IN THIS LECTURE…More on infrastructureControl systems• SCADA systemsDigital Infrastructure• The internet as infrastructure• Resilience of the internet
CONTROL SYSTEMSIT is used for monitoring and controlling infrastructure in manyindustries • Oil and Gas • Air Traffic Controls and Railways • Power Generation and Transmission • Water Management • Manufacturing • Production Plants Infrastructure is inherently distributed, and therefore so are the systems that control and monitor it
TYPES OF CONTROL SYSTEMAutomated system/ Programmable Logic Controllers (PLCs)• logic embedded into components• Often a low level building block for larger systemsSupervisory Control and Data Acquisition (SCADA)• Extend automated systems to allow remote monitoring and control• Data flow to other systems often automated• Typically used where components are not in one locationDistributed Control System (DCS)• Similar to SCADA but monitoring and control embedded across the system, and so lacks the hierarchy of SCADA
CONTROL SYSTEMSManufacturing Execution Systems• Extends SCADA with batch processesEnergy Management Systems• A type of SCADA system used for electricity management and controlBuilding Control Systems• Control the lighting, heating, energy usage, and security of a building
SCADASCADA is normally a software package designed to displayinformation, log data and show alarms • Programmable logic units control infrastructure components • Data acquisition by remote terminal units • Data sent to control centre • Control Centre monitors system, and issues commandsHardly talked about until recently, now a major concern • Reliability • Security
SCADA SECURITYSecurity issues are arising because of a changing contextNo longer able to rely on security by obscurity• Until recently, SCADA systems were mainly proprietary. • Now progressively reliant on standard IT technologies (Microsoft Windows, TCP/IP, web browsers, wireless technologies, etc.)No longer able to rely on security by isolation• Until recently, SCADA systems were isolated networks. But now: • Direct connections to vendors for maintenance, stock ordering etc. • Connected to enterprise systems, which in turn are on the Internet. • Workers connecting their laptops to the internet. • Some SCADA systems connected directly to the internet.
SCADA SECURITYInfrastructure providers very good at physical security, but often havelittle appreciation of IT securityStandard security tools and techniques can be used, although thereare some complexities • For example, It may not be possible to install anti-virus protection on process control systems, owing to the lack of processor power on legacy systems, the age of operating systems or the lack of vendor certification. • Security testing on process control systems must also be approached with extreme caution – security scanning can seriously affect the operation of many control devices. • There are sometimes few opportunities to take the systems off- line for routine testing, patching and maintenance.
SCADA DEPENDABILITYThere is a great deal of concern about the dependability ofSCADA systems• Poorly designed or engineered systems may not be reliable• Vulnerable to cyber-attackSCADA systems will be key targets in any cyber attack• STUXNETExtreme concern (paranoia?) shown by UK and USA abouthackers in Russia and China
DIGITAL INFRASTRUCTUREForms of digital infrastructure• Public and Private Cable Networks• Mobile networks• Satellite and broadcast services• Data Centres• The Internet• CloudsInformation technology has a complex status as infrastructure. It ismore complex than most, if not all other forms of infrastructure.• Hard – physical systems• Soft – protocols, layers of abstraction, services, etc.• Infrastructure as “a relation” (S.L. Star)
THE INTERNET ASINFRASTRUCTUREThe internet is a key infrastructure for modern society• Certainly critical to the economy• Other infrastructures coming to rely on itThe internet is often taken for granted. The common assumptionis that the internet is dependable.• The myth of the “bombproof” network• The myth of the “free/open” system
INCIDENTSIt is straightforward to divert traffic away from its properdestination by announcing invalid routes.• 2008, Pakistan advertises invalid routes for YouTube, bringing it down for a couple hours.• 2010, China Telecom advertises a number of invalid routes, effectively hijacking 15% of Internet addresses for 18 minutes.Exploitation of latent bugs in BGP (Border Gateway Protocol)• August 2010, an experiment triggers a bug in some routers, causing their neighbours to terminate BGP sessions, and for many routes to be lost.
