Hybrid Risk Management for Utility Networks

Transcription

1 Hybrid Risk Management for Utility Networks Hermann de Meer Computer Networks and Computer Communications Lab (CNACC) University of Passau

2 CNACC: Introduction People Prof. Dr.-Ing. Hermann de Meer 11 PhD students/ras Research IT-security/functional safety Risk analysis in critical infrastructures Analysis of security implications induced by networking (e.g., smart grid) Energy systems Intelligent demand-response mechanisms in smart grids Trade-off-analysis of energy efficiency/performance/security Virtualization 2

3 ACM SIGCOMM e-energy Conference Univ. Passau (2010), Columbia Univ. (2011), IMDEA Univ. Carlos III Madrid (2012), UC Berkeley (2013), Univ. Cambridge (2014) UK, IBM Research India at Bangalore (2015). Topics cover the whole energy systems environment Sensing, monitoring and management of energy systems Energy-efficient computing and communication Distribution and transmission network control techniques Modeling, control, and architectures for renewable energies Smart grid communication architectures and protocols Privacy and security of smart grid infrastructure 3

4 Power Grid Smart Grid Power grid evolves into a smart grid Integration and interdependence of power network with information and communication technology (ICT) Extension of the grid using decentralized, renewable energy sources Power network with public IT networks (e.g., the Internet) Combination of both networks leads to a network of networks Interdependence of networks New network has previously unknown, new properties Combined network forms a new complex system Fusion of IT and power network generates new challenges 4

5 Motivation (1/2) Power failure in north eastern US in 2003 Causes Effects Software errors in monitoring systems Overload and failure of IT backup systems Lack of risk awareness Outdated supply network infrastructure Poor communication More than 55 million people without electricity Failure of public telecommunications/utility networks Estimated costs: 6 billion $ (Photos: Huffington Post, 2003) 5

6 Motivation (2/2) Dragonfly malware infection (announced April 30 th 2014) Causes Hacking websites of control system software vendors Infection and later distribution of software packages Infection of industrial systems by remote access trojans (RATs) Has been launched since 2011 minimum with significant virulances Effects Capabilities: Gather information, such as passwords, screenshots Backdoor Estimated costs: could well cause a significant amount of damage * How can such catastrophic failures be prevented? *Adam Kujawa, head of malware intelligence at Malwarebytes (Graphic: Symantec, 2014) 6

7 Risk Assessment (1/4) Power/communication networks are critical infrastructures Constant availability not optional, but mandatory Disturbances are economically, socially and politically-administratively catastrophical Risk assessment in smart grids enormously challenging Possible error propagation between ICT and energy network Various sources of error: Accidents/human error Defects in hardware/software Deliberate attacks (physical/it-based) Large-scale, long-term failures must be prevented! 7

8 Risk Assessment (2/4) The need for new risk assessments tailored for interconnected utility networks is already known: ENSIA: Security Aspects of Smart Grid Propose that there at least is a risk management in smart grids: Align cyber-security to the organization s overall IT strategy based on the defined risk profile Establish a rigorous, on-going risk management process However, the solutions proposed in this document are either very abstract and underspecified, or based on legacy best practices Concluding, the risk management by ENSIA does not address all risks in networked utilities in detail 8

9 Risk Assessment (3/4) NIST: Introduction to NISTIR 7628 Guidelines for Smart Grid Cyber Security Risk management also proposed, but only considering legacy risk sources E.g., no consideration of risk caused by interconnection No special metrics that include all risk sources and the possibilities of failure propagation between different networks Current risk assessment approaches have to be re-thought A new, solid foundation for risk assessment is needed 9

10 Risk Assessment (4/4) Legacy risk assessments have been used for a long time These approaches focus either on utility or control network Control network Combined networked Utility network utility infrastructure Integrity problems Network of networks Physical infrastructure Previously isolated Uncontrolled access threats Failure propagation Phishing, social Reliability problems Mutual dependence of engineering networks Misuse of infrastructure Future How smart to deal utilities with are these networked, new threats? not isolated! 10

11 Possible Solutions Resilient implementation of networked utilities requires: Novel risk evaluation approaches Integration, interaction and interdependency of utility and ICT network Analysis of risk origins such as the human factor for the networks New risk metrics for interconnected utility infrastructure networks Robust communication infrastructures Awareness of all involved entities/persons System-wide strategies to deal with multiple threat sources in both control & utility network 11

