cs5032 lecture 20: dependable infrastructure 2
TRANSCRIPT
CRITICAL INFRASTRUCTURE2DR JOHN ROOKSBY
IN THIS LECTURE…
More on infrastructure
Control systems
• SCADA systems
Digital Infrastructure
• The internet as infrastructure
• Resilience of the internet
CONTROL SYSTEMS
IT is used for monitoring and controlling infrastructure in many industries
• Oil and Gas• Air Traffic Controls and Railways • Power Generation and Transmission• Water Management• Manufacturing• Production Plants
Infrastructure is inherently distributed, and therefore so are the systems that control and monitor it
TYPES OF CONTROL SYSTEM
Automated system/ Programmable Logic Controllers (PLCs)
• logic embedded into components
• Often a low level building block for larger systems
Supervisory Control and Data Acquisition (SCADA)
• Extend automated systems to allow remote monitoring and control
• Data flow to other systems often automated
• Typically used where components are not in one location
Distributed Control System (DCS)
• Similar to SCADA but monitoring and control embedded across the system, and so lacks the hierarchy of SCADA
CONTROL SYSTEMS
Manufacturing Execution Systems
• Extends SCADA with batch processes
Energy Management Systems
• A type of SCADA system used for electricity management and control
Building Control Systems
• Control the lighting, heating, energy usage, and security of a building
SCADA
SCADA is normally a software package designed to display information, log data and show alarms
• Programmable logic units control infrastructure components• Data acquisition by remote terminal units• Data sent to control centre• Control Centre monitors system, and issues commands
Hardly talked about until recently, now a major concern
• Reliability• Security
SCADA SECURITYSecurity issues are arising because of a changing context
No longer able to rely on security by obscurity
• Until recently, SCADA systems were mainly proprietary.
• Now progressively reliant on standard IT technologies (Microsoft Windows, TCP/IP, web browsers, wireless technologies, etc.)
No longer able to rely on security by isolation
• Until recently, SCADA systems were isolated networks. But now: • Direct connections to vendors for maintenance, stock ordering etc.• Connected to enterprise systems, which in turn are on the Internet.• Workers connecting their laptops to the internet.• Some SCADA systems connected directly to the internet.
SCADA SECURITYInfrastructure providers very good at physical security, but often have little appreciation of IT security
Standard security tools and techniques can be used, although there are some complexities
• For example, It may not be possible to install anti-virus protection on process control systems, owing to the lack of processor power on legacy systems, the age of operating systems or the lack of vendor certification.
• Security testing on process control systems must also be approached with extreme caution – security scanning can seriously affect the operation of many control devices.
• There are sometimes few opportunities to take the systems off-line for routine testing, patching and maintenance.
SCADA DEPENDABILITY
There is a great deal of concern about the dependability of SCADA systems
• Poorly designed or engineered systems may not be reliable
• Vulnerable to cyber-attack
SCADA systems will be key targets in any cyber attack
• STUXNET
Extreme concern (paranoia?) shown by UK and USA about hackers in Russia and China
MOVING ON…
DIGITAL INFRASTRUCTUREForms of digital infrastructure
• Public and Private Cable Networks
• Mobile networks
• Satellite and broadcast services
• Data Centres
• The Internet
• Clouds
Information technology has a complex status as infrastructure. It is more complex than most, if not all other forms of infrastructure.
• Hard – physical systems
• Soft – protocols, layers of abstraction, services, etc.
• Infrastructure as “a relation” (S.L. Star)
THE INTERNET AS INFRASTRUCTURE
The internet is a key infrastructure for modern society
• Certainly critical to the economy
• Other infrastructures coming to rely on it
The internet is often taken for granted. The common assumption is that the internet is dependable.
• The myth of the “bombproof” network
• The myth of the “free/open” system
INCIDENTS
It is straightforward to divert traffic away from its proper destination by announcing invalid routes.
• 2008, Pakistan advertises invalid routes for YouTube, bringing it down for a couple hours.
• 2010, China Telecom advertises a number of invalid routes, effectively hijacking 15% of Internet addresses for 18 minutes.
