Towards a Baltic Sea Region Strategy in Critical ... - Helsinki.fi
CRITICAL INFRASTRUCTURE PROTECTION IN THE BALTIC SEA REGION
Threats on the Underlying Information Infrastructure for CI
System monitoring, control and status data gathering in most CI are now
automated processes with reduced reliance on human effort. These processes rely
on SCADA (Supervisory Control and Data Acquisition) networks that enable
communication with remote units using industrial protocols such as Modbus and
PROFIBUS (Process Field Bus). Traditionally, SCADA networks have been
considered to be closed networks, and so security was not addressed in great depth
compared to conventional ICT systems.
However, recent trends have seen open standards and Internet technologies
being increasingly adapted in SCADA networks. This is partly driven by the need
to share up-to-date status data (e.g., with supply chain partners) and to minimize
expenditures by, for instance, reusing corporate network infrastructure and leased
lines to implement parts of the SCADA network. Unfortunately, these measures
provide direct or indirect connectivity points to the Internet and other public
networks, creating a security gap that can end up compromising the systems
controlled by the SCADA networks (Graham and Maynor 2006). Many examples
exist of previous security breaches in SCADA networks. For instance, in March
2000, a disgruntled ex-employee in Australia repeatedly hacked into a sewerage
management system, releasing over a million litres of raw sewage into public
places. And in January 2003, the Slammer worm disrupted SCADA traffic, causing
operators to temporarily lose some degree of control of the Davis-Besse nuclear
power plant in Ohio, USA. As a result, there is now increased acknowledgement by
CI owners of the possibility of external attacks on SCADA networks, and a notable
surge in interest in SCADA systems by terrorist groups (Naedele 2007).
Recent information security trends in the BSR
Most of the nations of the Baltic Sea Region (BSR) epitomize what are known as
information societies, and their achievements in this regard are routinely used as
a yardstick by other countries. This assertion is justified by the global rankings of
various ICT indices (e.g., Knowledge Economy Index 61, Networked Readiness
Index 62, ICT diffusion Index 63, etc.), where the BSR countries feature prominently
in the top tier of the rankings. Paradoxically, highly advanced information societies
are usually left exposed to new kinds of vulnerabilities, as attested by the select
examples below describing in brief some realized information security threats in
the BSR.
• Example 1: Users of Nordea’s personal Internet banking service in several
countries in the BSR are regularly targeted by fraudulent phishing
of that spam is now image-rich e-mail spam messages (about three times the size of a text-only
e-mail spam message), thus speeding up the exhaustion of bandwidth and e-mail gateway capacities.
61 World Bank’s Knowledge Economy Index (KEI) is evaluated based on variables representing
conduciveness of economic and institutional regimes; educated and skilled population; efficiency
of innovation environment; and use of ICTs.
62 World Economic Forum’s Networked Readiness Index (NRI) measures a country’s preparedness
to exploit the opportunities offered by ICTs.
63 United Nations Conference on Trade and Development’s ICT diffusion index (ICTDI) measures
a country’s penetration of ICTs (that is, mobile/fixed phones, Internet hosts and PCs) and its
affordability.
98 NORDREGIO REPORT 2007:5