commerce
• Secure software agents
• Multicast security
• Security for wireless systems
19
Business, management, and organizational issues
Information security is a business and national security issue as well as a matter of management practice
Security threats, i.e. fraud, abuse and errors from inside the organization, are potentially dangerous and likely to occur
Need to educate employees about
• Latest developments in information security trends, i.e. viruses, spam, threats
• When and how to approach law enforcement agencies
20
Law, policy, and privacy issues
Need cooperation among government, private sector and academic organizations
Need the development of a broad strategy to promote national or regional awareness/partnership for critical infrastructure security
• Primary foci are, for example, owners and operators of critical infrastructures and other influential stakeholders in the economy
Samples of government policies in the US
• Security Breach state laws: www.crowell.com/pdf/SecurityBreachTable.pdf
• Critical Infrastructure Information Act (2002): www.fas.org/sgp/crs/RL31762.pdf
21
An Example of Infrastructure Assurance: SCADA Systems
SCADA – Supervisory Control and Data Acquisition
Most power system controls are based on SCADA systems.
Other applications are: (A) oil & gas operations, (B) water & waste water management systems.
Power Gas Water
22
Components of a typical SCADA System
An old technology with a critical importance
SCADA components
1. Master Station (MS)
2. Remote Terminal Units (RTU)
3. Communication links between MS and RTU, e.g. LAN, WAN, VSAT, TCP/IP, Wireless
Source: www.ucos.com
23
Traditional SCADA systems on Independent Networks
Each infrastructure has its unique & separate SCADA systems
• Electricity SCADA systems cannot piggyback on that of gas or water
• Gas network SCADA systems cannot run on other networks
• Similarly, electricity or gas SCADA systems cannot be shared with that of water supply systems
Source: www.keymile.com
24
Internet-based SCADA systems
If a common backbone can be used among various infrastructures, there will be only small additional costs to build an individual SCADA system.
Source: IEEE Power & Energy Magazine, March/April 2005
25
Internet-based SCADA systems: Pros and Cons
Advantages of using Internet-based SCADA:
• Wide-area connectivity and pervasive
• Routability
• Redundancy and hot standby
• Integration of IT with automation and monitoring networks
• Standardization
• Can login from anywhere in the world
Disadvantages:
• Security concerns
• Reliability concerns
26
Research and Development in CIIA
How to secure CII so that it can facilitate the protection and reduce vulnerability of other critical infrastructures
27
Thanks for Listening
Name: Prof. Saifur Rahman
Affiliation: Virginia Tech, USA
Phone: (703) 528-5500
Email: [email protected]
Web site: www.ari.vt.edu
Questions or Comments?