Cyberattacks and defense of critical infrastructures: the risk track

(By Andrea Puligheddu)

According to the railway development plan prepared by Network Rail, the largest rail infrastructure manager and developer in England, 2019 will be the year in which the entire rail transport sector achieves total digital coverage.

In other words, the more than 1.7 billion train journeys made every year on English tracks will be managed and monitored, almost entirely, by artificial intelligence and purpose-built algorithms.

This is not science fiction or some extreme vision: although the human component is still strong and will inevitably remain essential and unique, the growing dependence of the entire global industrial sector on digital technologies is a well-known fact. The transport infrastructure plan is no exception.

Unfortunately, the IT risks to which these infrastructures are exposed every day are equally strong, precisely because of their high rate of digitization. Staying on English soil, it has recently been announced that over the last few months the UK rail system has been the target of at least four cyber attacks of considerable magnitude. Apparently the attackers limited themselves to penetrating the defensive barriers of the railway network and accessing the exchange systems and the passenger management and car management network, without taking any action other than observing them and acquiring the information with which they came into contact.

It is not clear whether a nation is behind the attacks or, more simply, one of the myriad organizations and individuals that continuously penetrate computer systems. The mere fact remains that the violation of the railway system of one of the countries with the most advanced cyber protection on the planet is a disturbing indicator that must in any case be reckoned with. The reasons are many. First of all, as in a military offensive, one of the potential aims of the hackers in question could have been to obtain particularly relevant information through an act of cyber espionage, allowing whoever held it to derive, in the future, information and correlations useful for other purposes, such as causing a blackout of the entire railway network or, worse still, a derailment or a collision between cars in transit. Think of the traffic of materials and people that moves every day on the railway networks of every western nation, and of the wealth of data and information they generate, and the equation is soon clear.

The threats of cyberspace to the security of these contexts are continuous and, above all, impossible to map through traditional methods. From the point of view of so-called targeted surveillance against the risks of terrorism, as opposed to the US mass surveillance recently denounced in the "Snowden affair", the present scenario unfortunately leaves very little room for optimistic forecasts. The deep web, social media and cryptography are now the ABC of communication between terrorists and fundamentalist recruiters, and the balance of allocated resources increasingly tips towards more funds for protecting the national frontiers of cyberspace (if one can speak of frontiers at all!) and for building effective and structured strategic intervention plans.

The reason for this is easily understood. Consider the case in which, instead of limiting themselves to reading and observation, the intruders who penetrated the railway system of the whole of Britain had decided at that moment to crash the state railway systems or, worse, had taken advantage of their access to carry out a terrorist act, causing the same terrible effects as Madrid on 11 March 2004, but in this case without a terrorist aboard the vehicle. Not having an intervention group specifically designed to map the damage, manage the emergency, trace the attack and identify the attacker at the very moment of the violation is a shortcoming that can be costly not only in terms of system productivity and efficiency, but also for the future security of the infrastructure.

In the final analysis, and with respect to the contexts outlined, cybersecurity plays a role of fundamental importance for operators in the sector. It is a real "key area" to refer to in developing the infrastructure, making sure to put in place all the measures needed to prevent cases such as these from ever happening. Although there are no "absolute" security measures that offer definitive shelter from the dangers of intrusion and damage, there are indications, procedures and prescriptions that can be prepared and followed so as to make the defense of points of strategic interest more direct and to reduce the risk of attack to a large extent.

First of all, it must be said that, according to data for the national context, 80% of incidents in the network security systems of infrastructures are caused by involuntary system malfunctions, such as incorrect software and application configurations or malfunctions in the installed network protocols. A first step would therefore be to set up a configuration system and periodic checks to ensure that the logical measures adopted to protect the systems keep working continuously. In this sense, using personnel adequately trained in how to manage an emergency is a vital step that gives the structure additional protective value.

Secondly, a real change of paradigm is needed within the institutions if we are to see a concrete change in the cyber risk situation. In Italy, since the '80s, critical infrastructures have been repeatedly subjected to terrible attacks, real massacres like those at Fiumicino in 1973 and 1985 or that at the Bologna railway station in 1980. At the time it was practically impossible to foresee such events, just as the preventive character of the deployable measures was strongly limited. To date, as far as the terrorist attacks inflicted are concerned, there does not seem to have been any major change in the preventive blocking of the threat before it gets near the infrastructure: the massacre of 22 March 2016 in Brussels and the recent events in Istanbul are the sign that a total change is needed on the security side for critical infrastructures, both in mentality and in the methods used for their protection. The role of the Defense sector in this area is not only appropriate, it is crucial. In Italy the "Safe roads" operation has been active for some time now, aimed at preventing threats of terrorist and violent origin and subject to continuous reinforcement in these times of particular geopolitical instability. It certainly plays a leading role in preventing the physical risks of attacks by hostiles, as well as making a fundamental contribution to protecting the regular operation and functionality of the structures, guaranteeing their productivity. But is it really enough to outline a landscape of full protection?

Certainly not, or at least that is not within its scope. On the other hand, computer-based threats to critical systems are certainly not ghosts: worldwide there are over 13 thousand critical infrastructures connected to the Internet, and 91% of them have vulnerabilities that cyber-criminals can exploit to gain remote access. The United States and Europe are the areas most at risk in the global scenario. This is according to a Kaspersky Lab survey, which comes a few days after the approval, on 6 July 2016, of the EU directive on the protection of critical infrastructures in Europe: the Network and Information Security Directive (the so-called NIS Directive), which is now beginning to show its first implications and long-term prospects. To be extremely brief, the NIS Directive contains essentially 5 key points:

a) all member states must adopt a national strategy on network and information system security;

b) it establishes a cooperation group to support and facilitate strategic cooperation and information exchange between member states and to develop trust between them;

c) it creates a community network of computer security incident response teams ("CSIRT network") to contribute to the development of trust between member states and to promote rapid and effective operational cooperation;

d) it establishes security and notification obligations for operators of essential services and for digital service providers;

e) it obliges member states to designate competent national authorities, single points of contact and CSIRTs with tasks related to network and information system security.

Such a structure is designed to allow full synergy between the joint-force structures that must deal with the physical protection of infrastructures (critical ones, with particular reference to transport, defense and information), providing a rapid point of contact with the private or institutional counterparts responsible for logical protection and with the management and organization structures.

In addition, it is envisaged that, while always protecting the entity that suffered the attack, the interested parties will be notified of the violation only in some specific cases, and that drastic and adequate security measures will be taken preventively to protect systems and networks.

Even if a regulatory instrument can be sterile when taken in isolation, it is impossible to conceive of development in cyber defense that is totally divorced from a legislative framework. On the contrary, it must be considered the fertilizing element that will allow greater coordination and an ever-increasing unification of joint forces between European states. This is necessary to shape a new concept of cyber resilience, founded on common bases and shared by both the public and private sectors, that allows operators in the sector to face present circumstances, as well as those of the immediate future, adequately and with the necessary protection tools.

(photo: Network Rail / web / European Parliament)