563'3 Critical Infrastructure Protection

1
563.3 Critical Infrastructure Protection

• Carl A. Gunter
• University of Illinois
• Fall 2007

2
Outline

• Complex systems
• Threats to critical infrastructure
• The power grid
• Secure Intelligent Electronic Devices (SIEDs)

3
Outline

• Complex systems
• Threats to critical infrastructure
• The power grid
• Secure Intelligent Electronic Devices (SIEDs)

4
Examples of Systems

• Transportation
• Financial
• Energy
• Human health
• Agricultural health
• Communication
• Cities and fixed infrastructure

5
Presidential Decision Directive 63

• Critical infrastructures are those physical and
  cyber-based systems essential to the minimum
  operations of the economy and government. They
  include, but are not limited to,
  telecommunications, energy, banking and finance,
  transportation, water systems and emergency
  services, both governmental and private.

PDD 63 98
6
Interdependence

• Many of the nation's critical infrastructures
  have historically been physically and logically
  separate systems that had little interdependence.
  As a result of advances in information
  technology and the necessity of improved
  efficiency, however, these infrastructures have
  become increasingly automated and interlinked.
• These same advances have created new
  vulnerabilities to equipment failure, human
  error, weather and other natural causes, and
  physical and cyber attacks. Addressing these
  vulnerabilities will necessarily require
  flexible, evolutionary approaches that span both
  the public and private sectors, and protect both
  domestic and international security.

7
(No Transcript)
8
Dependency on Network-Based Systems

• Key conclusions form NAIC report
• Dependency on network-based systems is pervasive
  across all sectors. Critical components of our
  national infrastructure rely on a variety of
  network-based systems.
• Each critical sector surveyed identified
  dependency on one or two sectors.
• The answer to the question are we ranking our
  critical infrastructures as to their
  vulnerability to cyber attacks is multi-faceted.
  The degree that any sector is vulnerable is
  dependent upon a number of characteristics type
  of attack, scope of impact, time of attack,
  duration of outage.
• Sound business continuity practices, as well as
  information technology and cyber security best
  practices, provide some protection.

NIAC 04
9
Outline

• Complex systems
• Threats to critical infrastructure
• The power grid
• Secure Intelligent Electronic Devices (SIEDs)

10
For Want of a Nail
For want of a nail the shoe was lost.For want of
a shoe the horse was lost.For want of a horse
the rider was lost.For want of a rider the
battle was lost.For want of a battle the kingdom
was lost.And all for the want of a horseshoe
nail.
11
Identifying Vulnerabilities

• Secure the mechanisms of the Internet
• Improve security and reliability of key
  protocols IP, DNS, BGP.
• Routing address verification, management.
• Management
• Foster trusted DCS and SCADA systems.
• Reduce and remediate software vulnerabilities
• Understand infrastructure interdependency and
  improve physical security of cyber systems and
  telecommunications

National Strategy to Secure Cyberspace 03
12
Impact Assessment
NIAC 04
13
Attacks on the Internet

• Mar 99 Melissa Virus
• infected 1.2 million machines and cost 80M
• Feb 00 DoS attack
• shut down Yahoo, Amazon, ETrade, eBay, CNN.com
• Yahoo costs alone estimated at 116K
• Jul 01 Code Red and Sep 01 Nimda
• Code Red infected 359K computers in less than 14
  hours
• Estimated 3B lost world-wide because of these
  two worms

CSTB 03 IT for Counterterrorism
14
Executive Order

• The information technology revolution has changed
  the way business is transacted, government
  operates, and national defense is conducted.
• Those three functions now depend on an
  interdependent network of critical information
  infrastructures.
• The protection program authorized by this order
  shall consist of continuous efforts to secure
  information systems for critical infrastructure,
  including emergency preparedness communications,
  and the physical assets that support such
  systems.
• Protection of these systems is essential to the
  telecommunications, energy, financial services,
  manufacturing, water, transportation, health
  care, and emergency services sectors.

Executive Order on Critical Infrastructure
Protection 2001
15
Research Plans

• Many groups have proposed agendas for research
  related to CIP
• Case study 2004 National Critical Infrastructure
  Protection RD Plan by DHS
• Three strategic goals
• National Common Operating Picture (NCOP)
• Next-Generation architecture with designed-in
  security
• Resilient, self-diagnosing, self-healing systems
• Eight themes to contribute to the strategic goals

16
(No Transcript)
17
(No Transcript)
18
(No Transcript)
19
Outline

• Complex systems
• Threats to critical infrastructure
• The power grid
• Secure Intelligent Electronic Devices (SIEDs)

20
Basic Structure of the Electric Grid
21
Objectives of Operation

• Balance power generation and demand continuously
• Balance reactive power supply and demand to
  maintain scheduled voltages
• Monitor flows over transmission lines and other
  facilities to ensure that thermal (heating)
  limits are not exceeded
• Keep the system in a stable condition

22
Objectives of Operation (Cont)

• Operate the system so that it remains in a
  reliable condition even if a contingency occurs,
  such as the loss of a key generator or
  transmission facility (the N-1 criterion)
• Plan, design, and maintain the system to operate
  reliably
• Prepare for emergencies

