Abstract
The main aim of this chapter is to identify and explore key issues relating to cyber-attacks on critical national infrastructure. The chapter commences by clarifying the term critical national infrastructure. It then proceeds to highlight the rise in international incidents of cyber-attacks on critical national infrastructure. Vignette case studies, drawn from countries such as Australia, USA, Ukraine and the UK, are integrated into the analysis for illustrative purposes. The chapter emphasises the need for more attention to be placed on the vulnerabilities of critical national infrastructure in the light of trends such as the convergence of Information Technology and Operational Technology systems and the increasing use of Internet of Things (IoT) devices as a means of bringing systems online. Further, the chapter draws attention to the relatively low entry cost of engaging in cyber-attacks using malware, in contrast to the relatively high cost and logistical complexity of mounting physical attacks on well-protected critical national infrastructure sites. One of the main conclusions drawn from the analysis is the extent to which addressing vulnerabilities in critical national infrastructure cyber-systems is likely to involve a wide range of actors, such as State-level emergency planners, manufacturers of IoT devices, and white hat hackers.
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this chapter
Cite this chapter
Rees, J., Rees, C.J. (2023). Cyber-Security and the Changing Landscape of Critical National Infrastructure: State and Non-state Cyber-Attacks on Organisations, Systems and Services. In: Montasari, R. (eds) Applications for Artificial Intelligence and Digital Forensics in National Security. Advanced Sciences and Technologies for Security Applications. Springer, Cham. https://doi.org/10.1007/978-3-031-40118-3_5
DOI: https://doi.org/10.1007/978-3-031-40118-3_5
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-40117-6
Online ISBN: 978-3-031-40118-3
eBook Packages: Computer Science (R0)