
A Methodology for the Evaluation of the Security Risks of Internet-based Remote Control Applications of Utilities

M. Masera, M. Hohenadel, A. Abjani (Institute for the Protection and Security of the Citizen, JRC: http://cybersecurity.jrc.it, http://www.jrc.cec.eu.int)
G. Dondossola, G. Mauri (CESI: http://www.cesi.it/)

CIP Workshop – Frankfurt 29/30.09.03


Issues
Utilities ponder the use of Internet for remote services
– Economic opportunities, technical challenges

Open questions:
– How to deal with security?
• policy
• standards
– Appropriate SCADA / RT technologies?
– Business culture?
• control variables as information assets
• new business and technical requirements



Case study
Remote Control of Primary Substations

[Figure: network diagram of the case study. Remote Control Centre side: PC Linux A and PC Linux B, each behind a Gateway, attached to Hub/Switch A and Hub/Switch B; a Firewall separates them from the Field Hub/Switch at the Primary Substation, whose LAN serves the peripheral units PI 1, PI 2, PI 3, ...]



Case study: technologies
TCP/IP based communications
– IEC 60870-5-104, TASE 2.0 => telecontrol (power transmission)
LAN communications at primary substations
– IEC 61850, UCA => from data acquisition to information management

Concerns:
– Industrial LAN emerging standards (IEC, UCA) neither ready for Internet, nor security-enabled
– Typical security tools (firewalls, IDS) not designed for industrial LANs with RT functionality



Risk assessment

Framework:
– ISO/IEC 17799: security management in organisations
– Common Criteria (ISO/IEC 15408): security of products

– Risk-based approach:
• Understanding, analysing and managing capabilities and potential impairments
=> need for methodology
• Linking security with business processes and engineering
=> need for common concepts: assets, vulnerabilities, threats



Methodologies

Mainly oriented toward business/organisational information systems
– OCTAVE (CERT/CMU)
– CORAS (IST)
No well-known method for industrial applications
– Should support integrated design, not only a posteriori
– Should support whole life-cycle, not just design-development
– Should support updating/upgrading



Risk attributes

[Figure: risk attributes, grouped under Risk Assessment & Management.
System: dependability attributes (Integrity, Confidentiality, Availability, Privacy, Safety, Accountability); Assets; Error mode / Vulnerabilities.
Threats: Threat agent; Objective; Attack method.
Event / Loss categories: Harm to persons; Loss of Privacy; Loss of business assets / Economic loss.]

Multidimensional, dynamic problem



Methodology proposed

1. Identify and evaluate assets (information, software, infrastructure, services)
2. Identify and evaluate vulnerabilities
3. Identify and evaluate potential threats, and their motivation
4. Identify and evaluate potential attack methods and the losses they might provoke
5. Verify the consistency of the whole by correlating the attacks retained as more likely and significant with the assets that might be affected. State the set of security failures that are significant for the case at issue.
6. Establish the security objectives and the functional and assurance requirements

Based on check-lists (eventually could be used as knowledge repository)

Corresponds to "Undertake a risk assessment" in ISO/IEC 17799, and "Security environment - Security objectives" in CC
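Steps 1 to 5 of the methodology carried over a small constructed check-list, as an added example that is not code from the slides or from JRC/CESI. Asset, attack and loss names follow the slides (the attack numbers refer to the attacks/accidents list); the asset values, exposure ratings, likelihoods and the 0.75 threshold are constructed assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class Asset:            # step 1: asset with its evaluated importance
    name: str
    value: int          # 1 (low) .. 5 (critical); constructed rating
    exposure: dict      # step 2: vulnerability source -> exposure 0..1; constructed

@dataclass
class Attack:           # steps 3 and 4: threat motivation, attack method, losses
    number: int         # entry in the slides' attacks/accidents check-list
    motivation: str     # threat motivation, from the slides' table
    likelihood: float   # 0..1; constructed rating
    relies_on: set      # vulnerability sources the attack method needs
    affects: list       # asset names that might be affected
    losses: set         # loss categories the attack might provoke

# Constructed check-list data; asset, attack and loss names follow the slides.
ASSETS = [
    Asset("Control commands", 5, {"Electronic accessibility": 0.8, "Gullibility": 0.5}),
    Asset("Configuration parameters", 4, {"Electronic accessibility": 0.6, "Complacency": 0.7}),
    Asset("Periodic values", 2, {"Electronic accessibility": 0.8}),
]
ATTACKS = [
    Attack(8, "Confidential information disclosure", 0.5, {"Electronic accessibility"},
           ["Periodic values"], {"Disclosure of confidential business information"}),
    Attack(9, "Information assets integrity compromise", 0.3, {"Electronic accessibility", "Gullibility"},
           ["Control commands", "Configuration parameters"], {"Process disruption"}),
    Attack(10, "Communications Quality-of-Service deterioration", 0.4,
           {"Near to capacity limits", "Electronic accessibility"},
           ["Control commands", "Configuration parameters", "Periodic values"],
           {"Process disruption", "Process degradation"}),
]

def correlate(assets, attacks, threshold):
    """Step 5: score each (attack, asset) pair as likelihood x exposure x value and
    retain the pairs at or above the threshold: the significant security failures."""
    by_name = {a.name: a for a in assets}
    failures = []
    for atk in attacks:
        for name in atk.affects:
            asset = by_name[name]
            # one matching vulnerability source is enough for the attack method to apply
            exposure = max((asset.exposure.get(v, 0.0) for v in atk.relies_on), default=0.0)
            score = round(atk.likelihood * exposure * asset.value, 2)
            if score >= threshold:
                failures.append((atk.number, name, score, atk.motivation))
    return sorted(failures, key=lambda f: (-f[2], f[0]))

def losses_retained(failures, attacks):
    """Loss categories the retained failures might provoke; input to step 6."""
    by_number = {a.number: a for a in attacks}
    return sorted(set().union(*(by_number[n].losses for n, *_ in failures)))
```

With the constructed ratings, `correlate(ASSETS, ATTACKS, 0.75)` retains attack 10 against the control commands and configuration parameters, attack 9 against the control commands and attack 8 against the periodic values, while the lower-scoring pairs are dropped.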



Assets
• The physical infrastructure
– e.g. computing and communications equipment, incl. Internet
• Software assets
– both in the public and private spaces
• Information assets:
– From the Remote Control Centre to the primary substation:
• Control commands: signals that provide the control orders/parameters;
• Configuration parameters: signals for setting protection thresholds, time delays, protection strategies;
• Information requests: requests for information sent to the primary substation;
• Maintenance order and software transfer: software updates on the field equipment.
– From the Primary Substations to the Remote Control Centre:
• Information provision: provision of information to the control centre;
• Events: information supplied when the field configuration changes;
• Alarms: events upon variation with higher priority;
• Periodic values: normal field measurements;
• Maintenance software reception: acceptance of software maintenance orders.
• Services



Vulnerabilities
Vulnerability category and sources:
1. Inherent Design/Architecture
– Uniqueness of object or process (lack of in-service experience)
– Singularity (single point of failure)
– Centralisation (of control, data)
– Separability (easy to isolate)
– Homogeneity (multiple but identical instances, COTS)
2. Behavioural Complexity
– Sensitivity (to input variations or to abnormal use)
– Predictability (of external behaviour)
3. Adaptability and Manipulation
– Rigidity (difficult to modify the system but also to adapt)
– Malleability (easy to modify)
– Gullibility (easy to fool)
4. Operation
– Near to capacity limits
– Lack of recoverability
– Lack of self-awareness (self monitoring)
– Difficulty of management (to configure and maintain)
– Complacency (poor procedures, human factors, insider)
5. Indirect/Non-physical exposure
– Electronic accessibility
– Transparency (system information open and public)
6. Direct physical exposure
– Physical accessibility
– Electromagnetic susceptibility
7. Supporting facilities/infrastructures
– Dependency

• Completed with other models, f.i. Genesis-Introduction-Location by Landwehr et al.
• Developed with technical vulnerabilities


Threats
[Figure: threat model. A threat agent (insider or outsider; authorised actor, non-authorised actor or IT system) has a motivation / impairment and means (attack, failure mode).]

No globally recognised model


Influences from many fields: law enforcement, defence, technical security
Need to consider malicious and accidental events



Attacks, loss
Threat motivation and description:
– Fraud: deceiving or misrepresenting of business data
– Disruption of data processing operation: disturbance of computing operations at a local node
– Confidential information disclosure: revelation of confidential business information
– Information assets integrity compromise: alteration of the correctness of critical data assets
– Communications Quality-of-Service deterioration: disturbance of the communications infrastructure

Loss categories:
– Harm to persons: personal injuries, health
– Privacy: abuse of personal information
– Business assets: process degradation; process disruption; financial detriment; damage to business image; damage of assets; disclosure of confidential business information

Attacks/accidents check list (see the Attacks / accidents list below)



Summary

[Figure: summary of the approach. Assets (information) and the Organisational Security Policy (7799, OCTAVE) feed the Risk & Security analysis: Vulnerabilities, Malicious/Accidental Sources (vulnerabilities, threat profiles), Threats, Attacks, Loss and Security Failures. From these follow the Security Objectives and Security Requirements, supported by Risk Analysis Methods (CORAS), expressed as a Security Target (CC), a Protection Profile and the System architecture.]



Attacks / accidents
1. An internal authorised user abuses the access privileges for reading information he/she has neither the need nor the right to know.
2. An internal authorised user abuses the access privileges for modifying data.
3. An internal authorised user illegitimately transfers confidential information to a third party.
4. An internal user modifies, deletes or makes unavailable a proof of activities. The same or another user can repudiate as a consequence the commission of information-related actions.
5. An internal user gains unauthorised access to the system or to information, breaching the access control or the authentication systems.
6. An external non-authorised actor steals the identity of an internal user to gain his/her access privileges, by electronic means or by social engineering.
7. An external non-authorised actor gains access to data read/write points by hacking the software infrastructure/applications.
8. An external non-authorised actor gains access to data during data exchange over the communications infrastructure.
9. An external non-authorised actor gains access to communications by impersonating an authorised user.
10. An external actor carries out a denial-of-service attack.
11. An external actor provokes the overload of the internal communication or data processing resources.
12. An external actor tricks internal users into interacting with spurious external systems. Legitimate system services are spoofed.
13. An external non-authorised actor impersonates a legitimate source of information and deceives a legitimate receiver.
14. Malicious software violates the integrity of the operating system or the application software.
15. Data packet loss in the external communication link due to malicious interference.
16. Delays in the transmission of data packets over the external communication link due to accidental causes that provoke a diminution in bandwidth.
17. Routing errors in the transmission of data packets over the external communication link due to accidental causes.
