The IRRIIS Project and the protection of computerised critical infrastructures
ANIPLA
Study day “Security in control and automation systems, in networks and infrastructures”
Milan, 26 June 2007
Sandro Bologna
Claudio Balducelli
GdS: “Security in control and automation systems, in networks and infrastructures”
San Felice (MI), 26 June 2007 - Page 1
IRRIIS
IRRIIS Focus
Dependencies / Interdependencies
• Information and Communication Technology (ICT) underpins all LCCIs
• (Inter-)Dependencies between LCCIs are not well understood up to now
• Danger of cascading, escalating or common cause failures
IRRIIS Focus
• Dependencies between critical infrastructures, especially electricity & telecommunication
• Modelling and simulation of systems of critical infrastructures
• Enabling cross-sector, cross-border communication between critical infrastructures
• Risk assessment and mitigation regarding dependencies
IRRIIS Partners
Technology Provider
• Alcatel-Lucent, France
• Siemens AG, Germany
• Advanced Industrial Systems Ltd., Malta
LCCI Stakeholder
• Gruppo Telecom Italia
• Red Eléctrica de España, Spain
• ACEA, Italy
Consultant & Service Provider
• Industrieanlagen-Betriebsgesellschaft mbH, Germany
• Aplicaciones en Informática Avanzada, Spain
• Fraunhofer Institute Intelligent Analysis and Information Systems, Germany
• Fraunhofer Institute Secure Information Technology, Germany
• Technical Research Centre of Finland
Research Partners
• Italian National Agency for New Technology, Energy and the Environment
• École Nationale Supérieure des Télécommunications, France
• Centre for Software Reliability at City University London, Great Britain
• Technical University Dresden, Germany
• Netherlands Organisation for Applied Scientific Research
MIT Introduction
• MIT is a software system aiming at enhancing the availability and survivability of LCCIs by mitigating dependency and interdependency effects.
• Communication Components.
• Add-On Components.
• Other software resources (Databases, GUI, Configuration Files, Run-Time Environment, etc.)
ITALY BLACK-OUT September 2003
Event tree from UCTE report
NETWORK STATE OVERVIEW & ROOT CAUSES
[Figure: event tree combining network states, events and root causes through AND gates; the text recovered from the diagram is listed below]
Network states and events:
• Pre-incident network in n-1 secure state
• 1st tree flashover, line tripping
• Network in (n-1) state with short-term 15’ allowable overload
• 2nd tree flashover, line tripping
• Network in (n-2) state with excessive overload of remaining lines
• Separation of Italy from the UCTE main grid
• Italy disconnected
• Tripping of many power units
• Island operation fails due to unit tripping
Durations shown: 24 min.; 1-2 min.
Root causes:
• 1: Unsuccessful reclosing of the Lukmanier line because of a too high phase angle difference
• 2: Lacking a sense of urgency regarding the San Bernardino line overload and call for inadequate countermeasures in Italy
• 3: Angle instability and voltage collapse in Italy
Legend: Safe network state; Endangered network state; Disturbed network state; Collapsed network; Event; Root cause

Roma Mini TELCO Black-out January 2004
NETWORK STATE OVERVIEW & ROOT CAUSES
[Figure: event tree combining network states, events and root causes through AND gates; the text recovered from the diagram is listed below]
Network states and events:
• Pre-incident TELCO network in secure state
• Trip of main power supply
• Loss of power supply
• Station continues working with decreased battery autonomy
• Many external Telco services go down, as the ACEA data links between control centers
• The normal power supply from ACEA was restarted
• Damaged equipment replaced
• Telco services restart
• Return to normal state
Durations shown: 4 hours; 90 min.
Root causes:
• 1: Flood in the apparatus room of the Telco SGT station. UPS starts from batteries
• 2: The battery autonomy finished as the Fire Brigade was not able to eliminate water in time.
• 3: The full functionality of the SGT station is restored
Legend: Safe network state; Endangered network state; Disturbed network state; Collapsed network; Event; Root cause

Control Room with MIT WorkStation
[Figure labels: LCCI 1 Control Room with MIT WorkStation; LCCI 2 Control Room with MIT WorkStation]
MIT integration with existing SCADA systems
[Figure labels: IRRIIS Inter-LCCI Communication Highway; LCCI 1; LCCI 2]
MIT Add-On Components Functional Requirements
• DETECT AS EARLY AS POSSIBLE the anomalous status and NOTIFY it to the dependent infrastructures.
• PROVIDE EARLY WARNING of deteriorating system conditions to internal and/or external LCCI operators.
• ESTIMATE the probability of disruption of its own LCCI and NOTIFY it to the dependent infrastructures.
MIT Add-On Components Requirements
• ASSESS the RISK to its own infrastructure based on information about neighbouring status.
• PREVENT incidents to mitigate cascading effects on dependent infrastructures.
• HANDLE THE EMERGENCY if needed by negotiating coordinated actions.
Overall MIT architecture
MIT Add-On Components
• Internal Assessment
– Tool to extract LCCI functional status
• Risk Assessment
– Risk Estimator
– Incident Knowledge Analyser
• Emergency Management
– Assessment of cascading/escalating effects
– Display of Emergency Management Procedures
– Negotiator
Internal Assessment functions
• Information extraction and fusion from different existing tools and SCADA databases.
• Use the previous information to evaluate the current functional status of the LCCI.
• Predict the possible future states, based on the current state and the future scheduled events.
Internal Assessment Workflow
[Figure: workflow diagram. Labels: Monitoring tools; Monitoring data; Monitoring alarms; Scheduled events; Scheduled Events DB; Data Collection; Translation; Data Analysis; Alarm analysis; Functional status calculation; Status prediction; Tools interfacing; Data Output; MIT GUI; SMD; AMA; SE; CFS; NFFS; IFI; RE]
Legend:
• SMD: Standardised Monitoring Data
• AMA: Analysed Monitoring Alarms
• SE: Scheduled Events
• CFS: Current Functional Status
• NFFS: Near Future Functional Status
• IFI: Information Filtering
• RE: Risk Estimator

Internal Assessment Benefits
• Provide the local operator with a single picture of the current and future internal LCCI state, allowing him to enable or disable information sharing with the neighbouring LCCIs.
• Provide input for neighbouring LCCIs about the local infrastructure status.
• Provide input for neighbouring LCCIs about the future predicted infrastructure states.
Incident Knowledge Analyser functions
• It will be able to assess and fuse information from multiple databases containing past incidents.
• It will check immediately whether on-going failures have been reported as causes of major incidents in the past.
• It will extract possible known cascading effects of on-going failures.
• It will store new incidents.
Incident Knowledge Analyser
[Figure: incident graph with edges labelled by fractions (1/1, 1/2, 1/7, 4/4, 7/7). Node labels: Rabbits; dogs; Power short in 150KV-10KV transformer station; switch room for high voltage destroyed; fire; trains affected; no power locally; households affected; fire in distribution station; High temperature; weakening of cables; outage of antennas; no mobile phone]
Incident record shown:
Rabbit or dogs makes power short in 150KV-10KV transformer station. 10000 households affected. | local, medium impact in the Eindhoven area | happenend in: Veldhonen (Netherland), started 2003-08-13 at 13:00, ended 2003-08-13 at 18:00
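An added example (not part of the original slides or of the IRRIIS software) of the four Incident Knowledge Analyser functions listed above: fusing incident databases, checking an on-going failure against past incidents, extracting known cascading effects and storing new incidents. The record layout, the class and method names and the reading of a fraction as "times the effect was observed / incidents containing the failure" are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample records: each past incident is an ordered chain of
# events, as two hypothetical operator databases might store them.
POWER_DB = [
    {"id": "P-1", "chain": ["animal intrusion", "power short in transformer station",
                            "no power locally", "households affected"]},
    {"id": "P-2", "chain": ["high temperature", "weakening of cables",
                            "fire in distribution station", "no power locally"]},
]
TELCO_DB = [
    {"id": "T-1", "chain": ["no power locally", "outage of antennas", "no mobile phone"]},
    {"id": "T-2", "chain": ["no power locally", "trains affected"]},
]


class IncidentKnowledgeBase:
    def __init__(self, *databases):
        self.incidents = {}
        for db in databases:          # fuse several sources, de-duplicating by id
            for rec in db:
                self.store(rec)

    def store(self, rec):
        """Store a new incident, normalising event names for matching."""
        self.incidents[rec["id"]] = [e.strip().lower() for e in rec["chain"]]

    def known_cause(self, failure):
        """Ids of past incidents in which `failure` was followed by further events."""
        f = failure.strip().lower()
        return sorted(i for i, c in self.incidents.items() if f in c[:-1])

    def cascading_effects(self, failure):
        """Map each downstream effect to (times observed, incidents with failure)."""
        f = failure.strip().lower()
        seen, total = defaultdict(int), 0
        for chain in self.incidents.values():
            if f in chain:
                total += 1
                for effect in set(chain[chain.index(f) + 1:]):
                    seen[effect] += 1
        return {e: (n, total) for e, n in seen.items()}
```

A failure reported by one operator ("no power locally") is matched against incidents recorded by another, which is the cross-LCCI warning the slides describe.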
Incident Knowledge Analyser Benefits
• Each LCCI operator can make the most of the available knowledge about all the known disruptions, being warned if an on-going failure already happened in the past and led to disruption of operation, even if that occurred in other LCCIs (not every LCCI will have experienced the same failures and the related disruptions).
• LCCIs can make the most of findings from other sources, for example research or training outcomes.
Risk Estimator functions
• Reasoning about the states of processes and services, mainly focusing on the services to be exchanged with other LCCIs.
• Estimating the levels of risk associated with service exchanges with other LCCIs.
• Working on a service-process model of the LCCIs by making use of a fuzzy rule-based mechanism.
Visualisation of the levels of risks associated to the services
[Figure panels: LCCI internal state estimation; After external & internal states correlation]
Risk Estimator workflow and relations with other add-on components
[Figure: workflow diagram. Labels: INPUTS; Internal status table; External status table; Historical status facts; IA; ISR; IKA; INTELLIGENCE; Current State DB; Estimated State DB; Rule Based Correlation Module; Expert Rules DB; Rule Editor; OUTPUTS; Maps of Risks; GUI; DEMP]
LEGEND
• IA: Internal Assessment
• ISR: Information Subscriber & Reader
• IKA: Incident Knowledge Analyser
• DEMP: Display of Emergency Management Procedures
• GUI: Graphical User Interface
Risk Estimator Benefits
• Make operators more aware of the global LCCI state, correlating local LCCI and external LCCI states.
• Give LCCI operators schematic pictures highlighting the potential risk of losing internal and external services.
• Improve coordination between the LCCI operator and the neighbouring LCCIs.
Proposed DEMONSTRATION Logic Set up
[Figure: demonstration set-up. Labels: Simulation environment (SimCIP); Real environment (SCADA systems); Agent / Scenario Behaviours; GUI; Logger; Fault / Attack Tool; LAMPSSys RTI; Electricity Simulator; Telecom Simulator; Tool 1; Tool 2; Analysis 1; Analysis 2; Analysis 3; MIT LCCI 1; MIT LCCI 2; Middleware; Communication Component; Add-on Component; LCCI 1 Data; LCCI 2 Data. Legend: communication in the real environment; communication in the simulated environment]
Proposed TESTBED Physical Configuration
[Figure: testbed configuration. Labels: MIT 1; Electrical LCCI; MIT 2; TeleCommunication LCCI; SimCIP; Electricity Simulator; Com Simulator; Tool 1; Tool 2; Analysis 1, 2, 3 ..; Logger; GUI; Fault / Attack Tool; LAMPSSys RTI; Agent / Scenario Behaviours; LCCI Data]