A System for Protecting Crutial Things *
Abstract
Today’s critical infrastructures like the Power Grid are essentially physical processes controlled by computers connected by networks. Once these systems were highly isolated and secure against most security threats. However, in recent years they have evolved in several aspects that greatly increased their exposure to cyber-attacks coming from the Internet. Firstly, the computers, networks and protocols in those control systems are no longer proprietary but standard PCs and networks (e.g., wired and wireless Ethernet), and the protocols are often encapsulated on top of TCP/IP. Secondly, these networks are usually connected to the Internet indirectly through the corporate network or to other networks using modems and data links. Therefore these infrastructures have a level of vulnerability similar to other systems connected to the Internet, but the socio-economic impact of their failure can be huge. This scenario, reinforced by several recent incidents, is generating great concern about the security of these infrastructures, especially at government level. Recently, we proposed a reference architecture to protect critical infrastructures, in the context of the CRUTIAL EU-IST project [2]. The idea is to model the whole infrastructure as a WAN-of-LANs, where the typical facilities that compose it (like power transformation substations or corporate offices) are modeled as collections of LANs interconnected by a wider-area network (WAN). Using this architecture, we reduce the problem of critical infrastructure protection to the problem of protecting LANs from the WAN or other LANs. Consequently, our model and architecture allow us to deal both with outsider threats (protecting a facility from the Internet) and insider threats (protecting a critical host from other hosts in the same physical facility, by locating them in different LANs). Here, we introduce a device for protecting LANs called the CRUTIAL Information Switch (CIS).
A fundamental service provided by the CIS is the Protection Service, which ensures that the traffic entering and leaving the LAN satisfies the security policy of the infrastructure. However, a CIS cannot be a simple firewall, since that would put the critical infrastructure at most at the level of security of current (corporate) Internet systems, which is not acceptable since intrusions in those systems are constantly being reported. Instead, the CIS has many distinguishing characteristics. Firstly, it has similarities to a distributed firewall, since a CIS can be deployed not only on the network border but inside the networks to better