Hostname: page-component-586b7cd67f-t8hqh Total loading time: 0 Render date: 2024-11-23T23:04:49.507Z Has data issue: false hasContentIssue false

Governing Critical ICT: Elements that Require Attention

Published online by Cambridge University Press:  20 January 2017

Eric Luiijf
Affiliation:
Cyber Operations and Critical (Information) Infrastructure Protection, the Netherlands Organisation for Applied Scientific Research TNO, The Hague
Marieke Klaver
Affiliation:
Cyber Operations and Critical (Information) Infrastructure Protection, the Netherlands Organisation for Applied Scientific Research TNO, The Hague

Abstract

With respect to critical information and communication technologies (ICT), nations most often declare their national critical infrastructure to include telecommunication services and in some cases critical services offered by key Internet Service Providers (ISP). This paper debates whether nations, their policy-makers, legislation and regulation largely overlook and fail to properly govern the full set of ICT elements and services critical to the functioning of their nation. The related societal and economical risk, however, needs to be closely mitigated, managed and governed. Legal and regulatory obligations to increase the ICT resilience may sometimes encourage this process.

Type
Symposium on Critical Infrastructures: Risk, Responsibility and Liability
Copyright
Copyright © Cambridge University Press 2015

Access options

Get access to the full version of this content by using one of the access options below. (Log in options will check for institutional or personal access. Content may require purchase if you do not have access.)

References

1 Council Directive 2008/114/EC on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection, OJ 2008 L 345/77, Article 2.a.

2 The United States - Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001, U.S. H.R. 3162, Public Law 107–56, § 1016(e).

3 Commission Green Paper on a European Programme for Critical Infrastructure Protection, COM(2005) 576 final, at Annex 2 pp. 42.

4 Netherlands Ministry of Security and Justice, “Protecting critical infrastructure” , available on the Internet at <http://www.government.nl/issues/crisis-national-security-and-terrorism/protecting-critical-infrastructure> (last accessed on 7 May 2015).

5 Swiss Federal Office for Civil Protection (FOCP), “The Swiss Programme on Critical Infrastructure Protection - Factsheet”, November 2010, available on the Internet at <http://www.bevoelkerungsschutz.admin.ch/internet/bs/en/home/themen/ski.parsysrelated1.82246.downloadList.18074.DownloadFile.tmp/factsheete.pdf> (last accessed on 7 May 2015).

6 The White House, Homeland Security Presidential Directive 7: Critical Infrastructure Identification, Prioritization, and Protection (HSPD7), Washington DC, December 17, 2003.

7 USA DHS, Communications Sector-Specific Plan, An Annex to the National Infrastructure Protection Plan, 2010, Appendix D: Sector Profile, pp. 91–98.

8 USA DHS, Information Technology Sector-Specific Plan, An Annex to the National Infrastructure Protection Plan, 2010, pp. 8.

9 CIPedia©, “Critical Infrastructure Sector”, available on the Internet at <https://www.cipedia.eu> (last accessed 7 May 2015).

10 EU's Telecoms package consists of five Council Directives and two Regulations, available on the Internet at <http://ec.europa.eu/digital-agenda/en/telecoms-rules> (last accessed on 7 May 2015).

11 Also known as (Data) Privacy.

12 HSPD7, supra note 6 at paras. 15 and 16.

13 Eric Luiijf, “Are we in love with cyber insecurity?”, 7 International Journal of Critical Infrastructure Protection (2014), pp. 165 et sqq. at p. 166.

14 Goldstein, Mark and Wilshusen, Gregory, “Federal Facility Cybersecurity: DHS and GSA Should Address Cyber Risk to Building and Access Control Systems”, GAO-15-6, (Washington DC: GAO, 2015), at p. 23.Google Scholar

15 Council Directive 2008/114/EC on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection, OJ 2008 L 345/77, supra Art. 2.a.

16 Hardware most often includes firmware. Firmware is “the combination of persistent memory and program code and data stored in it” according to IEEE, Authoritative Dictionary of IEEE Standards Terms (IEEE 100), (IEEE, 2007), at p. 438.

17 Jasper van der Horst, Erik Pruyt, Diederik Wijnmalen et al., Working with Scenarios, Risk Assessment and Capabilities in the National Safety and Security Strategy of the Netherlands (Netherlands Ministry of Security and Justice, 2012), at p. 64 and pp. 67 et sqq., at p. 70.

18 CERT.ORG, “Microsoft ASN.1 Library improperly decodes constructed bit strings”, 10 February 2004, available on the Internet at <http://www.kb.cert.org/vuls/id/583108> (last accessed on 7 May 2015).

