Final Report. Study on Critical Dependencies of Energy, Finance and Transport Infrastructures on ICT Infrastructure. European Commission

Transcription

1 Finance and Transport s on ICT Final Report On Study on Critical Dependencies of Energy, Finance and Transport s on ICT On behalf of the European Commission DG Justice, Freedom and Security Version V1.0 - submitted Last Update: 10/08/2009 Industrieanlagen-Betriebsgesellschaft (IABG) mbh Berlin Office Alt Moabit Berlin Germany Dr. Stephan Gottwald ( gottwald@iabg.de

2 Finance and Transport s on ICT History Version Edited by Date Remark 1.0 Dr. Stephan Gottwald Final Version Final Report Version - Status: V1.0 - submitted 2 / 137

3 Finance and Transport s on ICT Table of Content Executive Summary Introduction Background Objectives and Main Purpose of the Study Project Embedding Approach and Methodology Key Terms Selection Criteria and Process Modelling Identifying European Critical s Identifying high ICT-dependent ECI ICT Threats and Vulnerabilities Critical Technical Objects and Processes Sector Energy s Sub-sector Electricity Sub-sector Gas Sub-sector Oil Sector Finance s Sub-Sector Securities Transactions Sub-Sector Payment Systems Sector Transport s Sub-sector Air Traffic Sub-sector Waterways Sub-sector Railways Sub-sector Road Critical ICT Dependencies Sector Energy s Sub-Sector Electricity Sub-sector Gas Sub-sector Oil Sector Finance s...54 Final Report Version - Status: V1.0 - submitted 3 / 137

4 Finance and Transport s on ICT Sub-sector Securities Transactions Sub-sector Payment Systems Sector Transport s Sub-sector Air Traffic Sub-sector Waterways Sub-sector Railways Sub-sector Road Secure Private Network Electronic Highway SWIFTNet SIAnet Summary of Sectoral Findings Relevant Risks, Threats and Vulnerabilities Overview ICT-Threats Current ICT Threats Relevant ICT Threats and Vulnerabilities Existing Protection Strategies Standards Generic IT Security Standards Sector-Specific IT Security Standards in Energy s Sector-Specific IT Security Standards in Finance s Sector-Specific IT security standards in Transport s Best Practises Sector Energy s Sector Finance s Sector Transport s Synergies, Conclusions and Trends Standards Best Practises Conclusions Trends Information and Communication Technology Final Report Version - Status: V1.0 - submitted 4 / 137

5 Finance and Transport s on ICT Sector Energy s Sector Finance s Sector Transport s Policy Lines Approach Main Categories for Policy Lines Identified Threats and Risks as Policy Drivers Identified Trends as Policy Drivers Future Policy lines Stakeholder Involvement General Approach Interviews and other bilateral contacts Workshops and Presentations Dissemination Activities A Annex A.1 Abbreviations A.2 References A.3 Catalogue of Current ICT-Threats A.4 Catalogue of IT Security related Standards in Transport s A.5 Preparatory document of Validation / Final Workshop A.5.1 Invitation of Validation Workshop A.5.2 Agenda Validation Workshop A.5.3 Project Incentive Paper A.5.4 Invitation of Final Workshop A.5.5 Agenda Final Workshop Final Report Version - Status: V1.0 - submitted 5 / 137

6 Finance and Transport s on ICT Executive Summary Executive Summary The overall objective of this Study on Critical Dependencies of Energy, Finance and Transport on ICT was to identify and assess the dependency of important, but very different EU-wide infrastructures on information and communication technology, the involved threats, vulnerabilities and risks, and their protections strategies to mitigate the effects of an ICT infrastructure disruption. As a total 9 separate sub-sectors have to be analysed; concentration to the issues of major importance had been a guiding principle to this study. We introduced a methodology which prescinds from single point / single event analysis and follows an impartial but systematic view on infrastructures based on generic models for each (sub-)sector representing the main technical objects and core processes. These models are "European" as they neither rely nor base on national peculiarities. All models have been carefully developed and intensively discussed with different stakeholders from different countries. In the electricity sub-sector the generic model is oriented at but not limited to the UCTE region, in order to take regard of its special complexity. All events, which interfere with the frequency / load control processes between control blocks can cause cross-border damage, which - in the worst case - results in black-outs affecting larger areas. Most critical are the coordination process and other large infrastructure assets. The gas infrastructure includes a pipeline network, which is operated by TSOs, who execute a capacity and pressure control supporting compressor stations and storage. Any failure is in principle a cross-border incident. However, due to the large volumes of gas stored in the pipeline network, there is a large and in our eyes sufficient time frame for repair. Thus, it is difficult to imagine ICT-related scenarios, which lead to criticalities in terms of large or catastrophic hazards although the ICT dependency of some objects and processes is considered as high. The analysis of the oil infrastructure focuses on refineries and the pipeline connections from the outlets of terminals / refineries to other refineries, chemical plants, or other major outlets. Any interruption of this pipeline infrastructure may have a cross-border impact. The interruption of a refinery will have an impact on the supply with oil products. As the location of refineries is very heterogeneous across EU-countries, most of the oil products are distributed by different transport modes and considerable quantities of oil products are stored in tank farms and in transport facilities along the distribution chain, it seems very unlikely that the interruption of one refinery cannot be substituted by other refineries and corresponding transport means and thus could trigger high cross-border damages in the supply with oil products. Due to the volumes of oil and derived products stored in pipelines, tank farms and in transport facilities, there is a large and in our eyes sufficient time frame for repair and / or establishment of alternative supply. Thus, it is difficult to imagine scenarios leading to criticalities in terms of large or catastrophic hazards, although the ICT dependency of some objects and processes is considered as high. The sub-sector securities transactions of the financial sector covers all tasks from making an order to buy or sell securities by participating banks up to the settlement of the securities and the money between banks involved in the contract. The core processes are highly dependent Final Report Version - Status: V1.0 - submitted 6 / 137

7 Finance and Transport s on ICT Executive Summary on the ICT infrastructure. On the other hand it is expected that impacts from the disruption of these systems will not belong to the hazard categories large or catastrophic as economic loss is limited. In the payment sub-sector the vast majority of interbank cross-border payment transactions in the Euro-countries are processed using one of two specialised platforms on behalf of the Eurosystem (cooperation of the European Central Bank and the national central banks of the Euro-countries) or the Euro Banking Association. The core processes relying on these payment systems are highly dependent on ICT infrastructures. But again for these systems it is expected that impacts from their disruption will not belong to the hazard categories large or catastrophic. The transport sub-sectors air traffic, waterways, railroad and road have in common that complex systems are used for the control and security of traffic flow. Most critical objects and processes which are possibly carried out across borders are related to these processes and systems. Their level of dependency on ICT infrastructures is very high. Especially in the air traffic sub-sector the air traffic management system and process are sensitive. But also interlocking systems in the sub-sector railroad and tunnel control systems are ICT dependent critical objects with international importance. As a result from modelling and dependency analysis it can be concluded, that there are highly ICT-dependent European Critical s in the sectors energy and transport and core business processes in the finance sector that are also extremely ICT-dependent. Each sub-sector has its dedicated IT-systems and LANs the core processes highly rely on. Different approaches exist to connect to regional access points and other business partners using wide area networks (WAN) which are provided either by the CI providers themselves, by specialised secure private networks which offer connection and messaging services within the regarded sub-sector, or network services from telecom providers and in few cases also internet providers. A first risk estimation of identified critical ICT in terms of appraising probability and vulnerability of new ICT threats was performed which led to the result that there are only a few major risks regarding critical ICT components. The highest risks are seen in organisational shortcomings and human errors. All sectors invest a lot in build-up and operation of redundant ICT systems; however development and application of degradation modes and the extended use of early warning systems is currently primarily applied to the energy sector. These experiences should be shared with other sub-sectors to strengthen their security measures. Generally there is a high level of collaboration actions within sub-sectors and also growing cross-sector activities. Long-term experiences in training and exercises in the finance sector should yield to encourage and strengthen similar plans and activities in other sectors. Mapping possible policy measures against the identified main risks and expected future trends and relating them to already existing or started policies yields to policy lines which should be reinforced. From the study perspective, policy measures should focus on early warning and CERT-systems, test centres, (joint) training and exercising, exploitation of best practises findings and experiences and the development respectively adaption of supportive standards. Final Report Version - Status: V1.0 - submitted 7 / 137

8 Finance and Transport s on ICT Executive Summary The development of sub-sector specific models and the analysis of ICT dependencies have been accompanied by a multiplicity of different experts and stakeholders on a national and European level in various interviews and during an international validation workshop. Final results of this study were presented on a fully booked final workshop on June 8 th in Brussels. Structure of the final report After an introduction to background, purpose and implementation of the study in section 1, the methodological approach is outlined. Main results of generic models and identified critical technical objects and processes are documented in section 3. Section 4 states the results of critical ICT dependencies analysis for each sub-sector. The first part of section 5 provides an overview of existing and on-going work considering critical information infrastructure protection in the European Union and at single member state level, followed by identifying and separating current ICT threats from all general existing threats. Mapping of these current IT threats to extracted critical ICT and analysis of vulnerabilities is documented in the second part of section 5. Section 6 gives an overview of existing protection strategies particularly existing or applied standards and best practises. In section 7 synergies regarding existing protection strategies are elaborated and first appraisals given which is followed by a conclusion of accomplished work and a comprehension of overall analysis result. For future assessments and policies trends with impacts on ICT dependencies are documented. Finally, in section 8 existing policy lines are analysed and assessed with regard to study results and recommendation for further actions given. The last section 9 describes our approach and activities for a continuous and effective stakeholder involvement in the study. Final Report Version - Status: V1.0 - submitted 8 / 137

9 Finance and Transport s on ICT Introduction 1 Introduction 1.1 Background Since the mid 1990ies, protection of critical infrastructures has increasingly been recognised as a field of potential and possibly rising risks. Failure of core backbone systems of our societies such as energy, transportation, vital supplies like water and food, the financial and the healthcare system to name only a few incorporate the potential of massively degrading the well-being of population and environment, the functioning of the industry and economy the freedom and capability of governments to act Compared to the related potential risks involved, there have been huge deficiencies in theoretical understanding of phenomena, practical preventive and reactive measures, and required national and international coordination and cooperation. Following some preliminary research work and the request of the European Council, the European Commission (EC) issued a communication on a European Programme for Critical Protection (EPCIP) in December 2006, setting out principles, processes and instruments for its implementation which were to be supplemented by relevant sector-specific communications. An EU framework proposed within this communication has meanwhile been established, consisting i. a. of a procedure for the identification and designation of European Critical s (ECI) and a common approach to the assessment of the needs to improve the protection of such infrastructures measures designed to facilitate the implementation of EPCIP including an EPCIP Action Plan, the Critical Warning Information Network (CIWIN), the use of CIP expert groups at EU level, CIP information sharing processes and the identification and analysis of interdependencies. In parallel, a strategy for a secure information society is being developed pointing out that security and resilience of communication and information networks are potential contributions to ECPIP. Against this background the commission tendered a series of studies in the second half of One of these has been awarded under the title Study on critical dependencies of energy, finance and transport infrastructures on ICT infrastructures ; see [EU_SC_2007, EU_SCA1_2007, EU_SCA1_2007]. This study started in August This report documents the final results achieved by mid May, It updates the preliminary results laid down in the interim report of January, 2009 and regards the amendments requested by the European Commission. Additionally, new policy initiatives (see [EU_DIR_ECI_2008, EU_COM_CIIP_2009]) were taken into account as far as it was possible due to already completed work packages. Final Report Version - Status: V1.0 - submitted 9 / 137

