In addressing cyber threats to critical infrastructure, it is helpful to think of the lesson of the “3 Little Pigs”

On June 7th the European People’s Party organized a public hearing on Cybercrime and Cybersecurity at the European Parliament in Brussels, Belgium (1) . It was a great honor to be invited as a speaker on Cybersecurity and Critical Energy Infrastructure for the second panel discussion covering the theme of “Cybersecurity: improving European industry”. I shared the panel with some high officials. One was the Secretary General of the European Cyber Security Organisation (ECSO). Another was from the Industry, Research and Energy Committee of the European Parliament and one official from security company Symantec not to mention representatives from law enforcement. With the public hearing focusing on “cybercrime” I felt a special challenge and responsibility in speaking more broadly about the cyber threats to European industry in my allotted time of 10 minutes. Especially in terms of protecting the industrial control systems which support the operations and services associated with critical infrastructure. To me the public hearing was missing an important threat in focusing on cybercrime threats to industry. As if that was all there was to worry about.

Public Hearing at the European Parliament on Cybercrime and Security Poster

Yes, organizing a public hearing to discuss cybercrime in terms of threats to the financial sector and personal data privacy was very appropriate. However, what about the other threat actors that have been active in attacking the supporting critical infrastructures such as the energy sector which the financial sector depends on to function? One of them is the electric power sector which provides electricity to run the IT and Telecommunications equipment used for the transactions going on in global finance. Is there a danger of falling into the “3 Little Pigs” trap of poor preparation for surviving an attack from the “big bad wolf” or state sponsored cyber-attack on critical infrastructure?

Up until now, cybercrime has largely left critical infrastructure (utilities, energy, and transportation sectors) alone as a target.(2) Most of the disturbing cyber-attacks directed at critical infrastructure since 2010 have been associated with the malicious cyber activities of states not cyber criminals. There seems to be no apparent motive for a criminal to engage in an activity that does not pay. What money is there in causing a power blackout for the perpetrator? However, motives for such activity can be found in the policies of a state that is unhappy with the policies of another.

Is focusing on the cybercrime threat enough to address the danger, what about the malicious cyber activities of states?

Have attended several conferences and seminars on cybersecurity, including this one at the European Parliament and what I find missing in terms of threats is an appreciation for the malicious activities of states in cyberspace. It would appear that today it is generally recognized that the level of cyber threats require some kind of bold action. However if all the threats are not taken into account then we risk making the error of the two of the 3 little pigs from the children story. This is the error of building security structures that don’t take into account all the relevant sources of threats. Much good work is done in fighting cybercrime. There is the International Convention on Cybercrime. Interpol and Europol have cybercrime units. Unfortunately, for the security of critical infrastructure, they only investigate cybercrime cases. If it looks like the work of a state, they drop the case (3) . This is the problem. In cyberspace there is no organization that is actively picking up the case when law enforcement says it is out of their cybercrime jurisdiction. It would appear that we have a system that is built to deal with the problems recognized by the 2 pigs. Structures made of “straw and wood” that are enough to keep out the “wind and rain” of cybercrime. So far, we have no 3rd pig who is dealing with the threat of the “wolf” or far more capable and less money seeking state actor. No house of brick to withstand the wolf’s huffing and puffing from the outside and no one tending the fireplace inside to keep the wolf from sneaking down the chimney to attack critical infrastructure. This current state of affairs needs to change as it sends the wrong signals to the perpetrators thinking about using this new cyber technology as a weapon to employ against critical infrastructure. Until then these advanced, resourced and persistent actors will continue to see these malicious activities as effective, cheap and deniable.

However, on the hopeful side, this conference that focused on cybercrime did include the topic of cyber threats to critical energy infrastructure and did provide an opportunity to discuss the additional threats of states and the need for an international cooperative effort similar to what has been done to fight cybercrime. There are signs of a change in awareness in understanding the complexity and scale of the challenges faced in making cyberspace safer for both people and the machines they depend on for their well-being.

References:
1. http://www.eppgroup.eu/event/Cybercrime-and-Cyber-Security

2. Unless these sectors become targets of ransomware attacks. Perhaps the “WannaCry” event is a harbinger for the future?

3. Sadauskas, A., Inside Interpols digital crime centre, http://www.itnews.com.au/news/inside-interpols-digital-crime-centre-410768?eid=3&edate=20151021&utm_source=20151021_PM&utm_medium=newsletter&utm_campaign=daily_newsletter Oct 21, 2015

https://enseccoe.org/en

NOTE: The views expressed within this blog entry are the authors’ and do not represent the official view of any institution or organization affiliated thereof. Vytautas Butrimas has been working in information technology and security policy for over 30 years. Mr. Butrimas has participated in several NATO cybersecurity exercises, contributed to various international reports and trade journals, published numerous articles and has been a speaker at conferences and trainings on industrial cybersecurity and policy issues. Has also conducted cyber risk studies of the control systems used in industrial operations. He also collaborates with the International Society of Automation (ISA) and is member of ISA 99 Workgroup 13 that is developing Micro Learning Modules on the ISA 62443 Industrial Automation and Control System Security Standard and Workgroup 14 on security profiles for substations.