Robust Real-time Information Infrastructures
advertisement
Robust Real-time Information Infrastructures Simin Nadjm-Tehrani∗ Department of Computer and Information Science, Linköping University SE-581 83 Linköping, Sweden simin@ida.liu.se January 11, 2010 1 Overview This report has been commissioned by the Swedish Civil Contingencies agency (MSB) towards an analysis of research related to the three activity areas civil defence, protection against accidents and crisis preparedness. The focus of the report is on two areas: • Security of critical infrastructures, specially information infrastructures • Reliable and secure communication in disaster scenarios The first area is considered as relevant to the areas of protection against accidents (“skydd mot olyckor”) and crisis preparedness (“krisberedskap”). The second area is considered as relevant to the areas of civil defence (“civilt försvar”) and emergency preparedness (“krisberedskap”). 2 Introduction Reliable and secure communication is at the heart of well being and delivery of critical services in today’s society, making power grids, financial services, transportation, government and defence highly dependent on ICT networks. Regional and national emergencies are characterised by their devastating effect on human lives and the society’s ability to function. Unfortunately, rescue operations and the possibility to re-establish a working society after a disaster is often hampered by the lack of functioning communication infrastructures. While creation of new communication networks to support post-disaster operations is important, it is also relevant to study the nature of the next generation information infrastructures in terms of challenges and opportunities they bring to protection of existing critical infrastructures. A recent analysis [5] reveals that while there are some common concerns there are also fundamental differences in the two areas in question. ∗ The author wishes to thank Mikael Asplund for input arising from cooperation projects, and John Sigholm for input on military requirements. 1 This report starts by presenting the most important messages of the named work, and continues with examination of some emerging areas that are underresearched. These are related to the analysis of challenges in next generation networks, including device networks, pervasive web and convergent communication networks including opportunistic hastily formed networks. The report is organised as follows. Section 2 presents the big picture and the relevance of the chosen subareas. Section 3 presents risks and vulnerabilities in the respective areas, and some trends with respect to security of information infrastructures. Section 4 includes a classification of main challenges addressed by researchers currently, and presents a summary of the approaches actively pursued. Section 5 presents a research outlook within the two chosen subareas. Section 6 proposes a research agenda and emphasises those areas for which no mature solutions exist. Finally section 7 sums up the recommendations, and section 8 concludes the report. 2.1 Critical Information Infrastructures The complexity and interdependencies of critical infrastructures make them vulnerable to faults, attacks and accidents. One adverse condition may have unforeseen consequences in other dependent networks – e.g. distributed electricity generation and trading is increasingly dependent on communication networks, which under adverse circumstances may lead to blackouts as opposed to local outages. Even worse, when a major disaster strikes, such as the hurricane Katrina or the Tsunami in east Asia, large parts of the infrastructure can be completely incapacitated for weeks. In those situations we need to re-establish infrastructures to support rescue operations and the transition back to a normal state. Innovation in information and communication technologies brings higher degrees of adoption and bigger dependence, and at the same time unknown risks and vulnerabilities. Every new technology or application area brings the potential of being misused in unforeseen ways. Economic gain and cyber terrorism provide strong motivations for large scale attacks on networks and their services by targeting vulnerabilities in software or organisations. The main challenge for any new ICT technology in order to provide added value, is built-in security and means to uphold trust relationships amongst the users of a network. However, dealing with security threats is only one dimension of the threat to availability of services. In addition to malicious threats there are several sources of breakdown in system availability, e.g. overloads, crashes, and network partitions (making a subset of nodes unreachable by others). These additional threats could be both the root cause to service outages, and the consequence of attacks. Denial of service (DoS) attacks lead to overloads, overloads lead to crashes and restarts, unauthorised access to assets may lead to withdrawal of a service, reduced service leads to high latency, and lack of timeliness in information transfer leads to sub-optimal decision making. For a timely delivery of critical services to citizens and decision makers, two types of competences are therefore needed: (1) protecting existing information infrastructures so that we can continue to rely on the delivery of information services despite the increasing threat picture, (2) moving forward to study the issue of reliability and security in new networked infrastructures that represent a new paradigm in service delivery. The next generation networks (NGN) have 2 essentially a new character, being of a loosely connected and heterogeneous nature. Communication is in many cases combined with mobility, and generally in networks with several “owners” as opposed to a single owner/administrator. In the coming years we will witness a transition to next generation networks (NGN), including several variants of wireless radio communication. This will inevitably affect the range of technologies deployed in disaster response. Therefore, it is essential to study how the requirements of the first responders is satisfied by the emerging infrastructures. 