PPT - The Center for Interdisciplinary Studies in Security and Privacy

Workshop on Interdisciplinary Studies in Information Security and Privacy (WISSP10)
Digital Security of Critical Infrastructure Session
Critical Energy Resources and their Interdependencies
Alain Hubrecht – ECCRP
Abu Dhabi, UAE – October 3-4, 2010
Who Am I
• Co-founder of The European Center for Critical Resources Protection (ECCRP)
• 15 years experience in Computer Aided Design and Virtual Reality
• Developed activities in visualisation and training for complex industrial environment (power plants, electrical grids)
• Worked with leading Oil and Gas and engineering offices worldwide
• High Performance Computing expert for European Commission
• Homeland Security, Peace Support Operations and Critical Infrastructure
Protection expert for NATO
• Founder of different start-ups in the IT field
WISSP10 , October 3-4, 2010
Alain Hubrecht - ECCRP
Critical Energy Resources
• Warfare is evolving, particularly to that of a cyber level
• Control systems (SCADA, DCS…) used in the oil & gas, electrical and energy sectors face new threats
• Telecommunication, banks and information flows are among other critical resources
• Important to protect these resources for the functioning of a society or economy
• Related to energy production, transmission and distribution
• Oil, Natural Gas, Coal, Nuclear, … solar/wind…
3 types:
- Physical assets, or anything you can touch
- Cyber assets (IT components)
- Data, or things you cannot touch
Physical Assets
• Power Plants (nuclear, coal, gas, oil)
• Power Stations (400KV -> 11KV)
• High Voltage Lines (400KV -> 11KV)
• Refineries
• NLG Terminals
• Anything Offshore like FPSO, Platforms, Seabed Eq
• Pipelines (Oil, Gas)
• People (control room operators, engineers, “starters”, …)
• Drawings (P&ID, Logical schemas, …)
• etc…
Data, Intangible Assets
• Customer database
• SCADA values
• DCS historical values
• Alarm rules, super rules
• Starting Sequences (nuclear reactor, high voltage network…)
•…
Cyber Assets
• Cyber physical assets that control and process the data
• Computer hardware and IT infrastructure (servers, desktop…)
• Network Communication Links (switch, routers, firewalls)
• Specific Industrial devices (PLC, RTU, etc)
• ...
It is these assets which are covered by common cyber security threats
Attacking these assets can have an impact on physical assets and data
Internal Interdependencies
Sorting Physical Assets
• All components (vessels, valves, reservoir, pipes, motors, …) have to
be sorted out by the impact they can have on the production in
case of loss/break.
• The time to repair or order a new one should be integrated in the
loss of production.
• Some equipment, such as crackers or transformers, needs up to one year to be reordered or manufactured.
Interdependencies
Some other components can produce disastrous domino effects.
first node of interdependencies
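The sorting described on this slide, as an added example that is not part of the original presentation: it ranks components by the output lost over their repair or reorder time and counts the downstream components that stop with them (the domino effect). The inventory, names, figures and the simple loss model are assumptions constructed for illustration.

```python
from collections import deque

PLANT_CAPACITY = 1000  # units of output per day (constructed figure)

# Constructed inventory: hypothetical names and numbers, not from the slides.
#   direct    - output lost per day while the component itself is down
#   lead_days - time to repair it or to order and receive a new one
#   feeds     - components that stop when this one is lost (assumed model)
INVENTORY = {
    "transformer_T1": {"direct": 600, "lead_days": 365, "feeds": ["pump_P1", "cracker_C1"]},
    "cracker_C1": {"direct": 400, "lead_days": 300, "feeds": []},
    "pump_P1": {"direct": 150, "lead_days": 14, "feeds": ["valve_V7"]},
    "valve_V7": {"direct": 50, "lead_days": 3, "feeds": []},
    # A controller produces nothing itself but stops what it controls.
    "plc_PLC3": {"direct": 0, "lead_days": 30, "feeds": ["pump_P1", "cracker_C1"]},
}


def affected(name, inventory=INVENTORY):
    """Return the lost component plus everything downstream of it."""
    seen, queue = {name}, deque([name])
    while queue:
        for nxt in inventory[queue.popleft()]["feeds"]:
            if nxt not in seen:  # the visited set also copes with dependency loops
                seen.add(nxt)
                queue.append(nxt)
    return seen


def lost_production(name, inventory=INVENTORY, capacity=PLANT_CAPACITY):
    """Output lost over the whole repair/reorder period of `name`."""
    per_day = sum(inventory[c]["direct"] for c in affected(name, inventory))
    # Losses cannot exceed what the plant produces in a day.
    return min(per_day, capacity) * inventory[name]["lead_days"]


def ranking(inventory=INVENTORY):
    """Components sorted from the most to the least damaging loss."""
    return sorted(inventory, key=lambda c: lost_production(c, inventory), reverse=True)


if __name__ == "__main__":
    for comp in ranking():
        print(f"{comp:16} {lost_production(comp):>8}")
```

In this constructed data the controller has no direct output, yet it ranks third because of what stops with it.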
Internal Interdependencies
Some solutions exist…
Cascade effects in case of loss of production of a power plant are prevented
with solutions like EuroStag, monitoring software that continuously “sniffs” even
the smallest perturbation on the network and can correct
emerging problems very quickly, before the cascade turns into a disaster.
When these assets are part of an international network, involved in an automatic
balancing scheme, or integrated in a pool (deregulated market) the
consequences can be more complex to handle and solve.
External Interdependencies
A much more complex node of interdependencies however, exists between
other critical infrastructures including: telecommunications, finance or
transportation.
• Difficult to understand
• Different critical infrastructures are not always handled holistically
• Difficult communication between the security initiatives of the different infrastructures
• Damage of a joint attack on all Critical Infrastructures is not well understood yet
External Interdependencies
[Diagram: interdependencies between Energy (Oil and Gas, Electricity), Telecommunication and Information, Banking and Finance, Water, and Transportation. Labels: "Highly connected and interdependent infrastructure for business and economic security"; "Essentials and highly dependent infrastructure for health and safety".]
So far….
• Different types of assets (Physical, Data, Cyber)
• Internal dependencies: can be sorted and understood
• External dependencies: hard to understand, not much work done
• Domino effect exists for internal and external dependencies
Europe
• Europe is in the process of developing an industrial and legal
framework in an attempt to prevent these resources being
attacked.
• Other projects are also well on their way to understand these
technologies and their implications.
Europe
Three streams of information from EU
• Council directives and reports
• Framework Program Calls from European Commission
  • FP7 -> ICT -> Security -> Energy
• Funded Projects
Europe
European Union
• Council Directive 2008/114/EC :
“On the identification and designation of European Critical Infrastructures and
the assessment of the need to improve their protection”
• Only two critical infrastructures defined:
• Energy (Electricity, Oil, Gas)
• Transport (Road, Rail, Air, Inland Waterways, ports)
• In comparison, the Department of Homeland Security in USA has defined 18
Critical Infrastructures and key Resources Sectors (Banking and Finance,
Chemical, Energy, Transportation, Information Technology, Water, Emergency
Services, Communications, …)
Europe
European Union - EPCIP
European Program for Critical Infrastructures Protection (DG Home Affairs)
• Budget: 10m€/year
• Not mandatory to be transnational
• Focus on policy and support scheme
• 2 calls since 2005, next one in November 2010
Achievements:
- Discussions between countries
- 2008 directive (see previous page), next version in 2012
- Cross sectorial group, 2006-2009, 60 experts, no results.
- Question was: what are the real issues?
Europe
European Commission
• 2007-2008: Seventh Framework Program (FP7) first call
• Among others, joint call on Information and Communication Technologies
Security
• Two Areas with different topics:
1. Pervasive and Trusted Network and Service Infrastructures/Critical
Infrastructures Protection
2. Security Systems Integration, Interconnectivity and interoperability
Europe
European Commission
Topics:
• Technology building blocks for creating, monitoring and managing secure,
resilient, and always available information infrastructures that link critical
Infrastructures
• ICT support for first responders in crisis occurring in Critical Infrastructures
• Optimized situational awareness through intelligent surveillance of
Interconnected transport or energy infrastructures
• etc…
Europe
European Commission
• FP7 2007-2013 (total of 6.4 billion euros)
  • Latest round (call) of financial support just released
  • Multiple areas (health, food, space, nanotechnologies, …)
  • Two of those areas are Security and Energy
  • Call still open until 2nd of December 2010
• Under Security, two activities related to critical infrastructures:
  • SEC-2011.2.2-1: Protection of Critical Infrastructures against Electromagnetic Attacks
  • SEC-2011.2.5.1: Cyber Attacks Against Critical Infrastructures
Europe
European Projects (EU related)
• Project ESCoRTS (Security of Control and Real Time systems)
  - SCADA best practice on security, cyber security testing facilities, etc.
• Project VIKING
  - Investigate SCADA vulnerability, increase awareness for CIP, etc.
• Project EURACOM
  - Protection of energy supply for European interconnected energy networks
• Project ESTEC
  - Assess feasibility of a European network of SCADA security test centres
• A few other national projects (e.g. ASTROM, AFTER – Italy)
Europe
Non-EU related
• CPNI (Center for the Protection of National Infrastructures)
  • United Kingdom
  • Works closely with counterpart centers and institutes in USA
  • Similar centers in Australia, Canada and NZ
  • Provides security advice to national infrastructures
  • All sorts of activities around CIP
  • Generally, information released by CIP is closed/private
• BSI (Federal Office for Information Security)
  • Germany
  • One of their study areas is Security of Critical Infrastructure and Internet
• EuroScie (Scada and Control System Environment)
  • Switzerland
• etc…
NATO
• NATO Industrial Advisory Group (NIAG)
  • NIAG influences industrial system requirements and development
  • Currently they have two research areas:
    1. Risk assessment and contingency planning for interconnected transport or energy networks
    2. Modelling and Simulation for training
• CCDCOE (Cooperative Cyber Defence Centre of Excellence)
  • Based in Estonia, launched in 2008
  • Four core areas of research
  • One of them is Critical Information Infrastructure Protection
ECCRP
• Founded in 2009
• Will be located in an old World War II bunker in Brussels
• First center to provide security awareness and defense capabilities for these
resources with the help of Virtual Reality.
• Will ensure that everyone understands the risks associated with Critical Infrastructure
Protection
[Diagram labels: ECCRP; Virtual Reality; Industrial Safety; Homeland Security; IT Security]
ECCRP
[Diagram: Electricity, Water Supply, Oil & Gas (SCADA, PCN, …); Telecommunication (TDM, VOIP, MPLS, …); Banking (SwiftNet, X.25, …); Information (WWW, …); VisioSpace: Virtual Reality, Virtual Machines and Virtual Networks]
ECCRP
• Combine all critical infrastructures together, not only energy (SCADA related)
• Use Virtual 3D Reality to model cities, countries and infrastructures
• Provide training and demonstration to both VIPs and specialists
• Best of Breed Trainings given by international experts in different fields
• Creation of an International Advisory Board
• Brussels center is a concept center. Possibility to open similar centers in other
parts of the world
Conclusion
• Critical Energy Resources : different types of assets
• Internal and external interdependencies
• Lots of initiatives from European Union, National Countries or NATO
• Few combine all critical infrastructures together
• ECCRP will be the first center to use Virtual Reality
• Still lots to do…
Questions
Question?
contact@eccrp.com