Towards a Baltic Sea Region Strategy in Critical ... - Helsinki.fi
CHAPTER III: INFORMATION AND COMMUNICATION TECHNOLOGY
A concept map originating from the concept of threats on a CII would be rather
large and cumbersome to depict with sufficient clarity on a single integrated map.
Therefore, a high-level concept map representing only the major concepts (the
nominal ‘view from 50,000 feet’) can be seen in Figure 3. The map is derived from
an extensive survey of standardization documents (ITU-T X.800 and RFC 2828),
technical notes from industry (Gordon 2003; Albert et al 2003), general scientific
literature (Stallings 2003, Rozenblit 2000, Vacca 2006, Yoo 2005) and a multitude
of online material. It is clear from Figure 3 that threats to CII are attributed to a
range of factors that exploit system vulnerabilities and if realized will result in any
of a possible set of consequences to the system. Further explanation of these initial
observations is provided in the subsequent subsections with the aid of detailed
low-level concept maps.
Consequences of Threats<br />
The successful realization of a threat on a CII would result in at least one of the
following outcomes:
• The destruction of information, system assets or resources.
• The corruption or modification of information.
• The theft, removal or loss of information, system assets or resources.
• The undesired or unauthorized disclosure of information.
• The interruption of service delivery.
The methods or action leading to each threat consequence may vary, as illustrated
in Figure 4. Destruction, removal or interruption could potentially lead to the
partial or complete failure of the system to function and provide intended services.
This, for example, could be the result of the physical destruction of a main
switching centre that weakens the ability to exchange information between
geographically distant areas, or a prolonged denial-of-service (DoS) attack that
illegally consumes limited system resources and makes an asset (e.g., website,
server etc.) unavailable. Distributed DoS (DDoS) attacks are even more intense, as
they use multiple compromised systems or zombies to launch simultaneous attacks
on a target system.
By contrast, corruption, disclosure or removal of information may not
directly lead to system failure, but may enable unauthorized access to system data
that could be used to launch more severe attacks on the system, compromise
operations of organizations relying on the system (e.g. leakage of information
from a military network revealing troop positioning), or even serve as part of a more
sinister plot. For example, it is believed that the bombers behind the 2004 attack
on the Madrid commuter train had planned their attack using fraudulent telephone
calls made by hacking into a telephone exchange (a practice commonly known as
‘phreaking’) belonging to a bank in France (Pollard 2005).
NORDREGIO REPORT 2007:5 89