10 Finance and Transport s on ICT Introduction 1.2 Objectives and Main Purpose of the Study Nearly all sectors in our modern society and economy rely on ICT infrastructures. This study focuses on the dependencies of three main sectors: energy distribution (e. g., electricity, gas and oil), transport (e. g., air traffic, waterways, railways and road) and banking and finance. ICT infrastructures are rapidly becoming the nervous system of our modern information society. They enable essential services and key resources, including for instance the supply of electricity or water. They provide services supporting business processes and financial markets, and assists in the control of many critical processes, such as chemical processing plants. The main ICT network is obviously the Internet. Because of its ease of integration and lowcost of use, an ever stronger dependency of other critical infrastructures and systems on the Internet has developed and continues to develop. While the use of ICT infrastructures provides many opportunities and increases functional capabilities, the large increase in interconnected devices and information flows also increases the vulnerability of other critical infrastructures when exposed to cyber threats and to failures of the ICT infrastructures. As a consequence, infrastructures and systems in Europe become ever more fragile and may fail faster than ever before due to a major technological collapse of an ICT infrastructure or system. Beside the growing cross-sector dependencies, interconnected and interdependent infrastructures and systems have grown well beyond national borders. A failure in one country might have detrimental effects on critical components in an entirely different sector in another country. There exist a number of critical infrastructures in the European Union which, if disrupted or destroyed, would affect other Member States. ICT is one such infrastructure. Critical infrastructures with a trans-national dimension should be identified and designated as European Critical s (ECI). Neither the EU governments nor the European Commission have at present a comprehensive consolidated view on what dependencies on ICT infrastructures are critical to the European Union and why. Cross-sector and cross-border dependencies on ICT infrastructures are insufficiently understood. Getting to grips with these dependencies is an important step towards identifying (criteria for and/or components of) European Critical Communication and Information s. This study is recognised as one of many building blocks in a process of analysis, assessment, proposed solutions and their implementation. It will provide a systematic methodology for the assessment of the dependency of critical infrastructures (CIs) on ICT. It will demonstrate the capabilities of this method for the sample sectors of energy, transportation and finance and their sub-sectors. It will develop, try to reach agreement and establish definitions of criticality together with the CI providers and stakeholders. It will provide rules on how to reduce the huge spectrum of ICT threats, of sub-sectors and of components to those expected to bear severely critical potential. It will seek commonalities in the risk spectrum and procedures across the different subjected CIs. And it will derive recommendations of typical security measures as decision support for stakeholders as well as for EU policy initiatives. Final Report Version - Status: V1.0 - submitted 10 / 137

11 Finance and Transport s on ICT Introduction Accordingly, target groups will be the European Commission CI providers/ operators of the 3 sectors governments and subordinate governmental organisations with responsibility for CIP in the member states (e. g., BBK and BSI in Germany). To achieve these objectives, a specific approach and methodology has been developed, consisting of a set of corresponding logically, technically and temporally interconnected work packages (Figure 1). WP1 WP2 WP3 WP4 WP5 WP6 WP7 WP8 WP9 Develop and agree on infrastructure and dependency models of the three infrastructures sectors Systematically define and derive the critical ICT dependencies Identifying relevant threats and vulnerabilities Arrange appropriate stakeholder involvement Identify existing systems and strategies Derive synergies and criteria Provide decision support guidelines and assess them against technological, economical and policy trends and obstacles Recommend policy initiatives Project Management & Reporting Final Report Version - Status: V1.0 - submitted 11 / 137

12 Finance and Transport s on ICT Introduction WP1: WP1: Modelling Modelling of of three three sectors sectors WP9: WP9: Project Project Management WP2: WP2: Critical Critical ICT ICT Dependencies Dependencies WP5: WP5: Existing Existing systems systems and strategies and strategies WP3: Threats, Vulnerabilities, Risks WP3: Threats, Vulnerabilities, Risks WP6: WP6: Synergies Synergies & & Criteria Criteria WP7: Decision support WP7: Decision support WP4: WP4: Stakeholder Involvement WP8: Policy Initiatives WP8: Policy Initiatives Figure 1: Overall Structure of Methodology and Work Packages A general challenge of the study is to cover and reflect the extremely complex structure of the energy, transport and finance sectors at European level and to address its various aspects like physical structure, functional structure, organisation, responsibilities, etc., in an appropriate manner within the given budget and time constraints. Beyond that, there is a broad range of opinions among stakeholders about the estimation of vulnerability and criticality of infrastructures ranging from neglecting to exaggerating potential threats and their impacts. Therefore we introduce a methodology with a clear and independent view on infrastructures and comprehensible as well as traceable criteria. One of the key features of our methodology is to create appropriate, generic models for the three sectors of energy, transportation and finance (including their sub-sectors) as a baseline for a clear and common understanding of the structure of these sectors representing major structures and characteristics. These models prescind from single point / single event analysis and follow an impartial but systematic view on infrastructures. They are "European" as they neither rely nor base on national peculiarities. For each sub-sector two generic models have been elaborated: one reflecting the tangible assets, the generic technical architecture (except the Finance sector) and one covering the processes. Final Report Version - Status: V1.0 - submitted 12 / 137

13 Finance and Transport s on ICT Introduction The term processes enfolds the sub-section s intangibles like knowledge, transaction relationships consumer information, contracts, consumption profiles and terms of security culture. All models have been carefully developed and intensively discussed with different stakeholders from different countries. To address the specific characteristics of the different sub-sectors we have created corresponding models for the following sub-sectors (Figure 2) Electricity Gas Oil Air Traffic Waterways Railroad Road Securities Transaction Payment ICT Figure 2: Subdivision of Sectors and their (potential) ICT-Dependencies 1.3 Project Embedding The study is closely related to others, tendered in same time frame (second half of 2007): Risk Governance of European Critical s in the ICT and energy sectors Feasibility study: European network of secure test centres for reliable ICT-controlled critical energy Stock-taking of existing critical infrastructure protection activities and two other studies in August, 2008: Study to define sectoral criteria to identify European Critical s in the ICT sector, focussing on internet, fixed and mobile telecommunication Study on measures to analyse and improve European emergency preparedness in the field of fixed and mobile telecommunication and the internet Final Report Version - Status: V1.0 - submitted 13 / 137

14 Finance and Transport s on ICT Introduction At reporting date the last two studies did not start but the first ones ran in parallel for a couple of months. It was the common understanding of the EC and the project team of this study that these running projects are correlated in many respects: Application of models for CIs including technical terms and definitions Usage of same resources, e. g., the threat taxonomy Stakeholder involvement Mutual information and - where possible - the mutual use of study findings and intermediate results The project managers of the concerned studies were inspired to get in contact and to exchange all necessary and useful information about methodology, definitions, taxonomies, etc. directly on a working level. In fact, project managers of this ICT dependency project and of the studies on feasibility of test centres and on risk governance mutually attended project s interim workshops and took an active part in a common workshop, organized by the EC with the CIP expert group (see section 9). Further activities on the CIP matter have been launched and/or are under way in form of different programmes and activities of the EC, including those of JLS (CIPS and ISEC) and other related directorates like TREN, the Preparatory Actions for Security Research (PASR), and in the research Framework Programmes 6 and 7 (ICT and SEC). Due to this wide variety of actions, events, related papers, etc., the mutual exchange and resulting improvement of project results was limited. Nevertheless, this study was influenced as far as possible by those experiences and results mainly based on personal contacts and relationships. Final Report Version - Status: V1.0 - submitted 14 / 137

15 Finance and Transport s on ICT Approach and Methodology 2 Approach and Methodology Within this section we provide a systematic methodology for the assessment of the dependency of CIs on ICT. We demonstrate the capabilities of this method for the focussed sectors of energy, transportation and finance and their sub-sectors. For at least a decade, the analysis of interdependencies between various (critical) infrastructures and information and communication technology has been a challenge and an ongoing task in various research programmes, studies and projects at national, European, US and international level. Although there is a great wealth of existing findings, it is the general challenge within this study and the basis of our approach to strictly focus on European Critical s (ECI) and their ICT-Dependencies which concludes that a failure or malfunction of any (to be identified) ICT- leads to an outage or malfunction of such an ECI Prevailing, state-of-the-art and prospective ICT-threats referring to the above identified ICT-infrastructures Existing practises like early warning systems, protection strategies, counter measures, etc. to mitigate vulnerabilities Conclusions (e. g., cross-sector and cross-border synergies) and recommendations for decision support, guidelines, further policy lines, Therefore, it is one of the first steps to build up an abstract, generic model of the surveyed European critical infrastructure sectors as a prerequisite for further ICT-dependency analysis. Additionally, for a common understanding a definition and description of key terms is necessary. 2.1 Key Terms In the last few years, various definitions of key terms around the question What is a (European) critical infrastructure? have been put forward. This situation reflects the ongoing tasks and processes at national as well at European and international level. Within the European Union a first milestone was set with the presentation of a Green Paper on a European Programme for Critical Protection [EU_GP_EPCIP_2005] by the Commission of the European Communities at the end of 2005 as it contains i. a. a description of CIP terms and definitions such as critical, European critical, Impact etc. In preparation of the Council Directive on the identification and designation of European Critical s and the assessment of the need to improve their protection [EU_DIR_ECI_2008] which meanwhile has been adopted by the Council of the European Union, CIP terms and definitions have slightly changed. The main definitions are as follows: Final Report Version - Status: V1.0 - submitted 15 / 137

