Safety and Security Risks in IT Infrastructure with respect to the Safety of Critical National Infrastructure. David Lund, David Lund Consultants Ltd. Safety Critical Systems Club - 21st April 2015


Page 1:

Safety and Security Risks in IT Infrastructure with respect to the Safety of Critical National Infrastructure

David Lund, David Lund Consultants Ltd
Safety Critical Systems Club - 21st April 2015

Page 2:

Context – Critical National Infrastructure

The government defines the UK's national infrastructure (NI) as “facilities, systems, sites and networks necessary for the functioning of the country and the delivery of the essential services upon which daily life in the UK depends”. It identifies nine areas as NI: energy, transport, water, communications, food, health care, emergency services, financial services and government itself. For each area a sector resilience plan is published and updated annually. The plans are HMG classified documents, although a summary is made available to the public. Most of the sector plans refer to their dependence on communications.

Page 3:

Context – Critical National Infrastructure

Natural Hazards and Infrastructure (HMG) - Communications Infrastructure:

“Mobile communications towers are exposed on higher ground to wind storms and debris which could cause a tower to collapse. Additionally, exposed structures have increased ice formation, which in turn increases the towers' vulnerability to high winds. BS8100 provides a design standard for communications towers within the mobile and broadcast industry. Factors taken into account are the life-time of the structure, the geographic location i.e. vulnerability to hazards, and consideration of other infrastructure in the area. Hence, mobile communication towers are designed to withstand wind, debris and other natural hazards and as a result are rarely disrupted by the weather in the UK.”

No mention of the IT infrastructure that supports them!!

Page 4:

Context – Critical National Infrastructure

Natural Hazards and Infrastructure (HMG) - Energy Infrastructure:

“Electrical equipment such as transformers and circuit breakers are vulnerable to temperature extremes, which can lead to power outages. The design standard IEC 61936-1:2010 provides common rules for the design and the erection of electrical power installations so as to provide safety and proper functioning for the use intended. IEC 61936-1 specifies a temperature range within which component parts of the electricity network should be designed to operate, for example outdoor components should function at ambient air temperatures of between -25 °C and 40 °C as calculated over a 24 hour period. Recorded extreme UK temperatures remain within this range, thus components designed to this standard would be expected to continue to operate during periods of extreme weather in the UK. In addition, critical circuits will have two levels of redundancy so that in the event of any minor faults the service will remain operational.”

No mention of the IT infrastructure that supports it!!

Page 5:

Context – Critical National Infrastructure

In 2010 the Parliamentary Office of Science and Technology (POST) issued a note that examined this interdependency. It cited these incidents:

- The Cumbrian floods in 2009 destroyed a bridge carrying 312 fibre optic circuits serving 40,000 people, including police and local businesses. Disruption to the transport sector due to the collapsed bridge was compounded by the loss of communications.
- Many infrastructure components rely on precise time signals to synchronize with other assets. Dependence on signals from Global Positioning System (GPS) satellites is now a widespread single point of failure (SPF).
- In April 2010, a faulty anti-virus update, supplied by the McAfee software company, crashed thousands of computers running an identical version of the Microsoft operating system.

Page 6:

Context – Critical National Infrastructure

The POST report also gave a hypothetical illustration that a systems approach is required.

Page 7:

Context – Critical National Infrastructure

The Cabinet Office issued a policy document in 2010 that specifies a criticality scale for disruption of NI:

- The highest is Cat 5, which is used where there would be a long-term impact.
- Cat 4 would impact provision of services to millions of people.
- Cat 3 impacts thousands of people (regional).

The impact is assessed using 3 dimensions: economic, life, loss of service. The greater of the 3 is used to set criticality.

Page 8:

Context – Critical National Infrastructure

IT infrastructure is only referred to indirectly in the Sector Resilience Plans:

- Communications – need to comply with CESG standards for security (mostly IT related); service prioritization; protection of data centres
- Emergency services – communications (data, radio, satellite, control centres)
- Energy – communications, severe space weather, cyber attack (control systems)
- Hazardous sites – control systems
- Health –
- Civil nuclear – comply with standards; now looking at “beyond reasonably foreseeable” events
- Water – communications; flow management, monitoring systems

Page 9:

Context – Critical National Infrastructure

Natural Hazards and Infrastructure (HMG): Eight Considerations for Regulated Sectors

1. Reporting on resilience. As society increasingly becomes risk averse and prioritises security of supply and resilience, consideration should be given to the incorporation of a specific resilience section in infrastructure owners' annual reports.
2. Vulnerable site monitoring schemes. Consideration should be given to establishing a monitoring and reporting system for the most vulnerable critical infrastructure in each sector.
3. Business Continuity Management (BS25999). Consideration should be given on the best means to drive up adoption of BS25999, or equivalent standards, and the benefits of external auditing or review.
4. Inconsistent standards. Consideration should be given to assessing and monitoring actual standards of infrastructure resilience and how to share such information within and across sectors.
5. Formalising innovative funding initiatives. Consideration should be given to co-ordination of research initiatives on resilience across sectors.
6. Improving resilience business cases. Consideration should be given to the evaluation and weighting of corporate reputational, social and environmental benefits of building resilience within infrastructure cost benefit analyses and investment decisions.
7. Exemption clauses in service standards. Consideration should be given to the appropriateness and role of exemption clauses or limitations of liability in service and performance standards as an incentive to build resilience.
8. Data impact on financing redundancy. Consideration should be given to: (a) how high probability low impact event data is used in assessing the probability of low likelihood, high impact events, and the need to build resilience for such events, and (b) the greater value of building redundancy within the network rather than protection of sites for a single hazard.

Page 10:

IT Infrastructure – Safety & Security Risks

For the CNI, the Cabinet Office sees the response to the risks as mainly an issue of resilience of physical assets, though potential harm to people is acknowledged.

However many of the sectors rely on IT infrastructure which must also be resilient

The exception is the response to cyber risks which by implication are all IT infrastructure related.

Page 11:

IT Infrastructure – Safety & Security Risks

Use of “threats” to show commonality between safety and security. Only interested in threats (causes) to IT infrastructure today.

Hazardous event examples:
- emergency services = location of assets unknown (LA)
- energy = grid uncontrollable
- hazardous sites = control room out of action (Buncefield)
- civil nuclear = location of fuel elements unknown
- water = monitoring system failures
- government = criminal records not available

Page 12:

IT Infrastructure – Safety & Security Risks

Threats/causes – Control measures

Page 13:

IT Infrastructure – Safety & Security Risks

Threats/Causes, with the comment on each:

- Random failures – natural causes – physical component failing. Reasonably well understood for IT infrastructure.
- “Random” failures – caused by interactions that are too complex to analyse/test. Unforeseeable events?? Having occurred they can often be mitigated.
- Random failures – caused by human mistakes. Humans are assumed unreliable.
- Systematic failures – bugs / wrong requirements. Having occurred they usually get fixed.
- (Lack of) Capacity. Often not addressed in IT infrastructure design, accompanied by the thinking that “we have sized it for the maximum load”.
- (Loss of) Integrity. At the low level IT infrastructure integrity is good (memory, disks, communications protocols). At the high level it will depend on the application.

Failures will occur – be prepared.

Page 14:

IT Infrastructure – Safety & Security Risks

Threats/Causes – security related:
- Loss of confidentiality
- Modification of data
- Denial of service

Page 15:

IT Infrastructure – Safety & Security Risks

Control measures – Impact of control measures

- Reduce likelihood of failure (unavailability and data corruption) – MTBF
- Reduce recovery time – MTTR
- Predict the statistical distribution of MTBF and MTTR – long tails exist
- Plan, and exercise the plan, for recovery
- Measure MTBF and MTTR
- Communicate to the application “owner” what is to be expected
- Effective event/incident management – identification, resolution, problem management, known error handling, change management
- Where there are unknowns (known errors, problems) in the IT infrastructure – declare them
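As an added worked example (not from the slides), here is how the MTBF and MTTR figures the slide asks for can be measured from an incident record, and why the distribution, not just the mean, is what the application owner needs to hear. The incident record is constructed: six outages of one service over 2014 with invented times. The definitions assumed are MTBF = total uptime / number of failures and MTTR = total downtime / number of failures, so that availability = MTBF / (MTBF + MTTR); the nearest-rank percentile is a deliberately simple choice for a sample this small.

```python
"""Added example, not from the original slides: MTBF/MTTR from an incident record."""
from datetime import datetime
from math import ceil
from statistics import median

FMT = "%Y-%m-%d %H:%M"

# Constructed incident record (start, end) for one service over one calendar year.
# Dates, durations and causes are invented for this example.
INCIDENTS = [
    ("2014-01-12 03:10", "2014-01-12 03:40"),  # 30 min: failed PSU swapped
    ("2014-02-28 14:05", "2014-02-28 14:50"),  # 45 min: core switch reboot
    ("2014-04-03 22:00", "2014-04-04 00:15"),  # 2 h 15: bad change, rolled back
    ("2014-06-17 09:30", "2014-06-17 09:55"),  # 25 min: disk failure in RAID set
    ("2014-09-09 11:00", "2014-09-09 11:20"),  # 20 min: DNS outage
    ("2014-11-21 16:45", "2014-11-23 08:00"),  # 39 h 15: flood cut the fibre (the long tail)
]
OBS_START, OBS_END = "2014-01-01 00:00", "2015-01-01 00:00"


def _hours(start, end):
    return (datetime.strptime(end, FMT) - datetime.strptime(start, FMT)).total_seconds() / 3600


def repair_times(incidents):
    """Hours of unavailability per incident: time to restore service, not to fix root cause."""
    return [_hours(s, e) for s, e in incidents]


def percentile(values, p):
    """Nearest-rank percentile (assumed method): no interpolation, so it returns a real observation."""
    ordered = sorted(values)
    rank = max(1, ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def summarise(incidents, obs_start, obs_end):
    """Measure MTBF/MTTR over the observation window and describe the repair-time distribution."""
    repairs = repair_times(incidents)
    n = len(repairs)
    observed = _hours(obs_start, obs_end)
    downtime = sum(repairs)
    uptime = observed - downtime
    mtbf = uptime / n          # assumed definition: operating hours per failure
    mttr = downtime / n        # assumed definition: mean hours to restore service
    return {
        "incidents": n,
        "mtbf_h": mtbf,
        "mttr_h": mttr,
        "mttr_median_h": median(repairs),
        "mttr_p95_h": percentile(repairs, 95),
        "worst_share": max(repairs) / downtime,  # fraction of the year's downtime from one incident
        "availability": mtbf / (mtbf + mttr),    # algebraically identical to uptime / observed
    }


if __name__ == "__main__":
    for key, value in summarise(INCIDENTS, OBS_START, OBS_END).items():
        print(f"{key:>14}: {value:.4f}" if isinstance(value, float) else f"{key:>14}: {value}")
```

On this record the mean repair time is about 7.25 hours while the median is under 40 minutes, and the single flood incident accounts for more than 90% of the year's downtime. Reporting only "MTTR 7 h, availability 99.5%" to the application owner hides the fact that the service can, and did, disappear for well over a day; the percentile and the worst-incident share are what a safety case should be planned and exercised against.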

Page 16:

IT Infrastructure – Safety & Security Risks

Control measures – security related

- See CESG documentation
- Patch system software, including LAN switches and routers
- Use anti-virus systems
- Analyse event logs
- Minimise access to systems
- Don't trust anyone – use digital signatures
- Have an effective recovery plan
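The slide leaves "Analyse event logs" as a one-liner. The following added example (not from the slides, and not from any CESG document) shows one concrete form it takes: a sliding-window check over sshd-style authentication log lines that flags a source accumulating failed logins and, more importantly for a control-room host, any later successful login from the same source. The log lines, hostname, user names, addresses and PIDs are constructed for the example; the year (classic syslog timestamps carry none) and the threshold of five failures within sixty seconds are assumptions.

```python
"""Added example, not from the original slides: sliding-window analysis of auth log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

ASSUMED_YEAR = 2015  # assumption: classic syslog timestamps carry no year

# Constructed sample lines in sshd/syslog style; host, users, addresses and PIDs are invented.
SAMPLE_LOG = """\
Apr 21 09:00:01 ctrl01 sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51001 ssh2
Apr 21 09:00:05 ctrl01 sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 51002 ssh2
Apr 21 09:00:09 ctrl01 sshd[2205]: Failed password for root from 198.51.100.7 port 51003 ssh2
Apr 21 09:00:14 ctrl01 sshd[2207]: Failed password for root from 198.51.100.7 port 51004 ssh2
Apr 21 09:00:20 ctrl01 sshd[2209]: Failed password for operator from 198.51.100.7 port 51005 ssh2
Apr 21 09:00:27 ctrl01 sshd[2211]: Failed password for operator from 198.51.100.7 port 51006 ssh2
Apr 21 09:00:31 ctrl01 sshd[2213]: Accepted publickey for svc_backup from 192.0.2.10 port 40022 ssh2
Apr 21 09:00:40 ctrl01 sshd[2215]: Failed password for operator from 203.0.113.5 port 60101 ssh2
Apr 21 09:01:02 ctrl01 sshd[2217]: Accepted password for operator from 198.51.100.7 port 51007 ssh2
Apr 21 09:15:40 ctrl01 sshd[2231]: Failed password for operator from 203.0.113.5 port 60102 ssh2
"""

_TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)"
FAILED = re.compile(_TS + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")
ACCEPTED = re.compile(_TS + r" \S+ sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+")


def parse_ts(text):
    """Turn a year-less syslog timestamp into a datetime, collapsing the padding space of single-digit days."""
    return datetime.strptime(f"{ASSUMED_YEAR} {' '.join(text.split())}", "%Y %b %d %H:%M:%S")


def analyse(lines, threshold=5, window_seconds=60):
    """Return alerts: a source reaching `threshold` failures inside `window_seconds`,
    and any subsequent successful login from a source already flagged."""
    recent = defaultdict(deque)  # source address -> timestamps of failures still inside the window
    flagged = set()
    alerts = []
    for line in lines:
        m = FAILED.match(line)
        if m:
            ts, src = parse_ts(m["ts"]), m["src"]
            window = recent[src]
            window.append(ts)
            while (ts - window[0]).total_seconds() > window_seconds:  # drop failures that have aged out
                window.popleft()
            if len(window) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"type": "brute_force", "src": src, "failures": len(window), "at": ts})
            continue
        m = ACCEPTED.match(line)
        if m and m["src"] in flagged:  # the event that actually matters: the attacker got in
            alerts.append({"type": "success_after_failures", "src": m["src"], "user": m["user"],
                           "method": m["method"], "at": parse_ts(m["ts"])})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG.splitlines()):
        print(alert)
```

The two failures from 203.0.113.5 are fifteen minutes apart and never trigger anything; 198.51.100.7 is flagged on its fifth failure and the later password login as `operator` from that address is raised as the incident to act on. In a real deployment the same logic runs against a central log collector rather than the host's own file, so that an attacker who has minimised their traces on the host cannot also erase the evidence.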

Page 17:

IT Infrastructure – Safety & Security Risks

Page 18:

IT Infrastructure – Safety & Security Risks

Page 19:

IT Infrastructure – Safety & Security Risks

Guidance on setting up IT infrastructure and services: ITIL (IT Infrastructure Library), controlled by AXELOS (HMG-Capita); ISO/IEC 20000.

Covers security but not safety. ITIL expects security to be designed in, transitioned and operated. There should be a security manager.

A new “process” is required which covers safety. Many aspects are already covered under other processes, but it needs to be drawn together. It would follow the standard Plan-Do-Check-Act approach.

Page 20:

IT Infrastructure – Safety & Security Risks

In the HMG document: “Keeping the Country Running: Natural Hazards and Infrastructure”