2.2 Reliable and secure communication in disasters It lies in the nature of unforeseen events and disasters that they are impossible to characterise in a uniform way. The needs and resources differ drastically depending on circumstances such as the scale of the event, which part of the world is affected, and the type of event (earthquake, flooding, fire, epidemic, etc). However, two important problems can be identified: • the need for a common operational picture • the matching of needs and resources. A US task force from National Security Telecommunications Advisory committee (NSTAC) comprising members from government agencies and ICT industries has prepared reports to the President in 2006 and 2007 dealing with NGN interoperability [46]. Appendices describing various working group activities set out the basic definitions, NGN interdependencies, national security and emergency preparedness requirements (NS/EP), conceived threats, and strategies to meet the NS/EP requirements [45]. In particular, the “Scenarios and User Requirements Working Group” created five scenarios based on which the requirements, analysis of vulnerabilities and threats have been based. These scenarios range over: (1) Continuity of government, (2) Critical government networks, (3) Industry and critical infrastructures, in particular Supervisory Control and Data Aquisition (SCADA) systems, (4) Public safety, and (5) General user needs and requirements during incidents of national significance. One of the key findings of the end-to-end services analysis was that “the fundamental requirements of access, transport, and availability of services must be provided in a manner that assures NS/EP communities receive an appropriate level of service priority among potentially competing users and activities”([45], Appendix F). The military is often one of the key actors in the event of a disaster. In national and major regional emergencies it is among the first to arrive at the scene of emergency, and has a clear role in coordination of the relief work. This is something the armed forces have long experience with. On the other hand, one of the biggest challenges for the military is to be able to participate in collaborative networked environments, such as hastily formed networks for disaster mitigation, while safeguarding valuable information and upholding security requirements. Making changes to the classical information hierarchies for military communication, such as interconnecting information systems with collaboration partners in a hastily formed network, requires new models for trust [35] and access control [8] in the mutual conversation space. Solving the information security equation in such heterogeneous networks is a non-trivial problem. 3 3 Emerging risks and observed trends In 2005 a major study of security-related hard problems was carried out by the INFOSEC Research Council in USA and reviewed by a distinguished panel of researchers. The final report included a hard problems list consisting of eight areas on which research and development needs to be focused in the forthcoming years [32]. Specifically relevant to this report is the third problem: Availability of Time-Critical Systems. This entails availability of information and information services even in resource-constrained, geographically distributed environments, and scenarios in which the access to information services is on demand (ad hoc). 3.1 Familiar threats to service continuity During the past five years the above requirements have been painfully confirmed. First, a number of natural catastrophes such as the Katrina, Asian Tsunami, major flooding, and forest fire incidents have created a catalogue of documented scenarios, in which lack of common operational picture and situation awareness is pointed out as one of the many obstacles to efficient rescue operations [12]. Second, on an everyday basis, we have been confronted with service outages, ranging over incapacitated complete Internet (sub)domain [57], a 100 minute breakdown in a major mail service [47], major Swedish bank’s web access being down for several hours [31], police telephone services crashing in the middle of the night [16], and so on. Third, evidence is mounting that cyber criminality as well as politically motivated actions have the ability to hamper delivery of critical information services, for economic or national interests [63, 52, 66]. Today’s information infrastructure is largely static and wired. The networks are managed centrally or hierarchically [3] by known actors who do not frequently change over time. Although communication problems can occur for particular links, redundancy often prevents network partitions from happening [38]. A recent trend is to put more and more services on top of the Internet[9], which has shown itself to be one of the most reliable information infrastructures even in presence of adverse conditions [34] (although susceptible to frequent misconfiguration problems [39]). One of the biggest challenges here is probably overloads which can be the result of a denial of service attack or the result of legitimate needs which peak at the same time (e.g., major news web sites going down after 9/11). A different illustration of this phenomenon is the adverse effects of TCP when envisaged as the main communication protocol for connecting operation and management units in energy networks during a blackout [10]. Traditionally, many information networks have been proprietary and thus not fitted for integration with other networks. As a response to this, researchers and industry have started to explore the possibility of opening up systems in order to achieve greater resilience. However, this is not without complications [24]. Corporate entities are not willing to share too much information with other actors since it might mean losing the business advantage. Moreover, there are regulations and policies which must be adhered to regarding communication channels. The problem is further complicated by the fact that information needs span across borders, requiring international agreements. 4 3.2 Pervasive web In July 2009 Sophos, a leading IT security company, reported that the number of new infected web pages discovered by the company on a daily basis were double the comparative number from 2007. Also their statistics shows that the samples of unique malware items were doubled compared to the same date one year ago [58]. On 1st January 2010 the web application security consortium (WASC) released its update of current web-based threats based on the data from a distributed open proxy honeypot project launched in 2007. It includes 37 web based attacks and the weaknesses and vulnerabilities that are prerequisite to the attacks. The analysis reveals that the majority of the weaknesses are introduced at the implementation stage and due to improper design decisions [68]. Many security observations now point towards forthcoming vulnerabilities due to the expansion of more powerful communication terminals, such as smart phones, and heterogeneous networks flexibly configured using multiple radio interfaces. With the massive prevalence of social networking (so-called web 2.0) we see unprecedented threats to privacy and new channels for spreading malware - not only primarily targeting these networks, but also as an entry point to critical data and services. 