16 Finance and Transport s on ICT Approach and Methodology "critical infrastructure means an asset, system or part thereof located in Member States which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact in a Member State as a result of the failure to maintain those functions [EU_DIR_ECI_2008] "European critical infrastructure ( ) means critical infrastructure located in Member States the disruption or destruction of which would have a significant impact on at least two Member States. The significance of the impact shall be assessed in terms of cross-cutting criteria. This includes effects resulting from cross-sector dependencies on other types of infrastructure [EU_DIR_ECI_2008] For the purpose of on hand study, this leads to the following conclusions and derivation of CI selection criteria (see summary in subsection 2.1.1): Only those CI are considered where disruption or destruction leads to significant transnational impact (Selection-Criteria 1) Even large-area impacts of CI failures, outages etc. which remain in one Member State are out of scope of the present study. Cross-cutting criteria are needed for appraising the impact significance within each sector resp. Sub-sector. Definition and usage of cross-cutting criteria for ECI are still in discussion and also subject to other envisaged studies, e. g. Risk governance of ECI in the ICT & energy sector. On the other hand, results achieved so far by elaboration of the EC-Directive or by [EU_TREN_2007] and [BMI_PESG_2007] could or should not be used for several reasons (restricted access, non-availability during inception phase of this study). For this, we identify the criticality of processes and technical assets by means of hazard categories. Criticality is defined as the impact, the loss or a significant reduction of functionality which processes or technical assets will have. The hazard categories consist of 5 discrete values in the range between negligible to catastrophic (Table 1) for which the impacts must be defined. Hazards may have different kinds of impacts like number of human casualties (injuries, and fatalities) restricted ability of governments and public authorities to act economic losses (all direct losses like restoration of technical assets or lost turnover as well as subsequent or indirect losses e.g. caused by environmental impacts public effects (restrictions in daily life and loss of public order) The subsequent hazard category table is used for defining criticality criteria. Further analysis and considerations focus only on those hazards with the impact categories large and catastrophic (Selection-Criteria 2). Final Report Version - Status: V1.0 - submitted 16 / 137

17 Finance and Transport s on ICT Approach and Methodology Aspect Hazard Category Human casualties Restricted governmental ability to act negligible low medium large catastrophic No consequences Slight restrictions Slightly reduced wellbeing Few reductions Few casualties Limited restrictions Many casualties or some fatalities Considerable restrictions Many fatalities Inability to act Economic damages Up to 10 Mio Mio 100 Mio 1 Bil 1 10 Bil More than 10 Bil Public effects Slight restrictions Few reductions Local riots Regional loss of public order Nation wide loss of public order Table 1 : Hazard Categories As shown in the above table thresholds are given in order to categorize economic losses. There is a wide discussion wherefrom to derive such values and how to treat them in further analysis. Given thresholds are mainly influenced by experiences and detailed discussions and reconcilements with governmental and industrial stakeholders from the German electricity sector during compilation of [BMI_PESG_2007]. Due to its geographical position, Germany is one of the main European nations providing critical infrastructures with a high potential of cross-border impacts in case of larger failures or disruptions. Therefore, after consulting with the European Commission (see [EU_ICTDEP_2008]), we decided to transfer this approach from [BMI_PESG_2007] to this study and to work with the adapted thresholds shown above. As a matter of course application of these absolute values to single, (much) smaller member states would lead to distortions in the evaluation of impacts and identification of CI 1. Summarizing, it follows from Table 1 that all ECI are considered where failure or outage leads to at least one of the above listed impacts large or catastrophic, e. g., an overall economic damage of more than 1 Bil. Two important parameters which influence these impacts are mean time to repair (MTTR) and mean time between failure (MTBF) [ITSM_2004]. MTTR is an indicator for the amount of loss that is usually non-linearly correlated, i. e., a short time of disruption or failure causes 1 In these cases an approach using smaller or relative values (like percentages of GDP of the MS) should be useful. Final Report Version - Status: V1.0 - submitted 17 / 137

18 Finance and Transport s on ICT Approach and Methodology certain damage but it usually increases progressively the longer the critical service is off 2. MTBF is a measure for robustness and availability. Usually, MTTR is shorter in those cases where failures occur more frequently, as there is a larger awareness and preparedness Selection Criteria and Process As pointed out in the above section, the large number assets, systems, etc. which (or parts thereof) are classified as a critical infrastructure has to be filtered for the purpose of this study. For this, the following selection criteria are used Selection Criteria 1: Only those CI are considered where disruption or destruction leads to a significant transnational impact Selection Criteria 2: The impact of a disruption or destruction of a CI must apply to the hazard categories large or catastrophic. Due to the limited time and resources of the project, and the complexity of the subject matter on the other hand, a rather pragmatic methodology had to be applied, mainly based on preexisting information, and on close cooperation with stakeholders. The analysis process followed the following approach: Use of existing material Application of the team expert knowledge Bilateral and multilateral discussions between team members and CI Stakeholders Participation in several related workshops Validation of interim results in a stakeholder workshop Review of interim results by the European Commission Refinement of results and amendment of the outstanding chapters summarising and concluding chapters 2 Power cuts for a few minutes can be buffered easily, however long-lasting black-outs cause production downtimes Final Report Version - Status: V1.0 - submitted 18 / 137

19 Finance and Transport s on ICT Approach and Methodology 2.2 Modelling As stated above, it is a fundamental prerequisite for the analysis of ICT-dependencies to have a common understanding about the structure of each individual (sub)sector, covering and reflecting its extreme complexity within given budget and time constraints. Therefore several steps are defined and performed to reduce complexity within each sector as well as general ICT-dependencies to identify and extract By ICT vulnerable ECI : 1. Designing abstract models of the CI sectors and skip all non-eci 2. Extracting all ECI that are highly ICT-dependent 3. Identifying critical ICT infrastructure (with respect to ECI selected above) 4. Identifying relevant ICT threats 5. Analysing and estimating vulnerabilities taking into account existing protection strategies Identifying European Critical s To face the challenge of reducing complexity without neglecting main characteristics of each sector, generic abstract models are elaborated for each Sub-sector in a twofold approach: Each (sub)sector is analysed with respect to its general technical architecture, its core technical objects and other tangible assets. Special focus lies on characteristics of physical, cross-border connections. Sector-specific core processes are identified which cover all major infrastructure services. As far as necessary this enfolds also responsibilities, knowledge, transactional relationships etc. for distinct process steps and other intangible assets. In Figure 3 technical objects and processes are illustrated as a starting point of the whole approach in the upper and lower left corner. Different sectors are labelled by different background colours (energy light brown, transport blue; finance - yellow) 3. 3 Within the finance sector there are no technical objects comparable to those in the other sectors. Final Report Version - Status: V1.0 - submitted 19 / 137

20 Finance and Transport s on ICT Approach and Methodology Figure 3: Approach for identifying highly ICT-dependent ECI To identify relevant ECI in the focussed sectors, all identified technical objects and processes which do not match the selection criteria defined in section 2.1 are filtered out. These objects are symbolically crossed out in the above figure Identifying high ICT-dependent ECI The next step in our approach is to identify those ECI within each sector which highly depend on ICT, i. e., a breakdown of such an ICT-system (or a relevant component of it) leads to a critical impact, a significant malfunction or a complete blackout with large or catastrophic impacts in more than one member state of the EU. Thus, all identified critical technical objects and processes are examined with respects to their underlying ICT-systems which themselves can be distinguished between internal and external ICT systems and infrastructures (see Figure 4). This difference is made as many CI providers maintain their own IT-systems as well as their own (physical) communication lines and communication systems. Figure 4: ICT - Final Report Version - Status: V1.0 - submitted 20 / 137

21 Finance and Transport s on ICT Approach and Methodology Analysing the dependencies of an IT-system (e. g., SCADA-system) in more detail, it has to be pointed out that these systems themselves rely on diverse other internal and external communication systems, infrastructures and services. Finally, in case of long term malfunctions further, more qualitative dependencies have to be considered, e. g., software updates of SCADA. Therefore, in the end all ICT-dependencies have to be added up which leads to the following results: ECI (technical objects and process) that highly depend on ICT ECI (technical objects and process) that have no or less critical ICT-dependencies and which can be omitted for further analysis (crossed out in red colour in Figure 3). ICT-Systems the failures of which do not have a high impact on ECI (crossed out in red colour in Figure 3). ICT-Systems the failures of which have a high impact on ECI but are used redundantly, i. e., there are two (or even more) different IT- or communication systems a specific ECI relies on (crossed out in yellow colour in Figure 3). 4 After this reduction process, relevant elements with significant impact on society and economics are identified ICT Threats and Vulnerabilities Proceeding within our approach relevant ICT-threats, vulnerabilities and (existing) protections strategies with respect to extracted ECI are considered (see Figure 5). For this, existing IT threat catalogues [see BSI_GS_Cat_2008] are used which allocate known ICT threats to five general cause categories Force Majeure Organisational Shortcomings Human Failure Technical Failure Deliberate Acts 4 For further statements a more detailed (sector-specific) analysis considering dependencies as well as threats and vulnerabilities is necessary. Final Report Version - Status: V1.0 - submitted 21 / 137

22 Finance and Transport s on ICT Approach and Methodology As these catalogues contain about 430 single threats it is necessary as well as appropriate to focus on The current internet threat situation Innovative technologies and new trends in ICT amplifying existing threats. These statements can be derived from analysis, Figure 5 : Derivation of relevant ICT threats observation and current issues of various national and international ICT security agencies, public authorities and research institutes such as [ENISA_PECCA_2008, GTISC_ECTR_2008, BSI_LAGE_2009, BSI_LAGE_Q1_2008, BSI_LAGE_Q4_2008, BERR_2008, SYM_STR_2009]. Combinations of these approaches lead to a more practical and significant appreciation of current ICT threats for the purpose of the study at hand. Based on these derived and adjusted catalogues of current threats all relevant IT and communication systems and infrastructures that are already identified as critical with respect to sector-specific ECI are examined regarding their vulnerability 5. Herewith probabilities of occurrences are taken into account which in case of deliberate acts are mainly influenced by the necessary effort to run such an ICT attack compared to the effort to disrupt an ECI in a conventional way. Furthermore, it must be considered that all ICT threats usually do not have an unlimited impact on relevant ICT systems as existing organisational, technical and other protection strategies are implemented. Analysis of existing protection strategies follows a twofold approach: Comparable to a topdown-approach common ICT related security standards including respective guidelines, specifications, etc. are gathered. On the other hand best practises tested and applied within various companies and institutions were identified. The whole ICT-relevant approach for this study is illustrated in Figure 6. 5 Based on existing material and experiences (no individual risk assessment has been compiled) Final Report Version - Status: V1.0 - submitted 22 / 137

23 Finance and Transport s on ICT Approach and Methodology Figure 6 : Approach for identifying ICT-vulnerable ECI Finally, model and analysis results are compared between sub-sector-specific and sectorspanning ones. Common ICT dependencies and ICT vulnerabilities are explored and existing protection strategies are gathered and examined. Special focus is laid on existing best practises and their application in different sectors and strength. The analysis and assessment of policy lines has been organised by viewing them from different perspectives. First of all, the main categories of policy lines are identified, and broken down into a set of policy measures supporting the policy line. These main categories of policy lines are schematically mapped against the identified main ECI vulnerabilities and risks and against identified trends expected in ICT and in the individual CI Finally a summary is given and a comparison of measures recommended vs. existing best practices. From there, recommendations can be drawn as to which important policy measures are lacking existing practice today and which should specifically be reinforced. Final Report Version - Status: V1.0 - submitted 23 / 137

