Security of Critical Information Infrastructures
The rapid evolution of information technologies in the past decades gave information systems an increasingly central role in society. Some of these information systems are now so critical that their disruption or unintended consequences can have detrimental effects on vital societal functions. This chapter clarifies the concept of critical information infrastructures. After a brief introduction to salient characteristics and main functions of critical information infrastructures, the chapter discusses threats and risks critical information infrastructures are confronted with and presents approaches to master these challenges. Recent attacks and disruptions of critical information infrastructures, such as Cambridge Analytica, WannaCry, the Mirai Botnet, and Microsoft Tay, are presented for illustrative purposes. Critical information infrastructures often linger unnoticed and their vital role in society remains unheeded. This chapter provides the foundations required to understand and protect critical information infrastructures so that they can be appropriately managed before adverse consequences manifest.
Unable to display preview. Download preview PDF.
- Adelmeyer, M., & Teuteberg, F. (2018). Cloud Computing Adoption in Critical Infrastructures –Status Quo and Elements of a Research Agenda. In MKWI 2018 Proceedings (pp. 1345–1356). Lüneburg, Germany.Google Scholar
- Dehling, T., & Sunyaev, A. (2014). Secure Provision of Patient-Centered Health Information Technology Services in Public Networks—Leveraging Security and Privacy Features Provided by the German Nationwide Health Information Technology Infrastructure. Electronic Markets, 24(2), 89–99. https://doi.org/10.1007/s12525-013-0150-6.
- Lins, S., Schneider, S., & Sunyaev, A. (2018). Trust is Good, Control is Better: Creating Secure Clouds by Continuous Auditing. IEEE Transactions on Cloud Computing, 6(3), 890–903. https://doi.org/10.1109/TCC.2016.2522411.
- Rinaldi, S. M., Peerenboom, J. P., & Kelly, T. K. (2001). Identifying, Understanding, and Analyzing Critical Infrastructure Interdependencies. IEEE Control Systems Magazine, 21(6), 11–25. https://doi.org/10.1109/37.969131.
- Antonakakis, M., April, T., Bailey, M., Bernhard, M., Bursztein, E., Cochran, J., … Zhou, Y. (2017). Understanding the Mirai Botnet. In Proceedings of the USENIX Security Symposium (pp. 1092–1110). Vancouver, BC, Canada: USENIX.Google Scholar
- AT&T. (2010, March 9). AT&T Completes 100-Gigabit Ethernet Field Trial. Retrieved December 3, 2018, from https://web.archive.org/web/20100312093317/http://www.att.com/gen/press-room?pid=4800&cdvn=news&newsarticleid=30623
- Azencott, C.-A. (2018). Machine Learning and Genomics: Precision Medicine Versus Patient Privacy. Philosophical Transactions of the Royal Society of London A: Mathematical, Physical and Engineering Sciences, 376(2128). https://doi.org/10.1098/rsta.2017.0350
- BBC. (2017, May 15). Ransomware Cyber-Attack: Who Has Been Hardest Hit? Retrieved November 11, 2018, from https://web.archive.org/web/20170515161203/https://www.bbc.com/news/world-39919249
- Benlian, A., Kettinger, W. J., Sunyaev, A., & Winkler, T. J. (2018). The Transformative Value of Cloud Computing: A Decoupling, Platformization, and Recombination Theoretical Framework. Journal of Management Information Systems, 35(3), 1–24.Google Scholar
- Bhagat, S., Burke, M., Diuk, C., Filiz, I. O., & Edunov, S. (2016, February 4). Three and a Half Degrees of Separation. Retrieved January 24, 2019, from https://web.archive.org/web/20190101053349/https://research.fb.com/three-and-a-half-degrees-of-separation
- Bharadwaj, A., El Sawy, O., Pavlou, P., & Venkatraman, N. (2013). Digital Business Strategy: Toward a Next Generation of Insights. MIS Quarterly, 37(2), 471–482.Google Scholar
