cyber physical systems security - uranium...
With the financial support of the Prevention, Preparedness and Consequence Management of Terrorism and other Security-related Risks Programme European Commission - Directorate-General Home Affairs
URANIUM
Unified Risk Assessment Negotiation via Interoperability Using Multi-sensor data
Cyber Physical Systems Security (SECANT Security - RO)
Context
• CIs are complex systems with nonlinear behavior
• Physical security is still very important
• Physical security is no longer limited to guards and a few small alarm systems; it is increasingly integrated with IT&C networks and applications and is becoming recognized as a generator of big data for the organization.
• Technological integration of physical and cyber security
• Modern security models integrate physical security with information and cyber security, with personal security and even with the control of some operational risks
Physical Security Evolution
• Physical security is the center of attention in almost every element of protecting government facilities, business enterprises, and even public gatherings
• Physical security elements could be looked at in four categories:
  • Physical obstructions that are used to impede access to facilities or assets
  • Sensors that can warn us of attempts to penetrate our defenses at the perimeter or can protect high-value assets
  • Guards and other human assets that detect threats, impede access, and respond
  • Command and control facilities that tie together these defensive methods and assist in the orderly response to particular threats and attacks
• A trend toward a security society
Intelligence
• Impossible to “secure” all of the critical components
• The basic elements of fully secured enterprise operations:
  • sound, comprehensive enterprise protection architecture augmented by a schema of well-documented, well-understood, and routinely practiced business processes;
  • rigorous system for the detection, analysis of, and, when appropriate, alert to and protection from threats to enterprise operations and systems;
  • ability to sustain continuity of operations during any conceivable threat;
  • rapid recovery mechanisms to restore full operations once a threat is controlled;
  • ability to analyze and apply forensics to determine what happened when an incident occurs and to incorporate lessons learned to improve future risk mitigation processes.
• Intelligence plays a key role in resilience management
Correlating operational and physical security information in power systems substation monitoring (I)
• Remote monitoring provides near-real-time security information
• Remote monitoring of assets can bring benefits:
  • synergies between primary system monitoring and security monitoring - health and operational data from the primary system equipment and the communications system devices can provide significant security information. Vice versa, security equipment can provide maintenance information;
  • economies of scale in combining system monitoring - combining the remote monitoring of the three systems can increase the reliability and effectiveness of all three while also minimizing the direct costs associated with implementing the security measures;
  • security solutions enhanced by increased monitoring.
Correlating operational and physical security information in power systems substation monitoring (II)
• The need for physical security of substations is becoming more urgent
• As the criticality of assets shifts in response to changing power system conditions, remote monitoring of security can be added less expensively
• Some less critical security categories may use remote monitoring as the primary means
Inclusion of Remote Monitoring in Security Categories
• It is virtually impossible to fine-tune security solutions so that they 'just' meet the security requirements of each individual substation
• Different categories of security risks can be developed, and substations can be assigned to these different categories
• Remote monitoring can include:
  • Monitoring of specific security equipment.
  • Monitoring of the power system characteristics.
  • Monitoring of the Intelligent Electronic Devices (IEDs).
  • Monitoring the computer and communications equipment in the substations.
Primary / Secondary and Physical Systems Monitoring
[Figure: Primary system monitoring; Secondary systems monitoring; Physical Security systems monitoring]
Remote monitoring used in security
• Monitoring power system and communications equipment for intrusion is as important as monitoring substation facilities.
• Monitoring the equipment could permit system operators to take preventive actions on the power system to mitigate the actions of attackers if the nature and extent of attacks are understood
• Remote monitoring of certain types of attacks can help avoid or minimize the impact of these attacks. This could include:
  • monitoring for (unauthorized) physical removal of equipment
  • monitoring for (unauthorized) turning equipment on or off
  • monitoring for (unauthorized) resetting equipment
  • monitoring for status and health of power system equipment, the control equipment, and the secondary communication systems used to access the control equipment
  • monitoring for status and health of remote monitoring equipment
Physical Security Risk Management
• Physical security - preventing physical access to assets that is intended to negatively impact them;
• There are different ways to impact an asset (steal, disturb, destroy, indispose, disclose etc.) and different ways to prevent an attack from succeeding;
• Physical security risk management represents best practice today and could generally result in an optimal system of controls that combines deter, detect, delay, intervene and reject:
  • Automated installations provide information on an attacker's presence and actions as the attack develops, notify key actors and initiate actions to delay and/or reject the attack;
  • Installations are dimensioned based on risk assessment and attack scenario estimation for each risk that is unacceptable, and could provide information about attack initiation, stage, and control, and could even be a basis for estimating the attack success likelihood;
  • Holistic evaluation of attack scenarios and risks could result in an aggregate risk indicator for each critical asset; as the aggregate risk indicator increases, gradual controls could become active and information could be fed into a more general risk table.
SANDIA’s threat analysis framework
A six-step process is used:
• Create an adversary sequence diagram (ASD) for all asset locations.
• Perform a scenario analysis.
• Conduct a path analysis, which provides PA (likelihood of attack) and PI (probability of interruption of service).
• Determine system effectiveness, PE (probability the security system is effective against attack).
• Complete a neutralization analysis, if appropriate, which provides PN (probability of neutralisation).
• If system effectiveness (or risk) is not acceptable, draw up recommendations and perform upgrades.
Risk Equation for the Malevolent Threat
R = PA * (1 - PE) * C
where:
• R = risk associated with the adversary attack;
• PA = likelihood of the attack (threat potential);
• PE = probability the security system is effective against the attack; protection system effectiveness in meeting its protection objectives;
• (1 - PE) = probability that the adversary attack is successful, causing undesired events (also, the probability that the security system is not effective against the attack); vulnerability; and
• C = consequence of loss.
Early warning in physical security
• Assessment of the physical security effectiveness of an organization basically relies on the evaluation of the attack probability (PA) and the capability of the physical security system to interrupt that attack (PI)
• There are two important parameters that characterize an attack: real-time detection probability and success probability
• Apart from this “classical” approach a new way may be foreseen: the physical security early warning
• Why?
  • To avoid an attack (so avoiding undesired consequences and unnecessary costs);
  • To gain valuable time to better prepare a response to an attack;
  • To sustain and contribute to raising the security level and the overall physical security awareness;
  • To prevent subsequent consequences;
  • To use alternative operational solutions.
• How?
  • By evaluation and identification of the critical assets and setting warning scope and indicators;
  • By monitoring and periodical assessment of the existing physical security system;
  • By “listening” for additional data;
  • By data merging and providing early warnings.
Early warning in physical security
• Once identified, each critical asset is analyzed in order to establish:
  • the attack sequences identification
  • the existing physical security controls description
  • the attack sequence and control matching
  • scroll indicator of the sequence
  • attack success likelihood
[Flowchart boxes: Assets identification; Assets classification; Physical Security System Design & Implementation; Physical Security System Monitoring / Assessment; decision "Attack success likelihood in limit? (PE = ?)" with YES / NO branches; Issue Early Warning]
• The outcomes of the Physical Security Systems (PSS) early warning mechanism are:
  • physical security pre-alerts/warnings for the relevant stakeholders;
  • requirements for system design updates in order to cope with current or expected threats;
  • requirements for re-evaluation and identification of the critical assets;
  • updates of the warning thresholds.
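The SANDIA risk equation and the "Attack success likelihood in limit? (PE = ?)" check from the early-warning flow, worked through as an added example that is not part of the original slides. It goes beyond the slides by computing PI with the usual timely-detection rule and by taking PE = PI * PN; the path elements, probabilities, response time and PE limit are constructed values.

```python
from dataclasses import dataclass

@dataclass
class PathElement:
    name: str
    p_detect: float  # probability this element's sensor detects the adversary
    delay_s: float   # delay this element imposes on the adversary, in seconds

def p_interruption(path, response_time_s):
    """PI: a detection counts only if the delay still ahead of the adversary
    is at least the response time (timely detection).
    Assumption: detection happens on arrival at an element, before its delay."""
    remaining = sum(e.delay_s for e in path)
    p_all_missed = 1.0
    for e in path:
        if remaining < response_time_s:
            break  # past the critical detection point: too late to respond
        p_all_missed *= 1.0 - e.p_detect
        remaining -= e.delay_s
    return 1.0 - p_all_missed

def risk(p_a, p_e, consequence):
    """R = PA * (1 - PE) * C, as given on the slide."""
    return p_a * (1.0 - p_e) * consequence

def assess(path, response_time_s, p_a, p_n, consequence, pe_limit):
    p_i = p_interruption(path, response_time_s)
    p_e = p_i * p_n  # assumption: PE = PI * PN (not stated on the slides)
    return {"PI": p_i, "PE": p_e, "R": risk(p_a, p_e, consequence),
            "early_warning": p_e < pe_limit}

# Constructed substation path, outermost element first; values are illustrative.
BASELINE = [PathElement("perimeter fence", 0.5, 30),
            PathElement("control building door", 0.8, 60),
            PathElement("relay cabinet", 0.9, 90)]
# Same path after remote monitoring reports the door sensor as failed.
DEGRADED = [PathElement("perimeter fence", 0.5, 30),
            PathElement("control building door", 0.0, 60),
            PathElement("relay cabinet", 0.9, 90)]
PARAMS = dict(response_time_s=120, p_a=0.5, p_n=0.9,
              consequence=1.0, pe_limit=0.7)

if __name__ == "__main__":
    for label, path in (("baseline", BASELINE), ("door sensor failed", DEGRADED)):
        print(label, assess(path, **PARAMS))
```

The relay cabinet sensor never contributes to PI here: by the time the adversary reaches it, only 90 s of delay remain against a 120 s response time, so the loss of the door sensor alone drops PE below the limit and raises the warning.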
Early warning in distributed security systems - a System-of-Systems approach
• “System of systems” refers to a collection of systems, each dedicated to a task, which by combining their resources and capabilities lead to a more complex system that gives more functionality and performance than the sum of the constituent systems
• In a Physical Security Systems - SoS approach, each of the component PSS operates independently and is a data source for the SoS as well as a data receiver
• Beyond the individually reported data (alarms, incident information etc.), collected and processed in order to build a common operational picture, additional information, which locally may not be critical, will be collected and may become critical at the SoS level
• Starting from a super-set of critical assets to be protected and an associated set of in-place physical security measures, emerging new properties of the global SoS may produce new data valuable for early warnings
[Figure: component systems feeding a PSS - SoS Bridge:
PSS 1: asset 1;1, asset 1;2 … asset 1;n
PSS 2: asset 2;1, asset 2;2 … asset 2;n
PSS 3: asset 3;1, asset 3;2 … asset 3;n
PSS m: asset m;1, asset m;2 … asset m;n
Flowchart boxes: Physical Security System Monitoring / Assessment; decision "Attack success likelihood in limit? (PE = ?)" with YES / NO branches; Thresholds updates; Issue Early Warning; Stakeholders; Design and operational updates recommendations]
Conclusions
• Physical Security Systems information could improve the general operational risk picture
• Correlation of Physical Security, Cyber Security and Operational Information improves CI security and reduces costs
• The Adversary Sequence Diagram could be used for early warning of an attack
• A System of Systems approach could be used for a CI Security Early Warning System
[Figure labels: TA; CISIApro DSS; sensors; District Emergency Control room; Demand/Response Control room; Risk Visualization]
THANK YOU
SECANT Security Company 15, Poiana Florilor Street, Ap.9, District 4, Bucuresti, Romania Phone.: 031 432 8215; Fax.: 031 432 8216