19 CERT.ORG, “Cisco IOS contains DoS vulnerability in MPLS packet processing”, 26 January 2005, available on the Internet at < http://www.kb.cert.org/vuls/id/583638> (last accessed on 7 May 2015).

20 A synonym of CERT is Computer Security Incident Response Team (CSIRT).

21 Gareth Halfacree, “Windows XP gets first post-EOL security patch”, 2 May 2014, available on the Internet at <http://www.bit-tech.net/news/bits/2014/05/02/winxp-eol-patch/1> on 7 May 2015)

22 Tony Bradley, “Windows XP use declining, but millions still willingly at risk”, 16 April 2014, available on the Internet at <http://www.techrepublic.com/article/windows-xp-use-declining-but-millions-still-willingly-at-risk> (last accessed on 7 May 2015).

23 Ben Grubb, “Heartbleed disclosure timeline: who knew what and when”, 15 April 2014, available on the Internet at <http://www.smh.com.au/it-pro/security-it/heartbleed-disclosure-timeline-who-knew-what-and-when-20140415-zqurk.html> (last accessed on 7 May 2015).

24 Paul Wagensell, “Heartbleed: Who Was Affected, What to Do Now”, 9 April 2014, available on the Internet at <http://www.tomsguide.com/us/heartbleed-bug-to-do-list,news-18588.html> (last accessed on 7 May 2015).

25 Sam Frizell, “Report: Devastating Heartbleed Flaw Was Used in Hospital Hack”, 20 August 2014, available on the Internet at <http://time.com/3148773/report-devastating-heartbleed-flaw-was-used-in-hospital-hack/> (last accessed on 7 May 2015).

26 Tom Brewster, “More than 300k systems “still vulnerable” to Heartbleed attacks”, 23 June 2014, available on the Internet at <http://www.theguardian.com/technology/2014/jun/23/heartbleed-attacks-vulnerable-openssl> (last accessed on 7 May 2015).

27 Bruce, Robert, Dynes, Scott, Brechbuhl, Hans, et al., “International Policy Framework for Protecting Critical Information Infrastructure: A Discussion Paper Outlining Key Policy Issues”, (The Hague: TNO, 2005) & (Dartmouth: Center for Digital Strategies at Dartmouth, 2005), at p. 73.Google Scholar

28 Staatssecretaris van Verkeer en Waterstaat, “Brief aan de Tweede Kamer der Sten Generaal over Kwetsbaarheid op internet (KWINT)”, (9 July 2001) 26 643 No. 30, available in Dutch on the Internet at <https://zoek.officielebekendmakingen.nl/dossier/26643/kst-26643-30> (last accessed on 7 May 2015), [“Letter to the House of Representatives on the vulnerability of Internet”].

29 ICANN/DNSO, “IANA Handling of Root-Zone Changes”, 9 October 2002, available on the Internet at <http://www.dnso.org/clubpublic/council/Arc11/msg00123.html> (last accessed on 7 May 2015).

30 De Telegraaf, “Bankroet KPNQwest kan zakenwereld ontwrichten”, 1 June 2002, available on the Internet at <http://krant.telegraaf.nl/krant/archief/20020601/teksten/fin.kpnqwest.netwerk.faillissement.html> (last accessed on 7 May 2015).

31 de Bruijn, Hans, de Bruijne, Mark, van Eeten, Michel et.al., “Verschuiving in de publieke belangen: Van toegang naar gebruik”, 9 Reflecties op elektronische communicatie (July 2007), pp. 39 et sqq., at p. 41.Google Scholar

32 Council Directive 2002/58/EC on privacy and electronic communications, OJ 2002 L201/43.

33 EU's Telecoms package, supra note 10.

34 ENISA, “Shortlisting network and information security standards and good practices” (Heraklion: ENISA, 2012), at pp. 1824 Google Scholar, available on the Internet at < https://resilience.enisa.europa.eu/article-13/shortlist-of-networks-and-information-security-standards> (last accessed on 7 May 2015).

35 In this paper, the notion process control systems includes Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), Industrial Control Systems (ICS), Industrial Automation Control Systems (IACS) and alike.

36 Nicholas Falliere, Liam O Murchu, and Eric Chien, “W32.Stuxnet dossier”, version 1.4, February 2011, available on the Internet at <http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf> (last accessed on 7 May 2015).

37 Eric Luiijf and Bert Jan te Paske, Cyber Security of Industrial Control Systems, (TNO, 2015), pp. 10, available on the Internet at <http://www.tno.nl/ICS-security> (last accessed on 7 May 2015).

38 Food and Drug Administration (FDA), “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices - Guidance for Industry and Food and Drug Administration Staff”, 2 October, 2014, available on the Internet at <http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM356190.pdf> (last accessed on 7 May 2015).

