A Review of Critical Infrastructure Domains in Europe


16/3/2021

Based on EC 2008/114 of the European Council as a European critical infrastructure (ECI), we can define critical infrastructure located in Member States that the disruption or destruction of which would have a significant impact on at least two Member States [1]. Damage or destruction of critical infrastructures by natural disasters, terrorism and criminal activity may have negative consequences for the security of the EU and the well-being of its citizens. Thus, it is very crucial to protect the ECIs since they play vital role for the functioning of a society and economy.

Table 1 presents an indicative list of CIs sectors and services identified by the EU Member States [2] :

Table 1: Indicative list of ECI sectors

Sector

Product or service

I Energy

1 Oil and gas production, refining, treatment and storage, including pipelines

2 Electricity generation

3 Transmission of electricity, gas and oil

4 Distribution of electricity, gas and oil

II Information, Communication Technologies, ICT

 

5 Information system and network protection

6 Instrumentation automation and control systems (SCADA etc.)

7 Internet

8 Provision of fixed telecommunications

9 Provision of mobile telecommunications

10 Radio communication and navigation

11 Satellite communication

12 Broadcasting

III Water

 

13 Provision of drinking water

14 Control of water quality

15 Stemming and control of water quantity

IV Food

16 Provision of food and safeguarding food safety and security

V Health

 

17 Medical and hospital care

18 Medicines, serums, vaccines and pharmaceuticals

19 Bio-laboratories and bio-agents

VI Financial

 

20 Payment services/payment structures (private)

21 Government financial assignment

VII Public & Legal Order and Safety

 

22 Maintaining public & legal order, safety and security

23 Administration of justice and detention VIII Civil administration

24 Government functions

25 Armed forces

26 Civil administration services

27 Emergency services

28 Postal and courier services

IX Transport

 

29 Road transport

30 Rail transport

31 Air traffic

32 Inland waterways transport

33 Ocean and short-sea shipping

X Chemical and nuclear industry

34 Production and storage/processing of chemical and nuclear substances

35 Pipelines of dangerous goods (chemical substances)

XI Space and Research

 

36 Space

37 Research


Over the last years, CI systems are increasingly being targeted by attackers. Most of these systems use outdated security protocols and weak security mechanisms, a fact that easily creates attack surfaces for a large group of attackers [3]. Moreover, the period from when a vulnerable system is breached by a malicious outsider to the breach being discovered and vulnerabilities identified and patched, is currently on average about 200 days [4].

It is important to understand that the protection of ECI should be a sector that the EU will always support and innovate. But what exactly are the threats we should face? The rest of the article is dedicated on three major CI systems.


Industrial Networks

Industrial Networks refer to networks that deal with transfer of data on a large scale (most of the times to cover real-time needs). These networks allow us to connect various devices across large spaces and enable communication between them by allowing us to transfer huge chunks of data between them. Most operations on all CI sectors are highly dependent to computer‐based control systems. These systems are increasingly connected to open networks such as the Internet, exposing them to cyber risks. Components such as SCADA systems, unsecure servers, remotely accessed operational networks could be accessible to anyone with basic knowledges of using attacking tools. For example, SQL worms (such as SQL Slammer Worm), or vulnerable Smart Meters able to spread malwares from point to point, are known to disrupt electric system control systems and cause grid failures or catastrophic problems [5] [6].


Healthcare

In healthcare systems the emergence of "online" applications has generated various risks to both patient’s health and their information security. Malicious operations general speaking lies on two major categories, the identity thefts and healthcare frauds where the attacker aims the security of patient’s EPHI (Electronic Patient Healthcare Information) to steal sensitive information, and the network and communication systems, where the malicious actions might have negative impact on patients and affect the proper use of their medication and drugs.

Based on a 2017 Accenture survey found that healthcare data breaches have affected 26% of U.S. consumers with average cost around $2.5 thousand, for each one of the individuals [7].

Security threats are mainly created by unauthorized access, system’s vulnerabilities, illegitimate activities and are mainly formed in taxonomies such as denial of service (DoS) and distributed denial of service (DDoS) attacks, man-in-the middle and remote brute-force attack, password sniffing, trojan horses, data tampering etc. These attacks threat the confidentiality, the availability, and the integrity, of a healthcare service provider’s information assets.


Telecommunication Networks

Telecommunication systems, computer networks and satellite communication systems consists a major category where a user can easily gain unauthorized access to private information and critical resources. The attackers aim at the communications links between the systems trying to force a malfunction to the system. Attacks such as DoS (Denial of Service) on satellites could cause tremendous effects in application such as military communications to become unavailable at critical moments or in business to prevent legitimate clients from accessing necessary services. Moreover, satellite systems and systems that relies on wireless communications are increasingly vulnerable to various attacks, such as RF jamming and network traffic spoofing, which can result in a total signal loss or even in receiving malicious signals [8].

Over the past year, advanced malwares have been developed to target improperly protected critical infrastructure. Since several CI systems relies on weak security mechanisms and communication protocols, new attack surfaces for exploitation are revelled for the attackers every day. Thus, Critical infrastructure service providers and operators must constantly seek for cost-effective and comprehensive secured solutions for their systems.

References

  1. http://kemea.gr/images/documents/EC1142008CIP.pdf
  2. Green paper on a European program for Critical Infrastructure protection (2005), https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52005DC0576&from=EN [accessed on 20th Oct 2020]
  3. Trend Micro, A Security Evaluation of AIS, http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-a-security-evaluation-of-ais.pdf, 2015
  4. Infosecurity, Hackers Spend 200+ Days Inside Systems Before Discovery, http://www.infosecurity-magazine.com/news/hackers-spend-over-200-days-inside/, 2015
  5. Andres, Richard B. and Loudermilk, Micah J. (2012), National Security & Distributed Power Generation. livebetter Magazine Issue Number 24, Sep 2012
  6. Vaas, Lisa (2012), Nuclear power plant cybersecurity warnings silenced by legal threats, http://nakedsecurity.sophos.com/2012/10/31/nuclear-security-silence/ [accessed on 20th Oct 2020]
  7. One in Four US Consumers Have Had Their Healthcare Data Breached, Accenture Survey Reveals (February 20, 2017), https://newsroom.accenture.com/news/one-in-four-us-consumers-have-had-their-healthcare-data-breached-accenture-survey-reveals.htm [accessed on 20th Oct 2020]
  8. Northcutt, Stephen (2007), Are Satellites Vulnerable to Hackers? http://www.sans.edu/research/security-laboratory/article/satellite-dos [accessed on 20th Oct 2020]