3.3 Embedded or mobile devices In 2008 Indiana university researchers demonstrated that viruses can be spread among unprotected network equipment such as routers and firewalls surprisingly fast, with most of the tens of thousands of routers exposed becoming infected within 48 hours [44]. University of Cambridge computer scientist Ross Anderson was quoted as saying: ”the study exposes a more significant problem in that all electronics, including phones, routers, and even microwaves, are being built with software that could potentially become infected”. Mobile phones are no longer being solely used as a communication end point device, but also as devices for remote sensing and control, tokens for identification, and pervasive network element e.g. for relaying health data, electricity metering information, payment terminals, etc. Kaspersky Lab resources on analysis of viruses have identified 106 new families of malware for mobile devices with 514 variants by September 2009, an increase of over 200% over the past two years [1]. 3.4 Interoperability or security? The first responder community uses a wide variety of communication devices ranging over analog and digital professional mobile radio (PMR), Satellite networks, GSM/UMTS, WiFi/Wimax and specialised radio for Marine and Airborne communications. The question is whether one can extend the reach of the first responders without increasing risks of data integrity breach or service outages. Trade-offs between these two requirements need to be studied. A recent draft report by the European Telecommunications Standards Institute (ETSI) studies the potential benefits and challenges introduced by bringing reconfigurable radio systems (RRS), and software based dynamic spectrum management for application into the public safety domain [20]. For example, they 5 Table 1: Challenges for existing infrastructures (from [5]) Challenge Emerging solutions Complexity and interdependencies Modelling and risk analysis Transition from managed/regulated to Peer-to-peer technologies, selfunmanaged/unregulated managing systems Heterogeneity Standardised protocols, overlay networks, Software-defined and cognitive radio Organised threats with economic mo- Hardening, intrusion tolerance, divertives or adversary disruptions sity, partial rejuvenation consider as one of many options a scenario in which: “Dynamic spectrum allocation can be based on the concept of spectrum sharing with commercial providers. In case of emergency, commercial providers will shut down their communication systems and free their spectrum bands. Public Safety RRS nodes will be able communicate and transmit in these spectrum bands for the duration of the emergency crisis.” As well as organizational issues involved in such envisaged scenario the report identifies clear technical challenges for ad hoc cognitive radio networks to meet requirements in terms of reliability and timing. The report also points out security as another area which has to be addressed in convergent networks. Although public safety shares many of the operational requirements with the defence domain, the broad range of actors (fire-fighters, medical personnel, volunteers) implies that there are also differences to be resolved in terms of security requirements. 4 4.1 Research activities Protection of existing critical infrastructures The research community has focused on four main challenges in the area of information infrastructure protection in recent years, summarised in table 1. Interdependencies among different infrastructures is a key aspect which makes protecting these systems a complicated task. For a nice overview we refer to Rinaldi et al. [53], as well as the outcomes from recent European projects [33, 14]. In order to fully understand these interdependencies it is clear that we need to provide good models of system behaviour, both under normal circumstances and in the event of crises [40]. The transition from static, managed networks to dynamic networks with little or no central control has already started. Peer-to-peer technologies are being used to share data, stream multimedia and to manage computing capacity. Such networks have proven to be resilient to failures and overloads, but they cannot easily provide absolute service guarantees. In addition, an increasing proportion of the network traffic is going through the wireless medium, using a wide variety of radio standards (e.g. GPRS, HSDPA, WiMAX, Wi-Fi). This brings new challenges of mobility, resource allocation and heterogeneity. Heterogeneity in the technical communication platforms brings two aspects 6 to this equation. The multiplicity of communication technologies will bring a much needed diversity, but at the same time demands dealing with interoperability [51]. Solving these issues is as much an organisational problem as it is technical. Agreeing on standards between different countries and major corporations takes time and is affected by non-technical criteria. Although the awareness of the risks associated with attacks and accidents to critical infrastructures may have been poor in the past [49], the large volume of research in recent years is a clear indication that this is no longer the case. There are still many tough problems to solve, partly because new threats appear and partly because the systems themselves are changing and evolving. 