Security Economics and Critical National Infrastructure

  • Ross Anderson
  • Shailendra Fuloria
Conference paper


There has been considerable effort and expenditure since 9/11 on the protection of ‘Critical National Infrastructure’ against online attack. This is commonly interpreted to mean preventing online sabotage against utilities such as electricity,oil and gas, water, and sewage - including pipelines, refineries, generators, storage depots and transport facilities such as tankers and terminals. A consensus is emerging that the protection of such assets is more a matter of business models and regulation - in short, of security economics - than of technology. We describe the problems, and the state of play, in this paper. Industrial control systems operate in a different world from systems previously studied by security economists; we find the same issues (lock-in, externalities, asymmetric information and so on) but in different forms. Lock-in is physical, rather than based on network effects, while the most serious externalities result from correlated failure, whether from cascade failures, common-mode failures or simultaneous attacks. There is also an interesting natural experiment happening, in that the USA is regulating cyber security in the electric power industry, but not in oil and gas, while the UK is not regulating at all but rather encouraging industry’s own efforts. Some European governments are intervening, while others are leaving cybersecurity entirely to plant owners to worry about. We already note some perverse effects of the U.S. regulation regime as companies game the system, to the detriment of overall dependability.


Homeland Security Security Economic Industrial Control System Information Warfare Idaho National Laboratory 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    American Petroleum Institute: Security vulnerability assessment methodology for the petroleum and petrochemical industries, second edition (2004). http://www.npradc. org/docs/publications/newsletters/SVA_2nd_Edition.pdfGoogle Scholar
  2. 2.
    Anderson, R.: Security economics resource page (2010). Scholar
  3. 3.
    Anderson, R.: Security Engineering – A Guide to Building Dependable Distributed Systems. Wiley (2008)Google Scholar
  4. 4.
    Anderson, R.: Security Engineering – A Guide to Building Dependable Distributed Systems, chapter 26. Wiley (2008)Google Scholar
  5. 5.
    Anderson, R.:Why information security is hard – an economic perspective. In: Proceedings of the 17th Annual Computer Security Applications Conference (ACSAC), pp. 358–365. (2001)Google Scholar
  6. 6.
    Anderson, R., Böhme, R., Clayton, R., Moore, T.: Security economics and European policy. In: M.E. Johnson (ed.) Managing Information Risk and the Economics of Security, pp. 55–80. Springer, New York (2008)Google Scholar
  7. 7.
    Byres, E.J.: Network secures process control. Tech Magazine, Instrumentation Systems and Automation Society (1998)Google Scholar
  8. 8.
    Byres, E.J., Lowe, J.: The myths and facts behind cyber security risks for industrial Ccntrol systems. BCIT (2003)Google Scholar
  9. 9.
    CBC Digital Archives: The great northeastern blackout of 1965. http://archives. Scholar
  10. 10.
    Denning, D.: Information Warfare and Security. Addison-Wesley (1999)Google Scholar
  11. 11.
    Department of Homeland Security: Roadmap to secure control systems in the energy sector. Department of Energy (2008). Scholar
  12. 12.
    Department of Homeland Security: Recommended practice for patch management of control systems (2008). PatchManagementRecommendedPractice_Final.pdfGoogle Scholar
  13. 13.
    Fink, R., Spencer, D., Wells, R.: Lessons learned from cyber security assessments of SCADA and energy management systems. US Department of Energy (2006)Google Scholar
  14. 14.
    Gutmann, P.: Auckland’s power outage, or Auckland – your Y2K test site (1998). www.cs. Scholar
  15. 15.
    Hoge, W.: Britain convicts 6 of plot to black out London. New York Times, 3 July (1997)Google Scholar
  16. 16.
    Lookabaugh, D., Sicker, T.: Security and lock-in. In: L.J. Camp and S. Lewis (eds.) Economics of Information Security, pp. 225–246. Kluwer Academic Publishers (2004)Google Scholar
  17. 17.
    Melton, R., Fletcher, T., Early, M.: System protection profile – industrial control systems. NIST (2004). SPP-ICSv1.0.pdfGoogle Scholar
  18. 18.
    Meserve, J.: Sources – staged cyber attack reveals vulnerability in power grid. CNN, 26 Sep (2007). htmlGoogle Scholar
  19. 19.
    Paller, A.: CIA confirms cyber attack caused Multi-city power outage. SANS Newsbites 10(5) (2008)Google Scholar
  20. 20.
    PJM Media: Black Start Service Working Group – MRC Update (2009). Scholar
  21. 21.
    Drimer, S., Murdoch, S.J., Anderson, R.: Thinking inside the box: system-level failures of tamper proofing. In: IEEE Symposium on Security and Privacy, pp. 281– IEEE Computer Society (2008)Google Scholar
  22. 22.
    Safire, W.: The farewell dossier. New York Times, 2 February (2004)Google Scholar
  23. 23.
    Weiss, J.: Electric Power 2008 – is NERC CIP Compliance a Game? Control Global Community (2008)Google Scholar

Copyright information

© Springer Science+Business Media, LLC 2010

Authors and Affiliations

  1. 1.Computer LaboratoryCambridge University  

Personalised recommendations