Key challenges for Critical Information Infrastructure Protection
Main Problem areas and (inter)dependencies between Critical Infrastructures

1st IRRIIS Workshop, Sankt Augustin, April 26th, 2006
Tatiana Roubinchtein, Mechthild Stöwer

Vulnerability of Critical Infrastructures
• Blackout America North East, August 2003
• Blackout Italy, September 2003
• Crashing of French GSM network, November 2004

Multiple Events – similar patterns
• Multiple interacting contingencies
• Low probability event sequence - very difficult to predict
• Failures of monitoring, control and protection equipment cause cascading events

Specific causes
• Italian blackout: cross border problem
• US blackout: inadequate setting of backup line protection equipment
• French GSM Network crash: failed software update

Economical/political problems
• High degree of business interdependencies
• Market restructuring – liberalisation, privatisation, increase of competition; conflicting stakeholders' interests (e.g. private companies, public interests)
• Cost-pressure
• Offshore reliance
• Increasing demand/network loads
• Insufficient political awareness regarding vulnerabilities of CI
• Lack of public research

Organisational problems
• Missing appropriate business models
• Lack of appropriate risk assessment models
• Lack of appropriate security policies including different (inter)dependent CIs
• Insufficient information sharing
• Insufficient skills of personnel

Technological problems induced by market forces
• Heterogeneous hardware infrastructure
  - Out-dated legacy system
  - Insufficient hardware performance
• Transfer of monitoring/control information via public networks
• Usage of open, publicly available network protocols and standards
• Increasing use of Commercial-off-the-Shelf (COTS) solutions
• (Poorly designed) Connections between control systems and enterprise networks

Technological problems induced by technological evolution
• Complexity of the new technologies requires appropriate management procedures
  - Non-transparent network systems
  - Heterogeneous hardware infrastructure
  - Mix of software solutions
• Complexity of the new technologies causes new vulnerabilities
  - Upgrades hard to retrofit to legacy systems
  - Quality of COTS often insufficient

Technological problems induced by new risk factors
• Transfer of monitoring/control information via public networks
• No use of appropriate encryption systems for information transfer and storage
• Usage of proprietary network protocols and standards
• Insecure wireless LANs in use
• Missing appropriate authentication procedures
• Missing appropriate software certification
• SCADA and DCS security tools often have “back-door” system access and other known vulnerabilities
• Unpatched components on the PC/SCADA networks

Deficits within appropriate standard frameworks
• Missing appropriate network models reflecting interdependencies within a CI and other CIs
• No consistent cyber security standards
• Hard to specify and evaluate threats
• Lack of unified mathematical framework with robust tools for modelling, simulation, control and optimisation of time-critical operations

Points to be discussed
• List of technology problems comprehensive? (missing issues?)
• Prioritisation of problem areas
• Approaches of technology providers and operators to solve the problems? Significant gaps?
• Approaches to solve modelling issues
• Evaluation of standardisation activities