CHAPTER 10: THREATS AND VULNERABILITIES OF INFORMATION SYSTEMS

‘An aggressor nation or extremist group could gain control of critical switches and derail passenger trains, or trains loaded with lethal chemicals. They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country.’14 – Leon Panetta

As a result of the activities described in the seventh and eighth chapters, we should know which information assets are necessary for critical infrastructure services and what the connections are between these assets. Their level of criticality from the position of providing critical infrastructure services should also be assessed.

Next, we should identify the threats to the provision of critical infrastructure services. A threat is something that has the potential to damage the assets needed to provide various services. A vulnerability is a weakness related to an asset that allows a threat to damage it. A threat may be caused by people (intentionally or unintentionally) or by nature, and can arise from inside or outside an organisation. An intentionally caused threat may target a specific organisation or its information assets.

Organisations that provide critical infrastructure services should focus on the threats that may disrupt those services. Completed lists of threats can be found in different standards and frameworks. It is important to keep the list of threats short at first and focus on the main threats, at least until the risk assessment process has been completed. Otherwise, the discussion may focus for a long time on topics that may not be that important at all.

Cyber threats have changed considerably in recent years. The increasing use of IT systems and new technological solutions for providing services is making critical infrastructure service providers more vulnerable, and many new attack vectors have emerged. The spread of malware is increasing, cyber attacks are more professional, cyber crime is growing, different groups and some states are creating and strengthening their cyber attack capabilities, and the organisers behind cyber attacks are still difficult to apprehend. These developments have also created a fertile ground for attacks against critical infrastructure organisations.

Disruptions resulting in power cuts are a good example of this. Natural events, such as storms, are one of the causes of power cuts, but power cuts may also be caused by intentional or unintentional activities. Vandalism at a power substation is an intentional action, whereas a human error by an employee at the energy company’s control centre is an unintentional one. The vandalism may be regarded as a targeted attack if the person who committed it or ordered it wanted to attack that specific substation or a consumer who receives electricity from that substation.

If a threat takes advantage of the vulnerability of information assets, it may cause loss of the availability, confidentiality or integrity of those assets. In some cases, several of these components may be lost at the same time, or the loss of one may cause the loss of another. Confidentiality is lost when an unauthorised person gets access to an organisation’s data (e.g. an unauthorised person gaining access to the configuration of an industrial control system). Integrity is lost when an unauthorised person changes the data (e.g. when an unauthorised person changes the configuration of an industrial control system). And availability is lost when an authorised person can’t access the data or service when it is needed (e.g. an unauthorised person blocks access to the configuration of an industrial control system).

The principle of moving from the general to the detailed should be the basis for identifying threats and vulnerabilities. This principle could be used to identify the threats and vulnerabilities pertaining to critical infrastructure service providers, different sectors and the entire state.

Lesson 10: Identify threats and vulnerabilities.
