critical energy resources and their interdependencies alain hubrecht – eccrp abu dhabi, uae –...

Critical Energy Resources and their Interdependencies

Alain Hubrecht – ECCRPAbu Dhabi, UAE – October 3-4, 2010

Workshop on Interdisciplinary Studies in Information Security and Privacy (WISSP10)

Digital Security of Critical Infrastructure Session

• Warfare is evolving, particularly to that of a cyber level

• Control systems (SCADA, DCS…) used in the oil & gas, electrical and energy sectors face new threats

• Telecommunication, banks and information flows are among other critical resources

• Important to protect these resources for the functioning of a society or economy

WISSP10 , October 3-4, 2010 2Alain Hubrecht - ECCRP

Who Am I

• Co-founder of The European Center for Critical Resources Protection (ECCRP)

• 15 years experience in Computer Aided Design and Virtual Reality

• Developed activities in vizualisation and training for complex industrial environment (power plants, electrical grids)

• Worked with leading Oil and Gas and engineering offices worldwide

• High Performance Computing expert for European Commission

• Homeland Security, Peace Support Operations and Critical Infrastructure Protection expert for NATO

• Founder of different start-ups in the IT field






Critical Energy Resources

• Related to energy production, transmission and distribution

• Oil, Natural Gas, Coal, Nuclear, … solar/wind…

3 types:

Physical assets, or anything you can touch Cyber assets (IT components) Data, or things you cannot touch






Physical Assets

• Power Plants(nuclear, coil, gas, oil)• Power Stations (400KV -> 11KV)• High Voltage Lines (400KV -> 11KV)• Refineries• NLG Terminals• Anything Offshore like FPSO, Platforms, Seabed Eq• Pipelines (Oil, Gas)• People (control room operators, engineers, “starters”, …)• Drawings (P&ID, Logical schemas, …)• etc…






Data, Intangible Assets

• Customer database

• SCADA values

• DCS historical values

• Alarm rules, super rules

• Starting Sequences (nuclear reactor, high voltage network…)

• …






Cyber Assets

• Cyber physical assets that control and process the data

• Computer hardware and IT infrastructure (servers, desktop…)

• Network Communication Links (switch, routers, firewalls)

• Specific Industrial devices (PLC, RTU, etc)

• ...

It is these assets which are covered by common cyber security threats

Attacking these assets can have an impact on physical assets and data


Internal Interdependencies

Sorting Physical Assets

• The time to repair or order a new one should be integrated in the loss of production. • Some equipments like crackers or transformers need up to one year to be reordered or manufactured.

Interdependencies

Some other components can produce disastrous domino effects.

• All components (vessels, valves, reservoir, pipes, motors, …) have to be sorted out by the impact they can have on the production in case of loss/break.

first node of interdependencies


Internal Interdependencies

Cascade effects in case of loss of production of a power plant are prevented with solutions like EuroStag, a monitoring software, continuously “sniffing” even the smallest perturbation on the network, and able to correctappearing problems very quickly, before the cascade starts its disaster.

When these assets are part of an international network, involved in an automatic balancing scheme, or integrated in a pool (deregulated market) the consequences can be more complex to handle and solve.

Some solutions exist…


External Interdependencies

A much more complex node of interdependencies however, exists between other critical infrastructures including: telecommunications, finance or transportation.

• Difficult to understand• Different Critical Infrastructure not always handled holistically• Difficult communication between all security infrastructures security initiatives• Damage of a joint attack on all Critical Infrastructures is not well understood yet


External Interdependencies

Interdependencies

Energy - Oil and Gas, Electricity

Telecommunication and Information

Banking and Finance

Water Transportation

Energy - Oil and Gas, Electricity

Highly connected and interdependent infrastructure for business and economic security

Telecommunication and Information


Banking and Finance


Water Essentials and highly dependent infrastructure for health and safety

Transportation Highly connected and interdependent infrastructure for business and economic security


So far….

• Different types of assets (Physical, Data, Cyber)

• Internal dependencies: can be sorted and understood

• External dependencies: hard to understand, not much work done

• Domino effect exists for internal and external dependencies


Europe

• Europe is in the process of developing industrial and legal framework in an attempt to prevent these resources being attacked.

• Other projects are also well on their way to understand these technologies and their implications.


