Quantifying availability in SCADA environments using the cyber security metric MFC Anis Ben Aissa Université de Tunis El Manar Ecole Nationale d’Ingénieurs de Tunis +216-98-692-415
Latifa Ben Arfa Rabai
Robert K. Abercrombie, Frederick T. Sheldon
Université de Tunis
Oak Ridge National Laboratory Oak Ridge, TN 37831 USA SIEMENS Industry US CS VS Industrial Security Services
Institut Supérieur de Gestion de Tunis
[email protected]
[email protected]
ABSTRACT SCADA systems are distributed Networks over large geographic areas that aim to monitor and control industrial processes from remote areas or central location. They are used in the management of critical infrastructures such as electricity and energy systems, water distribution, and oil production. Availability of SCADA systems has become a basic issue to assure the safety and the security. In this paper, we propose a new cyber measure for quantifying the availability through the Mean Failure Cost “MFC”. We introduce a new metric called Cyber Econometric Availability “CEA” Based on Availability classical formula and the MFC measure. The new metric offers a computational infrastructure that allows an analyst to estimate the availability of a system in terms of the loss that each stakeholder stands to sustain as a result of security breakdowns.
General Terms Measurement, Economics, Reliability, Security.
Keywords Availability, Security measures, Dependability, Security requirements, Threats.
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for thirdparty components of this work must be honored. For all other uses, contact the Owner/Author. Copyright is held by the owner/author(s). CISR '14, Apr 08-10 2014, Oak Ridge, TN, USA ACM 978-1-4503-2812-8/14/04. http://dx.doi.org/10.1145/2602087.2602103
[email protected] [email protected]
Ali Mili College of Computing Sciences New Jersey Institute of Technology Newark NJ 07102-1982 USA +1 973-596-5215
[email protected]
1. INTRODUCTION The architecture of SCADA systems is based on internet connection and wireless technologies that makes it more vulnerable to the new security challenges including internal and external cyber attacks. Examples of SCADA security incidents [1]: - In 2000, Vitek Boden a disgruntled employee has gained unauthorized access into a compromised management system in Australia. As a consequence, millions of litres of raw sewage have been spilled out into local parks and rivers, pumps failed to start or stop when specified, and alarms failed to be reported. - In 2006, an overload of network traffic cause a failure of a number of reactor recirculation pumps in the Browns Ferry nuclear plant in Alabama, US. - In 2009, Chinese and Russian spies have penetrated in the U.S electrical power grid, and have left disruptive software programs using network mapping tools. The Critical infrastructure of SCADA systems needs to be available at all times. Continuous availability requires strong security processes to protect against cyber attacks. The remainder of this paper is organized as follows: in section II, we start by providing background on SCADA systems. In section III, we present the mean failure cost metric as a measure for security. In section IV, we introduce a new metric to quantify availability called Cyber Econometric Availability. We end this paper by a description of the proposed measure, and its advantages to classical formula.
2. BACKGROUND ON SCADA SYSTEM The IEEE standard C37.1-2007 defines SCADA as: "A system operating with coded signals over communication channels so as to provide control of RTU equipment. The supervisory system may be combined with a data acquisition system by adding the use of coded signals over communication
channels to acquire information about the status of the RTU equipment for display or for recording functions".
2.1 SCADA Architecture The SCADA system consists of several components that communicate with each other. Based on several studies such as [2,3] that have focused on SCADA architecture, we propose the following classification:
dependability, such as reliability, availability, safety, since it makes no distinction about what causes the potential loss/ cost. Finally, it makes no distinction between reliability and safety, since it captures (over a continuum of costs) all potential losses, regardless of whether they stem from failing a high stake / low probability requirement (safety) or from a medium stake/ medium probability requirement (reliability). The Mean Failure Cost is defined as:
2.1.1 Hardware SCADA Components
Corporate network segment: it operates in the same way as a general ICT network, thus, it performs the same operations such as e-mail-communication, requiring an Internet connection and marketing. SCADA network segment: it contains servers, workstations, Human Machine Interface and historian. Field devices segment: this segment contains three types of fields which are PLCs, RTUs and IEDs.
2.1.2 Software SCADA components
Software components integrate [2,3]: Protocols: some of these protocols are common and found in general ICT which are TCP and UDP. While some are unique and only found within industrial networks such as CIP, ModBus, Fieldbus, DNP3 and Profibus. Operating systems: Current SCADA system uses common Windows NT software.
2.1.3 SCADA communication components
As discussed in [2,3], communication links integrates: Physical connection includes optical fiber, radio, satellite, etc. SCADA networks are connected to the Internet through a gateway. Logical connection: current SCADA uses standard logical network topologies which means the way in which information circulate through physical links.