- Bundesamt für Sicherheit in der Informationstechnik. (2014). UP KRITIS: Public-Private Partnership for Critical Infrastructure Protection. Retrieved from https://www.kritis.bund.de/SharedDocs/Downloads/Kritis/EN/UP%20KRITIS.pdf?__blob=publicationFile
- Cadwalladr, C. (2018, March 17). ‘I Made Steve Bannon’s Psychological Warfare Tool’: Meet the Data War Whistleblower. Retrieved November 27, 2018, from https://web.archive.org/web/20180317181454/https://www.theguardian.com/news/2018/mar/17/data-war-whistleblower-christopher-wylie-faceook-nix-bannon-trump
- Cadwalladr, C., & Graham-Harrison, E. (2018, March 17). Revealed: 50 Million Facebook Profiles Harvested for Cambridge Analytica in Major Data Breach. Retrieved November 26, 2018, from https://web.archive.org/web/20180317131012/https://www.theguardian.com/news/2018/mar/17/cambridge-analytica-facebook-influence-us-election
- CERT-EU. (2017). WannaCry Ransomware Campaign Exploiting SMB Vulnerability (Security Advisory No. 2017–012). Retrieved from https://cert.europa.eu/static/SecurityAdvisories/2017/CERTEU-SA2017-012.pdf
- Council of the European Union. (2008). Council Directive 2008/114/EC on the Identification and Designation of European Critical Infrastructures and the Assessment of the Need to Improve Their Protection. Official Journal of the European Union, L 345(75). Retrieved from https://publications.europa.eu/en/publication-detail/-/publication/ba51b03f-66f4-4807-bf7d-c66244414b10/language-en
- Egan, M. J. (2007). Anticipating Future Vulnerability: Defining Characteristics of Increasingly Critical Infrastructure-like Systems. Journal of Contingencies and Crisis Management, 15(1), 4–17. https://doi.org/10.1111/j.1468-5973.2007.00500.x
- Fekete, A. (2011). Common Criteria for the Assessment of Critical Infrastructures. International Journal of Disaster Risk Science, 2(1), 15–24. https://doi.org/10.1007/s13753-011-0002-y
- Gallagher, R., & Moltke, H. (2018, June 25). The NSA’s Hidden Spy Hubs In Eight U.S. Cities. Retrieved December 3, 2018, from https://web.archive.org/web/20180625121805/https://theintercept.com/2018/06/25/att-internet-nsa-spy-hubs/
- Harašta, J. (2018). Legally Critical: Defining Critical Infrastructure in an Interconnected World. International Journal of Critical Infrastructure Protection, 21, 47–56. https://doi.org/10.1016/j.ijcip.2018.05.007
- Hess, T., Matt, C., Benlian, A., & Wiesböck, F. (2016). Options for Formulating a Digital Transformation Strategy. MIS Quarterly Executive, 15(2).Google Scholar
- International Organization for Standardization. (2004). Conformity Assessment – Vocabulary and General Principles (Vol. 03.120.20; 01.040.03). Retrieved from http://www.iso.org/iso/catalogue_detail.htm?csnumber=29316
- Issenberg, S. (2015, November 12). Cruz-Connected Data Miner Aims to Get Inside U.S. Voters’ Heads. Retrieved November 27, 2018, from https://web.archive.org/web/20171125135309/https://www.bloomberg.com/news/features/2015-11-12/is-the-republican-party-s-killer-data-app-for-real-
- Janita. (2016, November 9). DDoS Attack Halts Heating in Finland Amidst Winter. Retrieved December 6, 2018, from https://web.archive.org/web/20161109214609/http://metropolitan.fi/entry/ddosattack-halts-heating-in-finland-amidst-winter
- Karnouskos, S. (2011). Stuxnet Worm Impact on Industrial Cyber-Physical System Security. In Proceedings of the 37th Annual Conference of the IEEE Industrial Electronics Society. Melbourne, Australia: IEEE.Google Scholar
- Kozlowska, H. (2018, April 4). The Cambridge Analytica Scandal Affected Nearly 40 Million More People Than We Thought. Retrieved November 11, 2018, from https://web.archive.org/web/20180404234449/https://qz.com/1245049/the-cambridge-analytica-scandal-affected-87-million-people-facebook-says/
- Lansing, J., Benlian, A., & Sunyaev, A. (2018). `Unblackboxing’ Decision Makers’ Interpretations of IS Certifications in the Context of Cloud Service Certifications. Journal of the Association for Information Systems, 19(11).Google Scholar
