Security and Dependability Risks of Critical Information Infrastructures
(or why Bang! is different from Crash)
Inspired by a contribution to: Information Assurance Technology Forecast 2008, Steven M. Bellovin, Terry V. Benzel, Bob Blakley, Dorothy E. Denning, Whitfield Diffie, Jeremy Epstein, Paulo Veríssimo. IEEE Security & Privacy, vol. 6, no. 1, pp. 10-17, January/February 2008. [in IEEE Xplore]
Keynote Speech. SAFECOMP 2011, 30th Int'l Conference on Computer Safety, Reliability and Security. September 2011. Napoli, Italia.
Paulo Esteves Veríssimo, Faculdade de Ciências da Univ. de Lisboa, LaSIGE, Portugal. [email protected] http://www.di.fc.ul.pt/~pjv
The infrastructure security problem
The old days: no interconnection, low digital content
[Figure: a private corporate network (system servers, security server, clients) and a critical infrastructure SCADA network drawn side by side with the Internet; none of them interconnected]
Towards the present: remote control, computerisation, interconnection
[Figure: the same corporate network, now with data and operational networks, interconnected with the critical infrastructure SCADA network and with the Internet]
The infrastructure security problem
Critical infrastructures today have a hybrid composition that reaches the whole geography (electrical, telco, water, gas, oil, transportation):
SCADA systems (Supervisory Control And Data Acquisition) yield the operational ability to supervise, acquire data and control
interconnections to the standard corporate intranets
interconnections, often unwittingly, to the Internet
Even classical IT-based infrastructures share some of these problems (e.g. finance networks)
Modern CII cyber risk analysis: key points
Cyber-attacks are a common denominator of CI operational risk
Cyber-attacks on CII (incl. energy, telco, Internet, emergency, etc.) will be a pillar of i-warfare/crime
Threats and vulnerabilities
[Figure: four exposure modes drawn on the corporate / operational / SCADA / Internet topology]
Internal exposure: faults, attacks, errors, intrusions; internal design faults
Interference: uncertainty, error propagation between the corporate network and the operational network
External exposure: external attacks, errors, intrusions at the user edge
Interdependence: error propagation amongst critical infrastructures (interconnected sites, a wireless network, hosts A, B and C)
The infrastructure security problem
A simple, yet realistic, intrusion scenario
The infrastructure security and dependability problem statement
Cyber-Physical Systems pose challenging inter-disciplinary problems:
SCADA systems are real-time systems with some fault-tolerance concern, classically not designed to be widely distributed, remotely accessed or open, and designed without security in mind
Risk is not well mastered: threats on current configurations probably risk far more damaging failure scenarios than anticipated
Possible consequences
The perspective of these threats is overwhelming:
wrong manoeuvring by inept or malicious users inside the company's own corporate networks
malicious (or disastrously curious) actions from users somewhere in the Internet
targeting computer control units, embedded components and systems, that is, devices connected to operational hardware (e.g., water pumps and filters, electrical power generators and power protections, dam gates, etc.)
Such mishandling may cause severe damage to people, economy, and environment
How probable are successful cyber attacks to critical operations?
Inevitable threats
use of COTS: increased and widespread vulnerabilities
CII interconnection: interference and interdependence
pervasiveness of network connectivity: increased exposure to external attacks
Conventional software vulnerabilities: ever increasing number of vulnerabilities
(Source: IBM X-Force)
Vulnerability Exploit Cycle
[Figure: the exploit cycle as a loop: advanced intruders discover a vulnerability; crude exploit tools are developed and distributed; novice intruders use the crude exploit tools; automated scanning/exploit tools are developed and come into widespread use; intruders begin using new types of exploits]
Past and present: increased likelihood of small scale, average severity intrusions, and of massive scale, high severity intrusions
Present and future: increased likelihood of small scale, high severity targeted intrusions
Attack sophistication vs. attacker expertise
[Figure: the CERT timeline from 1980 to 20xx. Available attack sophistication rises from password guessing and self-replicating code, through password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, burglaries, sweepers, sniffers, packet spoofing, GUI tools, automated probes/scans, network management diagnostics, www attacks, denial of service, to "stealth"/advanced scanning techniques, DDoS attacks, embedded malicious code and bot nets, while the required attacker expertise falls over the same period. A second build of the slide marks the recent region of the curve as TARGETED ATTACKS.]
(Source: Adapted from Lipson, H. F., Tracking and Tracing Cyber-Attacks: Technical Challenges and Global Policy Issues, Special Report CMU/SEI-2002-SR-009, November 2002. CERT)
Specific real-time and embedded systems (RTE) security problems
Common threats
Common sources of threats
Common goals of attacks
Common myths and misconceptions
Common misconceptions w.r.t. SCADA systems Sec&Dep
Real-time and embedded (RTE) systems, having a closed and proprietary nature, do not suffer security problems
REALITY: security by obscurity never led to secure designs; RTE systems are increasingly interconnected and their internals known; recent studies showed many impacted control systems
Control system protocols are attackable
Threat: it is possible to send attack messages to the controller host trying to find and exploit some (known or unknown) vulnerabilities
Is it really possible with closed and hidden software? Legacy software is not security-aware!
"These backend protocols are often based upon standards that pre-date Windows," Graham wrote in his blog. "They are horribly insecure because few people in the SCADA industry know what a 'buffer-overflow' is."
physorg.com, "Hole Found in Protocol Handling Vital National Infrastructure"
Common misconceptions (2)
Some control system failure scenarios always existed but are extremely improbable
REALITY: true only under the stochastic perspective of accidental failures; the intruder will unbalance the probability distribution in his favour; if it can happen, it will happen!
Automatic control is much more reliable and correct than human control
REALITY: fairly doubtful if the system is not fault-tolerant; absolutely invalid if the system is not secure
RTE control loops with feasible R/T schedules are always timely
REALITY: fairly doubtful if the system is not fault-tolerant; absolutely invalid if the system is not secure
Control system protocols are attackable
"Firstly, I will be covering the basics of SCADA networks and give a general overview of the SCADA protocols namely Modbus, DNP3, ICCP and IEC standards. North America mainly uses Modbus, DNP3 and to an extent ICCP, the European countries use the IEC standards. After the basics I will be getting into the finer details of the protocols as to what function code, internal indication flags does what and how that can be used to attack or take down the SCADA system. I shall as well discuss and demonstrate the current level of security implementation that these sites have. ... Once the test cases are developed, the tool will be used to determine the vulnerabilities in various implementations and these vulnerabilities will be presented in Defcon. A case study of the various software implementations will as well be presented showing where they are normally vulnerable."
- Ganesh Devarajan, Security Researcher, TippingPoint Inc. Unraveling SCADA Protocols: Using Sulley Fuzzer, DEFCON 15 (Aug. 2007)
Common misconceptions (3)
Private modem lines are secure
REALITY: security by obscurity, take II; default passwords...
A PC with two LAN interfaces is a secure separation between SCADA and Intranet/Internet
REALITY: instead, it is a sure way for the hacker to bridge in between
Firewalls will do to protect an RTE system
REALITY: useful, but incomplete coverage; blind to high-level command and control language, semantics, interactions
Intrusion detection will detect all intrusions in RTE systems
REALITY: useful, but incomplete coverage; false and omitted alarms, whichever is worse; human-reaction driven, may lead to control instability
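A worked example of the application-level inspection the last two slides argue for: a packet filter sees ports and addresses, but the damage in the Devarajan talk comes from function codes, so a boundary device has to parse the protocol and apply an organisational policy to it. This is an added illustration, not code from the talk or from the CRUTIAL project. The Modbus/TCP framing and function-code numbers come from the public Modbus specification; the zone names, the writable register window and the sample frames are constructed for the example.

```python
import struct
from typing import Tuple

# Modbus/TCP function codes (public Modbus Application Protocol spec)
FC_READ_COILS, FC_READ_DISCRETE, FC_READ_HOLDING, FC_READ_INPUT = 1, 2, 3, 4
FC_WRITE_COIL, FC_WRITE_REG, FC_WRITE_COILS, FC_WRITE_REGS = 5, 6, 15, 16
FC_DIAGNOSTICS = 8   # sub-function 0x0004 "Force Listen Only Mode" silences a device

READ_FCS = {FC_READ_COILS, FC_READ_DISCRETE, FC_READ_HOLDING, FC_READ_INPUT}
WRITE_FCS = {FC_WRITE_COIL, FC_WRITE_REG, FC_WRITE_COILS, FC_WRITE_REGS}

# Hypothetical organisational policy (constructed for this example): which source
# zone may issue which function codes, and the only holding-register window that
# the engineering zone is allowed to write.
ZONE_POLICY = {
    "corporate": READ_FCS,                 # read-only view of the process
    "engineering": READ_FCS | WRITE_FCS,   # may change setpoints
}
WRITABLE_REGS = range(0x0100, 0x0110)


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse the MBAP header (tid, pid, length, unit id) and the PDU function code.

    Raises ValueError for frames a semantics-aware switch should drop outright.
    """
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header + function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(frame) - 6:          # MBAP length covers unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return {"tid": tid, "unit": unit, "fc": frame[7], "data": frame[8:]}


def evaluate(frame: bytes, zone: str) -> Tuple[bool, str]:
    """Decide whether a frame coming from `zone` may cross into the control network."""
    try:
        m = parse_modbus_tcp(frame)
    except ValueError as e:
        return False, f"malformed: {e}"
    fc = m["fc"]
    if fc == FC_DIAGNOSTICS:
        return False, "diagnostics (fc 8) never allowed across the boundary"
    if fc not in ZONE_POLICY.get(zone, set()):          # unknown zone: deny by default
        return False, f"fc {fc} not permitted from zone '{zone}'"
    if fc in (FC_WRITE_REG, FC_WRITE_REGS):
        if len(m["data"]) < 4:
            return False, "write PDU truncated"
        addr = struct.unpack(">H", m["data"][:2])[0]
        count = 1 if fc == FC_WRITE_REG else struct.unpack(">H", m["data"][2:4])[0]
        if not all(a in WRITABLE_REGS for a in range(addr, addr + count)):
            return False, f"write to register 0x{addr:04x} (count {count}) outside writable window"
    return True, f"fc {fc} from '{zone}' accepted"


def build_frame(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Assemble a Modbus/TCP request; used here only to construct sample traffic."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


if __name__ == "__main__":
    samples = [  # constructed sample frames
        ("read 10 holding regs", "corporate",   build_frame(1, 1, FC_READ_HOLDING, bytes.fromhex("0000000a"))),
        ("write reg 0x0105",     "corporate",   build_frame(2, 1, FC_WRITE_REG, bytes.fromhex("01051234"))),
        ("write reg 0x0105",     "engineering", build_frame(3, 1, FC_WRITE_REG, bytes.fromhex("01051234"))),
        ("write reg 0x0200",     "engineering", build_frame(4, 1, FC_WRITE_REG, bytes.fromhex("02000001"))),
        ("force listen-only",    "engineering", build_frame(5, 1, FC_DIAGNOSTICS, bytes.fromhex("00040000"))),
        ("bad length field",     "corporate",   bytes.fromhex("0006000000090103")),
    ]
    for name, zone, frame in samples:
        allowed, why = evaluate(frame, zone)
        print(f"{'ALLOW' if allowed else 'DENY ':5} {name:22} {zone:12} {why}")
```

The point of the example is the decision order: frame well-formedness first, then function codes that are never acceptable across the boundary (diagnostics), then the per-zone table, then the argument-level check on where a write lands. A port-based firewall can express none of the last three, which is exactly the "blind to high-level command and control language" gap the slide names.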
Classical firewalls are attackable
Let's look at the number of serious firewall vulnerabilities reported between 2005-2007
Year | DoS | Intrusion | DoS+Intrusion
2005 | 11 | 9 | 20
2006 | 8 | 15 | 23
2007 | 21 | 15 | 36
2008 | 3 | 3 | 6
Source: National Vulnerability Database (USA) (http://nvd.nist.gov/). The table does not present all reported vulnerabilities. The trend has continued in recent years.
Common misconceptions (4)
Security techniques are an obstacle in RTE systems, which have to make progress at the pace of the environment, sometimes be fast, and remain available
REALITY: RTE systems must above all be correct; insecurity is not an acceptable tradeoff, since it may mean high losses
Fail-safe mechanisms of the control devices prevent intrusions from leading to catastrophic failures
REALITY: true only for some local devices; use of COTS increasingly invalidates this; impossible to define 100% coverage for fail-safe mechanisms and yet allow human manoeuvre; high-level system controls may be deceived
Common misconceptions (5)
RTE system operators are honest and competent
REALITY: it takes just one exception to do damage, but even if all system operators were honest and competent, whoever is using their computer accounts may not be
Denial syndrome: "After all, RTE systems are secure and safe, nothing really serious has ever happened!"
REALITY: serious things have already happened; the best known case is Stuxnet, but the bottom of the iceberg is much bigger and remains classified in many countries
Networked Control Systems: threats
[Figure: feedback control loop of a generator: command and monitoring data cross a firewall to reach the AVR (automatic voltage regulator), the protection device and the generator G]
How possible are intrusions? SCADA cyber security under fire
Can an attacker manipulate a SCADA data stream to precipitate a large-scale outage?
Previous studies suggest this is possible
Past events reinforce this conclusion (US/Canada blackout)
"...FE did not respond to the loss of its transmission lines because it did not have sufficient information or insight to reveal the need for action"
Source: US-Canada Power System Outage Task Force: "Final Report on the August 14, 2003 Blackout in the United States and Canada: Causes and Recommendations"
Recent studies (TCIP project) indicate the black-out could have been caused by cyber-attackers
Can such malicious activity be detected while the attack is in progress?
A (very) hard problem
A concrete example
... the digital-electrical connection ...
A Hierarchical Voltage Regulation example (CRUTIAL project)
[Figure: hierarchical voltage regulation: the upper level defines set points; the Automatic Voltage Regulator (AVR) controls the generator towards the set point through the controller and the control variables]
... and intrusions have happened!
Nuclear plant under attack! (January 2003)
The Slammer worm penetrated the control systems of a nuclear power plant in Ohio (Davis-Besse Nuclear Plant) and caused two critical monitoring systems to stop.
[Figure: the propagation path]
(0) Slammer worm on the Internet
(1) A well-configured Internet firewall stops the worm
(2) The worm enters the unprotected supplier network
(3) The worm propagates from the supplier to the SCADA network through an un-monitored T1 link
(4) The worm overloads the control networks, causing a 6-hour stop of two supervisory systems
Insider Threat
Stuxnet worm (2010)
sophisticated piece of computer malware designed to sabotage industrial processes controlled by Siemens SIMATIC WinCC, S7 and PCS 7 control systems
used both known and previously unknown vulnerabilities to spread; evaded state-of-the-practice security technologies
self-replicates and spreads in a number of ways: removable drives; LANs; network shares; database servers
updates itself through a peer-to-peer mechanism within a LAN
Simulation of cyber attack (March 2007)
2007, USA, DoE Idaho Lab: simulated network-based attack, as if from the Internet, against a power generator.
The attack shook and destroyed the generator
State of play: the present!
Basic security and dependability engineering is required to place electrical critical information infrastructures (CII) at least at the resilience level of commercial ICT systems
deadline: NOW
Constraints:
requires combined computer and electrical engineering knowledge
some current IT security techniques can negatively affect RTE system operation (availability, timeliness, ...)
But this is not enough...
Insight on the future
Why don't we have more accidents?
How much time have we?
Where do we go from here?
Strategic Cyber Defense for Critical Infrastructures
Usual approaches: perimeter defense?
Why not secure "borders" (e.g. CII boundaries) better?
Better intrusion detection, firewalling, ...?
Better InfoSec policies?
Strategic Cyber Defense for Critical Infrastructures
Perimeter defense alone is hopeless given the "open virtual border" situation depicted
We need complementary paradigms:
defense in depth
graceful degradation
automatic remediation
intrusion tolerance and self-healing
adaptive security
We need technologies fulfilling these paradigms for CII protection
A research grand-challenge for architecting Critical Information Infrastructures
Make CII withstand continued combinations of faults and intrusions in an automated way
What do we need?
AUTOMATIC SECURITY
Designing Trusted-Trustworthy computing systems in a nutshell
we want systems to operate through faults and attacks in a seamless manner, in an automatic way: Preventing, Tolerating Faults and Intrusions
we want systems to endure the fact that operating conditions and environments are more uncertain and/or hostile: Handling Increasing Attack Severity
we want systems to be deployed in an unattended manner: Resisting Continued Attacks
we want systems to attain very high levels of assurance: Validating, Assessing Fault/Attack Assumptions
See: Handbooks in Information Systems, Volume 4, Information Assurance, Security and Privacy Services, H. Rao & S. Upadhyaya (Eds.), Elsevier 2009, Chap. 22: Intrusion-Resilient Middleware Design and Validation. P. Veríssimo, M. Correia, N. Neves, P. Sousa.
CRUTIAL: Critical Utility InfrastructurAL Resilience
STREP Project FP6-2004-IST-4-027513. Coordinator: CESI RICERCA SpA. January 2006 - December 2008
Vision: resilient distributed power control in spite of threats to the information and control infrastructures
Objectives:
provide modelling approaches for understanding and mastering the various interdependencies among power, control, communication and information infrastructures
investigate distributed architectures enabling dependable control and management of the infrastructure
[Figure: power control infrastructures at the centre, linked to models, architectures and evaluations]
Introduction
• The architecture for CRUTIAL is based on the concept of a WAN-of-LANs
– Each LAN represents a critical infrastructure facility
– A non-trusted WAN interconnects all LANs
• At the gates of each LAN there is a protection device called CIS (CRUTIAL Information Switch)
– It enforces fine-grained security policies
– It is highly dependable (intrusion-tolerant)
• CII as a WAN-of-LANs:
– only CIS are dedicated
– preserves legacy devices
[Figure: substations A, B and C (station network, PLC network, process network, control network, historian network), the utility corporate network, telco and Internet sites, all joined through the WAN, with a CIS at each LAN gate]
EC, Brussels, March 2007
Architectural devices in CRUTIAL
• Weak assumptions: hostile and incompletely defined interconnection environment
[Figure: facilities (local networks of nodes and PLCs, a modem server on the PSTN) attached through CIS to a hostile WAN/Internet environment]
Architectural devices in CRUTIAL
• Intrusion tolerance for trust
[Figure: the same facility / CIS / hostile environment topology]
Architectural devices in CRUTIAL
• Trusted/trustworthy services out of non-trusted components
[Figure: the same topology; the CIS provide trusted/trustworthy services out of non-trusted components inside the hostile environment]
CRUTIAL Reference Architecture
• CRUTIAL Information Switches (CIS):
• appliances controlling the info flow
• CIS can be replicated (fault and intrusion tolerance)
• CIS cooperate to implement services
• a number of CIS can be corrupted
[Figure: the same topology, with the CIS at the gate of each facility]
Networked Control System revisited
Remember that the firewall can be attacked and compromised!!
[Figure: the generator feedback control loop of the earlier slide; the attacker ("I'm malicious!") sits on the firewall between command/monitoring data and the AVR, protection device and generator]
CIS Intrusion Tolerance: non-replicated case
[Figure: incoming traffic passes through a single CIS to the station computer on the control network; a compromised CIS ("I'm malicious!") lets an invalid message (e.g., MMS) through]
CIS Intrusion Tolerance: replicated case
[Figure: a traffic replicator (e.g., a hub) feeds the incoming traffic to several CIS replicas in front of the station computer; one compromised replica forwards an invalid message]
The station computer cannot accept a message approved by a single CIS replica (it can be faulty)
CIS Intrusion Tolerance: an abstract solution
[Figure: incoming traffic is replicated (e.g., hub) to the CIS replicas; a trusted voter in front of the station computer forwards a message to the control network only when f+1 replicas approve it]
f = max. number of faulty CIS replicas
Intrusion-Tolerant Firewalls
• Intrusion-tolerant firewall
– A replicated FW, called CIS, which inspects packets taking into account application-level semantics and organizational policies
• Fundamental assumption: each replica is different and fails independently
– A message only passes through the firewall if the majority of the replicas approve it (2 out of 3 in the demo)
[Figure: incoming traffic, hub, three CIS replicas, hub, controller (x = dP(V,f)/dt) and generator; the approved message is signed]
CIS Intrusion Tolerance
• How to build the trusted voter?
– Another machine: single point of failure
– Station computer:
• we cannot modify the application software;
• it is undesirable to replicate the traffic going to the LAN
– CIS replicas:
• threshold signatures can be used to put trust on a set of servers, but it's too costly;
• another option is taking a detour... wormholes, or trusted-trustworthy components
Cheap CIS Intrusion Tolerance
[Figure: incoming traffic, hub, 2f+1 CIS replicas each with a local wormhole (W), hub, station computer on the control network]
Policy enforcement: message voting is made outside the wormhole
CIS gives the message to W, which returns a ballot
If f+1 votes are presented to W, it produces a message MAC
2f+1 replicas
CIS forwards messages after a random delay
Station computers use IPsec, so they only accept messages with a MAC
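The voting scheme of the last three slides (replicated CIS, f+1 ballots out of 2f+1 replicas, a trusted component that releases a MAC, station computers that accept MAC'd messages only), as an added simulation. It is not CRUTIAL's code. The Wormhole/LocalPort classes, HMAC-SHA256 in place of the slides' unspecified MAC, the shared demo key and the READ/WRITE message format are assumptions made for the example. The reason 2f+1 replicas and f+1 ballots suffice is carried in the two helper functions: with at most f compromised replicas, any f+1 identical ballots include at least one from a correct replica, and the f+1 correct replicas can always reach that count on their own.

```python
import hashlib
import hmac
import random
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Set


def replicas_needed(f: int) -> int:
    """2f+1 replicas: f may be compromised and the f+1 correct ones still form a quorum."""
    return 2 * f + 1


def quorum(f: int) -> int:
    """f+1 identical ballots: at least one of them comes from a correct replica."""
    return f + 1


class Wormhole:
    """Model of the trusted component W (hypothetical; the real one is distributed).

    W holds the MAC key it shares with the station computer, counts ballots per
    message digest and releases a MAC only once f+1 distinct replicas have voted.
    It never evaluates policy: that stays outside the wormhole, in the untrusted CIS.
    """

    def __init__(self, f: int, mac_key: bytes):
        self.f = f
        self._key = mac_key
        self._ballots: Dict[bytes, Set[int]] = defaultdict(set)

    def attach(self, replica_id: int) -> "LocalPort":
        # Each replica only ever holds its own port, so a compromised replica
        # cannot cast ballots in another replica's name.
        return LocalPort(self, replica_id)

    def _vote(self, replica_id: int, message: bytes) -> Optional[bytes]:
        digest = hashlib.sha256(message).digest()
        self._ballots[digest].add(replica_id)
        if len(self._ballots[digest]) >= quorum(self.f):
            return hmac.new(self._key, message, hashlib.sha256).digest()
        return None


class LocalPort:
    def __init__(self, w: Wormhole, replica_id: int):
        self._w, self._id = w, replica_id

    def ballot(self, message: bytes) -> Optional[bytes]:
        return self._w._vote(self._id, message)


class CISReplica:
    """Untrusted CIS payload: runs the policy check, then votes through its port."""

    def __init__(self, port: LocalPort, policy: Callable[[bytes], bool], compromised: bool = False):
        self.port, self.policy, self.compromised = port, policy, compromised

    def handle(self, message: bytes) -> Optional[bytes]:
        # a compromised replica approves anything, including an attacker's command
        approved = True if self.compromised else self.policy(message)
        return self.port.ballot(message) if approved else None


class StationComputer:
    """Accepts a message only with a valid MAC (the slides' IPsec leg)."""

    def __init__(self, mac_key: bytes):
        self._key = mac_key

    def accept(self, message: bytes, mac: Optional[bytes]) -> bool:
        if mac is None:
            return False
        expected = hmac.new(self._key, message, hashlib.sha256).digest()
        return hmac.compare_digest(expected, mac)


def deliver(replicas: List[CISReplica], station: StationComputer, message: bytes) -> bool:
    """All replicas see the message (the hub); whichever completes the quorum forwards the MAC."""
    order = list(replicas)
    random.shuffle(order)                  # stands in for the random forwarding delay
    mac = None
    for r in order:
        result = r.handle(message)
        if result is not None:
            mac = result
    return station.accept(message, mac)


def build_setup(f: int, compromised: int, policy: Callable[[bytes], bool]):
    """2f+1 replicas around one wormhole; the first `compromised` replicas are malicious."""
    key = hashlib.sha256(b"constructed demo key, not a real secret").digest()
    w = Wormhole(f, key)
    replicas = [CISReplica(w.attach(i), policy, compromised=i < compromised)
                for i in range(replicas_needed(f))]
    return replicas, StationComputer(key)


def read_only_policy(message: bytes) -> bool:
    """Stand-in for the application-level policy (hypothetical message format)."""
    return message.startswith(b"READ ")


if __name__ == "__main__":
    replicas, station = build_setup(f=1, compromised=1, policy=read_only_policy)
    print("valid read  :", deliver(replicas, station, b"READ holding 0x0105"))
    print("trip command:", deliver(replicas, station, b"WRITE breaker open"))
```

Two things the simulation makes visible that the slide does not: a compromised replica that approves an attacker's command alone never gets a MAC, so the station computer's IPsec check rejects it without any change to the application software; and the guarantee is exactly as strong as the f assumption, since two compromised replicas out of three do reach the f+1 quorum (which is why the ITCIS-PRR variant on the next slide adds recovery to keep the number of compromised replicas below f over time). Freshness is not modelled: a replayed message already at quorum gets its MAC again, so a deployed W would also bind a sequence number into the MAC.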
4. ITCIS with Proactive and Reactive Recovery (ITCIS-PRR)
[Figure: the replicated CIS set-up of the previous slides; a compromised replica ("I'm malicious!") is told "Reboot now!" and recovered while the others keep serving the controller and generator]
Conclusions
Computer Sec&Dep cannot be an afterthought: build it in, don't bolt it on! Hackers, competitors, criminals and terrorists will not wait till you're ready
Cyber-Physical infrastructures are a key point: computer security is no longer a realm of ICT systems only
Bang! is different from Crash: a cyber-borne catastrophe may "never" happen, but "if" it happens the cost may be tremendous, in material and immaterial assets (devices and image)
Some references:
Highly Available Intrusion-Tolerant Services with Proactive-Reactive Recovery. Paulo Sousa, Alysson Bessani, Miguel Correia, Nuno Ferreira Neves, Paulo Veríssimo. IEEE Transactions on Parallel and Distributed Systems, vol. 21, no. 4, pp. 452-465, Apr. 2010.
Intrusion-Resilient Middleware Design and Validation. Paulo Veríssimo, Miguel Correia, Nuno Ferreira Neves, Paulo Sousa. Information Assurance, Security and Privacy Services (Handbooks in Information Systems, volume 4), Emerald Group Publishing Limited, pp. 615-678, 2009.
Designing Modular and Redundant Cyber Architectures for Process Control: Lessons learned. Paulo Veríssimo, Alysson Bessani, Miguel Correia, Nuno Ferreira Neves, Paulo Sousa. Proceedings of the 42nd Hawaii International Conference for the Systems Sciences (HICSS-42), Waikoloa, Hawaii, January 2009.
The CRUTIAL Way of Critical Infrastructure Protection. Alysson Bessani, Paulo Sousa, Miguel Correia, Nuno Ferreira Neves, Paulo Veríssimo. IEEE Security and Privacy, vol. 6, no. 6, pp. 44-51, Nov/Dec 2008.
The CRUTIAL Reference Critical Information Infrastructure Architecture: A Blueprint. Paulo Veríssimo, Nuno Ferreira Neves, Miguel Correia. International Journal of System of Systems Engineering, vol. 1, no. 1/2, pp. 78-95, 2008.
"It's been long since a padlock was enough to get you security ..."
Thank you
Paulo Veríssimo
Univ. Lisbon, Portugal
http://www.di.fc.ul.pt/~pjv