MFC = ST ° DP ° IM ° PT Where:
2.2 Security issues on SCADA system The CIA triad (confidentiality, integrity and availability) is one of the core principles of information security. In 2013, based on the extensive literature analysis, the Information Assurance & Security (IAS) Octave has been developed and proposed as an extension of the CIA-traid. The IAS Octave includes confidentiality, integrity, availability, privacy, authenticity & trustworthiness, non-repudiation, accountability and auditability. The importance of security requirements depends on the nature/role of the system. The requirements in SCADA systems are different and focus on health, safety, environment factors and operational availability/reliability.
3. THE MEAN FAILURE COST AS A MEASURE OF SECURITY In [5,6,7], Ben Aissa et al introduce a value-based metric that quantifies the security of a computing system by the statistical mean of the random variable that represents for each stakeholder, the amount of loss that results from security threats and system vulnerabilities. This metric, which we call the Mean Failure Cost (MFC), varies by stakeholder, and takes into account the variance of the stakes that a stakeholder has in meeting each security requirement. Also, it can be extended beyond security to capture other aspects of
ST: The stake matrix filled by stakeholders according to the stakes they have in satisfying individual requirements; it is composed of the list of stakeholders and the list of security requirements. Each cell expressed in dollars monetary terms and it represents loss incurred and/or premium placed on requirement. ST (Hi, Rj): Is the stake that stakeholders Hi has in meeting requirement Rj. DP: The dependency matrix is filled in by the system architect (i.e., cyber security operations and system administrators) according to how each component contributes to meet each requirement; each cell represents probability of failure with respect to a requirement given that a component has failed. DP (Rj, Ck): The probability that the system fails to meet requirement Rj if component Ck is compromise. IM: The impact matrix (IM) is filled by analysts according to how each component is affected by each threat; each cell represents probability of compromising a component given that a threat has materialized, it depends on the target of each threat, likelihood of success of the threat. IM (Ck, Th): The probability that Component Ck is compromised if Threat Th has materialized. PT: The vector of threat characterizes the threat situation by assigning to each threat category the probability that this threat will materialize over a unitary period of operation time.
4. MFC AS A MEASURE OF AVAILABILITY Availability is a measure of the amount of time a system or component performs its specified function. Availability is related to reliability, but different than reliability. Reliability measures how frequently the system fails; availability measures the percentage of time the system is in its operational state. To calculate availability, both the Mean Time Between Failure (MTBF) and the Mean Time To Recovery (MTTR) need to be known. The MTTR is a measure of how long, on average, it takes to restore the system to its operational state after a failure. If both the MTTF and the MTTR are known, availability can be calculated using the following formula:
Avail
MTBF MTBF MTTR
We noticed that the formula of availability has some downsides:
Independence with respect stakeholders.
Independence of the components which have failed to ensure the availability. Independence of threats which have caused the unavailability. In this section we propose to quantify the availability through the MFC. We will compare the advantage of the new formula to the original formula. MFC is generally a formula used for measuring security of systems and it can be extended to measure a single attribute of dependability which is the mean failure cost of availability. We suppose that the availability is decomposable and we consider that the MFC has the same definition and presented by the following formula:
MFC ST ' DP ' IM PT ( n 1)
(1h )
( h p ) ( p 1)
We consider a system S, we let H1, H2, H3…Hk the stakeholders and C1, C2, C3…Ck the components of system.
ST′: Is an extension of the stakes matrix, in which we consider the availability requirement as a column vector. So the ST′ present the stake of stakeholder Hi for availability attribute (table 1). Table 1: Stakes Matrix
H1 …Hi…
Stakeholders
k h 1
AVAIL P(C ) 1 AVAIL k 1
k
5. CYBER ECONOMETRIC AVAILABILITY The availability as already defined in a previous section by the ratio which expresses the functional system time in relation to that desired to be. The unavailability is not necessarily a failure in the system, but it can includes active preventive and/or corrective maintenance. Indeed, the unavailability ensures overall failure and incontinuity of operation. That‟s means having a system available for a period T is having a guarantee of reliability for this period. Availability of a system is defined as the ratio of time, say Avail, that the system is operational. If we want to redefine availability in value-oriented terms, we may want to consider three factors: • The gain, per unit of time, achieved by stakeholder K from the system being operational; we denote this by G(K). If we consider an airline reservation system and let K be an airline company, then G(K) represents the average income gained from sales completed per unit of operational time. • The loss, per unit of time, incurred by stakeholder K from the system being down; we denote this by MFC(K). If we consider an airline reservation system and let K be an airline company, then MFC(K) represents lost business, lost productivity , lost customer loyalty , etc, caused by downtime.
