An overview on ICT and critical infrastructure protection
We all take it for granted: pressing a switch turns the light on, opening a tap lets the water flow, the heating runs when we wake up in the morning, and our mobile phone keeps us connected and reachable around the clock. We do not think about the critical infrastructures enabling these services, unless they are disrupted. Fortunately, this has happened rarely – so far. However, the risk of more outages is increasing, due to natural and man-made factors, and the effects can be severe, as the recent disaster in Japan has shown.
Modern societies are heavily dependent on the functioning of a number of infrastructures which are, thus, called Critical Infrastructures. They are expected to be available 24 hours a day, 365 days a year. Examples of such infrastructures include ICT, energy and drinking water supply, public health, security services, transport, finance, and some more.
Threats to these infrastructures can have natural causes, e.g. earthquakes, tsunamis, tornadoes, heavy rain, floods, extreme heat periods, or pandemias. On the other hand, risks can also be man-made, caused, for example, by terrorist attacks, online and offline sabotage, maloperation, accidents, or simply system failures. Interestingly, people perceive these risks at very different levels of relevance: risks from terrorism receive often a very high attention by the media and can cause fear, while other risks, like for example failure of technologies or maloperation, are seen as a lesser concern. Due to our extreme dependability on these infrastructures, and due to the strong effects their outages can have, we need to take appropriate measures to protect their operation.
Example: energy supply
Reliable power supply is a basic ingredient of our society. How much this is true we often learn only when there are disruptions. Blackouts have occurred e.g. in 2003 in the US, UK, Switzerland and Italy. A blackout in the Munsterland area in Germany in November 2005 received wide publicity. Nearly 100 powerline poles had collapsed under the heavy snow load and left 250,000 people “power-less” for several days. Only one year later the lights went off in large parts of Western Europe due to an unexpected chain reaction caused by a planned shut down of a high voltage powerline. These examples show the vulnerability in spite of modern technologies employed in material and control. Besides the negative effects on people’s daily lives, such blackouts also have huge economical costs: the one-day blackout in the whole north-west of the US in 2003 caused an economic loss of 7 to 10 billion US dollar. Even the blackout in the sparsely populated Munsterland in 2005 caused an estimated damage of about 130 million euro.
Changing general conditions affect ICT
There are a few basic conditions that are changing on a global scale that affect Critical Infrastructures. These include threats from international terrorism and transnational organised crime. The climate change is expected to increase extreme weather periods, and the high global mobility of people and goods increases the risk of spreading diseases and pandemias.
In addition, ICT, which has become an indispensable part in people’s daily lives and in economy, has led to new vulnerabilities. In 2007, Alcatel-Lucent’s Bell Labs presented the findings of a study on the Availability and Robustness of Electronic Communications Infrastructures (ARECI), which was performed on behalf of the European Commission with the support of Eurescom. One of its ten recommendations is very relevant for current Future Internet discussions: it addresses the issue of network bandwidth management in future networks to enable, among others, a guaranteed completion of high priority calls. The study recommends that in the future world of multiplicity of network and service operators stringent interoperability tests should be performed before connecting to a new network.
Activities at EU level
In 2006, the European Commission released the Directive European Programme for Critical Infrastructure Protection (EPCIP), which was created to identify and protect CIs in EU member states. In the FP7 research programme a joint ICT and Security call for proposals was released in 2007. One of the topics addresses secure and resilient information infrastructures for Critical Infrastructures. Currently, the European Commission together with the European Network and Information Security Agency (ENISA) is establishing a European Public-Private Partnership for Resilience (EP3R). It aims to involve public and private stakeholders in discussions with the goal of strengthening security and resilience in the context of Critical Information Infrastructure Protection. ITU SG 17 is asked to consider the standardisation of the relevant aspects.
ARECI study – http://ec.europa.eu/information_society/newsroom/cf/itemdetail.cfm?item_id=3334
ENISA – http://www.enisa.europa.eu