Towards Compositional ICT for Critical Infrastructure Protection
Carl Hauser and David Bakken
Washington State University
Pullman, Washington, USA
{chauser,bakken}@wsu.edu
Neeraj Suri
TU Darmstadt
Darmstadt, Germany
Roberto Baldoni
Univ. of Rome “La Sapienza”
Rome, Italy
Abstract
This document suggests a new, compositional approach to ICT for critical infrastructures. It outlines some of the key functional and QoS considerations in the approach and suggests a research agenda meriting consideration by the DSN community and interested funding agencies.
1. Introduction
The information and communication technology (ICT) supporting critical infrastructures (CI-ICT) has historically been built to meet the specific needs of each critical infrastructure. Typically, CI-ICT is:
• Domain-specific: designed primarily for the needs of the domain of the particular CI
• Application-specific: designed primarily to accommodate a fixed and known set of application programs
• Technology-specific: designed to utilize primarily (a subset of) the technologies available when the infrastructure was created
• Topology-specific: designed to support a particular, fixed communications topology between entities in the infrastructure
• QoS-specific: designed to support only the quality of service (QoS) and security needed when the system was created
There is widespread recognition in recent years that this approach results in CI-ICT that is expensive, brittle, and that fails to provide adequate support for critical infrastructure protection against both operational and malicious perturbations. Applied and focused research is necessary to extend the state of the art to remove some or all of the limitations outlined above. For example, reducing the application-specific limitation would allow an infrastructure to better support application programs as current ones evolve and new ones are devised. Removing domain-specific limitations would allow CIP R&D to be leveraged across multiple critical infrastructures, for example to utilize communication overlays onto a power-grid CI.
Removing technology-specific limitations would allow critical infrastructures to better “ride the technology curve,” incorporating new networking, QoS, and cyber-security related technologies as they become available over time. Removing topology-specific limitations would allow a CI to be more readily extended to incorporate new infrastructure assets and to accommodate long-term changes in the patterns of communication. Removing QoS-specific limitations would help provisioning of QoS and security properties, and the tradeoffs between them, to support the needs of current and future applications for a given critical infrastructure.
2. Synergistic CI-ICT
What is needed is a new paradigm, the “synergistic CI-ICT”, where the ICT information infrastructures are still designed to meet the specific CI needs¹ on a standalone basis while factoring in extensibility and external interfacing as a design-stage guideline. This would be a key philosophical change in the approach to creating CI-ICT. It leverages the fact that information and communication technology evolves much faster than does the technology of CIs such as electric power, water, gas, etc. With a design approach that recognizes the importance of adaptability, CI-ICT would make critical infrastructures themselves more flexible and adaptable. State-of-the-art CI-ICT would enhance the quality of the provided CI services, including the security and dependability of joint CI and ICT operations.
The ambitious goal to bring critical infrastructures to the point where they can track and take advantage of the state of the art in ICT could well take 2 to 3 decades to accomplish. Getting there first requires fundamental and applied CI-relevant ICT research. An important part of this focused research is to develop growth-oriented “compositional” middleware frameworks with secure and dependable building blocks, high-level programming support and support tools, validation suites, etc. The approach is to make such ICT usable and deployable by companies whose primary expertise is in their CI domain rather than in the nuances of dependable and secure ICT with QoS—a relatively uncommon specialty even for ICT companies. The components of these new frameworks must be composable so that dependable, predictable, and secure services can be provided across the varied corporate and governmental entities involved in a given CI.
¹ In reality, cost and functionality are, and will tend to remain, the prime drivers for any CI.
3. Towards Compositional ICT for CIs
CI-ICT needs to address many factors including 1) interoperability with preexisting, diverse IT infrastructures of the many players involved in CI operations, and 2) the economic and risk cases, along with the technical cases, for non-functional QoS properties such as performance, responsiveness, predictability, security and trust. It appears to be essential to create CI-ICT systems by composing building blocks in order to take advantage of economies of scale and to allow the necessary flexibility to market players. A building block approach also provides re-usable, re-configurable assets for use by people in constructing/reconstructing CI-ICT systems in recovery situations. However, given stringent QoS requirements it is not possible, using today’s technology and methods, to create CI-ICT systems that meet interoperability and QoS requirements by design.
We therefore advocate developing a long-term research program directed at creating a “science” for CI-ICT systems and at creating a science of engineering for CI-relevant ICT non-functional properties. The suggested research topics in the program (a partial list) should include:
1. Requirements capture for CI-ICT systems, and specification of non-functional properties of systems and systems of systems. This specifically includes specification of both attack and recovery scenarios as part of the design schema.
2. A science of composition—identifying, specifying & reasoning about interfaces for interactions between CIs, CI-ICTs, & their components.
3. Identification, characterization and specification of CI-ICT building blocks for meeting both functional and QoS requirements of CI-ICT.
4. Metrics and methods for assessment and validation of non-functional properties of compositions of building blocks. Quantification of benefits (economic and technical) would help provide increased confidence in ICT systems.
5. Development of testbeds for (a) essential scientific assessment and (b) confidence building by demonstrating non-intrusive ICT couplings with actual CIs. Apart from their technical utility, testbeds provide a forum to refine policy processes, to make explicit the interactions between technological and organizational layers, and to facilitate the community-building process².
6. Methods for relating failures of combined CI and CI-ICT systems to failures of components or failures of composition.
7. Paradigm shifts such as moving from cyber intrusion-detection to intrusion tolerance and intrusion avoidance.
8. Preventive and reactive CI-ICT mechanisms for detecting, isolating and responding to attacks, disruption or disaster scenarios.
9. Development of secure and resilient computing, communication and middleware technologies to enable response behaviors such as adaptive self-healing and adaptive self-defense by CI-ICT components.
Examples of CI-ICT issues in the electric power grid can be found at [1,2] and in the links at [3].
4. References
[1] Carl Hauser, David Bakken, and Anjan Bose. “A Failure to Communicate: Next-Generation Communication Requirements, Technologies, and Architecture for the Electric Power Grid”, IEEE Power and Energy, 3(2), March/April, 2005, 47–55.
[2] D. Bakken, A. Bose, C. Hauser. EC Efforts in SCADA-Related Research: Selected Projects. Technical Report EECS-GS-008, Washington State University, 20 October, 2006. Available via http://www.gridstat.net/EC/EC-SCADA-CIP-Report.pdf
[3] www.gridstat.net/EC/
² The high cost of such developments could be shared among initiatives carried out by the EU, the US, Japan, and others.