A Comprehensive Approach to Critical Information Infrastructure Assurance

Transcription

1 A Comprehensive Approach to Critical Information Infrastructure Assurance Euro-Atlantic Symposium on Critical Information Infrastructure Assurance March 2006 Riva San Vitale, Switzerland Professor Saifur Rahman Director Advanced Research Institute Virginia Polytechnic Inst & State University, U.S.A. 1

2 Outline Critical infrastructures and their interdependencies Importance of information and electricity infrastructures Cyber and physical vulnerabilities and cascading failures Historical and new approaches to CIIA 2

3 What are Critical Infrastructures? An infrastructure or asset the destruction of which would have a debilitating impact on the national security and the economic and social welfare of a nation WATER NATURAL GAS TRANSPORTATION ELECTRICITY TELECOM 3

4 Infrastructure Interdependencies 4

5 Two Important Sectors: Critical Information and Electricity Infrastructures Information Oil and gas Banking and finance Transportation Water and sewer Telecommunications Emergency responders Critical government services Electricity Without these two enabling infrastructures, other infrastructures cannot function 5

6 Electricity and Information Infrastructure for Transportation Sector Transportation sector Electricity to power all equipment Real time information gathered and sent by the information infrastructure Traffic camera Traffic lights Traffic light control center Traffic flow detection 6

7 Electricity and Information Infrastructure for Banking and Financial Sector Banking and financial sector Needs electricity to process all transactions All information is maintained and collected in a network ATM Credit card Online transaction 7

8 Dependency of Electric Power Delivery on Information Infrastructure Source: IEEE Power & Energy Magazine, Sep/Oct 2004 CII is necessary for the reliable and secure supply of electricity 8

9 Dependency of Critical Information Services on Electric Power Arial view of the US at night Source: NASA Concentration of ISPs in the US Source: The GeoURL ICBM Address Server 9

10 Types of Vulnerabilities Cyber Physical - natural 10

11 Cyber Vulnerabilities 11

12 Physical Vulnerabilities Natural Hazards: hurricanes, snowstorms, earthquakes, floods System Failures: intentional events, equipment failures, human errors Earthquake Kobe 1995 Japan Major Floods 2002 Europe Hurricane Katrina 2005 USA 12

13 Vulnerabilities and Cascading Failures Indirect effects Physical/ Cyber Attacks Direct effects Electricity outages IT outages Oil & gas outages Water outages Traffic signal outages Telecom outages Business interruptions Delays in Emergency services 13

14 Critical Information Infrastructure Its role in containing Vulnerabilities and minimizing Cascading Failures 14

15 Why assuring CII is important CII is a means to monitor and control the system status and reduce vulnerabilities of other critical infrastructures Electric power systems, natural gas and water supply networks, refineries, etc. are monitored and controlled over an information network called Supervisory Control and Data Acquisition (SCADA) Early warning signals can be generated over this network so that other CI s can be protected 15

16 Information InfrastructureAssurance: An Evolving Discipline Critical Nation s safety and prosperity Pervasive Wherever IT-enabled services exist. Evolving Grows hand-in-hand with technology Cross-disciplinary Computer Science, Electrical Engineering, Business, Law, Math, Social Science, etc. Challenging Attackers, Failures and Targets Complex Interdependencies 16

17 Approaches to Critical Information Infrastructure Assurance Assurance aspects in CII design, evolution, operation and maintenance Business, management, and organizational issues Law, policy, and privacy issues 17

18 Assurance aspects in CII design, evolution, operation and maintenance There is a broad spectrum of security research across several academic disciplines and research groups. For example: Cryptology and cryptography Network security Internet security Intrusion detection Electronic commerce Secure software agents Multicast security Security for wireless systems 18

19 Business, management, and organizational issues Information security is a business and national security issue as well as a matter of management practice Security threats, i.e. fraud, abuse and errors from inside the organization, are potentially dangerous and likely to occur Need to educate employees about Latest developments in information security trends, i.e. viruses, spam, threats When and how to approach law enforcement agencies 19

20 Law, policy, and privacy issues Need the cooperation among government, private sectors and academic organizations Need the development of a broad strategy to promote national or regional awareness/partnership for critical infrastructure security Primary foci are, for example, owners and operators of critical infrastructures and other influential stakeholders in the economy Samples of government policies in the US Security Breach state laws Critical Infrastructure Information Act (2002) 20

21 An Example of Infrastructure Assurance SCADA Systems SCADA Supervisory Control and Data Acquisition Most power system controls are based on SCADA systems. Other applications are: (A) oil & gas operations, (B) water & waste water management systems. Power Gas Water 21

22 Components of a typical SCADA System An old technology with a critical importance SCADA components 1. Master Station (MS) 2. Remote Terminal Units (RTU) 3. Communication links between MS and RTU, e.g. LAN WAN VSAT TCP/IP Wireless Source: 22

23 Traditional SCADA systems on Independent Networks Each infrastructure has its unique & separate SCADA systems Electricity SCADA systems cannot piggyback on that of gas or water Gas network SCADA systems cannot run on other networks Similarly, electricity or gas SCADA systems cannot be shared with that of water supply systems Source: 23

24 Internet-based SCADA systems If a common backbone can be used among various infrastructures, there will be only small additional costs to build an individual SCADA system. Source: IEEE Power & Energy Magazine, March/April

25 Internet-based SCADA systems: Pros and Cons Advantages of using Internet-based SCADA: Wide-area connectivity and pervasive Routability Redundancy and hot standby Integration of IT with automation and monitoring networks Standardization Can login from anywhere in the world Disadvantages: Security concerns Reliability concerns 25

26 Research and Development in CIIA How to secure CII so that it can facilitate the protection and reduce vulnerability of other critical infrastructures 26

27 Thanks for Listening Name: Prof. Saifur Rahman Affiliation: Virginia Tech, USA Phone: (703) Web site: Questions or Comments? 27