Automation, Process Control and SCADA Systems in Critical Infrastructures Future Threats and Requirements

Transcription

1 Automation, Process Control and SCADA Systems in Critical Infrastructures Future Threats and Requirements Hans Honecker Federal Office for Information Security SCADA and Process Control Security Summit

2 Contents The BSI Critical Infrastructures and Critical Processes Critical Processes and IT-based automation technologies Future Threats Future Requirements Transfer to other IT-supported technology areas Conclusions Slide 2

3 Brief Introduction Federal Office for Information Security (BSI) The BSI at a glance Focus of activities Co-operations Slide 3

4 The BSI at a Glance Independent and neutral authority for IT security High level federal public agency within the area of responsibility of the Federal Ministry for the Interior Founded in 1991 unique as a public agency in comparison to other European establishments Staff: around 500 employees Budget: 60 million Slide 4

5 Focus of Activities Internet security Secure e-government IT baseline protection National / international security co-operation Cryptographic innovation Biometrics Security from eavesdropping Awareness campaign on IT security Certification and approval Protection of critical infrastructures Slide 5

6 Contents The BSI Critical Infrastructures and Critical Processes Critical Processes and IT-based automation technologies Future Threats Future Requirements Transfer to other IT-supported technology areas Conclusions Slide 6

7 Critical Infrastructures... Critical Infrastructures are organisations and facilities of major importance to the community whose failure or impairment would cause a sustained shortage of supplies, significant disruptions to public order, or other dramatic consequences (2006) In short: Critical infrastructures provide indispensable and essential goods and services to society and economy. Slide 7

8 Critical Infrastructure Sectors 1. Transportation 2. Energy 3. Hazardous materials 4. IT and telecommunications 5. Finance and insurance 6. Services (incl. health care, emergency and rescue services) 7. Public administration and justice system 8. Other (e.g. media, buildings) Slide 8

9 Overall-Experience Pizza Otto Stagioni Services Finance and Insurance Transportation Public Administration Hazardous Materials Energy Other IT and Telecommunications Slide 9

10 ... and Critical Processes Critical Infrastructures provide indispensable and essential goods and services to society and economy by running Critical Processes. These processes are indispensable for society and economy heavily (and growing) interdependent and complex at risk by - by technical or human failure natural disaster attacks breakdown or failure of critical processes of other infrastructures Slide 10

11 Interdependent Processes Infrastructure Sectors public administration, justice IT and telecommunications hazardous materials other finance and insurance energy transportation services and supply Slide 11

12 Interdependent Processes Infrastructure Sectors public administration, justice IT and telecommunications hazardous materials other finance and insurance energy transportation services and supply Slide 12

13 ... and Critical Processes Critical infrastructures provide indispensable and essential goods and services to society and economy... by running Critical Processes. These processes are indispensable for society and economy heavily (and growing) interdependent (through their process infrastructure) at growing risk by - by technical or human failure natural disaster attacks breakdown or failure of critical processes of other infrastructures Critical Processes need to be kept robust and resilient Slide 13

14 Contents The BSI Critical Infrastructures and Critical Processes Critical Processes and IT-based automation technologies Future Threats Future Requirements Transfer to other IT-supported technology areas Conclusions Slide 14

15 Critical Processes and IT-based Automation Technologies (1) Critical processes need to be kept robust and resilient... Holistic approach necessary All critical processes dealing with physical process objects use automation, process control and/or SCADA technologies (we will use SCADA for all three in this talk) [ SCADA = Supervisory Control And Data Acquisition] All critical processes depend on electricity - most very straight - which in turn depends on SCADA technology SCADA -technologies as archetype for discussion of challenges on process and infrastructure layers, proposals for future developments Slide 15

16 Critical Processes and IT-based Automation Technologies (2) SCADA -technologies are present in electricity generation and distribution gas and water supply many process infrastructures of other critical infrastructures used in a wide range and different layers of processes production processes distribution processes control processes with extremely different process objects tangible goods energy (electricity, gas, oil,...) measurement data, information,... AND make extensive use of components based on information technology Slide 16

