Security of Critical Networked Infrastructures Marcelo Masera - PowerPoint PPT Presentation

Description:

Software Tool ready Dec 2006. InSAW. InSAW methodology. Profiling and Pre-Assessment ... Reference security-relevant architectures ...

Slides: 25
Provided by: mase8
Transcript and Presenter's Notes


1
Security of Critical Networked Infrastructures
Marcelo Masera
  • March 2007

2
Policy context
  • European Programme for CIP (EPCIP) DG JLS
  • Green paper, November 2005
  • Policy package, December 2006
  • A strategy for a Secure Information Society
    DG INFSO
  • Communication, May 2006
  • European Critical Energy and Transport
    Infrastructures DG TREN
  • January 2007

3
Security Assessment Governance
Gather and share security data
Two main challenges: security information exchange and security assessment
4
Assessing and measuring security
System architecture
InSAW
Assets
Security Policy (ISO 17799)
Vulnerabilities
Threats
Data sources
Loss
Attacks
Security Failures
Security Objectives
Security Requirements
Protection Profile (ISO 15408)
System production and deployment
5
InSAW methodology
Profiling and Pre-Assessment
System
New data
Vulnerability Assessment
Risk Assessment
System security status
Threat Assessment
Attack Assessment
Decision making on countermeasures and other
risk management actions
6
InSAW data representations
  • Formal representation of Vulnerabilities,
    Threats, Attacks, dependencies, etc.
  • Updatable with new information

7
InSAW Attack process models
  • Identification phase
  • Qualification of target
  • E.g. Discovery of input points (e.g. IP
    addresses)
  • Detection of transactions accepted by the target
  • Exploration of possible transactions
  • E.g. Probing and detection of potential
    vulnerabilities
  • Determination of potentially successful attack
    patterns
  • Exploitation phase
  • Preparation of exploit
  • E.g. Assemblage of injection vector and payload
  • Running of the exploit
  • E.g. Injection of the exploit
  • If unsuccessful, try with different exploit

8
Attack trees
Example: DoS attack against web server (fragment)
Top event: Threat completes attack
Basic event: Threat performs attack steps
9
Security data
  • Fundamental for carrying out security assessment
  • Issues
  • Scarce data due to technological innovation
  • Need to share and exchange
  • Sources
  • Real world experience
  • Simulation in labs (e.g. for single systems)
  • Gaming exercises (e.g. for infrastructures)

10
Security of Next Generation Networks
  • Initial activities
  • Related to ETSI TISPAN (Telecommunications and
    Internet converged Services and Protocols for
    Advanced Networking) work on Security
    requirements, architecture, Threat/risk analysis
    and countermeasures
  • Policy support
  • DG INFSO's Critical Information Infrastructure
    Protection
  • Criteria for European level issues
  • Laboratory
  • Demonstration of vulnerabilities/countermeasures
  • Reference security-relevant architectures
  • Link with ETSI's Protocol and Testing Competence
    Centre (PTCC)?

11
SCADA Cybersecurity lab
  • Uses
  • Test of systems for the identification of
    vulnerabilities
  • Test of maintenance policies (e.g. patching)
  • Test of security policies (e.g. firewall rules)
  • Simulation of attacks and test of countermeasures
  • Comparison of different architectures with
    alternative technical components and assurance
    levels
  • Verification of standards (e.g. protocols)

12
Application: Cybersecurity of power station
13
Application: Power station control system
14
Simulation of attacks
15
Attack paths simulated
Viral Infection
Distributed DoS
Intrusion
Web server DoS
16
Infrastructure modelling and simulation
  • Project VITA: Vital Infrastructure Threats and
    Assurance
  • Objectives
  • demonstrate impacts of energy network disruption
    in a cross border scenario
  • evaluate secondary and cascading effects into
    dependent critical infrastructures (e.g.
    telecommunications, health system etc.)
  • Partners: IABG, Qinetiq, TNO, FOI, REE, IBBE, PM,
    JRC
  • Threat taxonomy
  • Gaming exercise (May 2006)

17
VITA the gaming environment
Vignettes
Gaming environment
18
VITA exercise map
19
VITA exercise interactions
Maintenance Crews
Gas / Generation Units
Power System Model
Transport (Road)
Internal Telecomm
TSO Vitaland
TSO Ativia
Weather
Public Telecomm
Civil Protection Police
Crisis Management CPP Ativia
Media
Crisis Management Vitaland
International Co-Ordination
End Users Railway Health Service.....
Terrorist
Detailed Physical Model OTS
Physical interdependence modeled for VITA purpose
Simplified Physical Models developed within VITA
Relationship between roles played by DEMOKRIT
Role Player Included in DEMOKRIT
Interface between physical model and DEMOKRIT players
Event propagation
Global event trigger
20
SecNet-IE
  • A Platform for Information Exchange on the
    Security of Critical Networked Infrastructures
  • Dealing with sensitive information
  • Connecting private and public actors
  • Distributed network
  • Implementing the Traffic Light Protocol (TLP)

21
SecNet-IE communication
Security item
Label message
Send message
Contact Point Send
Contact Point Receive
Security Item identified
Message labelled red, amber, green, white
Message compiled for sending
Message ready for sending
Sending message
Receiving acknowledgement
  • The originator labels the message using TLP, to
    indicate what further dissemination, if any, can
    be undertaken by the recipient

22
SecNet-IE messages
  • Red
    • Personal for named recipients
    • Ex.: threats, attacks, warnings
  • Amber
    • Limited distribution
    • Ex.: vulnerabilities, risk scenarios
  • Green
    • Community wide
    • Ex.: case studies, practices
  • White
    • Unlimited
    • Ex.: awareness raising
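
The TLP dissemination rule from slides 21 and 22, written as an executable check at the contact point (an added example, not code from the presentation or the SecNet-IE prototype). Assumptions of this example: "limited distribution" is modelled as an explicit list set by the originator, unlabelled items are refused, and all party names are hypothetical.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class TLP(Enum):
    RED = "red"      # personal for named recipients
    AMBER = "amber"  # limited distribution
    GREEN = "green"  # community wide
    WHITE = "white"  # unlimited

@dataclass(frozen=True)
class Message:
    item: str
    originator: str
    label: Optional[TLP] = None        # None = originator did not label the item
    named: frozenset = frozenset()     # RED: the named recipients
    limited: frozenset = frozenset()   # AMBER: assumed explicit distribution list

def may_receive(msg, party, community):
    """True if `party` is inside the audience the originator's label allows."""
    if msg.label is None:
        return False                   # fail closed: unlabelled items go nowhere
    if msg.label is TLP.RED:
        return party in msg.named
    if msg.label is TLP.AMBER:
        return party in msg.limited
    if msg.label is TLP.GREEN:
        return party in community
    return True                        # WHITE

def disseminate(msg, sender, targets, community):
    """Contact-point check for a first send or an onward forward.
    Returns (delivered, refused); a sender outside the audience forwards nothing."""
    entitled = sender == msg.originator or may_receive(msg, sender, community)
    delivered, refused = [], []
    for target in targets:
        ok = entitled and may_receive(msg, target, community)
        (delivered if ok else refused).append(target)
    return delivered, refused

# Constructed sample data (party names are hypothetical).
COMMUNITY = {"tso-a", "tso-b", "cert-x", "vendor-y"}
RED_MSG = Message("attack warning", "cert-x", TLP.RED, named=frozenset({"tso-a"}))
AMBER_MSG = Message("vulnerability note", "vendor-y", TLP.AMBER,
                    limited=frozenset({"tso-a", "tso-b"}))
GREEN_MSG = Message("case study", "tso-b", TLP.GREEN)
UNLABELLED = Message("raw finding", "tso-a")
```

The refused list is what a contact point would log or return to the sender in place of an acknowledgement.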

23
SecNet-IE tasks
  • Formalisation of TLP
  • Formalisation of the data/metadata models and
    processes
  • e.g. using ISO/IEC 11179, Metadata registries
  • Design of a tentative architecture
  • Development of a prototype
  • Collaboration with the European Working Group on
    SCADA and Control Systems Information Exchange
    (E-SCSIE)

24
Thanks