Towards a Baltic Sea Region Strategy in Critical ... - Helsinki.fi

More documents

Recommendations

Info

CRITICAL INFRASTRUCTURE PROTECTION IN THE BALTIC SEA REGION II. Dependency Disruptions Critical information infrastructure is typically engineered with integrated fault recovery mechanisms to guarantee a five-nines (99.999%) availability, which translates to less than 5.25 minutes of total unplanned system downtime per year (Kimber et al 2006). 50 Internal failures usually result from defects or flaws in hardware, software, procedures, management functions and so forth. The complex mutual dependency and interconnectivity between different critical (information) infrastructure means that the effects of failures or their ensuing disruptions may cross infrastructure boundaries. This crossover is manifested in the triggering or cascading of new failures, or even aggravation (escalation) of existing failures in interdependent infrastructure (Rinaldi et al 2001). A CII would typically have multiple interdependencies with other infrastructure. These include physical interdependency due to need for resources from another infrastructure; 51 geographical interdependency due to collocation or close proximity with other infrastructure; and networked or cyber interdependency whereby the commodity exchanges between dependent infrastructures is information. 52 Moreover, logical interdependency accounts for those complex relationships that are not easily associated with any of the aforementioned interdependency categories. Nature of the Threats, Part II – Human Factors Threats attributed to human factors are carried out by threat actors whose threat actions either have a deliberate or non-deliberate (accidental) intent. The positioning of the threat actor also varies. They may be within a designated security perimeter (insiders) or outside the parameter (outsiders). Insiders include end-users or customers with basic access to services delivered over the CII, and employees of the organization operating the CII. Access for insiders is enabled by the use of passwords, PIN codes, smartcards, biometric identification, building keys, and so forth. Employees would naturally have more privileged access to system resources and assets, in comparison to end users. This enables employees to carry out their various responsibilities within CII organization. These employees range from key personnel responsible for system Operations, Administration, Management and Provisioning (OAM&P) of the CII to housekeeping staff that maintain the cleanliness of the facilities. The type and degree of access privileges accorded to employees also varies depending on their job description within the organization. For instance, access privileges may be restricted to just a subset of 50 In practice, planned system downtime (e.g., for equipment upgrades, routine maintenance, software patches, re-calibrations, system reboots etc.) tends to be more frequent, and is usually accounted for outside the 5.25 minutes downtime per year requirement. Planned downtime inconvenience is eased by scheduling by giving advance notice on maintenance windows to prepare users for service disruptions. 51 The most common physical dependency is need for a clean constant supply of electrical power to operate CII facilities such as network switches, servers, transmitters and so forth. However, electricity obtained from the public utility is often unavailable (blackouts) or corrupted (e.g., by power surges, sags, transients etc.) that switch off or damage CII equipment. Preventive measures include the use of localized backup power, proper grounding, surge protection and power conditioning. 52 An example is when one information infrastructure (e.g. national backbone network) is used to aggregate or backhaul information traffic from other information infrastructures. 92 NORDREGIO REPORT 2007:5
