Defending Critical Infrastructure: only 6% of incidents malicious

News by Steve Gold

The weather, or even simple mis-configuration, are threats to critical infrastructure, but in an emergency, could government now run privatised utilities?

The third annual report on large-scale electronic communications system outages in Europe by ENISA reveals that it is not just terrorist and criminal incidents that can result in network/system downtime, but more mundane issues such as bad weather, snowfall and natural phenomena.

The report from the European Union Agency for Network and Information Security makes sobering reading for anyone planning a Disaster Recovery option for their company's IT systems, pointing out that a wide variety of problems can result in quite severe outages.

The agency says that most incidents (50 percent-plus) reported to regulators and ENISA involved mobile Internet and mobile telephony outages, with the most frequent causes being system failures affecting base stations and telecoms switches.

During 2013 - the period covered by the report - ENISA says that there were 90 significant incidents spanning 19 countries, although nine countries reported no significant incidents.

Delving into the analysis reveals that 21 percent of the major incidents also had an impact on emergency calls, with a hefty 61 percent of outages caused by system failures triggered by software bugs, hardware failures and software mis-configurations.

Commenting on the report, Guy Kenyon of Kenyon Consulting and a Special Interest Group (SIG) champion for the security and defence group within Cambridge Wireless, said it highlights the need to increase security, reliability and resilience in cellular communications networks.

Kenyon, who has been a senior professional in the wireless industry for two decades, said that plans are already well advanced to carry emergency services voice and data traffic over LTE (4G) networks in the UK under the Home Office Emergency Services Mobile Communications Programme (ESMCP) and the US Homeland Security FirstNet programme.

According to Kenyon, additional essential functionalities are already being introduced to the LTE/4G specification.

"In addition to functional improvements such as adding emergency services specific capabilities, it is also important - as the ENISA report highlights - to make substantial improvements in reliability, resilience and security of end-to-end communications," he said.

"We need to move on from the commercial mobile communications model where no service guarantees are provided and the mass market accepts 'best endeavours' service to an environment where bullet-proof services are standard," he added.

He explained that this will require significant development of the mobile network operators' infrastructure.

Jim Carlsson, CEO with IT security vendor Clavister, said that, whilst it is reassuring to see that the majority of infrastructure outages were caused by simple IT issues and not cyber-attacks, it is critical that we - as an industry - do not become complacent.

IP attacks  

"As an increasing amount of communications and data travel over mobile infrastructure, next-generation networks are going to become an ever more appealing target to attackers," he said, adding that this is particularly true of IP based networks, like 4G, that will be most exposed to traditional IP-based attacks and vulnerabilities.

As more people migrate to these networks, Carlsson says we will see a boom in the number of small cell deployments to manage the network traffic and deliver expected speeds.

"As a result it will be critical that small cells are robustly secured to safeguard the overall network infrastructure and reduce the risk of attack," he explained.

Professor Peter Sommer, a visiting professor with De Montfort University and a digital forensics/communications expert, said that, as far as the media is concerned, cyber security is at its most interesting when there are stories of elite hackers and ingenious exploits, but the ENISA report makes it clear that in only six per cent of incidents was malicious activity the root cause.

"It is the dull but important stuff about poorly maintained hardware, software bugs and system mis-configuration that needs attention," he said.

Professor Sommer added that one area the report does not cover is the extent to which national governments - particularly the UK - are heavily dependent, for their ability to keep their citizens safe, on a Critical National Infrastructure that is privately owned, often by businesses with majority non-UK owners.

"In a real disaster in theory the Civil Contingencies Act allows the government to take over CNI companies - but would it actually be able to run them properly?" he questioned.
