Security of Critical Information Infrastructures



The rapid evolution of information technologies in the past decades gave information systems an increasingly central role in society. Some of these information systems are now so critical that their disruption or unintended consequences can have detrimental effects on vital societal functions. This chapter clarifies the concept of critical information infrastructures. After a brief introduction to salient characteristics and main functions of critical information infrastructures, the chapter discusses threats and risks critical information infrastructures are confronted with and presents approaches to master these challenges. Recent attacks and disruptions of critical information infrastructures, such as Cambridge Analytica, WannaCry, the Mirai Botnet, and Microsoft Tay, are presented for illustrative purposes. Critical information infrastructures often linger unnoticed and their vital role in society remains unheeded. This chapter provides the foundations required to understand and protect critical information infrastructures so that they can be appropriately managed before adverse consequences manifest.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


Recommended Reading

  1. Adelmeyer, M., & Teuteberg, F. (2018). Cloud Computing Adoption in Critical Infrastructures –Status Quo and Elements of a Research Agenda. In MKWI 2018 Proceedings (pp. 1345–1356). Lüneburg, Germany.Google Scholar
  2. Dehling, T., & Sunyaev, A. (2014). Secure Provision of Patient-Centered Health Information Technology Services in Public Networks—Leveraging Security and Privacy Features Provided by the German Nationwide Health Information Technology Infrastructure. Electronic Markets, 24(2), 89–99.
  3. Lins, S., Schneider, S., & Sunyaev, A. (2018). Trust is Good, Control is Better: Creating Secure Clouds by Continuous Auditing. IEEE Transactions on Cloud Computing, 6(3), 890–903.
  4. Rinaldi, S. M., Peerenboom, J. P., & Kelly, T. K. (2001). Identifying, Understanding, and Analyzing Critical Infrastructure Interdependencies. IEEE Control Systems Magazine, 21(6), 11–25.


