Natural disasters, from floods and bushfires to earthquakes and hurricanes, constantly remind us that critical infrastructure can fail.
But what if those vulnerabilities were intentionally targeted?
We are used to dealing with unintentional outages caused by a natural disaster. However, critical infrastructure may also be viewed as a “soft target” by those who wish to inflict major disruptions.
Unlike an attack on one physical asset or organisation, an attack on critical infrastructure directly impacts many organisations and individuals, creating a ripple effect through the community, as well as businesses and the wider economy.
This is not a new threat: in 2003, the case against the first person to be found guilty of planning a terrorist attack in Australia included plans to bomb part of the national electricity supply system.
As today’s critical infrastructure is highly dependent on IT systems, it is increasingly vulnerable to malicious cyber attacks aimed at disrupting a whole city, state or nation.
In addition, failure in one area of infrastructure can create outages in others, in a domino effect. For example, a major power outage may cause mobile (cell) phone towers to fail, impeding communications, or disrupt public transport management systems, leaving people stranded.
In fact, the World Economic Forum’s Global Risk Report 2012 ranks cyber attacks as the fourth top global risk in terms of likelihood. The report highlights the vulnerabilities created by hyperconnectivity. While significant resources have historically been necessary to cause devastating consequences for geopolitical or corporate powers, it is increasingly possible for skilled individuals to do so remotely and anonymously through networked computer systems.
The potential impact of cyber attacks on critical infrastructure should no longer be seen as an IT issue impacting the utility provider, but rather as a national security concern.
US Defense Secretary Leon Panetta points out that such risks could paralyse and shock the nation. “Terrorist-technology experts could bring down the power and transportation systems, financial networks, and the government itself,” he said.
This isn’t a hypothetical issue. According to research by McAfee, “In the Dark: Crucial Industries Confront Cyberattacks”, cyber attacks on critical utilities systems have nearly doubled since 2009. It found that 80 percent of the water, gas and energy firms surveyed globally reported that hackers had compromised their security systems within the last year.
Which critical services are we most reliant on?
Research by Unisys, “Impact of two-day critical infrastructure failure on Australians”, examined the perceived impact of critical infrastructure outages on the Australian public. It revealed a higher reliance on basic services such as electricity supply, water supply, and banking and financial systems than on mobile phone networks, the Internet or transport systems.
The overwhelming majority of more than 1,200 Australians surveyed said a two-day power or water outage would have a major impact on their lives, nearly twice as many as those who said a mobile phone network or Internet failure would have a similar impact.
Percentage of Australian public who say a two-day outage would be a major impact

| Critical service | Major impact |
|---|---|
| Electricity supply in your city/region | 84% |
| Water supply in your city/region | 80% |
| Banking systems such as ATM & EFTPOS | 60% |
| Mobile phone network | 46% |
| Public transport network | 27% |
| Major thoroughfare such as Sydney Harbour Bridge | 20% |
| Capital City Airports | 17% |

Business and economic impact
While outages can create annoying disruptions in our everyday lives, in the business world they can mean monetary loss, which can ultimately impact the wider economy.
Financial services may be disrupted as a flow-on effect of power or telecommunications outages, but they may also be directly targeted. Where previously cyber attacks may have been more focused on obtaining customer data or committing financial fraud, such attacks may now be designed to disrupt the ability of customers, both personal and business, to conduct necessary transactions.
When it comes to protecting critical infrastructure, the lines have blurred between cyber security and traditional physical security.
It is also clear that individual critical service providers and the government share a responsibility to work together on the greater issue of national security.
Fundamentally, we need to start by creating a broader definition of national security than what we have today.