This week’s extract is taken from Toomas Viira’s book Lessons Learned – Critical Information Infrastructure Protection, which is a vital source of information and thought-provoking insights into potential issues within critical information infrastructure (CII).
Episode 7 – Perfecting the System:
“A great deal goes into the relevant protection system, and even more must be contributed to make that system successful. Furthermore, every country and every sector has its unique features, and there is no universal model for protecting critical information infrastructure.”
The book offers 23 key lessons, including how to:
- Describe the critical infrastructure service and determine its service level;
- Identify and analyse the interconnections and dependencies of information systems;
- Create a functioning organisation to protect CII; and
- Train people to make sure they are aware of cyber threats and know the correct behaviour.
How to protect critical information infrastructure:
“Everything is being run by computers. Everything is reliant on these computers working. We have become very reliant on Internet, on basic things like electricity, obviously, on computers working. And this really is something which creates completely new problems for us. We must have some way of continuing to work even if computers fail.
So preparedness means that we can do stuff even when the things we take for granted aren’t there. It’s actually very basic stuff – thinking about continuity, thinking about backups, thinking about the things that actually matter.” – Mikko Hypponen
“I get up in the morning and turn the radio on: all I hear is static. I change the station, but it’s just more static. I turn on the TV: there is no picture or sound. I open my laptop to read the news online, but there is no Internet connection. I want to pay by card at the café, but the terminal is not working. I drive to work: there are massive queues on the roads because no traffic lights are working. I want to call work, but my phone cannot find the network. I get to the office and want to open the door with my access card, but the card reader is not working. I go back to the street and walk to the subway station. The streets are full of people: it turns out that the trains are not running. The timetables at the station have gone blank. I leave the subway and manage to get a cab. I ask the driver to take me to the airport. I want to pay the fare by card, but the card terminal in the cab is not working either. I give the driver my last banknotes. There are more people than usual at the airport. I take my place in the check-in queue, but then there is an announcement that check-in cannot be completed because the computer systems are down. We’re not told when they will be fixed. All the information boards at the airport are blank. Perplexed people stand in the queue and wait. Arriving passengers are not allowed through passport control, because the information systems are not working. The lights on all runways are off. I leave the airport and walk to the supermarket. There is a lot of noise and commotion. Card terminals are still not working. Many people are angry because they have goods in their baskets and trolleys, but they cannot pay for them. Some people try to get past the checkouts without paying. Some are eating and drinking the groceries in their trolleys. I go to the toilet next to the store. I want to flush, but there is no water. I want to wash my hands, but there is no water. I find some coins in my pocket and rent a bike to cycle back to the city. I see massive traffic jams as I ride the bike. There is a police patrol on a corner and I ask them what’s going on. The police officers tell me they don’t know. They cannot contact the station, because their radios are not working. I keep riding on. There is a hospital on the way. There is a noisy crowd in front of its entrance and security guards are trying to prevent people from entering the hospital. It appears that some people were not allowed to see a doctor because the hospital’s information systems are down and the hospital couldn’t look up medical records or confirm insurance. They were sent away because emergency care is all that is provided. I carry on cycling towards the city and suddenly I smell something awful. I ride on and see wastewater flowing down the street. At first, I think that it’s a localised problem: a broken pipe or something. I ride on for a few kilometres and see the next spot where wastewater is flowing onto the street. It seems to be part of a bigger problem. The city’s wastewater pumps are not working.
This could go on and on…
Something like this could happen if our IT systems stopped working or stopped working the way they should. Could critical infrastructure service providers provide their services without IT systems? At what level and to what extent? Would it be possible to reduce dependence on IT systems, how much would it cost, who would pay and who determines the level to which dependence should be reduced? Have critical infrastructure service providers practised providing their services without IT systems?” – Toomas Viira