24 Finance and Transport s on ICT Critical Technical Objects and Processes 3 Critical Technical Objects and Processes 3.1 Sector Energy s The energy sector consists of following sub-sectors: Electricity Gas Oil The energy infrastructures under study are limited to the region of the EU. Energy supplies which originate from inside the EU (for example coal production which is used in power plants) or which are supplied from outside of the EU (like gas and oil) are not subject of this study Sub-sector Electricity The electricity sector in the EU is divided into separate synchronised regions, each with its own characteristics. In this study generic model build-up is mainly influenced by the UCTE region (Figure 7), which comprises the majority of the EU Member States and displays more complex characteristics than other electricity systems in the EU (The generic model itself represents also main structures in other regions). Figure 7 : Interconnected Electricity Systems in Europe (source: UCTE). Final Report Version - Status: V1.0 - submitted 24 / 137

25 Finance and Transport s on ICT Critical Technical Objects and Processes In 1999 the UCTE was established as a TSO organisation. It developed from a club of companies (established as UCPTE in 1951) to a system watchdog association. In 1995 the power systems of Poland, the Czech Republic, Slovakia and Hungary were in a condition to meet the UCTE security and control standards and the CENTREL area was synchronised with and incorporated into the UCTE system. In 1996 the Romanian and Bulgarian electricity systems could comply with the UCTE policies and were synchronised. As a result, a large synchronised region has been established in Europe, managing considerable power flows. In particular, the integration of the former CENTREL led to new power flows. With their large generation capacities, Poland, Slovakia and the Czech Republic became the main net exporters in the region. The main net energy flows are from Poland via the Czech Republic to Germany, Austria and Slovakia and from Slovakia to Hungary. Figure 8: Physical electricity exchanges in the UCTE region (source: UCTE) The UCTE electricity system is composed of the network interconnection and interaction of control areas whose boundaries mostly comply with country boundaries. A TSO (transmission system operator) oversees the operation of the electricity system within the control area and coordinates his activities with neighbouring control areas. The transmission system in one control area consists of transmission lines of voltage levels between 110 and 400kV. Each control area typically has several interconnections with the transmission grids of neighbouring areas (so called tie lines ), typically of voltage levels between 220 and 400kV, sometimes also on 110kV. These generic power system objects are shown in Figure 10. Final Report Version - Status: V1.0 - submitted 25 / 137

26 Finance and Transport s on ICT Critical Technical Objects and Processes The initial purpose of the UCTE was the mutual support of the control areas to increase maintaining system stability through access in order to reserve capacities and synchronous operation. The main processes are the load and frequency control and corresponding communication between the control areas (Figure 9). However, nowadays the initial orientation of the interconnected network operation at frequency and load control has to cope with increasing bulk power transfers triggered by market liberalisation, which are beyond the original design of the intermeshed network in the UCTE area and cause increasing problems with network capacity and dynamics. Network dynamics are becoming a critical factor for the proper operation of the electricity sector in Europe, and it displays a novel and complex structure. But since network dynamics are beyond the control of current frequency and load control processes and underlying control systems, this criticality is not investigated in this study. Figure 9: UCTE control blocks and control areas (source: UCTE) In principle, each control block acts as a self-sustaining system, which interacts with the other control areas in a self-organising way (there is no central control) through the coordination and frequency / load control processes. All events which disturb these processes can cause cross-border damages which range from the disconnection of power system areas from the synchronous UCTE areas to non-supply of electricity (black-out). The reasons for the interruption of the load / frequency control can lie in the process itself, or in failures in the technical objects or other processes. It is obvious that the non-supply of electricity would be the major cause of damage. The most severe cross-border incident happened on 4 November, 2006, when the initial switching-off Final Report Version - Status: V1.0 - submitted 26 / 137

27 Finance and Transport s on ICT Critical Technical Objects and Processes of a tie-line over the river Ems (Germany) caused a cascading effect across Europe, which lead not only to the disconnection of the system but to black-outs which left 15m households without power. A rough estimation of the economic damage, which is based on higher average consumption values and a higher black-out time than actually were prevailing, gives a figure of some 220m EURO as the value of the loss 6. This value is still far from the large hazard categories. Though coordination itself can be re-established within a short time, failures in the coordination between TSOs can trigger severe consequences for the frequency load control between control areas, which lead to cascading effects and possible separation of the UCTE area. The example of the November 4 th, 2006, incident shows that failures caused by the coordination process lead to cascading effects concerning the frequency / load control processes. But the MTTR of the coordination and frequency / load control processes in general is short enough to most likely not lead to the large or catastrophic hazard categories 7. But there are underlying technical objects whose failure can interrupt the frequency / load control process which will definitely cause large damages. The exchange between the physical and the commercial area is mainly composed by the scheduling of power plants, lines and interconnectors. There is no direct access to the control systems of the electricity infrastructure. Usually, an interruption of the scheduling information does not create large damage in the commercial world, because most schedules are long-term oriented. Also, in cases of non-service (black-outs) caused by the electricity system, the damage on the customer side is much higher (cf. the estimate of 8-16/kWh) than the commercial losses per non-sold kwh. 6 The estimation is based on the following assumptions: Average household consumption of 4000kWh/a Black-out for the total time 2 hours (The UCTE investigation report states that normal conditions were reached in less than 2 hours [UCTE_2006]) Lost load for 15m households for 2 hours: kwh Value of lost load: 16/kWh (A meta study conducted by Frontier Economics resulted in a range of 8-16/kWh value of lost load [FE_2008]) 7 The separated regions were back to synchronous operation after 38 minutes and normal operation was regained in less than 2 hours. Final Report Version - Status: V1.0 - submitted 27 / 137

28 Finance and Transport s on ICT Critical Technical Objects and Processes Figure 10: Power System Generic Objects and Processes Sub-sector Gas The European gas infrastructure is supplied mainly by gas imports through transit pipelines and LNG tanker ships. Transit pipelines and LNG facilities feed the gas via interconnection points into the European high pressure transit / transport pipelines which together with gas storage facilities constitute a highly interconnected network. Within this network, the pressure level is regulated by compressor stations. Most sections of the European pipelines as well as the storage facilities are operated country-wide by national TSOs with control and dispatch rooms. The sections are interconnected by interconnection points, which commonly consist of export stations, measuring the gas flows for commercial purposes. Through decompression stations the gas is fed into medium pressure and eventually to low pressure networks to which consumers are connected. The generic system is shown in Figure 11. Contrary to the electricity system, the European gas infrastructure is designed to transport gas from the entry of supplies (LNG terminals, transit pipeline interconnection points) to the consumer. The main obligation of the TSO is to execute a capacity and pressure control in the pipeline network with support of the compressor stations and storage which is appropriate to satisfy user demand. Since the transport of gas in the European gas networks takes place across borders, any failure is in principal a cross-border incident. This is different to the principles of the electricity Final Report Version - Status: V1.0 - submitted 28 / 137

29 Finance and Transport s on ICT Critical Technical Objects and Processes system, where each control area in principle is self-sustaining and is self-organising with the other control areas in order to benefit from the synergies. Failures in the appropriate capacity and pressure control processes lead to lower transport volumes of gas, generally reducing the cross-border deliveries to the end users. Failures can be caused within the process itself or through failures in other processes or technical objects. Due to the large volumes of gas stored in the pipeline network and the remaining pressure, the MTTR, in case of object or process failures, is considerably longer in general than in the power sector which requires a real-time frequency / load control process. Therefore, it is difficult to elaborate scenarios of object or process failures (Figure 11) which lead to large or catastrophic hazard categories (apart from the lack of gas supply by the few producing countries, which is hardly caused by ICT problems). Failures in metering gas flows in the export stations may cause severe commercial problems, but the metering at the export stations can be substituted by metering in other nodes of the gas grid. Any interruption of gas flows due to commercial reasons is caused by a deliberate company decision (which is similar to the interruptions of the supply of Russian gas in the winter 2008/2009), but not by any ICT vulnerability of the infrastructure. Interruptions in the coordination process itself do not lead to severe reductions of transport capacity because the coordination process can be re-established within short periods. Failures in the capacity / pressure control process itself may lead to losses in transport capacity, but in principle the control operations can be done locally on site as well (which only is somewhat less efficient). Though LNG terminals are entry points into the gas supply, the interruption of one LNG facility can easily be met with other supply routes and facilities. And since the LNG facilities are not interconnected with each other, a widespread failure is rather unlikely. Final Report Version - Status: V1.0 - submitted 29 / 137

30 Finance and Transport s on ICT Critical Technical Objects and Processes Network Area B Medium Pressure Regional (100m 1 bar) Export Station Inter-connector Transit / Transport High Pressure Export Station Inter-connector Capacity / Pressure Control Capacity Order Data base TSO Control and Dispatch Coordination Exchange (EEX) Decentral Controls TSO Control and Dispatch Balancing / Accounting Capacity / Pressure Control Data base Trading Wholesale Decentral Controls Export Station Inter-connector Transit / Transport High Pressure Export Station Inter-connector Dispatching Medium Pressure Regional (100m 1 bar) Decentral Controls Meter Readings Data base Local Distribution ( mbar) Decentral Controls Trading Retail Generic Gas System Objects Network Area A Generic Gas System and Commercial Processes Commercial World Figure 11: Gas System Generic Objects and Processes Sub-sector Oil The European oil infrastructure consists mainly of points of entry which encompass oil terminals 8 and transit pipelines, which deliver across borders crude oil by pipeline and other transport means to refineries, petrochemical plants, which deliver oil products by pipeline or other transport means to tank farms, to outlets like airports, and to final users. The oil sub-sector differs from the other energy sub-sectors in terms of storage, transmission and distribution since oil and its products can be transported and stored more easily and cheaply than gas and electricity. The oil infrastructure includes three major features: (i) In contrast to the electricity and gas sector, the transport and distribution of oil and refined products can be assured by many different infrastructures: pipelines, short-sea shipping, inland waterways, railways and road transport. This encompasses the down-stream transport of crude oil from the entry of supplies (oil terminals, transit pipeline interconnection points) to refineries or oil products from refineries to chemical plants, and the distribution to other outlets and final users. 8 Around 80% of the European oil import is brought by tankers. Final Report Version - Status: V1.0 - submitted 30 / 137