4.2 Reliable communication in disaster scenarios The infrastructures that will be needed in the event of an emergency cannot be carefully planned and modelled beforehand. They will emerge spontaneously, and will rapidly change over time. Such systems are not intended to replace current systems for everyday use since they are in many ways suboptimal. Their strength is the fact that they can be deployed when the other communication networks have failed. Hastily Formed Networks (HFN) is a term coined by the Naval Postgraduate School in California, USA [18]. These networks are quickly mobilised and organised to coordinate massive responses. Other characteristics are that they are networks with no common authority but all the same must cooperate and collaborate during a massive as well as distributed response to often a chaotic and completely surprising situation. These networks also have to cope with insufficient resources and lack of infrastructure. Their effectiveness rests on the quality of the conversation spaces established in the beginning. An experience report by Steckler et al. [60] from the aftermath of hurricane Katrina shows that the wireless medium could be very effective when quickly establishing a network. The reported networks were still mostly managed in a way similar to wired networks. Creating and using ad hoc networks might have decreased the effort needed to set up and manage. However, this is not a mature technology and there are many challenges which do not exist in wired/cellular networks [67]. For example, there is a lack of global knowledge (decisions need to be taken based on a local view), the wireless medium needs to be shared between nodes that have not agreed beforehand on when and how to communicate, and communication disruptions are much more likely to occur [7]. In a disaster response scenario it is probable that there will be many mobile nodes involved whose movements are neither centrally coordinated nor predictable. In such mobile ad hoc networks (MANET), routing becomes a key challenge since the best route to a node changes continuously and may not even exist at some points in time. That is, network partitions are common and must be dealt with. Just as time is an important factor in current information infrastructures (i.e. rapid discovery leads to faster containment and recovery from blackouts), it will be equally important in HFN. These networks will, for example, be used to rapidly disseminate information on spread of damage, injuries and threats to lives. However, as opposed to fixed networks where overloads and partitions can be dealt with using redundancy and some basic level of differentiation, intermittently connected networks are harder to tackle. There are five main technical challenges that make reliable and timely communication difficult in post-disaster communication, summarised in Table 2. 7 Table 2: Challenges for disaster response infrastructures (from [5]) Challenge Emerging solutions Disconnectivity as a norm Store-and-forward techniques, Delaytolerant network (DTN) protocols Resource constraints Quality-of-service enforcement techniques including prioritisation, Optimisation Infeasibilty to centrally manage Distributed gossip-style and P2P protocols Heterogeneity Overlay networks, DTN bundles, Software-defined radio Security: less organised opportunistic Reputation-based systems, Selfishthreats or adversary disruptions resistant protocols, Distributed intrusion detection Considerable research has been devoted to each of these subjects separately, but more research is needed to solve the problems collectively. Unfortunately, all of them will be present in a large crisis situation. In section 5.2 we will return to these challenges and their research outlook. 5 Research outlook In this section we briefly review the solutions that are emerging in each of the areas described in tables 1 and 2, and extend with areas that have become more relevant since the tables were compiled [5]. 5.1 Critical infrastructures We believe that the coming years will provide a wide range of solutions addressing the security and reliability of information infrastructures. Stakeholders in the protection of critical infrastructures have a clear interest in participating in the dissemination activities of the 45 European FP7 projects in the security area launched in the first phase of the program (the results of which cannot be fully reflected in a short report). In addition, the ICT-security projects will contribute with partial solutions to the information infrastructure equation, among them DIESIS [19] providing simulation platforms for e-infrastructures, FORWARD [23] bringing about a collective knowledge on the security threat landscape, threat detection and prevention, and WOMBAT [69] creating a live repository of actual and current threats to information infrastructures on a global basis. In the US network and information security arena a major concentration of competence is I3P: Institute for Information Infrastructure Protection, a large consortium of US universities, national labs and non-profit organisation, led by Dartmouth College. It helps to shape the US cyber security agenda, and acts as a forum for building research and work groups for analysis of national information infrastructure issues [30]. I3P researchers have regular formal and informal meetings with European researchers on issues of common interest. 8 Complexity and interdependencies The research on modelling of critical infrastructures will continue to be an active field for many years. It is important to understand that there are many levels at which modelling can be done. They range from Guimera and Amaral’s models of airport connections [26] to Svendsen and Wolthusen’s generic graph-based analysis of resource flows [62]. We will definitely see more research of this kind, and models will become more detailed and hopefully good tools will be developed to manage them. The EU FP7 project CRUTIAL [14] was completed in 2009 as one of the major efforts in this direction, with the focus on electric power infrastructures. Events organised by the International CRIS Institute [13] and the regular CRITIS conferences have become a forum for dissemination of studies on information infrastructures, as well as the interactions between those and other infrastructures. From centralised/managed to decentralised The set of solutions will also cover the migration to less centralised and more heterogeneous networks. This entails reusing some non-centralised solutions in new contexts; for example, the potential convergence of P2P technologies - that were originally intended for wired infrastructures - with the mobile ad hoc scenarios. Also we see a potential for the cross-fertilisation of the autonomic computing field and adaptive/selfmanaging systems in the context of complex systems such as critical infrastructures. New dimensions may emerge by addition of mobile partially wired systems, e.g. vehicular area networks (VANET) with connections to road side infrastructure. As an example, the EU FP6 project HIDENETS [29] addressed multihop VANET, that can potentially become part of a modern society’s information infrastructure. Heterogeneity Within the defence sector one of the possible ways to deal with heterogeneity is the migration from conventional static radio platforms to systems incorporating reconfigurable software-defined radio (SDR) technology. The change in