The History Of The Critical Infrastructures

Published Date: 02 Nov 2017

Natural disasters like for example hurricane Katrina (2005), the earthquake followed by the tsunami that affected Fukushima nuclear reactor in Japan (March 2011) and more recently the hurricane Sandy (2012) show us that some essential services can become unavailable causing chaos and difficulties for citizens and the economy. Those examples show us that Critical Infrastructures (CI) are one of the most important technical or industrial systems that have a strong impact on people lives and economy operation worldwide. This type of infrastructures, usually facilities/utilities, provide services that are essential to the the actual society as the services they provide are usually basic inputs to other simple or complex systems. This dependency from services provided by CIs can, in case of an improper operation of the CI, lead to the disruption of other dependent services.

Actually, the media is paying special attention to this type of Infrastructures while the risk of ``traditional" or cyberterrorism attacks increases. Citizens are also becoming aware and concerned about those risks due, e.g. to a recent television series, ‘24 – season seven’, where the fiction character Jack Bauer fights a terrorist group intending to destroy some Critical Infrastructures in the United States of America. Apart from the fiction involved, this TV series, one of the first of this kind, clearly tried to demonstrate how important those infrastructures are and how weak they can be.

Governments from many countries around the world are already aware about the importance of their Critical Infrastructures not only for the well-being of their Citizens but also for the survivability of their nations in terms of economy and defence.

The relevance of the area was first defined by the Administration of the United States of America as,

\begin{quote}

``Critical infrastructures are those physical and cyber-based systems essential to the minimum operations of the economy and government. These systems are so vital, that their incapacity or destruction would have a debilitating impact on the defence or economic security" \cite{Clinton1996}.

\end{quote}

More recently, on February 13, 2013, the President of the United States of America, Barack Obama, issued the Executive Order 13636 ``Improving Critical Infrastructure Cybersecurity" \cite{Obama2013}. In this document, the main defined policy is highlighted in the first section as:

\begin{quote}

``Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity. The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront. The national and economic security of the United States depends on the reliable functioning of the Nation's critical infrastructure in the face of such threats. It is the policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties. We can achieve these goals through a partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing and collaboratively develop and implement risk-based standards." \cite{Obama2013}

\end{quote}

One important aspect from President Obama Executive Order on ``Improving Critical Infrastructure Cybersecurity" is identified in Section 4 of that document where it is proposed that the Policy of the United States Government should help improve the cyber threat information sharing among private sectors entities that control CIs so that those entities can better fight against cyber threats.

Legislation or encouraging policies to help improve the information sharing among Critical Infrastructures owners has already been issued in other regions like the European Union and Australia. In the United States of America, this type of policies as special relevance as most of the CIs are privately owned. Apart from this ``novelty", the Executive Order \cite{Obama2013} proposes the development of a `Baseline Framework to Reduce Cyber Risk to Critical Infrastructure" that can help to improve, for example, the regulations ISO 27001 (widely used in industry), 800-53 (used within the USA government) or NERC CIP (used in energy sectors). One aspect that can turn to a drawback is stated in the section 8, defining that the adoption of the framework can be done in a voluntary basis. For instance, the information sharing among CIs has higher relevance with the increase in the number of CIs that are willing to exchange threats and risks.

Although the U.S.A. Executive Order 13636 \cite{Obama2013} can be seen as a step forward on the Critical Infrastructure Protection area, the foreseen deadlines for implementation and the voluntary adoption of the frameworks can quickly transform this action in just one more attempt to achieve regulation among heterogeneous and private managed CIs. Apart from this opinion, those initiatives are needed and welcome mainly to allow information sharing initiatives among CIs.

Australian Federal Government also considers that Critical infrastructure are essential for contemporary social Human existence and define it as ``...those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact on the social or economic well-being of the nation, or affect Australia's ability to conduct national defence and ensure national security." \cite{Government:wf}

As presented in \cite{Government:wf}, the Australian Government as created a national strategy in order to enhance the security and resilience of the critical infrastructures in the country. Critical Infrastructures relevance to modern society can also be highlighted quoting Robert McClelland, former Attorney-General of Australia (from 2007 to 2011):

\begin{quote}

``We are a vibrant, prosperous nation that enjoys the many benefits of modern living. But along with these benefits, there are a range of risks that also must be managed.

These risks – from natural disasters, to equipment failure and crime – can damage or destroy critical infrastructure as well as disrupt the essential services that are provided by these assets, networks and supply chains.

Such an incident could significantly affect all Australians because of our reliance on critical infrastructure, which is of major importance to businesses, governments and communities.

A resilience based approach to critical infrastructure is vital so we can better adapt to change, reduce our exposure to risk and learn from incidents when they occur.

The responsibility for the continuity of critical infrastructure is shared by all governments and by owners and operators."

``... More resilient critical infrastructure will also help to achieve the continued provision of essential services, and support Australia’s national security, economic prosperity and social and community wellbeing. This Strategy encourages and enables critical infrastructure organisations, through a range of initiatives and activities, to better manage both foreseeable and unforeseen or unexpected risks to their critical infrastructure assets, supply chains and networks (the objectives of this Strategy)." \cite{Government:wf}.

\end{quote}

Australia has created an agency named Trusted Information Sharing Network (TISN) for Critical Infrastructure Resilience aiming to provide an environment ``where business and government can share vital information on security issues relevant to the protection of our critical infrastructure and the continuity of essential services in the face of all hazards" \cite{TISN2011}. This agency aims to bring together CI owners and operators from multiple sectors including also two Expert Advisory Groups able to provide advice on aspects of critical infrastructure requiring expert knowledge.