17 IT-based Automation ( SCADA ) Technologies Operating Conditions compared to standard information technology: IT-based Automation Technology Standard Information Technology (local use) Continuous operation Operation during business hours Top priority for availability Top priority for confidentiality and integrity (Physical) process has priority Information security has priority Patching difficult or impossible Patching state of the art Specialised IT serves to control Standardised IT serves to physical processes process data and information Slide 17

18 Contents The BSI Critical Infrastructures and Critical Processes Critical Processes and IT-based automation technologies Future Threats Future Requirements Transfer to other IT-supported technology areas Conclusions Slide 18

19 Future Threats To be considered for planning of, building or rebuilding CI (Critical Infrastructures) important from the viewpoint of CI Protection (CIP) (possible consequences of failures or malfunctions) growing interconnection between process infrastructures of same type (e.g. electricity distribution grids) increasing dependencies and interdependencies of different critical processes increasing complexity of critical processes DISCLAIMER: We do not (or less) consider current threats (in this talk!) We assume state of the art (2008) IT-security implemented Slide 19

20 Category: Technical Failures and Human Errors Technical failures / malfunctions in general: Malfunctions of process specific IT can totally screw up processes (e.g. hardware, software or configuration errors) Example: Programming errors in a DCS added to the heaviness of US Blackout 2003 malfunctions on the network layer endanger process infrastructures (be it malfunctions specific to SCADA or not) side effects (e.g. reduced functionality modes on any layer) backfiring patches or updates (if patching feasible at all) Human errors operating errors Example (continued): Human Errors also added to the heaviness of US Blackout 2003 Example: Human Errors added to the EU Blackout November 2006 Slide 20

21 Category: Disasters and Natural Phenomenons Increase in number and weight / heaviness Side effects with cumulative impact e.g. long lasting heat and drought cooling problems in energy generation and operation of IT shortage in energy supply AND higher demand Flooding, earth quakes, volcanoes... e.g. Japanese nuclear power plant Yellow Stone National Park? Maria Laach? Far-fetched threats? E.g., what about solar activity? What about a direct hit by a solar storm? Loss of communication means (satellite and terrestrial communication)? Loss or temporary unavailability of electricity grid? Slide 21

22 Category: Attacks Risk of external cyber attacks hacking (e.g. successful external pen test of a US-based electricity provider straight through into the control system) attacks by Trojan horses targeted to Process Control Network (PCN): worst, if successful untargeted: high risk of collateral damage attacks through maintenance channels (notebooks, connections) collateral damage of untargeted attacks Risk of internal attacks disgruntled employees, subcontractors or maintenance personnel attacks through hacked systems of process partners backdoors on SCADA, network, or server hardware layer side effects of security testing Slide 22

23 Category: Dependencies Reminder: Critical Processes need to be kept robust and resilient Critical Processes depend on other Critical Processes all: on energy, information- and telecommunications processes many: on financial processes, transportation processes almost all: on some interconnected processes on process layer? Can today s Critical Processes sufficiently handle malfunctions or failures of processes they depend on? Critical Processes should handle dependency issues run core functionality as long as possible (graceful degradation) swiftly recover full functionality after failures in connected processes Slide 23

24 Contents The BSI Critical Infrastructures and Critical Processes Critical Processes and IT-based automation technologies Future Threats Future Requirements Transfer to other IT-supported technology areas Conclusions Slide 24

25 Future Requirements (all Layers) New or further development of technologies for use in CI Aspects to be considered at all layers of technology and integration technologies: long term maintenance and service; open migration paths robustness and resilience as important design criteria options for minimisation (for security issues and for...)... inbuilt graceful degradation (keep up core functionality) minimisable energy consumption (to operate during blackouts) avoid functionality which can endanger process and automation infrastructures or do not contribute to the process! explicit suitability for specific use in Critical Processes and automation infrastructures (at least qualified by manufacturers)!!!!!! Slide 25

26 Future Requirements Layers of technology to be considered for future use of SCADA technologies in Critical Process Infrastructures: process specific applications and applications software standard software (databases, analysis, visualisation,...) operating systems (on servers, terminals, process specific hardware,...) hardware (servers, terminals, process specific,...) network technology and architecture organisation and process architecture (not discussed further) (many efforts have to be mirrored on organisational layer) (some processes might gracefully degradate to manual operation or organisational driven process backups) Slide 26

27 Future Requirements Application Layer Process specific applications and application software should be largely platform independent (with regard to operating systems and database layer) ensure robustness and resilience of processes, inter alia against failures or malfunctions provide modes for operation during crisis or under extreme conditions (graceful degradation) completely document any communication relationship needed or used by the application be open to independent analysis of security, safety and correctness (in particular with regard to availability) Slide 27

28 Future Requirements Standard Software Standard software for databases, data analysis or visualisation etc. should provide secure installation (e.g. no standard passwords) be minimisable (only install needed functionality) no functionality not needed for specific processes e.g. no DRM, multimedia, hidden databases,... no reduced functionality modes feasible and configurable patch and update mechanisms communication strictly restricted to the process needs inter alia: only to explicitly specified systems, no phone home offering needed standard functionality without security risks many more Slide 28

29 Future Requirements Operating Systems Servers, most terminals are / many process specific hardware is running on an operating system layer. We need functionality minimisable to systems needs feasible methods for system hardening and patching long term availability (corresponding to lifetime of the infrastructure of the Critical Process, might be decades) no functionality that could put Critical Processes at risk no phone home, no DRM, hidden services, multimedia,... no reduced functionality mode (yes, I know I repeat myself :-) many more In short: Operating systems customisable to infrastructure requirements Slide 29

30 Future Requirements Hardware Servers, terminals, process specific hardware etc. used in SCADA systems running Critical Processes should be physically robust (where necessary) against industrial (e.g. electromagnetic) environment environmental or external influence (e.g. solar storms, EMP...) provide hardware based modes for minimised operation low power consumption (for crisis and long term energy shortage) battery buffered or emergency (low) power supply operation support graceful degrading the process to core functionality mode long term availability easy replacement (e.g. for quick disaster recovery) many more Slide 30

31 Future Requirements Network Technologies (1/2) Network architectures based on standard network technology often provide the communication infrastructure of SCADA based process infrastructures (this is the N in PCN) Architectural view: SCADA systems may be attacked using network layer Network connects at least partly unpatched systems Failures on network layer endanger SCADA systems Network defence is necessary for higher layers! strict separation of SCADA networks from other networks! restriction of communication to necessary connections Slide 31

32 Future Requirements Network Technologies (2/2) Network defence necessary for higher layers! strict separation of SCADA networks from other networks! restriction of communication to necessary connections? What about technology? Future requirements to network technologies: restrictive network operation as an (additional?) basic network operation principle (including simple hardware layer and port based approach) feasible management of restrictive network operation (easy configuration of necessary connections, deny all other) including restrictive switching, port security... Slide 32

33 Contents The BSI Critical Infrastructures and Critical Processes Critical Processes and IT-based automation technologies Future Threats Future Requirements Transfer to other IT-supported technology areas Conclusions Slide 33

34 Transfer to other IT-supported Technology Areas 1. Many requirements can be transferred to other technology areas where IT is used for operating Critical Processes, inter alia: Process specific applications: platform independence, resilience, graceful degradation, known communication,... Operating systems: minimisable functionality and feasible system hardening, long term availability, no phone home,... Network layer: defence of Critical Processes on network layer, restricted communication as network operation principle; feasible management of restricted network operation, hardware features 2. Many future requirements seem also valid for less critical processes. Slide 34

35 Contents The BSI Critical Infrastructures and Critical Processes Critical Processes and IT-based automation technologies Future Threats Future Requirements Transfer to other IT-supported technology areas Conclusions Slide 35

36 Conclusions Today s process infrastructures can (at large) be built as secure, safe and resilient as necessary. To keep up with increasing threats and growing complexity and interconnection of CI, we need to enhance robustness and inbuilt resilience security characteristics of all technology areas and layers. We can only achieve this in co-operation between process owners and operators, integrators of technologies, manufacturers, distributors and vendors. Slide 36

37 Contact Federal Office for Information Security (BSI) Hans Honecker Godesberger Allee Bonn Tel.: +49 (0) Fax: +49 (0) Slide 37