1st IRRIIS Workshop, April 26th, 2006
Key challenges for Critical Information Infrastructure Protection
1st IRRIIS Workshop, Sankt Augustin, April 26th, 2006
Tatiana Roubinchtein, Mechthild Stöwer
Main Problem areas and (inter)dependencies between Critical Infrastructures
Vulnerability of Critical Infrastructures
• Blackout America North East, August 2003
• Blackout Italy, September 2003
• Crashing of French GSM network, November 2004
Multiple Events – similar patterns
• Multiple interacting contingencies
• Low-probability event sequences, very difficult to predict
• Failures of monitoring, control and protection equipment cause cascading events
Specific causes
• Italian blackout: cross border problem
• US blackout: inadequate setting of backup line protection equipment
• French GSM Network crash: failed software update
Economical/political problems
• High degree of business interdependencies
• Market restructuring – liberalisation, privatisation, increase of competition; conflicting stakeholders' interests (e.g. private companies, public interests)
• Cost-pressure
• Offshore reliance
• Increasing demand/network loads
• Insufficient political awareness regarding vulnerabilities of CI
• Lack of public research
Organisational problems
• Missing appropriate business models
• Lack of appropriate risk assessment models
• Lack of appropriate security policies including different (inter)dependent CIs
• Insufficient information sharing
• Insufficient skills of personnel
Technological problems induced by market forces
• Heterogeneous hardware infrastructure
  • Out-dated legacy system
  • Insufficient hardware performance
• Transfer of monitoring/control information via public networks
• Usage of open, publicly available network protocols and standards
• Increasing use of Commercial-off-the-Shelf (COTS) solutions
• (Poorly designed) Connections between control systems and enterprise networks
Technological problems induced by technological evolution
• Complexity of the new technologies requires appropriate management procedures
  • Intransparent network systems
  • Heterogeneous hardware infrastructure
  • Mix of software solutions
• Complexity of the new technologies causes new vulnerabilities
  • Upgrades hard to retrofit to legacy systems
  • Quality of COTS often insufficient
Technological problems induced by new risk factors
• Transfer of monitoring/control information via public networks
• No use of appropriate encryption systems for information transfer and storage
• Usage of proprietary network protocols and standards
• Insecure wireless LANs in use
• Missing appropriate authentication procedures
• Missing appropriate software certification
• SCADA and DCS security tools often have “back-door” system access and other known vulnerabilities
• Unpatched components on the PC/SCADA networks
Deficits within appropriate standard frameworks
• Missing appropriate network models reflecting interdependencies within a CI and other CIs
• No consistent cyber security standards
• Hard to specify and evaluate threats
• Lack of unified mathematical framework with robust tools for modelling, simulation, control and optimisation of time-critical operations
Points to be discussed
• List of technology problems comprehensive? (missing issues?)
• Prioritisation of problem areas
• Approaches of technology providers and operators to solve the problems? Significant gaps?
• Approaches to solve modelling issues
• Evaluation of standardisation activities