Critical Information Infrastructures: What Lies Ahead?



SLIDE 1

Critical Information Infrastructures: What Lies Ahead?

Giampiero Giacomello EIB Seminar November 6, 2013

SLIDE 2

What are Critical Information Infrastructures?

  • Critical Infrastructures (CI) are the “arteries and veins” of Western urbanized societies (and, increasingly, not only them).

  • I think “blood and nerves” is more accurate, because information flows in there and it is essential for managing them.

  • And when CI are managed via information flows, they become Critical Information Infrastructures (CII).

SLIDE 3

CII Today

  • There are some differences between the EU and the US on some specific definitions and typologies, but they basically include:

  • Energy (production and distribution); information technology (IT); telecommunications (all); health care (including emergency services); transportation (all); water; government and law enforcement; banking and finance

SLIDE 4

Why Critical?

  • Because any major disruption of any of these would have serious consequences for the well-being and wealth of the people affected

  • Think of power outages or airport delays to have a (mild) idea

  • Plus our societies tend to become more dependent on CII and increasingly risk-averse (Beck 1992), thus pretending that no major disruption will ever happen!

SLIDE 5

Worst Case Scenario

SLIDE 6

SLIDE 7

Two Sweeping Events

  • CI have always been vulnerable (e.g. WWII strategic bombing)

  • There were however 2 sweeping events, both in the 1990s, that, unintentionally, converged to make today's CI the most vulnerable

  • The first, when CI became CII, relying on the Internet (late 1990s). Why?

  • Because to their own inherent vulnerability, CI have added the “birth defect”, “the original sin” of the Internet, namely the (almost) total lack of security

SLIDE 8

Imperfection, all the way down

  • When networks were proprietary, we had “security through obscurity”

  • For the Internet, security was never a priority, because its nature was to be open, easy, adaptable (and to be used by academics and engineers, who else?)

  • But when businesses discovered that it was free and that, by remote monitoring, they could cut costs, it seemed (almost) too good to be true (SCADA and all the rest…)

SLIDE 9

But it gets worse…

  • Such a situation was problematic but manageable, and then came the second event, namely the 1990s liberalization/deregulation/privatization frenzy

  • Infrastructures that had been public became the “public-private partnership” (PPP)

  • Business logic was applied, hence cut costs to increase profit (bring in the Internet and SCADA even here)

  • But “security” as a public good is subject to market failure…a lot

SLIDE 10

Now the good news…

  • Organizational theories (such as “Normal Accident”; Perrow, 1999) tell us that institutional fragmentation (too many stakeholders) negatively affects the ability to reliably manage the CI

  • Indeed, evidence shows that the CI operate “closer to the edge” than before the restructuring

  • And yet, the performance (so far) of restructured CI and even CII is far better than expected/predicted. Why?

SLIDE 11

End of the good news…

  • One study (de Bruijne & van Eeten, 2007) identified the “real-time, information-rich communication and coordination” as the answer

  • Namely “guts”, instincts, coup d’oeil and familiarity and informality of communication among the experts, in real-time

  • We are anxious, risk-averse societies, however, and we would never trust this protocol to work…

SLIDE 12

The (Un)Balance

  • Thus we (societies) demand that a “balance” of anticipation and resilience policies is applied to protect CII

  • Effective anticipation, however, requires precise assessment of the risk, which was difficult (not impossible) when every CI was separated

  • Today, with networks, webs and grids all interconnected, cascade effects make effective anticipation next to impossible

SLIDE 13

Resilience? Market Failure!

  • Resilience too is dreamland, as it demands redundancy

  • Redundancy is the duplication (and more) of controls, of monitoring and safety devices

  • But the private sector, which heftily benefited from the “fragmentation” (liberalization??), has no intention whatsoever to start paying for duplication (a clear market contradiction)

  • The state, which benefited too, is also reluctant, but in case of CII failure, it will be the one that has to “pick up the pieces”…

SLIDE 14

Last but not least…

  • In all this, we considered natural events and “normal accidents”, not evil deeds. If evil comes, just in cyberspace (the information domain)

  • Cyberterrorism: possibly, but for now, more of a myth (Conway, 2002; Lewis, 2002; Giacomello, 2004; Weimann, 2004)

  • Cyberwarfare: this is serious stuff (US, Russia, China, Israel, UK, France, Germany, but also Pakistan, India, North Korea and some others) and it’ll be part of an “all out” war

SLIDE 15

Conclusions

  • The picture is bleak, very much so!

  • The Internet is insecure and transition to a secure Internet (v.6) will be costly and (probably) cumbersome

  • CII will grow, interconnections and SCADA will grow and so will cascade effects and multiple vulnerability

  • Plus, none of the stakeholders wants to bear the costs (business, state) or is aware and willing enough to pay more (consumers)

  • Any good idea??

SLIDE 16