31 Finance and Transport s on ICT Critical Technical Objects and Processes (ii) (iii) The storage of crude oil and oil products in tank farms allocated along the downstream chain. The processing of crude oil to oil products in refineries. The infrastructure is not an interconnected network as this is the case in the electricity or gas sector, but constitutes a heterogeneous and complex structure of different transport modes, refineries and different products. The generic objects and processes are shown in Figure 12. Since tank trucks and tank wagons for the road and rail transport of gasoline or fuel oil are independent objects, their failures are single events with very limited damage. Therefore, this down-stream infrastructure is excluded from becoming critical in the context of this study. The oil terminals, tank farms, refineries, and pipelines, which are concentrated in the Amsterdam-Rotterdam-Antwerp (ARA) area, handle some 17% of the European oil imports. The ARA area plays a major role for the oil supply of the European market and its interruption is critical for the European market. But in the European oil infrastructure, which is anyhow quite heterogeneous in the location of infrastructure objects across countries and in the different multiple transport modes, the collection of oil terminals, tank farms, refineries and pipelines of the type of ARA Complexes constitutes singular objects than generic objects of the European oil infrastructure. Due to its singularity a separate analysis of these technical objects is recommended. Therefore, the analysis of critical objects and processes focuses on refineries, the pipeline connections from the outlets of the terminals / refineries to other refineries, petrochemical plants, or outlets like airports. Any interruption of this pipeline infrastructure has a crossborder impact, which can be caused by failures in the objects or processes. For example, the interruption of the Trans-Alpine-Pipeline, which feeds among others the refinery in Ingolstadt, Germany, would cause a daily loss in the gross margin of the refinery of some The interruption of a refinery will have an impact on the supply with oil products. Since the location of refineries is very heterogeneous across countries in the EU and since most of the oil products are distributed by different transport modes and since considerable quantities of oil products are stored in tank farms and in the transport facilities along the distribution chain, it seems very unlikely that the interruption of one refinery cannot be substituted by transport means in the distribution chain. But on the other hand it cannot be excluded that the interruption of a refinery can lead to large damages. Another hazard would be a pipeline leak which could cause an oil spill with large environmental damage. Due to the volumes of oil / products stored in the pipeline and storage, the MTTR in case of object or process failures is considerably longer in general than in the power sector which 9 Assumptions: Throughput bpd Gross margin 7,99USD/barrel Exchange rate 1,37USD/EUR Source: Petroplus Annual Report 2007 [RM_2007] Final Report Version - Status: V1.0 - submitted 31 / 137

32 Finance and Transport s on ICT Critical Technical Objects and Processes requires a real-time frequency / load control process. Therefore, it is difficult to elaborate scenarios of object or process failures which lead to large or catastrophic hazard categories. Figure 12: Oil Sector Generic Objects and Processes Final Report Version - Status: V1.0 - submitted 32 / 137

33 Finance and Transport s on ICT Critical Technical Objects and Processes 3.2 Sector Finance s After intensive discussions with different stakeholders from the finance sector, for this study the sector is structured into the following two sub-sectors: securities transactions, payment systems The sub-sector securities transactions covers all tasks from making an order to buy or to sell securities (shares, bonds, derivates) by participating banks up to the settlement of the securities and the money between banks involved in the contract based on this order. The sub-sector payment systems also covers clearing and settlement tasks, but the starting points for these are rather payment transactions instead of trading of securities. International business is an important part of the business within the two sub-sectors securities transactions and payment systems. Therefore cross-border transactions (between European and also with Non-European countries) are common within these sub-sectors Sub-Sector Securities Transactions Different market places exist in Europe for trading securities like shares, bonds and derivates. In addition also different service providers exist for the execution of the corresponding clearing and settlement related services. Therefore there is not only one single model explaining the properties of the workflow within the sub-sector securities transactions in Europe. For this reason an abstract model will be used in the study to explain the characteristics for the sub-sector. The steps trading, clearing and settlement must be executed completely in order to finalise a single transaction. In the following the major tasks belonging to these steps are listed. Trading Market places offer the trading of securities. This can be done either by traditional floor trading or by electronic trading systems. The following tasks are (among others) part of the trading system: Receiving orders for selling or buying securities. Price determination (either by specialists or based on an open order book). Matching corresponding orders. Final Report Version - Status: V1.0 - submitted 33 / 137

34 Finance and Transport s on ICT Critical Technical Objects and Processes Clearing The provider offering the clearing service is acting as a central counterparty (CCP) for the two parties (banks) involved in a transaction. No bilateral agreement is reached between the two parties of a transaction. Instead, both parties have got an agreement with the CCP. The following tasks are (among others) part of the CCP: Verification of trade-related information. Risk management. Netting (i.e. the summation of single buy and sell positions of a participating bank). Settlement The settlement is the final step to finish a transaction. It is usually performed by a central securities depository (CSD) (and in addition usually also mirrored by the participating banks by debiting and crediting the securities accounts of their customers). The following tasks are (among others) part of the CSD: Debiting the securities from the seller's bank. Debiting the corresponding money from the buyer's bank. Crediting the securities to the buyer's bank. Crediting the corresponding money to the seller's bank. For the actual transfer of the corresponding money from the buyer's bank to the seller's bank the CSD usually uses a system specialised on money settlement like TARGET2 (settlement of the money in cooperation with Central Banks). This system will be described as part of the sub-sector payment systems. The following figure gives an overview for the abstract model of the securities transactions sub-sector: Final Report Version - Status: V1.0 - submitted 34 / 137

35 Finance and Transport s on ICT Critical Technical Objects and Processes order (sell) contract note Trading Location -trading - trading data order (buy) contract note Bank A -seller's bank - disposition settlement confirm, risk data CCP -clearing - disposition settlement confirm, risk data delivery instruction delivery confirmation Bank B -buyer's bank - securities debit CSD -securities settlement - securities credit payment advice payment confirmation money credit -money settlement - ex. TARGET2 money debit Figure 13: Abstract Model for the Sub-sector Securities Transactions The detailed analysis of all objects and processes of the sub-sector securities transactions shows that they all have a transnational dimension in the sense, that their malfunction or disruption will probably affect cross-border transactions. Nevertheless no objects and processes of this sub-sector are part of the ECI. This is due to the fact, that the impact (in this case the economic damage) of their malfunction or disruption is not expected to reach the hazard category large. The following reasons shall support the argument, that a malfunction or disruption of the objects and processes of this sub-sector will not have an impact of a hazard category higher than medium: Netting is performed for the single positions of the trades of a bank within the clearing process. This results in a relatively small amount of money to be transferred between banks (as part of the settlement) compared to the large sum of all trades processed within a given timeframe. If clearing is not available for some time due to the disruption of the systems, it can be done later after the systems work again properly. The transfer of money between the participating banks is done in some kind of a virtual closed circle. If the settlement of money between banks is disrupted, no money is lost. The amount to be settled which is not transferred to the receiving bank stays rather with the sending bank. The settlement can be done later after the systems work again properly. The impact (economic damage) is only the loss of some interest rates (on the amount which cannot be transferred) by the receiving bank. On the Final Report Version - Status: V1.0 - submitted 35 / 137

36 Finance and Transport s on ICT Critical Technical Objects and Processes other hand the sending bank has got the opportunity to gain some extra interest rates on this amount. If clearing and/or settlement are disrupted for some time this may lead of course to a situation where also the trading of securities must be interrupted. The corresponding market place could not be used for some time. In this case participants could (at least for major securities) use other market places to trade their securities. This would lead to some kind of loss of fees for the provider of this market place, which is expected to be rather small compared to the amount relevant for the hazard categories. A liquidity risk does exist for the total market, if clearing and/or settlement cannot be performed due to some disruption of the systems. This can be solved by central banks using central bank money. As a result it is not likely at all that an interruption of the mentioned objects and processes would lead to an impact of the hazard category large or catastrophic (i.e. loss of more than 1 Bil. Euro). Value at risk computations of one major service provider led to estimation of damages of less than 100 Mil. Euro. Final Report Version - Status: V1.0 - submitted 36 / 137

37 Finance and Transport s on ICT Critical Technical Objects and Processes Sub-Sector Payment Systems As part of the processing of a payment transaction the following tasks can be done by a payment system Clearing: Verification of payment transaction related information, Risk management, Netting, i.e. the summation of single payment transactions of a participating bank. Settlement: Debiting the corresponding money from the sending bank. Crediting the corresponding money to the receiving bank. Which tasks are exactly performed during the processing of a payment transaction depends on the payment system. Since the introduction of the Euro different systems for the processing of cross-border transactions have been established. Under these the major two platforms are the following: TARGET2 (Trans-European Automated Real Time Gross Settlement Express Transfer) of the Eurosystem (combination of the European Central Bank (ECB) and the national central banks of the Euro-countries). EBA-Clearing with the systems EURO1, STEP1 and STEP2 of the Euro Banking Association (EBA). Further payment systems exist, but the vast majority of interbank cross-border Euro payment transactions are processed using one of these platforms. Therefore only these two platforms will be considered further within this study. TARGET2 TARGET2 is a singled shared platform for the processing of cross-border Euro payment transactions. It is operated jointly by the national banks of France (Banque de France), Germany (Deutsche Bundesbank) and Italy (Banca d'italia) on behalf of the Eurosystem. After finalization of the migration to TARGET2 in Mai 2008, all national central banks of the Euro-countries are part of TARGET2. In addition nearly all national banks of other European countries with another currency as Euro are also part of TARGET2. The European Central Bank (ECB) is also part of TARGET2. From a technical point of view TARGET2 is a single shared platform, but from a legal point of view it is a collection of different TARGET2 system components. Each central bank being part of TARGET2 has got its own TARGET2 client system. A Bank which wants to use the TARGET2 system for the processing of cross-border payment transactions must become a participant of the system. There are different ways how a bank can participate in TARGET2. The following figure gives an overview: Final Report Version - Status: V1.0 - submitted 37 / 137

38 Finance and Transport s on ICT Critical Technical Objects and Processes Bank a indirect participant Bank b indirect participant Bank 1 Bank 2 direct direct participant participant Germany Country 2 group of banks Bank 3 Bank 3-1 direct affiliated participant bank multi-addressee access Bank 3-2 affiliated bank Country n RTGS account Target2-bbk Bundesbank RTGS account Target2-cb2 Central Bank 2... RTGS account Target2-cbn Central Bank n Target2-SSP (Single Shared Platform) Figure 14: Architecture of the System TARGET2 for the real time gross Settlement of payment Transactions For the consideration of TARGET2 within this study the precise way of how a bank participates is not relevant. Therefore only the case of direct participants will be regarded further. To be a direct participant of TARGET2 the bank needs a so called RTGS account with one of the national banks which is part of the TARGET2 system. The business relationship exists exclusively between the participating bank and the corresponding national bank and not with the TARGET2 system. The national bank provides the RTGS account of the participating bank within its client system of TARGET2. For processing payment transactions the TARGET2 system offers a real time gross settlement, i.e. payment transactions are processed continuously during the business day and finalized immediately (if the RTGS account of the payer contains the needed funds to cover the transaction). Example: If bank 1 wants to pay an amount to bank 2, it sends a corresponding payment order to the national bank which holds its RTGS account. Within TARGET2 the amount of the payment transaction is debited to the RTGS account of bank 1 and credited to the RTGS account of the receiving bank 2. The receiving bank 2 is informed about the incoming payment by the national bank, which holds the RTGS account of bank 2. Besides the processing of cross-border payment transactions TARGET2 offers further services to its participating banks like the management of reserves and limits. In addition to the processing of (cross-border) interbank payment transactions TARGET2 can also be used for the processing of (high-value or very urgent) individual payment transactions. Final Report Version - Status: V1.0 - submitted 38 / 137

