Events - Future Lecture.

Non-traditional Threats

How to Protect Critical Infrastructure from Cyber Breaches?
Wednesday، September 28، 2016
Non-traditional Threats

Cyber attacks pose serious threats to the critical infrastructure and economy of states and by large their national security. It is estimated that there will be more than 20 billion devices connected to the Internet by 2020, which result in further increasing cyber threats.

On September 28, 2016, Future for Advanced Research & Studies (FARAS) hosted a workshop on how to protect critical infrastructure from cyber security breaches where Adel Abdul Mumen, an expert at the ITU Arab Regional Cybersecurity Center (ITU-ARCC) presented the main working paper.

Threats to Critical Infrastructure

Civilian infrastructure is among the strategic assets that any state seeks to protect and secure from all forms or threats, whether traditional threats such as physical and military attacks, or non-traditional threats such as cyber security breaches- and for a good reason: The potential human and material losses sustained through exposure to damage are immense.

The problem is even more severe when the targeted infrastructures are critical, i.e. the energy, electricity, transportation, telecommunications, dams, water reservoirs, solar power plants and nuclear power stations.

A large part of infrastructures such as dams and electrical power plants are run by systems such as the SCADA (Supervisory Control and Data Acquisition. Consequently, if hackers manage to breach these systems, the ramifications would be unimaginable, and the damage to the state can be too severe for some governments to bear. Moreover, what makes threats to critical infrastructures highly serious is that they involve people's lives.

Significant Cyber Incidents

1. The August 2012 cyberattack on Saudi Aramco, one of the world's largest oil companies, affected tens of thousands of workstations of the oil giant. The cyber attack was aimed at damaging the Saudi economy and stopping oil and gas production and exports to local and global markets and is an instance of how a virus can be used to jeopardize the infrastructure of a state like Saudi Arabia and consequently the global economy.

2. The October 2010 cyber attack using Stuxnet, a malicious computer worm, to affect computers across Iran targeting the country's industrial plants and systems, in particular, centrifuges for separating nuclear material in the Iranian nuclear program. Iran said the Stuxnet worm infected 30,000 computers in Iran, including those within the Natanz nuclear plant.

3. The conflict between Russia and Ukraine witnessed a cyber war. Kiev accused Moscow of launching the December 2015 cyber attack on Ukraine's power grid which caused power outages leaving tens of thousands of houses without electricity. Later in 2016, Ukraine said that Russia is behind cyber-attacks that targeted Boryspil Airport in Kiev.

4. In April 2016, Germany's Gundremmingen plant, run by the German utility RWE AG, suffered a disruptive cyber attack that prompted the operator to heighten precautionary cyber security measures.

Mechanisms of Ensuring Cybersecurity

Cyber breaches jeopardizing critical infrastructure, and people's lives prompted states to adopt cybersecurity strategies and set up special bodies and authorities to handle the protection of these assets from cyber risks.

Strategies and frameworks established by international organizations include the following:

1. The International Telecommunication Union (ITU), a part of the United Nations system, developed a national cyber security strategy guide which builds on the following five pillars: 

  • Pillar 1 - Legal Measures: Seeks to elaborate strategies for the development of a model that is globally applicable and contains inter-operable cyber crime legislation.
  • Pillar 2 - Technical and Procedural Measures: Focuses on measures for addressing vulnerabilities in software products.
  • Pillar 3 - Organizational Structures: Aims to create organizational structures and strategies including a cybersecurity coordinating body in the state and a protection unit.
  • Pillar 4 - Capacity Building: Seeks to elaborate strategies for enhancing knowledge and expertise to boost cyber security.
  • Pillar 5 - International Cooperation: Focuses on strategies for international cooperation, dialogue and coordination to reduce cyber risks.

2. The US National Institute of Standards and Technology (NIST) developed a framework for improving critical infrastructure cybersecurity. The Framework core consists of five functions—Identify, Protect, Detect, Respond, Recover. When considered together, these functions provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk.

3. Cybersecurity standards such as ISO/IEC 27001 specify the requirements for establishing, implementing, maintaining and continually improving an information security. The more recent ISO/IEC 27032 standard guides are improving the state of cybersecurity, in particular, digital assets.

The participants noted that cybersecurity systems could also help protect the economy, critical infrastructures, data and information about the state and individuals and the state's national security.

Therefore, it is crucial for any country to identify its digital assets, take all measures to protect them, create a system to detect cyber security risks and a system to respond to potential attacks using Computer Emergency Readiness Teams (CERTs). It is also important to set up a special CERTs in each critical sector such as telecommunications, oil, etc. as well as at major corporations and ministries.

The following elements should be taken into account while creating cyber security protection systems and safeguards:

  • Business Continuity (BC) is also known as Business Continuity Management (BCM), which encompasses actions and measures to ensure that an organization can continue to operate in case of serious incidents or disasters, whether minor or major, continue to provide services to society, can develop alternatives, for individuals and facilities, to recover to an operational state . Noteworthy is that the United Arab Emirates was among the first Arab states to have developed a business continuity guide with help from the British Business Continuity Institute (BCI) and the Disaster Recovery Institute International (DRII).
  • Disaster Recovery (DR) involves a set of policies and procedures to enable the recovery or continuation of vital technology infrastructure and systems following a disaster.
  • Recovery time objective (RTO) is the targeted duration of time and service level within which a business process must be restored after a disaster or disruption.

At the conclusion of the workshop, the participants expected that cyber attacks in the future will be larger in scale and have a more destructive impact on critical infrastructure especially because of the fast-increasing number of devices connected to the Internet, the increasing number of smart cities where tens of thousands of cyber-attacks are launched every second.

Keywords: Cyber SecuritySecuritySCADAStuxnetcyberattacks