Security and Dependability Risks of Critical Information ...pjv/talks/verissimo-keynote-safecomp-11.pdf · Security and Dependability Risks of Critical Information Infrastructures

Security and Dependability Risks of Critical Information Infrastructures
(or why Bang! is different from Crash)

Inspired by a contribution to: Information Assurance Technology Forecast 2008, Steven M. Bellovin, Terry V. Benzel, Bob Blakley, Dorothy E. Denning, Whitfield Diffie, Jeremy Epstein, Paulo Veríssimo. IEEE Security & Privacy, vol. 6, no. 1, pp. 10-17, January/February, 2008. [in IEEEexplore]

Keynote Speech. SAFECOMP 2011, 30th Int'l Conference on Computer Safety, Reliability and Security. September 2011. Napoli, Italia.

Paulo Esteves Veríssimo
Faculdade de Ciências da Univ. de Lisboa, LaSIGE, Portugal
[email protected]
http://www.di.fc.ul.pt/~pjv

The old days: no interconnection, low digital content

Figure: a private corporate network (system servers, security server, clients, network) and a critical infrastructure SCADA network, each isolated; the Internet is shown apart from both.

Towards the present: remote control, computerisation, interconnection

Figure: the corporate network (system servers, security server, clients) is now joined to the data network and the operational network of the critical infrastructure SCADA network, and to the Internet.

The infrastructure security problem

Critical infrastructures have today a hybrid composition which reaches the whole geography (electrical, telco, water, gas, oil, transportation):

- SCADA systems (Supervisory Control And Data Acquisition) yield the operational ability to supervise, acquire data and control
- interconnections to the standard corporate intranets
- interconnections, often unwittingly, to the Internet
- even classical IT-based infrastructures share some of these problems (e.g. finance network)

Modern CII cyber risk analysis: key points

- cyber-attacks are a common denominator to CI operational risk
- cyber-attacks to CII (incl. energy, telco, Internet, emergency, etc.) will be a pillar of i-warfare/crime

Threats and vulnerabilities

Internal exposure: faults/attacks/errors/intrusions, internal design faults

Figure: the corporate network diagram (security server, system servers, data servers, network), with the exposure originating inside the infrastructure.

Interference: uncertainty, error propagation

Figure: the interconnected private corporate network, operational and data networks, critical infrastructure SCADA network and Internet, with errors propagating across the interconnections.

External exposure: external attacks, errors, intrusions, to the user edge

Figure: the corporate network diagram (security server, system servers, data servers, network), with the exposure coming from outside, at the user edge.

Interdependence: error propagation amongst critical infrastructures

Figure: several critical infrastructure systems (each with security server, system servers, data network) linked to each other and to a wireless network with hosts A, B and C.

The infrastructure security problem

A simple, yet realistic, intrusion scenario

The infrastructure security and dependability problem statement

Cyber-Physical Systems place challenging inter-disciplinary problems:

- SCADA systems are real-time systems with some fault-tolerance concern, classically not designed to be widely distributed or remotely accessed or open, and designed without security in mind
- Risk is not well mastered: threats on current configurations probably risk far more damaging failure scenarios than anticipated

Possible consequences

The perspective of these threats is overwhelming:

- wrong manoeuvring by inept or malicious users inside the company's own corporate networks
- malicious (or disastrously curious) actions from users somewhere in the Internet
- targeting computer control units, embedded components and systems, that is, devices connected to operational hardware (e.g., water pumps and filters, electrical power generators and power protections, dam gates, etc.)

Such mishandling may cause severe damage to people, economy, and environment.

How probable are successful cyber attacks to critical operations?

Inevitable threats

- use of COTS: increased and widespread vulnerabilities
- CII interconnection: interference and interdependence
- pervasiveness of network connectivity: increased exposure to external attacks

Conventional software vulnerabilities: ever increasing number of vulnerabilities

Figure: chart of the number of reported vulnerabilities per year (Source: IBM xForce).

Vulnerability exploit cycle

Figure: the exploit cycle, with the stages: advanced intruders discover a vulnerability; crude exploit tools are developed; crude exploit tools are distributed; novice intruders use the crude exploit tools; automated scanning/exploit tools are developed; widespread use of automated scanning/exploit tools; intruders begin using new types of exploits.

Past and present: increased likelihood of
- small scale, average severity intrusions
- massive scale, high severity intrusions

Present and future: increased likelihood of
- small scale, high severity targeted intrusions

Attack sophistication vs. attacker expertise

Figure: chart over the years 1980, 1985, 1990, 1995, 2000, 20xx… with two curves between High and Low: the attacker expertise required falls while the attack sophistication available rises. Attack examples placed along the timeline: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, burglaries, sweepers, sniffers, packet spoofing, GUI tools, automated probes/scans, network management diagnostics, www attacks, denial of service, DDoS attacks, "stealth"/advanced scanning techniques, malicious code, embedded malicious code, bot net tools. A second copy of the chart labels its axes "Required attacker expertise" and "Available attack sophistication" and marks the present as the era of TARGETED ATTACKS.

(Source: Adapted from Lipson, H. F., Tracking and Tracing Cyber-Attacks: Technical Challenges and Global Policy Issues, Special Report CMS/SEI-2002-SR-009, November 2002. (CERT))

Specific real-time and embedded systems (RTE) security problems

- Common threats
- Common sources of threats
- Common goals of attacks
- Common myths and misconceptions

Common myths and misconceptions

Common misconceptions w.r.t. SCADA systems security and dependability (Sec&Dep)

Real-time and embedded (RTE) systems, having a closed and proprietary nature, do not suffer security problems
REALITY: security by obscurity never led to secure designs; RTE systems are increasingly interconnected and their internals known; recent studies showed many impacted control systems

Control system protocols are attackable

Threat: it is possible to send attack messages to the controller host trying to find and exploit some (known or unknown) vulnerabilities

Is it really possible with closed and hidden software? Legacy software is not security-aware!

"These backend protocols are often based upon standards that pre-date Windows," Graham wrote in his blog. "They are horribly insecure because few people in the SCADA industry know what a 'buffer-overflow' is."

physorg.com, "Hole Found in Protocol Handling Vital National Infrastructure"

Common misconceptions (2)

Some control system failure scenarios always existed but are extremely improbable
REALITY: true only under the stochastic perspective of accidental failures; the intruder will unbalance the probability distribution in his favour; if it can happen, it will happen!

Automatic control is much more reliable and correct than human control
REALITY: fairly doubtful if the system is not fault-tolerant; absolutely invalid if the system is not secure

RTE control loops with feasible R/T schedules are always timely
REALITY: fairly doubtful if the system is not fault-tolerant; absolutely invalid if the system is not secure

Control system protocols are attackable

"Firstly, I will be covering the basics of SCADA networks and give a general overview of the SCADA protocols namely Modbus, DNP3, ICCP and IEC standards. North America mainly uses Modbus, DNP3 and to an extent ICCP, the European countries use the IEC standards. After the basics I will be getting into the finer details of the protocols as to what function code, internal indication flags does what and how that can be used to attack or take down the SCADA system. I shall as well discuss and demonstrate the current level of security implementation that these sites have. … Once the test cases are developed, the tool will be used to determine the vulnerabilities in various implementations and these vulnerabilities will be presented in Defcon. A case study of the various software implementations will as well be presented showing where they are normally vulnerable."

- Ganesh Devarajan, Security Researcher, Tipping Point Inc. "Unraveling SCADA Protocols: Using Sulley Fuzzer" @ DEFCON-15 (Aug. 2007)

Common misconceptions (3)

Private modem lines are secure
REALITY: security by obscurity, take II; default passwords…

A PC with two LAN interfaces is a secure separation between SCADA and Intranet/Internet
REALITY: Instead, it is a sure way for the hacker to bridge in between

Firewalls will do to protect an RTE system
REALITY: Useful, but incomplete coverage; blind to high-level command and control language, semantics, interactions

Intrusion detection will detect all intrusions in RTE systems
REALITY: Useful, but incomplete coverage; false and omitted alarms, whichever is worse; human-reaction driven, may lead to control instability

Classical firewalls are attackable

Let's look at the number of serious firewall vulnerabilities reported between 2005-2007:

Year   DoS   Intrusion   DoS+Intrusion
2008     3           3               6
2007    21          15              36
2006     8          15              23
2005    11           9              20

Source: National Vulnerability Database (USA) (http://nvd.nist.gov/)
The table does not present all reported vulnerabilities. The trend has continued in recent years.

Common misconceptions (4)

Security techniques are an obstacle in RTE systems, which have to make progress at the pace of the environment, sometimes be fast, and remain available
REALITY: RTE systems must above all be correct; insecurity is not an acceptable tradeoff, since it may mean high losses

Fail-safe mechanisms of the control devices prevent intrusions from leading to catastrophic failures
REALITY: true only for some local devices; use of COTS increasingly invalidates this; impossible to define 100% coverage for fail-safe mechanisms and yet allow human manoeuvre; high-level system controls may be deceived

Common misconceptions (5)

RTE system operators are honest and competent
REALITY: it takes just one exception to do damage, but even if all system operators were honest and competent, whoever is using their computer accounts may not be

Denial syndrome: "After all, RTE systems are secure and safe, nothing really serious has ever happened!"
REALITY: serious things have already happened; the best known case is Stuxnet, but the bottom of the iceberg is much bigger, and remains classified in many countries

Networked Control Systems: threats

Figure: networked control loop: command and feedback control traffic pass through a firewall to the protection device, the AVR and the RVR that control the generator (G), with monitoring data flowing back.

How possible are intrusions? SCADA cyber security under fire

Can an attacker manipulate a SCADA data stream to precipitate a large-scale outage?

- Previous studies suggest this is possible
- Past events reinforce this conclusion (US/Canada blackout)

"…FE did not respond to the loss of its transmission lines because it did not have sufficient information or insight to reveal the need for action"

Source: US-Canada Power System Outage Task Force: "Final Report on the August 14, 2003 Blackout in the United States and Canada: Causes and Recommendations"

- Recent studies (TCIP project) indicate the black-out could have been caused by cyber-attackers

Can such malicious activity be detected while the attack is in progress?

A (very) hard problem

A concrete example

... the digital-electrical connection...

A Hierarchical Voltage Regulation example (Crutial project)

Figure: hierarchy in which the upper level defines set points and the lower level controls the generator towards the set point.

Automatic Voltage Regulator (AVR)

Figure: control loop in which the controller receives the set point and the control variables and drives the generator.

... and, intrusions have happened!

Nuclear plant under attack! (January '03)

The Slammer worm penetrated the control systems of a nuclear power plant in Ohio (Davis-Besse Nuclear Plant). It caused two critical monitoring systems to stop.

Figure: propagation path of the worm:
(0) Slammer worm on the Internet
(1) Well configured firewall stops the worm at the Internet
(2) Worm enters unprotected supplier network
(3) Worm propagates to the SCADA network through an un-monitored T1 link
(4) Worm overloads control networks, causing a 6-hour stop of two supervisory systems

Insider Threat

Stuxnet worm (2010)

- sophisticated piece of computer malware designed to sabotage industrial processes controlled by Siemens SIMATIC WinCC, S7 and PCS 7 control systems
- used both known and previously unknown vulnerabilities to spread; evaded state-of-the-practice security technologies
- self-replicates and spreads in a number of ways: removable drives; LANs; network shares; database servers
- updates itself through a peer-to-peer mechanism within a LAN

Simulation of cyber attack (March 2007)

2007, USA, DoE Idaho Lab: simulated attack, network based, as if from the Internet, against a power generator.

The attack shook and destroyed the generator.

State of play: the present!

Basic security and dependability engineering is required to place electrical critical information infrastructures (CII) at least at the resilience level of commercial ICT systems

deadline: NOW

Constraints:
- requires combined computer and electrical engineering knowledge
- some current IT Sec techniques can negatively affect RTE system operation (availability, timeliness, ...)

But this is not enough…

Insight on the future

- Why don't we have more accidents?
- How much time have we?
- Where do we go from here?

Where do we go from here?

Strategic Cyber Defense for Critical Infrastructures

Usual approaches: perimeter defense?
- Why not secure "borders" (e.g. CII boundaries) better?
- Better intrusion detection, firewalling, ...?
- Better InfoSec policies?

Strategic Cyber Defense for Critical Infrastructures

Perimeter defense alone is hopeless given the "open virtual border" situation depicted.

We need complementary paradigms:
- Defense in depth
- Graceful degradation

We need technologies fulfilling these paradigms for CII protection:
- Automatic remediation
- Intrusion tolerance and self healing
- Adaptive security

A research grand-challenge for architecting Critical Information Infrastructures

Make CII withstand continued combinations of faults and intrusions in an automated way

What do we need?

AUTOMATIC SECURITY

Designing trusted-trustworthy computing systems in a nutshell

- we want systems to operate through faults and attacks in a seamless manner, in an automatic way: Preventing, tolerating faults and intrusions
- we want systems to endure the fact that operating conditions and environments are more uncertain and/or hostile: Handling increasing attack severity
- we want systems to be deployed in unattended manner: Resisting continued attacks
- we want systems to attain very high levels of assurance: Validating, assessing fault/attack assumptions

Reference: Intrusion-Resilient Middleware Design and Validation. P. Verissimo, M. Correia, N. Neves, P. Sousa. In: Information Assurance, Security and Privacy Services, H. Rao & S. Upadhyaya (Eds), Handbooks in Information Systems, Volume 4, Elsevier 2009, Chap. 22.

CRUTIAL: Critical Utility InfrastructurAL Resilience
STREP Project FP6-2004-IST-4-027513
Coordinator: CESI RICERCA SpA
January 2006 - December 2008

Vision: Resilient distributed power control in spite of threats to the information and control infrastructures

Objectives:
- Provide modelling approaches for understanding and mastering the various interdependencies among power, control, communication and information infrastructures
- Investigate distributed architectures enabling dependable control and management of the infrastructure

Figure: project overview relating power control infrastructures, models, architectures and evaluations.

Introduction

- The architecture for CRUTIAL is based on the concept of a WAN-of-LANs
  - Each LAN represents a critical infrastructure facility
  - A non-trusted WAN interconnects all LANs
- At the gates of each LAN there is a protection device called CIS (CRUTIAL Information Switch)
  - It enforces fine-grained security policies
  - It is highly dependable (intrusion-tolerant)
- CII as a WAN-of-LANs:
  - only CIS are dedicated
  - preserves legacy devices

Figure: WAN-of-LANs diagram: substations A, B and C (with station network, PLC control network, process network and historian network), a corporate network, a utility network, a telco network and the Internet, each site connected to the WAN through a CIS.

EC, Brussels, March 2007

Architectural devices in CRUTIAL

- Weak assumptions: hostile and incompletely defined interconnection environment
- Intrusion tolerance for trust
- Trusted/trustworthy services out of non-trusted components

Figure: facilities (a local network of nodes, a modem server reachable over the PSTN) connected through CIS to a WAN and the Internet; the WAN and the Internet form the hostile environment, out of which trusted/trustworthy services are built from non-trusted components.

CRUTIAL Reference Architecture

- Crutial Information Switches (CIS):
  - appliances controlling the info flow
  - CIS can be replicated (fault and intrusion tolerance, F&I Tol)
  - CIS cooperate to implement services
  - a number of CIS can be corrupted

Networked Control System revisited

Figure: the same networked control loop (command, feedback control, firewall, protection device, AVR, RVR, generator, monitoring data), now with a malicious party attached to it: remember that the firewall can be attacked and compromised!!

CIS Intrusion Tolerance: non-replicated case

Figure: incoming traffic passes through a single CIS to the station computer on the control network; if that single CIS is faulty, a malicious sender's invalid message (e.g., MMS) is forwarded.

CIS Intrusion Tolerance: replicated case

Figure: incoming traffic is copied by a traffic replicator (e.g., a hub) to several CIS replicas, each of which forwards to the station computer on the control network. The station computer cannot accept a message approved by a single CIS replica (it can be faulty).

CIS Intrusion Tolerance: an abstract solution

Figure: incoming traffic is replicated to the CIS replicas; a trusted voter in front of the station computer accepts a message only when f+1 replicas approve it.

f = max. number of faulty CIS replicas

Page 32: Security and Dependability Risks of Critical Information ...pjv/talks/verissimo-keynote-safecomp-11.pdf · Security and Dependability Risks of Critical Information Infrastructures

Intrusion-Tolerant Firewalls

• Intrusion-tolerant Firewall
  – A replicated FW, called CIS, which inspects packets taking into account application level semantics and organizational policies
• Fundamental Assumption: each replica is different and fails independently
  – A message only passes through the firewall if the majority of the replicas approve it (2 out of 3 in the demo)

[Diagram: incoming traffic reaches three CIS through a HUB; CIS-signed messages pass through a second HUB to the controller (x = dP(V,f)/dt) and the generator]

CIS Intrusion Tolerance

• How to build the trusted voter?
  – Another machine: single point of failure
  – Station computer:
    • We cannot modify the application software;
    • It is undesirable to replicate the traffic going to the LAN
  – CIS Replicas:
    • Threshold signatures can be used to put trust on a set of servers, but it's too costly;
    • Another option is taking a detour… wormholes, or trusted-trustworthy components

Cheap CIS Intrusion Tolerance

• Policy enforcement and message voting are made outside the wormhole
• CIS gives message to W that returns a ballot
• If f+1 votes are presented to W, it produces a message MAC
• CIS forwards messages after a random delay
• Station computers use IPsec so they only accept messages with MAC
• 2f+1 replicas

[Diagram: incoming traffic reaches the CIS replicas through a HUB; each CIS hosts a local wormhole W; approved messages pass through a second HUB to the control network and the station computer]
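As an added example (not code from the talk or from the CRUTIAL project), the voting scheme of the "abstract solution" and "Cheap CIS Intrusion Tolerance" slides above: 2f+1 CIS replicas each apply the policy and hand a ballot to the trusted wormhole W, which issues a MAC only once f+1 distinct replicas have approved the same message, and the station computer accepts only messages carrying a valid MAC. The policy, the message format, the key, the model of a compromised replica (one that approves everything) and the single-process simulation are constructed assumptions.

```python
import hmac
import hashlib
from collections import defaultdict

F = 1                               # max. number of faulty CIS replicas
N = 2 * F + 1                       # CIS replicas required (2f+1)
KEY = b"constructed-wormhole-key"   # assumed shared by W and the station computers only

def policy_ok(msg):
    """Constructed organisational policy: reads allowed, setpoints only within 0..100."""
    try:
        parts = msg.decode("ascii").split()
        return parts[0] == "READ" or (parts[0] == "SET" and len(parts) == 3
                                      and 0.0 <= float(parts[2]) <= 100.0)
    except (UnicodeDecodeError, IndexError, ValueError):
        return False                # malformed traffic is rejected, never crashes the replica

def cis_ballot(rid, msg, compromised=False):
    """A CIS replica votes by returning (replica id, message); a compromised replica
    approves anything, a correct one only policy-conforming traffic."""
    return (rid, msg) if compromised or policy_ok(msg) else None

class Wormhole:
    """Trusted component W: a MAC is produced only once f+1 distinct replicas
    have approved the same message."""
    def __init__(self):
        self.votes = defaultdict(set)      # message -> ids of approving replicas

    def submit(self, ballot):
        rid, msg = ballot
        self.votes[msg].add(rid)           # repeated votes from one replica count once
        if len(self.votes[msg]) >= F + 1:
            return hmac.new(KEY, msg, hashlib.sha256).digest()
        return None

def station_accepts(msg, tag):
    """Station computer: accept only messages carrying a valid MAC from W
    (the slide's IPsec check, reduced here to an HMAC over the payload)."""
    if tag is None:
        return False
    expected = hmac.new(KEY, msg, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)

def deliver(msg, compromised=frozenset()):
    """Push one message through all N replicas and W; return the station's decision."""
    w, tag = Wormhole(), None
    for rid in range(N):
        ballot = cis_ballot(rid, msg, rid in compromised)
        if ballot is not None:
            tag = w.submit(ballot) or tag
    return station_accepts(msg, tag)
```

With f = 1 a single compromised replica can neither push an invalid setpoint through nor block a valid one, while two compromised replicas (more than f) defeat the scheme, which is exactly the bound the slide states.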

4. ITCIS with Proactive and Reactive Recovery (ITCIS-PRR)

[Diagram: the replicated CIS of the previous slides (incoming traffic, HUB, three CIS, HUB, controller x = dP(V,f)/dt, generator); a compromised replica ("I'm Malicious!") is ordered to "Reboot Now!"]

Conclusions

• Computer Sec&Dep cannot be an afterthought: build it in, don't bolt it on! Hackers, competitors, criminals and terrorists will not wait till you're ready
• Cyber-Physical infrastructures are a key point: computer security is no longer a realm of ICT systems alone
• Bang! is different from Crash: a cyber-borne catastrophe may "never" happen, but "if" it happens, cost may be tremendous, in material and immaterial assets (devices and image)

Some references:

Highly Available Intrusion-Tolerant Services with Proactive-Reactive Recovery. Paulo Sousa, Alysson Bessani, Miguel Correia, Nuno Ferreira Neves, Paulo Veríssimo. IEEE Transactions on Parallel and Distributed Systems, vol. 21, no. 4, pp. 452-465, Apr. 2010.

Intrusion-Resilient Middleware Design and Validation. Paulo Veríssimo, Miguel Correia, Nuno Ferreira Neves, Paulo Sousa. Information Assurance, Security and Privacy Services (Handbooks in Information Systems, volume 4), Emerald Group Publishing Limited, pp. 615-678, 2009.

Designing Modular and Redundant Cyber Architectures for Process Control: Lessons learned. Paulo Veríssimo, Alysson Bessani, Miguel Correia, Nuno Ferreira Neves, Paulo Sousa. Proceedings of the 42nd Hawaii International Conference for the Systems Sciences (HICSS-42), Waikoloa, Hawaii, January 2009.

The CRUTIAL Way of Critical Infrastructure Protection. Alysson Bessani, Paulo Sousa, Miguel Correia, Nuno Ferreira Neves, Paulo Veríssimo. IEEE Security and Privacy, vol. 6, no. 6, pp. 44-51, Nov/Dec 2008.

The CRUTIAL Reference Critical Information Infrastructure Architecture: A Blueprint. Paulo Veríssimo, Nuno Ferreira Neves, Miguel Correia. International Journal of System of Systems Engineering, vol. 1, n. 1/2, pp. 78-95, 2008.

«It's been long since a padlock was enough to get you security ...»

Thank you
Paulo Veríssimo
Univ. Lisbon, Portugal
http://www.di.fc.ul.pt/~pjv