39 Finance and Transport s on ICT Critical Technical Objects and Processes In addition to credit institutions also other systems can use the TARGET2 system for the settlement of large cross-border payment transactions. For this the system must participate in TARGET2 as a so called ancillary system. EBA-Clearing The Euro Banking Association (EBA) was founded 1985 by commercial banks. Today it has got about 190 members. EBA-clearing is a private sector provider of payment systems founded by EBA. The following payment systems are offered by EBA-clearing: EURO1: system for single high-value cross-border or domestic payment transactions in Euro between huge commercial banks operating in the European Union. This payment system includes the clearing and settlement of the transactions. The ECB is used as settlement bank. STEP1: system for single cross-border payment transactions in Euro between commercial banks. This payment system includes the clearing and settlement. Banks which are direct participants of the EURO1 system are used as settlement bank. STEP2: system for bulk cross-border or domestic payment transactions in Euro in the sense of a pan-european automated clearing house. This payment system does not include the settlement. Settlement is rather done using TARGET2. From the point of view of the intentions of this study the differences between the payment systems offered by EBA-clearing are of no concern. The processing of transactions with respect to the information and communication infrastructure is almost identical. For this reason only EURO1 will be considered further in this study. The following figure gives an overview for the clearing and settlement of payment transactions using the EURO1 system: Final Report Version - Status: V1.0 - submitted 39 / 137

40 Finance and Transport s on ICT Critical Technical Objects and Processes Target2 Central Bank A RTGS account Bank 1 money transfer ECB RTGS account EBA money transfer Central Bank B RTGS account Bank 2 payment information about order incoming payment payment order (short-amount after cut-off) EBA EURO1 information about incoming payment (long-amount after cut-off) information about settlement finalization information about settlement finalization Bank 1 (short after cut-off) copy payment message payment message Bank 2 (long after cut-off) country A country B Figure 15: Clearing and settlement of Payment Transactions using EBA EURO1 Currently the EURO1 system has 66 participating banks and 63 sub-participants. A subparticipant is a subsidiary of a participating bank which is connected directly to the system. The sub-participant can use the EURO1 system autonomously but under the single liquidity position of the participating bank. The EURO1 system acts as clearing house for the payment transactions. If a transaction shall be processed by EURO1 a copy of the corresponding payment message will be sent to the EURO1 system. Incoming payment messages are processed individually. The EURO1 system manages debit and credit caps for its participating banks. If processing of a payment message would violate the debit cap of the sender or the credit cap of the receiver, the message will not be processed directly but queued for later processing. Otherwise the incoming payment message is processed directly and the amount is virtually debited to the sender and virtually credited to the receiver (clearing and disposition). By this a netting of the single positions of a participating bank is performed, but no actual money is transferred at this time. At a special cut-off time all positions of the participating banks are settled. For the final settlement a bank which is short after cut-off must transfer the netting amount to EBA. For this the bank gives a corresponding payment order to the central bank of its country. This central bank transfers the money to the account of EBA at the ECB. The ECB informs EBA about the incoming payment. EBA distributes the incoming money of all short banks to the banks which are long after cut-off and transfers the resulting money to these banks. For this it gives corresponding payment orders to the ECB. The ECB transfers the money accordingly to the central banks of the countries of the receiving banks. These national banks than inform the receiving banks about the incoming payment. Final Report Version - Status: V1.0 - submitted 40 / 137

41 Finance and Transport s on ICT Critical Technical Objects and Processes For transferring the money between the participating central banks TARGET2 is used. Critical Objects and Processes With the exception of the systems of a single bank all processes of the sub-sector payment systems have a transnational dimension in the sense, that their malfunction or disruption will probably affect cross-border transactions. Nevertheless no objects and processes of this sub-sector are part of the ECI. This is due to the fact, that the impact (in this case the economic damage) of their malfunction or disruption is not expected to reach the hazard category large. The argumentation why it is not expected that a disruption of the systems and processes will lead to an impact of the hazard category large or catastrophic is similar to the discussion for the sub-sector securities transactions at the end of paragraph In addition, if the settlement of cross-border payment transactions cannot be done using the mentioned payment systems above for some longer time, the former system of correspondent banks can be used again in the mean time to counterfeit any possibly arising liquidity risk of the participating banks. This system of correspondent banks can work using traditional ICT like fax or telephone. This would lead to an increase of transaction time and of course of transaction costs, but at least settlement could be performed between banks again. Final Report Version - Status: V1.0 - submitted 41 / 137

42 Finance and Transport s on ICT Critical Technical Objects and Processes 3.3 Sector Transport s Objects and processes in the transport sector can be related to the planning, construction and operation phases. In this study the operational aspects in the transport infrastructure are considered. The sector transport consists of following sub-sectors: Air Traffic Waterways Railways Road. The model for the transport sector is structured as a meta model with corresponding subsector models which are derived from the meta model. Figure 16 shows the meta model for the transport sector. Figure 16: Meta Model for Transport Sector On the metalevel, the following objects of the transport sector can be identified: Trans-shipment complex: This is the location, where passengers get on the transportation means. Also the goods are shipped here. An airport is an example. Transported passengers and goods: The passengers relate to one of the most important criterion of the transport sector, namely loss of life. Final Report Version - Status: V1.0 - submitted 42 / 137

43 Finance and Transport s on ICT Critical Technical Objects and Processes Transportation means: The transportation means are the vehicles, which are used during transportation. In the case of airways this would be an airplane. Transportation media: Transportation media are the main criteria for subdividing the transport sector (air traffic, road, waterways, rail) Energy supply: Objects of the transportation sector (trans-shipment complex, transportation means and transportation media) usually have components for energy supply. These components will not be taken into account in further analyses, as the question of energy supply will be discussed in the energy sector. Operating equipment: Objects of the transportation sector (trans-shipment complex, transportation means and transportation media) have operating equipment. Also internal ICT systems are considered as oprating equipment. In this sense an onboard computer on an airplane is a piece of operating equipment. Control system: The control system acts on a higher level, in order to coordinate the safe oparation of objects. A typical example is an air traffic management system which coordinates air traffic. On the meta level. the following processes of the transport sector can be identified: Processing of trans-shipment procedures. This process takes place in the transshipment complex. It is related to transportation means (e. g., airplane) and transported passengers/goods (e. g., check-in procedure for passengers) Protection of the objects. This process relates to several areas: - Environmental damage including fire and flooding. - Access control for security purposes or against terrorist attacks Operation of the objects. This can be related to a trans-shipment complex or transportation means. The airport or airplane operation of an are examples for this process. Handling of man-made disasters, here usually after an incident. This process includes: - Search and rescue of victims. - Environmental disasters (e. g., averages on sea of oil tankers or accidents on the road with chemicals) - Firefighting, e. g., on a ship Information supply for the public. This can be for different purposes, e. g., information about time schedules, but also to inform passengers about conditions of transport media (e. g., road conditions) Maintenance, which addresses many kinds of objects in the transport sector. It is a regular process and assures safe operation. Control. This process includes the coordination of several objects and includes - Data retrieval from objects, e. g., positioning of the objects Final Report Version - Status: V1.0 - submitted 43 / 137

44 Finance and Transport s on ICT Critical Technical Objects and Processes - Evaluation of the situation - Communication to the objects for control purposes These objects and processes are valid for most of the transportation sub-sectors which will be discussed in detail in subsequent chapters. The consideration of hazard criteria shows that for the entire transport sector the most critical objects and processes are the systems for controlling traffic flow and the control process which may be carried out across borders Sub-sector Air Traffic Passengers and limited amounts of cargo can be transported via air traffic very quickly over long distances, but it is an expensive method due to high energy use. The increasing air traffic density in Europe (and elsewhere) makes the very precise control of air traffic necessary. Table 2 shows considered critical objects and processes for the airways sub-sector. Object or Process Hazard category Trans national dimension Relevance Aircraft Loss of life possible No No Airport Loss of life possible No No Airport operating system No large or catastrophic hazard expected No No Airspace No large or catastrophic hazard expected No No Airport facilities No large or catastrophic hazard expected No No Aircraft equipment No large or catastrophic hazard expected No No Air traffic control No large or catastrophic hazard expected No No Air traffic management system Processing of trans shipment procedures Loss of life possible Yes Yes No large or catastrophic hazard expected No No Airport operation No large or catastrophic hazard expected No No Information supply to the public No large or catastrophic hazard expected No No Final Report Version - Status: V1.0 - submitted 44 / 137

45 Finance and Transport s on ICT Critical Technical Objects and Processes Object or Process Hazard category Trans national dimension Relevance Aircraft operation Loss of life possible No No Protection of airports and aircrafts Loss of life possible No No Maintenance of aircrafts Loss of life possible No No Emergency procedures Loss of life possible No No Air traffic management Loss of life possible Yes Yes Table 2: Critical Objects and Processes for the Air Traffic Sub-sector. The following critical objects and processes can be identified in the sub-sector air traffic: Air traffic management system, which is a complex IT-system. Air traffic management process. It consists of: - Aerodrome control: This sub-process controls the movements of aircrafts on the ground. - Approach control: This sub-process controls the movement of aircrafts in the neighbourhood of the airport - Area control: This sub-process controls the movements of aircrafts between airports in higher altitude Sub-sector Waterways Naval vehicles can transport large quantities of non-perishable goods with little personnel over long distances. Sea transport is the most energy-efficient way of transport. The control of water transport is mainly carried out locally without significant cross border communication. International Maritime Organisation established ship routing systems like traffic separation schemes in crowded shipping areas (e.g. Baltic Sea), and the number of collisions or groundings has been dramatically reduced. Vessel traffic services are important for short sea shipping in coastal areas. These services range from the provision of simple information (e.g. position of other traffic) to management of traffic within a port. An exception for vessel traffic services considering two countries is the Öresund area between Sweden and Denmark. However the services in the Oresund area are provided by a single system without any (transnational) coordination between the Swedish and Danish authorities. Final Report Version - Status: V1.0 - submitted 45 / 137

