
1 Introduction

Interrelations in most aspects of modern life are based on a complex system of complementary, and in some cases mutually exclusive, network connections that organize contacts across multiple system interfaces. The realization of any product or task therefore depends on a large and complex, but relatively logical, mechanism that is based on infrastructure and serviced by communication and information systems and networks of different classes. Such a complex mechanism enables organizations (public, private, non-governmental, etc.) to pursue their interests and achieve their goals. Consequently, the meaning of “security”, and the ability to achieve it, requires an approach different from the conventional one.

The term “cyber defense” has become extremely important, especially after the NATO summit in Warsaw in 2016, when the “cyber space domain” [1] was established as a new operational domain, in addition to the existing Air, Sea and Land domains. The emergence of a new area of military and economic confrontation makes it necessary to develop a new scientific area and to cooperate at a different level and under a variety of requirements. The last few years have clearly demonstrated that this approach is right, particularly in a situation of hybrid threats and the use by the opposing sides of so-called “soft power” to resolve problems in a wide range of areas. Given how dynamically technology develops, the concepts of “cyber defence” and “cyber space domain” acquire particular significance for critical infrastructure of any type.

Although NATO has adopted the term “cyber space domain”, it is doubtful that critical infrastructure can be divided into military and civilian types, since those terms have largely lost their identity and are strongly intertwined, with no possibility of being treated independently.

2 Infrastructure vs. Critical Infrastructure

To determine the scope of what the authors would like to achieve, it is necessary to define the terms that we will use. The term “infrastructure” was introduced in the nineteenth century by the Swiss military theorist Antoine-Henri Jomini, who highlighted its strategic and operational importance for the leadership during any military operation [2]. Purely military use of the term lasted until the mid-twentieth century; during that time the term denoted the territorial organization of an army battlefield. After the middle of that century, the term “infrastructure” was recognized and began to be used in economics and management theory. Today the term is used in almost every field of science and is very common in studies related to security.

In our opinion there is still no comprehensive and widely accepted definition of the term “critical infrastructure”. This fact only illustrates the importance of critical infrastructure and of the interests connected to it. Many researchers in various fields have defined the term “critical infrastructure”, but for the purposes of this article the authors will use a definition synthesized from various sources.

Critical infrastructure is a system of facilities, services, rules, personnel, documents, management methodology and procedures for processing and exchanging information, whose malfunction or destruction, for whatever reason, would have a serious negative impact on the health and safety of people and the environment, could lead to serious financial and material losses, and would disrupt the effective functioning of state and/or military governance in any region or country.

In general, the basic types of critical infrastructure are shown in Fig. 1 [3].

Fig. 1. Main types of critical infrastructure

There is an increasingly clear tendency for the center of gravity of threats to shift from physical or purely military impact (conventional military conflict) to indirect/non-conventional impact on elements of the enemy’s critical infrastructure [4].

The terms “terrorism”, “cyberwar” and “environmental changes”, often grouped under the general term “hybrid war”, are clearly important and topical. The primary purpose of the “hybrid war” approach is not to destroy the enemy’s critical infrastructure. The main purpose is to disrupt the operation of the enemy’s critical infrastructure in order to cause crises through which that infrastructure is unbalanced. The main advantage of this approach is that, at a later stage, the critical infrastructure can easily be recovered and managed [5].

The multifaceted nature of the term “critical infrastructure” makes the following fragmented classification optimal [6]:

  • In accordance with the location:

    • Critical terrestrial objects - sites located throughout the country;

    • Critical marine sites - ships, oil and gas marine platforms, pipelines.

  • In accordance with the mobility:

    • Fixed/stationary - manufacturing equipment, power plants, transportation facilities (airports, ports, oil, gas and fuel facilities, rail, bus and marine stations), underground special equipment – mainly communications, control stations, warehouses of state raw materials and fuel reserves, laboratories, etc.;

    • Mobile - aircraft, ships, ground transportation, even satellite communication means;

  • In accordance with their public role and social significance:

    • Administrative buildings - district and other smaller centers and municipalities;

    • Objects of the energy system;

    • Sites of the chemical industry, working with hazardous and toxic substances;

    • Objects, parts of the transport system of any kind - ports, airports; marine, railway and bus stations, highways and shuttle lines (roads), bridges and passages.

    • Sites of domestic security such as drinking water system; food establishments (grain warehouses, oil mills, bread factories, meat and dairy farms, wineries, hypermarkets);

    • Polyclinics and hospitals, universities and schools; resorts; buildings and complexes for socio-economic, commercial and entertainment activities, business forums, theaters, sports and other festivals and competitions facilities with great daily and seasonal attendance.

  • Objects of CI with year-round importance;

    • Objects of CI with seasonal importance - the seasonal nature arises from the short-term summer concentration of a huge mass of tourists, mainly in urban settlements and resorts of the southern European Mediterranean type along the coast as well as in the countryside (Fig. 2).

      Fig. 2. Critical infrastructure classification

It is important to mention that such a classification and list of objects is not, and cannot be, final. It is continuously subject to adjustment and expansion, especially in this dynamic security environment and variety of public relations.

If we focus on the types of interdependencies of the critical infrastructure, we can define four classes:

  1. Physical dependence - dependencies that come from physical connections or links among different elements of the infrastructure. In this context, interruptions and disturbances in one infrastructure can spread to other infrastructure projects.

  2. Cyber dependence - interdependencies that occur when the infrastructure depends on information transmitted through the information infrastructure. Such relationships are the result of the increased use of computer-based information systems that support surveillance and management activities.

  3. Geographical dependence - a dependence that exists between two infrastructures when a local environmental event can cause problems in both. This usually happens when the infrastructure elements are in close spatial proximity.

  4. Logical dependence - a relationship that covers all dependencies other than those mentioned above, which could be caused, for example, by regulatory, legal or political restrictions.

The four described types of relationships are not mutually exclusive, although each has its own characteristics [3].

Additional complexity in terms of interdependencies arises when the information infrastructure is categorized along two different key dimensions:

  • Service-oriented interconnections;

  • Information and data oriented interconnections.

Although the integration of critical infrastructures and the synergy in their use undoubtedly provide valuable benefits in terms of efficiency, service quality and cost reduction, the interdependencies increase the vulnerability of the critical infrastructure, because they lead to an avalanche effect in which errors propagate from one critical infrastructure to another. This creates problems whether the exposure is accidental or the effect of a malicious threat. Even a simple power outage caused by a fault, mismanagement or operator intervention can lead to cascading outages and ultimately to the collapse of the whole system. There are many examples of cascading problems arising from infrastructure dependencies that lead to catastrophic events in multiple infrastructures and can cover wide geographical areas.
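The avalanche effect described above can be made concrete with a small dependency-graph model; the following is an added example, not part of the original paper. The asset names and edges are constructed for illustration, and the model assumes the worst case in which any single failed dependency takes the dependent asset down (no redundancy).

```python
from collections import deque

# Constructed sample model, not data from the paper: each tuple is
# (dependent asset, asset it depends on, dependency class from the text).
DEPENDENCIES = [
    ("scada_control", "power_grid", "physical"),
    ("water_supply", "power_grid", "physical"),
    ("hospital", "power_grid", "physical"),
    ("telecom_exchange", "power_grid", "physical"),
    ("water_supply", "scada_control", "cyber"),
    ("scada_control", "telecom_exchange", "cyber"),
    ("hospital", "water_supply", "physical"),
    # Co-location: simplified here to a one-way edge (assumption).
    ("data_center", "telecom_exchange", "geographical"),
    ("payment_system", "data_center", "cyber"),
    ("payment_system", "banking_regulation", "logical"),
]
ALL_CLASSES = ("physical", "cyber", "geographical", "logical")

def cascade(dependencies, failed, classes=ALL_CLASSES):
    """Breadth-first spread of one failure; returns
    {asset: (hop, upstream asset that failed first, dependency class)}."""
    dependents = {}
    for dependent, provider, dep_class in dependencies:
        if dep_class in classes:
            dependents.setdefault(provider, []).append((dependent, dep_class))
    affected = {failed: (0, None, None)}
    queue = deque([failed])
    while queue:
        provider = queue.popleft()
        hop = affected[provider][0] + 1
        for dependent, dep_class in dependents.get(provider, []):
            if dependent not in affected:  # keep the shortest path only
                affected[dependent] = (hop, provider, dep_class)
                queue.append(dependent)
    return affected

def criticality_ranking(dependencies):
    """Rank every asset by how many other assets its failure reaches."""
    assets = {name for dep in dependencies for name in dep[:2]}
    return sorted(((len(cascade(dependencies, a)) - 1, a) for a in assets),
                  reverse=True)

if __name__ == "__main__":
    for asset, (hop, via, kind) in cascade(DEPENDENCIES, "power_grid").items():
        print(f"hop {hop}: {asset}" + (f" <- {via} [{kind}]" if via else ""))
    print(criticality_ranking(DEPENDENCIES)[:3])
```

Restricting `classes` to `("physical",)` shows how much of the cascade is hidden when only physical links are inventoried: the data center and payment system drop out of the result even though they fail in the full model.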

Organizational and economic logic stimulates the use of the Internet, and globalization enables different organizations, wherever they are located, to work as a whole. Communication technologies improve productivity, efficiency and competitiveness. Nowadays many organizations (governmental, industrial and financial as well as military) concentrate much of their activity by consolidating operations through virtual tunnels to a central location where all data is processed. In such cases, Internet use reduces operating costs. With the increasing number of transactions, huge amounts of data with varying degrees of protection pass through the Internet.

Society has evolved to a state of dependency on the availability, reliability, safety and security of the main infrastructures of any type. This is due to the significant social and economic benefits they provide. Unfortunately, because all of these systems have become a necessity, malfunction or improper protection has extremely serious negative consequences. The gradual introduction of total management of all networks, the introduction of systems for monitoring and control, and the interdependence that always arises in such cases certainly optimize and improve the level of performance of the critical infrastructure. Along with the benefits, such an approach gives cyber criminals and terrorists access, with all the negative consequences. The scenario thus becomes more complex, because modern technologies introduce new sources of potential risk on top of the traditional threats.

Even the broad classification of critical infrastructure given above shows its diversity. This creates an even greater variety of parameters that have to be taken into account when determining the criteria for how critical an infrastructure is. In order to optimize efforts to determine adequate measures in case of problems with critical infrastructure, a researcher has to focus on a specific segment of this very broad concept. During the development of this material the focal point was mainly the segment named “Critical Information Infrastructure” (CII).

3 Methodology and Enhanced Methodology

The main objectives that an organization has to pursue when preparing actions for critical information infrastructure protection can be specified as follows [7]:

  1. Determination of critical information infrastructure at national level;

  2. Preparing the methodology and conducting a national survey to determine the dependencies of the critical information infrastructure on the information systems involved in the management of the state;

  3. Development of a national program to protect critical information infrastructure;

  4. Development of rules and standard operational procedures to assist owners and operators of critical information infrastructure (both government and private) to minimize the risk of the collapse of parts or whole segments thereof;

  5. Definition and description of problems with cross-sector dependencies;

  6. Development of policies and standard operational procedures together with the international Critical Infrastructure Protection (CIP)/Critical Information Infrastructure Protection (CIIP) organizations, in order to establish transnational solutions and minimize the consequences;

  7. Control and measurement of the level of maturity achieved in CIP/CIIP, followed by procedures for adjusting the legislation, strategies, rules and procedures based on the results.

To limit the scope of this paper, the authors will focus primarily on the first two points of the plan proposed above for the protection of CIIs. There are various algorithms, based on a set of parameters, that can determine whether an infrastructure falls within the scope of the definition “critical”. Each national unit for Cyber Security/Defense either defines its own algorithm or adjusts one by adding relevant national parameters to the already developed and verified algorithms of other organizations.

Based on the theory mentioned above, the authors conducted a study in which the national critical information infrastructure was designated and a set of critical dependencies was defined, based on the critical tasks performed by NATO in support of international peace and stability [8].

The study began with the determination of the entire national critical infrastructure working in support of state management, based on the criteria set out in Fig. 1.

On this basis, and following the steps described in the methodology, we also determined the national information infrastructure that manages and controls the national critical infrastructure. Following the objectives of the study, the authors compiled a summary list of 256 critical tasks that NATO performs. It was found that our national information infrastructure is an important factor for 49 of these critical tasks.

Subsequently, the execution of NATO critical tasks was compared with the tasks performed by the national information infrastructure. Based on this comparison, the authors found that 66% of the defined national information infrastructure falls within the scope of the definition “critical information infrastructures”.

Two information platforms, serving a total of nineteen IT applications, operate on the national critical information infrastructure designated in this way. All of them fit the definition given at the beginning of this material.

Table 1 shows that all of the described infrastructure and systems are critical from a purely national point of view, but only some of them are critical from the NATO perspective. Some of these infrastructures are important and valuable for collective defense, but they are not critical [9].

Table 1. Critical information infrastructures involvement in National and NATO critical tasks performance

4 Summary and Further Recommendations

Finally, it should be noted that the determination of national critical information infrastructure is not an end in itself. This process allows priorities to be set in the development of national programs for the protection of CII. It also helps in the development of national policies and standard operational procedures to assist owners and operators of CII (both government and private) in minimizing the risk of failure. Such an approach gives us an idea of the steps that should be taken in order to create an integrated security system.

In conclusion, I would like to underline that the results of the study, based on the model and methodology described above, are reliable enough and the figures are acceptable. Such a study could be regarded as very close to reality if cross-border connectivity is included. Following such a course of action will increase the number of parameters and variables, but it will make the model and methodology more mature.

Recommendations for future enhancement: the model and methodology could be used easily, and their reliability will increase, after the development of special software purpose-built for testing critical information infrastructures, with the possibility of modifying many variables and parameters. This will allow an information infrastructure to be tested with varying parameters and a suitable and secure protection model to be followed.