The 16th International Scientific Conference eLearning and Software for Education Bucharest, April 23-24, 2020 10.12753/2066-026X-20-030
A MULTIDIMENSIONAL APPROACH TO CYBERSECURITY FOR CRITICAL INFRASTRUCTURES
Petrișor PĂTRAȘCU
“Carol I” National Defence University, Panduri str. No. 68-72, 5th distr., Bucharest, Romania [email protected]
Abstract: In today's society, both people's everyday lives and organizations are surrounded by an increasingly digital world. The essential services of a society are provided through critical infrastructures, whose activity will in turn be increasingly dependent on digital technologies. ICT systems are designed and developed around the activity profile of the critical infrastructure sectors, such as the industrial, military, medical or financial sector. Therefore, cyber security for critical infrastructures has become, as a multidimensional system, a strategic form of protection for a number of states and international organizations. Many states of the world have identified and designated their national critical infrastructures on the basis of certain criteria. Once these have been identified, increased security measures have been taken, including in the area of cyber security. Cyber-attacks that target critical infrastructures also need to be considered. Planned targets are analysed in the smallest detail in order to find the vulnerabilities to be attacked. Usually, cyber-attackers target critical infrastructures in order to obtain the most valuable information and to affect the functionality of the services. In recent years, these types of attacks have been characterized by complexity, persistence and advanced techniques, supported by key actors or state-sponsored actors. Cyber attackers are permanently looking to exploit any vulnerability, whether technical, human or procedural. Considering these aspects, we can emphasize that establishing strong security has long since gone beyond assuring technical security alone. Thus, the multidimensional character is highlighted in several interfering areas, based on a holistic approach to cyber security for critical infrastructures.
Keywords: education; cyber security; critical infrastructures.
I. CYBER SECURITY - A PRIORITY FOR CRITICAL INFRASTRUCTURE PROTECTION
From the very beginning of this article, we consider it necessary to emphasize the interdependence between critical infrastructures and cyber security. Why should we write about this interdependence? The simplified answer is that most critical infrastructure sectors depend on the services provided by systems and networks, and cyber security has therefore become indispensable to any of these sectors and a priority above that of a common infrastructure. On this basis, an infrastructure can be critical at a certain level, and this may refer to a public or private entity or group of entities at the local, national, regional or international level. In this article, the term critical infrastructure is used as regulated at the national level, on the grounds that these critical infrastructures have been identified and designated by several states of the world by applying criteria and thresholds, and are hence legally protected. Therefore, a national critical infrastructure provides services that are vital to national security, and when factors affect its functionality and normal operation, the respective infrastructure can generate major damage, with a great impact on the population.
There are many critical infrastructure sectors, such as energy, transportation, finance and banking, telecommunications, public health, water, etc. Therefore, at first sight, we can observe that the information and communication technologies (ICT) that ensure the digital functionality of these sectors differ from one sector to another. Depending on the specificity and particularities of each field of activity, dedicated computer systems and specific applications for certain activities have been designed, tested, developed and operated, connected through different types of networks.
The benefits have led to an increased dependence of people on these digital systems, but also to an increase in the interest of threat actors with malicious intent. Cyber-attacks on critical infrastructures aim to affect their functionality and generate negative effects, or to extract particularly valuable information for as long as possible. Therefore, the need for and importance of ensuring cyber security for critical infrastructure protection is highlighted as a real priority.
II. A MULTIDIMENSIONAL APPROACH TO CYBER SECURITY
Cyber security for critical infrastructure protection is generally carried out within a complex approach, which involves a sustained effort of human, financial and technological resources. The vital services rendered to society by critical infrastructures attract the attention of several malicious actors, who take full advantage of cyber security vulnerabilities. Currently, in the critical infrastructure context, the cyberspace vulnerabilities of the respective infrastructure are taken into account, cyber-attack scenarios are envisioned, and the risk assessment is elaborated on the basis of a risk assessment methodology for assessing and mitigating the identified risks.
Next, the holistic framework of the main security solutions is highlighted in the multidimensional approach to cyber security for critical infrastructure protection (fig. 1).
Fig. 1 The holistic framework of the cyber security solutions for critical infrastructure
The multidimensional approach to cyber security proposes a model based on measures in interfering areas which, together with logical (technical) security, guarantee high-quality security services in the field of critical infrastructure protection. The security solutions converge to a common denominator, namely cyber security for critical infrastructure protection. The five steps of the risk management process (corporate risk management strategy; risk assessment; risk acceptance; risk treatment; monitor and review) aim to obtain an efficient balance between realizing opportunities and minimizing vulnerabilities and losses. Also in this context, risk assessment is an integral part of the security plan of the critical infrastructure operator and aims at preventing, controlling and reducing the risk, at intervention or response in case of a security risk, as well as at rehabilitation and reconstruction after the risk has materialised.
Within the framework for the protection of critical infrastructures, the security objectives are met through the decision-making process. Therefore, the quality of the decisions significantly influences the effectiveness of cyber security, and the correlation between cyberspace and critical infrastructures aims at the applicability of models of decision making under risk and uncertainty.
The legal framework, or procedural security, consists of the national cyber security strategy and cyber security legislation, plus other regulations in the field of critical infrastructure protection, national security or the security of computer systems and networks (e.g. the transposition of the NIS directive into national law by EU Member States).
The cyber threat to national critical infrastructures is extremely high. By sabotaging a critical infrastructure through cyber-attacks, attackers achieve their ultimate goal. This end state can be seen as a blackout of the electricity supply, the destruction of electronic health records in hospitals, the interruption of the potable water supply, the blocking of the transport system, the disruption of telecommunication systems, and the examples can continue. Considering the targets, the advanced methods, techniques and stages of the attack, as well as the support of some malicious actors, including state-sponsored hacking groups responsible for cyber-attacks, vast information resources and sophisticated state-of-the-art technologies, these attacks are identified as advanced persistent threats (APT).
APTs are built in stages in a tree structure, where each stage is useful for the next one. The attacks appear legitimate until the final phase, when they launch the critical hit on the intended target, causing massive losses. APTs are designed and launched by professional attackers who aim for precise targets that were prepared and analysed in advance in order to produce a strong impact on national security. Thus, critical military infrastructures are targeted by APTs with the purpose of extracting a large amount of information of great importance to national security. Given the increased security measures, reaching the final goal represents a strong challenge and a real success for the attackers. The more valuable the information obtained, the greater the destructive effects of the mission.
Last but not least, another aspect that can be brought to attention is the critical infrastructures of the financial sector. Through APT attacks, malicious actors target internet banking services and digital applications in the banking and finance sector for as long as possible. Thus, banking transactions, payment systems, treasury, insurance, duties and taxes, financial exchange systems and the functionality of the national and commercial banks can be affected, the exchange rate can be destabilized and the population's incomes can be blocked. The banking and finance sector is also targeted by attackers seeking to extract large sums of money, through theft or ransom, which in turn can be sources of funding for campaigns based on APT attacks.
The developments in financial technologies and blockchain technologies are also interesting to watch. The question which arises is whether these emerging technologies will be implemented within critical infrastructures. Financial technologies (Fintech) have developed fast, with a variety of definitions of the concept coming from both academic and specialized publications. Fintech uses digital technologies, such as the Internet, mobile computing and data analysis, to enable, innovate or disrupt financial services. That is why emerging technologies play a particularly important role in reforming the banking and finance sector. Moreover, blockchain technologies (BCTs) are already used in several sectors of activity. In agriculture, through BCT the costs are reduced and the trade in agricultural products becomes more efficient by improving the storage and transport process. In the healthcare industry, blockchain technology can ensure the storage and management of medical documents under high security conditions.
Innovation in blockchain technologies and applications has developed fast, being perceived as disruptive to many traditional actors in various industries. Thus, the unpredictable and boundless direction of BCT creates difficulties for authorities, public institutions and private companies in making strategic decisions, including developing and adopting a legislative framework in this regard.
If we turn our attention to all sectors of critical infrastructure, some critical infrastructures have industrial control systems (ICS), specific to operational technology (OT), which are managed through SCADA (Supervisory Control and Data Acquisition) systems. SCADA systems provide a graphical user interface for operators to easily observe the status of a system, to receive alerts or to enter system adjustments to manage the process under control. They have long life cycles and limited security engineering applied to them. In terms of security, SCADA systems are closed systems, located on a secure, isolated segment and isolated from the public; in reality, however, networks rarely appear in isolation, being interconnected. Interconnections between SCADA network segments and other network segments are protected by a set of controls against cyber security risks, but sometimes the security controls may be completely missing.
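As an added illustration of the missing-controls case described above (this code is not from the paper; the address plan, the documented allow-list and the flow records are all constructed assumptions), the following audit flags traffic that crosses the SCADA segment boundary without a documented control, from either the corporate side or a public address.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed address plan (assumed, not from the paper): the SCADA/OT segment.
# Every address outside it (corporate IT, management or Internet) is "non-OT".
OT_SEGMENT = ipaddress.ip_network("10.20.0.0/16")

# Documented boundary controls as (source network, destination network, destination port).
# Assumed: the only sanctioned crossing is the historian server polling PLCs over Modbus/TCP.
ALLOWED_CROSSINGS = [
    (ipaddress.ip_network("10.1.50.0/24"), ipaddress.ip_network("10.20.10.0/24"), 502),
]


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def parse_flows(text: str) -> List[Flow]:
    """Parse 'src,dst,dport' records; '#' starts a comment and blank lines are skipped."""
    flows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, dport = (field.strip() for field in line.split(","))
        flows.append(Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)))
    return flows


def crosses_ot_boundary(flow: Flow) -> bool:
    """True when exactly one endpoint lies inside the OT segment."""
    return (flow.src in OT_SEGMENT) != (flow.dst in OT_SEGMENT)


def is_allowed(flow: Flow) -> bool:
    """True when a documented control covers this crossing, direction and port included."""
    return any(flow.src in src_net and flow.dst in dst_net and flow.dport == port
               for src_net, dst_net, port in ALLOWED_CROSSINGS)


def find_uncontrolled_crossings(text: str) -> List[Flow]:
    """Boundary crossings with no matching control: the 'controls missing' situation."""
    return [f for f in parse_flows(text) if crosses_ot_boundary(f) and not is_allowed(f)]


# Constructed flow records for the demonstration (not real traffic).
SAMPLE_FLOWS = """
10.1.50.7,10.20.10.3,502      # historian -> PLC over Modbus/TCP: documented, allowed
10.1.77.9,10.20.10.3,502      # engineering workstation -> PLC: no control documented
10.1.77.9,10.20.20.5,3389     # RDP from IT into an OT host: no control documented
203.0.113.5,10.20.10.3,22     # public address reaching OT: the segment is not isolated
10.1.3.4,10.2.8.8,443         # IT -> IT, not a boundary crossing
10.20.10.3,10.20.10.4,502     # OT -> OT, not a boundary crossing
"""

if __name__ == "__main__":
    for f in find_uncontrolled_crossings(SAMPLE_FLOWS):
        print(f"uncontrolled crossing: {f.src} -> {f.dst}:{f.dport}")
```

Running the audit over real flow exports (for example from the boundary firewall) gives the operator a concrete list of interconnections that the security plan does not account for.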
ICT administrative technologies are another part of critical infrastructures, based on dedicated systems which, if they do not have solid security, become vulnerable and may contribute to impairing the usability of the respective infrastructure.
Cyber attackers continue to show a particular interest in defence critical infrastructures. Cyberspace provides opportunities for a broad range of attack techniques. The magnitude of the hostile actions carried out in cyberspace has turned it into an operational environment. In this case, the protection of critical infrastructures must be addressed from the perspective of both cyber security and cyber defence. ICT systems are made up of physical devices adapted to the operational environment, which are used by specialized military personnel and are designed to carry out assigned missions. As a rule, the armed forces of several states have started to develop defence information networks based on the levels of classified information.
III. EDUCATION
A particularly important role for cyber security of critical infrastructures is the promotion of the security culture through education. The approach of education should be seen from two directions. The first direction involves the education of those responsible for cyber security, and the second direction refers to the education of the users.
Following the outlined approach, from the perspective of the cyber security professionals responsible for critical infrastructure, the importance and usefulness of their transdisciplinary expertise are clearly highlighted. Thus, as shown in figure 2, the transdisciplinary expertise is based on three basic pillars, namely: cyber security, critical infrastructure protection and the activity profile of the critical infrastructure.
Fig. 2 The pillars of transdisciplinary expertise
With the evolution of cyberspace, the prerogatives of a Chief Information Officer (CIO) have been extended from IT security to cyber security. Therefore, CIOs should have knowledge of all regulations in the field, must focus on training courses providing general awareness of cyber security, must ensure that appropriate tools are used to mitigate cyber security risks, and have to undertake a detailed assessment of cyber security frameworks and standards.
CIOs must also constantly relate to decision makers and key function holders, such as representatives from the legal and financial fields or from the field of the security of classified information, and the security liaison officer (SLO) for the protection of critical infrastructure. Along the same lines, the SLO must have a higher level of knowledge and skills in cyber security compared to other users. The skills are acquired during the training period, through programmes and courses offered by universities in the two fields: cyber security and critical infrastructure protection. Subsequently, the training can be improved through various courses approved by the employer. The SLO must also cooperate whenever necessary with the cyber security officer. In the organizational structure of an entity for critical infrastructure protection, the two positions may also be merged into one, in which case the level of knowledge and skills should cover both areas of interest in accordance with the job requirements. Ideally, the activity profile of the critical infrastructure would be added to the two fields mentioned above.
Along the same lines, the SLO makes suggestions and recommendations on changes to the critical infrastructure architecture in order to strengthen the functional safety and operational security of that infrastructure, on the basis of an in-depth analysis or simulation of threat scenarios.
All studies to date have shown that a large part of cyber threats come as a result of vulnerabilities created by internal users. Therefore, promoting the culture of cyber security through education is and will remain a feasible solution for ensuring effective cyber security. Analysing this aspect, the solutions for reducing these vulnerabilities are affordable, and should be taken seriously and without superficiality. These solutions can be implemented through good practice guides, courses, eLearning platforms, awareness campaigns, etc.
Education and training are fundamental to the success of critical infrastructure security and to creating a functional resilience programme, involving state officials, owners of critical infrastructure, response personnel directly responsible for emergency situations and even the public, where appropriate. Education and training are strengthened through practice, which is beneficial in terms of time and educational resources. Thus, practical exercises may include a series of discussions and simulations of events that can affect critical infrastructure. According to the Certification of Cyber Security Skills of ICS/SCADA Professionals developed by ENISA, one of the relevant recommendations for the public and private sectors is the development of a simulation environment for both training and the assessment of practical skills.
The simulation exercises for an event involving one or more critical infrastructures can be classified into prevention-specific exercises, reaction-specific exercises, or a complex set of exercises which simulates both the prevention of and the response to crisis situations. Each of the three types of exercise has particular features. In any type of exercise, one of the scenarios can be built around a cyber-attack. Thus, simulation exercises related to cyber security can be part of one of the three types of exercise, or they can be built on specific case management scenarios.
Regarding critical infrastructure, the users of ICS or IT systems should have at their disposal a cyber security best practices guide for good cyber hygiene. This guide should contain a common set of practices, with useful information and lessons learned, in order to guide users as well as possible and to overcome certain barriers that exist between IT users and ICS users. Even if many systems are not connected to the Internet, cyber hygiene is extremely important and makes a significant contribution to eliminating vulnerabilities.
Cyber hygiene can be compared with personal hygiene: once integrated into an organization, it becomes a daily routine that includes regular checks in order to minimize risks. Regarding critical infrastructures, cyber hygiene refers to the practices that users must undertake in order to maintain system health and improve cyber security. Through proper cyber hygiene, technological systems can operate within normal parameters, and the integrity of devices and data is not compromised.
IV. CONCLUSION
People often make the mistake of thinking that the cyber security of critical infrastructures means the cyber security of industrial control systems. It is important to note that each sector owns critical infrastructure, and that the ICS-based sectors, such as the energy, transport and drinking water supply sectors, are only part of the national critical infrastructure. All other critical infrastructures depend on ICT systems applied in non-industrial or military sectors.
Also, in terms of critical industrial infrastructure, the knowledge area of ICS professionals is much narrower than that of IT professionals, requiring knowledge of industrial processes, engineering and IT.
This article highlights a multidimensional approach to cyber security for critical infrastructures. In order to achieve the highest possible security standards, it is necessary to consider, together with technical security, solutions such as risk management, decision optimization and, not least, the education of both users and cyber security professionals.
Reference Text and Citations
ENISA, Risk Management Process, https://www.enisa.europa.eu/topics/threat-risk-management/risk-management/current-risk/risk-management-inventory/rm-process, accessed 02.02.2020.
http://legislatie.just.ro/Public/DetaliiDocumentAfis/146253, accessed 03.02.2020.
L. Huang, Q. Zhu, Adaptive Strategic Cyber Defense for Advanced Persistent Threats in Critical Infrastructure Networks, ACM SIGMETRICS Performance Evaluation Review, 2019.
P. Pătrașcu, Cybernetic actions on critical infrastructures in the military field, Bulletin of "Carol I" National Defence University, 2019.
H. Gimpel, D. Rau, M. Röglinger, Understanding FinTech start-ups – a taxonomy of consumer-oriented service offerings, 2017, https://link.springer.com/article/10.1007/s12525-017-0275-0.
L. Ge, C. Brewster, J. Spek, A. Smeenk, J. Top, Blockchain for Agriculture and Food, Wageningen Economic Research, 2017.
S. Hopkins, E. Kalaimannan, Towards establishing a security engineered SCADA framework, Journal of Cyber Security Technology, 2019, https://www.researchgate.net/publication/331869908.
https://www.bitsight.com/blog/analyzing-cios-roles-responsibilities-cybersecurity, accessed 05.02.2020.
D. Roman, F. Repez, E.V. Popa, Infrastructura critică – Reglementări legislative și de planificare a protecției, Ed. CTEA, 2017, p. 110.
https://www.cisa.gov/sites/default/files/publications/Guide-Critical-Infrastructure-Security-Resilience-110819-508v2.pdf, accessed 05.02.2020.
https://www.enisa.europa.eu/news/enisa-news/enisa2019s-recommendations-for-certifying-ics-scada-professionals, accessed 05.02.2020.
https://www.enisa.europa.eu/publications/cyber-hygiene, accessed 05.02.2020.
Copyright of eLearning & Software for Education is the property of Carol I National Defence University and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.