23
Interconnectivity
Edison Electric Institute 03
24
The 2003 Blackout

• Started August 14 around 4pm and lasted about 4
  days
• 50 million people were affected
• Total costs were estimated at more than 5 billion
  US dollars
• Computer failures involved but not sole cause

25
Control Systems, Computers, and Digital Networks

• Control systems are replacing electro-mechanical
  devices with networked computers
• Improved flexibility, reduced cost
• Trend in power distribution network Advanced
  Meter Infrastructure (AMI)
• Trend in power substations Intelligent
  Electronic Devices (IEDs) and Supervisory Control
  and Data Acquisition (SCADA)

26
IntelliGrid Environments
27
Outline

• Complex systems
• Threats to critical infrastructure
• The power grid
• Secure Intelligent Electronic Devices (SIEDs)

28
Networked Computers in Aircraft

• Current design isolates aircraft and provides two
  semi-isolated subsystems, one for control and one
  for entertainment
• Next generation will link entertainment network
  to Internet
• Future link the control system to the enterprise
  network.

Nick Multari Boeing/FAA
29
Generations of Networked Computers in Aircraft
No Computers
No Computers
Computer Control
30
Tradeoffs in Security and Performance

• Benefits
• Monitor airline health
• Update onboard information
• Update parts
• Drawbacks
• Enterprise network is typically attached to the
  Internet so the airplane control system may have
  broad exposure to attack
• Design issues about connecting devices that work
  in real-time to the Internet

31
Networked Computers in Power Substations
Scott Mix NERC/Kema
32
Power Substation Comm (Under Development)
33
Secure IEDs (SIEDs)

• A SIED is an IED that has sufficient security
  capabilities to be on the Internet
• Some (most?) IEDs currently produced are designed
  to handle some exposure
• Many experts fear this exposure advocate
  isolating IEDs or hiding them behind a perimeter
• This latter approach has many drawbacks
• Sacrifices potential defense in depth
• Mediated access increases complexity
• Access control decisions complicated
• SIEDs provide greatest defense and flexibility

34
SIED Project

• Use stock platforms Unix, Vista
• Use stock security protocols and software
  whenever possible SSL, IPsec, etc.
• Take account of the special demands on SIEDs
  within the IEC 61850 architecture

35
IEC 61850 Vision

• IEC 61850 offers an interoperation foundation for
  power substations
• Anticipated benefits
• Savings in configuration, setup, and maintenance
• New functions not possible with hard wires
• Reduced equipment costs by sharing

36
SIED Network Design Strategy
37
Core Design Challenge
No security / networking design has demonstrated
this contrasting combination of features
Authenticated Reliable Authorized Encrypted
Seconds and Megabits
Authenticated Reliable
38
IEC61850 Protocol Stack
ACSI Core Services
SMV
GOOSE
MMS (ISO/IEC 9506)
Application
ISO Presentation (ISO 9576)ASN.1 (ISO/IEC
8824/8825)
Presentation
ISO Session (ISO 8327)
Session
Transport
ISO Transport (ISO/IEC 8073)Transport Class 0
ISO Adapter (RFC 1006)
TLS (RFC 2246)
TCP (RFC 793)
IP (RFC 791)ARP (RFC 826)
Network
Data Link
Logical Link Control (ISO 8802), 802-3 Ethertype
Media Access Control (ISO 8803)
39
Experimental IEC61850 Protocol Stack
SMV
GOOSE
ACSI Core Services
Application
Web Services
Presentation
XML/SOAP
Transport
HTTP
TLS (RFC 2246)
IPsec
IPsec
TCP (RFC 793)
UDP
UDP
IP (RFC 791)ARP (RFC 826)
Network
IP
IP
Data Link
Logical Link Control (ISO 8802), 802-3 Ethertype
Media Access Control (ISO 8803)
40
Secure and Reliable LAN Multicast
Security Hub
1. SIED sets up tunnel to MR and negotiates
session keys 2. SIED sends message to hub using
its session key 3. Hub multicasts it to intended
recipients using their session keys
Zhang Grier Gunter King
41
Target Demonstration

• 100 SIEDs on a 1Gbps LAN
• lt4ms for substation multicast with typical
  substation traffic
• 500 Kbps and 25ms for technical support to SIEDs
  under no attack
• Gateway provides no protections except throttling
• Under full attack from Internet, internal
  substation operations are unaffected

42
Physical Architecture
43
Preliminary Test Results
44
Summary on SIEDs

• Control systems that exploit the Internet are
  likely in the future
• Secure end systems will be able to make the most
  of this development
• SIEDs are a potentially feasible concept for
  power substations
• Learn more about the SIED Project at
• http//seclab.uiuc.edu/sied

45
Conclusions

• Critical infrastructure protection is challenged
  by the increasing interdependence and automation
  of systems
• A diverse range of measures are required to
  provide suitable protection
• The power grid is a good case study in CIP and is
  important in its own right
• Secure IEDs can improve the protection level
  while aiding convenience