A Comprehensive Approach to Critical Information Infrastructure Assurance

Professor Saifur Rahman, Director

Advanced Research Institute, Virginia Polytechnic Inst & State University, U.S.A.

www.ari.vt.edu

Euro-Atlantic Symposium on Critical Information Infrastructure Assurance

23-24 March 2006, Riva San Vitale, Switzerland


Outline

• Critical infrastructures and their interdependencies

• Importance of information and electricity infrastructures

• Cyber and physical vulnerabilities and cascading failures

• Historical and new approaches to CIIA

What are Critical Infrastructures?

An infrastructure or asset the destruction of which would have a debilitating impact on the national security and the economic and social welfare of a nation

TELECOM, ELECTRICITY, NATURAL GAS, WATER, TRANSPORTATION

Infrastructure Interdependencies

Two Important Sectors: Critical Information and Electricity Infrastructures

• Oil and gas

• Banking and finance

• Transportation

• Water and sewer

• Telecommunications

• Emergency responders

• Critical government services

Without these two enabling infrastructures, other infrastructures cannot function

Information, Electricity

Electricity and Information Infrastructure for Transportation Sector

Transportation sector

• Electricity to power all equipment

• Real time information gathered and sent by the information infrastructure

Traffic flow detection

Traffic lights

Traffic light control center

Traffic camera

Electricity and Information Infrastructure for Banking and Financial Sector

Banking and financial sector

• Needs electricity to process all transactions

• All information is maintained and collected in a network

Credit card, ATM, Online transaction

Dependency of Electric Power Delivery on Information Infrastructure

Source: IEEE Power & Energy Magazine, Sep/Oct 2004

CII is necessary for the reliable and secure supply of electricity

Dependency of Critical Information Services on Electric Power

Aerial view of the US at night (Source: NASA)

Concentration of ISPs in the US (Source: The GeoURL ICBM Address Server)

Types of Vulnerabilities

Cyber Physical - natural

Cyber Vulnerabilities

Physical Vulnerabilities

Natural Hazards: hurricanes, snowstorms, earthquakes, floods

System Failures: intentional events, equipment failures, human errors

Earthquake Kobe 1995 Japan

Major Floods 2002 Europe

Hurricane Katrina 2005 USA

Vulnerabilities and Cascading Failures

[Diagram labels: Physical/Cyber Attacks; Direct effects; Indirect effects; Electricity outages; IT outages; Oil & gas outages; Water outages; Traffic signal outages; Telecom outages; Business interruptions; Delays in Emergency services]

Critical Information Infrastructure

Its role in containing Vulnerabilities and minimizing Cascading Failures

Why assuring CII is important

CII is a means to monitor and control the system status and reduce vulnerabilities of other critical infrastructures

Electric power systems, natural gas and water supply networks, refineries, etc. are monitored and controlled over an information network called Supervisory Control and Data Acquisition (SCADA)

Early warning signals can be generated over this network so that other CIs can be protected

Information Infrastructure Assurance: An Evolving Discipline

Critical – Nation’s safety and prosperity

Pervasive – Wherever IT-enabled services exist

Evolving – Grows hand-in-hand with technology

Cross-disciplinary – Computer Science, Electrical Engineering, Business, Law, Math, Social Science, etc.

Challenging – Attackers, Failures and Targets

Complex Interdependencies

Approaches to Critical Information Infrastructure Assurance

• Assurance aspects in CII design, evolution, operation and maintenance

• Business, management, and organizational issues

• Law, policy, and privacy issues

Assurance aspects in CII design, evolution, operation and maintenance

There is a broad spectrum of security research across several academic disciplines and research groups. For example:

• Cryptology and cryptography

• Network security

• Internet security

• Intrusion detection

• Electronic commerce

• Secure software agents

• Multicast security

• Security for wireless systems

Business, management, and organizational issues

Information security is a business and national security issue as well as a matter of management practice

Security threats, i.e. fraud, abuse and errors from inside the organization, are potentially dangerous and likely to occur

Need to educate employees about:

• Latest developments in information security trends, i.e. viruses, spam, threats

• When and how to approach law enforcement agencies

Law, policy, and privacy issues

Need cooperation among government, private sector and academic organizations

Need the development of a broad strategy to promote national or regional awareness/partnership for critical infrastructure security

• Primary foci are, for example, owners and operators of critical infrastructures and other influential stakeholders in the economy

Samples of government policies in the US

• Security Breach state laws: www.crowell.com/pdf/SecurityBreachTable.pdf

• Critical Infrastructure Information Act (2002): www.fas.org/sgp/crs/RL31762.pdf

An Example of Infrastructure Assurance: SCADA Systems

SCADA – Supervisory Control and Data Acquisition

Most power system controls are based on SCADA systems.

Other applications are: (A) oil & gas operations, (B) water & waste water management systems.

Power, Gas, Water

Components of a typical SCADA System

An old technology with a critical importance

SCADA components

1. Master Station (MS)

2. Remote Terminal Units (RTU)

3. Communication links between MS and RTU, e.g. LAN, WAN, VSAT, TCP/IP, Wireless

Source: www.ucos.com

Traditional SCADA systems on Independent Networks

Each infrastructure has its unique & separate SCADA systems

• Electricity SCADA systems cannot piggyback on that of gas or water

• Gas network SCADA systems cannot run on other networks

• Similarly, electricity or gas SCADA systems cannot be shared with that of water supply systems

Source: www.keymile.com

Internet-based SCADA systems

If a common backbone can be used among various infrastructures, there will be only small additional costs to build an individual SCADA system.

Source: IEEE Power & Energy Magazine, March/April 2005

Internet-based SCADA systems: Pros and Cons

Advantages of using Internet-based SCADA:

• Wide-area and pervasive connectivity

• Routability

• Redundancy and hot standby

• Integration of IT with automation and monitoring networks

• Standardization

• Can log in from anywhere in the world

Disadvantages:

• Security concerns

• Reliability concerns

Research and Development in CIIA

How to secure CII so that it can facilitate the protection and reduce vulnerability of other critical infrastructures

Thanks for Listening

Name: Prof. Saifur Rahman

Affiliation: Virginia Tech, USA

Phone: (703) 528-5500

Email: [email protected]

Web site: www.ari.vt.edu

Questions or Comments?