Security of Critical Information Infrastructures

  • Tobias Dehling
  • Sebastian Lins
  • Ali Sunyaev
Chapter

Abstract

The rapid evolution of information technologies in the past decades gave information systems an increasingly central role in society. Some of these information systems are now so critical that their disruption or unintended consequences can have detrimental effects on vital societal functions. This chapter clarifies the concept of critical information infrastructures. After a brief introduction to salient characteristics and main functions of critical information infrastructures, the chapter discusses threats and risks critical information infrastructures are confronted with and presents approaches to master these challenges. Recent attacks and disruptions of critical information infrastructures, such as Cambridge Analytica, WannaCry, the Mirai Botnet, and Microsoft Tay, are presented for illustrative purposes. Critical information infrastructures often linger unnoticed and their vital role in society remains unheeded. This chapter provides the foundations required to understand and protect critical information infrastructures so that they can be appropriately managed before adverse consequences manifest.

References

Recommended Reading

  1. Adelmeyer, M., & Teuteberg, F. (2018). Cloud Computing Adoption in Critical Infrastructures – Status Quo and Elements of a Research Agenda. In MKWI 2018 Proceedings (pp. 1345–1356). Lüneburg, Germany.
  2. Dehling, T., & Sunyaev, A. (2014). Secure Provision of Patient-Centered Health Information Technology Services in Public Networks—Leveraging Security and Privacy Features Provided by the German Nationwide Health Information Technology Infrastructure. Electronic Markets, 24(2), 89–99. https://doi.org/10.1007/s12525-013-0150-6
  3. Lins, S., Schneider, S., & Sunyaev, A. (2018). Trust is Good, Control is Better: Creating Secure Clouds by Continuous Auditing. IEEE Transactions on Cloud Computing, 6(3), 890–903. https://doi.org/10.1109/TCC.2016.2522411
  4. Rinaldi, S. M., Peerenboom, J. P., & Kelly, T. K. (2001). Identifying, Understanding, and Analyzing Critical Infrastructure Interdependencies. IEEE Control Systems Magazine, 21(6), 11–25. https://doi.org/10.1109/37.969131

Copyright information

© Springer Fachmedien Wiesbaden GmbH, ein Teil von Springer Nature 2019

Authors and Affiliations

  1. Institute of Applied Informatics and Formal Description Methods, Department of Economics and Management, Karlsruhe Institute of Technology, Karlsruhe, Germany
  2. Karlsruher Institut für Technologie, Karlsruhe, Germany
