2nd International Workshop on Critical Information Infrastructures Security
October 3-5, 2007, Benalmadena-Costa (Malaga), Spain
(Including ITCIP '07, Information Technology for Critical Infrastructure Protection)
The basic difficulty with societal infrastructures, call them critical infrastructures, is that they are extremely fragile.
It takes only a seemingly minor incident like a power transformer failure or an anonymous bomb threat or a road / rail
traffic crash to send the entire structure into failure mode. In event of malicious threat, natural disaster or technical
failure, we need to understand the systematic nature of infrastructures if we are to be able to respond quickly and
effectively to get the system back in its performance capability limits.
The need to understand the emerging concept of critical information in relation to the complexity of societal critical infrastructures brings new dimensions in the current discourse on the vulnerability of life support systems for providing services.
Critical information studies address a wealth of new issues in a comprehensive and holistic manner. It fits well the contemporary landscape of critical infrastructure protection. According to recent studies, critical information studies constitute a special field of work that "considers the ways in which culture and information are regulated, and thus the relationship among regulation and commerce, creativity, science, technology, politics, and other human affairs", and even more.
The lecture will address the concept of critical information as an emergent characterization of interdependencies, resiliency and sustainability of current critical infrastructures, and their future generation.
Interdependencies among critical infrastructures will be extended, in concept and magnitude, from the well known representation existing today in the state of the art literature, to the new one assisted by the implementation of the concept of critical information. The vulnerability of satellite systems, down to the potential cascading impact on many levels of societal infrastructures will be discussed and commented, in the light of critical information and system-of-systems new advanced concepts.
In the past few decades, critical infrastructures of all kinds have become largely computerised and interconnected
all over the world. This generated a web of critical information infrastructures, susceptible to digital or
computer-borne attacks and faults. Progressively, modern societies discovered that threats against computers
and control computers could have as devastating effects as attacks on the physical infrastructures themselves.
These threats range from accidental events like natural faults or wrong manoeuvres, to attacks by hackers or terrorists. The problem affects a range of systems with great socio-economic value, such as utility systems like electrical, gas or water, or telecommunication systems and computer networks like mobile telephony or the Internet. Achieving resilience, that is, ensuring acceptable levels of service and, in last resort, the integrity of systems themselves, when faced with threats of several kinds, became a major objective.
These tangled webs were woven by industrialised societies over the past few years, and although there is growing awareness about the dimension of the problem, and an increase in the concern for using security and dependability best practices in these systems, we believe that the problem is complex and not completely understood, and can not be solved with classical methods.
Whilst the high degree of interconnection is causing great concern, given that attacks can be perpetrated in an unexpected, anonymous and remote way, the complexity of the problem is mainly due to the hybrid composition of those infrastructures: the operational network, called generically SCADA; the corporate intranet; and the Internet, to which, and often unwittingly, the other parts are sometimes connected to.
These issues and possible strategies for solutions, will be discussed in this talk.
Critical infrastructure represents that infrastructure whose disruption could either directly or indirectly
affect an organization, a business, a city or even a country's ability to perform key functions and missions.
Today, infrastructures such as electrical power, water, telecommunications, etc… are highly intertwined in operations
and functionality. Today, few infrastructures exist wholly disjoint. Be it through direct connectivity,
policy and procedures or even geospatial proximity, the majority of infrastructures are tied together.
While this interconnectivity has most certainly increased efficiency, it should be a key concern for infrastructure
owners and managers at all levels. A 2002 RAND report stated: "One of the most frequently identified shortfalls
in knowledge related to enhancing critical infrastructure protection capabilities is the incomplete understanding of
interdependencies between infrastructures. Because these interdependencies are complex, modeling efforts are
commonly seen as a first step to answering persistent questions about the "real" vulnerability of infrastructures." 
While several efforts [2,3] have surveyed the current research in the area of infrastructure interdependency modeling and analysis, the object of this discussion is to present not only the key features found in these different modeling approaches, but also the challenges that exists in deploying interdependency analysis as part of an operationally deployable toolset. The objective of this presentation is to provide a technical background for research in interdependency modeling, and to invoke open exchange on approaches to overcome the challenging aspects of this area. This work draws upon discussion and exchange with leading international research teams in this area as well as lessons learned from integrating of infrastructure interdependency modeling into an operational command and control suite for the U.S. Office of the Secretary of Defense for Homeland Defense.
 D. Mussington, Concepts for Enhancing Critical Infrastructure Protection: Relating Y2K to CIP Research and Development. 2002. RAND:Science and Technology Institute, Santa Monica CA, p 29.
 M. Dunn, and I.Wigert. 2004. International CIIP Handbook 2004: An Inventory and Analysis of Protection Policies in Fourteen Countries. Zurich: Swiss Federal Institute of Technology: 243.
 P. Pederson, D. Dudenhoeffer, S. Hartley, M. Permann. 2006. Critical Infrastructure Interdependency Modeling: A Survey of U.S. and International Research, INL Technical Document: INL/EXT-06-11464.