The European Commission is also committed to enhance security on CIs. The Directorate-General of the European Commission in charge of the policy area known as ``Home Affairs" define CIs as - ``Critical infrastructure is an essential asset for the maintenance of vital societal functions. Damage to the critical infrastructure, its destruction or disruption by natural disasters, terrorism, criminal activity or malicious behaviour, may have negative consequences for the security of the EU and the well-being of its citizens" \cite{EUHomeAffairsWeb}. This Directorate-general also states that ``Reducing the vulnerabilities of critical infrastructure is one of the major objectives of the EU. An adequate level of protection must be ensured and the detrimental effects of disruptions on the society and citizens must be limited as far as possible." \cite{EUHomeAffairsWeb}.

The European Council that took place on 17-18 June 2004, asked the European Commission to prepare a strategy in order to improve the protection of critical infrastructure. In response, on 20 October 2004, the Commission published the communication "Critical infrastructure protection in the fight against terrorism". \cite{Commission:2004tz}

In the scope of the European Program for the Protection of Critical Infrastructure (EPCIP) 11 sectors were identified as CIs by the publication of a green paper \cite{Commission:2005vm} and reenforced with the communication from the commission in 2006 \cite{Commission:2006p14915}.

An important element of the EPCIP program is the 2008 Directive on European Critical Infrastructures \cite{Commission:2008uh} as it establishes a procedure for identifying and designating European Critical Infrastructures (ECI) and a common approach to improve the protection of such infrastructures. Currently, the Directive's scope is limited to the energy and transport sectors. In EPCIP the initial responsibility for the protection of CI is a national responsibility but a distinction is made between national and European CI (an infrastructure than is considered critical for more than one Member State of the Union). The dependency that exist among Critical Infrastructures is also under attention from the European Commission. Knowing the important role that the exchange of information about threats and vulnerabilities as on protecting CIs, an information network as been created for that role - Critical Infrastructure Warning Information Network (CIWIN) \cite{Commission:2008uh}. CIWIN has two main objectives. The establishment of an electronic forum for the purpose of exchanging information on the protection of CI and the development of a rapid alert system for the delivery of early warnings for member states to inform the Commission in regarding risks and threats.

Beyond the measures adopted by the European Union, Portugal also demonstrates a strong interest in the field of ​​critical infrastructures protection. One example of this interests is the development of the Innovation Network on Security and Critical Infrastructure Protection - NET-SCIP, with the main goal to develop comparative advantages for Portugal in new security technologies and services for the protection of critical infrastructures \cite{NET-SCIP2011}. Sharing strong similarities with other International initiatives, NET-SCIP ``is currently gathering the scientific community, the private sector and the main government agencies with the goal of developing comparative advantages for Portugal in new security technologies and services for the protection of critical infrastructures." \cite{NET-SCIP2011}.

From the above, it is clear that CIs are one of the most ICT dependent areas of contemporary societies where we should ensure the highest security levels.

It is also important to mention that, along time, Critical Infrastructures have grown not only in importance but also in complexity. One key aspect of that growth is that CIs are now become dependent on each others outputs (interdependency). From the field of fault tolerant computing we know that a complex system that depends on multiple interacting components is exposed to a high risk of failure mainly due to the risk of failure of each individual and to some other side effects that a single failure can cause.

The efforts made in the Critical Infrastructure Protection area are increasing, especially after ``Stuxnet". ``Stuxnet" is an computer worm and it was the first malware reported in 2010, specifically targeting control systems as the ones used in many existing critical infrastructures.

As most viruses and worms,``Stuxnet" exploited some vulnerabilities that were unknown at the time of the attack in order to replicate and spread itself among the exploitable equipments but the main goal of this worm is to attack is to make changes in industrial control systems by reprogramming the programmable logic controllers (PLCs) to make them work as the the attacker intended hiding those changes from the system operator" \cite{Falliere:2011vl}.

``Stuxnet" is harmless when he is spreading and when he is in the latent state at the infected equipments. At the time of the attack ``Stuxnet" was not detectable by any anti-virus software since we can hardly see abnormal behaviours on the infected equipment.The actual impact of the worm started when he targeted the control system and started to make changes in the PLCs. The media and some articles (\cite{doi:10.1080/00396338.2011.555586}, \cite{6060208}, \cite{Sheng:2011jc}) reported attacks occurred in the Islamic Republic of Iran where it is said that more than sixty thousand computers computers were infected. It is also mentioned that this work damaged centrifuges used to enrich uranium at Iran’s nuclear plant. It is mentioned that the attack has impact of the centrifuges causing them to switch back and forth between high and low speeds at intervals for which the machines were not designed \cite{Falliere:2011vl}. None of this events were confirmed by Iranian government that only admitted the infection but believing in the media, most experts say that ``Stuxnet" has managed to achieve a successful attack.

Infections like ``Stuxnet" are starting to grown leading to the need of different approaches to protect CIs. One of the approaches is to evaluate trust and reputation on the CI services and also on dependent services in order take measures and/or to alert the CI operator when the trust on the information received from the services decreases.

The scope of the work of this thesis is motivated by the identification of the main issues concerning information exchanged among Critical Infrastructures and its applicability to improve interdependency models able to help protecting the those Infrastructures.