Europe

Three streams of information from EU

• Council directives and reports

• Framework Program Calls from European Commission•FP7 -> ICT -> Security ->Energy

• Founded Projects


Europe

European Union

• Council Directive 2008/114/EC : “On the identification and designation of European Critical Infrastructures and the assessment of the need to improve their protection”

• Only two critical infrastructures defined:• Energy (Electricity, Oil, Gas)• Transport (Road, Rail, Air, Inland Waterways, ports)

• In comparison, the Department of Homeland Security in USA has defined 18 Critical Infrastructures and key Resources Sectors (Banking and Finance, Chemical, Energy, Transportation, Information Technology, Water, Emergency Services, Communications, …)


Europe

European Union - EPCIP

European Program for Critical Infrastructures Protection (DG Home Affairs)

•Budget: 10m€/year•Not mandatory to be transnational•Focus on policy and support scheme•2 calls since 2005, next one in November 2010

Achievements:-Discussions between countries-2008 directive (see previous page), next version in 2012-Cross sectorial group, 2006-2009, 60 experts, no results.-Question was: what are the real issues?


Europe

European Commission

• 2007-2008: Seventh Framework Program (FP7) first call

• Among others, joint call on Information and Communication Technologies Security

• Two Areas with different topics:

1. Pervasive and Trusted Network and Service Infrastructures/Critical Infrastructures Protection

2. Security Systems Integration, Interconnectivity and interoperability


Europe

Topics:

• Technology building blocks for creating, monitoring and managing secure, resilient, and always available information infrastructures that link critical Infrastructures

• ICT support for first responders in crisis occurring in Critical Infrastructures

• Optimized situational awareness through intelligent surveillance of Interconnected transport or energy infrastructures

• etc…

European Commission


Europe

European Commission

•FP7 2007-2013 (total of 6.4 billions Euros)

• Latest round (call) of financial support just released

• Multiples areas (health, food, space, nanotechnologies, …)

• Two of those areas are Security and Energy

• Call still open until 2nd of December 2010

•Under Security, two activites related to critical infrastructures:

• SEC-2011.2.2-1 : Protection of Critical Infrastructures against Electromagnetic Attacks

• SEC-2011.2.5.1 : Cyber Attacks Against Critical Infrastructures


Europe

• Project ESCoRTS (Security of Control and Real Time systems) SCADA best practice on security, cyber security tastings facilities etc

• Project VIKING Investigate SCADA vulnerability, increase awareness for CIP. Etc

• Project EURACOM Protection of energy supply for European interconnected energy networks

• Project ESTEC Assess feasibility of a European Network SCADA security test centres

• A few others national project (Ex. ASTROM, AFTER – Italy)

European Projects (UE related)


Europe

• CPNI (Center for the Protection of National Infrastructures)• United Kingdom• Works closely with counterpart centers and institutes in USA• Similar centers in Australia, Canada and NZ• Provide security advice to national infrastructures• All sort of activities around CIP• Generally, information released by CIP is closed/private

• BSI (Federal Office for Information Security)• Germany• One of their studies areas is Security of Critical Infrastructure and Internet

• EuroScie (Scada and Control System Environment)

• Switzerland

• etc…

Non UE related


NATO

• NATO Industrial Advisory Group (NIAG)• NIAG influences industrial system requirements and

development• Currently they have two researches areas:

1. Risk assessment and contingency planning for interconnected transport or energy networks

2. Modelling and Simulation for training

• CCDCOE (Cooperative Cyber Defence Centre of Excellence)• Based in Estonia, launched in 2008• Four core areas of research• One of them is Critical Information Infrastructure Protection


ECCRP

• Founded in 2009

• Will be located in an old World War II bunker in Brussels

• First center to provide security awareness and defense capabilities for these resources with the help of Virtual Reality.

• Will ensures everyone understands the risks associated with Critical Infrastructure Protection

ECCRPIT Security

Virtual Reality

Homeland SecurityIndustrial Safety


ECCRP

ElectricityWater Supply

Oil & Gas …Telecommunicatio

nBanking Information

SCADAPCN…

TDMVOIPMPLS

…

SwiftNetX.25…

WWW…

Virtual Reality, Virtual Machines and Virtual Networks

VisioSpace


ECCRP

• Combine all critical infrastructures together, not only energy (SCADA related)

• Use Virtual 3D Reality to modelize cities, countries and infrastructures

• Provide training and demonstration to both VIPs and specialists

• Best of Breed Trainings given by international experts in different fields

• Creation of an International Advisory Board

• Brussels center is a concept center. Possibility to open similar centers in other part of the world


Conclusion

• Critical Energy Resources : different types of assets

• Internal and external interdependencies

• Lots of initiatives from European Union, National Countries or NATO

• Few combine all critical infrastructures together

• ECCRP will be the first center to use Virtual Reality

• Still lots to do…


Questions

Question?

[email protected]

critical energy resources and their interdependencies alain hubrecht – eccrp abu dhabi, uae –...

Documents

critical resources important

oil gas

alain hubrecht eccrp

economy wissp10

energy sectors

data slide

energy production

critical infrastructures