Security Economics and Critical National Infrastructure

  • Conference paper

Abstract

There has been considerable effort and expenditure since 9/11 on the protection of ‘Critical National Infrastructure’ against online attack. This is commonly interpreted to mean preventing online sabotage against utilities such as electricity, oil and gas, water, and sewage - including pipelines, refineries, generators, storage depots and transport facilities such as tankers and terminals. A consensus is emerging that the protection of such assets is more a matter of business models and regulation - in short, of security economics - than of technology. We describe the problems, and the state of play, in this paper. Industrial control systems operate in a different world from systems previously studied by security economists; we find the same issues (lock-in, externalities, asymmetric information and so on) but in different forms. Lock-in is physical, rather than based on network effects, while the most serious externalities result from correlated failure, whether from cascade failures, common-mode failures or simultaneous attacks. There is also an interesting natural experiment happening, in that the USA is regulating cyber security in the electric power industry, but not in oil and gas, while the UK is not regulating at all but rather encouraging industry’s own efforts. Some European governments are intervening, while others are leaving cybersecurity entirely to plant owners to worry about. We already note some perverse effects of the U.S. regulation regime as companies game the system, to the detriment of overall dependability.

Corresponding author

Correspondence to Ross Anderson.

Copyright information

© 2010 Springer Science+Business Media, LLC

About this paper

Cite this paper

Anderson, R., Fuloria, S. (2010). Security Economics and Critical National Infrastructure. In: Moore, T., Pym, D., Ioannidis, C. (eds) Economics of Information Security and Privacy. Springer, Boston, MA. https://doi.org/10.1007/978-1-4419-6967-5_4

  • DOI: https://doi.org/10.1007/978-1-4419-6967-5_4

  • Publisher Name: Springer, Boston, MA

  • Print ISBN: 978-1-4419-6966-8

  • Online ISBN: 978-1-4419-6967-5

  • eBook Packages: Computer Science (R0)