Availability
ST’
The DP′ present the set of events of failure of the components Ck which present a full space of availability as:
• AVAIL: The availability value
The stake of stakeholder Hi for the availability attribute
Using these quantities and the MFC, we can define a valueoriented version of availability named Cyber Econometric Availability as:
CEA( K ) ( AVAIL G( K )) (1 AVAIL) MFC ( K ) so:
Hn
CEA( K ) ( AVAIL G( K )) ( AVAIL MFC ( K )) 5.1.1 Illustration: An SCADA system application
DP′: Is an extension of the dependency matrix, in which we consider the availability as a line vector (table 2). Table 2: Dependency Matrix
Components
DP’
Availability
C1
…Ck… Probability of unavailability. Caused by the component Ck
Ch-1
No Failure Probability of availability
We have applied the new formula on SETG2 system (company of electric power and natural gas). In our case of study “STEG Company”, the number of failures is very high and the mean time between failures is around 182,5 hours. The maintenance teams need around 3hour to repair the system. Applying the classic formula of the availability for one hour:
Avail
MTBF 182,5 98,382% MTBF MTTR 182,5 3
The classical formula of availability is inadequate to define if the system is profitable or not. The ratio Avail of the availability of a system has a value in [0, 1].
2
www.steg.com.tn
If:
6. CONCLUSION
The SCADA systems have a critical infrastructure characterized by interdependencies (physical, cyber, geographic, and logical) and complexity (collections of interacting components). Therefore, high availability is needed for all stakeholders in system. The classical formula based on time between failure and time to recovery doesn‟t satisfy the dependences of system: stakeholders, components and threats.
Avail=1: the percentage of availability of the system is 100% (high level of availability). Avail=1: The system is unavailable Avail in ] 0,1[: the system is not guaranteed to be available. In all three cases the value of Avail doesn‟t give us an idea of the system profitability. To make the rate of availability more significant we have applied the formula of Cyber Econometric Availability to steg company. We have simplify our study on 4 stakeholders (Maintenance personnel, System Administrator, Technical staff and Controllers). In this abstract, we will not explain in details the steps that allows us to calculate CSE for stakeholders. We are interested by explain the infrastructure needed it to apply the formula for scada systems. Table 3 show the MFC, Gain and CEA for the stakeholders selected. Table 3: Cyber Econometric Availability Stakeholders
MFC ($/hour)
Gain ($/hour)
CEA ($/hour)
Maintenance Personnel
6436,946
340,15
104,149
System Administrator
3735,156
197,83
60,434
Technical staff
3218,473
170,07
52,074
Controllers
11739,258
620,34
420,361
The new formula Cyber Econometric Availability “CEA” evaluate the availability of the system in terms of the gain/loss ($/hour of operation) that each stakeholder stands to sustain as a result of availability breakdowns. If:
CEA (K) =G(K): the system is available with an average of 100% gain per unit of time ). CEA (K) = MFC (K): the system is unavailable and the MFC (k) is the average loss per unit of time. (Avail-1)×MFC< CEA (K) < 0: The system is available but not profitable. Avail×G(K) > CEA(K) > 0 : The system is available and profitable. In the list selected, all stakeholders are profitable but if we choose other stakeholders witch gain is based on electric power like monitoring companies it can be not profitable
In this paper we presented a new measure named Cyber Econometric Availability where we have redefined the availability of system as an econometric measure for all stakeholders in system.
7. REFERENCES [1] Bill Miller, and Dale C. Rowe, “A Survey of SCADA and Critical Infrastructure Incidents,” Proceedings of 13th conference SIGITE/RITI, 2012. [2] V.M. Igure, S.A. Laughter and R.D. Williams, „Security issues in SCADA networks‟, Computers & Security, (2006) Vol. 25 (7), pp. 498-506. [3] Mariana Hentea, “Improving Security for SCADA Control Systems”, Interdisciplinary Journal of Information, Know ledge, and Management Volume 3, 2008. [4] A. Nicholson, S. Webber, S. Deyer, T. Patel and H. Janicke, „SCADA security in the light of Cyber-Warfare‟, Computers & security, (2012) , Vol. 31, pp. 418-136. [5] Anis Ben Aissa, Robert K. Abercrombie, Frederick. T. Sheldon, and Ali Mili, “Quantifying Security Threats and Their Potential Impact: A Case Study,” in Innovation in Systems and Software Engineering: A NASA journal, 2010. [6] M. Jouini, A. Ben Aissa, L. Ben Arfa Rabai, A. Mili, "Towards quantitative measures of Information Security: A Cloud Computing case study ", International Journal of Cyber-Security and Digital Forensics (IJCSDF) 1(3), pp. 248-262 (2012). [7] Latifa Ben Arfa Rabai,Mouna jouini, Anis Ben Aissa and A. Mili, “A cybersecurity model in cloud computing environments,” Journal of King Saud University - Computer and Information Sciences, Sciences Direct, Volume 25, Issue 1, January 2013, Pages 63–75.
