Protecting Energy Infrastructure

Sandro Bologna, [email protected], http://www.progettoreti.enea.it
ITALIAN NATIONAL AGENCY FOR NEW TECHNOLOGIES, ENERGY AND SUSTAINABLE ECONOMIC DEVELOPMENT (ENEA)
SCADA Security Summit 2009, Stockholm, October 28, 2009


ENEA’s Critical Infrastructure Protection Program (1/2)

INSTITUTIONAL TASKS
– To increase stakeholders’ awareness of cyber threats and interdependency issues
– To foster collaboration and joint analysis of these topics with and between stakeholders
– To find suitable solutions to manage these issues

ENEA’s Critical Infrastructure Protection Program (2/2)

RESEARCH OBJECTIVES
– To improve the resilience of Critical Infrastructures to failures and cyber attacks
  • Early detection
  • Self-awareness and mission fulfilment
– To limit and mitigate cascading effects
  • Analysis of technological networks’ vulnerabilities and reliability
  • Modelling interdependency
  • Establishing an integrated simulation platform to analyse interdependencies and assess the impact of events or failures
  • Improving situational awareness and mutual coordination among CI operators

Projects supporting ENEA’s program

• SAFEGUARD "Intelligent Agent Organisation to enhance dependability and survivability of LCCIs", funded by EU-FP5. Partners: QMUL (UK), LiU (SE), AIA (ES), Swisscom (CH)
• SE-TEC "Feasibility Study for a European Network of Secure Test Centres for Reliable ICT-controlled Critical Energy Infrastructures", funded by EU-EPCIP. Partners: D’Appolonia (IT), ET-TS (IT)
• IRRIIS "Integrated Risk Reduction of Information-based Infrastructure Systems", funded by EU-FP6. Partners: FhG (DE), IABG (DE), TNO (NL), SIEMENS (DE), ALCATEL (FR), TI (IT), ACEA (IT), REE (ES), AIA (ES), ENST (FR), CU (UK), VTT (FI), ETH (CH)
• ASTROM "Assessment of resilience to threats of control and data management systems of electrical transmission network", funded by EU-EPCIP. Partners: ERSE (IT), D’Appolonia (IT), BAH (IT), TERNA (IT), ElsagDatamat (IT)
• CRESCO - LAIII "Modeling, Analysis and Simulation of Complex Networks and their interdependencies", funded by MIUR-PON. Partners: several Italian universities
• DIESIS "Design of an Interoperable European federated Simulation Network for Critical Infrastructures", funded by EU-FP7. Partners: FhG (DE), CRIAI (IT), ICL (UK), TNO (NL)
• MIA "Definition of a methodology for the assessment of mutual interdependencies between ICT and electricity generation/transmission infrastructures", funded by EU-EPCIP. Partners: ERSE (IT), BAH (IT), TERNA (IT), TI (IT), ENEL (IT)
• MICIE "Tool for systematic risk analysis and secure mediation of data exchanged across linked CI information infrastructures", funded by EU-FP7. Partners: Selex Communications (IT), CRAT (IT), IEC (IL), Henri Tudor (LX), iTrust (LX), IRIAM (PL), Un. Roma TRE (IT)
• NEISAS "National and European Information Sharing and Alerting System", funded by EU-EPCIP. Partners: BAH (IT), LanditD (UK), NICC (NL), PdCM (IT)
• MOTIA “Modeling Tools for Interdependencies Assessment in ICT systems", funded by EU-EPCIP. Partners: CNIPA (IT), GARR (IT), TI (IT), …….

SAFEGUARD Project: Early Detection of Cyber Attacks

• Two classes of cyber threats
  – Indiscriminate attacks
  – Targeted attacks
• Anomaly detection rationale
  – Normal behaviour is well known, anomalous behaviour is not
  – It is not possible to think of all the attacks, but we may know the normal behaviour and detect deviations from it

SAFEGUARD ARCHITECTURE

Figure: Cyber Layer of Electricity Network (Home CI). Low-level agents: Diagnosis wrappers, Intrusion Detection wrappers, Anomaly Detection agents, Actuators. High-level agents: MMI agent, Correlation agent, Action agent.

SAFEGUARD ARCHITECTURE

Figure: Cyber Layer of Electricity Network (Home CI). Low-level agents: Diagnosis wrappers, Intrusion Detection wrappers, Anomaly Detection agents. High-level agents: Negotiation agent, MMI agent.

At Level 1: identify component failure or attack in progress

Hybrid anomaly detection agents utilise algorithms specialised in detecting deviations from normality. Signature-based algorithms are used to classify failures based on accumulated functional behaviour.

SAFEGUARD ARCHITECTURE

Figure: Cyber Layer of Electricity Network (Home CI). Low-level agents: Diagnosis wrappers, Intrusion Detection wrappers, Anomaly Detection agents, Actuators. High-level agents: Correlation agent, Action agent.

At Level 2: the Correlation agent correlates the diagnoses; the Action agent replaces the functions of failed components

SAFEGUARD ARCHITECTURE

Figure: Cyber Layer of Electricity Network (Home CI). Low-level agents: Diagnosis wrappers, Intrusion Detection wrappers, Anomaly Detection agents, Actuators. High-level agents: MMI agent, Correlation agent, Action agent.

At Level 3: operator decision support; the MMI agent supports the operator in the reconfiguration strategy

Information available on SCADA

• Events (change of breaker state, alarms, operator actions, etc.)
• Numeric data (voltage, etc.)
• Process variables (real-time value of SCADA blocks)
• System health (CPU consumption, memory usage, communication traffic)

SAFEGUARD Agents

• Event Sequence Monitoring Agent: recognizes a process from the sequence of events it produces
• Data Mining Agent: monitors the TCP/IP traffic using data mining algorithms, looking for anomalies in the values and structure of data packets
• Neural Network Agent: validates the data coming from the substations
• Correlation Agent: correlates the data coming from the low-level agents
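The anomaly detection rationale stated earlier (normal behaviour is known, deviations from it are flagged) and the Event Sequence Monitoring Agent above, as an added illustration that is not SAFEGUARD code: a model of which event transitions occur in normal operation is learned from a log of normal processes, and a monitored sequence is reported when it contains a transition never seen. The event names and the log lines are constructed for the example.

```python
# Event-sequence anomaly detection in the spirit of SAFEGUARD's Event Sequence
# Monitoring Agent: learn which event-to-event transitions occur in normal
# operation, then flag monitored sequences containing transitions never seen.
# Added example, not SAFEGUARD code; event names and log lines are constructed.
from collections import defaultdict

# Constructed training log: one complete normal process per line, e.g. a planned
# switching operation, as a whitespace-separated sequence of SCADA events.
NORMAL_LOG = """\
OP_LOGIN SELECT_BREAKER OPEN_CMD BREAKER_OPEN ALARM_ACK OP_LOGOUT
OP_LOGIN SELECT_BREAKER CLOSE_CMD BREAKER_CLOSED OP_LOGOUT
OP_LOGIN SELECT_BREAKER OPEN_CMD BREAKER_OPEN ALARM_ACK CLOSE_CMD BREAKER_CLOSED OP_LOGOUT
"""

START, END = "<start>", "<end>"


def learn_transitions(log_text):
    """Return {event: set of events that may follow it} seen in normal sequences.

    START/END markers make the first and last event of a process part of the
    model, so a process that begins or ends unexpectedly is also detected."""
    allowed = defaultdict(set)
    for line in log_text.splitlines():
        events = line.split()
        if not events:
            continue
        seq = [START] + events + [END]
        for prev, nxt in zip(seq, seq[1:]):
            allowed[prev].add(nxt)
    return dict(allowed)


def check_sequence(allowed, events):
    """Return the transitions of `events` never seen in normal operation.

    An empty list means the sequence is consistent with the learned behaviour;
    otherwise each (prev, next) pair is a deviation to raise to the operator."""
    seq = [START] + list(events) + [END]
    return [(p, n) for p, n in zip(seq, seq[1:]) if n not in allowed.get(p, set())]


if __name__ == "__main__":
    model = learn_transitions(NORMAL_LOG)
    # Constructed monitored sequence: the breaker changes state with no operator
    # command, which the slide lists among the events a SCADA system reports.
    observed = "OP_LOGIN BREAKER_OPEN ALARM_ACK OP_LOGOUT".split()
    for deviation in check_sequence(model, observed):
        print("unseen transition:", deviation)
```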

SAFEGUARD added value

• Be notified about unexpected (unknown) events
• Be notified about unusual behaviour of the system or of the operator
• Make the assessment on-line (and not post-mortem)!

SCADA Operational Constraints (1/2)

• Utilities have significant investment in SCADA equipment. SCADA and similar control equipment are designed to have significant lifetimes
• Protection mechanisms should not be developed that require major replacement of existing equipment in the near term
• Because of the limited capabilities of the SCADA processors, protection mechanisms should be implemented as a retrofitted add-on device

SCADA Operational Constraints (2/2)

• Protection mechanisms management should be designed to operate in one or more control centres, for disaster recovery and distributed management purposes
• SCADA systems are designed for frequent (near real-time) status updates. Protection mechanisms should not reduce the performance (reading frequency, transmission delay, computation) below an acceptable level
• SCADA protection mechanisms should be designed to address all forms of SCADA protection, including: monitoring of data transmission, cryptographic functions, state estimation functions, topology estimation, usage and actions taken by operators, etc.

Safeguarding SCADA Systems

Figure: RETROFITTED ADD-ON SOLUTION. The SCADA System and its RTUs (Remote Terminal Units) are connected through a Safe Bus API Interface to a Safe Bus, on which the Anomaly Detectors, Correlators and Actuators sit.

ENEA TESTBED TO EXPERIMENT SCADA SAFEGUARD TECHNOLOGY

ENEA Safeguard SCADA Testing Facility (six workstations on a common Communication Network):
• Workstation 1: Electrical Network Simulator (data source)
• Workstation 2: RTUs emulators
• Workstation 3: Control Centre emulator
• Workstation 4: Messages communication broker
• Workstation 5: Alarms monitoring interface
• Workstation 6: Disturbance/attacks generator

Lessons learned from past events

– EU system disturbance on 4 November 2006
  • It was triggered neither by technical failure nor by external event (such as extreme weather conditions)
  • “No specific attention was given by E.ON Netz to the fact that the protection devices have different settings on both sides of the Landesbergen-Wehrendorf line although this information was critical due to the very high flow on this line”.
  • “In some control areas, re-energization of customers was started by DSOs without proper knowledge of the situation in the overall UCTE system; some of them started reconnecting customers without coordination with their TSOs. This worsened the conditions for TSOs action to restore normal system conditions in a controllable way”
– US blackout on 14 August 2003
  • “Cellular services were severely disrupted because most antenna sites were only provisioned with four to six hours of emergency battery power”.
  • “The state of Michigan scrambled to locate additional fuel supplies for telephone central office backup generators in anticipation of an extended loss of power”

Interdependency and Cascading Effects

• To mitigate interdependency and cascading effects we need:
  – To improve situational awareness
  – To support collaboration
  – To support risk assessment

IRRIIS Project: Mitigation of Interdependency and Cascading Effects

• IRRIIS MIT technology is
  – A communication “platform” for automated information sharing
  – A set of additional tools to support risk assessment and risk sharing related to interdependency

IRRIIS MIT Add-On Components

• Internal assessment
  – To provide the operator with a clear and, as much as possible, thorough (and useful!) picture of his own CI
  – To get the information needed by “neighbouring” CIs about the infrastructure status
• Risk assessment
  – To correlate the internal status of the CI with the status of “neighbouring” CIs
  – To estimate the probability of occurrence of undesirable events based on both internal and “neighbouring” status
  – To share risk information with interested “neighbouring” CIs
• Emergency management
  – To support the operator during an emergency
  – To support the local CI operator in the negotiation process with operators of the “neighbouring” CIs during an emergency

Installation of IRRIIS MIT Add-On Components

Figure: two operators, each with an Internal Communicator and an External Communicator, working in normal condition.

The experimentation environment

Figure: Test bed with a SCADA Emulator. LCCI 1: ACEA Electrical Control Room with MIT WorkStation, Electrical Simulator (Sincal), Electrical RE (Risk Estimator) and Electrical MIT. LCCI 2: Telecom Control Room with MIT WorkStation, routing algorithm, Telco RE (Risk Estimator) and Telco MIT. SIMCIP and the MIT Communication components link the two control rooms. Technology to be tested: the Electrical MIT and the Telco MIT.

ENEA Integrated Simulation Platform

• Implementation of a National Infrastructure Simulation and Analysis Center open to contributions from other subjects involved in the area
• It supports modelling and simulation activities to be used for the purpose of interdependency analysis and assessment of cascading effects

ENEA’s Platform Architecture

Figure: End-User Interface (Results Presentation, Scenarios configuration, Scenarios deployment and design interface) used by the Scenario expert and the Decision Maker; Knowledge base with Models Repository (3rd parties), Scenarios Repository and Interdependency Model Repository; Interoperable Simulation Middleware (Diesis Middleware); Domain Simulators and Interdependency Simulators (Cisia, Ciab, Simcip); Add-on Tools; Hardware Communication Layer; Simulators Output Results. Layers: Simulators, Scenarios Setup, Presentation, Add-on Tools, Repositories.

Available Domain Specific Simulators

• Sincal (Electrical Networks Simulator)

• eAgora (Electrical Networks Simulator)

• Powerworld (Electrical Networks Simulator)

• Psat (Electrical Networks Simulator to be used within Matlab)

• NS2 (Telco Networks Simulator)

• Open Track (Rail Networks Simulator)


Available Network Data (1/2)

• Electric power transmission network (overall Italian network)

• Electric power transmission network (detailed Lazio Region, 380 – 120 kV)

• Railway network – Rome area

• Telecommunication network – Rome area

• Highway and road network – Lazio Region

• Internet worldwide network

• Gas pipeline – Italy

Available Network Data (2/2)

• Water supply – Italy

• Seismology map - Italy

• Landslide liability – Italy

• Rivers, hydrological basins – Italy

• Different scenarios to be used in the “what if” activities


Available Interdependency Simulators

• SimCIP from EU-FP6 IRRIIS Project

• DIESIS from EU-FP7 DIESIS Project (under development)

SimCIP Interdependency Simulation Environment (EU-FP6 IRRIIS)

Figure: the Experimenter drives SimCIP (Discrete Event Simulator), which is coupled to NS2 (Telecom Simulator) and Siemens Sincal (Continuous Electrical Simulator). Steps: (1) loading a scenario; (2) setting the failures to be simulated; (3) starting a simulation; (4) SimCIP interacts with the NS2 and Sincal simulators and gets results; (5) simulation results are stored for results analysis.

Scenario evolutions designed and executed within the SimCIP simulation environment

Figure: SimCIP user interface with a components searching panel, an events log panel, visualization controls, a networks state visualisation graph and a panel used to define the sequence of events (scenario).

DIESIS Federated Simulation Paradigm

Figure: a Scenario definition layer (KBS) holding the World ONTology (WONT) template, the Infrastructure ONTologies IONT A–D and the Federation ONTology (FONT), above a Federated simulation layer where a Federated Control Module (FCM) coordinates the Federated Managers FM A–D, each driving a CI domain simulator Sim A–D.

FCM: Federated Control Module
FM: Federated Manager
Sim: CI domain simulator
IONT: Infrastructure ONTology
FONT: Federation ONTology
WONT: World ONTology (template)

DIESIS Federated Simulation Paradigm: Proof of Concept

Figure: an FCM federating Railway, Electric, Flooding and Telco simulators; the CI networks are IONT instances and their interconnections are described by the FONT.


Available Add-on Tools

• Network Topology Analysis Tools (NAT)

• Leontief Simulation Tool

• Leontief Stochastic Chains Tool

• Multi Infrastructure Map for the Evaluation of the Impact of Crisis Scenarios (MIMESIS)

• Electrical Networks Reconfiguration Tool

• Telco Networks Simulator based on fluid dynamics approach

• Network Reliability Analyzer

Networks Analysis Tools (http://www.progettoreti.enea.it//nat)

Leontief Model

In the middle of the last century, the Nobel laureate Leontief introduced his celebrated matrices (input-output tables) to quantify production dependencies between economic sectors. A typical example with five interdependent sectors is reported hereafter. In the picture, nodes represent the sectors and arcs the non-trivial Leontief coefficients.

Leontief coefficient matrix of the example:

    0.0  0.1  0.0  0.2  0.0
    0.3  0.0  0.5  0.1  0.2
    0.1  0.3  0.0  0.2  0.0
    0.0  0.1  0.5  0.0  0.3
    0.1  0.0  0.3  0.2  0.0

Figure: time-dependent inoperabilities.

ENEA-Leontief simulation tool

Since Leontief’s pioneering works in the 1950s, a lot of effort has been devoted to providing simple models that predict the macroscopic evolution of interdependent networks. In this perspective, simple input/output (I/O) models based on inoperabilities have been introduced.

Extensions of such I/O models have also been positively explored by introducing stochasticity and an inner structure of macro-sectors.
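As an added illustration (not ENEA’s tool), the standard inoperability input-output formulation applied to the five-sector Leontief matrix above: the static balance q = A q + c, whose solution is the equilibrium inoperability of every sector, and the time-dependent form dq/dt = K (A q + c − q), where q is the inoperability vector, c the external perturbation and K the diagonal of per-sector resilience coefficients. Taking the slide’s matrix as A (with rows as the dependent sectors), the perturbation vector and the coefficients k are assumptions constructed for the example.

```python
# Inoperability input-output propagation on the five-sector Leontief matrix from
# the slide. Added example, not ENEA's tool: it assumes the standard inoperability
# formulation, static balance q = A q + c and time-dependent dq/dt = K (A q + c - q).

# Leontief coefficient matrix from the slide. Assumed orientation: row i lists how
# much of sector i's inoperability each sector j induces; zeros are missing arcs.
A = [
    [0.0, 0.1, 0.0, 0.2, 0.0],
    [0.3, 0.0, 0.5, 0.1, 0.2],
    [0.1, 0.3, 0.0, 0.2, 0.0],
    [0.0, 0.1, 0.5, 0.0, 0.3],
    [0.1, 0.0, 0.3, 0.2, 0.0],
]


def matvec(M, v):
    """Matrix-vector product in plain Python (no numpy dependency)."""
    return [sum(row[j] * v[j] for j in range(len(v))) for row in M]


def static_inoperability(A, c, tol=1e-12, max_iter=100000):
    """Equilibrium q solving q = A q + c by fixed-point iteration (the Neumann
    series for (I - A)^-1 c), which converges when the spectral radius of A is
    below 1, about 0.7 for the slide's matrix."""
    q = list(c)
    for _ in range(max_iter):
        nxt = [ci + ai for ci, ai in zip(c, matvec(A, q))]
        if max(abs(a - b) for a, b in zip(nxt, q)) < tol:
            return nxt
        q = nxt
    raise RuntimeError("fixed-point iteration did not converge")


def dynamic_inoperability(A, c, k, dt=0.05, steps=800):
    """Time-dependent inoperabilities: explicit Euler on dq/dt = K (A q + c - q).
    k[i] is the (constructed) resilience coefficient of sector i, larger meaning a
    faster reaction. Starts from q = 0 (all sectors operating) and returns the
    trajectory, path[n] being the state at time n * dt."""
    q = [0.0] * len(c)
    path = [q]
    for _ in range(steps):
        drive = matvec(A, q)
        q = [qi + dt * ki * (ai + ci - qi) for qi, ki, ai, ci in zip(q, k, drive, c)]
        path.append(q)
    return path


if __name__ == "__main__":
    # Constructed perturbation: sector 3 directly loses 20% of its function.
    c = [0.0, 0.0, 0.2, 0.0, 0.0]
    print("equilibrium:", [round(x, 4) for x in static_inoperability(A, c)])
    path = dynamic_inoperability(A, c, k=[1.0] * 5)
    print("at t = 1:", [round(x, 4) for x in path[20]])
```

With the constructed 20% loss in sector 3, every sector ends up partly inoperable (sector 3 itself at about 32%, sector 2 at about 24%), which is the cascading effect the I/O model is meant to quantify.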

ENEA – Leontief Stochastic Chain Tool

Figure: three cases for sectors A, B and C: plain Leontief, non-interacting nets and an interacting global net.

Final considerations

• Improving the resilience of Critical Infrastructures is a multidimensional problem
• Modelling and simulation capacity, also exploiting commercial simulation tools, is necessary to understand the multidimensional problem of vulnerabilities, interdependencies and cascading effects
• Realistic testing environments are necessary to experiment with the technological solutions addressing cyber threats and cascading effects
• Strategies/guidelines for implementing exhaustive experimentation sessions must be put in place
• A thorough assessment of the benefits of the solution should be carried out through exhaustive experimentation activities