paradigm for military radio communication is not only a potential money-saver, but also expected to help the adopting countries to engage in multinational cooperation, such as international disaster relief operations, by utilising SDR bridging techniques between common and nation-specific waveforms. Replacing legacy radio platforms with modern SDR-based units, conforming to international standards, gives considerable tactical and operative advantages. The capability to share information is crucial to the effectiveness and success of a cooperative mission [2]. It also makes communication more cost effective, by being able to procure commercial off-the-shelf (COTS) equipment at a significantly lower price than developing own equipment. Since the late 1990s the US Depart of Defense has spent a great deal of time and resources on research and development of the SDR-based Joint Tactical Radio System (JTRS) [42], which is planned as the next-generation voice-anddata radio for use by the U.S. military in field operations after 2010. In Europe, similar techniques are being considered in the European Defence Agency joint research project European Secured Software Defined Radio Referential (ESSOR). However, the deployment of these emerging information infrastructures has to be preceded by tackling the technical interoperability problem. Moreover, adherence to NS/EP requirements, in particular trade-offs with security will need to be studied and verified, as noted by the recent ETSI draft report [20]. 9 Security and dependability Means for achieving resilience or dependability can be broadly divided in proactive or reactive approaches, and experience shows that both are required. Proactive protection includes hardware redundancy [28], defence-in-depth, diversity and active replication, transparent software recovery [64], etc. Reactive mechanisms will need to cover the events that cannot be prevented. One of the main research areas in this context is that of intrusion detection systems [41, 36], where researchers are trying to tackle an almost intractable challenge in detecting significant intrusions without also producing vast amounts of false alarms. A new parameter that affects all the available arsenal for enhancing dependability is awareness of restricted energy resources. So, several existing solutions may have to be re-examined in the light of the energy-efficiency requirements. 5.2 Communication in disaster area networks Disconnectivity A consequence of mobile wireless networks with resource constraints are network partitions. It will not be feasible for such a network to keep all nodes connected at all times. Network partitions do not only occur in wireless networks, fault-tolerant distributed systems research has dealt with network partitions in such cases for a long time [17, 55]. However, in those works, disconnectivity is considered an exception and usually a rare event. This view on connectivity prevails even in research on MANET since most researchers assume dense networks with random mobility models leading to fairly connected networks. However, recent research emphasises that real-life mobility models imply that for some applications a contemporaneous path between nodes cannot be assumed; see for example Kuiper and Nadjm-Tehrani [37], Fiore et al. [22] and Nelson et al. [43]. Although connectivity is quickly improving with maturity of new technologies, this requires the existence of in-place infrastructure. Satellite communication can bring high-bandwidth connectivity to stations with special-purpose antennas or low-bandwidth connectivity to completely mobile terminals, however these will probably not become so widespread that everyone will have such a device. To what extent future VANET will have to rely on a fixed infrastructure is still an open question. An alternative is to devise protocols based on a store-and-forward principle so that mobility is leveraged as a means to disseminate data in the (partition-tolerant) network[25, 59, 56]. Resource constraints Store-and-forward is not as easy as just storing all data packets that are received, and forwarding them when the opportunity arises. Due to the scarceness of energy and bandwidth, protocols will need to limit their transmissions and make sure that (1) packets are only disseminated if needed (i.e. have highest utility) and (2) once a packet is transmitted, it indeed has a chance of making the hop (and subsequent hops); otherwise the network resources are wasted to no avail [15]. The problem of resource-aware delay-tolerant protocols has been studied, for example by Haas and Small [27], Balasubramanian et al. [6], Asplund and Nadjm-Tehrani [4] and Sandulescu and Nadjm-Tehrani [56]. The key problem is deciding which packets are worthwhile to forward to neighbouring nodes, and when. Infeasibility to centrally manage The above approaches to optimising resource usage assume a high degree of knowledge about node movements. In 10 a post-disaster scenario, this is not possible. Even the participants and operational clusters in a rescue operation are not known in advance. After the Katrina storm, the American Red Cross alone organised approximately 250.000 (volunteer) rescue workers [7]. This was a magnitude more than they had ever dealt with previously. Together with the fact that the situation is constantly changing, this means that nobody will have an up-todate global view of what is going on. Thus, ideally some communication protocols will need to function without knowledge of network topology, node addresses, node movements, traffic demands, etc. Heterogeneity This challenge bears some resemblence to the diversity issue in critical infrastructures. While in existing infrastructures too we see the technical diversity, the focus there is on reliable service to an individual or an organisation. In emergency scenarios, however, we aim for collaboration among diversified organisations. There will be actors from many different parts of the society such as the police, military, fire fighters, medical personnel, volunteers, etc. These actors need to cooperate but they will probably not have trained together, they will have different technical equipment (ranging from specialpurpose hardware such as the TETRA system [65], to commercial off the shelf non-standardised products). One of the most challenging problems in a disaster scenario is to achieve both technical interoperability and social interoperability amongst the network of networks. A potential approach to achieving technical interoperability is the use of overlays such as delay-tolerant networks [21, 48]. Moreover, software defined radio facilitates implementing bridging techniques as discussed in Section 4.1. Obtaining social interoperability on top of a given information infrastructure is a multi-disciplinary challenge. Forum for Public Safety Communication (PSC) in Europe [50] has been formed as a continuation of an earlier FP6 project with the mission to “foster, by consensus building, excellence in the development and use of public safety communications and information management systems to improve the provision of public safety services” in Europe. It organises meetings to discuss the needs and advances in the emergency response with a special interest in the ICT area. A collection of links to recent and current EU research projects with a bearing on communication and emergency response can be found on the PSC Forum’s web pages [50]. Within emergency response communication infrastructures in the EU funded projects we find a number of ongoing projects that have relevance to the current report: CHORIST (Integrating communications for enhanced environmental risk management and citizens safety), SAFER (Services and applications for emergency response), SCORE (Service of coordinated operational emergency and rescue using EGNOS - the Geostationary Navigation Overlay Service launched in 2009), SECRICOM (Seamless Communication for Crisis Management), and STRAW [61] which is a short term security active watch project whose areas of interest include protection of networks and crisis management. Further research on technical and organisational interoperability to meet Swedish requirements needs to align itself to the results that will be disseminated by these ongoing projects. 11 Security In a major national emergency some of the actors may even be adversarial themselves, wanting to disrupt or eavesdrop on communication. This brings us to the security challenge. How to solve the trust issue in a hastily formed network is an open problem. Bad or selfish behaviour can be punished (e.g., by not allowing such nodes to participate in the network) if it is detected. Knowledge about misbehaving nodes can also be shared with others using reputation based systems (e.g., Buchegger and Le Boudec [11]). However, such systems create new problems with false accusations and identity spoofing. Specific security solutions to suit the Swedish NS/EP requirements have to be preceded by an analysis of the requirements and their ranking; in particular characterisation of the scenarios where hastily formed networks need to be deployed. In relation to web 2.0 security, a recent Sophos security report indicates large cyber criminality funnelled to social networking sites [58]. At the same time we observe a considerable body of research appearing at conferences like ISCRAM which promote the use of community and social networks in rescue communication. These information services are embraced due to their popularity and familiarity of large sectors of the population. However, they are just as vulnerable as the traditional infrastructures, as indicated e.g. by the recent insider compromise at Twitter [54]. In the 2009 Malware summary compiled at the FORWARD workshop in May 2009, this area was considered as one of the highest ranking threats, thereby justifying increased research attention. 6 Proposed research agenda The short summary of the research outcomes and outlooks above clearly indicates that the problems related to critical information infrastructures and communications for disaster management are: • of a multi-sector nature, and common to all developed countries in the world • difficult to solve in small isolated research projects • require major resources not only for generation of new knowledge, but even fo continuous awareness of the rapid technological developments and international research outcomes • technically multi-disciplinary, ranging over advances in software technology, networking, dependability, security, and performance optimisation in distributed systems It is essential that the research community contributing to knowledge applicable for MSB interests is part of an international network of excellence in order that major international research outcomes can be leveraged towards tools that benefit Swedish first responders. Furthermore, the analysis above indicates two related needs: (1) A high degree of technical competence among those vested with the responsibility of setting up reliable and secure communicatition in NS/EP situations. This calls 12 for increased emphasis on university education in the fields of security and dependability of networked infrastructures. (2) A mere focus on technical development will not be adequate to achieve the intended collaboration results in an NS/EP scene. Interdisciplinary research that encompasses both technical and non-technical (human resources and organisational aspects) will be required. In what follows we list a few areas, that have received less attention in the current research as described in section 5. These may deserve some attention in the forthcoming three year period of MSB research agenda. In the areas of information security and critical information infrastructures we see a few emergent areas to which a large body of research has not been devoted so far: the reliance on web services, wireless (infrastructure-less) communication, social networking, and pervasive embedded devices. The emergence of “internet of things” with more embedded devices being connected to provide networked services creates dependencies in several sectors, such as financial services, water monitoring and management, electricity trading and distributed generation and metering, public transportation networked vehicles. This calls for more attention to security and reliability of such embedded devices before they become fully pervasive. In relation to convergent wireless networks for disaster response, there is much more to be done to leverage the potential of such communication infrastructures as envisioned in the NSTAC report from 2007 [46]. Work is needed both on the technical interoperability issues, reliability and timeliness studies, and resistance to threats and disruptive vulnerabilities. The European project FORWARD summary in the critical systems WG considered the extension of the critical infrastructures with multi-hop wireless communication and next generation networks (making a smart phone equivalent to a desktop computational device) as one of the highest ranking source of threats after insider and human factor threats. Smart phones also appeared as one of the highest ranking threats in the May FORWARD workshop in the “smart environments” session. In this proposal for research agenda we would like to add the topic of security and trust for adhoc networks with intermittent connectivity. Opportunistic networks are hard to “harden” with the classical authentication, identification and authorisation principles. Resource-efficient real-time anomaly detection and mitigation is an open research area that is begining to attract more attention in the field. 