CHAPTER III: INFORMATION AND COMMUNICATION TECHNOLOGY operations or to only a few hours during some days of the week. A typical illustration of access accorded to different groups is depicted in Figure 6. Figure III—6 Example of type of authorized access accorded to different groups. I. Deliberate Threat Actors The threat actors with deliberate intent have in great part put into focus the need for CIIP. These actors are profiled briefly in Table 3. The threat posed by hackers has long been recognized within the IT security community, with anti-hacking security measures being the norm and legal procedures regularly instituted against those responsible. Continued increases in electronic/mobile-commerce activities 53 create added incentive for criminal activity (cyber-crime) 54 and fuelling unfair practices between rival companies via the information infrastructure. 55 Hostile governments are also recognizing the increased potential of undermining adversaries by launching attacks that disable their CII (Overill 2001). Of the threat actors mentioned in Table 3, the threat posed by terrorists is currently the most widely publicized. Thus far, terrorist attacks have targeted more visible or tangible critical infrastructure, such as railways, airports, water 53 For example: eMarketer (eMarketer 2007) predicts electronic commerce retail sales in Europe will reach USD 400 billion by 2011; Finextra (Finextra 2007) predicts global mobile commerce market (excluding mobile entertainment) to grow to USD 40 billion by 2009. 54 Cyber-crime refers to traditional crime activities facilitated by the use of ICTs. The proliferation of cyber-crime has prompted the Council of Europe to draw up a “Convention on Cybercrime (CETS No.: 185),” a first international treaty (with 43 signatories) on crimes committed via the Internet and other computer networks. 55 For example, a Massachusetts businessman is known to have authorized crippling DDoS attacks against three competing companies (Poulsen 2004). NORDREGIO REPORT 2007:5 93
Page 1:
Towards a Baltic Sea Region Strateg
Page 4 and 5:
Nordregio Report 2007:5 ISSN 1403-2
Page 6 and 7:
5.4 Impacts caused by terrorism, na
Page 8 and 9:
CRITICAL INFRASTRUCTURE PROTECTION
Page 11 and 12:
PREFACE PREFACE With the Commission
Page 13:
PREFACE The study includes tens of
Page 16 and 17:
Page 18 and 19:
Page 20 and 21:
Page 22 and 23:
Page 24 and 25:
Page 26 and 27:
Page 28 and 29:
Page 30 and 31:
Page 32 and 33:
Page 34 and 35:
Page 36 and 37:
Page 39:
CHAPTER I: INTRODUCTION CHAPTER I:
Page 42 and 43:
Page 44 and 45:
Page 46 and 47:
Page 48 and 49:
Page 50 and 51:
Page 52 and 53:
Page 54 and 55:
Page 56 and 57:
Page 58 and 59:
Page 60 and 61:
Page 62 and 63:
Page 64 and 65:
Page 66 and 67:
Page 68 and 69:
Page 70 and 71:
Page 72 and 73:
Page 74 and 75:
Page 76 and 77:
Page 78 and 79:
Page 80 and 81: CRITICAL INFRASTRUCTURE PROTECTION
Page 95 and 96: CHAPTER II: ELECTRICITY 2 ELECTRIC
Page 97 and 98: CHAPTER II: ELECTRICITY electricity
Page 99 and 100: CHAPTER II: ELECTRICITY Recent clim
Page 101 and 102: CHAPTER II: ELECTRICITY Figure II
Page 103 and 104: CHAPTER II: ELECTRICITY possibiliti
Page 105 and 106: CHAPTER II: ELECTRICITY continental
Page 107 and 108: CHAPTER II: ELECTRICITY Indirect Im
Page 109 and 110: CHAPTER II: ELECTRICITY fire depart
Page 111 and 112: CHAPTER II: ELECTRICITY • Local c
Page 113 and 114: CHAPTER II: ELECTRICITY these, syst
Page 115 and 116: CHAPTER II: ELECTRICITY • long in
Page 117 and 118: CHAPTER II: ELECTRICITY • The net
Page 119: CHAPTER II: ELECTRICITY centres etc
Page 123 and 124: CHAPTER III: INFORMATION AND COMMUN
Page 129: CHAPTER III: INFORMATION AND COMMUN
Page 177: CHAPTER III: INFORMATION AND COMMUN
Page 181 and 182:
CHAPTER IV: OIL TRANSPORTATION AND
Page 183 and 184:
Page 185 and 186:
Page 187 and 188:
Page 189 and 190:
Page 191 and 192:
Page 193 and 194:
CHAPTER IV: OIL TRANSPORTATION ANDM
Page 195 and 196:
Page 197 and 198:
Page 199 and 200:
Page 201 and 202:
Page 203:
CHAPTER V: GAS CHAPTER V: GAS Sven
Page 206 and 207:
Page 208 and 209:
Page 210 and 211:
Page 212 and 213:
Page 214 and 215:
Page 216 and 217:
Page 218 and 219:
Page 220 and 221:
Page 222 and 223:
Page 225:
CHAPTER VI: WATER CHAPTER VI: WATER
Page 228 and 229:
Page 230 and 231:
Page 232 and 233:
Page 234 and 235:
Page 236 and 237:
Page 238 and 239:
Page 240 and 241:
Page 242 and 243:
Page 244 and 245:
Page 246 and 247:
Page 248 and 249:
Page 250 and 251:
Page 252 and 253:
Page 254 and 255:
Page 256 and 257:
Page 258 and 259:
Page 260 and 261:
Page 262 and 263:
Page 264 and 265:
Page 266 and 267:
Page 268 and 269:
Page 270 and 271:
Page 272 and 273:
Page 274 and 275:
Page 276:
show all

Towards a Baltic Sea Region Strategy in Critical ... - Helsinki.fi

Create successful ePaper yourself

Delete template?

Save as template?