12 HyRiM: Project Facts HyRiM = Hybrid Risk Management for Utility Networks EU FP7-research project (Call FP7-SEC ) Runtime: 36 months ( ) Cooperation between 7 project partners Austrian Institute of Technology Lancaster University ETRA Investigación y Desarrollo, S.A. Akhela S.R.L. Suministros Especiales Alginetenses, Coop. V. Linz AG Universität Passau 12

13 HyRiM: Project Facts Analysis of organizational / human factors Monitoring of data & power network perimeter Monitoring and protection of SCADA systems (Figure: Föderprogramm E-Energy des BMWi) 13

14 HyRiM: Overview The goal of HyRiM is to extend current risk management approaches to utility networks HyRiM will focus on the interconnection points between control networks and individual utility networks Providing a quantitative approach to support decision makers Assessing the potential threats and their cascading effects Main objectives of the project Develop and evaluate hybrid risk metrics Assess and categorize security risks in interconnected utility infrastructure networks Provide foundations for novel protection mechanisms 14

15 HyRiM: Goals (1/4) Analysis of organizational/human factors Uncertainty of employees due to lack of security/safety standardization and emerging working paradigms, such as bring your own device or mobile working lead to new threats Goals Consideration of the human factor by studying the sociological and economic effects on the different networks Special focus on the usage on personally owned digital/communication devices and how it might comprise security of a control network Definition of security architectures and guidelines to mitigate threats related to human and organizational (including cyber) risk 15

16 HyRiM: Goals (2/4) Monitoring and protection of SCADA systems Utility providers are often unaware of the sensitivity of control networks leading to an underestimation their importance and a lack of security Goals Evaluation of interdependent utility network infrastructures and attacks targeted specifically at utility network controls Classification of attacks against SCADA systems (e.g., threats of smart phones, USB sticks) Development of tools and methods for risk assessment, which extend existing methodologies towards the handling of new threats (e.g., Advanced Persistent Threats) arising in interconnected SCADA networks 16

17 HyRiM: Goals (3/4) Monitoring of data & power network perimeter Interconnection of utility facilities can open new attack vectors exploitable from unprotected remote locations Goals Combination of monitoring and surveillance of the extended perimeter Enhancing network and infrastructure surveillance systems using novel, on-demand technologies in the extended perimeter of utility networks Development of self-diagnostic systems for detecting errors in utility infrastructures Classification and recommendations for IT-based protection systems according to applicability and effectiveness in utility networks 17

18 HyRiM: Goals (4/4) Development of hybrid risk metrics To be able to perform a system-wide risk analysis covering control and utility networks, novel risk assessment approaches are required Goals Hybrid risk metrics are based on the combination and interrelation of risks in the power and the ICT/control networks Based on the application of a mathematical framework to provide a basis for quantitative risk assessment Development of analytical methods/metrics for risk assessment Hybrid risk metrics will allow both the assessment and categorization of security risks in interconnected utility infrastructure networks 18

19 Further Research There are still open questions remaining: 1) How can the reliability of the communication infrastructure be guaranteed? Networked utility infrastructures more and more depend on automated processes relying on IP data exchange Therefore, reliable communication is becoming increasingly important in utility networks However, achieving reliable communication is an important challenge Strategies for reliable message delivery have to be taken In dedicated and public networks (e.g. the Internet) Usage of new technologies to achieve reliability (e.g. virtualization) 19

20 Further Research There are still open questions remaining: 2) How can the regulatory challenges in an interconnected ICT- and utility-network be met? Currently lack of standards and best practices stretching across both ICT and power grid domains Different standards developed at different times with unequal maturity, development speed and domains Interoperability and interchangeability are essential prerequisites for a functional smart grid. Without them, interaction of different vendors would be rendered completly impossible. 20

21 Further Research There are still open questions remaining: 3) What is the influence of interconnecting utility networks on their functional safety? Combining ICT and utility networks adds a direct link between IT security and safety E.g. can the manipulation of SCADA systems directly influence control systems used in power plants Utility networks often a critical infrastructure, which in case of failures endanger the environment as well as human lives How can the additional information available in networked utilities be used to increase safety? 21

22 Conclusion Future scenarios are not fully foreseeable Increasing integration of IT and supply networks Increasing dependence between network components problematic Incomplete analysis of risks and threats Currently no sufficient protection Utility network control systems not designed for use in IT networks No sound strategy in the event of a black-outs Comprehensive risk analysis of the smart grid required! Protection of both ICT and power networks necessary! Emergency plans for the smart grid in case of disasters! 22