7 Recommendations To summarise the suggestions in section 5 and 6, we would like to see more research in the direction of: • Specific interdependency studies for Swedish critical infrastructures; specifically, the impact of electricity outages and blackouts on information infrastructures • The impact of information infrastructure blackouts on emergency management and disaster response in Sweden; specifically, the optimal use of existing communication infrastructures and convergence thereof in disaster area cooperations. 13 From a technical point of view the following areas are under-researched internationally and strong Swedish research is likely to have a national and international impact: • Web 2.0 security, social networks and adverse impacts of lack of security in their use within emergency management • Scalability and security of communication in intermittently-connected networks, technical interoperability of NGN and hastily formed networks • Smart phone vulnerabilities and mitigation of threats • Heterogeneous networks bridged with software-based radio, and their threats and mitigations • Early warning and anomaly detection based on predictive models, specially in machine-to-machine networks and SCADA systems • Vulnerabilities of emergent information infrastructures for power generation, trading, and distribution with a focus on embedded software 8 Concluding remarks This report has almost entirely focused on technical issues, and risks arising from technical solutions. As it has been mentioned earlier, service continuity and cooperation is almost always dependent on both functioning technical systems and human/organisational processes. Also the long term health of the critical infrastructures and effective communication at times of crises is highly dependent on maintained levels of competence, academic/professional education and research studies with both academic and commercial participants. The international dimension has been recently demonstrated in the major initiatives launched within the European security research programs. Also, meetings such as the joint conference between Europe and Homeland security legislators, actors and researchers in October 2009 help to establish channels for cooperation and technical exchange and should be encouraged and supported. References [1] A. Gostev. Mobile Malware Evolution: An Overview, Part 1, September 2009. (Accessed 6 January 2010)). http://www.viruslist.com/en/analysis?pubid=204792080. [2] C. Adams. Information sharing raises more questions than answers. AFCEA Signal Magazine, May 2008. [3] M. Amin. Toward self-healing energy infrastructure systems. IEEE Computer Applications in Power, 14(1):20–28, Jan. 2001. [4] M. Asplund and S. Nadjm-Tehrani. A partition-tolerant manycast algorithm for disaster area networks. In In proceedings of 28th International Symposium on Reliable Distributed Systems (SRDS’09). IEEE Computer Society, September 2009. 14 [5] M. Asplund, S. Nadjm-Tehrani, and J. Sigholm. Emerging information infrastructures: Cooperation in disasters. In R. Setola and S. Geretshuber, editors, Proceedings of the 3rd International Workshop on Critical Information Infrastructures Security (CRITIS’08), volume 5508 of Lecture Notes in Computer Science, pages 258–270. Springer-Verlag Berlin Heidelberg, 2009. [6] A. Balasubramanian, B. Levine, and A. Venkataramani. DTN routing as a resource allocation problem. SIGCOMM Comput. Commun. Rev., 37(4):373–384, 2007. [7] J. C. Becker. The opportunities and limits of technology in non profit disaster response. Keynote speech at the ISCRAM conference, Washington, May 2008. [8] A. Bengtsson and L. Westerdahl. Access control in a coalition system. Technical Report FOI-R–2393–SE, Swedish Defence Research Agency, Dec. 2007. [9] K. Birman. Technology challenges for virtual overlay networks. IEEE Transactions on Systems, Man, and Cybernetics—Part A: Systems and Humans, 31(4):319–327, 2001. [10] K. Birman, J. Chen, E. Hopkinson, R. Thomas, J. Thorp, R. Van Renesse, and W. Vogels. Overcoming communications challenges in software for monitoring and controlling power systems. Proceedings of the IEEE, 93(5):1028–1041, May 2005. [11] S. Buchegger and J.-Y. Le Boudec. Self-policing mobile ad hoc networks by reputation systems. IEEE Communications Magazine, 43(7):101–107, 2005. [12] Committee on Homeland Security and Governmental Affairs. Hurricane Katrina: A nation still unprepared, Executive summary. http://www.gpoaccess.gov/serialset/creports/katrinanation.html. [13] CRIS. The International Institute for Critical Infrastructures. http://www.cris.vt.edu/. [14] CRUTIAL. European FP6 project. http://crutial.cesiricerca.it/. [15] C. Curescu and S. Nadjm-Tehrani. A Bidding Algorithm for Optimised Utility-based Resource Allocation in Ad hoc Networks. IEEE Transactions on Mobile Computing, 7(12):1397–1414, 2008. [16] Dagens Nyheter. Polisens riksväxel kollapsade. http://www.dn.se/nyheter/polisens-riksvaxel-kollapsade-1.443027. [17] S. B. Davidson, H. Garcia-Molina, and D. Skeen. Consistency in a partitioned network: a survey. ACM Computing Surveys, 17(3):341–370, 1985. [18] P. J. Denning. Hastily formed networks. Commun. ACM, 49(4):15–20, 2006. [19] DIESIS. European FP7 project. http://www.diesis-project.eu/. 