
Survivability of Critical Infrastructure Systems*

John Knight

Department of Computer Science

University of Virginia

*Joint work with the University of Colorado and the University of California, Davis.

January 30, 2001 Survivability of Critical Infrastructure Systems 2


Outline

• Domain Analysis:
  – Services Provided And Core Information Systems
  – Threats and Vulnerabilities

• Survivability Architectures:
  – System Architectural Concepts
  – Application Reconfiguration

• Security of Survivability Mechanisms

• Prototyping System/Testbed

• Comprehensive Survivability—Overview of Willow (U. Col, U. Va, UCD):
  – Generalized Timeline
  – Generalized Recovery


Sponsors

• DARPA

• U.S. Air Force

• Microsoft

• NASA

Domain Analysis


Critical Infrastructure


Application Interdependence

[Figure: interdependence among Power Generation And Distribution, Telecommunications, and Finance]


Application Domains

• Financial systems—World-Wide Networks:
  – Payment System, Fedwire
  – CHIPS, SWIFT, ACHs
  – Credit Cards, Debit Cards, Smart Cards
  – Equities, Treasuries, Futures, Options, Foreign Exchange

• Electric Power—Highly Automated System:
  – Regional Networks, National Networks, National Databases
  – Generation And Distribution Control, Equipment Monitoring

• Freight Rail:
  – Four Companies Serve Entire Country
  – Very Sophisticated Systems
  – Critical Infrastructure Application


Freight Rail

• Four Companies Serve Entire Country

• Very Sophisticated Computer Systems:
  – Real-time Move Authority
  – Real-time Locomotive and Car Monitoring
  – Real-time Switching
  – Scheduling
  – Customer Interaction

• Critical Information System


Example - CSX Corporation

• Large East-Coast Freight Rail System

• 430,000 Employees In 1960, 28,000 Employees Now

• Difference Is Information Technology

• “Just In Time” Is Essence Of Transport:
  – Partially In Effect
  – Growing And Considered Essential

• Intermodal System Expanding

• Network-Wide Payload Scheduling and Management


CSX Carloads (Thousands)

• Agricultural Products: 254

• Automotive: 367

• Chemicals: 408

• Coal: 1,711

• Food & Consumer: 161

• Forest Products: 443

• Intermodal: 980

• Metals: 227

• Minerals: 428

• Phosphates and Fertilizers: 511


CSX System Characteristics

• Operates In 20 States, 31,365 Miles Of Track

• 2,773 Locomotives, 97,504 Freight Cars

• ALL Controlled From Jacksonville, FL:
  – Train Assembly And Dispatch
  – Real-Time Recording Of Equipment Locations
  – Switching/Signaling


CSX Computer Systems

• Operations Center:
  – 150 VAX-Based Information Displays
  – Real-Time Signal And Status, Voice Comm.

• Data Center:
  – Mainframe-Based Database Systems
  – Five Terabytes Of Data
  – 10^9 Accesses/Day, 12-15% Updates
  – 2,400 MIPS Of Processor Capacity


The Future

• Positive Train Separation:
  – Moving Block vs. Fixed Block
  – Differential GPS & Inertial System To Track Trains
  – Real-Time Sequence Of Move Authorizations
  – Major Demonstration:
    • Portland (OR) -> Hinkle -> Blaine

• Precision Train Control:
  – Power Distributed Throughout Train
  – Electronic Braking
  – Traintalk System, “Train by Wire”


Rail Network Management

• New Control Center Capabilities (Redundancy, Automation, Flexibility)

• Cargo Prioritization

• Network-Wide “Just In Time” Capability

• Elimination Of Most Track-Side Equipment

• Elimination Of Location-Relay Mechanism

• Much Greater Efficiency

• Much Faster Average Transport


System Summary


A Visible Problem

• Presidential Commission:
  – http://www.pccip.gov/

• Defense Science Board Study

• National Research Council Committee:
  – http://www.nap.edu/catalog/6161.html

• Various Armed Services Committees And Studies

• See Also http://www.cs.virginia.edu/survive


Threats To Service

• Errors by Operators

• Errors in Operational Procedures

• Software Faults

• Software Design Degradation

• Changes in Environmental Conditions

• Hardware Degradation Faults

• Hardware Design Faults

AND

• Malicious Attacks


World-Wide Problem


And It’s a Dangerous World

Survivability Architectures


System-Wide Survivability

• Serious Problems Are Rarely Local, E.G.:
  – Wide-area Environmental Stress
  – Common-mode Software Failure
  – Coordinated, Parallel Malicious Attacks
  – Cascading Equipment Failures

• System-wide Survivability Properties:
  – Coordinated Approach to Meeting Dependability Requirements
  – Recovery Above the Node Level


Complex Architectural Problem


Approach—New Type Of Network

• System Architectures to Support:
  – Operational Survivability

• Application Architectures to Support:
  – Operational Reconfiguration Requirements

• Survivability Analysis—How Good Are the Defenses?

• Security:
  – Of the Applications Themselves
  – Of the System Architectural Elements That Support Survivability


Critical Information Systems

[Figure: a critical information system as networked nodes providing Function f, Function g and Function h, each with a Local Database]


Survivability As Control

[Figure: survivability as a control loop. “Sensor” signals flow from the infrastructure to a Control Function, which issues “Actuator” commands back to the infrastructure: from sensors to actuators]


Specification And Implementation

[Figure: a Survivability Specification defines the Error Detection State, which is realised by the Sensor/Actuator Implementation]


Non-Local Error Detection

[Figure: the Survivability Spec. (written in Z) and the Network Topology are inputs to Code Synthesis, which produces FSMs, and to Data Synthesis, which populates an Object-Oriented Database; together these drive Network Control]
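The control-loop view on these slides (sensor signals in, an error-detection state machine in the middle, actuator commands out) can be made concrete. The following is an added example written for this page; it is not code from the talk or from the Willow or RAPTOR projects. The controller's detection state is derived from the pattern of node reports across regions rather than from any single node, so a lone node failure is masked while a regional loss or a coordinated loss of two regions changes the posture and emits commands. The region names, the one-half threshold and the command strings are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple


class Posture(Enum):
    NORMAL = "normal"
    DEGRADED = "degraded"    # one region lost: reroute its traffic
    EMERGENCY = "emergency"  # correlated loss across regions: shed non-critical work


@dataclass
class RegionState:
    nodes: Dict[str, bool]   # node name -> currently up (from sensor reports)

    def fraction_down(self) -> float:
        return sum(1 for up in self.nodes.values() if not up) / len(self.nodes)


class SurvivabilityController:
    """Survivability as control: per-node sensor reports feed an error-detection
    state machine whose state depends on the pattern of failures across the
    network, and every state change is emitted as actuator commands.
    The 50% threshold and the region layout are illustrative assumptions."""

    REGION_LOST_FRACTION = 0.5   # a region counts as lost once half its nodes are down

    def __init__(self, topology: Dict[str, List[str]]):
        self.regions = {r: RegionState({n: True for n in ns}) for r, ns in topology.items()}
        self.posture = Posture.NORMAL

    def sense(self, region: str, node: str, up: bool) -> None:
        """Sensor input: one node's status report."""
        self.regions[region].nodes[node] = up

    def lost_regions(self) -> List[str]:
        """Non-local error detection: a region, not a node, is the unit of failure."""
        return sorted(r for r, s in self.regions.items()
                      if s.fraction_down() >= self.REGION_LOST_FRACTION)

    def alternate_for(self, region: str) -> str:
        healthy = [r for r in self.regions if r not in self.lost_regions()]
        return healthy[0] if healthy else "none"

    def step(self) -> List[str]:
        """Evaluate the state machine once; return actuator commands for a transition."""
        lost = self.lost_regions()
        target = (Posture.EMERGENCY if len(lost) >= 2 else
                  Posture.DEGRADED if len(lost) == 1 else Posture.NORMAL)
        if target is self.posture:
            return []                      # no transition: a lone node fault is masked
        previous, self.posture = self.posture, target
        commands = [f"posture {previous.value} -> {target.value}"]
        if target is Posture.DEGRADED:
            commands.append(f"reroute {lost[0]} -> {self.alternate_for(lost[0])}")
        elif target is Posture.EMERGENCY:
            commands.append("shed non-critical functions on all nodes")
            commands += [f"reroute {r} -> {self.alternate_for(r)}" for r in lost]
        else:
            commands.append("restore full service")
        return commands


def run_scenario() -> List[Tuple[str, List[str]]]:
    """Constructed scenario: a single node fault, then a regional loss, then a
    coordinated parallel attack on a second region, then recovery."""
    topology = {"east": ["e1", "e2", "e3"], "central": ["c1", "c2", "c3"],
                "west": ["w1", "w2", "w3"]}
    ctl = SurvivabilityController(topology)
    trace: List[Tuple[str, List[str]]] = []

    def report(*events: Tuple[str, str, bool]) -> None:
        for region, node, up in events:
            ctl.sense(region, node, up)
        commands = ctl.step()
        trace.append((ctl.posture.value, commands))

    report(("east", "e1", False))                          # masked: 1 of 3 nodes
    report(("east", "e2", False))                          # east lost -> degraded
    report(("west", "w1", False), ("west", "w2", False))   # parallel attack -> emergency
    report(("east", "e1", True), ("east", "e2", True),
           ("west", "w1", True), ("west", "w2", True))     # recovery -> normal
    return trace


if __name__ == "__main__":
    for posture, commands in run_scenario():
        print(posture, commands)
```

The point of the structure is the one the slides make: error detection lives above the node level, so the first node loss produces no command at all, while the same controller recognises two simultaneous regional losses as one correlated event and changes posture once rather than reacting to each node.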

Security of Survivability Mechanisms


Survivability Architecture

[Figure: a Control Server attached to the Infrastructure Network]


The Malicious Host Problem

Protection of software entities from (potentially) malicious execution environments:
  – Intelligent tampering
  – Impersonation


Summary of Approach

• A Framework to Handle the Malicious Host Problem in a Network Environment

• A Theoretical Foundation and Complexity Bounds

• An Automated Toolkit


Assertions

• Successful Tampering/Impersonation Attacks Should Require Program/System Analysis

• Program/System Analysis Should Be Difficult

• The Analysis Difficulty Should Be Supported by Theory and Sound Metrics


Solution Framework

• Diversity
  – Spatial
  – Temporal

• Program Manipulation
  – Increase the Analysis Difficulty of Individual Programs

[Figure: program P manipulated into variants P' and P''; spatially, different variants run at different places, and along a time axis P is succeeded by P' and then P'']


Solution Architecture

[Figure: a Control Server whose Code Manipulator turns program P into variants P1, P2, P3, …, Pn deployed across the Infrastructure Network, with a further variant Pn+1 produced by the Code Manipulator for replacement]


Obstructing Analysis

• Dynamic Analysis (e.g. execution simulation)

• Static Analysis
  – Control-flow Analysis
  – Data-flow Analysis


Analysis Complexity

• Control-flow Transformations
  – Restructure Static Control Transfers
  – Add Additional Control Transfers

• Data-flow Transformations
  – Pervasive Aliasing

[Figure: Control-flow & Data-flow]
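The two transformation classes above, and the spatial and temporal diversity of the Solution Framework, can be shown on a toy program. The following Python code manipulator is an added example written for this page; it is not the toolkit described on these slides, whose transformations are not shown here. It flattens a straight-line program into blocks with randomised ids reached through a dispatcher (restructured control transfers), guards every block exit with an opaque predicate whose never-taken arm leads to a junk block (added control transfers), and places every variable in a randomly chosen slot of one memory array reached through an alias table (pervasive aliasing). `deploy` gives each host its own variant and re-seeds per epoch. The toy instruction set, the sample program, the host names and the decoy-slot count are assumptions; the property demonstrated is that every variant computes the same function as P while presenting different control and data flow to an analyst.

```python
import random
from typing import Dict, List, Tuple

# Toy straight-line program: (dest, op, src1, src2); a source is a variable name or an int.
Stmt = Tuple[str, str, object, object]
OPS = {"add": lambda a, b: a + b, "sub": lambda a, b: a - b,
       "mul": lambda a, b: a * b, "xor": lambda a, b: a ^ b}

# Constructed sample program P:  r = ((x*31 + y) xor 255) - x
CONTROL_PROGRAM: List[Stmt] = [("t", "mul", "x", 31), ("t", "add", "t", "y"),
                               ("t", "xor", "t", 255), ("r", "sub", "t", "x")]


def run_plain(prog: List[Stmt], ret: str, inputs: Dict[str, int]) -> int:
    """Reference semantics of the un-manipulated program P."""
    env = dict(inputs)
    val = lambda s: env[s] if isinstance(s, str) else s
    for dest, op, a, b in prog:
        env[dest] = OPS[op](val(a), val(b))
    return env[ret]


def manipulate(prog: List[Stmt], ret: str, seed) -> dict:
    """Code manipulator: emit one variant P' of P.
    Control flow: the straight-line code is flattened into blocks with random ids
    linked through a dispatcher, and every block exit is guarded by the opaque
    predicate 'x*x + x is even' (true for every integer x), whose never-taken arm
    targets a junk block.  Data flow: variables live in randomly chosen slots of
    one memory array reached through an alias table, so until that table is
    recovered any store may alias any load (pervasive aliasing)."""
    rng = random.Random(seed)
    names = sorted({s for d, _, a, b in prog for s in (d, a, b) if isinstance(s, str)})
    nslots = len(names) + 4                            # four decoy slots (assumption)
    alias = dict(zip(names, rng.sample(range(nslots), len(names))))
    ids = rng.sample(range(1000, 10000), len(prog) + 1)
    junk_id = ids[-1]
    src = lambda s: ("slot", alias[s]) if isinstance(s, str) else ("imm", s)
    blocks = {}
    for i, (dest, op, a, b) in enumerate(prog):
        nxt = ids[i + 1] if i + 1 < len(prog) else 0   # 0 = halt
        guard = alias[rng.choice(names)]               # variable tested by the opaque predicate
        blocks[ids[i]] = ("op", alias[dest], op, src(a), src(b), guard, nxt)
    # Junk block: never executed, but a live-looking store plus a backward branch.
    blocks[junk_id] = ("op", rng.randrange(nslots), "xor", ("imm", rng.randrange(256)),
                       ("slot", rng.randrange(nslots)), rng.randrange(nslots),
                       rng.choice(ids[:-1]))
    return {"entry": ids[0], "junk": junk_id, "blocks": blocks,
            "alias": alias, "nslots": nslots, "ret": alias[ret]}


def run_variant(v: dict, inputs: Dict[str, int]) -> int:
    """Dispatcher loop executing a variant on the same inputs as run_plain."""
    mem = [0] * v["nslots"]
    for name, value in inputs.items():
        mem[v["alias"][name]] = value
    load = lambda s: mem[s[1]] if s[0] == "slot" else s[1]
    pc = v["entry"]
    while pc != 0:
        _, dslot, op, a, b, guard, nxt = v["blocks"][pc]
        mem[dslot] = OPS[op](load(a), load(b))
        x = mem[guard]
        pc = nxt if (x * x + x) % 2 == 0 else v["junk"]   # opaque predicate: always true
    return mem[v["ret"]]


def deploy(prog: List[Stmt], ret: str, hosts: List[str], epoch: int) -> Dict[str, dict]:
    """Spatial diversity: each host gets its own variant.  Temporal diversity: a new
    epoch re-seeds the manipulator so the deployed variants are replaced over time."""
    return {h: manipulate(prog, ret, seed=f"{h}:{epoch}") for h in hosts}


def diversified(v1: dict, v2: dict) -> bool:
    """True when two variants differ in block structure or alias table."""
    return v1["blocks"] != v2["blocks"] or v1["alias"] != v2["alias"]


if __name__ == "__main__":
    inputs = {"x": 7, "y": 3}
    variants = deploy(CONTROL_PROGRAM, "r", ["host-a", "host-b"], epoch=1)
    print("P:", run_plain(CONTROL_PROGRAM, "r", inputs))
    for host, v in variants.items():
        print(f"{host}: entry={v['entry']} alias={v['alias']} ->", run_variant(v, inputs))
```

A tampering or impersonation attempt against one host now has to recover that host's block ordering and alias table before it can alter or mimic the computation, and what it learns does not carry over to the next host or to the next epoch; the slides' assertion is exactly that this analysis should be forced, made difficult, and measured.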

Prototyping System


Prototyping System Goals

• Provide Vehicle for Experimentation, Evaluation and Demonstration

• Support:
  – Arbitrary Network Topology
  – Arbitrary Number of Hosts
  – Arbitrary Number of Nodes Per Host

• Based on COTS Software and Hardware, E.G., Windows 2000

• Allow Variety of Demonstration Applications

• Implement Architectural Ideas

• Comprehensive Symptom Injection Mechanism, Including:
  – Coordinated Parallel Attacks
  – Cascading Failures


RAPTOR Modeling System

• Arbitrary network topologies

• Large model support

• Demonstration:
  – FedWire payment system
  – 10,000 banks
  – Terrorist bombs
  – Coordinated attacks

• Windows 2000 platform

• Available for download soon

[Figure: RAPTOR model structure. The Model specification (Network Topology, Node Semantics, Vulnerabilities) and Run-time input (Symptoms) feed the Network Model, which drives the Visualization]


Typical Example System

[Figure: a 10,000 Node Model with the Federal Reserve at the top, Money Center Banks below it, Local Banks at the leaves, and a Payment Request Generator driving traffic]
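The RAPTOR model above (topology plus node semantics, symptoms injected at run time, a payment request generator driving a Federal Reserve / money-center / local-bank hierarchy) can be illustrated in miniature. The following is an added example written for this page; it is not RAPTOR code and does not reproduce RAPTOR's node semantics. It builds the same three tiers in Python, injects an outage of a money-center bank (several targets at once model a coordinated attack), and shows the two effects the slides list: the targeted bank's local banks cannot send and their inbound payments get stuck, and the stuck outflows drain liquidity at banks the attack never touched until they refuse payments, which is the cascading failure. The tier sizes, the liquidity figure, the seed and the settlement rule (a sender that reaches the payment system is debited even when the receiver's side is down) are modelling assumptions.

```python
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Bank:
    name: str
    parent: Optional[str]   # money-center bank for a local bank, "FED" for a money-center bank
    liquidity: int          # settlement balance available for outgoing payments
    up: bool = True


class PaymentNetwork:
    """Three-tier model: FED -> money-center banks -> local banks.  A payment from a
    local bank travels up its parent chain to FED and down to the receiver's bank.
    Modelling assumption: a sender that reaches FED is debited even when the
    receiver's side is down, so the funds are stuck; stuck outflows drain the
    sender's liquidity until it must refuse further payments (the cascade)."""

    def __init__(self, n_money_center: int, locals_per_mc: int,
                 liquidity: int = 5, seed: int = 0):
        self.rng = random.Random(seed)
        self.banks: Dict[str, Bank] = {"FED": Bank("FED", None, 10 ** 9)}
        for m in range(n_money_center):
            mc = f"MC{m}"
            self.banks[mc] = Bank(mc, "FED", liquidity * locals_per_mc)
            for k in range(locals_per_mc):
                self.banks[f"{mc}-L{k}"] = Bank(f"{mc}-L{k}", mc, liquidity)
        self.locals = [b for b in self.banks if "-L" in b]
        self.refused_at: Dict[str, int] = {}   # bank -> payments refused for lack of liquidity

    def inject(self, targets: List[str]) -> None:
        """Symptom injection: an outage of the named nodes (several at once models a
        coordinated attack); every other failure is a consequence, not an injection."""
        for t in targets:
            self.banks[t].up = False

    def path_up(self, bank: Optional[str]) -> bool:
        """True when the bank and every node on its path to FED are up."""
        while bank is not None:
            if not self.banks[bank].up:
                return False
            bank = self.banks[bank].parent
        return True

    def pay(self, src: str, dst: str) -> str:
        sender = self.banks[src]
        if not self.path_up(src):
            return "unsent"                # sender cannot reach the payment system
        if sender.liquidity <= 0:
            self.refused_at[src] = self.refused_at.get(src, 0) + 1
            return "refused"               # cascading effect: liquidity exhausted
        sender.liquidity -= 1
        if not self.path_up(dst):
            return "stuck"                 # debited but never credited
        self.banks[dst].liquidity += 1
        return "completed"

    def run(self, n_payments: int) -> Dict[str, int]:
        """Payment request generator: uniformly random local-to-local payments."""
        counts = {"completed": 0, "stuck": 0, "refused": 0, "unsent": 0}
        for _ in range(n_payments):
            src, dst = self.rng.sample(self.locals, 2)
            counts[self.pay(src, dst)] += 1
        return counts


def compare(n_money_center: int = 4, locals_per_mc: int = 5, n_payments: int = 1000,
            outage: Tuple[str, ...] = ("MC0",)) -> Tuple[Dict[str, int], Dict[str, int], List[str]]:
    """Run the same random payment stream against a healthy network and one with an
    injected outage; also return the banks outside the outage driven to refuse."""
    healthy = PaymentNetwork(n_money_center, locals_per_mc, seed=1)
    attacked = PaymentNetwork(n_money_center, locals_per_mc, seed=1)
    attacked.inject(list(outage))
    base, hit = healthy.run(n_payments), attacked.run(n_payments)
    collateral = sorted(b for b in attacked.refused_at
                        if not b.startswith(tuple(f"{o}-" for o in outage)))
    return base, hit, collateral


if __name__ == "__main__":
    base, hit, collateral = compare()
    print("healthy :", base)
    print("MC0 down:", hit)
    print("banks outside MC0 that ran dry:", collateral)
```

The `collateral` list is the survivability finding: the attack removed one node, but refusals appear at local banks under money-center banks that were never attacked, so a defence that only looks at the nodes reported down underestimates the damage, which is why the prototyping goals above call for symptom injection that covers cascading failures and not just the initial outage.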

The Willow System


Dimensions of Survivability

[Figure: Network Sensors and Actuators connect the infrastructure to a Network State & Analysis Model; the dimensions of survivability shown around it are Self Healing, Tolerate Anticipated Faults, Planned Posture Change, System Update, System Deployment, and External Input]


Survivability Architecture: Logical View

[Figure: Reactive side (During Attack): Active Control issuing Commands. Proactive side (Before and After Attack): Active Management producing New Postures. Human roles shown: Operator, Administrator, Intelligence, Analysis, Development. A Trust boundary is marked between the controlled system and the control and management functions]


Conclusion

• Survivability Is A Complex But Essential System Property

• A Key Element Is Non-Maskable Faults

• Achieved Much Of The Time By Fault Tolerance

• Willow:
  – Extends Error Detection To External State
  – Extends Error Recovery To Posturing And Deployed Software
  – Generalizes The Time Frame Of Both


New Computer Science Building At UVA