1st IRRIIS Workshop, April 26th, 2006 Key challenges for Critical Information Infrastructure Protection 1st IRRIIS Workshop Sankt Augustin April 26th, 2006 Tatiana Roubinchtein, Mechthild Stöwer Main Problem areas and (inter)dependencies between Critical Infrastructures

Vulnerability of Critical Infrastructures

• Blackout America North East, August 2003

• Blackout Italy, September 2003

• Crashing of French GSM network, November 2004

Multiple Events – similar patterns

• Multiple interacting contingencies

• Low probability event sequence - very difficult to predict

• Failures of monitoring, control and protection equipment cause cascading events

Specific causes

• Italian blackout: cross border problem

• US blackout: inadequate setting of backup line protection equipment

• French GSM Network crash: failed software update

Economic/political problems

• High degree of business interdependencies

• Market restructuring – liberalisation, privatisation, increase of competition; conflicting stakeholders’ interests (e.g. private companies, public interests)

• Cost-pressure

• Offshore reliance

• Increasing demand/network loads

• Insufficient political awareness regarding vulnerabilities of CI

• Lack of public research

Organisational problems

• Missing appropriate business models

• Lack of appropriate risk assessment models

• Lack of appropriate security policies including different (inter)dependent CIs

• Insufficient information sharing

• Insufficient skills of personnel

Technological problems induced by market forces

• Heterogeneous hardware infrastructure

    • Out-dated legacy system

    • Insufficient hardware performance

• Transfer of monitoring/control information via public networks

• Usage of open, publicly available network protocols and standards

• Increasing use of Commercial-off-the-Shelf (COTS) solutions

• (Poorly designed) Connections between control systems and enterprise networks

Technological problems induced by technological evolution

• Complexity of the new technologies requires appropriate management procedures

    • Non-transparent network systems

    • Heterogeneous hardware infrastructure

    • Mix of software solutions

• Complexity of the new technologies causes new vulnerabilities

    • Upgrades hard to retrofit to legacy systems

    • Quality of COTS often insufficient

Technological problems induced by new risk factors

• Transfer of monitoring/control information via public networks

• No use of appropriate encryption systems for information transfer and storage

• Usage of proprietary network protocols and standards

• Insecure wireless LANs in use

• Missing appropriate authentication procedures

• Missing appropriate software certification

• SCADA and DCS security tools often have “back-door” system access and other known vulnerabilities

• Unpatched components on the PC/SCADA networks

Deficits within appropriate standard frameworks

• Missing appropriate network models reflecting interdependencies within a CI and other CIs

• No consistent cyber security standards

• Hard to specify and evaluate threats

• Lack of unified mathematical framework with robust tools for modelling, simulation, control and optimisation of time-critical operations

Points to be discussed

• List of technology problems comprehensive? (missing issues?)

• Prioritisation of problem areas

• Approaches of technology providers and operators to solve the problems? Significant gaps?

• Approaches to solve modelling issues

• Evaluation of standardisation activities