'Critical Infrastructures': What if one day everything fails?

This post was written by Joaquin Rodriguez Rodriguez, Research and Innovation Specialist at ARI Cybersecurity Lab in Atos Spain.

Madrid, Dec. 22nd

What would happen if one day nothing worked: there was no light, food spoiled, money could not be withdrawn from the ATM, and we could not pay with a credit card or charge a mobile phone? European authorities are increasingly concerned about protecting the elements on which the system depends, whose failure could create chaos. Because of its interconnection and its dependence on technology, our society is much more interdependent and less autonomous than it was decades ago, and one of the main areas governments have reinforced is precisely the prevention of cyber-attacks on critical infrastructures. The fact that everything runs in a computerized, Internet-connected way is an advantage in convenience and speed, but it increases the risks to the system.

The increasing activity of hacktivists, cybercriminals or terrorists has led many EU countries to raise their threat level, reinforce all their strategic protection plans, and establish specific working groups with different skills and expertise (engineers, computer scientists, physicists, chemists, white hackers) that collaborate discreetly to monitor and protect the security of the most decisive points of the system: all those infrastructures that make our life what it is. That is to say, when a switch is pressed, the light turns on, and when the tap is opened, there is water, but also that you can withdraw money from an ATM or pay with a card at a store. These operations do not seem very relevant. But what if one day nothing worked? What would happen if, for example, the lights went out on a massive scale?

It is very disturbing how the fictional documentary ‘American Blackout’, made by National Geographic and based on studies and scientific evidence, shows the chaos and devastation that may follow a total blackout in a country as large as the United States. What people initially take as a joke and record with their smartphones in the dark becomes a progressive disaster that triggers accidents, aggression, looting and, ultimately, a state of widespread terror within ten days. The impact (the film simulates what would happen if a cyberattack cut off electricity) spreads in geometric progression and ends up being similar to what natural disasters such as great earthquakes or hurricanes, or brutal attacks, could produce.

CSIRTs (Computer Security Incident Response Teams) work constantly with such catastrophic hypotheses to close the security holes of an increasingly interconnected system in which any dysfunction could cause a domino effect and make it collapse.

Turning point

The turning point, when awareness of these great risks took hold, was closely related to the disgraceful events of the terrorist attacks against New York (11/09/2001) and Madrid (11/03/2004), in which sectors such as Air Transport, Financial Services or the Railway System were affected. Until then, the protection of so-called critical infrastructures, most of them (80%) private companies that provide essential services, depended exclusively on their owners. But the fact that they were responsible for nurturing the system and maintaining the proper functioning of society through the type of service they provided also made them a state matter. That is why different national centers for critical infrastructure protection have been created in the EU, and why they have begun to include these "critical operators" in a list in the protection plans, giving rise to a kind of risk map, which remains "safe."

This is a PPP (public-private partnership): on the one hand, the companies included in this list have to fulfill a series of security requirements, since they are audited by local official organizations; on the other hand, they join a platform that establishes their priority protection, and where they share and have access to sensitive information.

The idea is that this high-risk map is progressively completed as more and more companies are incorporated, so that these essential services become better protected. The more elements this critical map includes, the safer the country in question will become. Currently, in Spain alone, there is an ecosystem of 93 "critical operators" offering essential services to society that must not be overlooked.

Ad-hoc contingency plan definition

In order to increase the resilience of Critical Infrastructures in Europe, CIPSEC proposes several activities to facilitate national Public-Private Partnerships (PPPs) in which private companies and public bodies can coordinate to ensure increased preparedness and reduced response time for a detected accident. Such efforts focus on analysing already existing partnerships and establishing new ones to enhance readiness and swift response to disasters or failures. By coordinating public and private resources, CIPSEC aims to prepare appropriate contingency plans among different stakeholders to advance collaboration and data sharing. The CIPSEC consortium will organize and set up national and cross-border mechanisms at a European level, on an ad hoc basis depending on the general needs, to respond to both existing and emerging threats. CIPSEC will implement the ENISA strategies to identify synergies among several entities.

CIPSEC project results receive funding from the European Union’s Horizon 2020 Research and Innovation Programme, under Grant Agreement no 700378.
The opinions expressed and arguments employed in this publication do not necessarily reflect the official views of the Research Executive Agency (REA) nor the European Commission.