  1. Antonakakis, M., April, T., Bailey, M., Bernhard, M., Bursztein, E., Cochran, J., … Zhou, Y. (2017). Understanding the Mirai Botnet. In Proceedings of the USENIX Security Symposium (pp. 1092–1110). Vancouver, BC, Canada: USENIX.Google Scholar
  2. AT&T. (2010, March 9). AT&T Completes 100-Gigabit Ethernet Field Trial. Retrieved December 3, 2018, from
  3. Azencott, C.-A. (2018). Machine Learning and Genomics: Precision Medicine Versus Patient Privacy. Philosophical Transactions of the Royal Society of London A: Mathematical, Physical and Engineering Sciences, 376(2128).
  4. BBC. (2017, May 15). Ransomware Cyber-Attack: Who Has Been Hardest Hit? Retrieved November 11, 2018, from
  5. Benlian, A., Kettinger, W. J., Sunyaev, A., & Winkler, T. J. (2018). The Transformative Value of Cloud Computing: A Decoupling, Platformization, and Recombination Theoretical Framework. Journal of Management Information Systems, 35(3), 1–24.Google Scholar
  6. Bhagat, S., Burke, M., Diuk, C., Filiz, I. O., & Edunov, S. (2016, February 4). Three and a Half Degrees of Separation. Retrieved January 24, 2019, from
  7. Bharadwaj, A., El Sawy, O., Pavlou, P., & Venkatraman, N. (2013). Digital Business Strategy: Toward a Next Generation of Insights. MIS Quarterly, 37(2), 471–482.Google Scholar
  8. Bundesamt für Sicherheit in der Informationstechnik. (2014). UP KRITIS: Public-Private Partnership for Critical Infrastructure Protection. Retrieved from
  9. Cadwalladr, C. (2018, March 17). ‘I Made Steve Bannon’s Psychological Warfare Tool’: Meet the Data War Whistleblower. Retrieved November 27, 2018, from
  10. Cadwalladr, C., & Graham-Harrison, E. (2018, March 17). Revealed: 50 Million Facebook Profiles Harvested for Cambridge Analytica in Major Data Breach. Retrieved November 26, 2018, from
  11. CERT-EU. (2017). WannaCry Ransomware Campaign Exploiting SMB Vulnerability (Security Advisory No. 2017–012). Retrieved from
  12. Council of the European Union. (2008). Council Directive 2008/114/EC on the Identification and Designation of European Critical Infrastructures and the Assessment of the Need to Improve Their Protection. Official Journal of the European Union, L 345(75). Retrieved from
  13. Egan, M. J. (2007). Anticipating Future Vulnerability: Defining Characteristics of Increasingly Critical Infrastructure-like Systems. Journal of Contingencies and Crisis Management, 15(1), 4–17.
  14. Fekete, A. (2011). Common Criteria for the Assessment of Critical Infrastructures. International Journal of Disaster Risk Science, 2(1), 15–24.
  15. Gallagher, R., & Moltke, H. (2018, June 25). The NSA’s Hidden Spy Hubs In Eight U.S. Cities. Retrieved December 3, 2018, from
  16. Harašta, J. (2018). Legally Critical: Defining Critical Infrastructure in an Interconnected World. International Journal of Critical Infrastructure Protection, 21, 47–56.
  17. Hess, T., Matt, C., Benlian, A., & Wiesböck, F. (2016). Options for Formulating a Digital Transformation Strategy. MIS Quarterly Executive, 15(2).Google Scholar
  18. International Organization for Standardization. (2004). Conformity Assessment – Vocabulary and General Principles (Vol. 03.120.20; 01.040.03). Retrieved from
  19. Issenberg, S. (2015, November 12). Cruz-Connected Data Miner Aims to Get Inside U.S. Voters’ Heads. Retrieved November 27, 2018, from
  20. Janita. (2016, November 9). DDoS Attack Halts Heating in Finland Amidst Winter. Retrieved December 6, 2018, from
  21. Karnouskos, S. (2011). Stuxnet Worm Impact on Industrial Cyber-Physical System Security. In Proceedings of the 37th Annual Conference of the IEEE Industrial Electronics Society. Melbourne, Australia: IEEE.Google Scholar
  22. Kozlowska, H. (2018, April 4). The Cambridge Analytica Scandal Affected Nearly 40 Million More People Than We Thought. Retrieved November 11, 2018, from
  23. Lansing, J., Benlian, A., & Sunyaev, A. (2018). `Unblackboxing’ Decision Makers’ Interpretations of IS Certifications in the Context of Cloud Service Certifications. Journal of the Association for Information Systems, 19(11).Google Scholar
  24. Lins, S., Grochol, P., Schneider, S., & Sunyaev, A. (2016). Dynamic Certification of Cloud Services: Trust, but Verify! IEEE Security and Privacy, 14(2), 67–71.Google Scholar
  25. Lins, S., Schneider, S., & Sunyaev, A. (2018). Trust is Good, Control is Better: Creating Secure Clouds by Continuous Auditing. IEEE Transactions on Cloud Computing, 6(3), 890–903.
  26. Lloyd. (2018, January 23). Failure of a Top Cloud Service Provider Could Cost US Economy $15 Billion. Retrieved December 6, 2018, from$15-billion
  27. Mackay, M., Baker, T., & Al-Yasiri, A. (2012). Security-Oriented Cloud Computing Platform for Critical Infrastructures. Computer Law & Security Review, 28(6), 679–686.
  28. Martin, K. (2016). Understanding Privacy Online: Development of a Social Contract Approach to Privacy. Journal of Business Ethics, 137(3), 551–569.
  29. National Institutes of Standards and Technology. (2002). Federal Information Security Management Act of 2002. (National Institutes of Standards and Technology, Ed.). Gaithersburg, USA: National Institutes of Standards and Technology. Retrieved from
  30. Neff, G., & Nagy, P. (2016). Talking to Bots: Symbiotic Agency and the Case of Tay. International Journal of Communication, 10(0). Retrieved from
  31. Newman, L. H. (2016, December 14). Hack Brief: Hackers Breach a Billion Yahoo Accounts. A Billion. Retrieved December 6, 2018, from
  32. Nicander, L. (2010). Shielding the Net – Understanding the Issue of Vulnerability and Threat to the Information Society. Policy Studies, 31(3), 283–300.
  33. Nissenbaum, H. (2010). Privacy in Context: Technology, Policy, and the Integrity of Social Life. Stanford, CA, USA: Stanford University Press.Google Scholar
  34. Ouyang, M. (2014). Review on Modeling and Simulation of Interdependent Critical Infrastructure Systems. Reliability Engineering & System Safety, 121, 43–60.
  35. Perlroth, N. (2016, September 22). Yahoo Says Hackers Stole Data on 500 Million Users in 2014. Retrieved December 6, 2018, from
  36. Rinaldi, S. M., Peerenboom, J. P., & Kelly, T. K. (2001). Identifying, Understanding, and Analyzing Critical Infrastructure Interdependencies. IEEE Control Systems Magazine, 21(6), 11–25.
  37. Sunyaev, A., & Schneider, S. (2013). Cloud Services Certification. Communications of the ACM, 56(2), 33–36.
  38. Theoharidou, M., Kotzanikolaou, P., & Gritzalis, D. (2010). A Multi-Layer Criticality Assessment Methodology Based on Interdependencies. Computers & Security, 29(6), 643–658.
  39. Travers, J., & Milgram, S. (1977). An Experimental Study of the Small World Problem. In S. Leinhardt (Ed.), Social Networks (pp. 179–197). Academic Press.
  40. Trist, E. (1981). The Evolution of Socio-Technical Systems. In Perspectives in Organization Design and Behavior (pp. 32–47). London, UK: John Wiley.Google Scholar
  41. US Department of Homeland Security. (2016). Automated Indicator Sharing (AIS). Retrieved from

Copyright information

© Springer Fachmedien Wiesbaden GmbH, ein Teil von Springer Nature 2019

Authors and Affiliations

  1. 1.Institute of Applied Informatics and Formal Description Methods, Department of Economics and Management, Karlsruhe Institute of TechnologyKarlsruheGermany
  2. 2.Karlsruher Institut für TechnologieKarlsruheGermany

Personalised recommendations