Critical National Infrastructure

Cyber-deterrence has become a fashionable concept, and there has been a wealth of literature and polemic produced which seeks to simplify it, sell it as an applicable theory and fight for its insertion into national security strategies; most zealously in the United States. It is a grafting of the theory of nuclear deterrence which underpinned and ‘stabilised’ the Cold War. In the modern era of ‘new security challenges’, especially those threats posed through the cyber-domain (cyber-espionage, cyber-warfare, cyber-attacks, computer network exploits/ attacks, hacking and cyber-vandalism, theft of industrial/ state secrets, and so on) deterrence has enjoyed a renaissance.

The argument is that deterrence by punishment as a theory worked under the auspices of the Cold War - when applied to cyber-warfare and the cyber-realm it becomes unfeasible, and in practice its ability to navigate and function within the virtual terrain is restricted. Its linearity and determinism mean that the underpinning assumptions of state-centrism, US/ Western state forms of rationality, and the omniscience implicit in ‘knowing your enemy’ do not, in the cyber-realm, fit (through the plurality of actors, range of targets and space for irrational actions or vandalism or folly) and therefore, centrally, the foundations which allow the theory to operate in reality cannot gain traction or make headway. As such, the theory is stranded.

Historically, the cyber security industry has given little consideration to threat actors seeking to disrupt Critical National Infrastructure (CNI) systems for financial gain. The recent spate of SamSam ransomware malware attacks against the healthcare industry in the US using the illustrated how devastating the corruption of data can be to critical national industries, and how great the potential profit for criminal gangs.
This paper discusses the changes in the threat environment that are creating risk for Critical National Infrastructure from criminal gangs.

In recent years, Industrial Control Systems (ICS) have become an appealing target for cyber attacks, having massive destructive consequences. Security metrics are therefore essential to assess their security posture. In this paper, we present a novel ICS security metric based on AND/OR graphs that represent cyber-physical dependencies among network components. Our metric is able to efficiently identify sets of critical cyber-physical components, with minimal cost for an attacker, such that if compromised, the system would enter into a non-operational state. We address this problem by efficiently transforming the input AND/OR graph-based model into a weighted logical formula that is then used to build and solve a Weighted Partial MAX-SAT problem. Our tool, META4ICS, leverages state-of-the-art techniques from the field of logical satisfiability optimisation in order to achieve efficient computation times. Our experimental results indicate that the proposed security metric can efficiently scale to networks with thousands of nodes and be computed in seconds. In addition, we present a case study where we have used our system to analyse the security posture of a realistic water transport network. We discuss our findings on the plant as well as further security applications of our metric.

Purpose – This paper aims to describe a high-level model portraying the relationships between operational, investment, commercial and regulatory pressures, and reports the early findings from testing alternative strategies, both over the long- and short-term. Concern about the vulnerability of utility networks (electricity, gas and water) and other infrastructures, including transport and telecommunications, to environmental, terrorist and other threats has increased in recent years. This has been motivated both by a perceived increase in such threats and by recognition that the commercial pressures and regulation of companies operating these infrastructures could unintentionally have increased that risk. Powerful simulation tools already help utility operators develop asset investment polices to improve both the performance and resilience of their networks, while others have helped increase their capability to respond efficiently when disruptive events occur. However, these tools n...

In recent years, Industrial Control Systems (ICS) have become increasingly exposed to a wide range of cyber-physical attacks, having massive destructive consequences. Security metrics are therefore essential to assess and improve their security posture. In this paper, we present a novel ICS security metric based on AND/OR graphs and hypergraphs which is able to efficiently identify the set of critical ICS components and security measures that should be compromised, with minimum cost (effort) f or an attacker, in order to disrupt the operation of vital ICS assets. Our tool, META4ICS (pronounced as metaphorics), leverages state-of-the-art methods from the field of logical satisfiability optimisation and MAX-SAT techniques in order to achieve efficient computation times. In addition, we present a case study where we have used our system to analyse the security posture of a realistic Water Transport Network (WTN).