SCADA system


Safeguarding Information Intensive Critical
Infrastructures against novel types of emerging
failures
Sandro Bologna
ENEA – CAMO Modelling and Simulation Unit
CR Casaccia, 00060 Roma
[email protected]
Workshop on Safeguarding National Infrastructures:
Integrated Approaches to Failure in Complex Networks
Glasgow, 25-26 August, 2005
www.enea.it
RISK based approach

Risk = Threat x Vulnerabilities x Impact

Actors (environmental conditions, adversaries, insiders, terrorists, hackers...) are the source of the threat.
Weaknesses magnify the threat potential.
Countermeasures reduce the threat potential.
Effects magnify the entire problem.

Extension of the concept of Risk Assessment to Critical Infrastructure
(originally elaborated from Manuel W. Wik "Revolution in Information Affairs")

Where the two ENEA activities act on this model:
ENEA FaMoS MULTIMODELLING APPROACH FOR VULNERABILITY ANALYSIS AND ASSESSMENT (the Vulnerabilities term)
ENEA SAFEGUARD approach to reduce threat potential against existing SCADA (the Countermeasures term)
Layered networks model

Three layers, with intradependency inside each layer and interdependency between layers:
Organisational Infrastructure
Cyber Infrastructure
Physical Infrastructure

Three Layers Model for the Electrical Infrastructure
Organisational layer: Electrical Power Operators; Independent System Operator for electricity planning and transmission
Cyber layer: Control and supervisory hardware/software components (SCADA/EMS systems)
Physical layer: Electrical Components (generators, transformers, breakers, connecting cables etc.) of the National Electrical Power Transmission Infrastructure
Inter-dependencies with other infrastructures: Telecommunication Infrastructure, Foreign Electrical Transmission Infrastructure, Oil/Gas Transport System Infrastructure
US CANADA BLACK-OUT: Power System Outage Task Force Interim Report (figure)

General layout of typical control and supervisory infrastructure of the electrical grid (figure)
Control and management layer (SCADA system): CNC, CC, SIA-C and SIA-R nodes in Area 1, Area 2 and Area 3, connected over a WAN (Wide Area Network)
Data management network: Control Centres, Data Concentrators, Remote Units
Physical electrical layer (high-medium voltage): Physical Network, Substations, Generators, Loads
NEW VULNERABILITIES
Governments and industry organizations have recognized that all the automation systems collectively referred to as SCADA are potential targets of attack from hackers, disgruntled insiders, cyberterrorists, and others that want to disrupt national infrastructures.
SCADA networks have moved from proprietary, closed networks to the arena of information technology, with all its cost and performance benefits and IT security challenges.
A number of efforts are underway to retrofit security onto existing SCADA networks.
NEW RISKS TO SCADA
1. Adoption of standardized technologies with known vulnerabilities
2. Connectivity of control systems to other networks
3. Constraints on the use of existing security technologies and practices due to the old technology used
4. Insecure remote connections
5. Widespread availability of technical information about control systems
SCADA Security Incidents between 1995 and 2003 (source Eric Byres BCIT)
SCADA Security Incidents by Type (source Eric Byres BCIT)
SCADA External security incidents by entry point (source Eric Byres BCIT)
SAFEGUARD ARCHITECTURE
Safeguard agent Architecture for Large Complex Critical Infrastructures (LCCIs) (figure)

Low-level agents (local nodes protection), deployed on the Cyber Layer of the Electricity Network of the Home LCCI: Hybrid Anomaly Detection agents, Intrusion Detection wrappers, Diagnosis wrappers, Actuators
High-level agents (network global protection): Correlation agent, Topology agent, Action agent, Negotiation agent, MMI agent
Other LCCIs connected to the Home LCCI: Foreign Electricity Networks, Telecommunication Networks
Diagram legend: links carrying commands and information; links carrying information only
SAFEGUARD ARCHITECTURE
At Level 1 – identify component failure or attack in progress
Hybrid anomaly detection agents (low-level agents) utilise algorithms specialised in detecting deviations from normality. Signature-based algorithms are used to classify failures based on accumulated functional behaviour.
SAFEGUARD ARCHITECTURE
At Level 2: correlate different kinds of information
Correlation and Topology agents (high-level agents) correlate the diagnoses coming from the low-level agents.
Action agent replaces functions of failed components.
SAFEGUARD ARCHITECTURE
At Level 3: operator decision support
MMI agent supports the operator in the reconfiguration strategy.
Negotiation agent supports the negotiation of recovery policies with other interdependent LCCIs.
An example of Safeguard Agents (figure)
Low-level agents (Home LCCI): Wrapper agents, ECHD (Event Course Hybrid Detector) agent, DMA (Data Mining Agent), Hybrid detector agents, Actuator(s)
High-level agents: Correlation agent(s), Topology agent, Action agent(s), Negotiation agent (towards Other LCCIs), MMI
ECHD (Event Course Hybrid Detector) Agent
Prologue
- The Event Course Hybrid Detector extracts information about a certain process from the sequence of events generated by that process.
- It may or may not recognise a sequence of events; the sequences it recognises have been learned partly from information captured from the expert of the process and partly in an on-field training phase.
- When it recognises a sequence it also associates an anomaly level with the sequence (timing discordance from the learned one).
SCADA System Configuration for the Italian Transmission Electrical Network (GRTN-ABB), with ECHD agents placed at the monitored nodes (figure)

RECOGNISING A PROCESS FROM THE SEQUENCE OF EVENTS IT PRODUCES
The SCADA system is instrumented with "Sensors": starting from the processing of a Telemeasure (t0), the process emits the events E(t1), E(t2), E(t3), E(t4), E(t5), E(t6), and the ECHD recognises the process from that sequence and its timing.
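The following is an added illustration of how an ECHD-style detector can work; it is not code from the SAFEGUARD project. It takes the expert-supplied part of the model (the order of events in the "processing of a telemeasure" course: start at t0, then E1..E6), learns the inter-event timing from a constructed on-field training set, and on recognising a sequence returns an anomaly level computed from the timing discordance. A sequence with a different event order is reported as unknown rather than anomalous. The event names, the nominal gaps, the jitter values and the anomaly threshold of 3 standard deviations are all assumptions of the example.

```python
# Added illustration of an ECHD-style detector (not SAFEGUARD project code).
# Event names, gap values, jitter and the anomaly threshold are constructed.
from dataclasses import dataclass, field
from statistics import mean, pstdev

Event = tuple[str, float]  # (event name, timestamp in seconds)

# Expert-supplied part of the model: the order of events in the course
# "processing of a telemeasure": start at t0, then sensors E1..E6.
TELEMEASURE_ORDER = ["start", "E1", "E2", "E3", "E4", "E5", "E6"]
BASE_GAPS = [0.10, 0.05, 0.20, 0.05, 0.30, 0.10]   # nominal seconds between consecutive events
JITTERS = [-0.01, 0.0, 0.01, 0.005, -0.005]        # per-run timing jitter of the training traces


@dataclass
class Course:
    """A learned event course: ordered event names plus per-gap timing statistics."""
    name: str
    order: list[str]
    gap_mean: list[float] = field(default_factory=list)
    gap_std: list[float] = field(default_factory=list)

    def train(self, traces: list[list[Event]]) -> None:
        """On-field training phase: learn the inter-event gaps from normal traces."""
        gaps_per_step: list[list[float]] = [[] for _ in range(len(self.order) - 1)]
        for trace in traces:
            names = [n for n, _ in trace]
            if names != self.order:
                raise ValueError(f"training trace {names} does not follow course {self.order}")
            for i in range(len(trace) - 1):
                gaps_per_step[i].append(trace[i + 1][1] - trace[i][1])
        self.gap_mean = [mean(g) for g in gaps_per_step]
        # Floor on the spread so a perfectly regular training set does not
        # turn every later micro-deviation into an infinite anomaly level.
        self.gap_std = [max(pstdev(g), 1e-3) for g in gaps_per_step]

    def recognise(self, trace: list[Event]) -> tuple[bool, float]:
        """Return (recognised, anomaly_level).

        recognised is False when the observed event order is not the learned
        one (an unknown sequence).  Otherwise anomaly_level is the largest
        z-score of any inter-event gap against the learned timing, so 0.0 is a
        perfect timing match and large values mean strong timing discordance.
        """
        names = [n for n, _ in trace]
        if names != self.order:
            return False, float("inf")
        level = 0.0
        for i in range(len(trace) - 1):
            gap = trace[i + 1][1] - trace[i][1]
            level = max(level, abs(gap - self.gap_mean[i]) / self.gap_std[i])
        return True, level


def make_trace(gaps: list[float], t0: float = 0.0) -> list[Event]:
    """Constructed sensor trace: 'start' at t0, then E1..E6 separated by the given gaps."""
    t, trace = t0, [("start", t0)]
    for name, gap in zip(TELEMEASURE_ORDER[1:], gaps):
        t += gap
        trace.append((name, t))
    return trace


def build_telemeasure_detector() -> Course:
    """Expert-specified order, trained on constructed normal runs."""
    course = Course("telemeasure", TELEMEASURE_ORDER)
    course.train([make_trace([g + j for g in BASE_GAPS]) for j in JITTERS])
    return course


def classify(course: Course, trace: list[Event], threshold: float = 3.0) -> str:
    """'unknown' if the sequence is not recognised, else 'normal'/'anomalous' by timing."""
    recognised, level = course.recognise(trace)
    if not recognised:
        return "unknown"
    return "anomalous" if level > threshold else "normal"


if __name__ == "__main__":
    det = build_telemeasure_detector()
    slow = BASE_GAPS[:-1] + [0.80]          # E5 -> E6 takes 0.80 s instead of 0.10 s
    swapped = [("start", 0.0), ("E2", 0.10), ("E1", 0.15)] + make_trace(BASE_GAPS)[3:]
    for label, trace in [("nominal", make_trace(BASE_GAPS)), ("slow E6", make_trace(slow)),
                         ("E1/E2 swapped", swapped), ("truncated", make_trace(BASE_GAPS)[:3])]:
        print(f"{label:14s} -> {classify(det, trace)}")
```

The distinction between "unknown" and "anomalous" matters operationally: a recognised course with a timing discordance is a process that is running but degraded (or being tampered with), while an unrecognised order is either a process the detector was never trained on or a genuinely new failure mode, and the two call for different correlation downstream. The std-dev floor is there because training traces captured on a quiet network can be almost perfectly regular, which would otherwise make every later run look anomalous.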
DMA (Data Mining) Agent
Prologue
- Data Mining is the extraction of implicit, previously unknown, and potentially useful information from data.
- A Data Miner is a computer program that sifts through data seeking regularities or patterns.
- Obstructions: noise (the agent intercepts without distinction everything that happens in the network) and computational complexity (as a consequence, permanent monitoring of the traffic is impossible if SCADA functionality is not to be jeopardised).
SCADA System Configuration for the Italian Transmission Electrical Network (GRTN-ABB), with DMA agents placed at the monitored nodes (figure)
DMA (Data Mining) Agent
Use of Data Mining techniques in the Safeguard project
- The DMA observes the TCP packets flowing through the port used by the message broker of the SCADA system emulator.
- After a learning phase, the DMA should be able to discriminate between normal packet sequences and anomalous ones, raising an alarm in the latter case.
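As an added example (not SAFEGUARD project code), the block below implements one simple way to realise the DMA described above: during the learning phase it records every n-gram of message types seen on the broker port, and during detection it scores a bounded window of live traffic by the fraction of n-grams it has never seen, alarming above a ratio. It also shows the two obstructions from the prologue being handled: packets to other ports are filtered out as noise, and inspection is done per sampled window rather than on the full stream. The broker port 9901, the message types, the packet addresses and the 0.3 alarm ratio are assumptions of the example; the traffic is constructed.

```python
# Added illustration of a DMA-style traffic model (not SAFEGUARD project code).
# The packet records, message types and the broker port 9901 are constructed.
from collections import Counter
from dataclasses import dataclass

BROKER_PORT = 9901  # assumed TCP port of the SCADA message broker (not from the slides)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    msg: str  # message type carried in the TCP payload, e.g. "POLL", "MEAS", "CMD"


class DataMiningAgent:
    """Learns the n-grams of message types seen on the broker port, then alarms
    when a window of live traffic is dominated by n-grams never seen in training."""

    def __init__(self, n: int = 3, alarm_ratio: float = 0.3) -> None:
        self.n = n
        self.alarm_ratio = alarm_ratio
        self.known: Counter = Counter()
        self.learning = True

    @staticmethod
    def on_broker_port(packets: list[Packet]) -> list[str]:
        """Noise filter: the agent sees everything on the net, but only the
        broker conversation is modelled.  Returns the message-type sequence."""
        return [p.msg for p in packets if p.dport == BROKER_PORT]

    def _grams(self, msgs: list[str]) -> list[tuple[str, ...]]:
        return [tuple(msgs[i:i + self.n]) for i in range(len(msgs) - self.n + 1)]

    def learn(self, packets: list[Packet]) -> None:
        """Learning phase: every n-gram observed now is considered normal."""
        if not self.learning:
            raise RuntimeError("learning phase is over")
        self.known.update(self._grams(self.on_broker_port(packets)))

    def finish_learning(self) -> None:
        self.learning = False

    def score(self, packets: list[Packet]) -> float:
        """Fraction of n-grams in this window that were never seen while learning
        (0.0 = entirely familiar traffic, 1.0 = nothing in it was ever seen)."""
        grams = self._grams(self.on_broker_port(packets))
        if not grams:
            return 0.0
        return sum(1 for g in grams if g not in self.known) / len(grams)

    def inspect(self, packets: list[Packet]) -> bool:
        """Detection phase: True means raise an alarm for this window.  Windows are
        bounded (the caller samples the stream), so the agent never has to keep up
        with the full traffic rate, which the slides note would jeopardise SCADA."""
        if self.learning:
            raise RuntimeError("cannot inspect before the learning phase is finished")
        return self.score(packets) > self.alarm_ratio


def broker(msg: str) -> Packet:
    return Packet("10.0.0.5", "10.0.0.1", BROKER_PORT, msg)


def noise(msg: str = "HTTP") -> Packet:
    return Packet("10.0.0.9", "10.0.0.1", 80, msg)


# Constructed normal broker cycle: two poll/measure/ack rounds, then a command.
NORMAL_CYCLE = ["POLL", "MEAS", "ACK", "POLL", "MEAS", "ACK", "CMD", "CMDACK", "POLL", "MEAS", "ACK"]
TRAINING_TRAFFIC = [broker(m) for m in NORMAL_CYCLE * 20]
# Live windows: a normal cycle with unrelated web traffic interleaved, and a command flood.
NORMAL_WINDOW = [noise()] + [broker(m) for m in NORMAL_CYCLE[:5]] + [noise()] + [broker(m) for m in NORMAL_CYCLE[5:]]
FLOOD_WINDOW = [broker(m) for m in ["POLL", "MEAS", "ACK"] + ["CMD"] * 5 + ["CMDACK"]]


def build_trained_agent() -> DataMiningAgent:
    agent = DataMiningAgent(n=3, alarm_ratio=0.3)
    agent.learn(TRAINING_TRAFFIC)
    agent.finish_learning()
    return agent


if __name__ == "__main__":
    dma = build_trained_agent()
    for label, window in [("normal", NORMAL_WINDOW), ("cmd flood", FLOOD_WINDOW), ("web only", [noise()] * 5)]:
        print(f"{label:10s} unseen-ratio={dma.score(window):.2f} alarm={dma.inspect(window)}")
```

The weak point of any learned-normal model is the learning phase itself: if an attacker is already on the broker port while the DMA is learning, their traffic becomes "normal". In practice the training capture should be taken from a period that has been independently verified as clean, and the learned n-gram set should be reviewed by someone who knows the broker protocol before `finish_learning()` is called.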
The Safeguard approach
(a Middleware on top of existing SCADA Systems, or just a retrofitted add-on device attached to the existing SCADA)

RETROFITTED ADD-ON SOLUTION (figure)
Safeguarding SCADA Systems: the Safeguard agents (Anomaly Detectors, Correlators, Actuators) are attached to the SCADA System and to each RTU (Remote Terminal Unit) through a Safe Bus API Interface on the Safe Bus.
Design constraints:
- Utilities have significant investment in SCADA equipment. SCADA and similar control equipment are designed to have significant lifetimes. Protection mechanisms should not be developed that require major replacement of existing equipment in the near term.
- Because of the limited capabilities of the SCADA processors, protection mechanisms should be implemented as a retrofitted add-on device.
- SCADA systems are designed for frequent (near real-time) status updates. Protection mechanisms should not reduce the performance (reading frequency, transmission delay, computation) below an acceptable level.
HOW SAFEGUARD MIGHT SUPPORT MANAGING MAJOR SYSTEMS OUTAGE

ITALY BLACK-OUT: NETWORK STATE OVERVIEW & ROOT CAUSES
(From UCTE Interim Report)
Event tree from the UCTE report (figure): pre-incident network in n-1 secure state; island operation fails due to unit tripping (time labels in the tree: 1-2 minutes, 24 minutes).
In the SAFEGUARD system the Correlator agent intercepts anomalies and failures inside the sequence of events, and the Action agent tries to re-execute the unsuccessful commands.
SAFEGUARD might help to recognise the anomaly state and call for adequate countermeasures.
COORDINATION PROBLEMS BETWEEN SYSTEM OPERATORS
(From UCTE Interim Report)
In this specific case ETRANS needs, as corrective measures which are necessary to comply with the N-1 rule, also action to be undertaken in the Italian system.
This was confirmed by the check list available to the ETRANS operators, which explicitly mentions that, in case of loss of Mettlen-Lavorgo, the operator should call GRTN, inform GRTN about the loss of the line, request for the pumping to be shut down, generation to be increased in Italy. This clause is mentioned in Italian on the ETRANS checklist for this incident.

SAFEGUARD makes available a Negotiation Agent in charge of coordination among different operators.
US CANADA BLACK-OUT
(From the Power System Outage Task Force Interim Report)

The "State Estimation" tool does not work in the regular way because a critical piece of information (a line connection status) is not correctly acquired by the SCADA system. The data used by the State Estimator could be corrupted by an attack or by a fault inside the SCADA system.
Task Force Interim Report: "On August 14 at about 12:15 EDT, MISO's state estimator produced a solution with a high mismatch (outside the bounds of acceptable error). This was traced to an outage of Cinergy's Bloomington-Denois Creek 230-kV line—although it was out of service, its status was not updated in MISO's state estimator."
A SAFEGUARD anomaly detection agent has the duty to verify the correctness level of the data that must be used by the State Estimator. If the State Estimation tool knows which data can be considered "good" or "bad", it has the capability to furnish a more correct state of the network.

Task Force Interim Report: "2A) 14:14 EDT: FE alarm and logging software failed. Neither FE's control room operators nor FE's IT EMS support personnel were aware of the alarm failure."
The alarm system of the FirstEnergy electrical company does not work correctly and the operators are not aware of this situation.
The Safeguard Correlator agent could detect failures inside the alarm system by correlating the sequences of signals flowing from the RTUs towards the Control Centres.
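The two blackout slides above each describe a check without showing what it would compute. The block below is an added example, not SAFEGUARD project code and not taken from the Task Force report, of both: (1) grading a line status as "good", "suspect" or "bad" before the State Estimator uses it, by comparing the status flag with independent RTU evidence (breaker positions and telemetered flow), which is the kind of mismatch behind the Bloomington-Denois Creek case; and (2) detecting a silently failed alarm system by correlating alarm-worthy RTU events with the alarm log, which is how the FE alarm failure looks from outside the EMS. Except for the one line name quoted on the slide, all line names, RTU names, event times, the 0.5 MW flow floor, the 10 s alarm deadline and the three-event silence rule are constructed assumptions.

```python
# Added illustration of two SAFEGUARD-style correlation checks (not project code
# and not from the Task Force report).  Line names other than the one quoted on
# this slide, RTU names, event times, thresholds and the alarm deadline are constructed.
from dataclasses import dataclass

FLOW_NOISE_MW = 0.5      # assumed: below this the line carries no measurable flow
ALARM_DEADLINE_S = 10.0  # assumed: an alarm-worthy RTU event must be alarmed within 10 s
SILENT_EVENTS = 3        # assumed: consecutive unalarmed events before declaring the alarm system dead


@dataclass(frozen=True)
class LineSample:
    line: str
    se_status: str                     # status as fed to the State Estimator: "IN" or "OUT"
    breakers_closed: tuple[bool, ...]  # breaker positions reported independently by the terminal RTUs
    flow_mw: float                     # telemetered active power on the line


def grade_line_data(samples: list[LineSample]) -> dict[str, str]:
    """Grade each line status as 'good', 'suspect' or 'bad' before the State
    Estimator uses it, by checking it against the RTU breaker positions and flow."""
    grades = {}
    for s in samples:
        energised = all(s.breakers_closed)
        carrying = abs(s.flow_mw) > FLOW_NOISE_MW
        if s.se_status == "IN" and not energised:
            grades[s.line] = "bad"        # SE believes in service; the RTUs report it open
        elif s.se_status == "OUT" and (energised or carrying):
            grades[s.line] = "bad"        # SE believes out of service; it is closed in or loaded
        elif s.se_status == "IN" and not carrying:
            grades[s.line] = "suspect"    # closed but no flow: lightly loaded or stale telemetry
        else:
            grades[s.line] = "good"
    return grades


@dataclass(frozen=True)
class RtuEvent:
    t: float            # seconds into the observation window
    rtu: str
    point: str
    alarm_worthy: bool  # a breaker trip is; a routine telemetry update is not


@dataclass(frozen=True)
class AlarmRecord:
    t: float
    rtu: str
    point: str


def _alarmed(e: RtuEvent, alarms: list[AlarmRecord], deadline: float) -> bool:
    return any(a.rtu == e.rtu and a.point == e.point and 0.0 <= a.t - e.t <= deadline for a in alarms)


def unalarmed_events(events, alarms, deadline=ALARM_DEADLINE_S) -> list[RtuEvent]:
    """Alarm-worthy RTU events that produced no alarm within the deadline."""
    return [e for e in events if e.alarm_worthy and not _alarmed(e, alarms, deadline)]


def alarm_system_failed(events, alarms, deadline=ALARM_DEADLINE_S, silent_events=SILENT_EVENTS):
    """Correlate the RTU event stream with the alarm log.  Returns (failed, t_first_silent):
    the alarm system is declared failed once `silent_events` consecutive alarm-worthy
    events go unalarmed, which is how a silently dead alarm processor looks from outside."""
    run, first = 0, None
    for e in sorted(events, key=lambda ev: ev.t):
        if not e.alarm_worthy:
            continue
        if _alarmed(e, alarms, deadline):
            run, first = 0, None
            continue
        run += 1
        first = e.t if first is None else first
        if run >= silent_events:
            return True, first
    return False, None


# Constructed samples.  The first line is the one named in the Task Force report,
# with constructed values that reproduce the described mismatch.
SAMPLE_LINES = [
    LineSample("Bloomington-Denois Creek 230-kV", "IN", (False, False), 0.0),
    LineSample("Line-A", "IN", (True, True), 120.0),
    LineSample("Line-B", "OUT", (False, False), 0.0),
    LineSample("Line-C", "IN", (True, True), 0.1),
]
SAMPLE_EVENTS = [
    RtuEvent(0.0, "RTU-1", "BRK-12", True),     # trip, alarmed 2 s later
    RtuEvent(30.0, "RTU-2", "MEAS-7", False),   # routine telemetry, never alarmed
    RtuEvent(100.0, "RTU-3", "BRK-40", True),   # from here on the alarm processor is silent
    RtuEvent(130.0, "RTU-1", "BRK-13", True),
    RtuEvent(160.0, "RTU-4", "BRK-02", True),
]
SAMPLE_ALARMS = [AlarmRecord(2.0, "RTU-1", "BRK-12")]


if __name__ == "__main__":
    print(grade_line_data(SAMPLE_LINES))
    print([e.point for e in unalarmed_events(SAMPLE_EVENTS, SAMPLE_ALARMS)])
    print(alarm_system_failed(SAMPLE_EVENTS, SAMPLE_ALARMS))
```

Both checks depend on the correlator having a data path that does not go through the component being checked: the breaker positions must come from the RTUs directly, not from the State Estimator's own input, and the RTU event stream must be tapped before the alarm processor, otherwise a failure in the monitored component silences the evidence too. That is the practical reason the slides put the anomaly detectors on the Safe Bus beside the RTUs rather than inside the control centre software.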
CONCLUSIONS
INCREASING NEED TO TRANSFORM TODAY'S CENTRALISED, DUMB NETWORKS INTO SOMETHING CLOSER TO SMART, DISTRIBUTED CONTROL NETWORKS.
INCREASING NEED OF INTELLIGENT DATA INTERPRETATION TO CAPTURE NOVELTIES AND PROVIDE OPERATORS WITH EARLY WARNINGS.
MULTI-AGENT SYSTEM TECHNOLOGY, COMBINED WITH INTELLIGENT SYSTEMS, CAN BE USED TO AUTOMATE THE FAULT DIAGNOSIS ACTIVITY AND TO SUPPORT OPERATORS IN THE RECOVERY POLICIES.
SAFEGUARD MULTI-AGENT SYSTEM TECHNOLOGY CAN WORK IN AN AUTONOMOUS MANNER AS AN ADD-ON SYSTEM, THE AGENTS INTERACTING BOTH WITH THEIR ENVIRONMENT AND WITH ONE ANOTHER.
International Workshop on
Complex Network and Infrastructure Protection
CNIP 2006
March 28-29, 2006 - Rome, Italy
http://ciip.casaccia.enea.it/cnip/