15 [20] ETSI. European telecommunications standards institute, radio systems, system aspects for public safety, draft etsi tr 102 733 v0.0.1.1, 2009-10. [21] S. Farrell and V. Cahill. Delay- and Disruption-Tolerant Networking. Artech House, Inc. Norwood, MA, USA, 2006. [22] M. Fiore, J. Harri, F. Filali, and C. Bonnet. Vehicular mobility simulation for VANETs. In Proceedings of the 40th Annual Simulation Symposium (ANSS), pages 301–309, 2007. [23] FORWARD. European FP7 project. http://www.ict-forward.eu/. [24] A. A. Ghorbani and E. Bagheri. The state of the art in critical infrastructure protection: a framework for convergence. International Journal of Critical Infrastructures, 4:215–244(30), March 2008. [25] M. Grossglauser and D. Tse. Mobility increases the capacity of ad hoc wireless networks. IEEE/ACM Transactions on Networking, 10(4):477– 486, Aug. 2002. [26] R. Guimera and L. Amaral. Modeling the world-wide airport network. The European Physical Journal B - Condensed Matter, 38:381–385(5), Mar. [27] Z. J. Haas and T. Small. Evaluating the capacity of resource-constrained DTNs. In Proceedings of the 2006 international conference on Wireless communications and mobile computing (IWCMC), pages 545–550, New York, NY, USA, 2006. ACM. [28] A. A. Helal, B. K. Bhargava, and A. A. Heddaya. Replication Techniques in Distributed Systems. Kluwer Academic Publishers, Norwell, MA, USA, 1996. [29] HIDENETS. European FP6 project. http://www.hidenets.aau.dk/. [30] I3P. Institute for Information Infrastructure Protection. www.thei3p.org. [31] IDG. Swedbank nere i fem timmar. http://www.idg.se/2.1085/1.97232. [32] INFOSEC Research Council. INFOSEC Research Council, Hard problems list. http://www.cyber.st.dhs.gov/docs/IRC Hard Problem List.pdf. [33] IRIIS. European FP6 project. http://www.irriis.org/. [34] T. L. Jefferson. Using the internet to communicate during a crisis. VINE, 36:139–142(4), Apr. 2006. [35] D. Kostoulas, R. Aldunate, F. Pena-Mora, and S. Lakhera. A natureinspired decentralized trust model to reduce information unreliability in complex disaster relief operations. Advanced Engineering Informatics, 22(1):45–58, Jan. 2008. [36] C. Krügel and W. K. Robertson. Alert verification: Determining the success of intrusion attempts. In Workshop the Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA). German Informatics Society, 2004. 16 [37] E. Kuiper and S. Nadjm-Tehrani. Mobility models for uav group reconnaissance applications. In Proceedings of the International Conference on Wireless and Mobile Communications (ICWMC), 2006. [38] C. Labovitz, A. Ahuja, and F. Jahanian. Experimental study of internet stability and backbone failures. In Digest of Papers Fault-Tolerant Computing, Twenty-Ninth Annual International Symposium on, pages 278–285, June 1999. [39] C. Labovitz, R. Wattenhofer, S. Venkatachary, and A. Ahuja. Resilience characteristics of the internet backbone routing infrastructure. In Proceedings of the Third Information Survivability Workshop, 2000. [40] J. Laprie, K. Kanoun, and M. Kaniche. Modeling interdependencies between the electricity and information infrastructures. Lecture Notes in Computer Science, 4680:54, 2007. [41] J. McHugh, A. Christie, and J. Allen. Defending yourself: the role of intrusion detection systems. IEEE Software, 17(5):42–51, Sept.–Oct. 2000. [42] J. Melby. Jtrs and the evolution toward software-defined radio. In MILCOM 2002, pages 1286–1290, Oct. 2002. [43] S. C. Nelson, I. Albert F. Harris, and R. Kravets. Event-driven, rolebased mobility in disaster recovery networks. In Proceedings of the second workshop on Challenged networks (CHANTS), pages 27–34, New York, NY, USA, 2007. ACM. [44] New Scientists. Wifi routers are vulnerable to viruses. http://www.newscientist.com/article/mg19626356.400-wifi-routers-arevulnerable-to-viruses.html. [45] NSTAC. National security telecommunications advisory committee, next genrations networks task force, report to president on emergency communications and interoperability, appendices. [46] NSTAC. National security telecommunications advisory committee, report to president on emergency communications and interoperability. [47] PCworld. Google 100 minute outage. http://www.pcworld.com/article/171350/Googles Gmail Outage A Familiar Feeling.html. [48] T. Plagemann, K. Skjelsvik, M. Puzar, O. Drugan, V. Goebel, and E. Munthe-Kaas. Cross-layer overlay synchronization in sparse manets. In Proceedings of the 5th International ISCRAM Conference, 2008. [49] Presidents Commission on Critical Infrastructure Protection. Protecting Americas Infrastructures, 1997. [50] PSC Forum. Public Safety Communication Forum, Europe. www.psceurope.eu/. [51] ReSIST. Deliverable D12 resilience-building technologies: State of knowledge, chapter 2. http://www.resistnoe.org/Publications/Deliverables/D12-StateKnowledge.pdf, Sept. 2006. 17 [52] Reuters. Chinese cyber-spying seen growing against http://www.reuters.com/article/idUSTRE5AI5UZ20091120. U.S. [53] S. Rinaldi, J. Peerenboom, and T. Kelly. Identifying, understanding, and analyzing critical infrastructure interdependencies. IEEE Control Systems Magazine, 21(6):11–25, Dec. 2001. [54] Risks Forum. Twitter Apparently Hacked, Volume 25: Issue 88, Saturday 26 December, 2009. http://catless.ncl.ac.uk/Risks/25.88.html#subj5. [55] Y. Saito and M. Shapiro. Optimistic replication. ACM Comput. Surv., 37(1):42–81, 2005. [56] G. Sandulescu and S. Nadjm-Tehrani. Adding Redundancy to Replication in Window-aware Delay-tolerant Routing. Journal Of Communications, Special Issue in Delay Tolerant Networks, Architecture, and Applications, 2010. [57] Softpedia. Secure SE Zone goes down due to missing dot. http://news.softpedia.com/news/Secure-SE-Zone-Goes-Down-Due-toMissing-Dot-124268.shtml. [58] Sophos. Security threat report, July http://www.infosectoday.com/Articles/Security Threat 2009.htm. 2009. [59] T. Spyropoulos, K. Psounis, and C. S. Raghavendra. Spray and wait: an efficient routing scheme for intermittently connected mobile networks. In Proceedings of the SIGCOMM Workshop on Delay-tolerant networking (WDTN), pages 252–259, New York, NY, USA, 2005. ACM. [60] B. Steckler, B. L. Bradford, and S. Urrea. Hastily formed networks for complex humanitarian disasters. http://www.hfncenter.org/cms/KatrinaAAR, Sept. 2005. [61] STRAW. Security Technology Active Watch. project.eu/. http://www.straw- [62] N. Svendsen and S. Wolthusen. Analysis and statistical properties of critical infrastructure interdependency multiflow models. In Proceedings of the IEEE SMC Information Assurance and Security Workshop (IAW), pages 247–254, 2007. [63] Symantec. Rogue security software, Technical report, October 2009. http://www.symantec.com/business/theme.jsp?themeid=threatreport. [64] D. Szentivanyi and S. Nadjm-Tehrani. Middleware support for fault tolerance. In Q. Mahmoud, editor, Middleware for Communications. John Wiley & Sons, 2004. [65] TETRA Association. association.com. Terrestial trunked radio. http://www.tetra- [66] The Wall Street Journal. Hackers Stole IDs for http://online.wsj.com/article/SB125046431841935299.html. 18 Attacks. [67] C. Tschudin, P. Gunningberg, H. Lundgren, and E. Nordström. Lessons from experimental MANET research. Ad Hoc Networks, 3(2):221–233, 2005. [68] WASC. Web application security, Threat classification, January 2009. http://projects.webappsec.org/Threat-Classification. [69] WOMBAT. European FP7 project. http://www.wombat-project.eu/. 19