46 Finance and Transport s on ICT Critical Technical Objects and Processes Beyond shipping over long distances (like transcontinental shipping) and short sea shipping in coastal areas, inland navigation plays a certain role in international transport. But the criticality is not considered very high. An accident on the inland waterways could block the waterway, causing some financial loss, which can affect other countries, like it happened on the Rhine in early March After this accident the Rhine River was blocked for nearly a week. According to the German Association for inland navigation the financial loss was only about 2 million euro, which is far below the defined limit of 1 billion euro. From the control point of view national waterways like Rhine Main Danube Canal have completely a local character because they connect two points inside national borders and are controlled by a national control system, without any control coordination with other control systems across Europe. The European Commission issued several projects to promote a better use of rivers and canals for freight transport across Europe. In this context information systems for inland navigation has been established, known as RIS - River Information Services 10. Examples are ELWIS in Germany, DoRIS in Danube countries. RIS are planned to be used internationally, for example for customs and border procedures. However the interoperability of vessel traffic services (VTS) for inland navigation across countries is still to be implemented. Table 3 shows the considered objects and processes for the waterways sub-sector. Object or Process Hazard category Trans national dimension Relevance Vessel Loss of life possible No No Harbour No large or catastrophic hazard expected No No Port facilities No large or catastrophic hazard expected No No Vessel equipment No large or catastrophic hazard expected No No Waterway No large or catastrophic hazard expected No No Waterway equipment No large or catastrophic hazard expected No No VTIMS Vessel traffic management information system Loss of life possible No No 10 see COMMISSION REGULATION (EC) No 414/2007 Final Report Version - Status: V1.0 - submitted 46 / 137

47 Finance and Transport s on ICT Critical Technical Objects and Processes Object or Process Hazard category Trans national dimension Relevance VTIMS (for inland navigation) No large or catastrophic hazard expected Yes No Port management system No large or catastrophic hazard expected No No Processing of the transhipment procedures No large or catastrophic hazard expected No No Harbour operation No large or catastrophic hazard expected No No Vessel operation Loss of life possible No No Protection of the harbour Loss of life possible No No Average handling Loss of life possible No No Information supply to the public Vessel traffic services (for maritime control ) Vessel traffic services (for inland navigation) No large or catastrophic hazard expected No No Loss of life possible No No No large or catastrophic hazard expected Yes No Table 3: Critical Objects and Processes for the Waterways Sub-sector. No critical objects and processes can be identified in the sub-sector waterways. The only exception can be the oil port of Rotterdam in The Netherlands, because the oil supply of the continent depends on this port and any failure could cause some economic damage Sub-sector Railways The rail transport is the most energy efficient method on land. Although there are a large number of different regulations for rail transport within the European community it plays a major role for freight and passenger transport. The control systems for rail traffic distinguish between operation systems and interlocking systems. The operation system focuses on disposition while the interlocking system addresses security aspects. Table 4 shows the considered objects and processes for the sub-sector railways. Final Report Version - Status: V1.0 - submitted 47 / 137

48 Finance and Transport s on ICT Critical Technical Objects and Processes Object or Process Hazard category Trans national dimension Relevance Train Loss of life possible No No Railway station Loss of life possible No No Railway station equipment No large or catastrophic hazard expected No No Onboard equipment for trains No large or catastrophic hazard expected No No Railway network No large or catastrophic hazard expected No No Railway network elements Loss of life possible No No Interlocking system Loss of life possible Yes Yes Railway station operating system Operational control system Processing of the transhipment procedures Information supply for the public Operation of railway stations No large or catastrophic hazard expected No No No large or catastrophic hazard expected Yes No No large or catastrophic hazard expected No No No large or catastrophic hazard expected No No No large or catastrophic hazard expected No No Operation of trains Loss of life possible No No Protection of railway stations and trains Operational control process Loss of life possible No No No large or catastrophic hazard expected Yes No Interlocking process Loss of life possible Yes Yes Table 4: Critical Objects and Processes for the Railway Sub-sector. The following critical objects and processes can be identified in the sub-sector railroad: Final Report Version - Status: V1.0 - submitted 48 / 137

49 Finance and Transport s on ICT Critical Technical Objects and Processes Interlocking system, a complex system which controls the railway network elements for security purposes. Interlocking process, consisting of the following sub-processes - Route pretest - Route locking - Route release - Protection handling. This includes, e. g., flank protection for trains. - Signalling Sub-sector Road A large amount of transport is taking place on the road, although it is not very energy efficient and is the main source of noise and air pollution in cities. The main reason for the importance of the road is its flexibility. Road transport is usually necessary for other kinds of transport. For example freight is often brought to a sea port by trucks. Control of road traffic usually takes place locally without cross border communication. Rare cases for cross border interaction can be seen in some tunnels, which will be focused on in this document. While the hazardous accidents in tunnels play a significant role bridges are relatively uncritical in this context. Table 5 shows the considered objects and processes for the road sub-sector. Object or process Hazard category Trans national dimension Relevance Road No large or catastrophic hazard expected No No Motor vehicle No large or catastrophic hazard expected No No Road terminal Loss of life possible No No Road terminal facilities No large or catastrophic hazard expected No No Motor vehicle equipment Loss of life possible No No Operational system control No large or catastrophic hazard expected No No Traffic routing system Loss of life possible No No Section (tunnel) control systems Loss of life possible Yes Yes Final Report Version - Status: V1.0 - submitted 49 / 137

50 Finance and Transport s on ICT Critical Technical Objects and Processes Object or process Hazard category Trans national dimension Relevance Tunnel facilities No large or catastrophic hazard expected No No Toll systems No large or catastrophic hazard expected No No Road facilities No large or catastrophic hazard expected No No Processing of the transshipment procedures Operation of the road terminal Operation of motor vechiles Information retrieval for the public Protection of road terminals and motor vechiles No large or catastrophic hazard expected No No No large or catastrophic hazard expected No No Loss of life possible No No No large or catastrophic hazard expected No No Loss of life possible No No Traffic routing Loss of life possible No No Emergency procedures Loss of life possible No No Section (tunnel) control Loss of life possible Yes Yes Table 5: Critical Objects and Processes for the Road Sub-sector. The following critical objects and processes can be identified in the sub-sector road: Section control system for (cross-border) bridges or tunnels Section control process for (cross-border) bridges or tunnels Final Report Version - Status: V1.0 - submitted 50 / 137

51 Finance and Transport s on ICT Critical ICT Dependencies 4 Critical ICT Dependencies In this chapter European critical infrastructures as identified in the above section are examined concerning their ICT dependencies. For further analysis, better comparison and summary conclusion a rudimental structuring of the ICT sector is necessary, bringing together general surveys as well as adequate details for further analysis of ICT threats and vulnerabilities. It is important to note that this general issue is currently subject to various activities on an EU level. One of the key considerations in this context is the ARECI Study [EU_INFSO_2008], which provides a framework for comprehensive consideration of the relevant aspects of ICT infrastructures by the introduction of the Eight Ingredients. Another important reference is the provision of six specific ICT based services described in the EPCIP documents, which currently serve as a sub-sector definition. After careful consideration of the most relevant suggestions in this respect, we came to the conclusion that none of those can be directly applied to the subject of this study. Instead we used a synthesis of the basic ideas and adapted it to an effective approach for the specific objectives. IT System / Service Communication System Qualitative ICT- Dependencies internal external Dependency x Process Control / SCADA System x Trading System x x Clearing System x x Settlement System x Payment System x Messaging Service x File Transfer Service x x x x LAN (own) x WAN (public) WAN (private) x Fixed / Landline telecommunication x Mobile telecommunication Radio Communication x Internet x Leased line Satellite communication (own link) x Broadcasting x Secure Private Network x HW maintenance (replacement incl.) x SW updates and upgrades x SW support (hotline, remote access,...) Table 6 : Categories of ICT Dependencies It is assumed that ECI rely on a set of typical IT systems, i. e. joined software systems that run on (private) application servers somewhere in the domain of the ECI provider (marked internal in adjoining table). Additionally, dedicated (vital) software services are used which essentially rely on external (i. e., beyond the responsibility and domain of an ECI provider) IT systems and services. Another partition of the ICT sector comprises a set of typical communication systems representing services which are mainly characterised by exchange of data, voice communication and underlying networks. In this approach, the internet is regarded as a communication system on which end user services (i. e., http, ftp) are based upon. Some of the communication services listed in Table 6 rely on IT infrastructures within the domain of the ECI provider. Therefore, the communication service WAN is listed twice: WAN (private) denotes private and selfoperated network infrastructures that are common practice in focussed sectors and WAN (public) relying on public communication lines. In some sub-sectors IT systems and services highly rely on dedicated secure private networks which themselves are based ob various physical communication lines. As these networks play an important part in communication infrastructure of some sectors major ones are described in more detail in sub-section 4.4. Final Report Version - Status: V1.0 - submitted 51 / 137

52 Finance and Transport s on ICT Critical ICT Dependencies At this stage interdependencies between different communication services (e. g., reliance on common network backbone, mapping of WAN on fixed telecommunication lines) are neglected. As already pointed out in section qualitative ICT dependencies are listed which basically represent maintenance and support services for software and hardware producers. For the identification of critical ICT infrastructure the dependencies of critical technical objects and processes to ICT according to the above mentioned categories have to be determined direct and indirect dependencies (e. g., process depends on SCADA-system which relies on WAN to remote stations / sensors) have to be added up all ICT dependencies have to be assessed regarding the impact they have in case of their failure For this, evaluation categories as pointed out in Table 7 are introduced: ICT Dependency H L HR LR Description High dependency Low dependency High dependency and redundant system / process available Low dependency and redundant system / process available Table 7: Evaluation Categories of ICT Dependencies Assessing the concrete ICT dependency of a technical object or process as H or L indicates that a malfunction or breakdown of this ICT service highly resp. lowly entails a negative impact on the availability of the technical object or process. However, in most cases there are redundancies reducing the impacts of a (single) failure of the object or process in question. These redundancies can vary on many levels, ranging from hot standby down to relative simple degradation modes providing a minimum of functionality in emergency cases. To cover these facts we have introduced a simplified redundancy mode in terms of HR or LR to indicate that there is one ore more redundant function(s) which replaces or mitigates malfunction of the primary ICT System Here other ICT systems and processes are focussed on; redundancy within the same ICT system (e. g., redundant hardware or replication systems) is disregarded at this point (for further analysis, see section 6.2 Existing Protection Strategies - Best Practises) Final Report Version - Status: V1.0 - submitted 52 / 137

53 Finance and Transport s on ICT Critical ICT Dependencies 4.1 Sector Energy s Sub-Sector Electricity The frequency and load control process is based on SCADA systems which are operated through the TSO control room. In general, the SCADA works with WAN on the remote objects. In addition, these objects can also be peripherally operated by personnel on site which receives information through communication lines. The coordination process between the TSOs of control areas mainly takes place through an electronic highway, which is implemented as a secure private network (see also subsection 4.4.1). In addition, voice and communication can take place through mobile/landline telecommunication and or internet. The frequency / load control processes could also be interrupted by failures in the SCADA systems, causing incorrect switching of lines and/or transformers, which might lead to overloads and cross-border cascading effects, triggering in the worst case separations of the interconnected system and black-outs. But in this case any cascading effects and separation of the system would occur only accidentally, because the SCADA system itself does not know which lines and transformers are critical in a current state of the overall system to trigger the worst case Sub-sector Gas The capacity and pressure control process is based on SCADA systems which are operated through the TSO control room. In general, the SCADA works with WAN or satellite links on the remote objects. In addition, these objects can also be peripherally operated by personnel on site which receives information through communication lines. The coordination of the capacity and pressure control process takes place through communication lines between the TSO control rooms. Though for example incorrect signals may lead to shutting down valves / compressors, the redundancy and independency of on-site controls and sensors in conjunction with sufficient lead times give sufficient signals to all control levels to prevent larger damage Sub-sector Oil The refinery control process is based on process control systems which are operated through the refinery control room. Depending on the design, the process control systems are run separately as an island grid or are connected to open systems. In general, the process control systems are supported by separate, independent emergency shut down systems which minimize the consequences of emergency situations. The volume control process of pipelines is based on SCADA systems which are operated through the TSO control room. In general, SCADA works with WAN or satellite links on the remote objects. In addition, these objects can also be peripherally operated by personnel onsite who receive information through communication lines. Final Report Version - Status: V1.0 - submitted 53 / 137