INCIDENTSVulnerability of cables• Undersea cables near Alexandria in Egypt were cut in December 2008.Dependence on electrical power.• A large power outage in Brazil in November 2009 caused significant disruption, though it lasted only four and a half hoursThe internet appears to have been resilient during major disasters• 9/11 Terror Attacks• Hurricane Katrina• Tohoku EarthquakeBut we don’t have good information about why and how.
ENISA STUDY Inter‐X: Resilience of the Internet Interconnection Ecosystem Chris Hall Richard Clayton Ross Anderson Evangelos Ouzouni
ENISA STUDY Inter‐X: Resilience of the Internet Interconnection Ecosystem Chris Hall Richard Clayton Ross Anderson Evangelos Ouzouni “It does appear likely that the Internet could suffer systemic failure, leading perhaps to local failures and system‐wide congestion”
THREATSFailure of the infrastructure on which the internet depends• Power transmission system• Human infrastructure needed to maintain it (for example if pandemic flu causes millions of people to stay at home out of fear of infection).Cascading technical failures• Perhaps during changeover from IPv4 to IPv6• Common‐mode failures involving updates to popular makes of router (or PC) may also fall under this heading.A coordinated attack• A capable opponent disrupts the BGP fabric by broadcasting thousands of bogus routes, either via a large AS or from a large number of compromised routers.
THREATSMarket failure• Internet Transit may not be a viable business.Economic issues – “The tragedy of the commons”• Increasing resilience benefits everyone, but requires coordinated action. E.g improving BGP is costly and must be done at an individual level.Regulatory failure• Misinformed/over regulation, and under regulation can lead to problems (related to above two issues)
CAN WE PROTECT AND ASSURETHE INTERNET?The fist stage of protecting and assuring any critical infrastructureis to take stock of and understand its components.• But this is very difficult in the case of the internet.Each AS/ISP has an NOC (Network Operation Centre) but there isno NOC for the internet as a whole• There is no map of physical connections – their location, capacity, etc.;• There is no map of traffic and traffic volume• there is no map of the interconnections between ASs
WHY THE LACK OFINFORMATION?• The complexity and scale of the Internet would make this an immense task, and potentially very costly. • An AS level topology is possible, but we would ideally have something at the router level. • We would ideally also like to understand interdependencies with the power network.• The internet is constantly growing in size and evolving (e.g. the rise of CDNs)• The routing system is dynamic, so very difficult to model.• Some of the information is sensitive • Gathering this information could be a security risk • The information will have commercial sensitivity, for example traffic levels.• There is a lack of good metrics available.
RECOMMENDATIONSThe report makes four recommendations1. We need a better understanding of failure• Incident Investigation • An independent body should thoroughly investigate all major incidents and report publicly on the causes, effects and lessons to be learned. Incident correlation and analysis may lead to assessment and forecast models.• Data Collection of Network Performance Measurements • Consistent, long-term data collection
RECOMMENDATIONS2. Further research into resilience • Research into Resilience Metrics and Measurement Frameworks • Development and Deployment of Secure Inter‐domain Routing • Research into AS Incentives that Improve Resilience
RECOMMENDATIONS3 . The promotion of good practice • Promotion and Sharing of Good Practice on Internet Interconnections • Independent Testing of Equipment and Protocols • Conduct Regular Cyber Exercises on the Interconnection Infrastructure
RECOMMENDATIONS4. That policy makers become more engages • Plan for transit market failure • Debate traffic prioritisation • Work towards a reliance certification scheme
KEY POINTSInfrastructure is often controlled and monitored by IT systems• SCADA systems are the common type• Government organisations such as the CPNI are concerned about the vulnerability of these systems to failures and attackDigital technologies are becoming critical infrastructure in theirown right• The Internet is becoming increasingly critical.• The resilience of the internet is not a given.