Friday, May 18, 2012

 

 

ICT contribution to secure-by-design approaches for critical Infrastructures

Information and Communication Technologies (ICT) play a decisive role in the operation of modern organisations such as industries, commercial businesses/companies, public bodies, governments or so-called critical infrastructures. The first changes occurred in the second half of the last century and have shown a tremendous acceleration since the late nineties, further demonstrating that our societies are evolving in the Information Age.

As a consequence of these fast mutations and rapid technology evolutions, all sectors of the economy have adapted to benefit from the opportunities ICT is providing to operations through faster exchanges, dematerialised transactions, global reach of messages and automation of business and industrial processes. However, not all sectors show the same maturity towards ICT, especially concerning the new security challenges they have to face.
 
As a consequence of the central role they play, ICT infrastructures are increasingly targeted by a large variety of threats ranging from cyber terrorism, organised crime, hackers, and activists to untargeted threats like computer viruses or worms. It is therefore no surprise that consequences of ICT infrastructure failures or security breaches have received large public visibility in the past years. For instance:
  • In 2008, a Polish teenager turned the tram system in the city of Lodz into his “own personal train set” by taking control of the tracks. Four trains were derailed and several had to make emergency stops.
  • In 2003, a virus, or more exactly a worm, called “Slammer” penetrated a private computer network at Ohio's Davis-Besse nuclear power plant and disabled a safety monitoring system for nearly five hours.
  • In 2000, a former employee of an Australian water company was arrested with a two-way radio antenna, a remote telemetry system, and a laptop computer he had used to attack the control system. 264,000 gallons of sewage inundated the grounds of a local tourist resort.
 
These examples illustrate the impact such breaches can have on systems for which security was not part of the design or at least for which very relevant threats were not taken into account.
 
In the framework of the coming Communication on Critical Information Infrastructure Protection, this session presented some necessary framework concepts to move towards “secure by design” ICT systems. In particular, EOS described how appropriate processes and governance need to be put in place during the complete system lifecycle to make sure that security is managed as a core capability.
 

The presentations suggested a road map for the adoption of these principles by Critical Infrastructure operators across Europe.

Available for Download

Overview of EOS – the European Organisation for Security

Véronique Pevtschin - Engineering European Research Direction team - Security programmes

 
The following speakers presented why and how their organisations are contributing to the “Secure By Design” activities of the EOS ICT WG:
  • Atos Origin – Aljosa Pasic, Head of department, Atos Research & Innovation
  • CEA – Alain Merle, Programme Line Manager for Security and Defence, LETI, MINATEC
  • Thales – Gregory Lopez, Security Division

The presentations were followed by an open discussion.
