
Alessandro Fasani, Intern at the Landau Network-Centro Volta

In the document Where cyber-security is heading (pages 67-70)

Too many people mean different things when they talk about cyber-security, ranging from attacks on single Supervisory Control And Data Acquisition (SCADA) systems to cyber-attacks on sovereign states. These cyber-attacks cannot be treated with the same tools, nor by the same organisations. In the case of cyber-attacks on industrial systems, and against critical infrastructures, it is mostly a technical problem to be addressed by engineers, while in the case of cyber-attacks on sovereign states it must be regarded as an act of warfare that should be handled by the intelligence services.

Among the many different data sources we may refer to is the Industrial Control Systems Cyber Emergency Response Team’s (ICS-CERT) Incident response summary report 2009-2011 covering sectors spanning energy, water, dams, nuclear, chemical, government and critical infrastructure. The nine reported incidents in 2009 increased to 41 in 2010 and last year rose to 198. These incidents highlight the activity of sophisticated threat actors and their ability to gain access to system networks, avoid detection and use advanced techniques to maintain a presence. There is no ‘silver bullet’ solution on the horizon.

For the second category, cyber-attacks on sovereign states, a group of nations publicly developed and published their national cyber-security strategies (NCSS), including Australia, Canada, the US, France and Germany. The first and most important problem is the lack of a common understanding of the term cyber-security. The absence of a mutually understood definition can cause confusion when discussing international approaches to global cyber-threats. The term ‘attack’ in the cyber-domain and the concept of ‘cyber-deterrence’ are also problematic.

SECURITY & DEFENCE AGENDA

Maurizio Martellini is Secretary General of the Landau Network-Centro Volta (LNCV), Professor of Theoretical Physics at the University of Insubria, Como, Italy, and member of the Pugwash General Conferences. He has published in the fields of fundamental physics in specialised journals and authored about one hundred articles on national, international and geopolitical affairs.

He is a member of the Scientific Council of Limes and The Italian Review of Geopolitics. As Secretary General of LNCV, Martellini organises international conferences, schools and workshops, and edits publications. His fields of research and analysis are: methods in theoretical and nuclear physics; global issues concerning energy efficiency; military conversion (dual-use technologies); management and disposal of radioactive waste; scientific and technological aspects concerning international security; chemical, biological, radiological and nuclear (CBRN) disarmament; arms control and non-proliferation issues;

The military have started to use the term ‘cyber-war’, but it has nothing to do with conventional war or with the Cold War’s nuclear menace, known as Mutual Assured Destruction (MAD). This is because the initiators of a cyber-attack remain largely unknown, operating under the umbrella of a sovereign state or supported by a rogue state. On August 10 this year The Washington Post reported: “The Pentagon has proposed that military cyber-specialists be given permission to take action outside its computer networks to defend critical US computer systems to prevent the potential for a cyber-attack to damage power stations, water-treatment plants and other critical systems — a move that officials say would set a significant precedent.” It is clear that cyber-war is now an instrument of the sovereign state.

There are too many interests riding on this new subject, but very little concrete progress.

Every year the number of cyber-incidents grows. Security strategies are confused and different industries providing cyber-technologies push to sell their products without a global vision of the problem. Over the years, the rise of our interconnected, interdependent society combined with terrorist attacks and natural disasters has posed new challenges to the critical infrastructure protection community. It is time to move from the concept of ‘fortress’ to the concept of ‘resilience’.

An acceptable definition of the Fortress is “an approach in which every acceptable precaution is taken to disaster-proof a system or service”. And an acceptable definition of Resilience is “the ability of a system or service to resist the effects of a disruptive event, or to recover from the effects of a disruptive event to a normal or near-normal state”, according to ENISA. The requirement for resilience is based on the premise that protective, preventive, and deterrent safeguards will not always be effective (i.e. successful in keeping out a threat) and therefore will require response, recovery, and restorative action.

The classification of all possible threats and scenarios has been covered in different projects, but these have always been overtaken by the reality (Stuxnet and Fukushima are just the two most popular examples). To classify all possible cyber and physical threats is an endless job that has historically shown its limits and works only for a short time.

Many of the failures in critical systems are due to failure of the assumptions in the command-and-control paradigm. The command-and-control paradigm normally used is supported by four flawed assumptions:

i) a focus on average conditions and particular time and space scales;

ii) a belief that problems arising from different causes in these systems do not interact;

iii) an expectation that change will be incremental and linear;

iv) an assumption that keeping the system in some particular state will maximise the

An alternative approach based on resilience assumes instead that critical systems behave as complex systems able to adapt to different circumstances. The resilience of a system can be enhanced through the appropriate combination of security measures to address intentional and accidental incidents, business continuity practices to deal with disruptions and ensure the continuation of essential services, and emergency management planning to ensure adequate response procedures are in place to deal with unforeseen disruptions and natural disasters.

Moving from the fortress to the resilience approach requires changes in all aspects of the systems, both technical and organisational. Identifying and improving all aspects of the system’s operation for a large complex infrastructure is a challenging task because a “large complex infrastructure” is in fact a concatenation of many different sub-systems tied together by a variety of physical and procedural connections. This will become more and more challenging with the increasing penetration of systems-of-systems. While specific problems will require specific expertise, the common characteristic of all these large, complex problems is that they require a multidisciplinary approach.

At present the European Commission, through the European Network and Information Security Agency (ENISA), is very active in establishing scientific foundations for the concept of resilience applied to Critical Information Infrastructures (CII), and also possible metrics.

Last but not least, there are conceptual similarities between the international community’s efforts to secure dual-use intangibles (like expertise and sensitive knowledge) and cyber-security. Consequently, it could be interesting to explore the adoption of international codes of conduct developed for the cyber-domain, for instance, in sensitive CBRN areas.
