https://www.dagstuhl.de/12502

December 9 – 12, 2012, Dagstuhl Seminar 12502

Securing Critical Infrastructures from Targeted Attacks

Organizers

Marc C. Dacier (Symantec Research Labs – Sophia Antipolis, FR)
Frank Kargl (Uni Twente, NL & Uni Ulm, DE)
Alfonso Valdes (University of Illinois – Urbana Champaign, US)

Documents

Dagstuhl Report, Volume 2, Issue 12

Summary

Recent years have shown that ICT security precautions in many critical infrastructure (CI) systems are clearly insufficient, especially against targeted attacks carried out by resourceful and motivated individuals or organizations. Critical infrastructures such as energy or water provisioning, transportation, telecommunication, or health support rely to an ever-larger extent on ICT and are often monitored or controlled in a semi- or fully automated way. Disruption of these control processes could turn out to be disastrous, especially as many of these systems are cyber-physical systems that interact with the real world through sensors and actuators and can thus have a direct influence on the physical world that is not mediated by the common sense of a human being.

Rendering ICT systems in such critical infrastructure unusable or causing them to malfunction can cause huge economic damage or even endanger human lives. Some examples: the Institute for Science and International Security (ISIS) reported in December 2010 that the Stuxnet malware actually damaged around 1000 uranium enrichment centrifuges in the Iranian enrichment facility in Natanz (which was possibly its goal). If the same happened in a European uranium enrichment facility, the economic damage would be significant, and danger to the population due to failure of systems could not be ruled out completely. In 2000, an insider attack on a sewage treatment facility in Queensland, Australia caused millions of liters of raw sewage to spill out into local parks and rivers. The CIP Vigilance Blog collects a long list of such issues.

Similar arguments apply to other forms of control systems such as Intelligent Transport Systems, modern health systems, smart electric grids, and many more. The advanced metering infrastructures (AMI) now being deployed in some form on the electric grids of many countries offer potential benefits in terms of reduction of peak load, which in turn enables greenhouse gas reduction and various economic benefits. However, AMI introduces potentially hundreds of millions of computationally limited networked endpoints outside of a defensible physical or electronic perimeter. Moreover, smart grids may be subject to attacks that do not require an adversary to compromise a device, whether a smart meter on a residence or a phasor measurement unit (PMU) that contributes to wide area measurement or state estimation. Real-time price signals communicated to smart meters may induce volatility, and if spoofed may lead to destabilizing load fluctuation. Spoofing of GPS signals can cause PMUs to lose synchronization, resulting in threats to real-time control and corrupt grid state estimation.

There are many challenges involved in this, especially the heterogeneity of the systems, which often involve legacy and proprietary components for which not even all specifications may be available to security engineers. The high dependability and availability requirements of such systems often do not allow fast update cycles when security vulnerabilities are disclosed. The trend to use more COTS hardware and software in such systems creates problems and opportunities at the same time. A problem is that all malware that exists for such COTS systems suddenly also becomes available to attackers targeting critical infrastructure ICT, and that a lot of known vulnerabilities become exploitable. On the positive side, many established security mechanisms like firewalls, intrusion detection systems, or OS security mechanisms like malware scanners can be applied. However, they often need to be specifically adjusted for the new domain (e.g., by having SCADA-specific signatures for an IDS). At the same time, the different (dependability) requirements and different applications in critical infrastructure systems often require new or updated approaches, e.g., regarding security updating or security testing methodologies.

The research community has taken up this challenge, as can be seen by the emergence of specific research projects (e.g., EU projects like ReSIST, IRIIS, VIKING, SERSCIS, INSPIRE, CRUTIAL, CRISALIS) and regular contributions on the topic at conferences and workshops (RAID, DIMVA, CCS, LEET, IEEE SSP, NDSS, Usenix Security, etc.). The US Department of Homeland Security and Department of Energy fund numerous projects under programs such as the National SCADA Test Bed (NSTB) and Cyber Security for Energy Delivery Systems (CSEDS). However, we identified that the research community would benefit from being better connected, from having a clear list of major research challenges identified, and from knowing to what extent they have been addressed so far. Stemming from this motivation, we proposed this Dagstuhl research seminar with the goal of bringing together leading researchers from both academia and industry to discuss and evaluate the state of the art, to highlight where sufficient solutions exist today and where better alternatives need to be found, and to give directions on where to look for such alternatives.

One of the most important aspects was to identify whether security challenges and solutions apply to all the different areas of CI, be it water, electricity, gas, transport, health support, public safety infrastructures, or telecommunication. Our initial expectation was that there would be clusters of domains with very similar profiles on the one hand, but also large differences between clusters. This, however, was not clear previously, as many security researchers focused on specific areas or specific aspects of security.

Beyond this, during the seminar we also focused on the question of how targeted attacks on CI differ from ubiquitous unspecific attacks by malware or occasional hackers. As the latter do not focus specifically on CI, they will typically not create large-scale damage; if damage occurs, it is typically the consequence of computer systems being down. In contrast, the Stuxnet example illustrates how targeted malware can be injected into target systems in a very stealthy way and can cause subtle damage that can go unnoticed for a long time. Consequently, security countermeasures, reactions, and forensic methods have to differ as well. However, the research community has just started to address the area of targeted attacks.

Classification

  • Security / Cryptology

Keywords

  • Critical Infrastructures
  • Industrial Control Systems
  • SCADA
  • Security
  • Targeted Attacks
