Secure Critical National Infrastructures

1.1.1 Problem

Interconnection through digital communication networks is today of primary importance in many distributed, heterogeneous environments where people and things, besides services and data, have to be protected against injury and damage. This is the case, for instance, of critical infrastructures for energy, gas and water distribution, transportation systems and air traffic control, but, with different characteristics, the same is also true of other application domains, such as Industrial Process Measurement and Control (IPCM), Supervisory Control and Data Acquisition (SCADA), Distributed Control (DC), Metering, Monitoring and Diagnostic (MMD), Networked Electronic Control and Sensing (NECS) and Distributed Automation (DA) systems.

Although peculiarities can be identified for each scenario (and network), a set of common security characteristics exists that allows us to consider these systems as belonging to a single broad class. With a slight abuse of terminology, we will call this class either Industrial Networks or Industrial Automation and Control Systems (IACSs) in the following.

Figure 1

In the past, IACSs were mainly conceived as isolated systems. Nowadays, because of the ever-growing demand for ubiquitous computing services and location-independent access to ICT resources, they are more and more connected to all kinds of Desktop and Business Computing Systems (DBCS) and often to the Internet, as Figure 1 shows for a typical situation.

In the picture, the IACS communication infrastructure (the three rightmost blocks) reaches the Internet through a DBCS network: dashed lines inside each block may represent different kinds of media (e.g., Ethernet cables, phone lines, fiber optics, radio and WiFi links) and the corresponding equipment (routers, gateways, modems, access points and so on). The key point, however, is that the IACS infrastructure is directly interfaced to a physical system (the controlled process, automation plant and so on) through its sensors and actuators, whereas a DBCS is not: a security failure in the IACS can therefore have physical consequences, not only informational ones.

The traditional isolation of IACSs, together with characteristics such as the widespread adoption of special-purpose proprietary hardware (h/w), software (s/w) and applications, was often enough to keep them out of reach of the serious security problems affecting ICT infrastructures (security by isolation and obscurity). In a modern scenario such as that of Figure 1, instead, interconnections must be carefully managed, since accessibility and openness, besides bringing many appealing advantages, also expose legacy IACSs to the same security threats usually experienced by DBCS; obscurity is no longer a barrier once a device is reachable and its protocol is documented.

Despite the fact that they often share similar interconnection and communication technologies, IACSs and DBCS also exhibit deep differences that cannot be ignored when dealing with their security. Table 1 summarizes the main aspects that are relevant here and have to be taken carefully into account in both the design and the management of such systems.

Table 1: Main differences between DBCS and IACS

1.1.2 Goal and objectives

This project aims at providing a holistic approach to implementing the three well-known lines of defense depicted in Figure 2. All these lines require both offline activities (design and analysis) and runtime activities (operation and monitoring), as well as their integration, i.e. their joint management. All these activities rely on data that must be gathered from the running system to feed the analysis and design tools, whose output is in turn transferred back to the real system as configuration changes and updates, as Figure 2 highlights. This closes a loop that is tightly related to the data sharing and situation awareness topics addressed in a previous section.

Moreover, as Table 1 states, IACSs often rely on devices with scarce resources while also having real-time requirements. These conflicting constraints must be taken into account before adding security controls, whether in software or in hardware: their performance must be carefully evaluated to guarantee that they do not compromise functional requirements (e.g., control-loop cycle times).

On the real-system side, monitoring tools and infrastructures are also needed for the early detection of deviations from the expected behavior, anomalies and attacks. In summary, the following three research lines will be addressed (Figure 3):

  1. analysis tools running on system models, possibly extracted from the running counterpart;
  2. runtime monitoring and data management architectures, tools and methodologies;
  3. performance analysis of security software and devices, to guarantee that their introduction in the system does not negatively affect performance.

Figure 3

1.1.3 Methodology

Analysis

Figure 4: Verification of access control policies implementation

Many methodologies can be used for security analysis, e.g. simulation, emulation and formal methods, each giving a different trade-off between the precision (level of detail) of the analysis and the size of the (sub-)system that can be addressed. As an example, Figure 4 depicts an industrial system analyzed to check whether its high-level access control policies are actually satisfied by the deployed configuration, whereas Figure 5 depicts the analysis of interdependencies in a power grid. Many kinds of analysis, with many complementary purposes, can be useful and deserve to be carried out.

All of them, however, share a common need: the model, i.e. a suitable data structure that keeps all the details of the system needed by the analysis purposes and algorithms, and, last but not least, the real (or design) data to feed it. The latter is a hard problem, because such feeding cannot be done by hand; it requires, as far as possible, (semi-)automated techniques able to extract the system description from the running system itself and/or from other data sources, such as the information produced during the design phase (network topology, device configurations, user rights and so on). A model fed by hand is also a model that silently drifts away from the real system, so the extraction must be repeatable. The system model so obtained could also be used as the basis of a cyber range, to safely check the system's resilience to real cyber-attacks, i.e. to show (hopefully) that the security controls work as expected.
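The kind of check sketched for Figure 4, verifying a high-level access control policy against a model of the deployed configuration, is illustrated by the following added example; it is not code from the page or the project. The model is constructed for illustration: the zone names, hosts, firewalls and rule tables are assumptions, not data from the page. The example goes one step beyond the direct check by also searching for pivot chains, i.e. sequences of hosts an attacker could compromise in turn, because a policy that holds for single flows can still be violated transitively.

```python
"""Verification of high-level access control policies against a system model.

Added example (not code from the page or the project). The model below is
constructed for illustration: zone names, hosts, firewalls and rule tables are
assumptions. Each firewall joins two zones and holds an ordered rule table
(first match wins, default deny); only the initiating direction of a flow is
modelled, as a stateful firewall would see it."""
from collections import deque

HOSTS = {  # host -> zone (constructed)
    "ws-01": "DBCS", "hist-01": "DMZ", "scada-01": "CONTROL",
    "plc-01": "FIELD", "plc-02": "FIELD",
}
# (name, from_zone, to_zone, rules); rule = (src_host|'*', dst_host|'*', port|'*', action)
FIREWALLS = [
    ("fw-edge", "DBCS", "DMZ", [("*", "hist-01", 443, "allow"), ("*", "*", "*", "deny")]),
    ("fw-dmz", "DMZ", "CONTROL", [("hist-01", "scada-01", 502, "allow"), ("*", "*", "*", "deny")]),
    ("fw-ctrl", "CONTROL", "FIELD", [("scada-01", "*", 502, "allow"), ("*", "*", "*", "deny")]),
]
ZONE_LINKS = {}
for _name, _a, _b, _rules in FIREWALLS:
    ZONE_LINKS.setdefault(_a, []).append((_b, _rules))
PORTS = sorted({r[2] for _, _, _, rules in FIREWALLS for r in rules if r[2] != "*"})


def rule_permits(rules, src, dst, port):
    """Evaluate an ordered rule table; unmatched traffic is denied."""
    for rsrc, rdst, rport, action in rules:
        if rsrc in ("*", src) and rdst in ("*", dst) and rport in ("*", port):
            return action == "allow"
    return False


def zone_path(src_zone, dst_zone):
    """Rule tables crossed on the shortest zone path, or None if unreachable."""
    prev = {src_zone: None}
    queue = deque([src_zone])
    while queue:
        zone = queue.popleft()
        if zone == dst_zone:
            break
        for nxt, rules in ZONE_LINKS.get(zone, []):
            if nxt not in prev:
                prev[nxt] = (zone, rules)
                queue.append(nxt)
    if dst_zone not in prev:
        return None
    tables, zone = [], dst_zone
    while prev[zone] is not None:
        zone, rules = prev[zone]
        tables.append(rules)
    return tables[::-1]


def direct_allowed(src, dst, port):
    """Is the single flow src->dst:port permitted by every firewall on its path?"""
    if HOSTS[src] == HOSTS[dst]:
        return True  # assumption: no filtering inside a zone
    tables = zone_path(HOSTS[src], HOSTS[dst])
    return tables is not None and all(rule_permits(t, src, dst, port) for t in tables)


def pivot_chain(src, dst, port):
    """Shortest chain of hosts an attacker could pivot through to reach dst:port,
    compromising each intermediate host in turn; None if no chain exists."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        host = queue.popleft()
        if host == dst:
            break
        for nxt in HOSTS:
            if nxt in prev:
                continue
            hop_ports = [p for p in PORTS if direct_allowed(host, nxt, p)]
            if nxt == dst:  # the last hop must use the port named in the policy
                hop_ports = [p for p in hop_ports if p == port]
            if hop_ports:
                prev[nxt] = (host, hop_ports[0])
                queue.append(nxt)
    if dst not in prev:
        return None
    chain, host = [], dst
    while prev[host] is not None:
        parent, hop_port = prev[host]
        chain.append((host, hop_port))
        host = parent
    return [(src, None)] + chain[::-1]


def check_policy(src_zone, dst_zone, port):
    """Policy: no host in src_zone may reach any host in dst_zone on port.
    Returns violations as (src, dst, kind, chain); kind is 'direct' or 'pivot'."""
    violations = []
    for src, sz in HOSTS.items():
        for dst, dz in HOSTS.items():
            if sz != src_zone or dz != dst_zone or src == dst:
                continue
            if direct_allowed(src, dst, port):
                violations.append((src, dst, "direct", [(src, None), (dst, port)]))
            else:
                chain = pivot_chain(src, dst, port)
                if chain:
                    violations.append((src, dst, "pivot", chain))
    return violations


if __name__ == "__main__":
    for violation in check_policy("DBCS", "FIELD", 502):
        print(violation)
```

With these tables the policy "no DBCS host may reach a field device on Modbus/TCP (port 502)" holds for every single flow, yet the check reports two pivot chains (workstation to historian on 443, historian to SCADA server on 502, SCADA server to PLC on 502): exactly the kind of result a per-rule review of each firewall in isolation would miss, and the reason the model has to carry the whole topology rather than one device at a time.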

Figure 5: Analysis of Interdependencies in Critical Infrastructures

Runtime monitoring and data management

The classical approaches used by Intrusion Detection Systems, and by security/privacy monitoring in a broader sense, can nowadays be integrated with and attuned to new network paradigms such as Software Defined Networking (SDN) and Network Functions Virtualization (NFV), whose flexibility allows data collection and analysis, also relying on Artificial Intelligence and Machine Learning, to be spread almost everywhere in the system. These paradigms can also be used for rapid prototyping and for a smooth migration from virtual to real (parts of the) system, as well as to monitor and control resources and the management and protection of data. Figure 6 recalls some of these flexible and agile network implementation and management paradigms. Moreover, the same flexibility can be used to acquire, store and manage information about the system characteristics, which is needed to feed the system model of Figure 3.

In practice, these network paradigms can help both the security, privacy and performability of the running system and its offline management through its model, also allowing a smooth migration from a prototype system, relying on a set of virtual nodes and devices possibly generated automatically from the system model, to the real one.
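The link between the model and runtime monitoring described above, as an added example that is not code from the page or the project: the communication matrix that the offline model already contains (who may talk to whom, on which port, with which Modbus function codes) is used as the baseline against which observed flow records are checked, so that a deviation from the model is reported rather than a signature match. The baseline, host names, log format and the sample records are constructed assumptions.

```python
"""Runtime monitoring against the communication matrix derived from the system model.

Added example, not code from the page or the project. The baseline, host names
and flow-record format are constructed assumptions; in practice the baseline
would be exported from the same model used by the offline analysis."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Expected flows: (src, dst, dport) -> Modbus function codes allowed on that flow.
BASELINE = {
    ("hist-01", "scada-01", 502): {3},          # historian only reads registers
    ("scada-01", "plc-01", 502): {3, 6, 16},    # SCADA reads and writes setpoints
    ("scada-01", "plc-02", 502): {3, 6, 16},
}
KNOWN_HOSTS = {"ws-01", "hist-01", "scada-01", "plc-01", "plc-02"}


@dataclass(frozen=True)
class Flow:
    ts: float
    src: str
    dst: str
    dport: int
    fc: Optional[int]  # Modbus function code, None for non-Modbus traffic


def parse_line(line):
    """Constructed record format: '<ts> <src> <dst> <dport> [fc=<n>]'."""
    parts = line.split()
    fc = int(parts[4][3:]) if len(parts) > 4 and parts[4].startswith("fc=") else None
    return Flow(float(parts[0]), parts[1], parts[2], int(parts[3]), fc)


def classify(flow):
    """Name of the deviation from the baseline, or None if the flow is expected."""
    if flow.src not in KNOWN_HOSTS or flow.dst not in KNOWN_HOSTS:
        return "unknown-host"
    key = (flow.src, flow.dst, flow.dport)
    if key not in BASELINE:
        return "unexpected-flow"
    if flow.fc is not None and flow.fc not in BASELINE[key]:
        return "unexpected-function-code"
    return None


def monitor(lines):
    """Return (alert, flow) pairs for every record that deviates from the model."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_line(line)
        alert = classify(flow)
        if alert:
            alerts.append((alert, flow))
    return alerts


def summary(alerts):
    """Alert counts by type, the figure a dashboard or a ticket would carry."""
    return Counter(alert for alert, _ in alerts)


# Constructed flow records: two legitimate, then a write from a read-only host,
# a workstation talking Modbus to a PLC, SSH towards a PLC, and an unknown source.
SAMPLE_LOG = """\
1700000000.10 hist-01 scada-01 502 fc=3
1700000000.20 scada-01 plc-01 502 fc=16
1700000000.35 hist-01 scada-01 502 fc=16
1700000000.40 ws-01 plc-01 502 fc=3
1700000000.55 scada-01 plc-02 22
1700000000.60 10.0.9.9 plc-01 502 fc=3
""".splitlines()

if __name__ == "__main__":
    found = monitor(SAMPLE_LOG)
    for alert, flow in found:
        print(f"{alert:25} {flow.src} -> {flow.dst}:{flow.dport} fc={flow.fc}")
    print(dict(summary(found)))
```

The third record is the interesting one: the flow itself is allowed, but a write (function code 16) from a host the model says only reads is a deviation that a port-based rule cannot see and a model-derived baseline can. The same baseline is what the SDN/NFV layer would have to refresh whenever the model changes, otherwise the monitor starts reporting legitimate changes as anomalies.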

Figure 6: New flexible and agile network implementation and  management paradigms    

Performance analysis

In IACSs, performance is often constrained by limited computational power and network bandwidth; thus, before adding security controls and devices, their performance must be carefully checked against the overall (sub-)system performance requirements.

In the recent past, some steps have been taken toward the standardization and certification of the functional behavior of security devices. The same should now be done on the performance side, by developing guidelines and procedures that enable security engineers and system managers to design and carry out their own tests on the devices they plan to deploy. These devices are too complex, and used in too many different contexts, for performance figures to be valid once and for all; making available methodologies that allow (skilled) users to carry out their own performance measurements, tuned to their specific requirements and traffic profiles, is therefore becoming a mandatory goal. At the same time, such measurement/certification facilities can be made available by widespread institutions, where customers can (be helped to) carry out the right tests on their security devices without setting up a measurement framework on their own premises.

Figure 7 shows the hardware setup used to measure the performance of an industrial firewall able to perform deep packet inspection of Modbus packets. As a side result, the complete functional block diagram of the device has been obtained.

Figure 7: Industrial firewall characterisation and performance evaluation
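What a user-run measurement of the kind advocated above reduces to, as an added example that is not code from the page or the project: well-formed Modbus/TCP test frames are generated, the MBAP consistency check that a deep packet inspection firewall has to apply is shown, and a capture of (sent, received) timestamps is reduced to the figures that matter for a real-time system, namely tail latency, throughput and loss, checked against a timing budget. The capture and the budget are constructed assumptions; no device was measured.

```python
"""Performance characterisation of a Modbus/TCP DPI firewall from a timestamped capture.

Added example, not code from the page or the project. The capture below is
constructed; the 2 ms budget stands for an assumed control-loop requirement."""
import math
import struct


def modbus_read_holding(tid, unit, start, count):
    """Modbus/TCP Read Holding Registers (FC 3) request: MBAP header + PDU."""
    pdu = struct.pack(">BHH", 3, start, count)
    # MBAP: transaction id, protocol id (0), length of unit id + PDU, unit id
    mbap = struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit)
    return mbap + pdu


def is_wellformed(frame):
    """MBAP sanity check a DPI device performs: protocol id 0, length consistent."""
    if len(frame) < 8:
        return False
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    return proto == 0 and 2 <= length <= 254 and length == len(frame) - 6


def percentile(sorted_values, p):
    """Nearest-rank percentile (p in 0..100) of an ascending list."""
    rank = math.ceil(p / 100 * len(sorted_values))
    return sorted_values[max(rank - 1, 0)]


def summarise(records, budget_ms):
    """records: (tx_s, rx_s or None if lost, frame_bytes). Returns the metrics a
    control engineer checks against the loop's timing budget."""
    delivered = [(tx, rx, n) for tx, rx, n in records if rx is not None]
    latency_ms = sorted((rx - tx) * 1000 for tx, rx, _ in delivered)
    span_s = max(rx for _, rx, _ in delivered) - min(tx for tx, _, _ in records)
    result = {
        "sent": len(records),
        "lost": len(records) - len(delivered),
        "mean_ms": round(sum(latency_ms) / len(latency_ms), 3),
        "p50_ms": round(percentile(latency_ms, 50), 3),
        "p99_ms": round(percentile(latency_ms, 99), 3),
        "max_ms": round(latency_ms[-1], 3),
        "throughput_bps": round(sum(n for _, _, n in delivered) * 8 / span_s),
    }
    # Real-time check: the tail, not the mean, must fit the budget, and nothing may be lost.
    result["within_budget"] = result["p99_ms"] <= budget_ms and result["lost"] == 0
    return result


def constructed_capture():
    """Eleven FC 3 requests sent 10 ms apart through the device under test.
    Constructed latencies: eight at 0.8 ms, one at 1.2 ms, one 4 ms outlier, one lost."""
    frame = modbus_read_holding(1, 1, 0, 10)
    latencies = [0.0008] * 8 + [0.0012, 0.004, None]
    records = []
    for i, lat in enumerate(latencies):
        tx = i * 0.010
        records.append((tx, None if lat is None else tx + lat, len(frame)))
    return records


if __name__ == "__main__":
    frame = modbus_read_holding(1, 1, 0, 10)
    print(frame.hex(), is_wellformed(frame))
    print(summarise(constructed_capture(), budget_ms=2.0))
```

On the constructed capture the mean latency (1.16 ms) is comfortably inside the 2 ms budget while the 99th percentile (4 ms) is not, and one frame is lost: a device report that quotes only average forwarding delay would pass a firewall that, in this traffic profile, breaks the loop's deadline. That is why the procedure has to be run with the user's own frame sizes and rates, and why the tail statistic is the one to read.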

Privacy preservation

In the complex structure of IACSs, a large amount of (personal) data is used, shared and stored by users and systems in IACS services and databases, sometimes without awareness of the privacy risks and of the violations this may entail. The General Data Protection Regulation (GDPR) requires IACSs to comply with its provisions when processing personal data. Therefore, IACSs have to be built in line with the GDPR, i.e. following the privacy-by-design principle. In this view, one emerging technical solution for designing fine-grained mechanisms that account for legal requirements, such as the purpose of data usage, user consent and the enforcement of the data retention period, is to integrate a GDPR-based Access Control system into the IACS architecture. Such a mechanism extends the role of the Access Control System from merely regulating access to resources and data to also managing privacy rights, according to the "integrity and confidentiality" and "accountability" principles of the Regulation. Figure 8 shows a newly conceived framework for developing GDPR-based Access Control Systems. It implements an Agile GDPR-based Authorization Development Life Cycle (ADLC) that can be used for designing, implementing and testing a domain-dependent GDPR-based Access Control System that can be easily integrated into the IACS environment.

  • A Life Cycle for Authorization Systems Development in the GDPR Perspective. Said Daoudagh, Eda Marchetti. ITASEC 2020: 128-140
  • A Privacy-By-Design Architecture for Indoor Localization Systems. Paolo Barsocchi, Antonello Calabrò, Antonino Crivello, Said Daoudagh, Francesco Furfari, Michele Girolami and Eda Marchetti. QUATIC 2020: 358-366

Figure 8: Implementation of an Agile GDPR-based Authorization Development Life Cycle
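The decision logic such a GDPR-based Access Control System has to encode, as an added example that is not code from the page, the cited papers or the ADLC framework: besides the usual role check, the policy decision point evaluates the declared purpose against the purposes the data category may be processed for, checks that the retention period has not elapsed, looks up a valid (not withdrawn) consent of the data subject, and records every decision in an audit trail for accountability. The policy table, roles, data categories, consent records and dates are constructed assumptions, and consent is taken as the lawful basis for the categories modelled here although the Regulation admits others.

```python
"""GDPR-based access control decision: purpose limitation, consent, retention, audit.

Added example, not code from the page, the cited papers or the ADLC framework.
Policy table, roles, data categories and dates are constructed assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Data category -> who may process it, for which purposes, and for how long (days).
POLICY = {
    "badge_events": {"roles": {"security_officer"}, "purposes": {"physical_security"}, "retention_days": 90},
    "location": {"roles": {"safety_officer"}, "purposes": {"worker_safety"}, "retention_days": 30},
}


@dataclass
class Consent:
    subject_id: str
    purposes: set
    withdrawn_on: Optional[date] = None


@dataclass
class DataRecord:
    subject_id: str
    category: str
    collected_on: date


@dataclass
class Request:
    user: str
    role: str
    action: str
    purpose: str
    record: DataRecord


def authorize(req, consents, today, audit):
    """Return (decision, reason); every evaluation is appended to the audit trail
    (accountability principle), whether permitted or denied."""
    decision, reason = "deny", "no-policy"
    rule = POLICY.get(req.record.category)
    if rule is None:
        pass
    elif req.role not in rule["roles"]:
        reason = "role-not-allowed"
    elif req.purpose not in rule["purposes"]:
        reason = "purpose-limitation"
    elif today > req.record.collected_on + timedelta(days=rule["retention_days"]):
        reason = "retention-expired"  # the record should already have been erased
    elif not any(c.subject_id == req.record.subject_id and req.purpose in c.purposes
                 and (c.withdrawn_on is None or c.withdrawn_on > today) for c in consents):
        reason = "no-valid-consent"
    else:
        decision, reason = "permit", "ok"
    audit.append({"when": today.isoformat(), "user": req.user, "action": req.action,
                  "subject": req.record.subject_id, "category": req.record.category,
                  "purpose": req.purpose, "decision": decision, "reason": reason})
    return decision, reason


TODAY = date(2024, 1, 31)  # constructed evaluation date
CONSENTS = [
    Consent("emp-17", {"physical_security", "worker_safety"}),
    Consent("emp-42", {"physical_security"}, withdrawn_on=date(2024, 1, 10)),
]


def run_scenarios():
    """Five constructed requests covering each branch of the decision."""
    audit = []
    fresh = DataRecord("emp-17", "badge_events", date(2024, 1, 20))
    old = DataRecord("emp-17", "badge_events", date(2023, 9, 1))
    withdrawn = DataRecord("emp-42", "badge_events", date(2024, 1, 20))
    results = [
        authorize(Request("alice", "security_officer", "read", "physical_security", fresh), CONSENTS, TODAY, audit),
        authorize(Request("alice", "security_officer", "read", "marketing", fresh), CONSENTS, TODAY, audit),
        authorize(Request("alice", "security_officer", "read", "physical_security", old), CONSENTS, TODAY, audit),
        authorize(Request("alice", "security_officer", "read", "physical_security", withdrawn), CONSENTS, TODAY, audit),
        authorize(Request("bob", "plant_operator", "read", "physical_security", fresh), CONSENTS, TODAY, audit),
    ]
    return results, audit


if __name__ == "__main__":
    for entry in run_scenarios()[1]:
        print(entry)
```

Two points are worth noting in this shape of policy. The retention check turns "data should have been erased" into a deny even when the role and purpose are right, which makes a missed deletion job visible at the first access instead of at the next audit; and the audit entry carries the purpose and the reason, which is what a data protection officer needs to answer an access request or demonstrate compliance.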

Risk transfer

From an economic point of view, part of the IACS cyber risk can be transferred to an insurance company by means of an ad hoc cyber insurance contract. In general, cyber insurance raises the bar of best practices (including GDPR compliance), as insurers require benchmark security levels as input to their risk management decisions.

This solution needs to be explored because IACSs pose unique challenges to the cyber insurance industry: the impact of cyber attacks is very hard to estimate, and IACSs are exposed to long-tail risks, i.e. events with low frequency and high cost. Sometimes these reach very high levels, called "extreme events"; in particular, we refer to "black swan" events, which are highly improbable, hard to predict and have devastating consequences. In this context, Extreme Value Theory (EVT) could help to estimate the distribution of such events, but this solution still needs to be improved.

Finally, assessing the distribution of adverse events can help an IACS operator set aside an amount of capital to face them (with an estimated confidence level), or to invest it in cybersecurity; a suitable risk metric is the Cyber Value at Risk.
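How the two ideas above fit together, as an added example that is not code from the page: a Cyber Value at Risk is computed from a loss sample both as the plain empirical quantile and from an EVT peaks-over-threshold fit of the tail, which is what lets the estimate extend beyond the worst loss seen so far. The loss sample is constructed (deterministic Pareto-type quantiles, in an assumed unit of k€ per incident) and the Generalized Pareto parameters are estimated by the method of moments, which presumes a finite-variance tail (shape below 1/2).

```python
"""Cyber Value at Risk from a loss sample: empirical quantile versus an
Extreme Value Theory (peaks-over-threshold) tail fit.

Added example, not code from the page. The loss sample is constructed
(deterministic Pareto-type quantiles, in k€ per incident, an assumed unit)."""
import math


def constructed_losses(n=200, alpha=3.0, scale=10.0):
    """Heavy-tailed sample: Pareto quantiles at evenly spaced probabilities."""
    return sorted(scale * (1 - (i + 0.5) / n) ** (-1 / alpha) for i in range(n))


def empirical_var(losses, p):
    """Nearest-rank p-quantile; it can never exceed the largest observed loss."""
    s = sorted(losses)
    return s[math.ceil(p * len(s)) - 1]


def gpd_fit_moments(excesses):
    """Method-of-moments fit of a Generalized Pareto Distribution to threshold excesses.
    For the GPD, mean = sigma/(1-xi) and var = sigma^2/((1-xi)^2 (1-2 xi)); inverting
    gives the two estimators below (valid when the sample variance is finite, xi < 1/2)."""
    n = len(excesses)
    m = sum(excesses) / n
    v = sum((x - m) ** 2 for x in excesses) / n
    xi = 0.5 * (1 - m * m / v)
    sigma = 0.5 * m * (m * m / v + 1)
    return xi, sigma


def evt_var(losses, threshold, p):
    """VaR_p extrapolated from the GPD tail fitted above `threshold`:
    VaR_p = u + sigma/xi * ((n/n_u * (1-p))^(-xi) - 1), n_u = number of exceedances."""
    n = len(losses)
    excesses = [x - threshold for x in losses if x > threshold]
    n_u = len(excesses)
    xi, sigma = gpd_fit_moments(excesses)
    tail = n / n_u * (1 - p)
    if abs(xi) < 1e-9:  # exponential tail limit of the GPD
        return threshold + sigma * math.log(1 / tail)
    return threshold + sigma / xi * (tail ** (-xi) - 1)


def cyber_var_report(losses, threshold_quantile=0.90, levels=(0.99, 0.999)):
    """Both estimators at each confidence level. The EVT figure is the one that can
    exceed the worst loss seen so far, which is what a capital reserve must cover."""
    u = empirical_var(losses, threshold_quantile)
    return {p: {"empirical": round(empirical_var(losses, p), 2),
                "evt": round(evt_var(losses, u, p), 2)} for p in levels}


if __name__ == "__main__":
    sample = constructed_losses()
    print("threshold:", round(empirical_var(sample, 0.9), 2), "max loss:", round(sample[-1], 2))
    for level, estimate in cyber_var_report(sample).items():
        print(level, estimate)
```

The threshold choice (here the empirical 90th percentile, leaving 20 exceedances) is the usual trade-off of the peaks-over-threshold method: too low and the GPD approximation of the tail is poor, too high and the fit rests on a handful of points. With only a few years of incident data per plant, that is precisely where the "needs to be improved" of the text applies, and why an insurer would rather pool losses across many installations.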

1.1.4 Impact

The coordination of model-based analysis with runtime monitoring and data gathering, together with a deep knowledge of the performance of each security device added to the system, all relying on sophisticated data gathering and sharing (interacting also with the cybersecurity platform), will provide the core basis for a holistic management of security in cyber-physical systems and critical infrastructures, where all three lines of research work together in a coordinated fashion.

In particular, analysis will allow early prevention of security issues; data gathering and monitoring will help both early detection and forensic analysis; and the deep knowledge of security devices will lead to the best choice when performance is an issue, and in heterogeneous legacy systems in general.

All these topics have been partially addressed in current and past European projects, as well as in research contracts with small, medium and large private enterprises.