Skip to main content

Security Economics and Critical National Infrastructure

  • Conference paper
  • First Online:
Economics of Information Security and Privacy

Abstract

There has been considerable effort and expenditure since 9/11 on the protection of ‘Critical National Infrastructure’ against online attack. This is commonly interpreted to mean preventing online sabotage against utilities such as electricity,oil and gas, water, and sewage - including pipelines, refineries, generators, storage depots and transport facilities such as tankers and terminals. A consensus is emerging that the protection of such assets is more a matter of business models and regulation - in short, of security economics - than of technology. We describe the problems, and the state of play, in this paper. Industrial control systems operate in a different world from systems previously studied by security economists; we find the same issues (lock-in, externalities, asymmetric information and so on) but in different forms. Lock-in is physical, rather than based on network effects, while the most serious externalities result from correlated failure, whether from cascade failures, common-mode failures or simultaneous attacks. There is also an interesting natural experiment happening, in that the USA is regulating cyber security in the electric power industry, but not in oil and gas, while the UK is not regulating at all but rather encouraging industry’s own efforts. Some European governments are intervening, while others are leaving cybersecurity entirely to plant owners to worry about. We already note some perverse effects of the U.S. regulation regime as companies game the system, to the detriment of overall dependability.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 169.00
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 219.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD 219.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Similar content being viewed by others

References

  1. American Petroleum Institute: Security vulnerability assessment methodology for the petroleum and petrochemical industries, second edition (2004). http://www.npradc. org/docs/publications/newsletters/SVA_2nd_Edition.pdf

    Google Scholar 

  2. Anderson, R.: Security economics resource page (2010). http://www.cl.cam.ac.uk/~rja14/econsec.html

    Google Scholar 

  3. Anderson, R.: Security Engineering – A Guide to Building Dependable Distributed Systems. Wiley (2008)

    Google Scholar 

  4. Anderson, R.: Security Engineering – A Guide to Building Dependable Distributed Systems, chapter 26. Wiley (2008)

    Google Scholar 

  5. Anderson, R.:Why information security is hard – an economic perspective. In: Proceedings of the 17th Annual Computer Security Applications Conference (ACSAC), pp. 358–365. (2001)

    Google Scholar 

  6. Anderson, R., Böhme, R., Clayton, R., Moore, T.: Security economics and European policy. In: M.E. Johnson (ed.) Managing Information Risk and the Economics of Security, pp. 55–80. Springer, New York (2008)

    Google Scholar 

  7. Byres, E.J.: Network secures process control. Tech Magazine, Instrumentation Systems and Automation Society (1998)

    Google Scholar 

  8. Byres, E.J., Lowe, J.: The myths and facts behind cyber security risks for industrial Ccntrol systems. BCIT (2003)

    Google Scholar 

  9. CBC Digital Archives: The great northeastern blackout of 1965. http://archives. cbc.ca/economy_business/energy/topics/874/

    Google Scholar 

  10. Denning, D.: Information Warfare and Security. Addison-Wesley (1999)

    Google Scholar 

  11. Department of Homeland Security: Roadmap to secure control systems in the energy sector. Department of Energy (2008). http://www.controlsystemsroadmap.net/

    Google Scholar 

  12. Department of Homeland Security: Recommended practice for patch management of control systems (2008). http://csrp.inl.gov/Documents/ PatchManagementRecommendedPractice_Final.pdf

    Google Scholar 

  13. Fink, R., Spencer, D., Wells, R.: Lessons learned from cyber security assessments of SCADA and energy management systems. US Department of Energy (2006)

    Google Scholar 

  14. Gutmann, P.: Auckland’s power outage, or Auckland – your Y2K test site (1998). www.cs. auckland.ac.nz/~pgut001/misc/mercury.txt

    Google Scholar 

  15. Hoge, W.: Britain convicts 6 of plot to black out London. New York Times, 3 July (1997)

    Google Scholar 

  16. Lookabaugh, D., Sicker, T.: Security and lock-in. In: L.J. Camp and S. Lewis (eds.) Economics of Information Security, pp. 225–246. Kluwer Academic Publishers (2004)

    Google Scholar 

  17. Melton, R., Fletcher, T., Early, M.: System protection profile – industrial control systems. NIST (2004). www.isd.mel.nist.gov/projects/processcontrol/ SPP-ICSv1.0.pdf

    Google Scholar 

  18. Meserve, J.: Sources – staged cyber attack reveals vulnerability in power grid. CNN, 26 Sep (2007). http://edition.cnn.com/2007/US/09/26/power.at.risk/index. html

    Google Scholar 

  19. Paller, A.: CIA confirms cyber attack caused Multi-city power outage. SANS Newsbites 10(5) (2008)

    Google Scholar 

  20. PJM Media: Black Start Service Working Group – MRC Update (2009). www.pjm.com/Media/committees-groups/working

    Google Scholar 

  21. Drimer, S., Murdoch, S.J., Anderson, R.: Thinking inside the box: system-level failures of tamper proofing. In: IEEE Symposium on Security and Privacy, pp. 281– IEEE Computer Society (2008)

    Google Scholar 

  22. Safire, W.: The farewell dossier. New York Times, 2 February (2004)

    Google Scholar 

  23. Weiss, J.: Electric Power 2008 – is NERC CIP Compliance a Game? Control Global Community (2008)

    Google Scholar 

Download references

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Ross Anderson .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2010 Springer Science+Business Media, LLC

About this paper

Cite this paper

Anderson, R., Fuloria, S. (2010). Security Economics and Critical National Infrastructure. In: Moore, T., Pym, D., Ioannidis, C. (eds) Economics of Information Security and Privacy. Springer, Boston, MA. https://doi.org/10.1007/978-1-4419-6967-5_4

Download citation

  • DOI: https://doi.org/10.1007/978-1-4419-6967-5_4

  • Published:

  • Publisher Name: Springer, Boston, MA

  • Print ISBN: 978-1-4419-6966-8

  • Online ISBN: 978-1-4419-6967-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics