
Source: people.eng.unimelb.edu.au/atif/Papers/Beraud.pdf

A Process for the Identification of Security Risks from Critical Infrastructure Interdependencies

P. BERAUD [1] and A. AHMAD [2,3]

[1] Manager, Technical Architecture & Infrastructure Services, Australian Energy Market Operator Ltd. Email: [email protected]

[2] Department of Information Systems, University of Melbourne, Australia. Email: [email protected]

[3] secau – Security Research Centre, Edith Cowan University, Perth, Western Australia

Abstract

Traditional security risk assessment takes a broad asset-based view of organizations. The risk identification process therefore focuses on well-known threats and vulnerabilities to static and discrete assets that fall within the scope of the organizational boundaries under investigation. It does not offer a methodology or framework that systematically deals with risks that arise from the complex interdependencies [1] between the critical infrastructures [4]. To support this proposition, this paper conducts a systematic analysis of the security risks resulting from logical, cyber, geographical and physical interdependencies between telecommunications and power infrastructures. The analysis demonstrates that certain security risks arising from interdependencies cannot be identified using the traditional risk identification approach. A process model is then proposed to extend existing risk methodologies to include a systematic identification of the security risks that arise from the interdependencies of infrastructures.

[1] Interdependency is a simple concept and is mostly depicted as bidirectional relationship flows. It is a mutualistic form of reliance between two entities. That is, the state of one entity affects that of the other entity and vice versa.

[4] A set of systems that exhibits an appreciable level of coupling and produces an appreciable level of services to a broadly valued domain of societal well-being.

Keywords: Critical Infrastructure Protection, Information Security, Security Risk Assessment

Introduction

National critical infrastructures such as transport, electricity (generation and supply), banking and finance have all benefited from technological advances over the past few decades. The impact of these advances can be seen plainly in the rapid improvement of Western living standards. Western nations that have formally recognized the critical nature of these infrastructures include the US, the European Union and Australia. Changes to security arrangements typically begin with a government-endorsed directive or program. For example, the U.S. Presidential Directive PDD-63 of May 1998 set up a national program for “Critical Infrastructures Protection – CIP” (Relyea, 2002). The European Program for Critical Infrastructure Protection “EPCIP” was created in 2006 under the directive EUCOM (2006) (Fritzon, Ljungkvist, Boin, & Rhinard, 2007).

The Australian government also set up a protection program based on the following definition of critical infrastructure: “Those physical facilities, supply chains, information technologies and communication networks that, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact on the social or economic well-being of the nation or affect Australia’s


ability to conduct national defense and ensure national security” (Rothery, 2005). The Australian critical infrastructure protection program covers the following sectors: Banking and Finance, Transportation, Power, Information and Communication, Government and Municipal Services, Emergency Services, Fire Departments, Law Enforcement Agencies, Public Works (Rothery, 2005).

Over the past few decades a nexus has developed between physical and cyber infrastructure that has changed the security landscape within which modern organizations operate. Interconnectivity and interdependence within cyber infrastructure and between cyber and physical infrastructure have created a security environment where physical events may have a direct cyber impact and, conversely, cyber events may have a direct physical impact (Dunlevy, 2004). For example, consider the interdependency between power and telecommunications. Power generation and distribution is managed by SCADA (Supervisory Control and Data Acquisition) systems that depend on telecommunication services for data transmission between the systems. At the same time, telecommunications rely on electricity to power communications circuitry. An interdependency also exists where transport systems such as trams depend on electricity while the generation and supply of electricity may depend on the transport system, for instance to ferry in the coal or the fuel needed to run power plants.

Current risk management standards, and the vulnerability assessment methodologies they suggest, do not adequately address this new security environment. The application of these standards results in the production of extensive documentation used to measure the type and level of protection for the assets. However, this approach suffers from three major flaws (Brown, Walt, & Barton, 2006; Lee, Gandhi, & Ahn, 2005; National Counter-Terrorism Committee, 2003; Testimony of Joseph M. Weiss, 2007):

1. Lack of a comprehensive methodology and narrow focus – Traditional security risk assessment takes a broad asset-based view of organizations (Shedden, P., Smith, W., & Ahmad, A., 2011). The risk identification process therefore focuses on well-known threats and vulnerabilities to static and discrete assets that fall within the scope of the organizational boundaries under investigation. It does not offer a methodology or framework that systematically deals with risks that arise from the complex interdependencies between the critical infrastructures. It effectively fails to take a holistic view of the web of infrastructures. Because of this narrow focus, several critical security risks that are ported in from various interconnected infrastructures are not detected.

2. Lack of an industry-mandated risk methodology – Current critical infrastructure protection strategy does not mandate a uniform framework for risk assessment per sector. Many critical infrastructures are privately owned, and operators take services such as electricity and telecommunications for granted, as part of a suite of services upon which other infrastructures are built. They typically do not concern themselves with risk arising from these services. As such, deciding exactly which infrastructure system is critical is left to the individual operator, using a risk methodology of its own choosing and design.

3. Reactive approach to security risk assessment – Security risk assessment is often undertaken after the infrastructure is in place and mostly after an incident has already occurred. This approach fails to proactively mitigate current risks in the first place, as well as future risks that may arise from the multi-faceted operational environment. The problem is compounded by the effort required for security risk assessment. The approaches are “heavy-weight”, in that considerable effort must be expended before any results are seen. For example, under traditional risk assessment a large number of assets have to be inventoried. For each asset a range of risks must be identified, and all the risks related to all the assets have to be compiled and prioritized in terms of potential impact and probability of occurrence before a single critical security risk can be addressed.

Although all three of the above flaws influence the effectiveness of risk assessments, the narrow focus and lack of a comprehensive methodology lead us to hypothesize that security risks arising from the interdependencies of critical infrastructures are not addressed by traditional security risk assessment


methodologies. To test this hypothesis, the paper first reviews the problems of Critical Infrastructure Protection and risk assessment in the context of interdependencies. Particular emphasis is given to models and frameworks that capture the complexity of activity at the point of interconnection. A multi-factor model that can be used to analyze the various dimensions of interdependencies is chosen. Two interconnected and interdependent infrastructures are then selected for the analysis exercise. Each factor of the model is applied to the infrastructures in turn to identify interdependencies, and each identified interdependency is examined for potential disruption or integrity compromise. Commentary on the likelihood that the risks could be identified by traditional risk assessment follows, after which mitigation strategies are proposed. Finally, the paper presents a process model designed to systematically identify the threats that arise from the infrastructures’ interdependencies, including those identified by traditional security risk assessment processes.

Critical Infrastructure Interdependency Frameworks

Much of the literature on critical infrastructure interdependencies discusses and/or models the strong relationship between the interdependencies of critical infrastructures and the failures or vulnerabilities observed in those infrastructures (e.g. Chou, C. & Tseng, S., 2010; Casalicchio, E., Setola, R., & Bologna, S., 2010; Eusgeld, I., Nan, C., & Dietz, S., 2011). In 1998, the Galaxy IV satellite failure disrupted 80% of the digital pagers in the USA, and in turn affected the health care system. The failure also disrupted cable broadcast and ATM transmission (Little, R.G., 2002). In this case, a failure in the Telecommunication sector severely impacted other dependent sectors. Furthermore, incidents in the physical dimension can have a severe impact in the digital dimension. In July 2001, a Baltimore CSX train derailed in the Howard tunnel. The resulting fire scorched several fibre optic backbones, which in turn disrupted Internet services and cell phone communication for several hours (Ratner, 2001). The Transportation and Telecommunication infrastructures exhibited a geographic (proximity) interdependency that incubated vulnerabilities, one of which has now manifested.

Critical infrastructures’ vulnerabilities are exacerbated by the cyber interdependencies that arise. Cyber systems incubate an astronomical number of vulnerabilities because of a range of issues including flawed communications technology, operating system bugs, and human error through network device misconfiguration. Those vulnerabilities are effectively ported into the infrastructures because of the cyber interdependencies. In 1999, the inability to control pressure in the Washington Olympic pipeline was due to the failure of its computer control system. The incident resulted in three deaths (Zimmerman, Rae & Restrepo, 2006). It is now known that the August 2003 electric blackout in North America was partly caused by the failure of some of its IT systems (U.S. Secretary of Energy & Minister of Natural Resources Canada, 2004).

Some frameworks in the literature model the possible dimensions of critical infrastructures: Rinaldi et al (2001), Zimmerman (2004) and Little (2002). Of the three, Rinaldi et al (2001) presents and analyzes a conceptual framework for describing infrastructure interdependencies. Using well-documented past failures in critical infrastructures, the paper dissected several aspects of the complex interdependencies that arise from the ubiquity of the interconnections. It explored six dimensions (Coupling and Response Behaviour, Environment, Type of Interdependencies, State of Operation, Infrastructure Characteristics, Type of Failure) that are of utmost importance in any critical infrastructure discussion. Other frameworks focus on modeling tools. For example, Tony et al (n.d.) develop a Node Removal Impact Problem (NRIP) model for analysis of potential impacts in interconnected and interdependent critical infrastructures. The model’s sole focus is the identification of a vital node in a complex interconnected infrastructure, which then helps devise survivability measures for that node. While the model looks at the topological complexities of the critical infrastructures and the consequences that arise from the loss of a vital node, it does not synergistically integrate the infrastructures’ interconnectedness, and it does not look at the infrastructures across all the sectors identified as critical by the various Critical Infrastructure Protection programs. The primary purpose of the model is


for the development of modeling and simulation tools (Grubesic & Murray). Another model identified in the literature is the Generic Assessment framework, which focuses on the risks from infrastructure interconnection points. This model develops an agent-based simulation tool used for the identification of risks from infrastructures’ physical interconnection points. The model does not present any method for assessing and analysing, in a breadth-wise manner, the interdependencies across the full spectrum of sector-wide critical infrastructures. Furthermore, it does not integrate the social, economic, environmental, and political factors that influence critical infrastructures. This model was designed solely for the development of a simulation tool (Brown, Walt, & Barton, 2006).

Unlike the above frameworks, which do not contribute to the identification of security risks from the infrastructures’ interdependencies, Rinaldi et al (2001) provides a clear and exhaustive elicitation of infrastructure interdependencies that can be used to identify security risks. The framework (figure 1) is a conceptual high-level model that presents six dimensions of interdependency, which are subsequently explored, analysed, and dissected. Though the framework does not explicitly attempt to model and analyze security threats that arise from the interdependencies, it does bring together, at a neat abstract level, the factors (technical, legal, economic, business, social/political, legal/regulatory, public policy, health and safety) that influence the operation of critical infrastructures and drive the complexities of the interdependencies observed (Rinaldi, Peerenboom, & Kelly, 2001).

Figure 1 (adapted from Rinaldi (2001))

Interdependency Factors

Rinaldi (2001) identifies four factors that contribute to interdependencies – physical, cyber, logical and geographic. To assist in explaining these factors, the following simple case study is used.

The CSX Transport Case

“On Wednesday, July 18, 2001, at 3:08 p.m., eastbound CSX freight train L-412-16 derailed 11 of its 60 cars while passing through the Howard Street Tunnel in Baltimore, Maryland. Four of the 11 derailed cars were tank cars: 1 contained tripropylene, a flammable liquid; 2 contained hydrochloric acid; and 1 contained di(2-ethylhexyl) phthalate, which is a plasticizer and an environmentally hazardous substance. The derailed tank car containing tripropylene was punctured, and the escaping tripropylene ignited. The fire spread to the contents of several adjacent cars, creating heat, smoke, and fumes that restricted access to the tunnel for several days. A 40-inch-diameter water main directly above the tunnel broke in the hours following the accident and flooded the tunnel with millions of gallons of water. Five emergency responders sustained minor injuries while involved with the on-site emergency. Total costs associated with the accident, including response and clean-up costs, were estimated at about $12 million” (National Transportation Safety Board, 2008).


The resulting fire scorched several fibre optic backbones, disrupting major voice and data communication traffic. Thousands of Verizon Communications Inc. and WorldCom Inc. customers were seriously affected by the outage. Internet, data communication, and cell phone services were disrupted from Washington to New York, including U.S. State Department e-mail communication services with the American embassy in Zambia, Africa. The Archdiocese of Baltimore lost e-mail communications with 162 parishes and 10 schools (Ratner, 2001).

Physical Interdependency

According to Rinaldi (2001), a physical interdependency is “a physical linkage between the inputs and outputs of two agents: a commodity produced or modified by one infrastructure (an output) is required by another infrastructure for it to operate (an input).” This is a physical reliance on the input and output flow from one infrastructure to another. For example, the transportation and telecommunication infrastructures have physical interdependencies. The transportation infrastructure delivers large and heavy telecommunication equipment such as fibre optic cables and communication devices to the Telecom sector, while at the same time it uses services provided by the telecom infrastructure to operate control centres and switches, track goods and ensure business availability. Relating this to the CSX train accident: the state of the railroad (whether the railroad is able to deliver large quantities of new fibre optic cable) directly influences the state of the telecom (whether telecom services are available for the railroad’s control centres and switches) and vice versa.

Geographic Interdependency

Infrastructures are geographically interdependent if “a local environmental event can create state changes in all of them. A geographic interdependency occurs when elements of multiple infrastructures are in close spatial proximity.” (Rinaldi et al, 2001). A local environmental event affects multiple infrastructures due to spatial proximity. Elements of the transportation (CSX rail tracks, switches, railcars) and telecom (fibre optic cable, backbone routers) infrastructures are installed in the Howard tunnel. The damage to the telecom fibre optic cables was due to the close proximity between the elements of the transportation and telecommunication infrastructures.

Cyber Interdependency

A cyber interdependency “connects infrastructures to one another via electronic, informational links; the outputs of the information infrastructure are inputs to other infrastructure, and the ‘commodity’ passed between the infrastructures is information.” A cyber interdependency is based on information flow between the infrastructures. The management of control centres, switches, and railcars depends on the flow of information, as does the management of fibre optic backbone routers and the provisioning and activation of telecom services. Perturbation of the information flow in either the transportation (CSX railroad) or telecommunications (fibre optic cables) infrastructure will have severe impacts on many critical infrastructures.

Logical Interdependency

According to Rinaldi et al (2001), a logical interdependency exists between two infrastructures if “the state of each depends on the state of the other via a mechanism that is not a physical, cyber, or geographic connection. It is closely likened to a control schema that links an agent in one infrastructure to an agent in another infrastructure without any direct physical, cyber or geographic connection.” The logical factor defines a dependency between infrastructures that is neither physical, cyber, nor geographic. The decisions to lay fibre optic cables and build rail tracks through the Howard tunnel may be influenced by many factors (cost/economic, social, environmental, political, etc.). The transportation and telecommunication infrastructures thus have a logical interdependency that is not physical, cyber or geographic.


A Security Risk Analysis of Interdependent Infrastructures

The purpose of this section is to demonstrate that security risks from interdependencies may not be identified by traditional security risk assessment. To this end, the interdependency factors from Rinaldi et al (2001) are systematically applied to an electrical station that uses telecommunications for power management. The example that follows is modeled on the infrastructure of the cities of Porto-Novo and Cotonou in the Republic of Benin, a country in West Africa. Figure 2 shows two sites, a central electric station (‘Cotonou’) and a remote electric substation (‘Porto-Novo’). Supervisory systems centrally coordinate data acquisition and processing between the Master Transmission Unit (MTU) and the Remote Terminal Unit (RTU). They are also used to summarize the processed data and present it in various report formats for operators and management. The MTU reads from and instructs various control functions on several field data-gathering devices and control units. Some of the master transmission unit functions include: “read” measured electricity flow from control units, “read” alarm conditions and act upon them, “send” adjustment set points to control units, “set” various alarm levels.

The remote terminal unit performs data acquisition by scanning various field inputs at the Porto-Novo electric substation. The gathered data is then sent to the master transmission unit for processing. The RTU is used to control the state of the electrical equipment at the substation. It also translates between analogue and digital signals, and then sends the data to the SCADA systems at the control centre site. It can perform functions like opening and closing a switch or valve, or measuring and regulating pressure in a pipe. In this case it connects to the SCADA systems using radio signals to two different Internet Service Providers (ISPs).

The MTU communicates with the remote terminal unit using long-distance telecommunication infrastructure. The communication link is predominantly a fibre optic cable that runs from Cotonou to Porto-Novo and terminates at the fibre optic backbone (FBI) intersection, as depicted in the diagram. Two telecom operators own and operate the fibre optic communication links. In this scenario they are called “ISP A” and “ISP B”. The two electric stations (Cotonou and Porto-Novo) subscribe to the services of both ISP A and ISP B for redundancy purposes. At the central site (Cotonou), each ISP provides a direct Ethernet connection to its services, and the connections terminate on a single router with two Ethernet ports, as depicted. Ethernet port A connects to ISP A and Ethernet port B connects to ISP B. At the Porto-Novo electric substation site, each ISP offers access to its services through packet radio communication. The remote terminal unit is therefore connected to radio transmission devices: radio transmission device “A” is connected to ISP A and radio transmission device “B” is connected to ISP B. The transmit/receive equipment of both ISPs (A and B) shares the same communication tower, as shown in the diagram. From the radio transmit/receive equipment, each ISP has a fibre optic cable connection to the main fibre optic backbone, called “FBI”, which is installed under a bridge. The Porto-Novo electric substation site also has a wireless device for corporate users’ access. The analysis in this paper focuses on a single asset at the substation site, the remote terminal unit (RTU). The paper now describes some of the components that make up the infrastructure.


FIGURE 2: Example of SCADA Systems

The above figure shows the SCADA (Supervisory Control and Data Acquisition) Systems, a set of computer systems used for monitoring and controlling electric power generation and supply. A router connects the central control site (generation station) to the different electric substations. The connection facilitates data communication between the SCADA systems and possibly hundreds of electric substation systems. A wireless access point allows mobile access to the network or to systems on the network (SCADA and corporate systems) without a physical cable attached to the infrastructure. A fibre optic backbone (FBI) interconnect provides a fast and reliable interconnection between different sites. The fibre optic backbone in this case hangs under a bridge (a physical structure connecting two locations, possibly separated by a river). For redundancy and failure risk mitigation, this case uses two ISPs, whereby the primary link to the central control site is through ISP A and the backup link is through ISP B. Note that ISPs A and B share the fibre backbone interconnect, which in turn hangs under the bridge.

Identification of Security Risks from the Interdependencies

The paper now investigates each interdependency in turn, first establishing the existence of the interdependency and then presenting a scenario from which security risks can be identified.

Physical Interdependency

Recall that a physical interdependency is defined as “a physical linkage between the inputs and outputs of two agents: a commodity produced or modified by one infrastructure (an output) is required by another infrastructure for it to operate (an input)”.


TABLE 1A: Physical Interdependency – Control/Data Signals and Information Links

Telecommunications Factor: The telecommunications infrastructure relays the control and data signals used to detect and manage equipment connected at each edge of the infrastructure. The telecommunications network also provides the various information links that establish the routes data (information) takes to reach specific destinations. The telecom network carries control signals and data between the RTU and the MTU.

Electrical System Factor: The RTU uses the control and data signals to open and close electrical switches. The RTU also sends the data it gathers from the various monitoring devices at the site to the MTU.

Potential Issues Arising from Interdependency:

1. Disruption of the telecommunications link can impact the electrical network. Communication between the MTU and RTU will be lost, resulting in the inability to open/close switches (essential to managing power).

2. Data gathered by the RTU cannot be sent to the MTU, so status information will not be available at the centralized monitoring station.

TABLE 1B: Physical Interdependency – Electricity Supply

Electrical System Factor: The Porto-Novo electric substation generates and supplies electricity. The station, in tandem with the Cotonou station, controls the generation, supply and distribution of electricity.

Telecommunications Factor: The telecommunications network uses electricity generated by the substation to power its own network switches and telecommunications equipment. For example, the radio transmission devices installed at the telecom tower and in the premises of the substation are powered by electricity generated at the Porto-Novo substation site.

Potential Issues Arising from Interdependency: A disruption in the electricity supply can have an impact on the telecommunications network. If the substation is unable to produce enough electricity to power the telecommunications equipment, then the telecommunications network will also be unable to provide the communication services needed to manage the electrical network.

Tables 1A and 1B identify a physical interdependency between the telecommunication infrastructure and the asset under investigation (in this case the RTU). The electric substation produces the electricity for powering the telecom equipment, and the telecom equipment produces the data signal for transporting the gathered data between the RTU and the MTU. This interdependency comes from the reliance on the inputs and outputs produced by both infrastructures. A state change in the telecommunication infrastructure can result in a state change in the electrical infrastructure and vice versa.


TABLE 1C: Identified Risks from Physical Interdependencies

Security Threats & Risks

Example Threats: Natural disaster or malicious act.

Potential Risks: The central electric station Cotonou is unable to control the Porto-Novo electric substation due to a natural disaster or a malicious act on the telecommunication infrastructure.

Interdependencies

Telecommunications data / control link (Table 1A)

Electrical power (Table 1B)

Security Risk Scenario

1. The telecommunications tower is smashed by a car. (Availability attack)

2. A flood collapses the bridge under which the fibre cables are laid. (Availability attack)

3. Lightning incapacitates the power generation facility. (Availability attack)

a) Since ISPs A and B share the same telecom tower, the radio transmission devices of both ISPs will be damaged. Communication links will be lost between the RTU and the MTU.

b) Both service providers rely on the concentration of fibre optic cables under the bridge for communication between Porto-Novo and Cotonou. If a flood collapses the bridge, communication will be severed between the cities of Porto-Novo and Cotonou and, as a result, the MTU will be unable to control the RTU.

c) Widespread loss of power may result in the loss of telecommunications coverage essential to control (e.g. mobile tower outage).

Risk Control

Change the backup link to satellite communication. With a satellite link, the backup can use an independently powered satellite dish installed at the premises of the Porto-Novo electric substation. In case the primary link through ISP B or the tower fails, the backup link through the satellite can be activated automatically for uninterrupted operation between the RTU and the MTU.

Verdict on Traditional Risk Assessment

By comparison, a traditional risk assessment would have looked at the RTU in isolation, protecting it against physical threats such as sabotage, power supply voltage control or the loss of telecommunication transport through ISP A. It would have failed to investigate the risks that come from the physical interdependencies, which would have highlighted the telecommunication tower shared by both Internet service providers. Traditional risk assessment would also have missed the concentration of fibre optic cable (the FBI intersection) under the city bridge. Should a flood collapse the bridge, the telecommunication infrastructure will lose its ability to provide the transport signal required by the electrical systems, which in turn severs the communication link between the RTU and the MTU. The narrow focus of traditional risk assessment does not consider interdependencies; it looks at the asset in isolation.


Cyber Interdependency

A cyber interdependency exists if it “connects infrastructures to one another via electronic, informational links; the output of the information infrastructure are inputs to other infrastructure, and the “commodity” passed between the infrastructures is information.”

Information Links and Data

Information Infrastructure Factor (information as “commodity”)

The information links and data are created by the various electronic devices that are part of the telecommunication and electrical infrastructures. For example, the RTU gathers monitoring information from various sensors at the substation. The telecommunications network provides information links that establish paths between those devices. The RTU and the MTU depend on the information links in the telecommunication network for the delivery of data and control signals. Furthermore, the reliability and availability of the signals and data depend on the several electronic devices installed between the RTU and the MTU. Information also passes from the public telecommunications network into the control system via a Wireless Access Point (WAP). The effective operation of the MTU and the RTU depends on the state (broken, routing loop, etc.) of the information infrastructure, which in turn depends on the telecommunication equipment maintaining that state (note that this equipment is ultimately powered by the electrical infrastructure).

Potential issues arising from the interdependency

A routing loop occurs when forwarding paths in the information infrastructure form a cycle, so that a packet circles among the devices indefinitely instead of reaching its destination.

[Figure: three nodes A, B and C in a line. The link between B and C fails; a packet for C loops endlessly between A and B.]

For example, consider the figure above showing three nodes A, B and C. Under normal operation the path from A to C is A-B-C. If a routing loop occurs, node A thinks that the path to C is through node B, while node B thinks that the path to C is through node A. In this case, whenever data destined for node C arrives at either node A or node B, it loops endlessly between A and B. The Porto-Novo substation features a Wireless Access Point (WAP), which allows information from the telecommunications network to be relayed into the electrical control system.

TABLE 2A: Cyber Interdependencies
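To make the routing-loop failure mode concrete, and to show why the "static route to a Null interface" listed later in the Table 3 risk control stops it, here is an added example in Python. It is not code from the paper. Node names A, B and C follow the figure above; the forwarding tables, the TTL value of 8 and the `NULL` next-hop convention are assumptions of this example, and it goes one step beyond the text by also running the mitigated case.

```python
"""Hop-by-hop forwarding simulation for the A-B-C example (added example, not
the paper's code). Node names follow the figure; the forwarding tables, the
TTL value and the NULL next-hop convention (a static route to a null
interface, one of the Table 3 risk controls) are assumptions."""

NULL = "NULL"   # next hop meaning: discard the packet (static null route)


def build_topology(bc_link_up, null_route_at_b=False):
    """Forwarding tables, one dict per node: destination -> next hop."""
    tables = {"A": {"C": "B"}, "C": {}}
    if bc_link_up:
        tables["B"] = {"C": "C"}          # normal path A-B-C
    elif null_route_at_b:
        tables["B"] = {"C": NULL}         # mitigation: drop instead of bouncing back
    else:
        tables["B"] = {"C": "A"}          # stale entry after B-C fails: loops with A
    return tables


def forward(tables, src, dst, ttl=8):
    """Follow one packet from src to dst. Returns (outcome, path), where outcome
    is 'delivered', 'dropped' (no route or null route) or 'ttl_expired' (loop)."""
    path = [src]
    cur = src
    while cur != dst:
        if ttl == 0:
            return "ttl_expired", path
        nxt = tables[cur].get(dst)
        if nxt is None or nxt == NULL:
            return "dropped", path
        path.append(nxt)
        cur = nxt
        ttl -= 1
    return "delivered", path


def has_loop(path):
    """Detection check a monitoring tool could apply to a traceroute-style path:
    any node visited twice means the forwarding tables disagree."""
    return len(set(path)) < len(path)


if __name__ == "__main__":
    for label, tables in (("B-C link up", build_topology(True)),
                          ("B-C link down, stale table", build_topology(False)),
                          ("B-C link down, null route at B", build_topology(False, True))):
        outcome, path = forward(tables, "A", "C")
        print(f"{label:32} {outcome:12} {'-'.join(path)} loop={has_loop(path)}")
```

With the B-C link up the packet is delivered along A-B-C. With B's stale entry pointing back at A it ping-pongs until the TTL expires, which is why, as the scenario column of Table 3 says, both ends keep transmitting yet nothing arrives. With a static null route at B the packet is discarded at the first hop past the break, so the loop never forms and the RTU's own link timeout can trigger the backup.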

Deliberation: There is a cyber interdependency between the RTU and the information infrastructure.

Justification: The electrical control infrastructure (MTU-RTU) is connected to the telecommunications infrastructure via information links. The electrical control infrastructure outputs information into the telecommunications infrastructure. The converse is true with the WAP: the telecommunications infrastructure outputs information (from the Internet) into the electrical control infrastructure.

TABLE 2B: Cyber Interdependencies Deliberation


TABLE 3: Identified Risks from Cyber Interdependencies

Security Threats & Risks

Threats: Information tampering; unauthorised access; denial of service attacks; routing loops.

Risks:

1. Data sent between the MTU and the RTU is tampered with on the way.

2. The RTU is flooded with thousands of service requests.

3. Data sent between the RTU and the MTU flows in a circle and never reaches its destination.

Interdependencies

1. Information infrastructure links

2. Wireless Access Point (WAP)

Security Risk Scenario

1. An outsider or a disgruntled employee accesses the functionalities of the RTU.

2. The routing protocols used by the information infrastructure have no loop avoidance capability, or no loop avoidance mechanism is built into the information infrastructure.

a) Since there is a wireless device at the Porto-Novo substation, a disgruntled employee or an outsider can connect to the wireless access point, map the SCADA network, and in turn gain unauthorised access to the RTU by sending it control instructions.

b) A routing loop in the telecommunication network will sever communication between the RTU and the MTU even though there is a backup link through ISP B. Devices connected to ISP A will still think that they are alive and continue sending data to each other over the established information links, but because of the loop the data will never reach its destination.

c) A denial of service attack can be launched against the RTU to congest the link, or simply flood it to the point that the RTU becomes unable to service legitimate requests from the monitoring sensors or the MTU.

Risk Control

Remove the wireless access point from the network, or separate it from the control network by physical (air gap) or logical means [2]. Other security measures such as strong encryption or authentication can also be used. For the routing loop, advanced routing protocols (link-state protocols, for example) have built-in mechanisms to prevent routing loops. Another mechanism for preventing routing loops in the information infrastructure is to configure a “static route” to a “Null” interface in the routers that are part of the information infrastructure. The information infrastructure can therefore use advanced routing protocols immune to routing loops or implement the null interface mechanism. A further mitigation is to configure the RTU so that, if it does not receive packets from the MTU for a specified amount of time or after a certain number of retries, it automatically switches to the backup link instead of waiting for the information infrastructure to activate it.

[2] Logical separation is possible through a telecommunication technique called Virtual Local Area Network (VLAN), which effectively separates data traffic between each configured VLAN and allows access between VLANs only if configured to do so.

Verdict on Traditional Risk Assessment

Traditional risk assessment may have mitigated wireless security issues for the corporate network, but may not have looked at the security issues arising from the presence of the wireless access point on the same local network as the RTU. Looking at the asset in isolation may not have highlighted any issue relating to wireless devices sharing the same corporate network with control devices (RTU/MTU). Furthermore, traditional security risk assessment tends not to examine the information infrastructure or mitigate potential routing loops within it. The process is unlikely to include the information infrastructure in the analysis scope because it looks at the RTU in isolation.


Logical Interdependency

A logical interdependency exists between two infrastructures if “the state of each depends on the state of other via a mechanism that is not physical, cyber, or geographic connection. It is closely likened to a control schema that links an agent in one infrastructure to an agent in another infrastructure without any direct physical, cyber or geographic connection.”

Control Schema Description

Political and Environment Factors: The ISPs as well as the electricity corporation are organizational entities that operate within an economic, social and political environment. They are bound by laws and regulations that govern the environment in which they operate. Environmental policies in the city of Porto-Novo affect the way the Porto-Novo substation operates, as well as how the ISPs configure towers and install fibre optic cables under the bridge. Economic or political factors at city, regional or state level will affect the operational environment of the ISPs in Porto-Novo. All of the above influence the organizations and in turn influence how data is transported between the RTU and the MTU. The operators at the electric substations manage the configuration of the RTU and the MTU. Part of that configuration depends on configuration parameters supplied by the ISP in order to transport the signals and data. The electric substation in turn powers the telecom equipment, and the correct operation of the substation ensures that the equipment is supplied with the correct input voltage. Operators can send control commands (decrease or increase the output voltage level) to the RTU at the substation, which in turn supplies electricity to the telecommunication equipment. Note that there are emergency procedures to follow in case of accidents at the substation or fire at the shared telecommunication tower.

Issues/Problems: Poor operator training can lead to incorrect configuration of the RTU, which in turn may sever the communication link between the MTU and the RTU or send the wrong signals (possibly due to an incorrect data format). An untrained operator can send dangerous commands to the RTU that shut down equipment at the substation, or might not follow proper emergency and backup procedures in case of failure of the device. For example, should the ISP B operator supply outdated or incorrect parameters for the backup link, that backup connection will never activate if the primary link fails. Should the operators configure the devices with unsuitable signal or data formats at the RTU, the telecommunication network might transport the data but the MTU will not understand the format and the data might be discarded.

Deliberation: There is a logical interdependency between the asset under investigation and the telecommunication infrastructure.

Justification: As identified in the “Control Schema Description” section.

TABLE 4: Logical Interdependencies


TABLE 5: Identified Risks from Logical Interdependencies

Security Threats & Risks

Threats: Political; environmental; device mis-configuration.

Risks:

1. Cancellation of the ISP operating license

2. Mis-configuration of RTU parameters

Interdependencies

Logical interdependencies (political/economical)

Security Risk Scenario

A political decision can shut down the operation of the two Internet service providers, for example by cancelling the licenses of both ISPs to operate in the city of Porto-Novo. That decision may be due to several reasons that are out of the scope of a single RTU analysis, but the requirements come down to the criticality of the device under investigation. Interestingly, the above can be related to an event that happened in the Republic of Benin, whereby a newly elected government cancelled the operating licenses of all Internet service providers country-wide except for the national telecommunication company. The event led to an outage of Internet and related services for over three months, with several critical services severed for thousands of customers.

Risk Control

The redundant link for the RTU (ISP B) can be subscribed through the national telecommunication company to mitigate the risk that the government might cancel private operating licenses. To reduce the risk of device mis-configuration, operational training for staff will help avoid the problem. Mandated emergency procedures that fit the operational environment of the device under investigation will also be useful.

The fourth and last interdependency deals with the geographic factor of the devices under investigation. It is defined as: “Infrastructures are geographically interdependent if a local environmental event can create state changes in all of them. A geographic interdependency occurs when elements of multiple infrastructures are in close spatial proximity.” The scenario presented in this paper does not exhibit a geographic interdependency between the electrical system and the telecommunication system. From the above analysis, the application of just a few of the interdependency factors demonstrates that there are threats that could not be identified by the traditional risk assessment process.

Verdict on Traditional Risk Assessment

Traditional security risk assessment typically does not look at the political and environmental factors that could constitute a threat to the RTU operation.


A Process Model to Identify Security Risk from Interdependencies

The previous section analysed several critical infrastructure interdependencies and applied them to two selected infrastructures to demonstrate that there are risks arising from the interdependencies that are not identifiable by traditional security risk processes. This section provides a new process model that can serve as an input to the traditional security risk assessment process.

Advanced Model for Risk Assessment

To help identify the requirements and semantics for a new risk process model, this paper first illustrates the relationships between the four artefacts listed below. A simple UML notation, shown in figure 3, outlines these relationships. The relationships among the various components are described in table 6 (Lee, Gandhi, & Ahn, 2005).

1. Risks or Threats: There are existing risks to infrastructures. With the increasing interconnectedness of the infrastructures, the risks are also increasing unabated. Some of the risks are not captured by the traditional risks assessment because of the narrow focus of the processes. A more advanced model for risk assessment is needed to address the issue.

2. Interdependencies: Infrastructures have interdependencies. Interdependencies can be influenced by political, economical, environmental, and social factors. As the state of most critical infrastructures is now intertwined, the interdependencies are ubiquitous. This effectively creates risks that were not foreseen before. An infrastructure’s interdependency increases the risks to the infrastructure (thus a more advanced risk assessment model is needed to identify the risks that arise from it).

3. Infrastructures: As defined in this paper, an infrastructure is the set of systems that exhibits a level of coupling and produces an appreciable level of services to a broadly valued domain of societal well-being. When infrastructures are interdependent, risks to the infrastructures are increased. Furthermore infrastructures exhibit vulnerabilities, that if exploited, can adversely impact their operation.

4. Vulnerabilities: These are the weaknesses (flaws) exhibited by the infrastructures. These flaws can be exploited if not addressed. Risk control strategies must be devised to avoid/reduce the impact of exploiting vulnerabilities.

FIGURE 3: UML Representation – Threats & Interdependencies


As can be seen from the above figure, the first block (outlined in red) represents traditional risks assessment modeling while the larger block represents the proposed advanced risks assessment model, which incorporates the interdependencies at its core.

ID / Name / Description

1 / Infrastructure / Infrastructure has one or more interdependencies. Infrastructure has one or more vulnerabilities.

2 / Interdependencies / Interdependency increases the risks (threats) to infrastructure.

3 / Vulnerabilities / Vulnerabilities are found in infrastructure. The vulnerabilities are exploited by the threats. The existence or identification of a threat does not automatically translate into a vulnerability in infrastructure; the infrastructure might not be vulnerable to that specific threat.

4 / Threats / Threats exploit vulnerabilities. Threats are made against infrastructure.

TABLE 6: UML Representation - Flows Description

From the analysis of the identified relationships, each component identified in the UML relationship diagram is represented below. The relationship flows from one component to the other are also represented exactly as identified in the UML representation. The representation below does not change any type of relationship, nor does it add or remove any component. It is an exact match of the UML representation with only one difference: each component is now assigned to a single dimension, which is referred to as a layer. Each layer interacts with any other layer as identified in the UML representation. The result is a four-layer process, as shown in figure 4.

FIGURE 4: Risk Assessment Process Model

To systematically identify threats from interdependencies, including those from the traditional risk assessment, the process starts from known threats (traditional risk assessment) in the threats layer; the infrastructure vulnerabilities to each particular threat are then identified and assigned to the vulnerability layer. The next major step is to identify all the interdependencies of the infrastructure under investigation and list them under the interdependencies layer. For each interdependency factor identified, all the risks that could arise from that factor are identified and listed under the threats layer. This process is applied to the interdependency factors discussed in the previous sections and is presented in figure 5. Note that the existence or identification of a threat does not automatically translate to a vulnerability in the infrastructure: the asset under investigation might not be vulnerable to that specific threat. Moreover, a new threat identified from the interdependencies could exploit an existing vulnerability, one that may already have been identified through traditional risk assessment.
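The four-layer walk just described, run over the case study of this paper, as an added example in Python (not the paper's code). The entries come from Tables 1 to 5 above; the exact threat and vulnerability names, the assumption that the RTU's operators are trained (so the "untrained operators" weakness is absent and the mis-configuration threat finds no vulnerability), and the way threats are matched to vulnerabilities are this example's own.

```python
"""The four-layer process of Figure 4 applied to the Porto-Novo RTU case study
(added example, not the paper's code). Threat, vulnerability and interdependency
entries are paraphrased from Tables 1-5; the names, the assumed vulnerability
set of the RTU and the linking logic are assumptions of this example."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    exploits: frozenset           # vulnerabilities this threat could exploit
    origin: str = "traditional"   # or the interdependency factor that surfaced it


@dataclass(frozen=True)
class Interdependency:
    factor: str                   # physical / cyber / logical / geographic
    description: str
    threats: tuple                # Threat objects arising from this factor


# Threats layer, starting point: what an asset-only assessment of the RTU finds.
TRADITIONAL_THREATS = (
    Threat("sabotage of the RTU", frozenset({"physical access to the RTU"})),
    Threat("loss of ISP A transport", frozenset({"single primary link via ISP A"})),
)

# Interdependencies layer: each factor with the threats it gives rise to.
INTERDEPENDENCIES = (
    Interdependency("physical", "telecom data/control link (Table 1A)", (
        Threat("telecom tower smashed by a car",
               frozenset({"ISP A and ISP B share one tower", "single primary link via ISP A"}),
               "physical"),
        Threat("flood collapses the bridge carrying the fibre",
               frozenset({"fibre of both ISPs concentrated under the bridge"}), "physical"),
    )),
    Interdependency("physical", "electricity to telecom equipment (Table 1B)", (
        Threat("lightning incapacitates power generation",
               frozenset({"telecom equipment powered only by the substation"}), "physical"),
    )),
    Interdependency("cyber", "information links and WAP (Table 2A)", (
        Threat("unauthorised access via the WAP",
               frozenset({"WAP on the same network as the RTU"}), "cyber"),
        Threat("routing loop",
               frozenset({"routing protocol without loop avoidance"}), "cyber"),
    )),
    Interdependency("logical", "political and configuration factors (Table 4)", (
        Threat("cancellation of ISP operating licences",
               frozenset({"both links from private ISPs"}), "logical"),
        Threat("mis-configuration of RTU parameters",
               frozenset({"untrained operators"}), "logical"),
    )),
    Interdependency("geographic", "none found in this scenario", ()),
)

# Vulnerability layer: weaknesses the RTU and its surroundings actually exhibit.
# Assumption of this example: operators are trained, so "untrained operators" is absent.
ASSET_VULNERABILITIES = frozenset({
    "physical access to the RTU",
    "single primary link via ISP A",
    "ISP A and ISP B share one tower",
    "fibre of both ISPs concentrated under the bridge",
    "telecom equipment powered only by the substation",
    "WAP on the same network as the RTU",
    "routing protocol without loop avoidance",
    "both links from private ISPs",
})


def run_process(traditional, interdependencies, asset_vulns):
    """Walk the layers: known threats -> their vulnerabilities -> interdependencies
    -> threats arising from each factor. Returns threat name -> (origin, set of
    vulnerabilities the asset really has that the threat can exploit)."""
    register = {}
    for t in traditional:
        register[t.name] = (t.origin, t.exploits & asset_vulns)
    for dep in interdependencies:
        for t in dep.threats:
            register.setdefault(t.name, (t.origin, t.exploits & asset_vulns))
    return register


def interdependency_threats(register):
    """Threats the traditional, asset-only assessment would have missed."""
    return sorted(n for n, (origin, _) in register.items() if origin != "traditional")


def not_vulnerable(register):
    """Threats identified but not applicable: no matching vulnerability in the asset."""
    return sorted(n for n, (_, vulns) in register.items() if not vulns)


if __name__ == "__main__":
    reg = run_process(TRADITIONAL_THREATS, INTERDEPENDENCIES, ASSET_VULNERABILITIES)
    for name, (origin, vulns) in reg.items():
        print(f"[{origin:11}] {name}: {sorted(vulns) or 'asset not vulnerable'}")
```

Two points of the process show up in the output: the tower threat reaches an existing vulnerability (the single ISP A link) as well as a new one, which is the "new threat exploits an existing vulnerability" case noted above, and the mis-configuration threat is recorded but marked not applicable, which is the "a threat does not imply a vulnerability" case.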

FIGURE 5: Sample Application of the New Process Model

Figure 5 above depicts a sample application to the case study used in this paper. As demonstrated in the process model figure, it is possible to use the four layers to systematically identify threats that arise from interdependencies in critical infrastructures.

Conclusion

This paper points out the existence of critical security risks arising from interdependencies between critical infrastructures that are not readily identifiable by traditional risk identification processes. The paper conducted a systematic analysis of the interdependencies between two selected infrastructures (telecommunication and electricity) using four dimensions (logical, cyber, geographic and physical). A series of critical security risk scenarios arising from these interdependencies were identified. Commentary followed these scenarios on the likelihood that they would be identified by traditional risk assessments, and mitigation strategies were proposed. The primary contribution of this paper is the security risk analysis of the interdependencies between electricity and telecommunication infrastructures. The analysis was conducted in a systematic way using a multi-factor interdependency model and a standard set of security risks (confidentiality, integrity, availability). These scenarios can be used as the beginning of a more comprehensive checklist of risks to address in the particular case of electricity and telecommunications interdependencies. The paper then presented a simple process model designed to systematically identify risks arising from infrastructure interdependencies, including those identified by traditional security risk assessment processes. Extending the traditional risk assessment methodology to include this model will make neglecting risks arising from interdependencies less likely.


References

Ahmad, A., & Ruighaver, T. (2002). A Top-Down Approach Towards Translating Organizational Security Policy Directives to System Audit Configuration. Proceedings of the 17th IFIP TC 11 International Conference on Information Security, Cairo, Egypt, 7-9 May 2002.

Alberts, C. J., Behrens, S. G., Pethia, R. D., & Wilson, W. R. (1999). Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Framework, Version 1.0. Networked Systems Survivability Program, Software Engineering Institute, Carnegie Mellon University.

Fritzon, A., K. L., Boin, A., & Rhinard, M. (2007). Protecting Europe's Critical Infrastructure: Problems and Prospects. Journal of Contingencies and Crisis Management, 15(1), 30-41.

Brown, T., Walt, B., & Barton, D. (2006). Assessing Infrastructure Interdependencies: The Challenge of Risk Analysis for Complex Adaptive Systems.

Casalicchio, E., Setola, R., & Bologna, S. (2010). A Two-Stage Approach to Simulate Interdependent Critical Infrastructures. COMPENG 2010: Complexity in Engineering, pp. 76-78.

Chou, C., & Tseng, S. (2010). Collection and Analysis of Critical Infrastructure Interdependency Relationships. Journal of Computing in Civil Engineering, 24(6), 539-547.

Dunlevy, C. (2004). The Nexus between Cyber and Physical Security. INTERSEC, pp. 353-356.

Eusgeld, I., Nan, C., & Dietz, S. (2011). 'System-of-systems' approach for interdependent critical infrastructures. Reliability Engineering & System Safety, in press, available online 5 January 2011.

Grubesic, T. H., & Murray, A. T. Vital Nodes, Interconnected Infrastructures, and the Geographies of Network Survivability.

Hill, L. B., & Pemberton, J. M. (1995). Information Security: An overview and resource guide for information managers. ARMA Records Management Quarterly, 29(1), 125-128.

Lee, S.-W., Gandhi, R. A., & Ahn, G.-J. (2005). Security Requirements Driven Risk Assessment for Critical Infrastructure Information Systems. Paper presented at the Symposium on Requirements Engineering for Information Security (SREIS 05). Retrieved 12 September 2008.

Little, R. G. (2002). Controlling Cascading Failure: Understanding the Vulnerabilities of Interconnected Infrastructures. Journal of Urban Technology, 9(1), 109-123.

Little, R. G. (2002). Toward More Robust Infrastructure: Observations on Improving the Resilience and Reliability of Critical Systems. Proceedings of the 36th Hawaii International Conference on System Sciences (HICSS'03). Retrieved 30 December 2008.

League, S. J. (1997). Critical Infrastructure Protection - The Cyber/Information Dimension: Report on National Infrastructure Coordination Initiatives (Abstract). 13th Annual Computer Security Applications Conference (ACSAC '97). IEEE, pp. 118-120.

Lukasik, S. J., Greenberg, L. T., & Goodman, S. E. (1998). Protecting an Invaluable and Ever-Widening Infrastructure. Communications of the ACM, 41(6), 11-16.

Rothery, M. (2005). Critical infrastructure protection and the role of emergency services. The Australian Journal of Emergency Management, 20(2).

National Counter-Terrorism Committee (NCTC) (2003). Critical Infrastructure Protection in Australia. Trusted Information Sharing Network (for Critical Infrastructure Protection). URL: http://www.cript.gov.au/www/CriptHome.nsf/0/CF33E0FF183F9F56CA256CF6007C220E?OpenDocument [Accessed 27 January 2004].

National Transportation Safety Board (2008). Railroad Accident Brief (No. NTSB/RAB-04/08). Washington: NTSB.

Ratner, A. (2001, July 20). Fiber optic cables in tunnel damaged; flood knocks out phone service. Baltimore Sun. Retrieved 23 January 2009, from http://www.baltimoresun.com/news/local/bal-email19,0,2261351.story?coll=bal-home-headlines.

Relyea, H. C. (2002). E-gov: introduction and overview. Retrieved 20 February 2009.

Rinaldi, S. M., Peerenboom, J. P., & Kelly, T. K. (2001). Identifying, Understanding, and Analyzing Critical Infrastructure Interdependencies. IEEE Control Systems Magazine.

Rees, J., Bandyopadhyay, S., & Spafford, E. H. (2003). PFIRES: A Policy Framework for Information Security. Communications of the ACM, 46(7), 101-106.

Scotti, A. J. (1986). How Terrorists Choose Their Targets. In Executive Safety and International Terrorism: A Guide for Travellers. New Jersey: Prentice-Hall, pp. 32-48.

Shedden, P., Smith, W., & Ahmad, A. (2010). Information Security Risk Assessment: Towards a Business Practice Perspective. Proceedings of the 8th Information Security Management Conference (pp. 127-138), Perth, Australia: Edith Cowan University, 30 Nov - 2 Dec 2010.

Smith, A. J. (2002). Combating Terrorism. Military Review, Jan-Feb 2002.

U.S. Secretary of Energy, & Minister of Natural Resources Canada (2004). Final Report on the August 14, 2003 Blackout in the United States and Canada: Causes and Recommendations.

Wood, C. C. (1995). Writing InfoSec Policies. Computers & Security, 14, 667-674.

Zimmerman, R. (2004). Decision-Making and the Vulnerability of Interdependent Critical Infrastructure. Center for Risk and Economic Analysis of Terrorism Events, University of Southern California.

Zimmerman, R., & Restrepo, C. E. (2006). Information Technology (IT) and Critical Infrastructure Interdependencies for Emergency Response. Proceedings of the 3rd International ISCRAM Conference (B. Van de Walle & M. Turoff, eds.). Retrieved 11 December 2008.