Title: GLASGOW 2005
Slide 1: Safeguarding Information Intensive Critical Infrastructures against novel types of emerging failures
Sandro Bologna, ENEA CAMO Modelling and Simulation Unit, CR Casaccia, 00060 Roma, bologna_at_casaccia.enea.it
Workshop on Safeguarding National Infrastructures: Integrated Approaches to Failure in Complex Networks, Glasgow, 25-26 August, 2005
Slide 2: www.enea.it
Slide 3: RISK based approach
Risk = Threat x Vulnerabilities x Impact
Threat: actors (environmental conditions, adversaries, insiders, terrorists, hackers)
Vulnerabilities: weaknesses magnify threat potential
Impact: effects magnify the entire problem
Countermeasures reduce threat potential
Extension of the concept of Risk Assessment to Critical Infrastructure (originally elaborated from Manuel W. Wik, Revolution in Information Affairs)
Slide 4: RISK based approach (same diagram as slide 3)
ENEA FaMoS MULTIMODELLING APPROACH FOR VULNERABILITY ANALYSIS AND ASSESSMENT
Slide 5: RISK based approach (same diagram as slide 3)
ENEA SAFEGUARD approach to reduce threat potential against existing SCADA
Slide 6: Layered networks model (diagram: Cyber-Infrastructure and Physical Infrastructure layers, with intra-dependency links)
Slide 7: Three Layers Model for the Electrical Infrastructure
Slide 8: US CANADA BLACK-OUT (Power System Outage Task Force Interim Report)
Slide 9: General layout of typical control and supervisory infrastructure of the electrical grid (diagram; physical electrical layer, high-medium voltage)
Slide 10: NEW VULNERABILITIES
- Governments and industry organizations have recognized that all the automation systems collectively referred to as SCADA are potential targets of attack from hackers, disgruntled insiders, cyberterrorists, and others that want to disrupt national infrastructures
- SCADA networks have moved from proprietary, closed networks to the arena of information technology, with all its cost and performance benefits and IT security challenges
- A number of efforts are underway to retrofit security onto existing SCADA networks
Slide 11: NEW RISKS TO SCADA
- Adoption of standardized technologies with known vulnerabilities
- Connectivity of control systems to other networks
- Constraints on the use of existing security technologies and practices due to the old technology used
- Insecure remote connections
- Widespread availability of technical information about control systems
Slide 12: SCADA Security Incidents between 1995 and 2003 (source Eric Byres, BCIT)
Slide 13: SCADA Security Incidents by Type (source Eric Byres, BCIT)
Slide 14: SCADA External security incidents by entry point (source Eric Byres, BCIT)
Slide 15: SAFEGUARD ARCHITECTURE (diagram: network global protection, local nodes protection)
Slide 16: SAFEGUARD ARCHITECTURE
- At Level 1 identify component failure or attack in progress
- Hybrid anomaly detection agents utilise algorithms specialised in detecting deviations from normality. Signature-based algorithms are used to classify failures based on accumulated functional behaviour.
Diagram: high-level agents (Negotiation agent, MMI agent); low-level agents for local nodes protection (Diagnosis wrappers, Intrusion Detection wrappers, Hybrid Anomaly Detection agents); Cyber Layer of Electricity Network, Home LCCI; arrows marked "commands and information" or "information only"
Slide 17: SAFEGUARD ARCHITECTURE
- At Level 2 correlate different kinds of information
- Correlation and Topology agents correlate diagnoses
- Action agent replaces functions of failed components
Diagram: high-level agents (Correlation agent, Action agent, Topology agent); low-level agents for local nodes protection (Diagnosis wrappers, Intrusion Detection wrappers, Hybrid Anomaly Detection agents, Actuators); Cyber Layer of Electricity Network, Home LCCI; Other LCCIs (Foreign Electricity Networks, Telecommunication Networks); arrows marked "commands and information" or "information only"
Slide 18: SAFEGUARD ARCHITECTURE
- At Level 3 operator decision support: the MMI agent supports the operator in the reconfiguration strategy; the Negotiation agent supports negotiating recovery policies with other interdependent LCCIs.
Diagram: network global protection, local nodes protection
Slide 19: An example of Safeguard Agents
Diagram: high-level agents (MMI, Negotiation agent, Topology agent, Correlation agent, Action agent, Correlation agent(s), Action agent(s)); low-level agents (Hybrid detector agents: EDHD, ECHD, DMA; Wrapper agents; Actuator(s)); Home LCCI; Other LCCIs
Slide 20: Event Course Hybrid Detection agent (same diagram as slide 19, ECHD highlighted)
Slide 21: ECHD (Event Course Hybrid Detector) Agent
- Prologue
- The Event Course Hybrid Detector extracts information about a certain process from the sequences of events generated by that process
- It may or may not recognise sequences of events that it has learned, partly from information captured from the expert of the process and partly during an on-field training phase
- When it recognises a sequence it also associates an anomaly level with the sequence (timing discordance from the learned one)
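As an added illustration (not code from the Safeguard project), a minimal event-course detector in the spirit of the ECHD above: it learns one process's event order and inter-event timing from a few constructed training traces, recognises a new trace only if the event order matches, and reports an anomaly level as the largest timing discordance in standard-deviation units. The event names, gap values and the 3-sigma threshold are assumptions made for the example.

```python
from statistics import mean, pstdev

# Constructed training traces for one process (assumed breaker-open cycle):
# each trace is a list of (event_name, seconds since the previous event).
TRAINING = [
    [("cmd_open", 0.0), ("ack", 0.20), ("status_open", 1.00), ("alarm_clear", 1.50)],
    [("cmd_open", 0.0), ("ack", 0.25), ("status_open", 1.10), ("alarm_clear", 1.40)],
    [("cmd_open", 0.0), ("ack", 0.18), ("status_open", 0.95), ("alarm_clear", 1.60)],
]

def learn(traces):
    """Learned event course: event order plus mean and spread of each gap.
    The training traces stand in for expert knowledge and on-field training."""
    order = [name for name, _ in traces[0]]
    for trace in traces:
        if [name for name, _ in trace] != order:
            raise ValueError("training traces disagree on event order")
    gap_columns = zip(*[[gap for _, gap in trace] for trace in traces])
    # Floor the spread so a perfectly regular gap does not divide by zero.
    return [(name, mean(col), max(pstdev(col), 0.01))
            for name, col in zip(order, gap_columns)]

def recognise(model, trace):
    """Return (recognised, anomaly_level). The sequence is recognised only if
    its event order matches the learned course; the anomaly level is the
    largest timing discordance, in standard-deviation units, over all gaps."""
    if [name for name, _ in trace] != [name for name, _, _ in model]:
        return False, None
    level = max(abs(gap - mu) / sd
                for (_, gap), (_, mu, sd) in zip(trace, model))
    return True, level

def classify(model, trace, threshold=3.0):
    """'unknown' for an unlearned sequence, otherwise 'normal' or 'anomalous'
    by comparing the anomaly level with an assumed 3-sigma threshold."""
    recognised, level = recognise(model, trace)
    if not recognised:
        return "unknown"
    return "anomalous" if level > threshold else "normal"
```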
Slide 22: SCADA System Configuration for the Italian Transmission Electrical Network (GRTN-ABB)
Slide 23: RECOGNISING A PROCESS FROM THE SEQUENCE OF EVENTS IT PRODUCES
Slide 24: Data Mining Agent (same diagram as slide 19, DMA highlighted)
Slide 25: DMA (Data Mining) Agent
- Prologue
- Data Mining is the extraction of implicit, previously unknown, and potentially useful information from data
- A Data Miner is a computer program that sniffs through data seeking regularities or patterns
- Obstacles: noise (the agent intercepts, without distinction, everything that happens on the network) and computational complexity (as a consequence, permanent monitoring of the traffic is impossible without jeopardising SCADA functionality)
Slide 26: SCADA System Configuration for the Italian Transmission Electrical Network (GRTN-ABB)
Slide 27: DMA (Data Mining) Agent
- Use of Data Mining techniques in the Safeguard project
- DMA observes TCP packets flowing on the port used by the message broker of the SCADA system emulator
- After a learning phase, DMA should be able to discriminate between normal packet sequences and anomalous ones, raising an alarm in the latter case
Slide 28: The Safeguard approach (a middleware on top of existing SCADA systems, or just a retrofitted add-on device to the existing SCADA)
Slide 29: RETROFITTED ADD-ON SOLUTION
Diagram: SCADA System and RTUs (Remote Terminal Units) each attached through a Safe Bus API Interface to the Safe Bus; the Safeguarding SCADA Systems block contains Correlators, Actuators and Anomaly Detectors
Slide 30: RETROFITTED ADD-ON SOLUTION (same diagram as slide 29)
Utilities have significant investment in SCADA equipment. SCADA and similar control equipment are designed to have significant lifetimes. Protection mechanisms should not be developed that require major replacement of existing equipment in the near term.
Slide 31: RETROFITTED ADD-ON SOLUTION (same diagram as slide 29)
Because of the limited capabilities of the SCADA processors, protection mechanisms should be implemented as a retrofitted add-on device.
Slide 32: RETROFITTED ADD-ON SOLUTION (same diagram as slide 29)
SCADA systems are designed for frequent (near real-time) status updates. Protection mechanisms should not reduce the performance (reading frequency, transmission delay, computation) below an acceptable level.
Slide 33: HOW SAFEGUARD MIGHT SUPPORT MANAGING MAJOR SYSTEMS OUTAGE
Slide 34: ITALY BLACK-OUT (From UCTE Interim Report)
Diagram: network state overview and root causes; pre-incident network in n-1 secure state; island operation fails due to unit tripping; event tree from UCTE report
Slide 35: ITALY BLACK-OUT (From UCTE Interim Report; same diagram as slide 34)
In the SAFEGUARD system the Correlator agent intercepts anomalies and failures inside the sequence of events, and the Action agent tries to re-execute the unsuccessful commands.
Slide 36: (From UCTE Interim Report; same diagram as slide 34)
SAFEGUARD might help to recognise the anomaly state and call for adequate countermeasures.
Slide 37: COORDINATION PROBLEMS BETWEEN SYSTEM OPERATORS (From UCTE Interim Report)
"In this specific case ETRANS needs as corrective measures which are necessary to comply with the N-1 rule, also action to be undertaken in the Italian system. This was confirmed by the check list available to the ETRANS operators, which explicitly mentions that, in case of loss of Mettlen-Lavorgo, the operator should call GRTN, inform GRTN about the loss of the line, request for the pumping to be shut down, generation to be increased in Italy. This clause is mentioned in Italian on the ETRANS checklist for this incident."
Slide 38: (From UCTE Interim Report; same quote as slide 37)
SAFEGUARD makes available a Negotiation Agent on duty for coordination among different operators.
Slide 39: US CANADA BLACK-OUT (Power System Outage Task Force Interim Report)
Slide 40: US CANADA BLACK-OUT
The State Estimation tool doesn't work in the regular way because a critical piece of information (a line connection status) is not correctly acquired by the SCADA system. The data used by the State Estimator could be corrupted by an attack or by a fault inside the SCADA system.
"On August 14 at about 12:15 EDT, MISO's state estimator produced a solution with a high mismatch (outside the bounds of acceptable error). This was traced to an outage of Cinergy's Bloomington-Denois Creek 230-kV line; although it was out of service, its status was not updated in MISO's state estimator."
Slide 41: US CANADA BLACK-OUT (Task Force Interim Report)
A SAFEGUARD anomaly detection agent has the duty to verify the correctness level of the data that must be used by the State Estimator. If the State Estimation tool knows which data can be considered good or bad, it has the capability to furnish a more correct state of the network.
Slide 42: US CANADA BLACK-OUT
"2A) 14:14 EDT: FE alarm and logging software failed. Neither FE's control room operators nor FE's IT EMS support personnel were aware of the alarm failure."
The alarm system of the FirstEnergy electrical company doesn't work correctly and the operators are not aware of this situation.
Slide 43: US CANADA BLACK-OUT (Task Force Interim Report; same quote as slide 42)
The Safeguard Correlator agent could detect failures inside the alarm system by correlating the sequences of signals flowing from RTUs towards Control Centres.
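As an added example (not the Safeguard project's own code), the kind of correlation the Correlator agent above would run over a constructed RTU signal stream and alarm log: alarm-worthy state changes that produced no alarm are collected, and a run of consecutive silent changes is reported as an alarm-subsystem failure rather than as one missed alarm. The point names, timeline, alarm policy and run length are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RtuEvent:
    t: float        # seconds into the observation window (constructed timeline)
    point: str      # telemetered point, e.g. a line breaker
    value: str      # new state reported by the RTU

# RTU state changes that must always raise an alarm in the control centre
# (assumed alarm policy for this example).
ALARM_WORTHY = {"OPEN", "TRIP"}

# Constructed telemetry stream flowing from RTUs towards the control centre.
RTU_EVENTS = [
    RtuEvent(10.0, "Line_A:breaker", "OPEN"),
    RtuEvent(20.0, "Line_B:breaker", "CLOSE"),   # routine, not alarm-worthy
    RtuEvent(60.0, "Line_C:breaker", "TRIP"),
    RtuEvent(75.0, "Line_D:breaker", "OPEN"),
    RtuEvent(90.0, "Line_E:breaker", "TRIP"),
]
# Constructed alarm log as (time, point): the alarm path goes quiet after t=11.
ALARMS = [(11.0, "Line_A:breaker")]

def silent_changes(rtu_events, alarms, max_delay=5.0):
    """Alarm-worthy RTU changes that produced no alarm within max_delay seconds."""
    missed = []
    for ev in rtu_events:
        if ev.value not in ALARM_WORTHY:
            continue
        raised = any(point == ev.point and ev.t <= t <= ev.t + max_delay
                     for t, point in alarms)
        if not raised:
            missed.append(ev)
    return missed

def alarm_system_failed(rtu_events, alarms, max_delay=5.0, run=3):
    """Correlate the two streams: one missed alarm is a point fault, but `run`
    consecutive alarm-worthy changes all going silent indicates the alarm
    subsystem itself is down. Returns the time the silent run began, or None."""
    missed = set(silent_changes(rtu_events, alarms, max_delay))
    streak = []
    for ev in rtu_events:
        if ev.value not in ALARM_WORTHY:
            continue
        streak = streak + [ev] if ev in missed else []
        if len(streak) >= run:
            return streak[0].t
    return None
```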
Slide 44: CONCLUSIONS
- INCREASING NEED TO TRANSFORM TODAY'S CENTRALISED, DUMB NETWORKS INTO SOMETHING CLOSER TO SMART, DISTRIBUTED CONTROL NETWORKS
- INCREASING NEED OF INTELLIGENT DATA INTERPRETATION TO CAPTURE NOVELTIES AND PROVIDE OPERATORS WITH EARLY WARNINGS
- MULTI-AGENT SYSTEM TECHNOLOGY, COMBINED WITH INTELLIGENT SYSTEMS, CAN BE USED TO AUTOMATE THE FAULT DIAGNOSIS ACTIVITY AND TO SUPPORT OPERATORS IN THE RECOVERY POLICIES
- SAFEGUARD MULTI-AGENT SYSTEM TECHNOLOGY CAN WORK IN AN AUTONOMOUS MANNER AS AN ADD-ON SYSTEM, WITH AGENTS INTERACTING BOTH WITH THEIR ENVIRONMENT AND WITH ONE ANOTHER
Slide 45: International Workshop on Complex Network and Infrastructure Protection, CNIP 2006, March 28-29, 2006, Rome, Italy, http://ciip.casaccia.enea.it/cnip/