Exploitation of latent bugs in BGP (Border Gateway Protocol)
• August 2010, an experiment triggers a bug in some routers, causing their neighbours to terminate BGP sessions, and for many routes to be lost.
INCIDENTSVulnerability of cables
• Undersea cables near Alexandria in Egypt were cut in December 2008.
Dependence on electrical power.
• A large power outage in Brazil in November 2009 caused significant disruption, though it lasted only four and a half hours
The internet appears to have been resilient during major disasters
• 9/11 Terror Attacks
• Hurricane Katrina
• Tohoku Earthquake
But we don’t have good information about why and how.
ENISA STUDY
Inter‐X: Resilience of the Internet Interconnection Ecosystem
Chris HallRichard ClaytonRoss AndersonEvangelos Ouzouni
ENISA STUDY
Inter‐X: Resilience of the Internet Interconnection Ecosystem
Chris HallRichard ClaytonRoss AndersonEvangelos Ouzouni
“It does appear likely that the Internet could suffer systemic failure, leading perhaps to local failures and system‐wide
congestion”
THREATSFailure of the infrastructure on which the internet depends
• Power transmission system
• Human infrastructure needed to maintain it (for example if pandemic flu causes millions of people to stay at home out of fear of infection).
Cascading technical failures
• Perhaps during changeover from IPv4 to IPv6
• Common‐mode failures involving updates to popular makes of router (or PC) may also fall under this heading.
A coordinated attack
• A capable opponent disrupts the BGP fabric by broadcasting thousands of bogus routes, either via a large AS or from a large number of compromised routers.
THREATS
Market failure
• Internet Transit may not be a viable business.
Economic issues – “The tragedy of the commons”
• Increasing resilience benefits everyone, but requires coordinated action. E.g improving BGP is costly and must be done at an individual level.
Regulatory failure
• Misinformed/over regulation, and under regulation can lead to problems (related to above two issues)
CAN WE PROTECT AND ASSURE THE INTERNET?
The fist stage of protecting and assuring any critical infrastructure is to take stock of and understand its components.
• But this is very difficult in the case of the internet.
Each AS/ISP has an NOC (Network Operation Centre) but there is no NOC for the internet as a whole
• There is no map of physical connections – their location, capacity, etc.;
• There is no map of traffic and traffic volume
• there is no map of the interconnections between ASs
WHY THE LACK OF INFORMATION?• The complexity and scale of the Internet would make this an immense
task, and potentially very costly.
• An AS level topology is possible, but we would ideally have something at the router level.
• We would ideally also like to understand interdependencies with the power network.
• The internet is constantly growing in size and evolving (e.g. the rise of CDNs)
• The routing system is dynamic, so very difficult to model.
• Some of the information is sensitive
• Gathering this information could be a security risk• The information will have commercial sensitivity, for example
traffic levels.• There is a lack of good metrics available.
RECOMMENDATIONS
The report makes four recommendations
1. We need a better understanding of failure
• Incident Investigation
• An independent body should thoroughly investigate all major incidents and report publicly on the causes, effects and lessons to be learned. Incident correlation and analysis may lead to assessment and forecast models.
• Data Collection of Network Performance Measurements
• Consistent, long-term data collection
RECOMMENDATIONS
2. Further research into resilience
• Research into Resilience Metrics and Measurement Frameworks
• Development and Deployment of Secure Inter‐domain Routing
• Research into AS Incentives that Improve Resilience
RECOMMENDATIONS
3 . The promotion of good practice
• Promotion and Sharing of Good Practice on Internet Interconnections
• Independent Testing of Equipment and Protocols• Conduct Regular Cyber Exercises on the Interconnection
Infrastructure
RECOMMENDATIONS
4. That policy makers become more engages
• Plan for transit market failure• Debate traffic prioritisation• Work towards a reliance certification scheme
KEY POINTS
Infrastructure is often controlled and monitored by IT systems
• SCADA systems are the common type
• Government organisations such as the CPNI are concerned about the vulnerability of these systems to failures and attack
Digital technologies are becoming critical infrastructure in their own right
• The Internet is becoming increasingly critical.
• The resilience of the internet is not a given.