Sandro [email protected]://www.progettoreti.enea.it
SCADA Security Summit 2009, Stockholm, October 28, 2009
Protecting Energy Infrastructure
ITALIAN NATIONAL AGENCY FOR NEW TECHNOLOGIES, ENERGY AND SUSTAINABLE ECONOMIC DEVELOPMENT
ENEA’s Critical Infrastructure Protection Program (1/2)
INSTITUTIONAL TASKS
– To increase stakeholders’ awareness of cyber threats and interdependency issues
– To foster collaboration and joint analysis of these topics with/between stakeholders
– To find suitable solutions to manage these issues
ENEA’s Critical Infrastructure Protection Program (2/2)
RESEARCH OBJECTIVES
– To improve resilience of Critical Infrastructures to failures and cyber attacks
  • Early detection
  • Self-awareness and mission fulfilment
– To limit and mitigate cascading effects
  • Analysis of technological networks vulnerabilities and reliability
  • Modelling interdependency
  • Establishing an integrated simulation platform to analyse interdependencies and assess the impact of events or failures
  • Improving situational awareness and mutual coordination among CIs operators
Projects supporting ENEA’s program
• SAFEGUARD "Intelligent Agent Organisation to enhance dependability and survivability of LCCIs" funded by EU-FP5. Partners: QMUL (UK), LiU (SE), AIA (ES), Swisscom (CH)
• SE-TEC "Feasibility Study for a European Network of Secure Test Centres for Reliable ICT-controlled Critical Energy Infrastructures" funded by EU-EPCIP. Partners: D’Appolonia (IT), ET-TS (IT)
• IRRIIS "Integrated Risk Reduction of Information-based Infrastructure Systems" funded by EU-FP6. Partners: FhG (DE), IABG (DE), TNO (NL), SIEMENS (DE), ALCATEL (FR), TI (IT), ACEA (IT), REE (ES), AIA (ES), ENST (FR), CU (UK), VTT (FI), ETH (CH)
• ASTROM "Assessment of resilience to threats of control and data management systems of electrical transmission network" funded by EU-EPCIP. Partners: ERSE (IT), D’Appolonia (IT), BAH (IT), TERNA (IT), ElsagDatamat (IT)
• CRESCO - LAIII "Modeling, Analysis and Simulation of Complex Networks and their interdependencies" funded by MIUR-PON. Partners: Several Italian Universities
• DIESIS "Design of an Interoperable European federated Simulation Network for Critical Infrastructures" funded by EU-FP7. Partners: FhG (DE), CRIAI (IT), ICL (UK), TNO (NL)
• MIA "Definition of a methodology for the assessment of mutual interdependencies between ICT and electricity generation/transmission infrastructures" funded by EU-EPCIP. Partners: ERSE (IT), BAH (IT), TERNA (IT), TI (IT), ENEL (IT)
• MICIE "Tool for systematic risk analysis and secure mediation of data exchanged across linked CI information infrastructures" funded by EU-FP7. Partners: Selex Communications (IT), CRAT (IT), IEC (IL), Henri Tudor (LX), iTrust (LX), IRIAM (PL), Un. Roma TRE (IT)
• NEISAS "National and European Information Sharing and Alerting System" funded by EU-EPCIP. Partners: BAH (IT), LanditD (UK), NICC (NL), PdCM (IT)
• MOTIA "Modeling Tools for Interdependencies Assessment in ICT systems" funded by EU-EPCIP. Partners: CNIPA (IT), GARR (IT), TI (IT), …….
SAFEGUARD Project: Early Detection of Cyber Attacks
• Two classes of cyber threats
– Indiscriminate attacks
– Targeted attacks
• Anomaly detection rationale
– Normal behaviour is well known, anomalous one is not
– It is not possible to think about all the attacks, but we may know the normal behaviour and detect deviation from it
SAFEGUARD ARCHITECTURE
[Figure: SAFEGUARD architecture diagram. Labels: Low-level agents; High-level agents; Cyber Layer of Electricity Network; Home CI; MMI agent; Correlation agent; Action agent; Diagnosis wrappers; Intrusion Detection wrappers; Anomaly Detection agents; Actuators]
SAFEGUARD ARCHITECTURE
[Figure: SAFEGUARD architecture diagram. Labels: Low-level agents; High-level agents; Cyber Layer of Electricity Network; Home CI; Negotiation agent; MMI agent; Diagnosis wrappers; Intrusion Detection wrappers; Anomaly Detection agents]
At Level 1 – identify component failure or attack in progress
Hybrid anomaly detection agents utilise algorithms specialised in detecting deviations from normality. Signature-based algorithms are used to classify failures based on accumulated functional behaviour.
SAFEGUARD ARCHITECTURE
[Figure: SAFEGUARD architecture diagram. Labels: Low-level agents; High-level agents; Cyber Layer of Electricity Network; Home CI; Correlation agent; Action agent; Diagnosis wrappers; Intrusion Detection wrappers; Anomaly Detection agents; Actuators]
At Level 2: the Correlation agent correlates diagnoses; the Action agent replaces functions of failed components
SAFEGUARD ARCHITECTURE
[Figure: SAFEGUARD architecture diagram. Labels: Low-level agents; High-level agents; Cyber Layer of Electricity Network; Home CI; MMI agent; Correlation agent; Action agent; Diagnosis wrappers; Intrusion Detection wrappers; Anomaly Detection agents; Actuators]
At Level 3: operator decision support. The MMI agent supports the operator in the reconfiguration strategy
Information available on SCADA
• Events (change of breaker state, alarms, operator actions, etc.)
• Numeric Data (voltage, etc.)
• Process variables (real-time value of SCADA blocks)
• System health (CPU consumption, memory usage, communication traffic)
SAFEGUARD Agents
• Event Sequence Monitoring Agent recognizes a process from the sequence of events it produces
• DataMining Agent monitors the TCP/IP traffic using Data Mining algorithms looking for anomalies in the values and structure of data packets
• NeuralNetwork Agent validates the data coming from the substations
• Correlation Agent correlates the data coming from the low-level agents
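The anomaly detection rationale and the Event Sequence Monitoring Agent described above can be illustrated with a sliding-window profile of normal event sequences. This is an added example, not SAFEGUARD project code; the event names, the traces and the window length of 3 are constructed assumptions.

```python
from collections import deque


def ngrams(events, n):
    """Yield every window of n consecutive events in a trace."""
    window = deque(maxlen=n)
    for ev in events:
        window.append(ev)
        if len(window) == n:
            yield tuple(window)


def learn_profile(normal_traces, n=3):
    """Normal-behaviour profile: all n-grams seen in known-good traces."""
    profile = set()
    for trace in normal_traces:
        profile.update(ngrams(trace, n))
    return profile


def detect(trace, profile, n=3):
    """Return (position, window) for each window absent from the profile."""
    return [(i, w) for i, w in enumerate(ngrams(trace, n)) if w not in profile]


def score(trace, profile, n=3):
    """Fraction of windows that deviate; 0.0 for traces shorter than n."""
    total = max(len(trace) - n + 1, 0)
    return len(detect(trace, profile, n)) / total if total else 0.0


# Constructed traces: an operator opens and closes a breaker (hypothetical names).
NORMAL = [
    ["OP_LOGIN", "OP_CMD_OPEN", "BREAKER_OPEN", "ALARM_ACK",
     "OP_CMD_CLOSE", "BREAKER_CLOSED", "OP_LOGOUT"],
    ["OP_LOGIN", "OP_CMD_OPEN", "BREAKER_OPEN",
     "OP_CMD_CLOSE", "BREAKER_CLOSED", "OP_LOGOUT"],
]
PROFILE = learn_profile(NORMAL)

# Constructed deviation: the breaker changes state with no operator command.
SUSPECT = ["OP_LOGIN", "BREAKER_OPEN", "ALARM_ACK",
           "OP_CMD_CLOSE", "BREAKER_CLOSED", "OP_LOGOUT"]

if __name__ == "__main__":
    for pos, win in detect(SUSPECT, PROFILE):
        print(f"unseen sequence at event {pos}: {' -> '.join(win)}")
    print(f"deviation score: {score(SUSPECT, PROFILE):.2f}")
```

No attack signature is needed: the breaker event is flagged only because it never follows a login directly in the learned traces.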
SAFEGUARD added value
• Be notified about unexpected (unknown) events
• Be notified about unusual behaviour of the system or of the operator
• Make the assessment on line (and not post-mortem)!
SCADA Operational Constraints (1/2)
• Utilities have significant investment in SCADA equipment. SCADA and similar control equipment are designed to have significant lifetimes
• Protection mechanisms should not be developed that require major replacement of existing equipment in the near term
• Because of the limited capabilities of the SCADA processors, protection mechanisms should be implemented as a retrofitted add-on device
SCADA Operational Constraints (2/2)
• Protection mechanisms management should be designed to operate in one or more control centers for disaster recovery and distributed management purposes
• SCADA systems are designed for frequent (near real-time) status updates. Protection mechanisms should not reduce the performance (reading frequency, transmission delay, computation) below an acceptable level
• SCADA protection mechanisms should be designed to address all forms of SCADA protection, including: monitoring data transmission, cryptographic functions, state estimation functions, topology estimation, usage and actions taken by operators, etc.
Safeguarding SCADA Systems: RETROFITTED ADD-ON SOLUTION
[Figure: diagram labelled SCADA System; RTU (Remote Terminal Unit); Safe Bus; Safe Bus API Interface; Actuators; Anomaly Detectors; Correlators]
ENEA TESTBED TO EXPERIMENT SCADA SAFEGUARD TECHNOLOGY
• Workstation 1: Electrical Network Simulator Data Source
• Workstation 2: RTUs emulators
• Workstation 3: Control Centre emulator
• Workstation 4: Messages communication broker
• Workstation 5: Alarms monitoring interface
• Workstation 6: Disturbance/attacks generator
• Communication Network
Interdependency and Cascading Effects
Lessons learned from past Events
– EU System disturbance on 4 November 2006
  • It was triggered neither by technical failure nor by external event (such as extreme weather conditions)
  • “No specific attention was given by E.ON Netz to the fact that the protection devices have different settings on both sides of the Landesbergen-Wehrendorf line although this information was critical due to the very high flow on this line”.
  • “In some control areas, re-energization of customers was started by DSOs without proper knowledge of the situation in the overall UCTE system; some of them started reconnecting customers without coordination with their TSOs. This worsened the conditions for TSOs action to restore normal system conditions in a controllable way”
– US Blackout on 14 August 2003
  • “Cellular services were severely disrupted because most antenna sites were only provisioned with four to six hours of emergency battery power”.
  • “The state of Michigan scrambled to locate additional fuel supplies for telephone central office backup generators in anticipation of an extended loss of power”
IRRIIS Project: Mitigation of Interdependency and Cascading Effects
• To mitigate interdependency and cascading effects we need:
– To improve situational awareness
– To support collaboration
– To support risk assessment
• IRRIIS MIT technology is
– A communication “platform” for automated information sharing
– A set of additional tools to support risk assessment and risk sharing related to interdependency
IRRIIS MIT Add-On Components
• Internal assessment
– To provide the operator with a clear and as much as possible thorough (and useful!) picture of his own CI
– To get information needed by “neighbouring” CIs about the infrastructure status
• Risk assessment
– To correlate the internal status of the CI with the status of “neighbouring” CIs
– To estimate the probability of occurrence of undesirable event based on both internal and “neighbouring” status
– To share risk information with interested “neighbouring” CIs
• Emergency management
– To support the operator during an emergency.
– To support the local CI operator in the negotiation process with operators of the “neighbouring” CIs during an emergency.
[Figure: diagram labelled OPERATOR (twice); External Communicator; Internal Communicator; Working in normal condition]
Installation of IRRIIS MIT Add-On Components
[Figure: diagram labelled LCCI 1; LCCI 2; Control Room; Control Room with MIT WorkStation; MIT WorkStation; MIT Communication components]
The experimentation environment
[Figure: diagram labelled TEST BED; TECHNOLOGY TO BE TESTED; ACEA Electrical Control Room; Telecom Control Room; SCADA Emulator; Electrical Simulator (Sincal); Routing algorithm; SIMCIP; Electrical MIT; Telco MIT; Electrical RE (Risk Estimator); Telco RE (Risk Estimator)]
ENEA Integrated Simulation Platform
• Implementation of a National Infrastructure Simulation and Analysis Center open to contribution from other subjects involved in the area
• It supports modeling and simulation activities to be used for the purpose of interdependency analysis and assessment of cascading effects
ENEA’s Platform Architecture
[Figure: platform architecture diagram. Labels: Presentation; Scenarios Setup; Simulators; End-User Interface; Results Presentation; Scenarios configuration; Knowledge base; Add-on Tools; Diesis Middleware; Interoperable Simulation Middleware; Domain Simulators; Interdependency Simulators (Cisia, Ciab, Simcip); Repositories: Models Repository (3rd parties), Scenarios Repository, Interdep Model Repository; Hardware Communication Layer; Simulators Output Results; Scenarios deployment and design interface; Scenario expert; Decision Maker]
Available Domain Specific Simulators
• Sincal (Electrical Networks Simulator)
• eAgora (Electrical Networks Simulator)
• Powerworld (Electrical Networks Simulator)
• Psat (Electrical Networks Simulator to be used within Matlab)
• NS2 (Telco Networks Simulator)
• Open Track (Rail Networks Simulator)
Available Network Data (1/2)
• Electric power transmission network (Overall Italian Network)
• Electric power transmission network (Detailed Lazio Region, 380 – 120 kV)
• Railway network – Rome area
• Telecommunication network – Rome area
• Highway and road network – Lazio Region
• Internet worldwide network
• Gas pipeline – Italy
Available Network Data (2/2)
• Water supply – Italy
• Seismology map - Italy
• Landslide liability – Italy
• Rivers, hydrological basins – Italy
• Different scenarios to be used in the “what if” activities
Available Interdependency Simulators
• SimCIP from EU-FP6 IRRIIS Project
• DIESIS from EU-FP7 DIESIS Project (under development)
SimCIP Interdependency Simulation Environment (EU-FP6 IRRIIS)
[Figure: diagram labelled EXPERIMENTER; SimCIP (Discrete Event Simulator); Siemens Sincal (Continuous Electrical Simulator); NS2 (Telecom Simulator)]
(1) loading a scenario
(2) setting the failures to be simulated
(3) starting a simulation
(4) SimCIP interacts with NS2 simulator and gets results.
(4) SimCIP interacts with Sincal simulator and gets results.
(5) Simulation results are stored for results analysis
Scenario evolutions designed and executed within SimCIP simulation environment
[Figure: SimCIP screenshot. Callouts: Components searching panel; Events log panel; Visualization controls; Networks state visualisation graph; Panel used to define sequence of events (scenario)]
DIESIS Federated Simulation Paradigm
[Figure: federation diagram. Labels: FCM; Sim A / FM A; Sim B / FM B; Sim C / FM C; Sim D / FM D; IONT A; IONT B; IONT C; IONT D; FONT; WONT; Scenario definition layer (KBS); Federated simulation layer]
• FCM: Federated Control Module
• FM: Federated manager
• Sim: CI domain simulator
• IONT: Infrastructure ONTology
• FONT: Federation ONTology
• WONT: World ONTology template
DIESIS Federated Simulation Paradigm: Proof Of Concept
[Figure: proof-of-concept diagram. Labels: FCM; Railway; Electric; Flooding; Telco; CI networks (IONT instances); CI networks interconnections (FONT)]
Available Add-on Tools
• Network Topology Analysis Tools (NAT)
• Leontief Simulation Tool
• Leontief Stochastic Chains Tool
• Multi Infrastructure Map for the Evaluation of the Impact of Crisis Scenarios (MIMESIS)
• Electrical Networks Reconfiguration Tool
• Telco Networks Simulator based on fluid dynamics approach
• Network Reliability Analyzer
Leontief Model
In the middle of last century, the Nobel laureate Leontief introduced his celebrated matrices, or tables, to quantify the production dependencies between economic sectors. A typical example of five interdependent sectors is reported hereafter. In the picture, nodes represent the sectors and arcs the non-trivial Leontief coefficients.

0.0 0.1 0.0 0.2 0.0
0.3 0.0 0.5 0.1 0.2
0.1 0.3 0.0 0.2 0.0
0.0 0.1 0.5 0.0 0.3
0.1 0.0 0.3 0.2 0.0

Since Leontief's pioneering works in the '50s, a lot of effort has been devoted to providing simple models to predict macroscopic evolutions of interdependent networks. In this perspective, simple I/O models based on inoperabilities have been introduced.
Extensions of such I/O models have also been positively explored by introducing stochasticity and inner structure macrosectors.
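A worked instance of an inoperability-based I/O model on the five-sector table above. This is an added example, not ENEA's tool: reading entry (i, j) as the share of sector j's inoperability passed on to sector i, the 10% initial shock and the fixed-point iteration q = A q + c are assumptions.

```python
# Added example: inoperability propagation on the slide's 5-sector table.
# Assumption: A[i][j] is the share of sector j's inoperability passed to sector i.
A = [
    [0.0, 0.1, 0.0, 0.2, 0.0],
    [0.3, 0.0, 0.5, 0.1, 0.2],
    [0.1, 0.3, 0.0, 0.2, 0.0],
    [0.0, 0.1, 0.5, 0.0, 0.3],
    [0.1, 0.0, 0.3, 0.2, 0.0],
]


def step(A, q, c):
    """One propagation round q' = min(1, A q + c); 1.0 means fully inoperable."""
    return [min(1.0, sum(a * x for a, x in zip(row, q)) + ci)
            for row, ci in zip(A, c)]


def equilibrium(A, c, tol=1e-9, max_rounds=10_000):
    """Iterate from the initial shock c until inoperabilities stop changing."""
    q = list(c)
    for rounds in range(1, max_rounds + 1):
        nxt = step(A, q, c)
        if max(abs(n - o) for n, o in zip(nxt, q)) < tol:
            return nxt, rounds
        q = nxt
    raise ArithmeticError("no convergence: check the coefficients")


def cascade_report(A, c):
    """(sector, total, indirect) rows, most inoperable sector first."""
    q, _ = equilibrium(A, c)
    rows = [(i + 1, qi, qi - ci) for i, (qi, ci) in enumerate(zip(q, c))]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    shock = [0.0, 0.0, 0.1, 0.0, 0.0]  # constructed: 10% loss injected in sector 3
    for sector, total, indirect in cascade_report(A, shock):
        print(f"sector {sector}: q={total:.4f} (indirect {indirect:.4f})")
```

The indirect column is the inoperability a sector receives purely through its dependencies, which is the cascading effect the model is meant to expose.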
ENEA – Leontief Stochastic Chain Tool
[Figure: three panels (A, B, C): Plain Leontief; Non interacting Nets; Interacting Global Net]
Final considerations
• Improving the resilience of Critical Infrastructures is a multidimensional problem
• Modeling and simulation capacity, also exploiting commercial simulation tools, is necessary to understand the multidimensional problem of vulnerabilities, interdependencies, and cascading effects
• Realistic Testing Environments are necessary to experiment with the technological solutions addressing cyber threats and cascading effects
• Strategies/guidelines to implement exhaustive experimentation sessions must be implemented
• A thorough assessment of the benefits of the solution should be carried out through exhaustive experimentation activities