http://www.dagstuhl.de/12502

December 9 – 12, 2012, Dagstuhl Seminar 12502

Securing Critical Infrastructures from Targeted Attacks

Organizers

Marc C. Dacier (Symantec Research Labs – Sophia Antipolis, FR)
Frank Kargl (Uni Twente, NL & Uni Ulm, DE)
Alfonso Valdes (University of Illinois – Urbana Champaign, US)

Documents

Dagstuhl Report, Volume 2, Issue 12

Summary

The last few years have highlighted the fact that our ICT security precautions in many critical infrastructure (CI) systems are clearly insufficient, especially when considering targeted attacks carried out by resourceful and motivated individuals or organizations. Critical infrastructures, like energy or water provisioning, transportation, telecommunication, or health support, rely to an ever-larger extent on ICT and are often monitored or controlled in a semi- or fully automated way. Disruption of these control processes could turn out to be disastrous, especially as many of these systems are cyber-physical systems that interact with the real world through sensors and actuators and can thus have a direct influence on the physical world not mediated by the common sense of a human being.

Rendering ICT systems in such critical infrastructure unusable or malfunctioning can cause huge economic damage or even endanger human lives. Some examples: the Institute for Science and International Security (ISIS) reported in December 2010 that the Stuxnet malware actually damaged around 1000 uranium enrichment centrifuges in the Iranian enrichment facility in Natanz (which was possibly its goal). If the same were to happen in a European uranium enrichment facility, the economic damage would be significant, and danger to the population due to failure of systems could not be ruled out completely. In 2000, an insider attack on a sewage treatment facility in Queensland, Australia caused millions of liters of raw sewage to spill out into local parks and rivers. The CIP Vigilance Blog collects a long list of such issues.

A similar argument applies to other forms of control systems like Intelligent Transport Systems, modern health systems, smart electric grids, and many more. The advanced metering infrastructures (AMI) now being deployed in some form on the electric grids of many countries offer potential benefits in terms of reduction of peak load, which in turn enables greenhouse gas reduction and various economic benefits. However, they introduce potentially hundreds of millions of computationally limited networked endpoints outside of a defensible physical or electronic perimeter. Moreover, smart grids may be subject to attacks that do not require an adversary to compromise a device, whether a smart meter on a residence or a phasor measurement unit (PMU) that contributes to wide area measurement or state estimation. Real-time price signals communicated to smart meters may induce volatility, and if spoofed may lead to destabilizing load fluctuation. Spoofing of GPS signals can cause PMUs to lose synchronization, resulting in threats to real-time control and corrupt grid state estimation.

Securing these systems involves many challenges, especially the heterogeneity of the systems, which often include legacy and proprietary components for which not even the full specifications may be available to security engineers. The high dependability and availability requirements of such systems often do not allow fast update cycles when security vulnerabilities are disclosed. The trend to use more COTS hardware and software in such systems creates problems and opportunities at the same time. One problem is that all malware available for such COTS hardware and software suddenly also becomes available to attackers targeting critical infrastructure ICT, and that a lot of known vulnerabilities become exploitable. On the pro side, many established security mechanisms like firewalls, Intrusion Detection Systems, or OS security mechanisms like malware scanners can be applied. However, they often need to be adjusted specifically for the new domain (e.g., by having SCADA-specific signatures for an IDS). At the same time, the different (dependability) requirements and different applications in critical infrastructure systems often require new or updated approaches, e.g., regarding security updating or security testing methodologies.

The research community has taken up this challenge, as can be seen by the emergence of specific research projects (e.g., EU projects like ReSIST, IRIIS, VIKING, SERSCIS, INSPIRE, CRUTIAL, CRISALIS), and regular contributions on the topic at conferences and workshops (RAID, DIMVA, CCS, LEET, IEEE SSP, NDSS, Usenix Security, etc.). The US Department of Homeland Security and Department of Energy fund numerous projects under programs such as the National SCADA Test Bed (NSTB) and Cyber Security for Energy Delivery Systems (CSEDS). However, we found that the research community would benefit from being better connected, having a clear list of major research challenges, and knowing to what extent they have been addressed so far. Stemming from this motivation, we proposed this Dagstuhl research seminar with the goal of bringing together leading researchers from both academia and industry to discuss and evaluate the state of the art and to highlight where sufficient solutions exist today, where better alternatives need to be found, and also to give directions where to look for such alternatives.

One of the most important aspects was to identify whether security challenges and solutions apply to all different areas of CI, be it water, electricity, gas, transport, health support, public safety infrastructures, or telecommunication. Our initial expectation was that there would be clusters of domains with very similar profiles on the one hand, but also large differences between clusters. This, however, was not clear previously, as many security researchers focused on specific areas or specific aspects of security.

Beyond this, during the seminar we also focused on the question of how targeted attacks on CI differ from ubiquitous unspecific attacks by malware or occasional hackers. As the latter do not focus specifically on CI, they will typically not create large-scale damage; if damage occurs, this is typically the consequence of computer systems being down. In contrast, the Stuxnet example illustrates how targeted malware can be injected into target systems in a very stealthy way and can cause subtle damage that can go unnoticed for a long time. Consequently, security countermeasures, reactions, and forensic methods have to differ as well. However, the research community has just started to address the area of targeted attacks.

Classification

  • Security / Cryptology

Keywords

  • Critical Infrastructures
  • Industrial Control Systems
  • SCADA
  • Security
  • Targeted Attacks
