563.7 Critical Infrastructure Protection - PowerPoint PPT Presentation

563.7 Critical Infrastructure Protection Presented by: Carl A. Gunter University of Illinois Spring 2006 Outline Complex systems Threats to critical infrastructure ... – PowerPoint PPT presentation

Slides: 50
Provided by: csUiucEd
1
563.7 Critical Infrastructure Protection
  • Presented by Carl A. Gunter
  • University of Illinois
  • Spring 2006

2
Outline
  • Complex systems
  • Threats to critical infrastructure
  • Networked control systems
  • The power grid
  • Trustworthy Cyber-Infrastructure for Power (TCIP)

3
Outline
  • Complex systems
  • Threats to critical infrastructure
  • Networked control systems
  • The power grid
  • Trustworthy Cyber-Infrastructure for Power (TCIP)

4
Examples of Systems
  • Transportation
  • Financial
  • Energy
  • Human health
  • Agricultural health
  • Communication
  • Cities and fixed infrastructure

5
Presidential Decision Directive 63
  • Critical infrastructures are those physical and
    cyber-based systems essential to the minimum
    operations of the economy and government. They
    include, but are not limited to,
    telecommunications, energy, banking and finance,
    transportation, water systems and emergency
    services, both governmental and private.
  • Many of the nation's critical infrastructures
    have historically been physically and logically
    separate systems that had little interdependence.
    As a result of advances in information
    technology and the necessity of improved
    efficiency, however, these infrastructures have
    become increasingly automated and interlinked.
  • These same advances have created new
    vulnerabilities to equipment failure, human
    error, weather and other natural causes, and
    physical and cyber attacks. Addressing these
    vulnerabilities will necessarily require
    flexible, evolutionary approaches that span both
    the public and private sectors, and protect both
    domestic and international security.

PDD 63 98
6
Interdependency of Systems
Heller 02 from NRC 02
7
Dependency on Network-Based Systems
  • Key conclusions from NIAC report
  • Dependency on network-based systems is pervasive
    across all sectors. Critical components of our
    national infrastructure rely on a variety of
    network-based systems.
  • Each critical sector surveyed identified
    dependency on one or two sectors.
  • The answer to the question "are we ranking our
    critical infrastructures as to their
    vulnerability to cyber attacks" is multi-faceted.
    The degree that any sector is vulnerable is
    dependent upon a number of characteristics: type
    of attack, scope of impact, time of attack,
    duration of outage.
  • Sound business continuity practices, as well as
    information technology and cyber security best
    practices, provide some protection.

NIAC 04
8
Outline
  • Complex systems
  • Threats to critical infrastructure
  • Networked control systems
  • The power grid
  • Trustworthy Cyber-Infrastructure for Power (TCIP)

9
For Want of a Nail
For want of a nail the shoe was lost.
For want of a shoe the horse was lost.
For want of a horse the rider was lost.
For want of a rider the battle was lost.
For want of a battle the kingdom was lost.
And all for the want of a horseshoe nail.
10
Identifying Vulnerabilities
  • Secure the mechanisms of the Internet
  • Improve security and reliability of key
    protocols: IP, DNS, BGP.
  • Routing address verification, management.
  • Management
  • Foster trusted DCS and SCADA systems.
  • Reduce and remediate software vulnerabilities
  • Understand infrastructure interdependency and
    improve physical security of cyber systems and
    telecommunications

National Strategy to Secure Cyberspace 03
11
Impact Assessment
NIAC 04
12
Attacks on the Internet
  • Mar 99: Melissa Virus
      • infected 1.2 million machines and cost $80M
  • Feb 00: DoS attack
      • shut down Yahoo, Amazon, ETrade, eBay, CNN.com
      • Yahoo costs alone estimated at $116K
  • Jul 01: Code Red and Sep 01: Nimda
      • Code Red infected 359K computers in less than 14
        hours
      • Estimated $3B lost world-wide because of these
        two worms

CSTB 03 IT for Counterterrorism
13
Executive Order
  • The information technology revolution has changed
    the way business is transacted, government
    operates, and national defense is conducted.
  • Those three functions now depend on an
    interdependent network of critical information
    infrastructures.
  • The protection program authorized by this order
    shall consist of continuous efforts to secure
    information systems for critical infrastructure,
    including emergency preparedness communications,
    and the physical assets that support such
    systems.
  • Protection of these systems is essential to the
    telecommunications, energy, financial services,
    manufacturing, water, transportation, health
    care, and emergency services sectors.

Executive Order on Critical Infrastructure
Protection 2001
14
Research Plans
  • Many groups have proposed agendas for research
    related to CIP
  • Case study: 2004 National Critical Infrastructure
    Protection R&D Plan by DHS
  • Three strategic goals
      • National Common Operating Picture (NCOP)
      • Next-Generation architecture with designed-in
        security
      • Resilient, self-diagnosing, self-healing systems
  • Eight themes to contribute to the strategic goals

15
(No Transcript)
16
(No Transcript)
17
(No Transcript)
18
Outline
  • Complex systems
  • Threats to critical infrastructure
  • Networked control systems
  • The power grid
  • Trustworthy Cyber-Infrastructure for Power (TCIP)

19
Modern Control Systems
  • Three generations
      • Analog control systems
          • Technology: Electronic feedback amplifiers
          • Theory: Frequency domain analysis
      • Digital control systems
          • Technology: Digital computers
          • Theory: Digital control, Kalman filters,
            real-time scheduling
      • Networked control systems
          • Technology: Computer networks
          • Technological Framework?
          • Theory?

20
UIUC Convergence Lab
P. R. Kumar
21
Typical Components
[Diagram: a Sensor Component, a Controller Component and an Actuator Component, each in its own Container. Labels: Sensor Device, Data Out, Data In, Control Law, Control Out, Control In, Actuator Device.]
Etherware framework implements this in testbed
22
SPSO
  • Principle of Safety Preserving Security Overrides
      • Higher-level security overrides must preserve
        lower-level safety features as far as possible
  • Rationale
      • Lower-level safety mechanisms provide fail-safe
        guarantees
          • E.g. low-level collision avoidance in testbed
      • Higher-level security overrides may not preserve
        such guarantees
          • E.g. global supervisor cannot prevent all
            collisions in the testbed

Baliga, Gunter, Kumar 05
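
The SPSO principle above as a toy simulation (an added example, not code from the presentation or from the Etherware testbed): a supervisor override is wired either around or through the low-level collision avoidance, and the smallest gap between two cars is compared. The one-dimensional track, all names and all constants are assumptions made for illustration.

```python
from dataclasses import dataclass

MIN_GAP = 1.0           # constructed safety margin between cars (track units)
DT = 0.1                # simulation step (s)
CONTROLLER_SPEED = 2.0  # constructed command from the car's own controller
SUPERVISOR_SPEED = 3.0  # constructed command the supervisor substitutes on override

@dataclass
class Car:
    pos: float
    speed: float = 0.0

def collision_avoidance(cmd_speed: float, gap: float) -> float:
    """Low-level fail-safe: cap speed so one step cannot close the gap below MIN_GAP."""
    max_safe = max(0.0, (gap - MIN_GAP) / DT)
    return min(cmd_speed, max_safe)

def actuator_command(trusted: bool, gap: float, spso: bool) -> float:
    """Select the speed sent to the actuator.

    trusted: the supervisor still trusts the controller (no override).
    spso:    True  -> the override also passes through collision avoidance;
             False -> the override is wired straight to the actuator.
    """
    if trusted:
        return collision_avoidance(CONTROLLER_SPEED, gap)
    if spso:
        return collision_avoidance(SUPERVISOR_SPEED, gap)
    return SUPERVISOR_SPEED  # safety layer bypassed by the override

def simulate(spso: bool, steps: int = 100, override_at: int = 20) -> float:
    """Drive a follower toward a parked lead car; return the smallest gap seen."""
    lead, follower = Car(pos=10.0), Car(pos=0.0)
    min_gap = lead.pos - follower.pos
    for t in range(steps):
        gap = lead.pos - follower.pos
        follower.speed = actuator_command(t < override_at, gap, spso)
        follower.pos += follower.speed * DT
        min_gap = min(min_gap, lead.pos - follower.pos)
    return min_gap

if __name__ == "__main__":
    for spso in (False, True):
        gap = simulate(spso)
        print(f"spso={spso}: min gap {gap:.2f}, collision={gap < 0}")
```

The supervisor here issues its command without looking at the local gap, which stands in for the slide's point that a global supervisor cannot prevent all collisions by itself.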
23
Testbed Implementation
[Diagram: testbed components VisionSensor 1, VisionSensor 2, VisionServer, Supervisor, Controller 1, MessageFilter, Actuator 1. Legend: MessageStream, MulticastStream.]
Dukes of Hazard Demo
24
Experiment 1
No Collision Avoidance, No Security Override
25
Experiment 2
No Collision Avoidance, Security Override enabled
26
Experiment 3
Collision Avoidance enabled, No Security Override
27
Experiment 4
Collision Avoidance enabled, Security Override enabled
28
Safety Measure
29
Security Measure
30
Outline
  • Complex systems
  • Threats to critical infrastructure
  • Networked control systems
  • The power grid
  • Trustworthy Cyber-Infrastructure for Power (TCIP)

31
Power Grid Management
  • Principal concerns
      • Safety of personnel and the public
      • Reliable supply of energy to customers
      • Economical operation
  • Energy Management System (EMS) tasks
      • Generation control and scheduling
      • Network analysis
      • Operator training

Electrical Engineering Handbook Chap 16
32
(No Transcript)
33
SCADA for an EMS
  • Supervisory Control and Data-Acquisition
    Subsystem
      • Data acquisition: collection, processing,
        monitoring, special calculations, scan
        configuration control
      • Supervisory control: manual replacement of
        telemetered data, alarm inhibit/enable, reverse
        normal, bypass enter, tag/tag clear
      • Alarm display and control

34
User Interface Subsystem
  • Functions
      • Presentation of system data on visual displays
      • Entry of data into the EMS through a keyboard
      • Validation of data entry
      • Support of supervisory control procedures
      • Output of displays to a printer or other channel
      • Operator execution control of application
        programs
  • Display types
      • Menu or index displays
      • One-line schematic circuit diagrams
      • System overviews
      • Substation and generation displays
      • Transmission line displays
      • Summary displays
      • System configuration displays
      • Application program displays
      • Trend or plot displays
      • Disturbance data collection displays
      • Historical data storage displays
      • Report displays
      • Other displays

35
Other Subsystems
  • Communications
  • Information Management
  • Applications
  • Generation control

36
Control Areas
A multiple area system is one in which there are
many control areas, each with its own control
system, each normally adjusting its own
generation in response to load changes within its
own area. All the interconnected systems in the
United States and Canada operate on a
multiple-area basis.
37
Operating Objectives
  • Total generation of the interconnection as a
    whole must be matched, moment to moment, to the
    total prevailing customer demand.
      • This in itself is achieved by the self-regulating
        forces of the system.
  • Total generation of the interconnected system is
    to be allocated among the participating control
    areas so that each area follows its own load
    changes and maintains scheduled power flows over
    its interties with neighboring areas.
      • This objective is achieved by area regulation.
  • Within each control area, its share of total
    system generation is to be allocated among
    available area generating sources for optimum
    area economy, consistent with area security and
    environmental considerations.
      • This objective is achieved by economic dispatch,
        supplemented as required by security and
        environmental dispatch.

38
IntelliGrid Environments
39
Outline
  • Complex systems
  • Threats to critical infrastructure
  • Networked control systems
  • The power grid
  • Trustworthy Cyber-Infrastructure for Power (TCIP)

40
Smart, Responsive, and Self-Healing Grid
  • Building the Energy Internet, The Economist,
    March 11, 2004.
  • More and bigger blackouts lie ahead, unless
    today's dumb electricity grid can be transformed
    into a smart, responsive and self-healing digital
    network

Economist 04
41
TCIP Center
  • NSF/DHS/DOE CyberTrust Center scale activity:
    Trusted Cyber Infrastructure for Power (TCIP)
  • Lead: UIUC; other participants include Cornell,
    Dartmouth, and Washington State University

42
Present Infrastructure
[Diagram labels]
  • Peer coordinators may exchange information for
    broad model
  • Degree of sharing may change over time
  • 10s of control areas feed data to coordinator
  • Coordinator
  • State estimator creates model from RTU/IED data
  • 1000s of RTU/IEDs
  • Monitor and control generation and transmission
    equipment
  • Control Area
Photos courtesy of John D. McDonald, KEMA Inc.
43
Infrastructure Complexity
Edison Electric Institute 03
44
Challenges
  • Cross Cutting Issues
  • Large-scale, rapid propagation of effects
  • Need for adaptive operation
  • Need to have confidence in trustworthiness of
    resulting approach

45
Barriers
  • Inability to deliver accurate and timely
    monitoring and control data
  • Inability to share data in a trustworthy manner
  • Lack of situational awareness
  • Rapid propagation of errors, failures, attacks
  • Inability to adapt to changing environmental,
    fault, attack, and emergency situations

46
Architecture of the Power Grid
Technical challenges motivated by domain specific
problems in
Must be addressed by developing science in
Secure and Reliable Computing Base
Trustworthy infrastructure for data collection
and control
Wide-Area Trustworthy Information Exchange
Quantitative Validation
47
Fundamental Scientific Challenges
  • Embedded computing base to enforce trust
    properties
  • Efficient, timely and secure measurement and
    aggregation mechanisms
  • Adaptable performance/security policies for
    normal, attack, and emergency conditions
  • Scalable, tunable, inter-domain authorization
  • Fundamental principles for security in emergency
    conditions
  • Security metrics, multi-scale abstractions for
    measurement-based attack models to emulate real
    power grid scenarios

48
[Diagram: TCIP architecture by level]
  • Levels: Level 3 (Enterprise), Level 2 (Substation),
    Level 1 (IED), Level 0 (Sensors and actuators)
  • Components: Control Center (EMS) (two), LAN (two),
    Public/Private Internet, Vendor, Operator, RTU,
    Switched Ethernet LAN, IEDs, Sensors
  • Links: Dedicated Links (M/W, Fiber, Dialup, Leased
    Lines, etc.)
  • Other labels: Secure Languages (DAL), Trust
    Negotiation, Secure Information Distribution, AAA
    Control, QoS Mgmt, Secure and Timely Data
    Collection, Aggregation, and Monitoring, Secure
    Tunable Hardware
49
Inter-Domain Protocols
50
Sources of Interest
  • Computer Science and Telecommunications Board
    (CSTB): IT board associated with the NRC
  • Department of Homeland Security (DHS):
    Cabinet-level body in charge of CIP for the U.S.
  • National Infrastructure Advisory Council (NIAC):
    DHS council
  • Computer Emergency Response Team (CERT): Center
    at CMU