Automation, Process Control and SCADA Systems in Critical Infrastructures –
Future Threats and Requirements
Hans Honecker
Federal Office for Information Security
SCADA and Process Control Security Summit, 8/9 September 2008
H. Honecker 8/9 September 2008 Slide 2
Contents
- The BSI
- Critical Infrastructures and Critical Processes
- Critical Processes and IT-based automation technologies
- Future Threats
- Future Requirements
- Transfer to other IT-supported technology areas
- Conclusions
H. Honecker 8/9 September 2008 Slide 3
Brief Introduction
Federal Office for Information Security (BSI)
- The BSI at a glance
- Focus of activities
- Co-operations
H. Honecker 8/9 September 2008 Slide 4
The BSI at a Glance
- Independent and neutral authority for IT security
- High level federal public agency within the area of responsibility of the Federal Ministry for the Interior
- Founded in 1991, unique as a public agency in comparison to other European establishments
- Staff: around 500 employees
- Budget: 60 million €
H. Honecker 8/9 September 2008 Slide 5
Focus of Activities
- Internet security
- Secure e-government
- IT baseline protection
- National / international security co-operation
- Cryptographic innovation
- Biometrics
- Security from eavesdropping
- Awareness campaign on IT security
- Certification and approval
- Protection of critical infrastructures
H. Honecker 8/9 September 2008 Slide 6
Contents
- The BSI
- Critical Infrastructures and Critical Processes
- Critical Processes and IT-based automation technologies
- Future Threats
- Future Requirements
- Transfer to other IT-supported technology areas
- Conclusions
H. Honecker 8/9 September 2008 Slide 7
Critical Infrastructures ...
Critical Infrastructures are organisations and facilities of major importance to the community whose failure or impairment would cause a sustained shortage of supplies, significant disruptions to public order, or other dramatic consequences (2006)
In short: Critical infrastructures provide indispensable and essential goods and services to society and economy.
H. Honecker 8/9 September 2008 Slide 8
Critical Infrastructure Sectors
1. Transportation
2. Energy
3. Hazardous materials
4. IT and telecommunications
5. Finance and insurance
6. Services (incl. health care, emergency and rescue services)
7. Public administration and justice system
8. Other (e.g. media, buildings)
H. Honecker 8/9 September 2008 Slide 9
Overall Experience: „Pizza Otto Stagioni“
[Figure: the eight Critical Infrastructure sectors shown as the slices of a “Pizza Otto Stagioni”: Energy, IT and Telecommunications, Finance and Insurance, Transportation, Services, Hazardous Materials, Public Administration, Other]
H. Honecker 8/9 September 2008 Slide 10
... and Critical Processes
Critical Infrastructures provide indispensable and essential goods and services to society and economy ... by running Critical Processes. These processes are
- indispensable for society and economy
- heavily (and growing) interdependent and complex
- at risk by technical or human failure, natural disaster, attacks, and breakdown or failure of critical processes of other infrastructures
H. Honecker 8/9 September 2008 Slide 11
Interdependent Processes / Infrastructure Sectors
[Figure: interdependency diagram of the infrastructure sectors: IT and telecommunications, other, finance and insurance, transportation, public administration and justice, hazardous materials, energy, services and supply]
H. Honecker 8/9 September 2008 Slide 12
Interdependent Processes / Infrastructure Sectors (continued)
[Figure: interdependency diagram of the infrastructure sectors, same sectors as on the previous slide: IT and telecommunications, other, finance and insurance, transportation, public administration and justice, hazardous materials, energy, services and supply]
H. Honecker 8/9 September 2008 Slide 13
... and Critical Processes
Critical infrastructures provide indispensable and essential goods and services to society and economy ... by running Critical Processes. These processes are
- indispensable for society and economy
- heavily (and growing) interdependent (through their process infrastructure)
- at growing risk by technical or human failure, natural disaster, attacks, and breakdown or failure of critical processes of other infrastructures
Critical Processes need to be kept robust and resilient
H. Honecker 8/9 September 2008 Slide 14
Contents
- The BSI
- Critical Infrastructures and Critical Processes
- Critical Processes and IT-based automation technologies
- Future Threats
- Future Requirements
- Transfer to other IT-supported technology areas
- Conclusions
H. Honecker 8/9 September 2008 Slide 15
Critical Processes and IT-based Automation Technologies (1)
Holistic approach necessary
- All critical processes dealing with physical process objects use automation, process control and/or SCADA technologies (we will use “SCADA” for all three in this talk) [SCADA = Supervisory Control And Data Acquisition]
- All critical processes depend on electricity - most very directly - which in turn depends on “SCADA” technology
- “SCADA” technologies as “archetype” for the discussion of challenges on process and infrastructure layers, and of proposals for future developments
Critical processes need to be kept robust and resilient...
H. Honecker 8/9 September 2008 Slide 16
Critical Processes and IT-based Automation Technologies (2)
“SCADA” technologies are present in
- electricity generation and distribution
- gas and water supply
- many process infrastructures of other critical infrastructures
used in a wide range and different layers of processes
- production processes
- distribution processes
- control processes
with extremely different process objects
- tangible goods
- energy (electricity, gas, oil, ...)
- measurement data, information, ...
AND make extensive use of components based on information technology
H. Honecker 8/9 September 2008 Slide 17
IT-based Automation (“SCADA”) Technologies: Operating Conditions ... compared to standard information technology

IT-based Automation Technology                      | Standard Information Technology (local use)
Continuous operation                                | Operation during business hours
Top priority for availability                       | Top priority for confidentiality and integrity
(Physical) process has priority                     | Information security has priority
Patching difficult or impossible                    | Patching “state of the art”
Specialised IT serves to control physical processes | Standardised IT serves to process data and information
H. Honecker 8/9 September 2008 Slide 18
Contents
- The BSI
- Critical Infrastructures and Critical Processes
- Critical Processes and IT-based automation technologies
- Future Threats
- Future Requirements
- Transfer to other IT-supported technology areas
- Conclusions
H. Honecker 8/9 September 2008 Slide 19
Future Threats
To be considered for the planning, building or rebuilding of CI (Critical Infrastructures):
- important from the viewpoint of CI Protection (CIP) (possible consequences of failures or malfunctions)
- growing interconnection between process infrastructures of the same type (e.g. electricity distribution grids)
- increasing dependencies and interdependencies of different critical processes
- increasing complexity of critical processes
DISCLAIMER: We do not (or only to a lesser degree) consider current threats (in this talk!). We assume state of the art (2008) IT security to be implemented.
H. Honecker 8/9 September 2008 Slide 20
Category: Technical Failures and Human Errors
Technical failures / malfunctions in general:
- Malfunctions of process specific “IT” can totally screw up processes (e.g. hardware, software or configuration errors). Example: Programming errors in a DCS added to the severity of the US Blackout 2003
- Malfunctions on the network layer endanger process infrastructures (be it malfunctions specific to “SCADA” or not)
- Side effects (e.g. “reduced functionality modes” on any layer)
- Backfiring patches or updates (if patching is feasible at all)
Human errors:
- Operating errors. Example (continued): Human errors also added to the severity of the US Blackout 2003. Example: Human errors added to the EU Blackout of November 2006
H. Honecker 8/9 September 2008 Slide 21
Category: Disasters and Natural Phenomena
- Increase in number and severity
- Side effects with cumulative impact, e.g. long lasting heat and drought: cooling problems in energy generation and in the operation of IT, shortage in energy supply AND higher demand
- Flooding, earthquakes, volcanoes ... e.g. Japanese nuclear power plant; Yellowstone National Park? Maria Laach?
- Far-fetched threats? E.g., what about solar activity? What about a “direct hit” by a solar storm?
  - Loss of communication means (satellite and terrestrial communication)?
  - Loss or temporary unavailability of the electricity grid?
H. Honecker 8/9 September 2008 Slide 22
Category: Attacks
Risk of external cyber attacks
- hacking (e.g. successful external pen test of a US-based electricity provider straight through into the control system)
- attacks by Trojan horses: targeted at the Process Control Network (PCN): worst, if successful; untargeted: high risk of collateral damage
- attacks through maintenance channels (notebooks, connections)
- collateral damage of untargeted attacks
Risk of internal attacks
- disgruntled employees, subcontractors or maintenance personnel
- attacks through hacked systems of process partners
- backdoors on the “SCADA”, network, or server hardware layer
- side effects of security testing
H. Honecker 8/9 September 2008 Slide 23
Category: Dependencies
Reminder: Critical Processes need to be kept robust and resilient
Critical Processes depend on other Critical Processes
- all: on energy, information and telecommunications processes
- many: on financial processes, transportation processes
- almost all: on some interconnected processes on the process layer
? Can today’s Critical Processes sufficiently handle malfunctions or failures of processes they depend on?
Critical Processes should handle dependency issues
- run core functionality as long as possible (graceful degradation)
- swiftly recover full functionality after failures in connected processes
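The two requirements on this slide (keep the core function running while a dependency is down, recover full functionality swiftly once it returns) can be made concrete in a small controller loop. The following Python is an added example written for this edit, not code from the talk or from the BSI: the dependency names ("energy", "telecom", "finance"), the stabilisation threshold and the metering records are all hypothetical. It also goes one step beyond the slide by buffering records for the unavailable remote service and by requiring a few consecutive healthy cycles before promoting the mode, so a flapping dependency cannot drag the process up and down.

```python
# Added example (not part of the talk): a controller that keeps its core
# function running while a dependency is down and recovers afterwards.
# Dependency names, thresholds and records are hypothetical.
from collections import deque
from enum import Enum


class Mode(Enum):
    FULL = "full"      # all dependencies reachable
    CORE = "core"      # graceful degradation: core function only
    HALTED = "halted"  # a dependency the core function itself needs is down


RANK = {Mode.HALTED: 0, Mode.CORE: 1, Mode.FULL: 2}
CORE_DEPS = frozenset({"energy"})                        # hypothetical
FULL_DEPS = frozenset({"energy", "telecom", "finance"})  # hypothetical
STABLE_TICKS = 2  # consecutive healthy cycles required before promoting the mode


class Controller:
    def __init__(self, buffer_limit=1000):
        self.mode = Mode.FULL
        self.buffer = deque(maxlen=buffer_limit)  # bounded local store for the remote service
        self.sent = []        # records handed to the remote (finance) service
        self.delivered = 0    # core output, e.g. supply intervals served
        self.transitions = []
        self._stable = 0

    def _switch(self, new):
        self.transitions.append((self.mode, new))
        self.mode = new

    def tick(self, healthy, record):
        """One control cycle: `healthy` is the set of dependencies currently
        reachable, `record` a metering record produced in this cycle."""
        healthy = set(healthy)
        if not CORE_DEPS <= healthy:
            target = Mode.HALTED
        elif not FULL_DEPS <= healthy:
            target = Mode.CORE
        else:
            target = Mode.FULL

        # Degrade immediately; promote only after STABLE_TICKS healthy cycles
        # so a flapping dependency does not drag the process up and down.
        if RANK[target] < RANK[self.mode]:
            self._stable = 0
            self._switch(target)
        elif RANK[target] > RANK[self.mode]:
            self._stable += 1
            if self._stable >= STABLE_TICKS:
                self._stable = 0
                self._switch(target)
        else:
            self._stable = 0

        if self.mode is Mode.HALTED:
            return self.mode          # nothing is produced in this cycle
        self.delivered += 1           # core function runs in CORE and FULL
        self.buffer.append(record)    # oldest records drop once the limit is hit
        if self.mode is Mode.FULL:
            self.sent.extend(self.buffer)  # flush the backlog to the remote service
            self.buffer.clear()
        return self.mode


def run(scenario):
    """Drive a controller through (healthy_deps, record) cycles; returns the
    mode after each cycle and the controller for inspection."""
    ctl = Controller()
    modes = [ctl.tick(healthy, rec).value for healthy, rec in scenario]
    return modes, ctl


# Constructed scenario: finance drops out and returns, then energy itself fails.
SCENARIO = [
    ({"energy", "telecom", "finance"}, "m1"),
    ({"energy", "telecom"}, "m2"),
    ({"energy", "telecom"}, "m3"),
    ({"energy", "telecom", "finance"}, "m4"),
    ({"energy", "telecom", "finance"}, "m5"),
    ({"telecom", "finance"}, "m6"),
    ({"energy", "telecom", "finance"}, "m7"),
    ({"energy", "telecom", "finance"}, "m8"),
]

if __name__ == "__main__":
    modes, ctl = run(SCENARIO)
    print(modes)
    print("delivered:", ctl.delivered, "sent:", ctl.sent)
```

The bounded buffer is the deliberate trade-off: a process that must run for days without its billing or reporting partner needs local storage, but unbounded storage would turn a partner outage into a local resource exhaustion, so the oldest records are dropped once the limit is reached.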
H. Honecker 8/9 September 2008 Slide 24
Contents
- The BSI
- Critical Infrastructures and Critical Processes
- Critical Processes and IT-based automation technologies
- Future Threats
- Future Requirements
- Transfer to other IT-supported technology areas
- Conclusions
H. Honecker 8/9 September 2008 Slide 25
Future Requirements (all Layers)
New or further development of technologies for use in CI. Aspects to be considered at all layers of technology and integration technologies:
! long term maintenance and service; open migration paths
! robustness and resilience as important design criteria
! options for minimisation (for security issues and for ...)
! ... inbuilt graceful degradation (keep up core functionality)
! minimisable energy consumption (to operate during blackouts)
! avoid functionality which can endanger process and automation infrastructures or does not contribute to the process
! explicit suitability for specific use in Critical Processes and automation infrastructures (at least qualified by manufacturers)
H. Honecker 8/9 September 2008 Slide 26
Future Requirements
Layers of technology to be considered for future use of “SCADA” technologies in Critical Process Infrastructures:
- process specific applications and application software
- standard software (databases, analysis, visualisation, ...)
- operating systems (on servers, terminals, process specific hardware, ...)
- hardware (servers, terminals, process specific, ...)
- network technology and architecture
- organisation and process architecture (not discussed further; many efforts have to be mirrored on the organisational layer; some processes might gracefully degrade to manual operation or organisationally driven process backups)
H. Honecker 8/9 September 2008 Slide 27
Future Requirements: Application Layer
Process specific applications and application software should
- be largely platform independent (with regard to operating systems and database layer)
- ensure robustness and resilience of processes, inter alia against failures or malfunctions
- provide modes for operation during crisis or under extreme conditions (graceful degradation)
- completely document any communication relationship needed or used by the application
- be open to independent analysis of security, safety and correctness (in particular with regard to availability)
H. Honecker 8/9 September 2008 Slide 28
Future Requirements: Standard Software
Standard software for databases, data analysis or visualisation etc. should
- provide secure installation (e.g. no standard passwords)
- be minimisable (only install needed functionality)
- have no functionality not needed for specific processes, e.g. no DRM, multimedia, hidden databases, ...
- have no “reduced functionality modes”
- provide feasible and configurable patch and update mechanisms
- restrict communication strictly to the process needs, inter alia: only to explicitly specified systems, no “phone home”
- offer needed standard functionality without security risks
- many more
H. Honecker 8/9 September 2008 Slide 29
Future Requirements: Operating Systems
Servers, most terminals and much process specific hardware run on an operating system layer. We need
- functionality minimisable to system needs
- feasible methods for system hardening and patching
- long term availability (corresponding to the lifetime of the infrastructure of the Critical Process, which might be decades)
- no functionality that could put Critical Processes at risk: no “phone home”, no DRM, hidden services, multimedia, ...
- no “reduced functionality mode” (yes, I know I repeat myself :-)
- many more
In short: Operating systems customisable to infrastructure requirements
H. Honecker 8/9 September 2008 Slide 30
Future Requirements: Hardware
Servers, terminals, process specific hardware etc. used in “SCADA” systems running Critical Processes should
- be physically robust (where necessary) against the industrial (e.g. electromagnetic) environment and against environmental or external influence (e.g. solar storms, EMP ...)
- provide hardware based modes for minimised operation: low power consumption (for crisis and long term energy shortage), battery buffered or emergency (low) power supply operation, support for gracefully degrading the process to core functionality mode
- offer long term availability
- allow easy replacement (e.g. for quick disaster recovery)
- many more
H. Honecker 8/9 September 2008 Slide 31
Future Requirements: Network Technologies (1/2)
Network architectures based on standard network technology often provide the communication infrastructure of “SCADA” based process infrastructures (this is the “N” in PCN)
Architectural view:
- “SCADA” systems may be attacked using the network layer
- The network connects at least partly unpatched systems
- Failures on the network layer endanger “SCADA” systems
Network defence is necessary for higher layers!
- strict separation of “SCADA” networks from other networks
- restriction of communication to necessary connections
H. Honecker 8/9 September 2008 Slide 32
Future Requirements: Network Technologies (2/2)
Network defence necessary for higher layers!
- strict separation of “SCADA” networks from other networks
- restriction of communication to necessary connections
? What about technology?
Future requirements to network technologies:
- restrictive network operation as an (additional?) basic network operation principle (including a simple hardware layer and port based approach)
- feasible management of restrictive network operation (easy configuration of necessary connections, deny all other), including restrictive switching, port security ...
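The network requirement on this slide ("easy configuration of necessary connections, deny all other") and the application and standard-software requirements on the earlier slides (completely documented communication relationships, communication only to explicitly specified systems, no "phone home") describe the same control from two sides: a documented allowlist, and a default deny for everything else. The following Python is an added example written for this edit, not code from the talk or from any vendor: it checks constructed flow records against a hypothetical allowlist for a small process control network and labels every undocumented flow by direction, so that outbound traffic from the PCN stands out. All addresses, ports, host roles and log lines are constructed for the example; the hypothetical log format is a whitespace-separated "timestamp source destination protocol port" line.

```python
# Added example (not from the talk): default-deny evaluation of observed
# connections against the documented communication relationships of a
# process control network. All addresses, ports and log lines are constructed.
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst proto dport")

PCN = ipaddress.ip_network("10.20.0.0/24")  # hypothetical process control network

# Documented communication relationships (hypothetical): source, destination,
# protocol, destination port. Anything not listed here is denied.
ALLOW = [
    ("10.20.0.10", "10.20.0.20", "tcp", 502),    # HMI -> PLC 1 (Modbus/TCP)
    ("10.20.0.10", "10.20.0.21", "tcp", 502),    # HMI -> PLC 2
    ("10.20.0.30", "10.20.0.0/24", "tcp", 502),  # historian polls any PLC in the PCN
    ("10.20.0.0/24", "10.20.0.5", "udp", 123),   # PCN hosts -> local NTP server
]


def parse_flow(line):
    """Parse one constructed flow record: '<ts> <src> <dst> <proto> <dport>'."""
    ts, src, dst, proto, dport = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(dport))


def _in(addr, spec):
    # spec may be a single address or a network; a single address becomes a /32
    return addr in ipaddress.ip_network(spec, strict=False)


def is_allowed(flow):
    return any(_in(flow.src, s) and _in(flow.dst, d)
               and flow.proto == p and flow.dport == port
               for s, d, p, port in ALLOW)


def classify(flow):
    """Default deny; undocumented flows are labelled by direction so that
    outbound traffic from the PCN ("phone home") stands out."""
    if is_allowed(flow):
        return "allowed"
    if flow.src in PCN and flow.dst not in PCN:
        return "denied-egress"
    if flow.src not in PCN and flow.dst in PCN:
        return "denied-ingress"
    return "denied-lateral"


def audit(lines):
    """Return (violations, counts) for a sequence of flow records."""
    violations, counts = [], {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        verdict = classify(flow)
        counts[verdict] = counts.get(verdict, 0) + 1
        if verdict != "allowed":
            violations.append((flow.ts, str(flow.src), str(flow.dst),
                               flow.proto, flow.dport, verdict))
    return violations, counts


# Constructed flow records (timestamps and addresses are made up)
SAMPLE = """
2008-09-08T10:00:01 10.20.0.10 10.20.0.20 tcp 502
2008-09-08T10:00:02 10.20.0.10 10.20.0.21 tcp 502
2008-09-08T10:00:03 10.20.0.30 10.20.0.21 tcp 502
2008-09-08T10:00:04 10.20.0.20 10.20.0.5 udp 123
2008-09-08T10:00:05 10.20.0.30 203.0.113.7 tcp 443
2008-09-08T10:00:06 192.168.50.4 10.20.0.20 tcp 502
2008-09-08T10:00:07 10.20.0.21 10.20.0.30 tcp 445
2008-09-08T10:00:08 10.20.0.10 10.20.0.20 tcp 80
""".strip().splitlines()

if __name__ == "__main__":
    violations, counts = audit(SAMPLE)
    print(counts)
    for v in violations:
        print(*v)
```

The same allowlist can feed both sides of the control the slide asks for: as the rule set of the switch or firewall that enforces "deny all other", and as the reference for an audit of what the network actually carried, so that a connection the application vendor never documented shows up as a finding rather than as background noise.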
H. Honecker 8/9 September 2008 Slide 33
Contents
- The BSI
- Critical Infrastructures and Critical Processes
- Critical Processes and IT-based automation technologies
- Future Threats
- Future Requirements
- Transfer to other IT-supported technology areas
- Conclusions
H. Honecker 8/9 September 2008 Slide 34
Transfer to other IT-supported Technology Areas
1. Many requirements can be transferred to other technology areas where IT is used for operating Critical Processes, inter alia:
- Process specific applications: platform independence, resilience, graceful degradation, known communication, ...
- Operating systems: minimisable functionality and feasible system hardening, long term availability, no “phone home”, ...
- Network layer: defence of Critical Processes on the network layer, restricted communication as network operation principle; feasible management of restricted network operation, hardware features
2. Many future requirements seem also valid for less critical processes.
H. Honecker 8/9 September 2008 Slide 35
Contents
- The BSI
- Critical Infrastructures and Critical Processes
- Critical Processes and IT-based automation technologies
- Future Threats
- Future Requirements
- Transfer to other IT-supported technology areas
- Conclusions
H. Honecker 8/9 September 2008 Slide 36
Conclusions
- Today’s process infrastructures can (at large) be built as secure, safe and resilient as necessary.
- To keep up with increasing threats and the growing complexity and interconnection of CI, we need to enhance the robustness and inbuilt resilience security characteristics of all technology areas and layers.
- We can only achieve this in co-operation between process owners and operators, integrators of technologies, manufacturers, distributors and vendors.
H. Honecker 8/9 September 2008 Slide 37
Contact
Federal Office for Information Security (BSI)
Hans Honecker
Godesberger Allee 185-189
53175 Bonn
Tel.: +49 (0)228 99-9582-5149
Fax: +49 (0)228 99-10-9582-5149