39 Anne-Greet Haars, “Beveiliging apparatuur van ziekenhuizen schiet tekort”, 2 October, 2014, available on the Internet at <http://www.bnr.nl/nieuws/tech/759869-1304/beveiliging-apparatuur-van-ziekenhuizen-schiet-tekort> (last accessed on 7 May 2015).

40 U.S. FDA, “Cybersecurity for Medical Devices and Hospital Networks: FDA Safety Communication”, 13 June 2013, available on the Internet at <http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm356423.htm> (last accessed on 7 May 2015).

41 ICANN/DNSO supra note 29.

42 De Telegraaf, supra note 30.

43 Ministry of Security and Justice, “Dossier Diginotar”, 2011, available on the Internet at <https://www.ncsc.nl/english/services/expertise-advice/knowledge-sharing/files%5B2%5D/dossier-diginotar.html> (last accessed on 7 May 2015).

44 J.P.H. Donner and I.W. Opstelten, “Letter to the Speaker of the Lower House of the States General on Digital burglary DigiNotar”, 5 September 2011, available on the Internet at <http://www.government.nl/files/documents-and-publications/letters/2011/09/06/digital-burglary-diginotar/microsoft-word-2011-sept-brief-minister-5-sept-2011-en.pdf> (last accessed on 7 May 2015). The Parliament reference to the (Dutch) letter is 26643 Nr. 188, 5 September 2011.

45 W. van Dijk, A. Könen, N. Svartz, “International Case Report On Cyber Security Incidents”, 2014, The Hague, Bonn, and Stockholm: NCSC, BSI and MSB, pp. 7 et sqq. 11, available on the Internet at < https://www.gccs2015.com/nl/node/462 > (last accessed on 7 May 2015).

46 Paul Ducklin, “The TURKTRUST SSL certificate fiasco - what really happened, and what happens next?”, 8 January 2013, available on the Internet at <https://nakedsecurity.sophos.com/2013/01/08/the-turktrust-ssl-certificate-fiasco-what-happened-and-what-happens-next/> (last accessed on 7 May 2015).

47 Council Directive 2002/58/EC, supra note 32.

48 EU's Telecoms package, supra note 10.

49 JusticeNewsFlash.com, “Facebook outage sparks calls to 911”, 8 January 2013, available on the Internet at<http://www.justicenewsflash.com/2015/02/02/facebook-outage-sparks-calls-to-911_20150202133988.html> (last accessed on 7 May 2015).

50 Claire Reilly, “AFP using site blocking laws to target malware”, 22 October 2014, available on the Internet at <http://www.cnet.com/au/news/afp-using-site-blocking-laws-to-target-malware/> (last accessed on 7 May 2015).

51 Eric Luiijf, supra note 13.

52 CyberGibbons, “Heatmiser WiFi thermostat vulnerabilities”, 20 September 2014, available on the Internet at <http://cybergibbons.com/security-2/heatmiser-wifi-thermostat-vulnerabilities/> (last accessed on 7 May 2015).

53 IBM Security Systems, “Securing the new world of the Internet of Things”, 4, IBM X-Force Threat Intelligence Quaterly (2014), pp. 3 et sqq., at p. 7.Google Scholar

54 Bijlsma, Tjerk, de Kievit, Sander, van de Sluis, Jacco, et al., “Security Challenges for Cooperative and Interconnected Mobility Systems”, in: Luiijf, Eric and Hartel, Pieter (ed.), Lecture Notes in Computer Science, Vol. 8328, (Heidelberg: Springer, 2013), pp. 1 et sqq., at p. 15.Google Scholar

55 Collaborative driving is a form of intelligent transportation where vehicles communicate with each other and roadside systems. Benefits comprise risk reduction by sharing information, e.g., about fog, braking or stopped vehicles, and higher fuel efficiency.

56 J. C. Boemer, K. Burges, P. Zolotarev, et al., “Overview of German Grid Issues and Retrofit of Photovoltaic Power Plants in Germany for the Prevention of Frequency Stability Problems in Abnormal System Conditions of the ENTSO-E Region Continental Europe”, October 2011, available on the Internet at <http://www.ecofys.com/files/files/ecofys_2011_paper_on_frequency_stability_challenge.pdf> (last accessed on 7 May 2015).

57 Darren Pauli, “Spotty solar power management platform could crash the grid”, 12 May 2014, available on the Internet at <http://www.theregister.co.uk/2014/05/12/hackable_solar_systems_spurt_free_money/> (last accessed on 7 May 2015).

58 Consider Facebook which became a public service less than ten years ago and its Chinese equivalent Renren.