
Security Challenges

Volume 2 Number 2 (July 2006) - 99 -

Threats to the Australian Economy from Information Technology / Communication System Collapse [1]

Robert H. Anderson

This article addresses the question: How serious is the threat to Australia's critical information infrastructure from cyber attacks? Information and communication systems form the backbone of many aspects of Australia's economy and social infrastructure. Those systems have vulnerabilities that might be exploited. There are a variety of mitigation measures that can be employed to lessen, but not eliminate, the possibility of severe consequences. We conclude that most attacks will not cause overwhelming, lasting damage to Australia, but special attention should be paid to physical attacks against key information system nodes, the insider threat, and simultaneous, coordinated attacks against a system's primary and backup sites.

Introduction

The popular press and the Web contain daily reminders that cyberspace is a dangerous place, where fraud, hacking, worms, viruses, identity theft, and other crimes and misdemeanours thrive. It is also clear that we as individuals, organizations, and entire societies are becoming ever more dependent on the Internet and its World Wide Web. Commerce is conducted business-to-consumer, business-to-business, government-to-business. Control signals for pipelines, plants, telephone systems and many other real-world devices and installations are routed over the Internet because it's there, and it is (practically) free – at least compared with dedicated telephone lines, or installing a separate communication cable.

Society's increasing dependence on the Internet and Web, and the vulnerabilities of these systems, is highlighted often. For example, a 2004 United States General Accounting Office (GAO) report states

... Nowadays, our water, food, fuel, lights, heat, home, work, and vehicles are all supported, if not directly run, by computers and networks. Essentially, computers and networks run our nation's critical infrastructures that are vital to national defense, economic security, and public health and safety.

Unfortunately, many computer systems and networks were not designed with security in mind. As a result, the core of our critical infrastructure is riddled with vulnerabilities that seem to require constant patches and fixes. These vulnerabilities could enable an attacker to disrupt the operations of or cause damage to critical infrastructures. The potential exists for causing physical damage to people and property by exploiting vulnerabilities in computers and networks. The problem is exacerbated by increasing computer interconnectivity, most notably growth in the use of the Internet since the 1990s... [2]

[1] This article is based on an invited presentation made to the Kokoda Foundation Conference on Next Generation Threats to Australia, Canberra, October 2005.

Ample warnings are also provided in a more recent Congressional Research Service Report for Congress specifically discussing terrorist capabilities for cyber attack: [3]

Several recent studies by global computer security firms found that the highest rates for computer attack activity were directed against critical infrastructures, such as government, financial services, manufacturing, and power...

Many observers that monitor the Internet suggest that due to the effects of intensified counterterrorism efforts worldwide, Islamic extremists are gravitating toward the Internet, and are succeeding in organizing online where they have been failing in the physical world...

Imam Samudra, convicted and now awaiting execution for taking part in the 2002 bombings of two Bali nightclubs, has written a book titled "Aku Mekawan Terroris!", which reportedly translates to "Me Against the Terrorist". Samudra advocates that Muslim youth actively develop hacking skills "to attack U.S. computer networks". Samudra names several websites and chat rooms as sources for increasing hacking skills. He urges Muslim youth to obtain credit card numbers and use them to fund the struggle against the United States and its allies. The terrorist attacks in Bali, and recent attacks in several other countries, may have been funded through stolen credit cards.

But that's from the U.S., where pronouncements of major threats are sometimes used to mobilize lethargic bureaucracies, enable legislation, allocate resources, sell software or services, or placate special interest groups. This raises the questions: How much of this cyberspace threat is hype? How afraid should we be? And if the threat is real, what should be done about it? What, in particular, should be Australia's priorities?

What is a Threat?

It helps to be clear about what is meant by a threat to an information system. In a recent RAND report [4], we make the following distinctions. There is a threat to an information system if:

• that system's operation is critical to some vital organizational or societal function;

• that system has one or more vulnerabilities;

• someone has knowledge of the existence of that vulnerability, access to the system, the technical capability to exploit the vulnerability, and the motivation to carry out that exploit.

We now consider in more detail each of those factors, each of which must be present. [5]

[2] United States General Accounting Office, Technology Assessment: Cybersecurity for Critical Infrastructure Protection. Report GAO-04-321, May 2004, p.18.

[3] John Rollins, and Clay Wilson, Terrorist Capabilities for Cyberattack: Overview and Policy Issues. Congressional Research Service: CRS Report for Congress, October 20, 2005.

[4] Philip S. Antón, Robert H. Anderson, Richard Mesic, and Michael Scheiern, The Vulnerability Assessment & Mitigation Methodology: Finding and Fixing Vulnerabilities in Information Systems. Santa Monica CA, RAND Corporation MR-1601-DARPA, 2003. Available at: <http://www.rand.org/publications/MR/MR1601/>.

SOME SYSTEMS ARE CRITICAL

Our emphasis in this paper is on the overall Australian economy and social structure, rather than on the systems of an individual corporation or enterprise. At the country level, in particular, Willis Ware examined priorities regarding the most critical of a country's infrastructures and concluded that the most vital systems – undergirding almost all other systems and facilities – were energy systems and telecommunication systems (including public-switched telephone networks (PSTN) and the Internet). [6] The critical nature of these systems was underscored by the recent devastation caused by hurricanes Katrina and Rita in the south eastern U.S. Emergency telecommunications systems failed from lack of energy, or relied temporarily on backup power (batteries, fuel-operated generators), which eventually failed as those power supplies were exhausted. Without telecommunications, many police, fire, and government officials were cut off from each other, unable to communicate. At times, they were reduced to use of "runners" hand-carrying messages between embattled command posts. A considerable amount of the confusion in the first days after these disasters can be traced to lack of basic energy and telecommunication systems in the area. [7]

Many other systems are critical to the Australian economy, such as those of major national banks, financial systems operated by the stock market, customs and shipping systems. Because there are so many information systems controlling vital sectors of a nation's economy, it is important for any country to prioritize the top 20 to 50 systems upon which many of the others depend, so that scarce resources for infrastructure protection might be directed to those most-vital systems. As mentioned above, we believe energy, telecomm (PSTN and Internet), and financial/customs/shipping systems will come out high on any such list.

[5] We omit for now natural disasters as threats. They require all the factors except for (human) knowledge and motivation. With that exception, much of the following discussion also applies to disasters.

[6] Willis H. Ware, The Cyber-Posture of the National Information Infrastructure. Santa Monica, CA, RAND Corporation MR-976-OSTP, 1998. Available at: <http://www.rand.org/publications/MR/MR976/>.

[7] Bruce Meyerson, ‘Katrina Rescuers Improvise Communications.’ Telecom Digest Online, 3 September 2005. Available at <http://massis.lcs.mit.edu/telecom-archives/TELECOM_Digest_Online2005-2/1356.html>; Mark Benjamin, ‘Communications breakdown,’ Salon.com, 9 September 2005. Available at: <http://www.salon.com/news/feature/2005/09/09/comm_meltdown/index_np.html>.

SOURCES OF VULNERABILITIES IN INFORMATION SYSTEMS

It is clear that information and communication systems have a variety of vulnerabilities, but is there a systematic way of uncovering them? My colleagues and I at RAND studied various assessment methodologies in use within the U.S. Department of Defense, to assess the current state of practice for the critical information systems in use within DoD. Among these methodologies were Operational Risk Management (ORM), Naval Integrated Vulnerability Assessment (IVA) [8] checklists, and CARVER (Criticality, Accessibility, Recuperability, Vulnerability, Effect, and Recognizability) [9].

Most of these have generic steps listed such as:

• Identify vulnerabilities;

• Prioritize vulnerabilities;

• Brainstorm countermeasures;

• Assess risks.

However, we found little guidance in these documents, and in ISO/IEC 17799, the Code of Practice for Information Security Management, on how the vulnerabilities should be discovered in the first place.

To help remedy this situation, under sponsorship of the U.S. Defense Advanced Research Projects Agency (DARPA), we undertook to develop a Vulnerability Assessment and Mitigation Methodology (VAMM). We asked what fundamental features or properties of a complex information/communication system are likely to spawn exploitable vulnerabilities, from "first principles." We categorized these properties as those resulting from (1) the design or architecture of the system; (2) behavioural characteristics of the system; and (3) other general features of the system. The resulting list of 18 properties, grouped into those three categories, is shown in Table 1. [10]

Table 1: System Properties Leading to Vulnerabilities

Design/Architecture

• Singularity
  o Uniqueness
  o Centrality
  o Homogeneity

• Separability

• Logic/implementation errors; fallibility

• Design sensitivity, fragility, limits, finiteness

• Unrecoverability

Behavioural Characteristics

• Behavioural sensitivity / fragility

• Malevolence

• Rigidity

• Malleability

• Gullibility, deceivability, naiveté

• Complacency

• Corruptability, controllability

General/Other

• Accessible, detectable, identifiable, transparent, interceptable

• Hard to manage or control

• Self-unawareness and unpredictability

• Predictability

Furthermore, each of these system properties might occur in:

• the physical domain (hardware such as data storage, servers, network links),

• the cyber domain (software, data, information, knowledge),

• the human/social domain (staff, management, policies, procedures, training, authentication), and

• enabling infrastructure (such as needed power supplies, water, air conditioning, building controls).

[8] U.S. Department of Defense, Joint Staff, Integrated Vulnerability Assessment (IVA) Integrated Process Team (IPT) Final Report, July 2001.

[9] U.S. Department of Defense, Joint Publication 3-05.2, Joint Tactics, Techniques, and Procedures for Special Operations Targeting and Mission Planning, May 2003. See appendix: ‘A Target Analysis Methodology.’

[10] This table and much of the discussion in this subsection is taken from Antón et al, 2003.

All of the terminology in Table 1 is explained in Antón et al (2003); we will use only one example here to illustrate what is implied. Most vulnerability analyses comprise a checklist of things that have gone wrong in the past, such as "apply patch SP2 to Windows XP." Our more general terminology asks a system manager to think systematically about whether a singularity such as uniqueness might be present in the human/social domain for system operation – for example, whether there is only one system manager capable of rebooting and restoring the system in case of trouble. If so, that would be a vulnerability (if he or she is sick, injured, or otherwise incapacitated). Such questions should be asked for each of the 18 properties in each of the four domains.

In studying vulnerabilities of information systems, we have concluded that too much emphasis is often placed on software flaws such as buffer overruns or malware infestation. There are two areas of vulnerability in particular that seem to be overlooked or given insufficient attention. They are physical vulnerabilities (e.g., to an explosion), and simultaneous, coordinated attacks taking out both a primary facility and its backup site.

We have discussed physical vulnerabilities of critical information systems in Anderson (2004), which gives further detail. As stated there,

The means for physical, kinetic attack can be simple and relatively inexpensive. For the purposes here, [we] consider the means of carrying out a physical, kinetic attack against critical infrastructures (especially those housing information system components) to be truck bombs of the type used in Oklahoma City or airplanes filled with fuel of the type used on September 11, 2001–with special attention on small, private aircraft that can target individual buildings. These smaller aircraft allow ready access to otherwise potentially inaccessible sites, for example, those surrounded by fences, barbed wire, barriers, or guards… [11]

Many critical information systems rely on a primary operating site and secondary "hot backup" site mirroring those transactions, perhaps located a substantial distance away (and even on a separate power grid, and using separate telecommunication lines). We are greatly concerned about simultaneous, coordinated attacks on both the primary and secondary sites of such systems, because terrorists have repeatedly shown the ability to plan and execute simultaneous attacks. The twin World Trade Center towers hits of September 11, 2001 are the most prominent example, but there were also:

• 2003 attacks on separate expatriate housing complexes in Riyadh, Saudi Arabia

• 1998 U.S. embassy bombings in Nairobi, Kenya and Dar es Salaam, Tanzania

• 1983 U.S. Marine barracks + French paratroop HQ in Lebanon

• 1981 hijacking of three Venezuelan passenger jets.

Backup sites are often "hidden," in that their location isn't prominent on corporate or government websites or other public information sources. However, as a test the author has discovered the location of a key international financial system backup processing site in about 20 minutes of Web searching (e.g., for job openings, Internet IP address listings, and the like). "Security through obscurity" is rarely a recipe for success.

KNOWLEDGE OF SECURITY FLAWS, ACCESS, CAPABILITY, MOTIVATION

Other components of a threat mentioned earlier were the existence of knowledge of a system's security flaws, access to the system, the capability of someone to exploit the flaws, and motivation. We do not dwell on these here, because through the thousands of exploits that occur literally daily on the Internet, all of these are amply demonstrated, even by amateur hackers. Terrorists and criminals have even more knowledge, capability, and motivation.

One threat is worth noting in particular, however: the malevolent insider. Insiders have knowledge of the inner workings of a system, they have access and capability, and motivation might include a grudge against an employer, the need for money, or perhaps even being blackmailed by some person or organization. For more information on the scope and magnitude of the insider threat and what might be done to counter it, see Brackney and Anderson (2004). [12]

[11] Robert H. Anderson, ‘Physical Vulnerabilities of Critical Information Systems,’ in Information Assurance: Trends in Vulnerabilities, Threats, and Technologies, eds. Jacques S. Gansler and Hans Binnendijk. Washington DC: National Defense University, 2004, pp. 27-40.

The Magnitude of the Threat

To recap the discussion so far, in assessing the magnitude of a threat to the Australian economy from information technology/communication system collapse, we argue that

• any analysis should not just look at "pure" information and communication systems, but rather, look at what they control, e.g., via SCADA [13] systems – particularly the electric power supply and the public-switched telephone network;

• one must consider attacks beyond Internet-type "cyber-incidents" such as viruses, worms, and denial of service attacks. Pay special attention to physical destruction of critical, singular nodes in an information system – and having a "hot backup" site might not be sufficient protection; and

• one must pay special attention to the insider threat, as one of the most serious to be guarded against.

ATTACK SCENARIOS

To better understand who might attack Australian critical information networks, what they might use as capabilities and methods, their motivation, and the range and magnitude of the effects caused, consider the six attack scenarios shown in Table 2, all of which are simple hypothetical examples taken from a much richer set of possibilities.

These are not necessarily the most likely or the most damaging, but help illustrate the range of attackers, motivations, and effects that might be caused. Clearly a more complete analysis would be performed by Australian critical infrastructure protection authorities, regarding the highest-priority information and control systems in the country and the magnitude of possible damage to Australia's infrastructure and economy that might result from an attack.

[12] Richard C. Brackney, and Robert H. Anderson, Understanding the Insider Threat: Proceedings of a March 2004 Workshop. Santa Monica CA, RAND Corporation CF-196-ARDA, 2004. Available at: <http://www.rand.org/publications/CF/CF196/>.

[13] Supervisory Control and Data Acquisition

Table 2: Example Attack Scenarios

| Scenario | Who (perpetrator) | What (capability) | Why (motivation) | Range of effect | Magnitude of effect |
|---|---|---|---|---|---|
| A | Virus writer(s) | Polymorphic, "zero-day" virus affects majority of government and business PCs in Australia | The challenge of it | Many PCs throughout government and business must be scrubbed and reinitialized | $$ tens of millions |
| B | Disgruntled electrical system employee | Causes SCADA system perturbation resulting in physical destruction of main transformers, capacitors | Retribution for being fired, not getting raise, … | A major city's power goes out for several days | $$ hundreds of millions |
| C | Chinese or Indonesian hackers (or are they?) possibly supported by 3rd parties | Penetration of, and manipulation or destruction of records within, Australian stock exchange and its backup site | Retribution for Australian government policies | Stock market records are inaccurate; stock exchange offline for two days while recovery undertaken | $$ tens of millions (?) |
| D | Organized crime (e.g., Eurasia) | Obtain 20,000 credit records from key Australian bank sites | Major identity theft; records sold worldwide to other groups | 20,000 individuals must handle identity theft, losses | $$ tens of millions (?) |
| E | Other government's intelligence service | Hack into Defence or other government sites’ sensitive weapon/plan information | Weapon development; warfare planning | Foreign country obtains major weapons data, plans | ?? |
| F | Terrorist group | Hack into chemical/biological/refinery plant SCADA system; it explodes | Retribution for Australian government policies | An Australian city becomes toxic, with significant destruction | ??? |

We believe several lessons can be derived from even this introductory analysis:

• A major cyber incident, in most cases, is like the consequences from a major cyclone or flood. It is bad, but manageable. The threat should not be over-hyped. In particular, "backbone" networks for the Internet, the PSTN, and electric power distribution system are decentralized and distributed, and therefore quite robust. (As we discuss below, the "last mile" interconnect from the backbone network into individual offices and sites in these systems is almost always the weakest link, but that is localized.)


• But a cyber attack that causes a major chemical or biological release or explosion in a metropolitan area is a major danger. Although this might be considered unlikely, a knowledgeable, malevolent insider in such a plant might be able to trigger such an event.

• Australia currently does not operate nuclear electric power generation facilities. However, if it ever does, such a facility's information and control systems should be very carefully isolated from outside information networks, because triggering a release or explosion in such a facility is the worst cyber-related event that this author can envision. Consider the following news item as a cautionary tale:

The Slammer worm penetrated a private computer network at Ohio's Davis-Besse nuclear power plant in January [2003] and disabled a safety monitoring system for nearly five hours, despite a belief by plant personnel that the network was protected by a firewall... [14]

Prevention and Mitigation

In the above discussion, we have briefly considered a range of attacks, actors, and motivations. The magnitude of vulnerabilities of Australia's critical infrastructure systems depends in part on steps taken to prevent or mitigate such attacks. If some steps are taken to avoid the most damaging types of attacks, Australia's security posture might be considerably improved.

In the RAND VAMM report cited earlier [15], security mitigation techniques were surveyed and placed into four general categories, as shown in Table 3. Again, details about the terminology used in Table 3 can be obtained from that report. The point of Table 3 is that there is a large, diverse portfolio of measures that might be adopted in preventing and mitigating cyber attacks – certainly far beyond the ones that first come to mind, such as firewalls and virus checking software packages. The VAMM report also discusses which mitigation techniques (Table 3) work best to counter which of the generic types of system vulnerabilities (Table 1).

Regarding two of the biggest threats we highlighted earlier (malevolent insider, and physical attack), some key corresponding preventative steps would be:

• Check and periodically re-check insiders that have significant access to critical information systems. This includes performing background checks, including financial, and frequently reviewing logs of that user's behaviour on the system(s);

• Place critical information system nodes underground, or protected by distance or blast-deflecting bunkers. (By contrast, many critical information processing centres and nodes are located in--and often on the ground floor of--normal office buildings, with street access nearby.)

Table 3: Categories of Security Mitigation Techniques

Resilience/Robustness

• Heterogeneity

• Redundancy

• Centralization

• Decentralization

• Verification, validation, and authentication; software/hardware engineering; evaluations; testing

• Control of exposure, access, and output

• Trust learning and enforcement systems

• Non-repudiation

• Hardening

• Fault, uncertainty, validity, and quality tolerance and graceful degradation

• Static resource allocation

• Dynamic resource allocation

• Management

• Threat response structures and plans

• Rapid reconstitution and recovery

• Adaptability and learning

• Immunological defence systems

• Vaccination

Intelligence, Surveillance, Reconnaissance (ISR) and Self-Awareness

• Intelligence operations

• Self-awareness, monitoring, and assessments

• Deception for ISR

• Attack detection, recognition, damage assessment, and forensics (self and foe)

Counterintelligence (CI), Denial of ISR, and Target Acquisition

• General counterintelligence

• Deception for CI

• Denial of ISR and target acquisition

Deterrence and Punishment

• Deterrence

• Preventive and retributive information, military operations

• Criminal and legal penalties and guarantees

• Law enforcement; civil proceedings

[14] Kevin Poulsen, ‘Slammer Worm Crashed Ohio Nuke Plant Network,’ SecurityFocus, 19 August 2003. Available at <http://www.securityfocus.com/news/6767>.

[15] Antón et al, 2003.

Neighbourhoods Must Fend For Themselves

In considering the facts that:

(1) many critical information systems are, and will remain, vulnerable;

(2) therefore, bad things will happen; and

(3) electrical power and telecommunications (including Internet access) are vital supporting infrastructures for the operation of almost all systems,

a colleague and I formulated the concept that "neighbourhoods must fend for themselves," which is described briefly in Balkovich and Anderson (2004). [16]

[16] Edward E. Balkovich, and Robert H. Anderson, ‘Critical Infrastructures Will Remain Vulnerable: Neighbourhoods Must Fend For Themselves,’ International Journal of Critical Infrastructures, Vol 1 No 1 (2004), pp. 8-19.

By a "neighbourhood," we mean a cluster of buildings housing critical societal functions. This might be an "office park" or "campus", or at minimum a single building.

By "fending for themselves," we mean that these facilities should be able to generate their own power locally for up to 72 hours, and have at least two separate telecommunication lines (to PSTN and Internet backbones) from different suppliers/operators, so that if one becomes inoperable the other can be used for at least emergency communications. Such an emergency communication line might also link this office to backup information processing and storage facilities, such as one or more "hot backup" processing sites.

LOCAL POWER GENERATION

We emphasize local power generation for several reasons. First, essentially all critical information processing functions require electrical power. Second, a distributed system can be many times less sensitive to a systematic attack against power generation facilities. [17] Third, trends in micro-generator costs make local generation (e.g., from diesel- or natural-gas-powered reciprocating engines or microturbines, or fuel cells) increasingly cost-effective. In fact, for new building construction, combining locally-generated heating and power might make such facilities cost-effective for routine operation now. [18] Microturbines can generate power up to at least 200 kilowatts. Often the reasons for a lack of local, self-sufficient power generation are regulatory and bureaucratic (e.g., barriers raised by monopoly providers of power to a region) rather than technical and economic. [19]

Australia is accumulating experience in microturbines. The evidence is promising but a recent presentation concludes that the costs are still excessive for the market, and there remain impediments to implementation. [20] We believe, however, that it may well be worth some incremental cost to assure the reliability and survivability of the provision of electrical power to local sites housing critical information systems in the event of an attack or incident, be it natural or malevolent.

17 Hisham Zerriffi, Hadi Dowlatabadi, and Neil Strachan, ‘Electricity and Conflict: Advantages of a Distributed System,’ The Electricity Journal, vol. 15, no. 2 (January-February 2002), pp. 55-65.

18 Steve Silberman, ‘The Energy Web,’ Wired magazine (July 2001), pp. 115-127.

19 R. Brent Alderfer, M. Monika Eldridge, and Thomas J. Starrs, Making Connections: Case Studies of Interconnection Barriers and their Impact on Distributed Power Projects, National Renewable Energy Laboratory NREL/SR-200-28053, May 2000.

20 Glen Watt, Australia and Microturbines: The Experience to Date and the Hope for the Future, Fifth Annual Microturbine Applications Workshop, 25-27 January 2005, Ottawa, Ontario, Canada. Available at <http://www.nrcan.gc.ca/es/etb/cetc/cetc01/downloads/presentations_2005/presentations/australia_microturbines.htm>.


Fuel cells for electric power generation offer another local option for office parks or major buildings. They, too, can generate up to 200kW and trends in efficiency are increasing. Costs and benefits of distributed energy resources, both to the electrical utility company and to end-users, are discussed in a recent Electric Power Research Institute technical report.²¹

REDUNDANT TELECOMMUNICATIONS

There are a number of candidate technologies for providing broadband telecommunications to critical infrastructure functions. We envision a "neighbourhood network" supplying alternate communication paths among a cluster of office buildings. Such a network would have distinct, separate links to telecomm networks other than the primary provider's. This alternate network could be used routinely to offload portions of the bandwidth from the main provider, or only be used in emergencies (but tested periodically).

Among the candidates for such a neighbourhood network are:

• Licensed radio-frequency (RF), including a local multipoint distribution system (LMDS) which can provide two gigabit/second (Gbps) line-of-sight capability up to two miles, or multipoint multichannel distribution service (MMDS) with 135 megabit/second (Mbps) line-of-sight capability up to 30 miles.

• Unlicensed RF, using protocols such as the IEEE 802.11 family, up to 25 Mbps per user.

• Free space optics (FSO) using lasers, providing 1.5 Mbps to 10 Gbps, from 500 feet to one mile.

• Powerline communication, for up to 2.4 Mbps.

• Satellite communication up to 40 Mbps.

A more prosaic approach would be contracting to an alternate traditional telecomm provider, but assuring that their service is provided over a separate copper or fibre optic line, in a separate trench, from a distinct central office (CO) or point-of-presence (POP) to the neighbourhood.
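The diversity criteria described above (two lines from different suppliers, a separate trench, a distinct CO or POP, and 72 hours of local power) can be checked mechanically for a given site. The Python sketch below is an added example, not part of the original article; the `Link` fields, the site data and names such as TelcoA are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Threshold taken from the article: local generation for up to 72 hours.
REQUIRED_POWER_HOURS = 72

@dataclass(frozen=True)
class Link:
    name: str
    provider: str
    central_office: str           # CO or POP where the link terminates
    trench: Optional[str] = None  # None for RF, FSO or satellite links

    def risk_elements(self):
        """Elements whose loss alone disables this link."""
        elems = {("provider", self.provider),
                 ("central_office", self.central_office)}
        if self.trench is not None:
            elems.add(("trench", self.trench))
        return elems

def single_points_of_failure(links):
    """Every element that all links depend on, so one failure cuts the site off."""
    all_elems = set().union(*(l.risk_elements() for l in links))
    return sorted(e for e in all_elems
                  if all(e in l.risk_elements() for l in links))

def assess(links, local_power_hours):
    """Return a list of findings; an empty list means the criteria are met."""
    findings = []
    if local_power_hours < REQUIRED_POWER_HOURS:
        findings.append(f"local power {local_power_hours}h < {REQUIRED_POWER_HOURS}h")
    if len(links) < 2:
        findings.append("fewer than two telecommunication lines")
    for kind, value in single_points_of_failure(links):
        findings.append(f"all links share {kind} '{value}'")
    return findings

# Constructed sample sites (hypothetical names).
# SITE_A: two suppliers on paper, but both lines use one trench and one CO.
SITE_A = [Link("primary fibre", "TelcoA", "CO-North", "trench-1"),
          Link("backup fibre", "TelcoB", "CO-North", "trench-1")]
# SITE_B: fibre plus a free-space-optics link to a different POP.
SITE_B = [Link("primary fibre", "TelcoA", "CO-North", "trench-1"),
          Link("rooftop FSO", "TelcoB", "POP-East")]

if __name__ == "__main__":
    print("SITE_A:", assess(SITE_A, 24))
    print("SITE_B:", assess(SITE_B, 96))
```

SITE_A shows why a second supplier is not sufficient on its own: both contracts still depend on the same trench and central office.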

Policy Questions

If local power generation and redundant telecommunications for critical infrastructure operations were cost-effective and easy, they would already be in place. Clearly, some incentives, or regulatory changes, must be considered to increase the robustness of critical information systems. For example, if certain information system operations were deemed critical to Australia's economy and social structure, the government might require that those operations be housed in facilities that are relatively blast-proof (e.g., to a truck bomb, or small aircraft), and have local power and redundant telecommunications. This in turn might create a market for facilities certified as meeting these requirements and having a premium in rental or lease costs to cover the added expense.

21 Electric Power Research Institute (EPRI), Economic Costs and Benefits of Distributed Energy Resources, Report 1011305, Technical Update, December 2004.

Other policy questions relate to the market for micro-generators, the ability to tie such local generation facilities into the power grid, and perhaps the ability to sell power back into the grid to recoup some of the costs.

We do not undertake to answer such questions in this article, but point to such questions as important research and policy issues to be addressed locally within Australia by anyone concerned with critical infrastructure protection, and critical information systems in particular.

Australia's Trusted Information Sharing Network

Source: http://www.tisn.gov.au/agd/WWW/rwpattach.nsf/VAP/(930C12A9101F61D43493D44C70E84EAA)~Diagram+for+web+site.doc/$file/Diagram+for+web+site.doc

Figure 1: Organization of Australia's Trusted Information Sharing Network

There are several organizations and programs within Australia for which these issues are salient and of concern. Among them are the Trusted Information Sharing Network for Critical Infrastructure Protection (TISN), whose structure is shown in Figure 1, and the Computer Network Vulnerability Assessment (CNVA) Program, which is an Australian Government initiative developed to support the work of the TISN.

Conclusions

There are now, and will continue to be, significant vulnerabilities in critical information systems supporting Australia's economy, government, and social infrastructure. Those vulnerabilities result from a variety of sources, including reliance on commercial off-the-shelf (COTS) hardware and software containing weaknesses and requiring diligent "patching", and a set of generic architectural and behavioural system properties extant in most complex information systems. Those vulnerabilities may also occur in the physical, cyber, or human/social domains, or in enabling infrastructure supporting a system. Special attention should be paid to physical attacks against key information system nodes, to insider attacks, and to simultaneous, coordinated attacks damaging both primary and backup system facilities.

Some worst-case scenarios involve cyber attacks that could cause major chemical or biological release or explosion in a metropolitan area. If Australia adopts nuclear generation of electrical power, its cyber systems should be isolated from any possible outside malevolent attack, and insiders' system access and behaviour very carefully and periodically monitored.

Most key infrastructure systems, such as the Internet and public switched telephone networks, have built-in redundancy in their backbone networks. Cyber threats are unlikely to take down such systems nationwide. However, "last mile" links to key organizations and facilities are vulnerable. It is therefore important to provide redundancy in electrical power provision and access to telecommunication networks for such critical facilities. There are a variety of options for doing so, many of them becoming increasingly cost-effective.

Australia has a set of most critical information systems supporting its economy and social infrastructure. Attacks against most of these systems could cause consequences similar to a major cyclone or flood: bad, but manageable. As efforts such as Australia's Computer Network Vulnerability Assessment Program determine which information systems are most critical and most vulnerable, there are a variety of steps that can be taken to mitigate and minimize damage from a concerted cyber attack.

Robert Anderson, Ph.D., is a senior computer scientist at RAND and is currently head of its Information Sciences Group. Bob joined RAND in 1968, and has been an employee or consultant here for most of the past 25 years. He has also served as Executive Vice President of Interactive Systems Corporation in Santa Monica, and has consulted on computer information systems for the United Nations Industrial Development Organization (UNIDO) in Vienna and others. Bob's current research interests include security and safety issues in cyberspace, the societal impacts of the continuing information revolution, the design of effective electronic mail systems for communication within organizations and interest groups, and the development of user-computer environments for modeling and simulation. He received his M.A. and Ph.D. in Applied Mathematics from Harvard University, and serves as a professor of information science at the RAND Graduate School.