- Lins, S., Grochol, P., Schneider, S., & Sunyaev, A. (2016). Dynamic Certification of Cloud Services: Trust, but Verify! IEEE Security and Privacy, 14(2), 67–71.Google Scholar
- Lins, S., Schneider, S., & Sunyaev, A. (2018). Trust is Good, Control is Better: Creating Secure Clouds by Continuous Auditing. IEEE Transactions on Cloud Computing, 6(3), 890–903. https://doi.org/10.1109/TCC.2016.2522411
- Lloyd. (2018, January 23). Failure of a Top Cloud Service Provider Could Cost US Economy $15 Billion. Retrieved December 6, 2018, from https://web.archive.org/web/20180511091302/https://www.lloyds.com/news-and-risk-insight/press-releases/2018/01/failure-of-a-top-cloud-service-provider-could-cost-us-economy-$15-billion
- Mackay, M., Baker, T., & Al-Yasiri, A. (2012). Security-Oriented Cloud Computing Platform for Critical Infrastructures. Computer Law & Security Review, 28(6), 679–686. https://doi.org/10.1016/j.clsr.2012.07.007
- Martin, K. (2016). Understanding Privacy Online: Development of a Social Contract Approach to Privacy. Journal of Business Ethics, 137(3), 551–569. https://doi.org/10.1007/s10551-015-2565-9
- National Institutes of Standards and Technology. (2002). Federal Information Security Management Act of 2002. (National Institutes of Standards and Technology, Ed.). Gaithersburg, USA: National Institutes of Standards and Technology. Retrieved from http://csrc.nist.gov/drivers/documents/FISMA-final.pdf
- Neff, G., & Nagy, P. (2016). Talking to Bots: Symbiotic Agency and the Case of Tay. International Journal of Communication, 10(0). Retrieved from https://ijoc.org/index.php/ijoc/article/view/6277
- Newman, L. H. (2016, December 14). Hack Brief: Hackers Breach a Billion Yahoo Accounts. A Billion. Retrieved December 6, 2018, from https://web.archive.org/web/20161215005048/https://www.wired.com/2016/12/yahoo-hack-billion-users/
- Nicander, L. (2010). Shielding the Net – Understanding the Issue of Vulnerability and Threat to the Information Society. Policy Studies, 31(3), 283–300. https://doi.org/10.1080/01442871003615935
- Nissenbaum, H. (2010). Privacy in Context: Technology, Policy, and the Integrity of Social Life. Stanford, CA, USA: Stanford University Press.Google Scholar
- Ouyang, M. (2014). Review on Modeling and Simulation of Interdependent Critical Infrastructure Systems. Reliability Engineering & System Safety, 121, 43–60. https://doi.org/10.1016/j.ress.2013.06.040
- Perlroth, N. (2016, September 22). Yahoo Says Hackers Stole Data on 500 Million Users in 2014. Retrieved December 6, 2018, from https://web.archive.org/web/20160922192732/https://www.nytimes.com/2016/09/23/technology/yahoo-hackers.html
- Rinaldi, S. M., Peerenboom, J. P., & Kelly, T. K. (2001). Identifying, Understanding, and Analyzing Critical Infrastructure Interdependencies. IEEE Control Systems Magazine, 21(6), 11–25. https://doi.org/10.1109/37.969131
- Sunyaev, A., & Schneider, S. (2013). Cloud Services Certification. Communications of the ACM, 56(2), 33–36. https://doi.org/10.1145/2408776.2408789
- Theoharidou, M., Kotzanikolaou, P., & Gritzalis, D. (2010). A Multi-Layer Criticality Assessment Methodology Based on Interdependencies. Computers & Security, 29(6), 643–658. https://doi.org/10.1016/j.cose.2010.02.003
- Travers, J., & Milgram, S. (1977). An Experimental Study of the Small World Problem. In S. Leinhardt (Ed.), Social Networks (pp. 179–197). Academic Press. https://doi.org/10.1016/B978-0-12-442450-0.50018-3
- Trist, E. (1981). The Evolution of Socio-Technical Systems. In Perspectives in Organization Design and Behavior (pp. 32–47). London, UK: John Wiley.Google Scholar
- US Department of Homeland Security. (2016). Automated Indicator Sharing (AIS). Retrieved from https://web.archive.org/web/20160326161554/https://www.dhs.gov/ais.