54 Finance and Transport s on ICT Critical ICT Dependencies Due to the characteristics of the oil infrastructure, which does no constitute an interconnected network, the SCADA and communication systems are generally operated separately for each transmission pipeline and storage facility. There is no need for the coordination of volume control processes as in the electricity and gas infrastructures. Though, for example, incorrect signals may lead to shutting down valves / pumps and eventually interrupt a pipeline, the redundancy and independency of on-site controls and sensors in conjunction with sufficient lead times give sufficient signals to all control levels to prevent larger damages. 4.2 Sector Finance s The sub-sectors of the finance sector do not contribute to the ECI, as described in the finance sector models. As already described, impacts from malfunction or disruption of the systems and processes of these sub-sectors are not expected to belong to the hazard categories large or catastrophic, although their systems and processes are of importance for the functioning of the finance sector Sub-sector Securities Transactions As described in paragraph the objects of the sub-sector securities transactions correspond to the relevant IT systems. Any malfunction or disruption of a system immediately affects the performance of the corresponding process. Therefore the possibility of any disruption of the systems is minimised by a complete redundant system design and an architecture, which guarantees high availability of the backend systems. Furthermore different providers of such systems exist in Europe. For example different market places do exist for trading securities. The type of connection from a participant to these systems can be chosen by the participant (e.g. other banks) up to its needs (leased lines, Internet, ). For the settlement systems the participants can be connected using the SWIFT network which offers a network for the exchange of transaction messages between organisations of the finance sector (see section for details on SWIFTNet) Sub-sector Payment Systems In this paragraph the ICT dependencies for the payment system TARGET2 and the systems supported by EBA-Clearing are considered. Of course each of the payment processes highly depends on the related systems. Any malfunction or disruption of a system immediately affects the performance of the corresponding process. A redundancy between two IT systems is only available, if both corresponding payment systems can be used for a given payment transaction. Final Report Version - Status: V1.0 - submitted 54 / 137

55 Finance and Transport s on ICT Critical ICT Dependencies The overall system TARGET2 consists out of two regional systems which are operated in two different regions in Europe. Each of these regional systems can operate the complete TARGET2 system on its own. At any time one of the regional systems acts as the productive (live) TARGET2 system. The other regional system is used at that time as test and training system. In case of a breakdown of the regional system acting as productive TARGET2 system, the other regional system can take over the task without any relevant delay. In any case the two regional systems exchange their role of being the productive system or of being the back-up system periodically. For the connection of the participating banks to the TARGET2 system the SWIFT network is used (see sub-section for details on SWIFTNet). The payment systems EURO1 and STEP1 are operated by two systems at different sites. For the connection of the participating banks the payment systems EURO1 and STEP1 are using the SWIFT network. For the payment system STEP2 of EBA-Clearing a similar architecture exists. For the communication between the participating banks and the host systems of EBA-clearing the network for the STEP2 system is based on the SIA-SSB network of the Italian provider SIA- SSB. SIA-SSB network also offers a highly available, reliable and fault tolerant network (see subsection 4.4.3). The process cross-border payment of the model for the sub-sector payment systems depends highly on the given payment systems TARGET2, EURO1, STEP1 or STEP2. But this does not mean that this process depends redundantly on these systems. For a given concrete payment transaction it depends on the nature of the transaction which payment system can be used. For large cross-border payment transactions there is some redundancy between the TARGET2 system and the EURO1 system of EBA-Clearing. If two banks are participants (direct or indirect) of both systems, they can use either of these two payment systems for a payment transaction between them. Nevertheless EURO1 cannot be used in all cases as a back-up in case of non-availability of TARGET2, since TARGET2 may also be necessary for the final settlement within EURO1. For the processing of a single payment transaction to be processed using STEP1 the banks can also use TARGET2. On the other hand the payment system STEP2 is operated for processing bulk payments. These cannot be processed by any of the other mentioned payment systems. 4.3 Sector Transport s The dependency of traffic control systems and processes on ICT infrastructures is very high. The dependency covers the following ICT systems: SCADA system used for the control process Messaging services are used for data transfer between control systems but it can be replaced by file transfer services. Final Report Version - Status: V1.0 - submitted 55 / 137

56 Finance and Transport s on ICT Critical ICT Dependencies A LAN is usually the basis for SCADA systems used in the traffic sector Radio communication is a common data transfer mean between control systems and transportation means. In some cases it can be replaced, e. g., in air traffic, by satellite communication. The details of the sub-sectors are shown in following chapters Sub-sector Air Traffic The following dependencies can be identified: High dependency on the SCADA system High dependency on the LAN system on which the SCADA system is based High dependency on messaging services for data transfer between control systems which can be replaced by file transfer services. High dependency on radio connection to the aircrafts The satellite connection is considered as fallback level Communication via landline telecommunication is the norm but can be replaced, e. g., by mobile telecommunication Sub-sector Waterways No critical objects or processes are identified in the sub-sector waterways which fulfil the hazard criteria Sub-sector Railways The following dependencies can be identified: High dependency on the SCADA system High dependency on the LAN system on which the SCADA system is based High dependency on radio communication to trains, which can often be replaced by mobile telecommunication Sub-sector Road The following dependencies can be identified: High dependency from the SCADA system High dependency on the LAN system on which the SCADA system is based Final Report Version - Status: V1.0 - submitted 56 / 137

57 Finance and Transport s on ICT Critical ICT Dependencies Low dependency on the landline telecommunication 4.4 Secure Private Network As presented above in various sectors core business processes depend and rely on secure private networks which therefore have to be focussed as a main critical ICT infrastructure. To make this a bit more tangible three secure private networks are presented whose influence on critical processes is shown in following subsections Electronic Highway Within the electricity sub-sector UCTE has established a communication network for data exchange among transmission system operators (TSOs) which is called Electronic Highway. Principles and minimum requirements of this communication network are part of the UCTE Operation Handbook [UCTE_2004] which are detailed in a confidential document entitled Electronic Highway Technical Reference Manual. The Electronic Highway is designed for the following data exchange services (which are defined and detailed within [UCTE_2004]). Real-time data exchange (e.g. switch / unit status, active power, voltage, alarms,..) to help monitoring and coordinating system operation (data for real-time control application are not recommended) primary scope and highest priority File transfer (e.g. transmission schedules, planning data...) /Messaging for operational person-to-person or automated application-toapplication data exchange The Electronic Highway is a private network that operates under the responsibility of the member TSO and two UCTE Network Operation Centres. It is designed as a high available (> 99.8%), reliable and redundant network based on physical connections and dedicated communication infrastructure between TSO. All network components and for all point-to-point connections physical redundancy is implemented. Network Operation Centres are operational on a 24 h / 7 day basis. Direct connections to the Internet are not allowed SWIFTNet Analysis and modelling of the financial sector led to the conclusion that core business processes and the global financial market highly dependent on an information and communication infrastructure especially for and between cross-national and global market participants. The bigger financial institutions are the more they are internationally linked. Final Report Version - Status: V1.0 - submitted 57 / 137

58 Finance and Transport s on ICT Critical ICT Dependencies These ICT-Dependencies exist regardless of the criticality of each process itself and existing protection strategies. Therefore the following section describes the leading global communication network provider SWIFT 12 for financial institutions. 13 SWIFT is a co-operative company owned by banks and financial institutes which provides the proprietary communication platform SWIFTNet and standardised messaging services (payments, treasury, securities, trade messages). This includes secure exchange of proprietary data while ensuring its confidentiality and integrity and excludes management of any accounts (no payment or settlement system) or funds transfer. SWIFT develops standards for financial message format and content and cooperates with international organisations. According to own statement SWIFT connects more than financial institution and corporate customers in 209 countries and delivers millions of messages each day. SWIFTNet has a service availability of % (which means less than 10 min downtime per year). As a large number of systemically important payment systems depend on SWIFT, the central banks of G-10 agreed to co-operative oversee SWIFT with The National Bank of Belgium as lead overseer. Together with the annual reports, SWIFT publishes special reports 14 that provide information about the security and reliability controls that SWIFT implements. Technical Architecture new US EU SWIFT operates a distributed network architecture with currently two operation centres (a third will be established in 2009). All network connections are based on a multi-vendor secure IP network using IPSec and VPN technology and relying on worldwide physical networks provided by AT&T, Colt, Orange Business Services and BT Infonet. US US US EU EU EU Asia Asia Figure 17: SWIFT Operating Centres (source: SWIFT) 12 SWIFT = Society for Worldwide Interbank Financial Telecommunication 13 The following paragraphs are based on [SWIFT_2008, SWIFT_2009] 14 A service auditor's examination performed in accordance with SAS No. 70 ("SAS 70 Audit ) represents that a service organization has been through an in-depth audit of their control objectives and control activities, which often include controls over information technology and related processes. Final Report Version - Status: V1.0 - submitted 58 / 137

59 Finance and Transport s on ICT Critical ICT Dependencies According to customer requirements regarding performance (less than messages per day up to > per day) and resilience different connectivity options (dialup, permanent, primary, backup-line, network partner(s)) are supported, which can be summarized in brief by the following Figure 18. Figure 18: SWIFT multi-vendor secure IP Network (SIPN) (source: SWIFT) Protection Strategies According to SWIFT s slogan failure is not an option the company has a strong security policy which encompasses Broad range of resilient client connectivity packages Multiple access networks and managed fully redundant backbone Multiple operating and customer support centres on different continents Business continuity plans across all operations which are tested & audited SIAnet SIAnet is a secure private network in the finance sector operated by SIA-SSB Group, a merger from two Italian private companies 15. Starting in the 1980s as an interbank network provider in Italy it now offers a.o. connectivity and networking services to 592 nodes thereof 169 in 22 countries. SIAnet also offers access services to SWIFTNet. According to own statements SIAnet had a network availability in 2007 of 99.99%. As one of the major services SIA-SSB operates the system EBA STEP2 which enables the reachability of banks in the context of SEPA, wherever they are located. 15 The following paragraphs are based on [SIA_2009] Final Report Version - Status: V1.0 - submitted 59 / 137