Study on Critical Dependencies of Energy, Finance and Transport Infrastructures on ICT Infrastructure

Final Report

on

Study on Critical Dependencies of Energy, Finance and Transport Infrastructures on ICT Infrastructure

On behalf of the European Commission DG Justice, Freedom and Security

Version V1.0 - submitted

Last Update: 10/08/2009

Industrieanlagen-Betriebsgesellschaft (IABG) mbH, Berlin Office, Alt Moabit 94, 10559 Berlin, Germany
Dr. Stephan Gottwald, Phone: +49 30 293991 60, E-mail: [email protected]



Study on Critical Dependencies of Energy, Finance and Transport Infrastructures on ICT Infrastructure

Final Report Version - Status: V1.0 - submitted 2 / 137

History

Version Edited by Date Remark

1.0 Dr. Stephan Gottwald 10.8.2009 Final Version


Table of Contents

Executive Summary ...............................................................................................................6

1 Introduction....................................................................................................................9

1.1 Background ..........................................................................................................9

1.2 Objectives and Main Purpose of the Study .........................................................10

1.3 Project Embedding..............................................................................................13

2 Approach and Methodology.........................................................................................15

2.1 Key Terms ..........................................................................................................15

2.1.1 Selection Criteria and Process ................................................................18

2.2 Modelling ............................................................................................................19

2.2.1 Identifying European Critical Infrastructures ............................................19

2.2.2 Identifying high ICT-dependent ECI.........................................................20

2.2.3 ICT Threats and Vulnerabilities ...............................................................21

3 Critical Technical Objects and Processes....................................................................24

3.1 Sector Energy Infrastructures .............................................................................24

3.1.1 Sub-sector Electricity...............................................................................24

3.1.2 Sub-sector Gas .......................................................................................28

3.1.3 Sub-sector Oil .........................................................................................30

3.2 Sector Finance Infrastructures ............................................................................33

3.2.1 Sub-Sector Securities Transactions.........................................................33

3.2.2 Sub-Sector Payment Systems.................................................................37

3.3 Sector Transport Infrastructures..........................................................................42

3.3.1 Sub-sector Air Traffic...............................................................................44

3.3.2 Sub-sector Waterways ............................................................................45

3.3.3 Sub-sector Railways................................................................................47

3.3.4 Sub-sector Road .....................................................................................49

4 Critical ICT Dependencies...........................................................................................51

4.1 Sector Energy Infrastructures .............................................................................53

4.1.1 Sub-Sector Electricity ..............................................................................53

4.1.2 Sub-sector Gas .......................................................................................53

4.1.3 Sub-sector Oil .........................................................................................53

4.2 Sector Finance Infrastructures ............................................................................54


4.2.1 Sub-sector Securities Transactions .........................................................54

4.2.2 Sub-sector Payment Systems .................................................................54

4.3 Sector Transport Infrastructures..........................................................................55

4.3.1 Sub-sector Air Traffic...............................................................................56

4.3.2 Sub-sector Waterways ............................................................................56

4.3.3 Sub-sector Railways................................................................................56

4.3.4 Sub-sector Road .....................................................................................56

4.4 Secure Private Network ......................................................................................57

4.4.1 Electronic Highway..................................................................................57

4.4.2 SWIFTNet ...............................................................................................57

4.4.3 SIAnet .....................................................................................................59

4.5 Summary of Sectoral Findings ............................................................................61

5 Relevant Risks, Threats and Vulnerabilities.................................................................63

5.1 Overview.............................................................................................................63

5.2 ICT-Threats.........................................................................................................66

5.2.1 Current ICT Threats ................................................................................66

5.2.2 Relevant ICT Threats and Vulnerabilities ................................................70

6 Existing Protection Strategies......................................................................................74

6.1 Standards ...........................................................................................................74

6.1.1 Generic IT Security Standards.................................................................75

6.1.2 Sector-Specific IT Security Standards in Energy Infrastructures..............78

6.1.3 Sector-Specific IT Security Standards in Finance Infrastructures ............81

6.1.4 Sector-Specific IT security standards in Transport Infrastructures ...........84

6.2 Best Practises.....................................................................................................86

6.2.1 Sector Energy Infrastructures..................................................................88

6.2.2 Sector Finance Infrastructures.................................................................90

6.2.3 Sector Transport Infrastructures..............................................................93

7 Synergies, Conclusions and Trends ............................................................................94

7.1 Standards ...........................................................................................................94

7.2 Best Practises.....................................................................................................94

7.3 Conclusions ........................................................................................................97

7.4 Trends ..............................................................................................................100

7.4.1 Information and Communication Technology.........................................100


7.4.2 Sector Energy Infrastructures................................................................101

7.4.3 Sector Finance Infrastructures...............................................................102

7.4.4 Sector Transport Infrastructures............................................................103

8 Policy Lines ...............................................................................................................105

8.1 Approach ..........................................................................................................105

8.2 Main Categories for Policy Lines.......................................................................105

8.3 Identified Threats and Risks as Policy Drivers ..................................................107

8.4 Identified Trends as Policy Drivers....................................................................109

8.5 Future Policy lines.............................................................................................112

9 Stakeholder Involvement ...........................................................................................115

9.1 General.............................................................................................................115

9.2 Approach ..........................................................................................................116

9.3 Interviews and other bilateral contacts ..............................................................117

9.4 Workshops and Presentations ..........................................................................119

9.5 Dissemination Activities ....................................................................................120

A Annex........................................................................................................................124

A.1 Abbreviations....................................................................................................124

A.2 References .......................................................................................................126

A.3 Catalogue of Current ICT-Threats.....................................................................130

A.4 Catalogue of IT Security related Standards in Transport Infrastructures ...........132

A.5 Preparatory document of Validation / Final Workshop.......................................137

A.5.1 Invitation of Validation Workshop ..........................................................137

A.5.2 Agenda Validation Workshop ................................................................137

A.5.3 Project Incentive Paper .........................................................................137

A.5.4 Invitation of Final Workshop ..................................................................137

A.5.5 Agenda Final Workshop ........................................................................137


Executive Summary

The overall objective of this “Study on Critical Dependencies of Energy, Finance and Transport Infrastructure on ICT Infrastructure” was to identify and assess the dependency of important, but very different, EU-wide infrastructures on information and communication technology, the threats, vulnerabilities and risks involved, and the protection strategies in place to mitigate the effects of an ICT infrastructure disruption.

In total, nine separate sub-sectors had to be analysed; concentrating on the issues of major importance was therefore a guiding principle of this study. We introduced a methodology which abstracts from single point / single event analysis and follows an impartial but systematic view of infrastructures, based on generic models for each (sub-)sector representing its main technical objects and core processes. These models are "European" in that they neither rely on nor are based on national peculiarities. All models have been carefully developed and intensively discussed with different stakeholders from different countries.

In the electricity sub-sector the generic model is oriented towards, but not limited to, the UCTE region, in order to account for its particular complexity. All events which interfere with the frequency / load control processes between control blocks can cause cross-border damage, which in the worst case results in black-outs affecting larger areas. Most critical are the coordination process and other large infrastructure assets.

The gas infrastructure includes a pipeline network, which is operated by TSOs, who perform capacity and pressure control with the help of compressor stations and storage facilities. Any failure is in principle a cross-border incident. However, due to the large volumes of gas stored in the pipeline network, there is a large and, in our view, sufficient time frame for repair. Thus, it is difficult to imagine ICT-related scenarios which lead to criticalities in the hazard categories large or catastrophic, although the ICT dependency of some objects and processes is considered high.

The analysis of the oil infrastructure focuses on refineries and on the pipeline connections from the outlets of terminals / refineries to other refineries, chemical plants, or other major outlets. Any interruption of this pipeline infrastructure may have a cross-border impact. The interruption of a refinery will have an impact on the supply of oil products. However, since the location of refineries is very heterogeneous across EU countries, most oil products are distributed by several transport modes, and considerable quantities of oil products are stored in tank farms and in transport facilities along the distribution chain, it seems very unlikely that the output of an interrupted refinery could not be substituted by other refineries and corresponding transport means, and thus that such an interruption could trigger high cross-border damage to the supply of oil products. Due to the volumes of oil and derived products stored in pipelines, tank farms and transport facilities, there is a large and, in our view, sufficient time frame for repair and / or the establishment of alternative supply. Thus, it is difficult to imagine scenarios leading to criticalities in the hazard categories large or catastrophic, although the ICT dependency of some objects and processes is considered high.

The sub-sector securities transactions of the financial sector covers all tasks from the placing of an order to buy or sell securities by participating banks up to the settlement of the securities and the money between the banks involved in the contract. The core processes are highly dependent on the ICT infrastructure. On the other hand, it is expected that impacts from the disruption of these systems will not fall into the hazard categories large or catastrophic, as the economic loss is limited.

In the payment sub-sector the vast majority of interbank cross-border payment transactions in the Euro-countries are processed using one of two specialised platforms on behalf of the Eurosystem (cooperation of the European Central Bank and the national central banks of the Euro-countries) or the Euro Banking Association. The core processes relying on these payment systems are highly dependent on ICT infrastructures. But again for these systems it is expected that impacts from their disruption will not belong to the hazard categories large or catastrophic.

The transport sub-sectors air traffic, waterways, railroad and road have in common that complex systems are used for the control and security of traffic flow. Most critical objects and processes which are possibly carried out across borders are related to these processes and systems. Their level of dependency on ICT infrastructures is very high. Especially in the air traffic sub-sector the air traffic management system and process are sensitive. But also interlocking systems in the sub-sector railroad and tunnel control systems are ICT dependent critical objects with international importance.

As a result of the modelling and dependency analysis it can be concluded that there are highly ICT-dependent European Critical Infrastructures in the energy and transport sectors, and core business processes in the finance sector that are also extremely ICT-dependent. Each sub-sector has its dedicated IT systems and LANs on which the core processes heavily rely. Different approaches exist for connecting to regional access points and other business partners via wide area networks (WAN), which are provided either by the CI providers themselves, by specialised secure private networks offering connection and messaging services within the respective sub-sector, or as network services from telecom providers and, in a few cases, internet providers.

A first risk estimation of the identified “critical” ICT, appraising the probability and vulnerability with respect to “new” ICT threats, was performed; it showed that there are only a few major risks regarding “critical” ICT components. The highest risks are seen in organisational shortcomings and human errors.

All sectors invest heavily in building up and operating redundant ICT systems; however, the development and application of degradation modes and the extended use of early warning systems are currently applied primarily in the energy sector. These experiences should be shared with the other sub-sectors to strengthen their security measures.

Generally there is a high level of collaboration within sub-sectors and also growing cross-sector activity. The long-term experience with training and exercises in the finance sector should serve to encourage and strengthen similar plans and activities in the other sectors.

Mapping possible policy measures against the identified main risks and expected future trends, and relating them to policies already existing or started, yields policy lines which should be reinforced. From the study perspective, policy measures should focus on early warning and CERT systems, test centres, (joint) training and exercising, exploitation of the findings and experiences of best practices, and the development or adaptation of supportive standards.


The development of sub-sector specific models and the analysis of ICT dependencies have been accompanied by a large number of experts and stakeholders at national and European level, in various interviews and during an international validation workshop. The final results of this study were presented at a fully booked final workshop on June 8th in Brussels.

Structure of the final report

After an introduction to the background, purpose and implementation of the study in section 1, the methodological approach is outlined in section 2. The main results of the generic models and the identified critical technical objects and processes are documented in section 3. Section 4 states the results of the critical ICT dependency analysis for each sub-sector. The first part of section 5 provides an overview of existing and on-going work on critical information infrastructure protection in the European Union and at single member state level, followed by the identification and separation of current ICT threats from all generally existing threats. The mapping of these current IT threats to the extracted “critical ICT” and the analysis of vulnerabilities are documented in the second part of section 5. Section 6 gives an overview of existing protection strategies, particularly existing or applied standards and best practices. In section 7 synergies regarding existing protection strategies are elaborated and first appraisals given, followed by a conclusion of the accomplished work and a summary of the overall analysis results. Trends with an impact on ICT dependencies are documented for future assessments and policies. Finally, in section 8 existing policy lines are analysed and assessed with regard to the study results, and recommendations for further actions are given. The last section, section 9, describes our approach and activities for a continuous and effective stakeholder involvement in the study.


1 Introduction

1.1 Background

Since the mid-1990s, the protection of critical infrastructures has increasingly been recognised as a field of potential and possibly rising risks. Failure of the core backbone systems of our societies, such as energy, transportation, vital supplies like water and food, the financial and the healthcare system, to name only a few, carries the potential of massively degrading

• the well-being of population and environment,

• the functioning of industry and the economy,

• the freedom and capability of governments to act.

Compared to the related potential risks involved, there have been huge deficiencies in theoretical understanding of phenomena, practical preventive and reactive measures, and required national and international coordination and cooperation.

Following some preliminary research work and the request of the European Council, the European Commission (EC) issued a communication on a “European Programme for Critical Infrastructure Protection (EPCIP)” in December 2006, setting out principles, processes and instruments for its implementation, which were to be supplemented by relevant sector-specific communications. The EU framework proposed within this communication has meanwhile been established, consisting, among other things, of

• a procedure for the identification and designation of European Critical Infrastructures (ECI) and a common approach to the assessment of the needs to improve the protection of such infrastructures

• measures designed to facilitate the implementation of EPCIP including an EPCIP Action Plan, the Critical Infrastructure Warning Information Network (CIWIN), the use of CIP expert groups at EU level, CIP information sharing processes and the identification and analysis of interdependencies.

In parallel, a strategy for a secure information society is being developed, pointing out that the security and resilience of communication and information networks are potential contributions to EPCIP.

Against this background the Commission tendered a series of studies in the second half of 2007. One of these has been awarded under the title “Study on critical dependencies of energy, finance and transport infrastructures on ICT infrastructures”; see [EU_SC_2007, EU_SCA1_2007, EU_SCA1_2007]. This study started in August 2008. This report documents the final results achieved by mid May, 2009. It updates the preliminary results laid down in the interim report of January, 2009 and takes into account the amendments requested by the European Commission. Additionally, new policy initiatives (see [EU_DIR_ECI_2008, EU_COM_CIIP_2009]) were taken into account as far as the already completed work packages allowed.


1.2 Objectives and Main Purpose of the Study

Nearly all sectors of our modern society and economy rely on ICT infrastructures. This study focuses on the dependencies of three main sectors: energy distribution (e. g., electricity, gas and oil), transport (e. g., air traffic, waterways, railways and road) and banking and finance.

ICT infrastructures are rapidly becoming the nervous system of our modern information society. They enable essential services and key resources, including for instance the supply of electricity or water. They provide services supporting business processes and financial markets, and assist in the control of many critical processes, such as chemical processing plants.

The main ICT network is obviously the Internet. Because of its ease of integration and low cost of use, an ever stronger dependency of other critical infrastructures and systems on the Internet has developed and continues to develop.

While the use of ICT infrastructures provides many opportunities and increases functional capabilities, the large increase in interconnected devices and information flows also increases the vulnerability of other critical infrastructures when exposed to cyber threats and to failures of the ICT infrastructures. As a consequence, infrastructures and systems in Europe become ever more fragile and may fail faster than ever before due to a major technological collapse of an ICT infrastructure or system.

Besides the growing cross-sector dependencies, interconnected and interdependent infrastructures and systems have grown well beyond national borders. A failure in one country might have detrimental effects on critical components in an entirely different sector in another country. There exist a number of critical infrastructures in the European Union which, if disrupted or destroyed, would affect other Member States. ICT is one such infrastructure. Critical infrastructures with a trans-national dimension should be identified and designated as European Critical Infrastructures (ECI).

Neither the EU governments nor the European Commission have at present a comprehensive consolidated view on what dependencies on ICT infrastructures are critical to the European Union and why. Cross-sector and cross-border dependencies on ICT infrastructures are insufficiently understood. Getting to grips with these dependencies is an important step towards identifying (criteria for and/or components of) European Critical Communication and Information Infrastructures.

This study is recognised as one of many building blocks in a process of analysis, assessment, proposed solutions and their implementation. It will provide a systematic methodology for the assessment of the dependency of critical infrastructures (CIs) on ICT. It will demonstrate the capabilities of this method for the sample sectors of energy, transportation and finance and their sub-sectors. It will develop, try to reach agreement on, and establish definitions of criticality together with the CI providers and stakeholders. It will provide rules on how to reduce the huge spectrum of ICT threats, of sub-sectors and of components to those expected to bear severely critical potential. It will seek commonalities in the risk spectrum and procedures across the different CIs under consideration. And it will derive recommendations of typical security measures as decision support for stakeholders as well as for EU policy initiatives.


Accordingly, target groups will be

• the European Commission

• CI providers / operators of the three sectors

• governments and subordinate governmental organisations with responsibility for CIP in the member states (e. g., BBK and BSI in Germany).

To achieve these objectives, a specific approach and methodology has been developed, consisting of a set of corresponding logically, technically and temporally interconnected work packages (Figure 1).

WP1 Develop and agree on infrastructure and dependency models of the three infrastructures sectors

WP2 Systematically define and derive the critical ICT dependencies

WP3 Identify relevant threats and vulnerabilities

WP4 Arrange appropriate stakeholder involvement

WP5 Identify existing systems and strategies

WP6 Derive synergies and criteria

WP7 Provide decision support guidelines and assess them against technological, economical and policy trends and obstacles

WP8 Recommend policy initiatives

WP9 Project Management & Reporting


A general challenge of the study is to cover and reflect the extremely complex structure of the energy, transport and finance sectors at European level and to address its various aspects like physical structure, functional structure, organisation, responsibilities, etc., in an appropriate manner within the given budget and time constraints. Beyond that, there is a broad range of opinions among stakeholders about the estimation of vulnerability and criticality of infrastructures ranging from neglecting to exaggerating potential threats and their impacts.

Therefore we introduce a methodology with a clear and independent view of infrastructures and with comprehensible as well as traceable criteria. One of the key features of our methodology is the creation of appropriate, generic models for the three sectors of energy, transportation and finance (including their sub-sectors) as a baseline for a clear and common understanding of the structure of these sectors, representing their major structures and characteristics. These models abstract from single point / single event analysis and follow an impartial but systematic view of infrastructures. They are "European" in that they neither rely on nor are based on national peculiarities.

For each sub-sector two generic models have been elaborated:

• one reflecting the tangible assets, the generic technical architecture (except the Finance sector) and

• one covering the processes.

Figure 1: Overall Structure of Methodology and Work Packages

[Diagram; box labels recovered from the figure: WP1: Modelling of three sectors; WP2: Critical ICT Dependencies; WP3: Threats, Vulnerabilities, Risks; WP4: Stakeholder Involvement; WP5: Existing systems and strategies; WP6: Synergies & Criteria; WP7: Decision support; WP8: Policy Initiatives; WP9: Project Management]


The term "processes" covers the sub-sector's intangibles, such as knowledge, transaction relationships, consumer information, contracts, consumption profiles and aspects of security culture.

All models have been carefully developed and intensively discussed with different stakeholders from different countries.

To address the specific characteristics of the different sub-sectors we have created corresponding models for the sub-sectors shown in Figure 2.

1.3 Project Embedding

The study is closely related to other studies tendered in the same time frame (second half of 2007):

• Risk Governance of European Critical Infrastructures in the ICT and energy sectors

• Feasibility study: European network of secure test centres for reliable ICT-controlled critical energy

• Stock-taking of existing critical infrastructure protection activities

and two other studies in August, 2008:

• Study to define sectoral criteria to identify European Critical Infrastructures in the ICT sector, focussing on internet, fixed and mobile telecommunication

• Study on measures to analyse and improve European emergency preparedness in the field of fixed and mobile telecommunication and the internet

Figure 2: Subdivision of Sectors and their (potential) ICT-Dependencies

[Figure residue; the figure lists the sub-sectors Electricity, Gas, Oil, Air Traffic, Waterways, Railroad, Road, Securities Transaction and Payment, each with its (potential) dependency on the ICT Infrastructure.]


At the reporting date the last two studies had not yet started, but the first ones had been running in parallel with this study for a couple of months.

It was the common understanding of the EC and the project team of this study that these running projects are correlated in many respects:

• Application of models for CIs including technical terms and definitions

• Usage of same resources, e. g., the threat taxonomy

• Stakeholder involvement

• Mutual information and - where possible - the mutual use of study findings and intermediate results

The project managers of the studies concerned were encouraged to get in contact and to exchange all necessary and useful information about methodology, definitions, taxonomies, etc. directly at working level. In fact, the project managers of this ICT dependency project and of the studies on the feasibility of test centres and on risk governance attended each other's interim project workshops and took an active part in a common workshop organised by the EC with the CIP expert group (see section 9).

Further activities on the CIP matter have been launched and/or are under way in form of different programmes and activities of the EC, including those of JLS (CIPS and ISEC) and other related directorates like TREN, the Preparatory Actions for Security Research (PASR), and in the research Framework Programmes 6 and 7 (ICT and SEC).

Due to this wide variety of actions, events, related papers, etc., the mutual exchange and resulting improvement of project results was limited. Nevertheless, this study was influenced as far as possible by those experiences and results mainly based on personal contacts and relationships.


2 Approach and Methodology

Within this section we provide a systematic methodology for the assessment of the dependency of CIs on ICT. We demonstrate the capabilities of this method for the sectors in focus, energy, transportation and finance, and their sub-sectors.

For at least a decade, the analysis of interdependencies between various (critical) infrastructures and information and communication technology has been a challenge and an ongoing task in various research programmes, studies and projects at national, European, US and international level. Although there is a great wealth of existing findings, it is the general challenge within this study and the basis of our approach to strictly focus on

• European Critical Infrastructures (ECI) and their ICT-dependencies, meaning that a failure or malfunction of an ICT infrastructure (still to be identified) leads to an outage or malfunction of such an ECI

• Prevailing, “state-of-the-art” and prospective ICT-threats referring to the above identified ICT-infrastructures

• Existing practices such as early warning systems, protection strategies, countermeasures, etc. to mitigate vulnerabilities

• Conclusions (e. g., cross-sector and cross-border synergies) and recommendations for decision support, guidelines, further policy lines, …

Therefore, it is one of the first steps to build up an abstract, generic model of the surveyed European critical infrastructure sectors as a prerequisite for further ICT-dependency analysis. Additionally, for a common understanding a definition and description of key terms is necessary.

2.1 Key Terms

In the last few years, various definitions of key terms around the question "What is a (European) critical infrastructure?" have been put forward. This situation reflects the ongoing tasks and processes at national as well as at European and international level.

Within the European Union a first milestone was set with the presentation of a "Green Paper on a European Programme for Critical Infrastructure Protection" [EU_GP_EPCIP_2005] by the Commission of the European Communities at the end of 2005, as it contains, inter alia, a description of CIP terms and definitions such as "critical infrastructure", "European critical infrastructure", "impact" etc.

In preparation of the “Council Directive on the identification and designation of European Critical Infrastructures and the assessment of the need to improve their protection” [EU_DIR_ECI_2008] which meanwhile has been adopted by the Council of the European Union, CIP terms and definitions have slightly changed. The main definitions are as follows:


"critical infrastructure means an asset, system or part thereof located in Member States which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact in a Member State as a result of the failure to maintain those functions" [EU_DIR_ECI_2008]

"European critical infrastructure (…) means critical infrastructure located in Member States the disruption or destruction of which would have a significant impact on at least two Member States. The significance of the impact shall be assessed in terms of cross-cutting criteria. This includes effects resulting from cross-sector dependencies on other types of infrastructure" [EU_DIR_ECI_2008]

For the purpose of the study at hand, this leads to the following conclusions and to the derivation of CI selection criteria (see summary in subsection 2.1.1):

• Only those CI are considered where disruption or destruction leads to significant transnational impact (Selection-Criteria 1)

• Even large-area impacts of CI failures, outages etc. which remain in one Member State are out of scope of the present study.

• Cross-cutting criteria are needed for appraising the significance of the impact within each sector or sub-sector.

Definition and usage of cross-cutting criteria for ECI are still in discussion and also subject to other envisaged studies, e. g. “Risk governance of ECI in the ICT & energy sector”. On the other hand, results achieved so far by elaboration of the EC-Directive or by [EU_TREN_2007] and [BMI_PESG_2007] could or should not be used for several reasons (restricted access, non-availability during inception phase of this study).

For this, we identify the criticality of processes and technical assets by means of hazard categories. Criticality is defined as the impact that the loss or a significant reduction of the functionality of a process or technical asset will have. The hazard categories consist of 5 discrete values ranging from "negligible" to "catastrophic" (Table 1), for each of which the impacts must be defined. Hazards may have different kinds of impacts, such as

• number of human casualties (injuries, and fatalities)

• restricted ability of governments and public authorities to act

• economic losses (all direct losses, such as restoration of technical assets or lost turnover, as well as subsequent or indirect losses, e.g. caused by environmental impacts)

• public effects (restrictions in daily life and loss of public order)

The subsequent hazard category table is used for defining criticality criteria. Further analysis and considerations focus only on those hazards with the impact categories “large” and “catastrophic” (Selection-Criteria 2).


Aspect | Hazard Category: negligible | low | medium | large | catastrophic

Human casualties | No consequences | Slightly reduced well-being | Few casualties | Many casualties or some fatalities | Many fatalities

Restricted governmental ability to act | Slight restrictions | Few reductions | Limited restrictions | Considerable restrictions | Inability to act

Economic damages | Up to € 10 Mio | € 10 - 100 Mio | € 100 Mio - 1 Bil | € 1 - 10 Bil | More than € 10 Bil

Public effects | Slight restrictions | Few reductions | Local riots | Regional loss of public order | Nation-wide loss of public order

Table 1: Hazard Categories

As shown in the above table thresholds are given in order to categorize economic losses.

There is a wide discussion wherefrom to derive such values and how to treat them in further analysis. Given thresholds are mainly influenced by experiences and detailed discussions and reconcilements with governmental and industrial stakeholders from the German electricity sector during compilation of [BMI_PESG_2007].

Due to its geographical position, Germany is one of the main European nations providing critical infrastructures with a high potential of cross-border impacts in case of larger failures or disruptions. Therefore, after consulting with the European Commission (see [EU_ICTDEP_2008]), we decided to transfer this approach from [BMI_PESG_2007] to this study and to work with the adapted thresholds shown above. Of course, applying these absolute values to single, (much) smaller Member States would distort the evaluation of impacts and the identification of CI [1].

Summarizing, it follows from Table 1 that all ECI are considered where failure or outage leads to at least one of the above listed impacts “large” or “catastrophic”, e. g., an overall economic damage of more than € 1 Bil.

Two important parameters which influence these impacts are "mean time to repair" (MTTR) and "mean time between failure" (MTBF) [ITSM_2004]. MTTR is an indicator for the amount of loss, which is usually non-linearly correlated, i. e., a short time of disruption or failure causes a certain damage, but the damage usually increases progressively the longer the critical service is off [2]. MTBF is a measure for robustness and availability. Usually, MTTR is shorter in those cases where failures occur more frequently, as there is a larger awareness and preparedness.

[1] In these cases an approach using smaller or relative values (like percentages of the GDP of the Member State) should be useful.

2.1.1 Selection Criteria and Process

As pointed out in the above section, the large number of assets, systems, etc. which (or parts thereof) are classified as a critical infrastructure has to be filtered for the purpose of this study. For this, the following selection criteria are used:

Selection Criteria 1: Only those CI are considered where disruption or destruction leads to a significant transnational impact

Selection Criteria 2: The impact of a disruption or destruction of a CI must apply to the hazard categories “large” or “catastrophic”.

Due to the limited time and resources of the project on the one hand, and the complexity of the subject matter on the other hand, a rather pragmatic methodology had to be applied, mainly based on pre-existing information and on close cooperation with stakeholders. The analysis process followed this approach:

• Use of existing material

• Application of the team expert knowledge

• Bilateral and multilateral discussions between team members and CI Stakeholders

• Participation in several related workshops

• Validation of interim results in a stakeholder workshop

• Review of interim results by the European Commission

• Refinement of results and completion of the outstanding summarising and concluding chapters

[2] Power cuts for a few minutes can be buffered easily; long-lasting black-outs, however, cause production downtimes.


2.2 Modelling

As stated above, it is a fundamental prerequisite for the analysis of ICT-dependencies to have a common understanding of the structure of each individual (sub)sector, covering and reflecting its extreme complexity within the given budget and time constraints. Therefore several steps are defined and performed to reduce complexity within each sector as well as general ICT-dependencies, in order to identify and extract "ECI vulnerable through ICT":

1. Designing abstract models of the CI sectors and skipping all non-ECI

2. Extracting all ECI that are highly ICT-dependent

3. Identifying critical ICT infrastructure (with respect to ECI selected above)

4. Identifying relevant ICT threats

5. Analysing and estimating vulnerabilities taking into account existing protection strategies

2.2.1 Identifying European Critical Infrastructures

To face the challenge of reducing complexity without neglecting the main characteristics of each sector, generic abstract models are elaborated for each sub-sector in a twofold approach:

• Each (sub)sector is analysed with respect to its general technical architecture, its core technical objects and other tangible assets. Special focus lies on characteristics of physical, cross-border connections.

• Sector-specific core processes are identified which cover all major infrastructure services. As far as necessary this enfolds also responsibilities, knowledge, transactional relationships etc. for distinct process steps and other intangible assets.

In Figure 3 technical objects and processes are illustrated as the starting point of the whole approach in the upper and lower left corner. Different sectors are labelled by different background colours (energy – light brown; transport – blue; finance – yellow) [3].

[3] Within the finance sector there are no technical objects comparable to those in the other sectors.


To identify relevant ECI in the focussed sectors, all identified technical objects and processes which do not match the selection criteria defined in section 2.1 are filtered out. These objects are symbolically crossed out in the above figure.

2.2.2 Identifying highly ICT-dependent ECI

The next step in our approach is to identify those ECI within each sector which highly depend on ICT, i. e., a breakdown of such an ICT-system (or a relevant component of it) leads to a "critical" impact, a significant malfunction or a complete blackout with large or catastrophic impacts in more than one Member State of the EU.

Thus, all identified critical technical objects and processes are examined with respect to their underlying ICT-systems, which themselves can be distinguished into internal and external ICT systems and infrastructures (see Figure 4). This distinction is made as many CI providers maintain their own IT-systems as well as their own (physical) communication lines and communication systems.

Figure 4: ICT - Infrastructure

Figure 3: Approach for identifying highly ICT-dependent ECI


Analysing the dependencies of an IT-system (e. g., SCADA-system) in more detail, it has to be pointed out that these systems themselves rely on diverse other internal and external communication systems, infrastructures and services.

Finally, in case of long term malfunctions further, more qualitative dependencies have to be considered, e. g., software updates of SCADA.

Therefore, in the end all ICT-dependencies have to be added up which leads to the following results:

• ECI (technical objects and process) that highly depend on ICT

• ECI (technical objects and process) that have no or less critical ICT-dependencies and which can be omitted for further analysis (crossed out in red colour in Figure 3).

• ICT-Systems the failures of which do not have a high impact on ECI (crossed out in red colour in Figure 3).

• ICT-Systems the failures of which have a high impact on ECI but are used redundantly, i. e., there are two (or even more) different IT- or communication systems a specific ECI relies on (crossed out in yellow colour in Figure 3) [4].

After this “reduction” process, relevant elements with significant impact on society and economics are identified.

2.2.3 ICT Threats and Vulnerabilities

Proceeding within our approach, relevant ICT-threats, vulnerabilities and (existing) protection strategies with respect to the extracted ECI are considered (see Figure 5). For this, existing IT threat catalogues [see BSI_GS_Cat_2008] are used which allocate known ICT threats to five general cause categories:

• Force Majeure

• Organisational Shortcomings

• Human Failure

• Technical Failure

• Deliberate Acts

[4] For further statements a more detailed (sector-specific) analysis considering dependencies as well as threats and vulnerabilities is necessary.


As these catalogues contain about 430 single threats it is necessary as well as appropriate to focus on

• The current internet threat situation

• Innovative technologies and new trends in ICT amplifying existing threats.

These statements can be derived from analyses, observations and current publications of various national and international ICT security agencies, public authorities and research institutes such as [ENISA_PECCA_2008, GTISC_ECTR_2008, BSI_LAGE_2009, BSI_LAGE_Q1_2008, BSI_LAGE_Q4_2008, BERR_2008, SYM_STR_2009]. Combining these approaches leads to a more practical and significant appreciation of current ICT threats for the purpose of the study at hand.

Based on these derived and adjusted catalogues of current threats, all relevant IT and communication systems and infrastructures that have already been identified as "critical" with respect to sector-specific ECI are examined regarding their vulnerability [5]. Probabilities of occurrence are taken into account here; in the case of deliberate acts they are mainly influenced by the effort necessary to run such an ICT attack compared to the effort to disrupt an ECI in a "conventional way". Furthermore, it must be considered that ICT threats usually do not have an unlimited impact on the relevant ICT systems, as existing organisational, technical and other protection strategies are implemented.

The analysis of existing protection strategies follows a twofold approach: comparable to a top-down approach, common ICT-related security standards including the respective guidelines, specifications, etc. are gathered. On the other hand, best practices tested and applied within various companies and institutions were identified.

The whole ICT-relevant approach for this study is illustrated in Figure 6.

[5] Based on existing material and experiences (no individual risk assessment has been compiled)

Figure 5 : Derivation of relevant ICT threats


Finally, model and analysis results are compared between sub-sector-specific and sector-spanning ones. Common ICT dependencies and ICT vulnerabilities are explored, and existing protection strategies are gathered and examined. Special focus is laid on existing best practices, their application in different sectors and their strength.

The analysis and assessment of policy lines has been organised by viewing them from different perspectives. First of all, the main categories of policy lines are identified and broken down into a set of policy measures supporting the policy line. These main categories of policy lines are schematically mapped against the identified main ECI vulnerabilities and risks and against the identified trends expected in ICT and in the individual CI.

Finally, a summary is given together with a comparison of recommended measures vs. existing best practices. From there, recommendations can be drawn as to which important policy measures are lacking in existing practice today and which should specifically be reinforced.

Figure 6 : Approach for identifying ICT-vulnerable ECI


3 Critical Technical Objects and Processes

3.1 Sector Energy Infrastructures

The energy sector consists of the following sub-sectors:

• Electricity

• Gas

• Oil

The energy infrastructures under study are limited to the region of the EU. Primary energy supplies, whether originating from inside the EU (for example coal production used in power plants) or supplied from outside the EU (such as gas and oil), are not subject of this study.

3.1.1 Sub-sector Electricity

The electricity sector in the EU is divided into separate synchronised regions, each with its own characteristics. In this study the generic model build-up is mainly influenced by the UCTE region (Figure 7), which comprises the majority of the EU Member States and displays more complex characteristics than other electricity systems in the EU (the generic model itself also represents the main structures in other regions).

Figure 7 : Interconnected Electricity Systems in Europe (source: UCTE).


In 1999 the UCTE was established as a TSO organisation. It developed from a “club” of companies (established as UCPTE in 1951) to a “system watchdog association”. In 1995 the power systems of Poland, the Czech Republic, Slovakia and Hungary were in a condition to meet the UCTE security and control standards and the CENTREL area was synchronised with and incorporated into the UCTE system. In 1996 the Romanian and Bulgarian electricity systems could comply with the UCTE policies and were synchronised. As a result, a large synchronised region has been established in Europe, managing considerable power flows. In particular, the integration of the former CENTREL led to new power flows. With their large generation capacities, Poland, Slovakia and the Czech Republic became the main net exporters in the region. The main net energy flows are from Poland via the Czech Republic to Germany, Austria and Slovakia and from Slovakia to Hungary.

Figure 8: Physical electricity exchanges in the UCTE region (source: UCTE)

The UCTE electricity system is composed of the network interconnection and interaction of control areas, whose boundaries mostly comply with country boundaries. A TSO (transmission system operator) oversees the operation of the electricity system within the control area and coordinates its activities with neighbouring control areas. The transmission system in one control area consists of transmission lines of voltage levels between 110 and 400 kV. Each control area typically has several interconnections with the transmission grids of neighbouring areas (so-called "tie lines"), typically of voltage levels between 220 and 400 kV, sometimes also at 110 kV. These generic power system objects are shown in Figure 10.


The initial purpose of the UCTE was the mutual support of the control areas in maintaining system stability through access to reserve capacities and through synchronous operation. The main processes are the load and frequency control and the corresponding communication between the control areas (Figure 9). However, nowadays the original orientation of the interconnected network operation towards frequency and load control has to cope with increasing bulk power transfers triggered by market liberalisation, which are beyond the original design of the intermeshed network in the UCTE area and cause increasing problems with network capacity and dynamics. Network dynamics are becoming a critical factor for the proper operation of the electricity sector in Europe, and they display a novel and complex structure. But since network dynamics are beyond the control of the current frequency and load control processes and their underlying control systems, this criticality is not investigated in this study.

Figure 9: UCTE control blocks and control areas (source: UCTE)

In principle, each control block acts as a self-sustaining system, which interacts with the other control areas in a self-organising way (there is no central control) through the coordination and frequency / load control processes. All events which disturb these processes can cause cross-border damages which range from the disconnection of power system areas from the synchronous UCTE areas to non-supply of electricity (black-out). The reasons for the interruption of the load / frequency control can lie in the process itself, or in failures in the technical objects or other processes.

It is obvious that the non-supply of electricity would be the major cause of damage. The most severe cross-border incident happened on 4 November 2006, when the initial switching-off of a tie-line over the river Ems (Germany) caused a cascading effect across Europe, which led not only to the disconnection of the system but to black-outs which left 15m households without power. A rough estimation of the economic damage, which is based on higher average consumption values and a longer black-out time than actually prevailed, gives a figure of some 220m EURO as the value of the loss [6]. This value is still far from the large hazard categories.

Though coordination itself can be re-established within a short time, failures in the coordination between TSOs can trigger severe consequences for the frequency / load control between control areas, which lead to cascading effects and a possible separation of the UCTE area. The example of the 4 November 2006 incident shows that failures in the coordination process lead to cascading effects in the frequency / load control processes. But the MTTR of the coordination and frequency / load control processes is in general short enough to most likely not reach the large or catastrophic hazard categories [7]. There are, however, underlying technical objects whose failure can interrupt the frequency / load control process, which will definitely cause large damages.

The exchange between the physical and the commercial area is mainly composed by the scheduling of power plants, lines and interconnectors. There is no direct access to the control systems of the electricity infrastructure. Usually, an interruption of the scheduling information does not create large damage in the commercial world, because most schedules are long-term oriented. Also, in cases of non-service (black-outs) caused by the electricity system, the damage on the customer side is much higher (cf. the estimate of €8-16/kWh) than the commercial losses per non-sold kWh.

[6] The estimation is based on the following assumptions:

• Average household consumption of 4000 kWh/a

• Black-out for a total time of 2 hours (the UCTE investigation report states that normal conditions were reached in less than 2 hours [UCTE_2006])

• Lost load for 15m households for 2 hours: 13698630 kWh

• Value of lost load: €16/kWh (a meta study conducted by Frontier Economics resulted in a range of €8-16/kWh value of lost load [FE_2008])

[7] The separated regions were back to synchronous operation after 38 minutes and normal operation was regained in less than 2 hours.
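As an added worked example (not part of the IABG study or its deliverables), the following Python script applies the Table 1 economic-damage thresholds and the two selection criteria of subsection 2.1.1 to a small set of infrastructure elements, and reproduces the lost-load estimate of footnote 6 for the 4 November 2006 incident. The households, consumption, outage duration and value-of-lost-load figures are the report's own; the element names, the damage figures other than the 2006 case, and the `threshold_scale` parameter (a stand-in for the relative thresholds suggested in footnote 1) are assumptions made for illustration.

```python
"""Added worked example (not from the IABG study): hazard categorisation of
economic damage per Table 1, the two selection criteria of section 2.1.1, and
the lost-load estimate of footnote 6 for the 4 November 2006 UCTE incident."""
from dataclasses import dataclass
from typing import List

# Upper bounds (EUR) of the Table 1 economic-damage categories; anything above
# the last bound is "catastrophic".
ECONOMIC_THRESHOLDS = [
    ("negligible", 10e6),    # up to EUR 10 Mio
    ("low", 100e6),          # EUR 10-100 Mio
    ("medium", 1e9),         # EUR 100 Mio - 1 Bil
    ("large", 10e9),         # EUR 1-10 Bil
]
CATASTROPHIC = "catastrophic"    # more than EUR 10 Bil
# Selection Criteria 2: only these categories are followed up further.
SELECTED_CATEGORIES = {"large", CATASTROPHIC}
HOURS_PER_YEAR = 8760


def economic_hazard_category(damage_eur: float, threshold_scale: float = 1.0) -> str:
    """Map an economic loss to its Table 1 hazard category.

    threshold_scale is an assumption added here: footnote 1 notes that the
    absolute thresholds distort results for smaller Member States, so a factor
    below 1 shrinks all bounds proportionally (e.g. relative to GDP) without
    changing the category logic.
    """
    if damage_eur < 0 or threshold_scale <= 0:
        raise ValueError("damage must be >= 0 and threshold_scale > 0")
    for name, upper in ECONOMIC_THRESHOLDS:
        if damage_eur <= upper * threshold_scale:
            return name
    return CATASTROPHIC


def lost_load_kwh(households: int, annual_kwh_per_household: float,
                  outage_hours: float) -> float:
    """Energy not supplied, using the flat average-consumption assumption of
    footnote 6 (annual consumption spread evenly over the year)."""
    return households * annual_kwh_per_household / HOURS_PER_YEAR * outage_hours


def outage_damage_eur(households: int, annual_kwh_per_household: float,
                      outage_hours: float, voll_eur_per_kwh: float) -> float:
    """Economic damage = lost load x value of lost load (VoLL)."""
    return lost_load_kwh(households, annual_kwh_per_household,
                         outage_hours) * voll_eur_per_kwh


@dataclass
class Element:
    """A technical object or process under assessment (constructed sample)."""
    name: str
    transnational: bool    # Selection Criteria 1: significant impact in >= 2 Member States
    damage_eur: float      # estimated economic loss on disruption


def select_eci(elements: List[Element], threshold_scale: float = 1.0) -> List[str]:
    """Names of the elements that pass both selection criteria."""
    return [
        e.name for e in elements
        if e.transnational
        and economic_hazard_category(e.damage_eur, threshold_scale) in SELECTED_CATEGORIES
    ]


# Footnote 6 parameters for the 4 November 2006 incident (figures from the report).
UCTE_2006 = dict(households=15_000_000, annual_kwh_per_household=4000.0,
                 outage_hours=2.0, voll_eur_per_kwh=16.0)


def ucte_2006_category() -> str:
    """Hazard category of the footnote 6 estimate (about EUR 219 Mio)."""
    return economic_hazard_category(outage_damage_eur(**UCTE_2006))


if __name__ == "__main__":
    damage = outage_damage_eur(**UCTE_2006)
    print(f"2006 incident: {lost_load_kwh(15_000_000, 4000.0, 2.0):,.0f} kWh lost, "
          f"EUR {damage / 1e6:,.0f} Mio -> {ucte_2006_category()}")
    # Constructed sample elements; names and damage figures are hypothetical.
    sample = [
        Element("UCTE 2006-type blackout", True, damage),
        Element("hypothetical week-long multi-country outage", True, 5e9),
        Element("hypothetical national-only outage", False, 5e9),
    ]
    print("selected:", select_eci(sample))
```

Run as a script, the 2006 case evaluates to roughly 13.7 million kWh of lost load and about EUR 219 Mio, which falls into the "medium" category of Table 1 and is therefore not selected, matching the report's remark that this value is still far from the large hazard categories; the hypothetical national-only element is rejected by Selection Criteria 1 regardless of its damage figure.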


Figure 10: Power System Generic Objects and Processes

3.1.2 Sub-sector Gas

The European gas infrastructure is supplied mainly by gas imports through transit pipelines and LNG tanker ships. Transit pipelines and LNG facilities feed the gas via interconnection points into the European high pressure transit / transport pipelines which, together with gas storage facilities, constitute a highly interconnected network. Within this network, the pressure level is regulated by compressor stations. Most sections of the European pipelines as well as the storage facilities are operated country-wide by national TSOs with control and dispatch rooms. The sections are interconnected by interconnection points, which commonly consist of export stations measuring the gas flows for commercial purposes. Through decompression stations the gas is fed into medium pressure and eventually into low pressure networks to which consumers are connected. The generic system is shown in Figure 11.

Contrary to the electricity system, the European gas infrastructure is designed to transport gas from the entry of supplies (LNG terminals, transit pipeline interconnection points) to the consumer. The main obligation of the TSO is to execute a capacity and pressure control in the pipeline network with support of the compressor stations and storage which is appropriate to satisfy user demand.

Since the transport of gas in the European gas networks takes place across borders, any failure is in principle a cross-border incident. This differs from the principles of the electricity system, where each control area is in principle self-sustaining and self-organising with the other control areas in order to benefit from the synergies.

Failures in the appropriate capacity and pressure control processes lead to lower transport volumes of gas, generally reducing the cross-border deliveries to the end users. Failures can be caused within the process itself or through failures in other processes or technical objects.

Due to the large volumes of gas stored in the pipeline network and the remaining pressure, the MTTR in case of object or process failures is in general considerably longer than in the power sector, which requires a real-time frequency / load control process. Therefore, it is difficult to elaborate scenarios of object or process failures (Figure 11) which lead to large or catastrophic hazard categories (apart from the lack of gas supply by the few producing countries, which is unlikely to be caused by ICT problems).

Failures in metering gas flows in the export stations may cause severe commercial problems, but the metering at the export stations can be substituted by metering in other nodes of the gas grid. Any interruption of gas flows due to commercial reasons is caused by a deliberate company decision (which is similar to the interruptions of the supply of Russian gas in the winter 2008/2009), but not by any ICT vulnerability of the infrastructure.

Interruptions in the coordination process itself do not lead to severe reductions of transport capacity because the coordination process can be re-established within short periods. Failures in the capacity / pressure control process itself may lead to losses in transport capacity, but in principle the control operations can be done locally on site as well (which only is somewhat less efficient).

Though LNG terminals are entry points into the gas supply, the interruption of one LNG facility can easily be compensated by other supply routes and facilities. And since the LNG facilities are not interconnected with each other, a widespread failure is rather unlikely.

[Figure 11 (image not reproduced): generic gas system objects in Network Area A and Network Area B (Transit / Transport High Pressure pipelines with Export Station / Inter-connector pairs, TSO Control and Dispatch, Decentral Controls, Medium Pressure Regional (100 mbar – 1 bar), Local Distribution (20 - 100 mbar)); processes Capacity / Pressure Control, Dispatching and Coordination; and the commercial world (Capacity Order, Balancing / Accounting, Meter Readings, Exchange (EEX), Trading Wholesale, Trading Retail, each with a data base).]

Figure 11: Gas System Generic Objects and Processes

3.1.3 Sub-sector Oil

The European oil infrastructure consists mainly of points of entry, which encompass oil terminals (footnote 8) and transit pipelines that deliver crude oil across borders by pipeline and other transport means to refineries and petrochemical plants, which in turn deliver oil products by pipeline or other transport means to tank farms, to outlets like airports, and to final users.

The oil sub-sector differs from the other energy sub-sectors in terms of storage, transmission and distribution since oil and its products can be transported and stored more easily and cheaply than gas and electricity. The oil infrastructure includes three major features:

(i) In contrast to the electricity and gas sector, the transport and distribution of oil and refined products can be assured by many different infrastructures: pipelines, short-sea shipping, inland waterways, railways and road transport. This encompasses the down-stream transport of crude oil from the entry of supplies (oil terminals, transit pipeline interconnection points) to refineries or oil products from refineries to chemical plants, and the distribution to other outlets and final users.

Footnote 8: Around 80% of the European oil import is brought by tankers.


(ii) The storage of crude oil and oil products in tank farms allocated along the down-stream chain.

(iii) The processing of crude oil to oil products in refineries.

The infrastructure is not an interconnected network as this is the case in the electricity or gas sector, but constitutes a heterogeneous and complex structure of different transport modes, refineries and different products. The generic objects and processes are shown in Figure 12.

Since tank trucks and tank wagons for the road and rail transport of gasoline or fuel oil are independent objects, their failures are single events with very limited damage. Therefore, this down-stream infrastructure is excluded from becoming critical in the context of this study.

The oil terminals, tank farms, refineries, and pipelines which are concentrated in the Amsterdam-Rotterdam-Antwerp (ARA) area handle some 17% of the European oil imports. The ARA area plays a major role for the oil supply of the European market and its interruption is critical for the European market. But in the European oil infrastructure, which is anyhow quite heterogeneous in the location of infrastructure objects across countries and in the different multiple transport modes, the collection of oil terminals, tank farms, refineries and pipelines of the type of “ARA Complexes” constitutes singular objects rather than generic objects of the European oil infrastructure. Due to this singularity a separate analysis of these technical objects is recommended.

Therefore, the analysis of critical objects and processes focuses on refineries and the pipeline connections from the outlets of the terminals / refineries to other refineries, petrochemical plants, or outlets like airports. Any interruption of this pipeline infrastructure has a cross-border impact, which can be caused by failures in the objects or processes. For example, the interruption of the Trans-Alpine-Pipeline, which feeds, among others, the refinery in Ingolstadt, Germany, would cause a daily loss in the gross margin of the refinery of some €400,000 (footnote 9).

The interruption of a refinery will have an impact on the supply of oil products. Since the location of refineries is very heterogeneous across countries in the EU, since most of the oil products are distributed by different transport modes, and since considerable quantities of oil products are stored in tank farms and in the transport facilities along the distribution chain, it seems very unlikely that the output of one interrupted refinery could not be substituted by transport means in the distribution chain. But on the other hand it cannot be excluded that the interruption of a refinery can lead to large damages.

Another hazard would be a pipeline leak which could cause an oil spill with large environmental damage.

Due to the volumes of oil / products stored in the pipelines and storage, the MTTR in case of object or process failures is in general considerably longer than in the power sector, which requires a real-time frequency / load control process. Therefore, it is difficult to elaborate scenarios of object or process failures which lead to large or catastrophic hazard categories.

Footnote 9: Assumptions: throughput 65,000 bpd; gross margin 7.99 USD/barrel; exchange rate 1.37 USD/EUR. Source: Petroplus Annual Report 2007 [RM_2007]

Figure 12: Oil Sector Generic Objects and Processes


3.2 Sector Finance Infrastructures

After intensive discussions with different stakeholders from the finance sector, for this study the sector is structured into the following two sub-sectors:

• securities transactions,

• payment systems.

The sub-sector securities transactions covers all tasks from making an order to buy or to sell securities (shares, bonds, derivatives) by participating banks up to the settlement of the securities and the money between the banks involved in the contract based on this order.

The sub-sector payment systems also covers clearing and settlement tasks, but the starting points for these are rather payment transactions instead of trading of securities.

International business is an important part of the business within the two sub-sectors securities transactions and payment systems. Therefore cross-border transactions (between European countries and also with non-European countries) are common within these sub-sectors.

3.2.1 Sub-Sector Securities Transactions

Different market places exist in Europe for trading securities like shares, bonds and derivatives. In addition, different service providers exist for the execution of the corresponding clearing and settlement related services. Therefore there is not one single model explaining the properties of the workflow within the sub-sector securities transactions in Europe. For this reason an abstract model will be used in the study to explain the characteristics of the sub-sector.

The steps trading, clearing and settlement must be executed completely in order to finalise a single transaction. In the following the major tasks belonging to these steps are listed.

Trading

Market places offer the trading of securities. This can be done either by traditional floor trading or by electronic trading systems. The following tasks are (among others) part of the trading system:

• Receiving orders for selling or buying securities.

• Price determination (either by specialists or based on an open order book).

• Matching corresponding orders.


Clearing

The provider offering the clearing service acts as a central counterparty (CCP) for the two parties (banks) involved in a transaction. No bilateral agreement is reached between the two parties of a transaction. Instead, both parties have an agreement with the CCP. The following tasks are (among others) part of the CCP:

• Verification of trade-related information.

• Risk management.

• Netting (i.e. the summation of single buy and sell positions of a participating bank).

Settlement

The settlement is the final step to finish a transaction. It is usually performed by a central securities depository (CSD) (and in addition usually also mirrored by the participating banks by debiting and crediting the securities accounts of their customers). The following tasks are (among others) part of the CSD:

• Debiting the securities from the seller's bank.

• Debiting the corresponding money from the buyer's bank.

• Crediting the securities to the buyer's bank.

• Crediting the corresponding money to the seller's bank.

For the actual transfer of the corresponding money from the buyer's bank to the seller's bank the CSD usually uses a system specialised in money settlement like TARGET2 (settlement of the money in cooperation with central banks). This system will be described as part of the sub-sector payment systems.

The following figure gives an overview for the abstract model of the securities transactions sub-sector:

[Figure 13 (image not reproduced): Trading Location (trading), CCP (clearing), CSD (securities settlement), money settlement (ex. TARGET2), Bank A (seller's bank), Bank B (buyer's bank); message flows: order (sell) / order (buy), contract note, trading data, disposition, delivery instruction / delivery confirmation, settlement confirmation and risk data, payment advice / payment confirmation, securities debit / securities credit, money debit / money credit.]

Figure 13: Abstract Model for the Sub-sector Securities Transactions

The detailed analysis of all objects and processes of the sub-sector securities transactions shows that they all have a transnational dimension in the sense that their malfunction or disruption will probably affect cross-border transactions. Nevertheless no objects and processes of this sub-sector are part of the ECI. This is due to the fact that the impact (in this case the economic damage) of their malfunction or disruption is not expected to reach the hazard category large.

The following reasons support the argument that a malfunction or disruption of the objects and processes of this sub-sector will not have an impact of a hazard category higher than medium:

• Netting is performed for the single positions of the trades of a bank within the clearing process. This results in a relatively small amount of money to be transferred between banks (as part of the settlement) compared to the large sum of all trades processed within a given timeframe. If clearing is not available for some time due to the disruption of the systems, it can be done later after the systems work again properly.

• The transfer of money between the participating banks is done in some kind of virtual closed circle. If the settlement of money between banks is disrupted, no money is lost. The amount to be settled which is not transferred to the receiving bank rather stays with the sending bank. The settlement can be done later after the systems work again properly. The impact (economic damage) is only the loss of some interest (on the amount which cannot be transferred) by the receiving bank. On the other hand the sending bank has the opportunity to gain some extra interest on this amount.

• If clearing and/or settlement are disrupted for some time this may lead of course to a situation where also the trading of securities must be interrupted. The corresponding market place could not be used for some time. In this case participants could (at least for major securities) use other market places to trade their securities. This would lead to some kind of loss of fees for the provider of this market place, which is expected to be rather small compared to the amount relevant for the hazard categories.

• A liquidity risk does exist for the total market, if clearing and/or settlement cannot be performed due to some disruption of the systems. This can be solved by central banks using central bank money.

As a result it is not likely at all that an interruption of the mentioned objects and processes would lead to an impact of the hazard category large or catastrophic (i.e. loss of more than 1 Bil. Euro). Value at risk computations of one major service provider led to an estimate of damages of less than 100 Mil. Euro.


3.2.2 Sub-Sector Payment Systems

As part of the processing of a payment transaction the following tasks can be done by a payment system:

Clearing:

• Verification of payment transaction related information,

• Risk management,

• Netting, i.e. the summation of single payment transactions of a participating bank.

Settlement:

• Debiting the corresponding money from the sending bank.

• Crediting the corresponding money to the receiving bank.

Which tasks are exactly performed during the processing of a payment transaction depends on the payment system.

Since the introduction of the Euro, different systems for the processing of cross-border transactions have been established. Among these, the two major platforms are the following:

• TARGET2 (Trans-European Automated Real Time Gross Settlement Express Transfer) of the Eurosystem (combination of the European Central Bank (ECB) and the national central banks of the Euro-countries).

• EBA-Clearing with the systems EURO1, STEP1 and STEP2 of the Euro Banking Association (EBA).

Further payment systems exist, but the vast majority of interbank cross-border Euro payment transactions are processed using one of these platforms. Therefore only these two platforms will be considered further within this study.

TARGET2

TARGET2 is a single shared platform for the processing of cross-border Euro payment transactions. It is operated jointly by the national banks of France (Banque de France), Germany (Deutsche Bundesbank) and Italy (Banca d'Italia) on behalf of the Eurosystem. After finalisation of the migration to TARGET2 in May 2008, all national central banks of the Euro-countries are part of TARGET2. In addition nearly all national banks of other European countries with a currency other than the Euro are also part of TARGET2. The European Central Bank (ECB) is also part of TARGET2.

From a technical point of view TARGET2 is a single shared platform, but from a legal point of view it is a collection of different TARGET2 system components. Each central bank being part of TARGET2 has got its own TARGET2 client system.

A bank which wants to use the TARGET2 system for the processing of cross-border payment transactions must become a participant of the system. There are different ways in which a bank can participate in TARGET2. The following figure gives an overview:

[Figure 14 (image not reproduced): Target2-SSP (Single Shared Platform) with the national components Target2-bbk (Bundesbank, Germany), Target2-cb2 (Central Bank 2, Country 2), ..., Target2-cbn (Central Bank n, Country n); direct participants (Bank 1, Bank 2, Bank 3) each holding an RTGS account; indirect participants (Bank a, Bank b) reached via a direct participant; a group of banks with multi-addressee access; affiliated banks (Bank 3-1, Bank 3-2) of Bank 3.]

Figure 14: Architecture of the System TARGET2 for the Real Time Gross Settlement of Payment Transactions

For the consideration of TARGET2 within this study the precise way of how a bank participates is not relevant. Therefore only the case of direct participants will be regarded further.

To be a direct participant of TARGET2 the bank needs a so-called RTGS account with one of the national banks which is part of the TARGET2 system. The business relationship exists exclusively between the participating bank and the corresponding national bank and not with the TARGET2 system. The national bank provides the RTGS account of the participating bank within its client system of TARGET2.

For processing payment transactions the TARGET2 system offers a real time gross settlement, i.e. payment transactions are processed continuously during the business day and finalized immediately (if the RTGS account of the payer contains the needed funds to cover the transaction). Example: If bank 1 wants to pay an amount to bank 2, it sends a corresponding payment order to the national bank which holds its RTGS account. Within TARGET2 the amount of the payment transaction is debited to the RTGS account of bank 1 and credited to the RTGS account of the receiving bank 2. The receiving bank 2 is informed about the incoming payment by the national bank, which holds the RTGS account of bank 2.

Besides the processing of cross-border payment transactions TARGET2 offers further services to its participating banks like the management of reserves and limits.

In addition to the processing of (cross-border) interbank payment transactions TARGET2 can also be used for the processing of (high-value or very urgent) individual payment transactions.


In addition to credit institutions, other systems can also use the TARGET2 system for the settlement of large cross-border payment transactions. For this the system must participate in TARGET2 as a so-called ancillary system.

EBA-Clearing

The Euro Banking Association (EBA) was founded in 1985 by commercial banks. Today it has about 190 members.

EBA-clearing is a private sector provider of payment systems founded by EBA. The following payment systems are offered by EBA-clearing:

• EURO1: system for single high-value cross-border or domestic payment transactions in Euro between large commercial banks operating in the European Union. This payment system includes the clearing and settlement of the transactions. The ECB is used as settlement bank.

• STEP1: system for single cross-border payment transactions in Euro between commercial banks. This payment system includes the clearing and settlement. Banks which are direct participants of the EURO1 system are used as settlement bank.

• STEP2: system for bulk cross-border or domestic payment transactions in Euro in the sense of a pan-European automated clearing house. This payment system does not include the settlement. Settlement is rather done using TARGET2.

For the purposes of this study the differences between the payment systems offered by EBA-clearing are of no concern. The processing of transactions with respect to the information and communication infrastructure is almost identical. For this reason only EURO1 will be considered further in this study. The following figure gives an overview of the clearing and settlement of payment transactions using the EURO1 system:

[Figure 15 (image not reproduced): Bank 1 (country A, short after cut-off) and Bank 2 (country B, long after cut-off) exchange a payment message, with a copy sent to EBA EURO1; after cut-off: payment order (short amount) from Bank 1 to Central Bank A, money transfer over Target2 from the RTGS account of Bank 1 to the EBA RTGS account at the ECB, information about the incoming payment to EBA, payment order (long amount) from EBA, money transfer via Central Bank B to the RTGS account of Bank 2, information about the incoming payment to Bank 2, and information about settlement finalization to both banks.]

Figure 15: Clearing and Settlement of Payment Transactions using EBA EURO1

Currently the EURO1 system has 66 participating banks and 63 sub-participants. A sub-participant is a subsidiary of a participating bank which is connected directly to the system. The sub-participant can use the EURO1 system autonomously but under the single liquidity position of the participating bank.

The EURO1 system acts as clearing house for the payment transactions. If a transaction is to be processed by EURO1, a copy of the corresponding payment message is sent to the EURO1 system. Incoming payment messages are processed individually. The EURO1 system manages debit and credit caps for its participating banks. If processing of a payment message would violate the debit cap of the sender or the credit cap of the receiver, the message is not processed directly but queued for later processing. Otherwise the incoming payment message is processed directly and the amount is virtually debited to the sender and virtually credited to the receiver (clearing and disposition). By this a netting of the single positions of a participating bank is performed, but no actual money is transferred at this time. At a specific cut-off time all positions of the participating banks are settled.

For the final settlement a bank which is short after cut-off must transfer the netting amount to EBA. For this the bank gives a corresponding payment order to the central bank of its country. This central bank transfers the money to the account of EBA at the ECB. The ECB informs EBA about the incoming payment. EBA distributes the incoming money of all short banks to the banks which are long after cut-off and transfers the resulting money to these banks. For this it gives corresponding payment orders to the ECB. The ECB transfers the money accordingly to the central banks of the countries of the receiving banks. These national banks then inform the receiving banks about the incoming payment.


For transferring the money between the participating central banks TARGET2 is used.
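As an added example (not part of the report, and not code of EBA-clearing or the Eurosystem), the following Python model walks through the EURO1 clearing cycle described above and the netting argument of section 3.2.1: copies of payment messages are cleared against debit and credit caps or queued, positions are netted at cut-off, and the short and long amounts are settled over RTGS accounts as on the TARGET2 leg. Bank names, cap values, account balances and amounts are constructed for illustration.

```python
from collections import deque, namedtuple
from dataclasses import dataclass

Payment = namedtuple("Payment", "sender receiver amount")   # a payment message copy

@dataclass
class Participant:
    """Constructed EURO1-style participant: its caps and running net position."""
    name: str
    debit_cap: int      # how far the bank may go short (owe the system)
    credit_cap: int     # how far the bank may go long (be owed by the system)
    position: int = 0   # net cleared position: negative = short, positive = long

class ClearingHouse:
    """Clears copies of payment messages one by one; no actual money moves here."""

    def __init__(self, participants):
        self.p = {x.name: x for x in participants}
        self.queue = deque()   # messages held back because a cap would be breached

    def _fits(self, pay):
        s, r = self.p[pay.sender], self.p[pay.receiver]
        return (s.position - pay.amount >= -s.debit_cap
                and r.position + pay.amount <= r.credit_cap)

    def _apply(self, pay):
        # Virtual debit/credit: only the net positions change, RTGS accounts do not.
        self.p[pay.sender].position -= pay.amount
        self.p[pay.receiver].position += pay.amount

    def submit(self, pay):
        """Clear the message if both caps hold, else queue it; True if cleared now."""
        if pay.amount <= 0 or pay.sender not in self.p or pay.receiver not in self.p:
            raise ValueError("malformed payment message")
        if not self._fits(pay):
            self.queue.append(pay)
            return False
        self._apply(pay)
        self._retry_queue()
        return True

    def _retry_queue(self):
        # Positions changed, so queued messages may fit now; retry in arrival
        # order until a full pass clears nothing more.
        progressed = True
        while progressed:
            progressed = False
            for pay in list(self.queue):
                if self._fits(pay):
                    self.queue.remove(pay)
                    self._apply(pay)
                    progressed = True

    def cutoff(self):
        """Net positions at cut-off: amounts owed by short banks, due to long banks."""
        short = {n: -x.position for n, x in self.p.items() if x.position < 0}
        long_ = {n: x.position for n, x in self.p.items() if x.position > 0}
        assert sum(short.values()) == sum(long_.values())  # clearing is a closed circle
        return short, long_

def settle(short, long_, rtgs):
    """TARGET2 leg: short banks pay their net amounts into the EBA RTGS account, which
    is then paid out to the long banks. Raises if a short bank lacks cover."""
    rtgs = dict(rtgs)
    rtgs.setdefault("EBA", 0)
    transfers = []
    for bank, amt in short.items():
        if rtgs[bank] < amt:   # an RTGS transfer is only final when the funds are there
            raise RuntimeError(f"{bank}: RTGS account does not cover net amount {amt}")
        rtgs[bank] -= amt
        rtgs["EBA"] += amt
        transfers.append((bank, "EBA", amt))
    for bank, amt in long_.items():
        rtgs["EBA"] -= amt
        rtgs[bank] += amt
        transfers.append(("EBA", bank, amt))
    assert rtgs["EBA"] == 0   # the EBA account is flat again once all long banks are paid
    return rtgs, transfers

def run_example():
    """Constructed clearing day with three banks (C has a tighter debit cap)."""
    ch = ClearingHouse([Participant("A", 1000, 1000), Participant("B", 1000, 1000),
                        Participant("C", 500, 1000)])
    msgs = [Payment("A", "B", 500), Payment("B", "C", 300), Payment("C", "A", 900),
            Payment("B", "A", 200), Payment("A", "C", 200)]
    cleared_now = [ch.submit(m) for m in msgs]   # C->A 900 waits until C's cap allows it
    short, long_ = ch.cutoff()
    rtgs_after, transfers = settle(short, long_, {"A": 1000, "B": 1000, "C": 1000})
    return {"cleared_now": cleared_now, "queued_left": len(ch.queue), "short": short,
            "long": long_, "gross": sum(m.amount for m in msgs),
            "net_settled": sum(short.values()), "rtgs_after": rtgs_after,
            "transfers": transfers}

if __name__ == "__main__":
    print(run_example())
```

In the constructed day, 2,100 of gross payments net down to a single settlement of 400 from C via the EBA account to A, which is the point made in section 3.2.1 about the small amount actually transferred compared to the sum of all trades.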

Critical Objects and Processes

With the exception of the systems of a single bank, all processes of the sub-sector payment systems have a transnational dimension in the sense that their malfunction or disruption will probably affect cross-border transactions. Nevertheless no objects and processes of this sub-sector are part of the ECI. This is due to the fact that the impact (in this case the economic damage) of their malfunction or disruption is not expected to reach the hazard category large.

The argumentation why it is not expected that a disruption of the systems and processes will lead to an impact of the hazard category large or catastrophic is similar to the discussion for the sub-sector securities transactions at the end of paragraph 3.2.1. In addition, if the settlement of cross-border payment transactions cannot be done using the payment systems mentioned above for a longer time, the former system of correspondent banks can be used again in the meantime to counter any possibly arising liquidity risk of the participating banks. This system of correspondent banks can work using traditional ICT like fax or telephone. This would lead to an increase of transaction time and of course of transaction costs, but at least settlement could be performed between banks again.


3.3 Sector Transport Infrastructures

Objects and processes in the transport sector can be related to the planning, construction and operation phases. In this study the operational aspects in the transport infrastructure are considered. The sector transport consists of the following sub-sectors:

• Air Traffic

• Waterways

• Railways

• Road.

The model for the transport sector is structured as a meta model with corresponding sub-sector models which are derived from the meta model. Figure 16 shows the meta model for the transport sector.

Figure 16: Meta Model for Transport Sector

On the meta level, the following objects of the transport sector can be identified:

• Trans-shipment complex: This is the location, where passengers get on the transportation means. Also the goods are shipped here. An airport is an example.

• Transported passengers and goods: The passengers relate to one of the most important criteria of the transport sector, namely loss of life.


• Transportation means: The transportation means are the vehicles, which are used during transportation. In the case of “airways” this would be an airplane.

• Transportation media: Transportation media are the main criteria for subdividing the transport sector (air traffic, road, waterways, rail).

• Energy supply: Objects of the transportation sector (trans-shipment complex, transportation means and transportation media) usually have components for energy supply. These components will not be taken into account in further analyses, as the question of energy supply will be discussed in the energy sector.

• Operating equipment: Objects of the transportation sector (trans-shipment complex, transportation means and transportation media) have operating equipment. Internal ICT systems are also considered as operating equipment. In this sense an onboard computer on an airplane is a piece of operating equipment.

• Control system: The control system acts on a higher level, in order to coordinate the safe operation of objects. A typical example is an air traffic management system which coordinates air traffic.

On the meta level, the following processes of the transport sector can be identified:

• Processing of trans-shipment procedures. This process takes place in the trans-shipment complex. It is related to transportation means (e. g., airplane) and transported passengers/goods (e. g., check-in procedure for passengers).

• Protection of the objects. This process relates to several areas:

- Environmental damage including fire and flooding.

- Access control for security purposes or against terrorist attacks.

• Operation of the objects. This can be related to a trans-shipment complex or transportation means. The operation of an airport or an airplane are examples of this process.

• Handling of man-made disasters, here usually after an incident. This process includes:

- Search and rescue of victims.

- Environmental disasters (e. g., accidents at sea involving oil tankers or accidents on the road with chemicals).

- Firefighting, e. g., on a ship.

• Information supply for the public. This can be for different purposes, e. g., information about time schedules, but also to inform passengers about conditions of transport media (e. g., road conditions).

• Maintenance, which addresses many kinds of objects in the transport sector. It is a regular process and assures safe operation.

• Control. This process includes the coordination of several objects and includes

- Data retrieval from objects, e. g., positioning of the objects


- Evaluation of the situation

- Communication to the objects for control purposes

These objects and processes are valid for most of the transportation sub-sectors which will be discussed in detail in subsequent chapters. The consideration of hazard criteria shows that for the entire transport sector the most critical objects and processes are the systems for controlling traffic flow and the control process which may be carried out across borders.

3.3.1 Sub-sector Air Traffic

Passengers and limited amounts of cargo can be transported by air very quickly over long distances, but it is an expensive mode of transport due to its high energy use. The increasing air traffic density in Europe (and elsewhere) makes very precise control of air traffic necessary.

Table 2 shows the considered critical objects and processes for the airways sub-sector.

Object or Process | Hazard category | Transnational dimension | Relevance
Aircraft | Loss of life possible | No | No
Airport | Loss of life possible | No | No
Airport operating system | No large or catastrophic hazard expected | No | No
Airspace | No large or catastrophic hazard expected | No | No
Airport facilities | No large or catastrophic hazard expected | No | No
Aircraft equipment | No large or catastrophic hazard expected | No | No
Air traffic control | No large or catastrophic hazard expected | No | No
Air traffic management system | Loss of life possible | Yes | Yes
Processing of trans-shipment procedures | No large or catastrophic hazard expected | No | No
Airport operation | No large or catastrophic hazard expected | No | No
Information supply to the public | No large or catastrophic hazard expected | No | No
Aircraft operation | Loss of life possible | No | No
Protection of airports and aircraft | Loss of life possible | No | No
Maintenance of aircraft | Loss of life possible | No | No
Emergency procedures | Loss of life possible | No | No
Air traffic management | Loss of life possible | Yes | Yes

Table 2: Critical Objects and Processes for the Air Traffic Sub-sector.

The following critical objects and processes can be identified in the sub-sector air traffic:

• Air traffic management system, which is a complex IT system.

• Air traffic management process. It consists of:

- Aerodrome control: this sub-process controls the movements of aircraft on the ground.

- Approach control: this sub-process controls the movements of aircraft in the vicinity of the airport.

- Area control: this sub-process controls the movements of aircraft between airports at higher altitudes.

3.3.2 Sub-sector Waterways

Ships can transport large quantities of non-perishable goods with little personnel over long distances. Sea transport is the most energy-efficient mode of transport.

The control of water transport is mainly carried out locally without significant cross-border communication. The International Maritime Organization has established ship routing systems such as traffic separation schemes in crowded shipping areas (e.g. the Baltic Sea), and the number of collisions and groundings has been dramatically reduced.

Vessel traffic services are important for short sea shipping in coastal areas. These services range from the provision of simple information (e.g. the position of other traffic) to the management of traffic within a port. An exception where a vessel traffic service covers two countries is the Öresund area between Sweden and Denmark. However, the services in the Öresund area are provided by a single system without any (transnational) coordination between the Swedish and Danish authorities.


Beyond shipping over long distances (like transcontinental shipping) and short sea shipping in coastal areas, inland navigation plays a certain role in international transport. But the criticality is not considered very high.

An accident on the inland waterways could block the waterway and cause some financial loss, which can affect other countries, as happened on the Rhine in early March 2007. After this accident the Rhine was blocked for nearly a week. According to the German Association for Inland Navigation the financial loss was “only” about 2 million euro, which is far below the defined limit of 1 billion euro.

From the control point of view, national waterways like the Rhine–Main–Danube Canal have a purely local character: they connect two points inside national borders and are controlled by a national control system, without any control coordination with other control systems across Europe.

The European Commission has issued several projects to promote better use of rivers and canals for freight transport across Europe. In this context information systems for inland navigation have been established, known as RIS - River Information Services10. Examples are ELWIS in Germany and DoRIS in the Danube countries. RIS are intended to be used internationally, for example for customs and border procedures. However, the interoperability of vessel traffic services (VTS) for inland navigation across countries is still to be implemented.

Table 3 shows the considered objects and processes for the waterways sub-sector.

Object or Process | Hazard category | Transnational dimension | Relevance
Vessel | Loss of life possible | No | No
Harbour | No large or catastrophic hazard expected | No | No
Port facilities | No large or catastrophic hazard expected | No | No
Vessel equipment | No large or catastrophic hazard expected | No | No
Waterway | No large or catastrophic hazard expected | No | No
Waterway equipment | No large or catastrophic hazard expected | No | No
VTIMS – Vessel traffic management information system | Loss of life possible | No | No
VTIMS (for inland navigation) | No large or catastrophic hazard expected | Yes | No
Port management system | No large or catastrophic hazard expected | No | No
Processing of the trans-shipment procedures | No large or catastrophic hazard expected | No | No
Harbour operation | No large or catastrophic hazard expected | No | No
Vessel operation | Loss of life possible | No | No
Protection of the harbour | Loss of life possible | No | No
Accident (average) handling | Loss of life possible | No | No
Information supply to the public | No large or catastrophic hazard expected | No | No
Vessel traffic services (for maritime control) | Loss of life possible | No | No
Vessel traffic services (for inland navigation) | No large or catastrophic hazard expected | Yes | No

Table 3: Critical Objects and Processes for the Waterways Sub-sector.

10 see COMMISSION REGULATION (EC) No 414/2007

No critical objects or processes can be identified in the sub-sector waterways. The only possible exception is the oil port of Rotterdam in the Netherlands, because the oil supply of the continent depends on this port and any failure could cause some economic damage.

3.3.3 Sub-sector Railways

Rail transport is the most energy-efficient mode of transport on land. Although there are a large number of different regulations for rail transport within the European Community, it plays a major role in freight and passenger transport.

The control systems for rail traffic are divided into operational control systems and interlocking systems. The operational control system focuses on dispatching (the disposition of trains against the timetable), while the interlocking system addresses safety: it ensures that a signal can only be cleared for a route that has been checked and locked, and that no conflicting route can be set at the same time.

Table 4 shows the considered objects and processes for the sub-sector railways.

Object or Process | Hazard category | Transnational dimension | Relevance
Train | Loss of life possible | No | No
Railway station | Loss of life possible | No | No
Railway station equipment | No large or catastrophic hazard expected | No | No
Onboard equipment for trains | No large or catastrophic hazard expected | No | No
Railway network | No large or catastrophic hazard expected | No | No
Railway network elements | Loss of life possible | No | No
Interlocking system | Loss of life possible | Yes | Yes
Railway station operating system | No large or catastrophic hazard expected | No | No
Operational control system | No large or catastrophic hazard expected | Yes | No
Processing of the trans-shipment procedures | No large or catastrophic hazard expected | No | No
Information supply for the public | No large or catastrophic hazard expected | No | No
Operation of railway stations | No large or catastrophic hazard expected | No | No
Operation of trains | Loss of life possible | No | No
Protection of railway stations and trains | Loss of life possible | No | No
Operational control process | No large or catastrophic hazard expected | Yes | No
Interlocking process | Loss of life possible | Yes | Yes

Table 4: Critical Objects and Processes for the Railway Sub-sector.

The following critical objects and processes can be identified in the sub-sector railways:

• Interlocking system, a complex system which controls the railway network elements (points, signals, track sections) for safety purposes.

• Interlocking process, consisting of the following sub-processes:

- Route pretest (checking that the requested route is free and does not conflict with routes already set)

- Route locking

- Route release

- Protection handling. This includes, e. g., flank protection for trains.

- Signalling
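The interlocking sub-processes listed above can be made concrete with a small model. The following Python code is an added illustration for this report, not part of the study and not the code of any real interlocking product; the track layout, the route and point names and the rule set (a signal may show proceed only for a locked route, a locked route holds its own points and its flank-protection points, a route is released only once all of its sections are clear) are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Route:
    name: str
    entry_signal: str
    sections: Tuple[str, ...]        # track sections the route runs over, in order
    points: Dict[str, str]           # point -> position required inside the route
    flank_points: Dict[str, str]     # points outside the route held for flank protection


class Interlocking:
    """Toy interlocking: route pretest, route locking, signalling, route release."""

    def __init__(self, routes: List[Route]) -> None:
        self.routes = {r.name: r for r in routes}
        self.locked: Dict[str, Route] = {}
        self.occupied: Set[str] = set()
        self.point_pos: Dict[str, str] = {}
        self.signal: Dict[str, str] = {r.entry_signal: "stop" for r in routes}

    @staticmethod
    def _held_points(r: Route) -> Dict[str, str]:
        # A locked route holds both its own points and its flank-protection points.
        return {**r.points, **r.flank_points}

    def pretest(self, name: str) -> List[str]:
        """Route pretest: all reasons why the route may not be set (empty list = OK)."""
        r = self.routes[name]
        reasons = [f"section {s} occupied" for s in r.sections if s in self.occupied]
        for other in self.locked.values():
            if set(r.sections) & set(other.sections):
                reasons.append(f"sections shared with locked route {other.name}")
            held = self._held_points(other)
            for point, pos in self._held_points(r).items():
                if point in held and held[point] != pos:
                    reasons.append(f"point {point} held at {held[point]} by route {other.name}")
        return reasons

    def set_route(self, name: str) -> Tuple[bool, List[str]]:
        """Route locking: points are moved and the route is locked before the entry
        signal is cleared; if the pretest fails, nothing changes."""
        reasons = self.pretest(name)
        if reasons:
            return False, reasons
        r = self.routes[name]
        self.point_pos.update(self._held_points(r))
        self.locked[name] = r
        self.signal[r.entry_signal] = "proceed"
        return True, []

    def clear_signal(self, signal: str) -> bool:
        """Signalling: proceed is shown only for a locked route that starts at this
        signal; a command that tries to bypass the lock leaves the signal at stop."""
        ok = any(r.entry_signal == signal for r in self.locked.values())
        self.signal[signal] = "proceed" if ok else "stop"
        return ok

    def train_enters(self, section: str) -> None:
        """Occupying the first section of a locked route drops its signal back to stop."""
        self.occupied.add(section)
        for r in self.locked.values():
            if r.sections[0] == section:
                self.signal[r.entry_signal] = "stop"

    def train_leaves(self, section: str) -> None:
        self.occupied.discard(section)

    def release(self, name: str) -> bool:
        """Route release: allowed only once no section of the route is occupied."""
        r = self.locked.get(name)
        if r is None or any(s in self.occupied for s in r.sections):
            return False
        del self.locked[name]
        self.signal[r.entry_signal] = "stop"
        return True


def demo() -> Dict[str, object]:
    """Constructed layout: routes A and B cross at section T2 / point P1;
    route A additionally holds point P2 (used by route C) for flank protection."""
    a = Route("A", "SA", ("T1", "T2"), {"P1": "normal"}, {"P2": "normal"})
    b = Route("B", "SB", ("T3", "T2"), {"P1": "reverse"}, {})
    c = Route("C", "SC", ("T4",), {"P2": "reverse"}, {})
    ixl = Interlocking([a, b, c])
    out: Dict[str, object] = {}
    out["set_a"] = ixl.set_route("A")[0]          # True
    out["set_b"] = ixl.set_route("B")[0]          # False: T2 shared, P1 held by A
    out["set_c"] = ixl.set_route("C")[0]          # False: P2 held by A (flank protection)
    out["bypass_sb"] = ixl.clear_signal("SB")     # False: no locked route starts at SB
    ixl.train_enters("T1")
    out["sa_after_entry"] = ixl.signal["SA"]      # "stop"
    ixl.train_leaves("T1")
    ixl.train_enters("T2")
    out["early_release"] = ixl.release("A")       # False: T2 still occupied
    ixl.train_leaves("T2")
    out["release_a"] = ixl.release("A")           # True
    out["set_b_after"] = ixl.set_route("B")[0]    # True: conflict gone
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The ordering in set_route is the point of the model: the signal is the last thing to change and only after the pretest has passed and the route is locked, and clear_signal refuses any attempt to show proceed without a locked route behind it. The same check is what an ICT failure or a manipulated command between the operational control system and the interlocking has to get past.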

3.3.4 Sub-sector Road

A large share of transport takes place on the road, although it is not very energy-efficient and is the main source of noise and air pollution in cities. The main reason for the importance of the road is its flexibility. Road transport is usually necessary for other modes of transport; for example, freight is often brought to a sea port by trucks.

Control of road traffic usually takes place locally without cross-border communication. Rare cases of cross-border interaction can be found in some tunnels, which are therefore the focus of this document. While hazardous accidents in tunnels play a significant role, bridges are relatively uncritical in this context.

Table 5 shows the considered objects and processes for the road sub-sector.

Object or process | Hazard category | Transnational dimension | Relevance
Road | No large or catastrophic hazard expected | No | No
Motor vehicle | No large or catastrophic hazard expected | No | No
Road terminal | Loss of life possible | No | No
Road terminal facilities | No large or catastrophic hazard expected | No | No
Motor vehicle equipment | Loss of life possible | No | No
Operational control system | No large or catastrophic hazard expected | No | No
Traffic routing system | Loss of life possible | No | No
Section (tunnel) control systems | Loss of life possible | Yes | Yes
Tunnel facilities | No large or catastrophic hazard expected | No | No
Toll systems | No large or catastrophic hazard expected | No | No
Road facilities | No large or catastrophic hazard expected | No | No
Processing of the trans-shipment procedures | No large or catastrophic hazard expected | No | No
Operation of the road terminal | No large or catastrophic hazard expected | No | No
Operation of motor vehicles | Loss of life possible | No | No
Information retrieval for the public | No large or catastrophic hazard expected | No | No
Protection of road terminals and motor vehicles | Loss of life possible | No | No
Traffic routing | Loss of life possible | No | No
Emergency procedures | Loss of life possible | No | No
Section (tunnel) control | Loss of life possible | Yes | Yes

Table 5: Critical Objects and Processes for the Road Sub-sector.

The following critical objects and processes can be identified in the sub-sector road:

• Section control system for (cross-border) bridges or tunnels

• Section control process for (cross-border) bridges or tunnels


4 Critical ICT Dependencies

In this chapter the European critical infrastructures identified in the above section are examined with regard to their ICT dependencies. For further analysis, better comparison and a summary conclusion, a rudimentary structuring of the ICT sector is necessary, bringing together general surveys as well as adequate details for the further analysis of ICT threats and vulnerabilities. It is important to note that this general issue is currently the subject of various activities at EU level. One of the key considerations in this context is the ARECI Study [EU_INFSO_2008], which provides a framework for the comprehensive consideration of the relevant aspects of ICT infrastructures by introducing the “Eight Ingredients”. Another important reference is the set of six specific ICT-based services described in the EPCIP documents, which currently serve as a sub-sector definition. After careful consideration of the most relevant suggestions in this respect, we came to the conclusion that none of them can be applied directly to the subject of this study. Instead we used a synthesis of the basic ideas and adapted it into an effective approach for the specific objectives.

It is assumed that ECI rely on a set of typical IT systems, i. e. joined software systems that run on (private) application servers “somewhere” in the domain of the ECI provider (marked “internal” in Table 6). Additionally, dedicated (vital) software services are used which essentially rely on external IT systems and services, i. e. systems beyond the responsibility and domain of the ECI provider.

Another partition of the ICT sector comprises a set of typical communication systems representing services which are mainly characterised by the exchange of data, voice communication and the underlying networks. In this approach, the “internet” is regarded as a communication system on which end user services (i. e., http, ftp) are based. Some of the communication services listed in Table 6 rely on IT infrastructures within the domain of the ECI provider. Therefore, the communication service “WAN” is listed twice: WAN (private) denotes private and “self-operated” network infrastructures that are common practice in the sectors in focus, and WAN (public) relies on public communication lines.

In some sub-sectors IT systems and services rely heavily on dedicated secure private networks which themselves are based on various physical communication lines. As these networks play an important part in the communication infrastructure of some sectors, the major ones are described in more detail in sub-section 4.4.

Table 6: Categories of ICT Dependencies

Each dependency is marked in the table as “internal” (an IT system or service operated within the domain of the ECI provider) and/or “external” (beyond the responsibility and domain of the ECI provider); the clearing and settlement systems are marked as both internal and external.

IT System / Service:

• Process Control / SCADA System

• Trading System

• Clearing System (internal and external)

• Settlement System (internal and external)

• Payment System

• Messaging Service

• File Transfer Service

Communication System:

• LAN (own)

• WAN (public)

• WAN (private)

• Fixed / Landline telecommunication

• Mobile telecommunication

• Radio Communication

• Internet

• Leased line

• Satellite communication (own link)

• Broadcasting

• Secure Private Network

Qualitative ICT-Dependencies:

• HW maintenance (replacement incl.)

• SW updates and upgrades

• SW support (hotline, remote access, ...)


At this stage interdependencies between different communication services (e. g., reliance on common network backbone, mapping of WAN on fixed telecommunication lines) are neglected.

As already pointed out in section 2.2.2, qualitative ICT dependencies are also listed; these basically represent maintenance and support services provided by software and hardware producers.

For the identification of critical ICT infrastructure,

• the dependencies of critical technical objects and processes on ICT according to the above-mentioned categories have to be determined,

• direct and indirect dependencies (e. g., a process depends on a SCADA system which relies on a WAN to reach remote stations / sensors) have to be “added up”, and

• all ICT dependencies have to be assessed regarding the impact of their failure.

For this, the evaluation categories shown in Table 7 are introduced:

ICT Dependency | Description
H | High dependency
L | Low dependency
HR | High dependency and redundant system / process available
LR | Low dependency and redundant system / process available

Table 7: Evaluation Categories of ICT Dependencies

Assessing the concrete ICT dependency of a technical object or process as “H” or “L” indicates that a malfunction or breakdown of this ICT service has a high or low negative impact, respectively, on the availability of the technical object or process.

However, in most cases there are redundancies reducing the impact of a (single) failure of the object or process in question. These redundancies can vary on many levels, ranging from “hot standby” down to relatively simple degradation modes providing a minimum of functionality in emergency cases. To cover this we have introduced a simplified redundancy mode, “HR” or “LR”, to indicate that there are one or more redundant functions which replace or mitigate a malfunction of the “primary” ICT system.11

11 Here other ICT systems and processes are focussed on; redundancy within the same ICT system (e. g., redundant hardware or replication systems) is disregarded at this point (for further analysis, see section 6.2 Existing Protection Strategies - Best Practises)
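The three steps above (determine the dependencies, add up direct and indirect ones, assess the impact of failure) can be carried out mechanically over a dependency graph. The following Python code is an added illustration for this report and not part of the study. The graph is constructed loosely after the air traffic dependencies in section 4.3.1 and the SCADA/WAN chain in the bullet above, the "Weather data feed" node is invented to exercise a low dependency, and the propagation rule (the weakest link wins along a chain, the strongest result wins where several paths reach the same node) is an assumption of this example, not a rule stated by the study.

```python
from typing import Dict, List, Set, Tuple

# node -> [(depends_on, "H" or "L"), ...]; H and L are the levels of Table 7
Graph = Dict[str, List[Tuple[str, str]]]


def transitive_dependencies(graph: Graph, process: str) -> Dict[str, str]:
    """Collect every direct and indirect ICT dependency of `process` with its
    effective level. Assumed rule: along a chain the weakest link wins (a high
    dependency on a system that itself depends lowly on a WAN is a low dependency
    on that WAN); where several paths reach the same node, the strongest wins."""
    result: Dict[str, str] = {}
    visited: Set[Tuple[str, str]] = set()
    stack: List[Tuple[str, str]] = [(process, "H")]
    while stack:
        node, level = stack.pop()
        if (node, level) in visited:
            continue
        visited.add((node, level))
        for dep, edge_level in graph.get(node, []):
            effective = "L" if "L" in (level, edge_level) else "H"
            if result.get(dep) != "H":          # never downgrade an H found on another path
                result[dep] = effective
            stack.append((dep, effective))
    return result


def classify(deps: Dict[str, str], alternatives: Dict[str, Set[str]]) -> Dict[str, str]:
    """Map to the Table 7 categories: H/L, plus an R suffix when another ICT
    service can replace the one in question (redundancy provided by a different
    system, which is what footnote 11 counts; redundancy inside a system is not)."""
    return {n: lvl + ("R" if alternatives.get(n) else "") for n, lvl in deps.items()}


def single_points_of_failure(classified: Dict[str, str]) -> List[str]:
    """High dependencies without any redundant service: the ones to protect first."""
    return sorted(n for n, cat in classified.items() if cat == "H")


def air_traffic_example() -> Tuple[Dict[str, str], List[str]]:
    """Constructed graph after section 4.3.1 (illustrative, not data from the study)."""
    graph: Graph = {
        "Air traffic management process": [
            ("SCADA", "H"), ("Messaging service", "H"),
            ("Radio communication", "H"), ("Landline telecommunication", "H"),
            ("Weather data feed", "L"),            # invented low dependency
        ],
        "SCADA": [("LAN (own)", "H"), ("WAN (private)", "H")],
        "Weather data feed": [("Internet", "H")],  # H behind an L edge -> effective L
    }
    alternatives = {
        "Messaging service": {"File transfer service"},
        "Radio communication": {"Satellite communication (own link)"},
        "Landline telecommunication": {"Mobile telecommunication"},
    }
    deps = transitive_dependencies(graph, "Air traffic management process")
    classified = classify(deps, alternatives)
    return classified, single_points_of_failure(classified)


if __name__ == "__main__":
    cats, spof = air_traffic_example()
    for name, cat in sorted(cats.items()):
        print(f"{cat:3} {name}")
    print("single points of failure:", spof)
```

For the constructed graph the result is H for SCADA, LAN (own) and WAN (private), HR for the messaging, radio and landline services, and L for the weather feed and the Internet behind it; the three plain H entries are the single points of failure that the subsequent protection analysis would have to concentrate on.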


4.1 Sector Energy Infrastructures

4.1.1 Sub-sector Electricity

The frequency and load control process is based on SCADA systems which are operated from the TSO control room. In general, the SCADA system communicates with the remote objects over a WAN. In addition, these objects can also be operated locally by personnel on site, who receive information through communication lines.

The coordination process between the TSOs of the control areas mainly takes place through an “electronic highway”, which is implemented as a secure private network (see also sub-section 4.4.1). In addition, voice and e-mail communication can take place through mobile/landline telecommunication and/or the internet.

The frequency / load control processes could also be interrupted by failures in the SCADA systems, causing incorrect switching of lines and/or transformers, which might lead to overloads and cross-border cascading effects, triggering in the worst case separations of the interconnected system and black-outs. In this case, however, any cascading effects and separation of the system would occur only accidentally, because the SCADA system itself does not “know” which lines and transformers are critical in the current state of the overall system and so cannot trigger the worst case on its own. This argument covers random malfunctions; it does not cover a deliberate manipulation of the SCADA system by someone who does know the current system state.

4.1.2 Sub-sector Gas

The capacity and pressure control process is based on SCADA systems which are operated from the TSO control room. In general, the SCADA system communicates with the remote objects over a WAN or satellite links. In addition, these objects can also be operated locally by personnel on site, who receive information through communication lines.

The coordination of the capacity and pressure control process takes place through communication lines between the TSO control rooms.

Though incorrect signals may, for example, lead to the shutting down of valves or compressors, the redundancy and independence of on-site controls and sensors, in conjunction with sufficient lead times, give all control levels enough warning to prevent larger damage.

4.1.3 Sub-sector Oil

The refinery control process is based on process control systems which are operated from the refinery control room. Depending on the design, the process control systems are run separately as an isolated (island) system or are connected to open systems. In general, the process control systems are backed by separate, independent emergency shutdown systems which minimise the consequences of emergency situations.

The volume control process of pipelines is based on SCADA systems which are operated through the TSO control room. In general, SCADA works with WAN or satellite links on the remote objects. In addition, these objects can also be peripherally operated by personnel on-site who receive information through communication lines.


Due to the characteristics of the oil infrastructure, which does not constitute an interconnected network, the SCADA and communication systems are generally operated separately for each transmission pipeline and storage facility. There is no need for the coordination of volume control processes as in the electricity and gas infrastructures.

Though incorrect signals may, for example, lead to the shutting down of valves or pumps and eventually interrupt a pipeline, the redundancy and independence of on-site controls and sensors, in conjunction with sufficient lead times, give all control levels enough warning to prevent larger damage.

4.2 Sector Finance Infrastructures

The sub-sectors of the finance sector do not contribute to the ECI, as described in the finance sector models. As already described, impacts from a malfunction or disruption of the systems and processes of these sub-sectors are not expected to fall into the hazard categories large or catastrophic, although their systems and processes are of importance for the functioning of the finance sector.

4.2.1 Sub-sector Securities Transactions

As described in paragraph 3.2.1, the objects of the sub-sector securities transactions correspond to the relevant IT systems.

Any malfunction or disruption of a system immediately affects the performance of the corresponding process. Therefore the possibility of any disruption of the systems is minimised by a fully redundant system design and an architecture which guarantees high availability of the back-end systems. Furthermore, different providers of such systems exist in Europe; for example, different market places exist for trading securities.

The type of connection from a participant (e.g. another bank) to these systems can be chosen by the participant according to its needs (leased lines, Internet, …).

For the settlement systems the participants can be connected using the SWIFT network which offers a network for the exchange of transaction messages between organisations of the finance sector (see section 4.4.2 for details on SWIFTNet).

4.2.2 Sub-sector Payment Systems

In this paragraph the ICT dependencies of the payment system TARGET2 and of the systems supported by EBA-Clearing are considered. Of course each of the payment processes depends highly on the related systems. Any malfunction or disruption of a system immediately affects the performance of the corresponding process. Redundancy between two IT systems is only available if both corresponding payment systems can be used for a given payment transaction.


The overall TARGET2 system consists of two regional systems which are operated in two different regions of Europe. Each of these regional systems can operate the complete TARGET2 system on its own. At any time one of the regional systems acts as the productive (live) TARGET2 system, while the other serves as the test and training system. If the regional system acting as the productive system breaks down, the other regional system can take over without any relevant delay. In addition, the two regional systems swap the roles of productive and back-up system periodically.

For the connection of the participating banks to the TARGET2 system the SWIFT network is used (see sub-section 4.4.2 for details on SWIFTNet).

The payment systems EURO1 and STEP1 are operated by two systems at different sites. For the connection of the participating banks the payment systems EURO1 and STEP1 are using the SWIFT network.

For the payment system STEP2 of EBA-Clearing a similar architecture exists. The communication between the participating banks and the host systems of EBA-Clearing for the STEP2 system is based on the network of the Italian provider SIA-SSB, which also offers a highly available, reliable and fault-tolerant network (see sub-section 4.4.3).

The process cross-border payment in the model for the sub-sector payment systems depends highly on the payment systems TARGET2, EURO1, STEP1 and STEP2. This does not mean, however, that these systems are redundant for each other: for a given payment transaction, the nature of the transaction determines which payment system can be used.

For large cross-border payment transactions there is some redundancy between the TARGET2 system and the EURO1 system of EBA-Clearing. If two banks are participants (direct or indirect) of both systems, they can use either of these two payment systems for a payment transaction between them. Nevertheless EURO1 cannot be used in all cases as a back-up in case of non-availability of TARGET2, since TARGET2 may also be necessary for the final settlement within EURO1.

For the processing of a single payment transaction to be processed using STEP1 the banks can also use TARGET2. On the other hand the payment system STEP2 is operated for processing bulk payments. These cannot be processed by any of the other mentioned payment systems.

4.3 Sector Transport Infrastructures

The dependency of traffic control systems and processes on ICT infrastructures is very high. The dependency covers the following ICT systems:

• SCADA system used for the control process

• Messaging services, used for data transfer between control systems; they can be replaced by file transfer services.


• A LAN is usually the basis for SCADA systems used in the traffic sector

• Radio communication is a common means of data transfer between control systems and transportation means. In some cases it can be replaced by satellite communication, e. g., in air traffic.

The details of the sub-sectors are shown in following chapters.

4.3.1 Sub-sector Air Traffic

The following dependencies can be identified:

• High dependency on the SCADA system

• High dependency on the LAN system on which the SCADA system is based

• High dependency on messaging services for data transfer between control systems which can be replaced by file transfer services.

• High dependency on the radio connection to the aircraft

• The satellite connection is considered as fallback level

• Communication via landline telecommunication is the norm but can be replaced, e. g., by mobile telecommunication.

4.3.2 Sub-sector Waterways

No critical objects or processes which fulfil the hazard criteria are identified in the sub-sector waterways.

4.3.3 Sub-sector Railways

The following dependencies can be identified:

• High dependency on the SCADA system

• High dependency on the LAN system on which the SCADA system is based

• High dependency on radio communication to trains, which can often be replaced by mobile telecommunication.

4.3.4 Sub-sector Road

The following dependencies can be identified:

• High dependency on the SCADA system

• High dependency on the LAN system on which the SCADA system is based


• Low dependency on the landline telecommunication

4.4 Secure Private Network

As presented above, in various sectors core business processes depend and rely on secure private networks, which therefore have to be regarded as a main critical ICT infrastructure. To make this more tangible, three secure private networks are presented in the following sub-sections, together with their influence on critical processes.

4.4.1 Electronic Highway

Within the electricity sub-sector UCTE has established a communication network for data exchange among transmission system operators (TSOs) which is called the Electronic Highway. The principles and minimum requirements of this communication network are part of the UCTE Operation Handbook [UCTE_2004] and are detailed in a confidential document entitled “Electronic Highway Technical Reference Manual”.

The Electronic Highway is designed for the following data exchange services (which are defined and detailed within [UCTE_2004]).

• Real-time data exchange (e.g. switch / unit status, active power, voltage, alarms, ..) to help monitoring and coordinating system operation (data for real-time control application are not recommended) – primary scope and highest priority

• File transfer (e.g. transmission schedules, planning data...)

• E-Mail/Messaging for operational person-to-person or automated application-to-application data exchange

The Electronic Highway is a private network that operates under the responsibility of the member TSOs and two UCTE Network Operation Centres. It is designed as a highly available (> 99.8%), reliable and redundant network based on physical connections and dedicated communication infrastructure between the TSOs. Physical redundancy is implemented for all network components and all point-to-point connections. The Network Operation Centres are operational 24 hours a day, 7 days a week. Direct connections to the Internet are not allowed.

4.4.2 SWIFTNet

Analysis and modelling of the financial sector led to the conclusion that core business processes and the global financial market depend highly on an information and communication infrastructure, especially for and between cross-national and global market participants. The bigger financial institutions are, the more internationally linked they are.


These ICT-Dependencies exist regardless of the criticality of each process itself and existing protection strategies. Therefore the following section describes the leading global communication network provider SWIFT12 for financial institutions.13

SWIFT is a co-operative company owned by banks and financial institutions which provides the proprietary communication platform SWIFTNet and standardised messaging services (payments, treasury, securities, trade messages). This includes the secure exchange of proprietary data while ensuring its confidentiality and integrity; it excludes the management of any accounts (SWIFT is not a payment or settlement system) and funds transfer. SWIFT develops standards for financial message formats and content and cooperates with international organisations.

According to its own statements SWIFT connects more than 8,300 financial institutions and corporate customers in 209 countries and delivers millions of messages each day. SWIFTNet has a service availability of 99.998%, which corresponds to about 10.5 minutes of downtime per year.

As a large number of systemically important payment systems depend on SWIFT, the central banks of the G-10 agreed to oversee SWIFT co-operatively, with the National Bank of Belgium as lead overseer. Together with its annual reports, SWIFT publishes special reports14 that provide information about the security and reliability controls that SWIFT implements.

Technical Architecture

SWIFT operates a distributed network architecture with currently two operation centres (a third will be established in 2009). All network connections are based on a multi-vendor secure IP network using IPSec and VPN technology and relying on worldwide physical networks provided by AT&T, Colt, Orange Business Services and BT Infonet.

12 SWIFT = Society for Worldwide Interbank Financial Telecommunication
13 The following paragraphs are based on [SWIFT_2008, SWIFT_2009]
14 A service auditor's examination performed in accordance with SAS No. 70 ("SAS 70 audit") represents that a service organisation has been through an in-depth audit of its control objectives and control activities, which often include controls over information technology and related processes.

Figure 17: SWIFT Operating Centres (source: SWIFT) [figure not reproduced; labels in the figure: US, EU, Asia (new)]


Depending on customer requirements regarding performance (from fewer than 1,000 messages per day up to more than 40,000 per day) and resilience, different connectivity options (dial-up, permanent, primary, backup line, one or more network partners) are supported, which are summarised in brief in Figure 18.

Protection Strategies

According to SWIFT’s slogan “failure is not an option” the company has a strong security policy which encompasses

• Broad range of resilient client connectivity packages

• Multiple access networks and managed fully redundant backbone

• Multiple operating and customer support centres on different continents

• Business continuity plans across all operations which are tested & audited

4.4.3 SIAnet

SIAnet is a secure private network in the finance sector operated by the SIA-SSB Group, a merger of two Italian private companies15. Starting in the 1980s as an interbank network provider in Italy, it now offers, among other things, connectivity and networking services to 592 nodes, 169 of them in 22 countries. SIAnet also offers access services to SWIFTNet. According to its own statements SIAnet had a network availability of 99.99% in 2007.

As one of its major services SIA-SSB operates the EBA STEP2 system, which enables the reachability of banks in the context of SEPA wherever they are located.

15 The following paragraphs are based on [SIA_2009]

Figure 18: SWIFT multi-vendor secure IP Network (SIPN) (source: SWIFT)


Technical Architecture

SIAnet is a multi-carrier network built on multi-protocol IP network functionalities. Security is provided by encryption and virtual private networks ensuring secure end-to-end communication. The bandwidth of customer connections may vary between 2,048 and 10,240 kbit/s.

Figure 19: SIAnet Connectivity (source: SIA-SSB)


4.5 Summary of Sectoral Findings

The findings on ICT dependencies within each sub-sector can be summarised for each sector by taking the maximum over each single ICT dependency. These results are illustrated in Table 8.

Table 8: Critical ICT Dependency in Infrastructure Sectors Energy, Finance, Transport

The sectoral findings can be summarised as follows

• In the energy and transport sector, European critical infrastructures highly depend on process control / SCADA systems and underlying local area networks.

• Messaging and file transfer services are intensively used in the sub-sectors electricity and air traffic.

• The dependencies of IT systems in the sub-sector securities transaction are marked HR (high dependency and redundant system/process available), since different providers of such systems exist in Europe.

• Although there are some redundancies inside the payments sub-sector, the core business processes rely highly on dedicated IT systems and the underlying local area networks.

• In all energy sub-sectors and in the railroad sub-sector there are technical objects and processes which rely highly on wide area networks (WAN) that are provided by the CI operators themselves.

Table 8 as extracted (columns: Energy Infrastructure = Electricity, Gas, Oil; Finance Infrastructure = Securities Transaction, Payments; Transport Infrastructure = Air traffic, Waterways, Railroad, Road). Each dependency carries an internal and/or external mark (x = marked in one of the two columns, x x = marked in both). Ratings are listed left to right across the sub-sector columns; empty cells (no critical technical object / process) are omitted.

IT System / Service
x   Process Control / SCADA System: H H H H H H
x   Trading System: HR
x x Clearing System: HR H
x x Settlement System: HR H
x   Payment System: H
x   Messaging Service: H HR
x   File Transfer Service: H HR

Communication System
x   LAN (own): H H H H H H H H
x   WAN (public): H H
x   WAN (private): H H H H
x   Fixed / Landline telecommunication: LR LR LR HR L
x   Mobile telecommunication: LR LR LR HR
x   Radio Communication: HR HR
x   Internet: LR H
x   Leased line: H
x   Satellite communication (own link): LR LR L
x   Broadcasting: (none)
x   Secure Private Network: HR H H

Qualitative ICT-Dependencies
x   HW maintenance (replacement incl.): L L L L L
x   SW updates and upgrades: H H H L L L L L
x   SW support (hotline, remote access, ...): H H H L L L

Legend: H = high dependency, L = low dependency, suffix R = redundant system / process available (e.g. HR), blank = no critical technical object / process.


• The finance sector and the electricity sub-sector highly rely on specialised secure private networks which offer connection and messaging services within the regarded sub-sector.

• The transport sub-sectors air traffic and railroad highly depend on radio communication. However, these systems are operated by the sub-sectors themselves (no public infrastructure) and are used redundantly with other communication systems, either fixed or mobile telecommunication.

• Apart from local area networks, the communication systems within the finance sector rely completely and highly on secure public networks or on network connections offered by professional telecommunication providers.

The energy sector also relies highly on third-party support, i. e. software updates and upgrades, hotlines and remote access support.

Between sectors as well as between sub-sectors (except the finance sub-sectors) no direct ICT dependencies were found which influence the proper operation of ECI16. Within the finance sector the proper functioning of SWIFT and its underlying physical network structures is indispensable for core financial business processes (which are not regarded as ECI).

16 At a lower level inter-sector ICT dependencies occur in regional energy control rooms, as the delivery of electricity and gas is managed by the same ICT systems (i. e. no large or cross-border impacts).


5 Relevant Risks, Threats and Vulnerabilities

5.1 Overview

Although the relevant risks, threats and vulnerabilities of critical information infrastructure (CII), and the methods for securing critical national information infrastructure, prove to be similar across the EU, the individual member states use their own approaches, institutions and initiatives, with specific national connotations, to handle this problem.

The European Network and Information Security Agency (ENISA) was founded in 2004 to enhance European coordination on information security. ENISA assists the EU Commission, the member states and, consequently, the business community in meeting the requirements of network and information security, including present and future EU legislation.

ENISA, as an independent Europe-wide platform, is uniquely positioned to provide advice and assistance to member states in enhancing their network and information security capabilities. The agency supports an open multi-stakeholder dialogue and, for that reason, maintains close relations with industry, academia and users. Its work programmes include several deliverables, e. g. a “Who is Who Directory on Network and Information Security” with contact information for the authorities acting in the field of network and information security in the member states, and an inventory of CERT activities in Europe. Furthermore ENISA organises workshops for the circulation and dissemination of good practices in the member states, defines customised information packages, including good practices for specific target groups, and issues a quarterly newsletter, the “ENISA Quarterly”.

ENISA’s key publications are “Protecting Europe’s Citizens against Cyber Attacks” 2008, “Stock Taking of Regulatory and Policy measures related to the Resilience of public eCommunications Networks” 2008 and “PSG Vision for ENISA” 2006. Its work program 2008 describes the multi-annual thematic programs, horizontal activities, provision of advice and assistance and administrative activities of the European Network and Information Security Agency. ENISA intends to leverage existing national and EU activities and to avoid duplication of efforts while maximising results. Such European activities are the IST-FP6 Research for Critical Information Infrastructure Protection (CIIP), the Competitiveness and Innovation Program (CIP), the ICT priority in the 7th Research Framework Program and the IDABC program.

After this identification of vital governmental efforts to protect critical information infrastructure, a short briefing follows on the CIIP practice in several EU member states that put a fair amount of effort into cyberspace security:

In France, the decree on the protection of essential economic sectors within the context of the Vigipirate plan (the French alert system), which upgrades the regulations concerning vulnerabilities by harmonising the inter-agency approach of the state, was passed by the French Government in 2006.

While the overall responsibility for organising CIP rests with the Secretary-General of National Defence (attached to the Prime Minister’s Office), the key organisations responsible for CIIP are the Central Directorate for Information System Security (DCSSI), the Inter-Ministerial Commission for Security of Information Systems (CISSI) and the Advisory Office on behalf of the Ministry of Defence, and the “Central Office for the Fight Against Hi-Tech Crime” within the Ministry of the Interior.

In 1997 the DCSSI developed the guide “Expression of the Needs and Identification of Security Objectives” (EBIOS). In 2003 the SGDN generated the “State Information System Security Reinforcement Plan” to secure the main central and local governmental networks and those used for the management of vital infrastructure. The 2002 “Plan for a Digital Republic within the Information Society” provided new impetus for the information society by focusing on the efficient development and use of an ICT infrastructure. The “Defence and National Security White Paper” of 2008 outlines not only the French military strategy until 2020 but also the strengthening of satellite surveillance and of ICT in general in order to prevent cyber attacks.

In Germany CIP is treated as a comprehensive, whole-of-government issue. In accordance with the German constitution and federal organisation, the general coordination of CIP activities at federal level17 rests with the Federal Ministry of the Interior (BMI), together with several of its subordinate agencies, such as the Federal Office for Information Security (BSI) with its subordinate CERT-Bund, the Federal Office of Civil Protection and Disaster Assistance (BBK), the Federal Criminal Police Office (BKA) and the Federal Police (BPOL).

In 2005 the German Government initiated the “National Plan for Information Infrastructure Protection” (NPSI), the “Baseline Protection Concept of Critical Infrastructure” [BMI_BPC_2005], the “CIP Implementation Plan” and the “IT Security Guidelines”. NPSI is the federal government’s umbrella strategy for a comprehensive approach towards the protection of ICT and ICT dependent assets, strengthening IT security in the nation’s IT-dependent infrastructures and enabling swift responses to IT-related crises. The baseline protection concept provides guidance for the analysis of potential hazards such as terrorist attacks, criminal acts, and natural disasters, as well as recommendations for companies on adequate protective measures.

The “IT-Grundschutz Catalogues” [BSI_GS_Cat_2008], developed by the BSI in 2005, can serve as the basis document for IT systems and applications requiring a high degree of protection. Furthermore, since 2007 the BSI has regularly published the “IT Security Situation” report [BSI_Lage_2007; BSI_Lage_Q1_2008; BSI_Lage_Q4_2008; BSI_Lage_2009], which describes the current state of IT security in Germany, provides an overview of current and future risks, challenges and trends, and permits their categorisation and evaluation.

In the Netherlands CII has always been perceived as a crucial issue of national security, and its protection is regarded as a mutual responsibility of the public and the private sector.

The Ministry of the Interior and Kingdom Relations (BZK), with its General Intelligence and Security Service (AIVD), has the general responsibility for CIP and is concerned with the protection of the government information infrastructure. Public-private partnerships play a crucial role in CIP and CIIP in the Netherlands. Public-private co-operation within the “Critical Infrastructure Protection Project” gained further importance with the official establishment of the Strategic Board for CIP (SOVI). Furthermore, there are the National Advisory Centre for Critical Infrastructures (Nationaal Adviescentrum Vitale Infrastructuur, NAVI), the National Infrastructure against Cyber-Crime (NICC) and the National Continuity Consultation Platform Telecommunication (NCO-T).

17 Subsidiary responsibilities and liabilities at federal state level are not considered in this study.

The key CIIP documents are BITBREUK (“In Bites and Pieces”) and the KWINT report (“Vulnerability of the Internet – Working Together for Greater Security and Reliability”). The follow-up of the KWINT programme, called Veilige Elektronische Communicatie (VEC), is designed as a public-private partnership under the responsibility of the Ministry of Economic Affairs and runs until 2009.

In 2002 the Dutch government initiated the critical infrastructure protection project “Protection of the Dutch Critical Infrastructure”, developing an integrated set of measures to protect the infrastructure of government and industry, including ICT. The Dutch cabinet has drawn up a “National Security Strategy and Work Program for the years 2007–2008”. The strategy pursues an all-hazards approach and aims at a more coordinated and integrated approach to national security. In 2008 ICT failure was one of the issues addressed within the National Security Strategy: a project called “ICT verstoring” (ICT disruption) was initiated in which the relevant private and public parties co-operate in a government-wide analysis and risk assessment of ICT.

In Switzerland critical infrastructures are subdivided into 31 sub-sectors. Swiss CIIP is based on a four-pillar model for information assurance; all four principles (prevention, early recognition, crisis management, technical problem solving) must be taken into account to achieve a complete and strong CIIP system.

One of the main CIIP bodies in Switzerland is the Federal Strategy Unit for Information Technology (FSUIT). It is part of the Swiss Federal Department of Finance (FDF) and is charged with preparing instructions, methods and procedures for the federal administration’s information security. The Federal Office of Communications (OFCOM) is the main regulatory body in the field of telecommunications and ICT in Switzerland. The Federal Office for National Economic Supply (NES), which includes the ICT Infrastructure Unit, reports to the Swiss Federal Department of Economic Affairs. Furthermore there are the InfoSurance Association and the ICT Infrastructure Unit (ICT I). The first concept of information assurance was elaborated by the “Information Society Coordination Group” (ISCG) in 2000.

Two strategic exercises were crucial for the development of Swiss protection policies in the field of information security:

• “Strategic Leadership Exercise” in 1997 (SFU 97): The exercise dealt with the revolution in information technologies and related challenges to modern society, politics, economics, and finance, as well as to other critical sectors.

• “Strategic Leadership Training” in 2001 included the three-day exercise INFORMO 2001 to train a newly-established Special Task Force on Information Assurance.


Critical infrastructures in the United Kingdom are divided into ten sectors. In the UK the main responsibility for CIIP lies with the Home Secretary; however, CIIP policy is developed and delivered by several government departments and bodies including the Centre for the Protection of National Infrastructure (CPNI), the Central Sponsor for Information Assurance (CSIA), the Civil Contingencies Secretariat (CCS), the Cabinet Office Security Policy Division, the Home Office and the Government Communications Headquarters (GCHQ). Responsibility for the provision of advice on the physical protection of the CNI is shared between CPNI, the Security Service and the police. CSIA is in charge of the UK’s broader information assurance strategy, which deals with all aspects of the information society. The responsibility for coordinating the government’s contingency and emergency response effort (regardless of the cause of the disruption) lies with the CCS.

The Department for Business, Enterprise and Regulatory Reform (BERR) is a United Kingdom government department which works together with industry to raise awareness of information security issues, to provide guidance on best practice and to promote the development of solutions. In 2008 BERR published the Information Security Breaches Survey [BERR_2008].

The UK government aims to protect the CNI from two kinds of threats: physical attacks against physical installations and electronic attacks against computers or communications systems. For this purpose it has developed the “Information Assurance Strategy” (IA). Following a data security incident in 2007, the UK began to shift its focus towards greater transparency, increased monitoring, improved guidance and better mandatory training in data security; to this end the government initiated the “Poynter Review” and the “Burton report”.

To conclude this overview the following sub-section mainly refers to approaches, analysis and publications issued by the Federal Office for Information Security (BSI) [BSI_ITGM_2005, BSI_GS_Cat_2008, BSI_Lage_2009, BSI_Lage_2007; BSI_Lage_Q1_2008].

5.2 ICT-Threats

As introduced in section 2.2.3, the analysis of relevant ICT threats for the “critical” ICT infrastructure extracted from the current ECI proceeds in two phases. Firstly, current ICT threats are identified and separated from all generally existing threats in order to focus on essential vulnerabilities. Secondly, these ICT threats are “mapped” onto the IT and communication systems identified as critical, in order to narrow down the relevance of each ICT threat or ICT threat category.

5.2.1 Current ICT Threats

As the overview above points out, there are many activities, publications and ongoing initiatives concerning critical information infrastructures. Commensurate with its mandate, structure and resources, ENISA relies on a European network and therefore on the work and results published by national information security agencies.


For the purpose of this study basic input is required which combines a consistent and structured approach to tackling ICT threats with up-to-date research, monitoring and publications on current ICT developments. Both can be found in the publications issued by the German Federal Office for Information Security (IT-Grundschutz, [BSI_ITGM_2005, BSI_GS_Cat_2008]), which provide an approach ranging from a first risk analysis of an IT system up to the attainment of an ISO 27001 certificate for the security management system. Furthermore, the BSI continuously observes worldwide developments in ICT security, analyses and evaluates new ICT trends, especially regarding IT security aspects, and regularly publishes them in its “IT security situation” reports [BSI_Lage_2009, BSI_Lage_2007, BSI_Lage_Q1_2008, BSI_Lage_Q4_2008].

The following paragraphs mainly refer to these publications.

The aim of IT-Grundschutz is to achieve a security level for IT systems that is reasonable and adequate to satisfy normal protection requirements and that can also serve as the basis for IT systems and applications requiring a high degree of protection. It contains detailed descriptions of threats, grouped into five catalogues:

Catalogue                     Number of threats18
Force majeure                  17
Organisational shortcomings   122
Human error                    86
Technical failure              66
Deliberate acts               143

Table 9: Threat Catalogues and single ICT Threats (source: BSI)

For the purpose of this study it is necessary and advisable to refer to the current situation, i. e. current and future ICT risks, challenges and trends, which also permit a categorisation and evaluation. Examples of trends in ICT security are illustrated in Table 10.

Threat                        Trend     Technology                 Forecast
Bot-nets                      ↑         Voice over IP              →
DDoS attacks                  ↑         Mobile data transfer       ↑
Software faults / defects19   ↗         Web 2.0                    ↑
Spam                          ↑         SCADA                      ↑
Malware                       ↑         DNS                        ↑
Phishing, ID theft            ↑         Network link elements20    ↑

(↑ = rising, ↗ = moderately rising, → = stable)

18 Last updated in 2008
19 E.g. zero-day exploits, drive-by downloads

Table 10: Threat Trends and Risk Potential of Innovative Technologies (source: BSI)

The combination of these approaches leads to a practical and meaningful appreciation of current ICT threats and their main causes (see Table 9) for the purpose of this study. For a better understanding, threats are grouped into threat clusters analogous to the taxonomy of [BSI_Lage_2007; BSI_Lage_2009]. Annex A.6 contains a comprehensive list of current ICT threats, which is used for a detailed analysis of the identified ICT-dependent critical infrastructures.

In the following paragraphs current ICT threats and their causes are briefly summarised.

5.2.1.1 Email Misuse

Threats via e-mail are caused deliberately, either by overloading or by misuse of e-mail services and active content.

5.2.1.2 Hacking

Deliberate hacking activities are widespread, such as IP or DNS spoofing and masquerading. There is a black market for spying and espionage software.

5.2.1.3 Insider Attacks

Serious threats are caused by employees and other internal people (e.g. service providers) abusing user rights, manipulating data or software, or deliberately granting the use of components, access rights etc. to third parties.

5.2.1.4 Malware

This category includes all deliberate acts involving malicious code, such as virus attacks, Trojan horses etc.

20 E.g. routers, switches


5.2.1.5 Threats via Mobile & Remote Access

The increasing use of mobile devices and of remote access to central IT systems leads to a wide spread of ICT threats due to force majeure, organisational shortcomings (e. g. missing patch and change management), technical failures such as inadequate security mechanisms, and various premeditated attacks.

5.2.1.6 Network Threats

Extending networks, especially through WLANs, adds at least 12 new ICT threats covering all threat categories. Special attention should be paid to man-in-the-middle attacks and the hijacking of network connections.

5.2.1.7 Organisation

The use of new technologies must be accompanied by new and effective rules and IT security safeguards, which need to be developed, issued and monitored by competent personnel. Such organisational shortcomings do not entail new ICT threats in themselves, but they substantially increase risks and possible vulnerabilities.

5.2.1.8 Sabotage

Deliberate threats that manipulate or corrupt, among other things, technical infrastructures in order to inflict damage.

5.2.1.9 Deficiencies of (COTS) Software

The speed of progress and change in ICT technologies leaves many technical failures and deficiencies in software products and applications (software vulnerabilities, conceptual errors, undocumented functions, etc.). These deficiencies are the basis for countless and increasing zero-day attacks.

5.2.1.10 User Unawareness

Besides insider attacks (sub-section 5.2.1.3) there are diverse threats caused by the negligent handling of passwords and other confidential data, or simply by user errors. Further threats result from IT security measures that are insufficiently accepted or not complied with.


5.2.1.11 Threats via VoIP

Voice over IP is another upcoming technology which raises many new threats caused by human errors (incorrect configuration), technical failures (failures and malfunctions) and deliberate acts (SPIT, i. e. spam over internet telephony, and vishing, i. e. voice phishing).

5.2.2 Relevant ICT Threats and Vulnerabilities

In this section the analysis focuses on “critical” ICT, that is, as presented in chapter 3.2, the IT and communication systems on which critical processes highly depend and rely. These “critical” ICT systems are “mapped” onto the relevant ICT threats mentioned above in order to evaluate current vulnerabilities and probabilities, bearing in mind existing protection strategies. Where applicable, the vulnerability of each IT and communication system to a single ICT threat and the probability of that threat are estimated and grouped into the categories high, medium and low. From the combination of these two values a common risk estimate is derived according to Table 11.

Risk category (rows: vulnerability, columns: probability):

Vulnerability \ Probability    H         M         L
H                              high      high      medium
M                              high      medium    low
L                              medium    low       low

Where a threat is not applicable to a system, no vulnerability or probability is estimated and no risk category is assigned.

Table 11: Risk Categories resulting from Vulnerability and Probability Estimation

At this point it has to be pointed out that the following statements are based on our own knowledge and research as well as on estimates discussed with selected stakeholders. They are not the result of a complete risk assessment, which would exceed the scope of this study.
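The estimation procedure of this section, as an added worked example that is not part of the study: the matrix of Table 11 is encoded as an explicit lookup, a threat that is not applicable to a system yields no category, and the per-cluster maximum over all critical systems of a sub-sector gives the kind of ranking used in the sector summaries. The systems, threat clusters and H/M/L ratings in the sample are constructed for illustration and are not taken from the study's data.

```python
"""Risk estimation per Table 11: vulnerability x probability -> risk category.

Added example, not part of the study. The systems, threat clusters and
ratings in SAMPLE_ESTIMATES are constructed to illustrate the procedure.
"""

LEVELS = ("L", "M", "H")  # ordinal scale used for both estimates

# Table 11 as an explicit lookup: (vulnerability, probability) -> risk category.
RISK_MATRIX = {
    ("H", "H"): "high",   ("H", "M"): "high",   ("M", "H"): "high",
    ("H", "L"): "medium", ("L", "H"): "medium", ("M", "M"): "medium",
    ("M", "L"): "low",    ("L", "M"): "low",    ("L", "L"): "low",
}

RISK_ORDER = {"high": 3, "medium": 2, "low": 1}


def risk_category(vulnerability, probability):
    """Return 'high', 'medium' or 'low', or None when the threat is not
    applicable (one of the estimates is missing). Values outside the
    H/M/L scale are rejected rather than silently mapped."""
    if vulnerability is None or probability is None:
        return None
    if vulnerability not in LEVELS or probability not in LEVELS:
        raise ValueError(f"estimate must be one of {LEVELS}")
    return RISK_MATRIX[(vulnerability, probability)]


def rank_threat_clusters(estimates):
    """estimates: {system: {threat_cluster: (vulnerability, probability)}}.
    Returns {threat_cluster: highest risk category over all systems},
    skipping not-applicable pairs, ordered from highest to lowest risk."""
    worst = {}
    for threats in estimates.values():
        for cluster, (vuln, prob) in threats.items():
            cat = risk_category(vuln, prob)
            if cat is None:
                continue  # threat not applicable to this system
            if cluster not in worst or RISK_ORDER[cat] > RISK_ORDER[worst[cluster]]:
                worst[cluster] = cat
    return dict(sorted(worst.items(), key=lambda kv: -RISK_ORDER[kv[1]]))


# Constructed estimates for a hypothetical electricity TSO (illustrative only).
SAMPLE_ESTIMATES = {
    "SCADA / process control": {
        "organisation": ("H", "M"),
        "insider attacks": ("M", "L"),
        "malware": ("L", "L"),
        "threats via VoIP": (None, None),  # not applicable: no VoIP on the control network
    },
    "private WAN": {
        "organisation": ("M", "M"),
        "network threats": ("M", "L"),
        "sabotage": ("L", "M"),
    },
    "SW support (remote access)": {
        "threats via mobile & remote access": ("M", "L"),
        "insider attacks": ("M", "L"),
    },
}

if __name__ == "__main__":
    for cluster, cat in rank_threat_clusters(SAMPLE_ESTIMATES).items():
        print(f"{cluster:40s} {cat}")
```

The matrix is symmetric in its two inputs and is equivalent to summing the ordinal values (H = 3, M = 2, L = 1) and thresholding at 5 for high and 4 for medium; the explicit lookup is kept so that the code matches Table 11 cell by cell. With the constructed sample the organisation cluster comes out as the only high risk and the deliberate-act clusters as low, which is the shape of the energy-sector summary that follows.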


5.2.2.1 Sector Energy Infrastructures

Within the whole energy sector, the analysis and estimation of vulnerabilities and probabilities concentrates on those ICT systems that are closely related to the identified critical processes. ICT threats affecting “normal” corporate systems and networks that are not identified as critical are therefore ignored.

Sub-sector Electricity

This sub-sector is widely based on a private, non-public network architecture, which reduces vulnerability to a high degree.

The SCADA systems are also highly customised and at present are not yet based on commodity IT platforms. This reduces common risks.

On the other hand there are many vulnerabilities exploitable by people with the corresponding access and access rights. In this context organisational shortcomings and deliberate acts by staff or third parties (such as service providers) therefore cause the main risks.

Sub-sector Gas and Oil21

As in the electricity sub-sector, non-public network architectures are used and the SCADA systems are highly customised, which reduces many ICT threats.

Again the main risks can be caused by staff or third parties (such as service providers) with the corresponding access and access rights, in the case of organisational shortcomings and deliberate acts.

Summary Energy Infrastructures

On the whole there are only a few risks regarding the ICT components on which ECI highly rely. If not properly addressed, the highest risks are seen in organisational shortcomings such as the lack of, or insufficient, rules and procedures, insufficient monitoring of IT security measures, or disturbance of business processes as a result of IT security incidents.

Lower risks can be identified in the threat clusters insider attacks, threats via mobile and remote access, network threats and sabotage, which are all caused by deliberate acts. A lack of the necessary user awareness can also be identified as a lower risk, as this may lead to failures caused by human errors as well as by deliberate acts.

Again it should be noted that all these statements give a general risk survey which already takes existing protection strategies into account.

21 As the analysis results of the sub-sectors gas and oil do not differ at this stage, they are merged in this section.


5.2.2.2 Sector Finance Infrastructures

From a theoretical point of view, all threats discussed in this report also apply to the ICT infrastructure of the finance sector. But, as pointed out in sections 3.2 and 4.2 of this report, there is no “critical” ICT as identified in the other sectors. Therefore no estimate of risks and vulnerabilities has been compiled.

5.2.2.3 Sector Transport Infrastructures

As in the energy sector, the analysis and estimation of vulnerabilities and probabilities in the transport sector concentrates on those ICT systems that are closely related to the identified critical processes. ICT threats affecting “normal” corporate systems and networks that are not identified as critical are therefore ignored.

Sub-sector Air Traffic

The SCADA systems of air traffic management are based on different networks with several fallback levels as a protection strategy. This makes the whole network of SCADA systems in this sub-sector relatively reliable.

In the whole sub-sector the main risk is human error at different levels. The high complexity of air traffic processes and heavy air traffic, combined with human errors, can cause severe casualties.

Sub-sector Railways

The railways sub-sector is based on a non-public network with clear interfaces for transnational communication. This reduces vulnerability at the technical level. In the whole sub-sector the main risk is human error at the SCADA level. Deliberate acts on outside facilities which are accessible to the public (e.g. cables to signals or switches) could cause some harm.

Sub-sector Roads

The SCADA systems in this sub-sector with international impact are designed in one of two ways:

• Two SCADA systems are installed on both ends of the road section (e.g. tunnels). In this case an external network is necessary for the communication.

• A single SCADA system is responsible for the road section. In this case the SCADA system is based on a LAN.

In both cases the technical vulnerability is not very high. On the whole, the main risks in this sub-sector are human errors.


Summary Transport Infrastructures

Human errors are the main contributors to risks in the transport infrastructures. Lower risks can be identified in organisational shortcomings. Other threats are not very likely or of lower impact. Main reasons for this are:

• Current SCADA systems are tested intensively

• Many protection strategies like redundancy etc. are implemented.

• Several standards and guidelines were released for the subsectors

• The ICT infrastructure for SCADA systems is based on networks which are mostly very reliable.


6 Existing Protection Strategies

6.1 Standards

The protection of ICT systems against related threats is the subject of many standards established worldwide. The scope of those standards ranges from very generic ones, defining basic protection principles and strategies, to extremely detailed ones addressing individual systems or specific applications. Thus it can be stated that a huge variety of solutions against more or less all kinds of threats is available.

On the other hand it must be taken into account that ICT and the related threats are changing rapidly, so that many protection concepts become obsolete quickly. Therefore all protection strategies and measures must be reviewed ever more frequently.

In the subsequent sections an overview is given of the most important standards in the context of this study. It is important to note that typically a set of standards with different levels of abstraction must be applied for specific applications. To make this (rather huge) set of individual requirements applicable, the selected public standards are tailored to one (or a few) private standard(s) for the purposes of an organisation and/or (a family of) IT products.

Before IT-related security standards are addressed in detail, a short introduction is given to related overall standards to which many of the IT security standards refer.

• ISO/IEC 9000 ff Quality Management

is a generic name given to a family of standards developed to provide a framework around which a quality management system can effectively be implemented.

The ISO 9000 family of standards represents an international consensus on good quality management practices. It consists of standards and guidelines relating to quality management systems and related supporting standards.

Standard    Standard Title
ISO 9000    Quality Management Systems - Fundamentals and vocabulary
ISO 9001    Quality Management Systems - Requirements
ISO 9004    Quality Management Systems - Guidelines for performance improvement
ISO 19011   Guidelines on Quality and Environment Management Systems Auditing

ISO 9000 should ensure consistency and improvement of working practices, which in turn should provide products and services that meet customers' requirements. ISO 9000 is the most commonly used international standard that provides a framework for an effective quality management system.

• ISO/IEC 20000 IT Service Management

ISO/IEC 20000 is the first worldwide standard specifically aimed at IT Service Management. It describes an integrated set of management processes for the effective delivery of services to the business and its customers. ISO/IEC 20000 consists of two parts: ISO/IEC 20000-1:2005 is the formal Specification and defines the requirements for an organisation to deliver managed services of an acceptable quality for its customers. ISO/IEC 20000-2:2005 is the Code of Practice and describes the best practices for Service Management processes within the scope of ISO/IEC 20000-1. The Code of Practice will be of particular use to organisations preparing to be audited against ISO/IEC 20000 or planning service improvements.

• BS 25999 Business Continuity Management

is a standard from the British Standards Institution in the field of Business Continuity Management (BCM). "BS 25999-1:2006 Business Continuity Management. Code of Practice" takes the form of general guidance and seeks to establish processes, principles and terminology for Business Continuity Management. "BS 25999-2:2007 Specification for Business Continuity Management" specifies requirements for implementing, operating and improving a documented Business Continuity Management System (BCMS), describing only requirements that can be objectively and independently audited.

• ISO/PAS 22399:2007 Societal security – Guideline for Incident Preparedness and Operational Continuity Management.

ISO/PAS 22399:2007 presents the general principles and elements for incident preparedness and operational continuity of an organization. It describes a holistic management process that identifies potential impacts that threaten an organization and provides a framework for minimizing their effect. ISO/PAS 22399:2007, however, excludes specific emergency response activities following an incident, such as disaster relief and social infrastructure recovery that are primarily to be performed by the public sector in accordance with relevant legislation.

• NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity Program

This NFPA 1600, Standard on Disaster/Emergency Management and Business Continuity Programs, was prepared by the Technical Committee on Emergency Management and Business Continuity. It was issued by the Standards Council on December 1st, 2006, with an effective date of December 20th, 2006. This NFPA 1600 was approved as an American National Standard on December 20th, 2006.

6.1.1 Generic IT Security Standards

The generic standards listed below can be considered a basic framework which applies to all specific IT security protection measures and is referenced by most of the more detailed, sector- or sub-sector-specific standards.

• ISO/IEC 27000 ff – Information Security Management System

The ISO/IEC 27000 series provides best practice recommendations on information security management, risks and controls within the context of an overall Information Security Management System (ISMS), similar in design to management systems for quality assurance (the ISO 9000 series) and environmental protection (the ISO 14000 series).


The series is deliberately broad in scope, covering more than just privacy, confidentiality and IT or technical security issues. All organizations are encouraged to assess their information security risks, and then implement appropriate information security controls according to their needs, using the guidance and suggestions where relevant. Given the dynamic nature of information security, the ISMS concept incorporates continuous feedback and improvement activities, summarized by Deming's "plan-do-check-act" approach, that seek to address changes in the threats, vulnerabilities or impacts of information security incidents.

Standard             Standard Title
ISO/IEC 27001:2005   Information technology – Security techniques – Information security management systems requirements specification
ISO/IEC 27002:2005   Information technology – Security techniques – Code of practice for information security management
ISO/IEC 27005        Information technology – Security techniques – Information security risk management
ISO/IEC 27006:2007   Information technology – Security techniques – Requirements for bodies providing audit and certification of information security management systems

• ISO 15408 – Common Criteria for Information Technology Security Evaluation

ISO/IEC 15408 is an international standard for computer security certification and is known as the Common Criteria for Information Technology Security Evaluation (CC). The CC is a framework in which computer system users can specify their security requirements, vendors can then implement and/or make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine whether they actually meet the claims. The CC provides assurance that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous and standard manner.

• BSI 100 – Information Security and IT-Grundschutz

The BSI Standards contain recommendations by the Federal Office for Information Security (BSI) on methods, processes, procedures, approaches and measures relating to information security.

BSI-Standard   Standard Title
100-1          Information Security Management Systems: defines the general requirements for an Information Security Management System (ISMS). It is completely compatible with ISO standard 27001 and moreover takes the recommendations in the ISO standards of the ISO 2700x family into consideration.
100-2          IT-Grundschutz Methodology: provides a detailed description of how to produce a practical security concept, how to select appropriate security safeguards, what is important when implementing the security concept, and how to maintain and improve information security in ongoing operation.
100-3          Risk Analysis based on IT-Grundschutz: contains standard security safeguards required in the organisational, personnel, infrastructure and technical areas that are generally appropriate for normal security requirements and to protect typical information domains.
100-4          Business Continuity Management: describes a systematic way to establish a Business Continuity Management ensuring the continuity of business operations.

• BSI BPC – Baseline Protection Catalogues

The IT Baseline Protection Catalogues (IT-Grundschutz-Kataloge) are a collection of documents from the German Federal Office for Security in Information Technology, useful for detecting and combating security-relevant weak points in the IT environment (IT cluster). IT baseline protection encompasses standard security measures for typical IT systems.

• ISO/IEC 13335-1:2004 – Security techniques – Management of Information and Communications Technology Security

ISO/IEC 13335-1:2004 presents the concepts and models fundamental to a basic understanding of ICT security, and addresses the general management issues that are essential to the successful planning, implementation and operation of ICT security.

• ISO/IEC 10181 – Information Technology – Open Systems Interconnection – Security Frameworks for open Systems

ISO/IEC 10181 specifies a general framework for the provision of access control. The purpose of access control is to counter the threat of unauthorised operations involving a computer or communication system.

• ISO/IEC 10164: Information technology – Open Systems Interconnection – Systems Management

ISO/IEC 10164 establishes the user requirements for the service definition needed to support the security alarm reporting function, defines the service provided by that function, specifies the protocol necessary to provide the service, defines the relationship between the service and management notifications, defines the relationships with other systems management functions, and specifies conformance requirements. The security alarm reporting function is a systems management function which may be used by an application process in a centralised or decentralised management environment to exchange information for the purpose of systems management. ISO/IEC 10164 also describes a model and management information for the creation and administration, by a remote manager, of activity schedules for management activity, e.g. schedules for performance data collection and scheduled or routine tests.

• ISO/IEC 10736: Information technology – Telecommunications and Information Exchange Between Systems – Transport Layer Security Protocol


ISO/IEC 10736 defines the transport layer security protocol, but it does not specify the management functions and protocols needed to support this security protocol. It provides a protocol which may be used for security association establishment and specifies one algorithm for authentication and key distribution which is based on public key cryptosystems. The cryptographic protocols defined in ISO/IEC 10736 provide security and data integrity for communications over networks such as the Internet.

• ISO/IEC 10745: Information technology – Open Systems Interconnection – Upper layers security model

ISO/IEC 10745 defines a model for security in the upper layers of Open Systems Interconnection (OSI), the logical framework for standards for computer networks and data communication, that provides a basis for the development of application-independent services and protocols; in particular it specifies the security aspects of communication in the upper layers of OSI. These layers help to divide the different tasks of communication and data transfer within the network into subtasks; together they complete one cycle of communication between networks.

• ISO/IEC 11770: Information technology – Security techniques – Key management

ISO/IEC 11770 is concerned with the management of cryptographic keys and defines a general model of key management based on asymmetric cryptographic techniques that is independent of the use of any particular cryptographic algorithm. It also identifies the objectives of key management, basic concepts and key management services. ISO/IEC 11770-2:2008 specifies a series of 13 mechanisms for establishing shared secret keys using symmetric cryptography.

• ISO/IEC 11577:1995 Information technology – Open Systems Interconnection – Network layer security protocol

ISO/IEC 11577 specifies a protocol to be used by End Systems and Intermediate Systems in order to provide security services in the Network layer, which is defined by CCITT Rec. X.213, ISO/IEC 8348 and ISO 8648. The protocol defined therein is called the Network Layer Security Protocol (NLSP).

• ISO 18014: Information technology – Security techniques – Time-stamping services

ISO/IEC 18014 specifies time-stamping techniques. It consists of three parts (the framework, mechanisms producing independent tokens, and mechanisms producing linked tokens), which together cover the general notion, models for a time-stamping service, data structures, and protocols.

6.1.2 Sector-Specific IT Security Standards in Energy Infrastructures

Most of the IT security standards specific to the energy sector are devoted to the electricity sub-sector, covering the IT security aspects of SCADA systems and their communication with substations or other remote systems.


The US “NERC CIP” standards are considered in this respect as a new reference, setting compliance criteria to be met by SCADA vendors acting on the US market. There are some test sites in the US, e.g. the Idaho National Laboratory, providing related compliance tests. Similar activities have recently been started in Europe at the Joint Research Centre in Ispra, Italy, as part of the ERN CIP Initiative of the European Commission.

A typical set of standards applied for SCADA systems within the energy sector is shown subsequently and demonstrates how standards with different levels of abstraction are combined to cover all relevant aspects of an IT security protection strategy for a specific set of applications. It is important to note that, as indicated above, the content of the considered standards must be tailored to the purposes of an organisation and/or (a family of) IT-products.

• IEEE 1402 Guide for Electric Power Substation Physical and Electronic Security

IEEE 1402 identifies and discusses security issues related to human intrusion upon electric power supply substations. Various methods and techniques presently being used to mitigate human intrusions are also presented in this guide.

• IEC 62210 Initial Report from IEC TC 57 ad-hoc WG06 on Data and Communication Security

IEC 62210 applies to computerised supervision, control, metering, and protection systems in electrical utilities. It deals with security aspects related to the communication protocols used within and between such systems, and with the access to and use of the systems. It discusses realistic threats to the system and its operation, the vulnerability and the consequences of intrusion, and actions and countermeasures to improve the current situation.

• IEC 62351 – Data and Communication Security

Many of the new work items currently under development by IEC TC 57 WG 15 are incorporated into the IEC 62351. The standard establishes the requirements needed to ensure the security of the electronic exchange of information needed to support the reliable operation of power systems. The IEC 62351 standard proposes a mechanism for securing the DNP3 and ICCP protocols.

• NERC Security Guidelines for the Electricity Sector

The Guideline addresses potential risks that can apply to Electricity Sector Organizations and provides practices that can help mitigate the risks. Each organization decides the risk it can accept and the practices it deems appropriate to manage its risk. These guidelines are intended to assist the electricity sector respond effectively to a spectrum of threats ranging from simple trespassing to dedicated acts of terror and sabotage by perpetrators whose actions may be cyber or physical in nature.

The guidelines describe general approaches, considerations, practices, and planning philosophies in each of the following areas:

- Security Guidelines Overview

- Vulnerability and Threat Assessment


- Threat Response

- Emergency Plans

- Continuity of Business Practices

- Communications

- Physical Security

- Cyber Security

- Risk Management

- Access Controls

- IT Firewalls

- Intrusion Detection

- Employment Background Screening

- Protecting Potentially Sensitive Information

• NERC 1200 Urgent Action Standard 1200 – Cyber Security

The NERC 1200 is a temporary standard to establish a set of defined security requirements related to the energy industry and to reduce risks to the reliability of the bulk electric systems from any compromise of critical cyber assets. The standard is intended to ensure that appropriate mitigating plans and actions are in place, recognizing the differing roles of each participant in the wholesale market and the differing risks being managed. NERC 1200 applies to entities performing various electric system functions. The standard applies to the existing entities (such as control areas, transmission owners and operators, and generation owners and operators) that are currently performing the defined functions.

• NERC 1300 – Cyber Security (CIP-002-1 – CIP-009-1)

NERC Standards CIP-002 through CIP-009 provide a cyber security framework for the identification and protection of critical cyber assets to support reliable operation of electric systems. These standards recognize the differing roles of each entity in the operation of electric systems, the criticality and vulnerability of the assets needed to manage electric systems reliability, and the risks to which they are exposed. Business and operational demands for managing and maintaining a reliable electric system increasingly rely on cyber assets supporting critical reliability functions and processes to communicate with each other, across functions and organizations, for services and data.

The current draft NERC cyber security standard, CIP-002 through CIP-009 will replace NERC 1200 “Urgent Action Cyber Security Standard.” These standards are expected to cover essentially the same material as NERC 1200, but in more detail.


• ANSI/ISA 99 Industrial Automation and Control System Security

This standard is part of a multipart series that addresses the issue of security for industrial automation and control systems. This standard describes the elements contained in a cyber security management system for use in the industrial automation and control systems environment and provides guidance on how to meet the requirements described for each element.

The ISA99 series addresses electronic security within the industrial automation and control systems environment. The series will serve as the foundation for the IEC 62443 series of the same titles, as being developed by IEC TC65 WG10 “Security for industrial process measurement and control - Network and system security.”

• DHS Cyber Security Procurement Language for Control Systems

The U.S. Department of Homeland Security has established an initiative to bring public and private sector entities together to improve the security of control systems. The goal is for private and public asset owners and regulators to come together and adopt procurement language that will help ensure security integration in control systems. The Cyber Security Procurement Language for Control Systems represents the joint effort of the public and private sectors focused on the development of common procurement language for use by all control systems stakeholders. The goal is for federal, state, and local asset owners and regulators to obtain a common understanding of control systems security; using these procurement guidelines will help foster this understanding and lead to the integration of security into control systems.

6.1.3 Sector-Specific IT Security Standards in Finance Infrastructures

The proper functioning and availability of the IT systems and the corresponding communication infrastructure described in the models of the sub-sectors securities transactions and payment systems are of vital importance for the business of these sub-sectors. For this reason a high degree of awareness of the risks to the IT systems exists. As a result, substantial "state of the art" protection strategies to minimise the potential impacts of the given threats have been developed and implemented.

The protection strategies implemented are not only motivated by the understanding of the risks and the importance of the IT systems for the business within the sub-sectors. In addition, the implementation of appropriate protection strategies is also required by legal regulations. Although supervision and oversight are not part of any critical infrastructure on their own, they are a source of legal requirements. Compliance with these regulations is checked on a regular basis as part of the supervision or as part of the oversight.

6.1.3.1 Requirements given by National Supervision

It is regularly checked by the supervisory authorities that a financial organisation performs its business according to the rules of national regulations. Within these reviews the financial organisation must prove that it has taken appropriate measures to handle all risks, not only from a financial point of view but also from an organisational point of view.

Several legal requirements concerning the handling of operational risks are given by laws and directives. One of the major sources of these legal requirements is the Capital Requirement Directive (CRD, 2006/49/EG) of the European Commission. Within this directive the term operational risk is defined as the risk of losses resulting from the inappropriateness or failure of

• internal procedures,

• systems,

• people or due to

• external (infrequent) events.

Appropriate and efficient risk management is an essential part of any proper business organisation. Some supervisory authorities have issued concrete specifications of this European legal requirement, covering requirements for

• the implementation of an appropriate risk management for operational risks,

• the operation of IT systems and

• the sufficient planning for the reaction in cases of emergencies.

Of course the operation of IT systems and the use of communication technology are potential sources of operational risks. Hence the legal requirements must also be taken into account in the proper operation of IT systems and communication technology.

All financial organisations which are under the supervision of national supervisory authorities must specify and implement measures to comply with these legal requirements. The appropriateness of these measures is verified within the annual audit by the accountant or other external auditors.

6.1.3.2 Requirements given by the Oversight by Eurosystem

Some organisations of the finance sector are subject to the oversight of the Eurosystem. Based on the policy [ECB_OPolF_2009] several standards, requirements and recommendations have been developed by the Eurosystem.

For payment systems the requirements of the Eurosystem are based on the 10 core principles for systemically important payment systems, which were published by the Bank for International Settlements (BIS) in 2001. Among these, core principle VII requires that a system should ensure a high degree of security and operational reliability and should have contingency arrangements for timely completion of daily processing.

The core principles of the BIS have been refined by the Eurosystem in 2006 to the BCOE (Business Continuity Oversight Expectations for systemically important payment systems). These require (among others):


• Each system provider must specify and implement appropriate contingency plans. This must be confirmed by the management board of the provider.

• The accepted recovery time for the resumption of the service after a disruption is the same business day.

• The specification of the contingency plan must take several realistic scenarios for the possible disruption of the systems into account.

• Well defined and structured procedures for crisis handling should be specified. Special teams for the management of crises should be established.

• The contingency plans should be tested regularly.

The national central banks conduct the oversight of securities settlement systems and central counterparties (CCP) based on national laws. The Eurosystem promotes euro area-wide consistency among the oversight policies and activities in the different countries. For this the Eurosystem is cooperating with the CESR (Committee of European Securities Regulators) and the ESCB (European System of Central Banks) in order to develop recommendations. It is expected that these recommendations will be finalised in 2009 and after that applied by the Eurosystem.

6.1.3.3 Implementation of Standards

Typically, service providers of the sub-sector securities transactions have developed and implemented their own business continuity management (BCM) arrangements for

• systems (i.e. redundant systems and communication infrastructure),

• workspaces (i.e. fully equipped backup workspaces),

• staff (i.e. transfer capabilities between different locations) and

• suppliers (i.e. service level agreements and contingency procedures with suppliers)

in order to assure the availability of the services within a given recovery time after a malfunction or disruption of parts of the IT systems or communication infrastructure.

In addition, strong systems of internal controls have typically been implemented. These are based on ISO 9001/TickIT and ISO/IEC 20000, including IT security management, and have been certified accordingly.

The operation of the payment systems TARGET2 and EURO1 is subject to the oversight of the ECB. Accordingly, both systems meet the requirements given by the Eurosystem's oversight of these systems.

The providers of the payment systems TARGET2 and EURO1 have developed and implemented their own business continuity management (BCM) systems based on these principles given by the ECB.


Table 12 : Standards used within the Finance Sector

Standard                                                                       Relevance  Obligation
Generic standards
  ISO/IEC 9000 ff Quality Management                                           L          L
  ISO/IEC 20000 IT Service Management                                          L          L
  BS 25999 Business Continuity                                                 L          L
Generic IT Security Standards
  ISO 27000 ff - Information Security Management System                        L          L
  ISO 15408 – Common Criteria for Information Technology Security Evaluation
  BSI 100 – Information Security and IT-Grundschutz
  BSI BPC – Baseline Protection Catalogues
  ISO/IEC 13335-1:2004 – Security techniques – Management of Information and Communications Technology Security
Special Security Standards for Sub-sector Finance
  private BCM standard                                                         H          H
  Requirements from EU directives                                              H          H
  Requirements from national regulators                                        H          H
  Core Principles of BIS                                                       H          H
  Business Continuity Oversight Expectation from ECB                           H          H

6.1.4 Sector-Specific IT security standards in Transport Infrastructures

Generic Standards

There is a wide range of ISO standards which are all very technical but are highly binding within the whole transport sector. In Germany they are complemented by generic as well as technical standards released by DIN.

Sub-Sector Air Traffic

In the air traffic sub-sector there exists a wide range of standards, laws and other legal regulations as well as recommendations, nearly all of which have a high relevance and are highly binding (except US laws). The main documents have been released by

• Regulations by the European Parliament and the European Council which are mandatory in the European Union

• Standards of SAE International – SAE AS (Aerospace Standards) which are de facto binding in the US

• Standards of SAE International adopted by Europe – SAE AS/EN (Aerospace Standards) which are de facto binding in the US and in Europe

• Laws by the US government (49 CFR) – mandatory in the US

• International Civil Aviation Organization – recommendations which are de facto globally binding

• National laws and regulations of Member States

A detailed list of all relevant standards can be found in Annex A.7 of this document.

Sub-Sector Waterways

Within the sub-sector waterways, generic as well as more technically oriented standards (computer applications, data transfer, etc.) have been developed by ISO, which all infrastructure providers abide by. The International Maritime Organization (IMO), a specialised agency of the United Nations, has developed and, through its International Convention for the Safety of Life at Sea (SOLAS), requires a Universal Shipborne Automatic Identification System.

For Germany it is known that these requirements are complemented by further legal regulations.

A detailed list of all relevant standards can be found in Annex A.7 of this document.

Sub-Sector Railways

The sub-sector Railways abides by a number of DIN EN standards which, among others, have been developed especially for railway applications.

Furthermore there is a non-binding standard, the International Railway Industry Standard (IRIS), for quality management within that sector, which has a smaller relevance, and US standards developed by the US Department of Homeland Security (DHS) and the National Fire Protection Association (NFPA) which have strong relevance in the USA.

A detailed list of all relevant standards can be found in Annex A.7 of this document.

Sub-Sector Road

Within this sub-sector a wide range of technically oriented ISO standards has been developed, all of which have high relevance and are de facto mandatory for all infrastructure providers. Additionally, the European Parliament and the Council of the European Union have adopted a directive (2004/54/EC) on minimum safety requirements for tunnels in the Trans-European Road Network which also encompasses IT security topics.

A detailed list of all relevant standards can be found in Annex A.7 of this document.


6.2 Best Practises

Since all suppliers of (European) critical infrastructures generally are aware of

• the criticality of their assets

• their ICT-dependencies

• their risks and vulnerabilities

• the impact on business continuity in case of failures

• the impact on dependent companies, public authorities and the public itself

long-term efforts have been made to avoid failures and outages and to mitigate potential impacts. Based on our own experiences and insights as well as various interviews, workshops, etc. with stakeholders from each sector, a wide compilation of best practise approaches has been collected.

In this section we try to cluster and to describe briefly these collections of best practises in order to analyse and identify their relevance and the degree of implementation of these measures in every sub-sector.

Redundancies

Design and build-up of redundancies in ICT infrastructure are one of the “classic” measures to prevent breakdowns and outages. These actions include the implementation of at least two operation centres as well as redundant communication systems and communication lines. Often, there are also technically alternative access possibilities to IT applications, like different client applications, web access solutions, etc. Depending on the business model and internationality of the companies, redundancies have been built up regionally and / or internationally.

Degradation Modes

In many sectors a wide set of degradation modes has been established. ICT systems can be designed so that parts of them are switched off and functionality is reduced to concentrate on the support of core processes. Furthermore, the design and implementation of alternative processes which are based on fewer or different ICT systems have to be mentioned, e.g. usage of landline telecommunication and field workers instead of automatic operations.

Tightened Access control

To prevent errors as well as attacks from users and insiders a lot of access control measures have been developed. Starting with an extensive, detailed and restrictive user access management concept different strategies exist to ensure a correct and effective implementation up to the application of special technologies (e.g. IRIS scan) to control access into control rooms and other sensitive areas. Additionally, employees and service providers with access to these areas must have special vettings in some sub-sectors.


Collaboration

Collaboration has two major objectives and aspects: raising awareness prior to a potential hazard, and preparedness, like (mutual) assistance to mitigate the impacts after occurrence. Therefore companies within a (sub-)sector, or within a region, exchange information and / or agree on mutual assistance and the usage of facilities, equipment etc. in case of a disaster.

Information exchange and knowledge transfer about new, upcoming threats and risks and experiences about existing protection strategies (e.g. best practises) are further collaboration activities which are not limited to (sector-specific) industries but also encompass public authorities.

In Germany (22) a CIP Implementation Plan (UP KRITIS) has been drawn up to substantiate specific measures and recommendations for critical infrastructures. UP KRITIS is a long-term partnership between the public and private sectors. The companies involved have voluntarily adopted the security measures outlined in the CIP Implementation Plan as their own standard, and are now working collaboratively on overarching measures. Particular emphasis is on intensifying cross-sector communication.

Early Warning

For short-term prevention and subsequent mitigation strategies various organisational and technical best practises exist. In some sectors specific secure networks and messaging systems for warning, alerting, and coordination of activities, data and information exchange have been implemented. These networks already exist or are being set up in various manners: sector-specific (e.g. see subsection 4.4.1), national (e.g. see [BMI_UPK_2007]) or international (e.g. see [TPT_SC_2008]). The collaboration of (worldwide) Computer Emergency Response Teams (CERTs) can be seen as one of these established early warning systems.

Training, Exercises

Training and exercises are important measures to rehearse the handling of acute threats and damages and to develop as well as align policies, action lists, checklists etc. Even within a single company there are various useful forms of exercises of different complexity (tabletop, communication, coordination, field exercises) and scale (single operating site, single department, …, across the group). These can be extended to different participants in a sector, cross-sector, on a national or international basis.

Best practises in training and exercises also differ in their frequency (first plan, started, regularly, weekly, .. yearly) and whether they are announced or unannounced.

22 Similar activities exist in the Netherlands, France, …


Technical Controls

This cluster encompasses all technical controls that are commonly used to secure ICT systems, like central systems to limit and control the transition from local (company-controlled) networks to public ones (security gateways, firewalls, intrusion detection and anti-malware). Corresponding to the increasing interconnection of different networks, new measures to ensure integrity and confidentiality (encryption, digital signatures, PKI, …) are necessary and have been implemented, and (especially) all central ICT systems are hardened and securely configured.

As all these best practises are very specific and kept confidential within each company, we forbear from further analysis and description.

In the next subsections an appraisal of the relevance and implementation of best practises is given according to the following evaluation scheme (see Table 13).

6.2.1 Sector Energy Infrastructures

In the whole energy sector there is a high degree of implementation of redundant ICT systems, which is complemented by various degradation modes that can substitute these systems for a restricted operational use.

Much effort is taken to tighten access control by strictly applying the “need to know” principle, vetting of system operators and, among others, by using special technologies like IRIS-Scans to secure and control access to control rooms.

Especially in the oil sub-sector, faulty operation through the control room or a wrong signal, as in most applications, is not feasible, because the systems compare process signals with process parameters which cannot be overwritten by operators. Process control is mostly exercised through the “2 out of 3” principle. Process parameters are highly sensitive and can, in general, only be changed by two persons (four-eye principle).
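As an added illustration of the two oil sub-sector safeguards just described (example code written for this edition, not taken from the report or from any operator it covers), the following Python model combines 2-out-of-3 voting of process signals against a stored parameter range with a four-eye rule for changing that range; the class names, the `ParameterStore` API and all sample values are constructed assumptions.

```python
"""Added example, not from the report: a minimal model of 2-out-of-3 signal
voting against process parameters, and of a four-eye rule for changing those
parameters. Names, values and the API are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ProcessParameter:
    """A sensitive set point. Operators read it; they never write it directly."""
    name: str
    low: float
    high: float

    def contains(self, value: float) -> bool:
        return self.low <= value <= self.high


@dataclass
class ParameterStore:
    """Holds the parameters and enforces the four-eye principle on changes."""
    params: dict
    # pending change requests: name -> (new_low, new_high, requester)
    pending: dict = field(default_factory=dict)

    def request_change(self, who: str, name: str, low: float, high: float) -> None:
        """Four-eye step 1: one person proposes a new range; nothing changes yet."""
        if name not in self.params:
            raise KeyError(f"unknown parameter {name}")
        if low >= high:
            raise ValueError("low must be below high")
        self.pending[name] = (low, high, who)

    def approve_change(self, who: str, name: str) -> ProcessParameter:
        """Four-eye step 2: a different person approves; only now is the
        parameter replaced. A request approved by its own author is refused
        and stays pending for a genuine second person."""
        if name not in self.pending:
            raise LookupError(f"no pending change for {name}")
        low, high, requester = self.pending[name]
        if who == requester:
            raise PermissionError("four-eye principle: approver must differ from requester")
        del self.pending[name]
        self.params[name] = ProcessParameter(name, low, high)
        return self.params[name]


def vote_2oo3(readings, param: ProcessParameter):
    """2-out-of-3 voting: each of three redundant sensors votes whether its
    signal lies within the parameter range; the majority decides, so a single
    wrong signal cannot trip or unblock the process on its own.
    Returns (in_range, number_of_in_range_votes)."""
    if len(readings) != 3:
        raise ValueError("2oo3 voting needs exactly three readings")
    votes = sum(1 for r in readings if param.contains(r))
    return votes >= 2, votes


def control_decision(readings, param: ProcessParameter) -> str:
    """Combine both safeguards: run only while the voted signal is in range."""
    in_range, _ = vote_2oo3(readings, param)
    return "run" if in_range else "trip"


if __name__ == "__main__":
    # constructed sample: a pressure set point and three sensor readings
    store = ParameterStore({"pressure": ProcessParameter("pressure", 10.0, 50.0)})
    p = store.params["pressure"]
    print(control_decision([20.0, 21.0, 99.0], p))   # one faulty sensor is outvoted: run
    print(control_decision([20.0, 99.0, 99.0], p))   # two out-of-range signals: trip
    store.request_change("operator-a", "pressure", 10.0, 60.0)
    store.approve_change("operator-b", "pressure")   # second person, change applied
    print(control_decision([55.0, 56.0, 57.0], store.params["pressure"]))  # run
```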

Table 13: Evaluation Scheme for Best Practises

Relevance:
  H - high; measure applicable and useful
  L - low; measure conditionally applicable and useful
  (blank) - unknown

Implementation:
  H - high; measure implemented and tested
  L - low; implementation intended or planned
  (blank) - unknown

Within the electricity sub-sector power transmission operators self-organised and committed to collaboration with other operators within the “Union for the Co-ordination of Transmission of Electricity (UCTE)” and developed an Operation Handbook [UCTE_2004] which is binding for all members and a common basis for coordinated approaches in normal business as well as in exceptional circumstances. The Operation Handbook is a comprehensive collection of all relevant technical standards and recommendations to provide support to the technical operation of the UCTE interconnected grid, including operation policies for generation control, performance monitoring and reporting, reserves, security criteria and special operational measures. It also includes principles for communication infrastructure which led to the network of European Transmission System Operators (Electronic Highway) as described in subsection 4.4.1.

Beyond that, cooperation between European transmission system operators is intensified by establishing a common security committee and ICT platforms [see TPT_SC_2008].

Within the whole sector there is also a high degree of collaboration with public authorities and with other system operators like written declarations for mutual assistance and usage of equipment in case of critical outages.

Training and exercises are also seen as very useful and relevant but entire implementation is still in progress.

Following Table 14 gives a comprehensive overview of the application of best practises.

Table 14: Best Practice Arrangements used within the Energy Sector
(Rel = Relevance, Impl = Implementation, rated per Table 13; empty cell = unknown)

Cluster / Single Measure                                                    Electricity    Gas            Oil
                                                                            Rel   Impl     Rel   Impl     Rel   Impl
Redundancy
  Operation centre                                                          H     H        H     H        H     H
  Communication systems, lines                                              H     H        H     H        H     H
  Access possibilities
  regional, international                                                   H     H        H     H        H     H
Degradation Modes
  Alternative processes (e.g. telephone instead of IT-system)               H     H        H     H        H     H
  Separation of control areas                                               H     H        H     H
Tightened Access control
  detailed, restrictive user access management concepts                     H     H        H     H        H     H
  application of special technologies (e.g. IRIS-Scan)                      H     H        H     H        H     H
  vetting of employees                                                      H     H        H     H
Collaboration
  with public authorities (e.g. German UP KRITIS)                           H     H        H     H        H     H
  within sector (e.g. mutual assistance, facilities)                        H     H        H     H        H     H
Early Warning
  CERT
  sector specific, national, international, ..                              H     H        H     H
  specific (secure) messaging systems / networks                            H     H
  specific security messages (e.g. validation of principles, alerts, warnings, ...)  H  H  H  H
Training, Exercises
  complexity (tabletop, communication, coordination, extended coordination) H     L        H     L        H
  extension (local, department, company, …)                                 H     L        H     L        H
  sector specific, national, international, ..                              H     L        H     L        H
  frequency (planned, started, regularly, weekly, .. yearly)                H     L        H     H        H
  announced / unannounced                                                   H     L        H     L        H


6.2.2 Sector Finance Infrastructures

6.2.2.1 Sub-sector Securities Transactions

The arrangements of the business continuity management are tested by the service provider regularly and under realistic circumstances. Some of the tests are performed unannounced. The following points are the central parts of these tests:

• Operational effectiveness, i. e. the validation, that the arrangements are technically operational and functioning.

• Execution ability, i. e. the assurance that the staff knows the guidelines and is familiar with the execution of the plans of the BCM.

• Recovery time, i. e. the confirmation that the plans can be executed and arrangements are operational within a defined recovery time.

From a technical point of view the availability of the systems is assured by a completely redundant system architecture, operated from dual data centres with the following characteristics:

• All components of the two data centres for a system are redundant.

• In normal operation both data centres are used actively for production with load balancing and continuous data synchronisation between them.

• In case of an incident in one data centre, a failover mechanism ensures that all processing is taken over instantly by the other data centre.

• Both data centres can be operated remotely.

In addition to the redundant data centres for the operation of the systems, the participants (usually) are also connected to the systems over redundant communication systems. This guarantees a very high availability of the connectivity of the participant to the systems for trading, clearing and settlement.

6.2.2.2 Sub-sector Payment Systems

The effectiveness and feasibility of the arrangements of the BCM systems are tested regularly and extensively. For example for the TARGET2 system the appropriateness of the contingency plan is tested based on the following scenarios: Malfunction or disruption of

• one or more components of the SSP,

• parts of the communication systems,

• parts of the systems of a participating bank, or

• parts of the systems of a participating ancillary system.

One of the service providers of the TARGET2 system (Bundesbank) is a participant of the UP KRITIS working group. In this working group the participants exchange information about security relevant events. Participants of this working group are organisations of the finance sector and the BSI (Bundesamt für Sicherheit in der Informationstechnik), which takes part as representative of the German Ministry of the Interior.

From a technical point of view the availability of the systems is assured by a completely redundant system architecture (see also subsection 4.2.2). For the TARGET2 system this redundancy is given for example by two regional systems, each of which is again a completely redundant system based on two independent sites. For both payment systems the communication with the participants uses the SWIFT network. SWIFT itself is subject to the oversight of the Eurosystem. The redundant communication system provided by SWIFT guarantees a very high availability (> 99,995%) of the connectivity of the participants to the payment systems.

The protection strategies of the service providers themselves are not sufficient for the overall security and availability of the payment systems. Additionally, also the security and proper functioning of (parts of) the systems of the participating banks are important for the proper functioning of the payment systems.

Due to the legal regulations but also in particular due to the importance of the IT systems and communication infrastructure for their own business, participating banks specify and implement extended protection strategies. These include

• information security management systems (for example based on ISO 27000), and

• business continuity management systems.

The measures of the BCM include

• the operation of redundant (disaster tolerant) systems,

• the availability of redundant, fully equipped command rooms for the remote control of vital systems in the case of a crisis, and

• the regular testing of the effectiveness and feasibility of the arrangements of the BCM.

A similar high level for the security and the proper functioning of the IT systems and the communication infrastructure can be expected for the participating banks and for the service provider of the payment systems.

6.2.2.3 Best Practice Overview

The following Table 15 summarizes the arrangements of the protection strategies which can be found within the finance sector, as far as information about these has been available for this study. If a measure is not marked within the table, this does not necessarily mean that it is not part of the protection strategies of the finance sector. Instead it indicates only that no information about it has been available for this study.


Table 15: Best Practice Arrangements used within the Finance Sector
(Rel = Relevance, Impl = Implementation, rated per Table 13; empty cell = no information available)

Cluster / Single Measure                                                    Rel   Impl   Remark
Redundancy
  Operation Centre                                                          H     H
  Communication systems, lines                                              H     H
  Access possibilities                                                      H     H
  regional, international                                                   H     H      partially international
Degradation Modes
  Alternative processes (e.g. telephone instead of IT-system)               L     L      suspension of operation / trading …
Tightened Access control
  detailed, restrictive user access management concepts
  application of special technologies (e.g. IRIS-Scan)
  vetting of employees
Collaboration
  with public authorities (e.g. German UP KRITIS)                           H     H
  within finance sector (e.g. mutual assistance, facilities)                H     H
Early Warning
  CERT
  sector specific, national, international, ..
  specific (secure) messaging systems / networks
  specific security messages (e.g. validation of principles, alerts, warnings, ...)
Training, Exercises
  complexity (tabletop, communication, coordination, extended coordination) H     H      extended
  extension (local, department, company, …)                                 H     H
  sector specific, national, international, ..
  frequency (planned, started, regularly, weekly, .. yearly)                H     H      regularly
  announced / unannounced                                                   H     H      also unannounced


6.2.3 Sector Transport Infrastructures

SCADA systems in the transport sector have redundant architectures. These architectures are complemented by degradation modes for ICT systems so that a very high availability is given. Several fallback levels are defined, which ensure a “safe mode” operation.

The access to control rooms and SCADA systems is strictly limited. Recommendations for protection policies are given by national authorities (e.g. Bundesamt für Sicherheit in der Informationstechnik, BSI) and international bodies (e.g. European Network and Information Security Agency, ENISA).

Cooperation among control centres is very common, especially in air traffic. Public authorities cooperate with air traffic management on several levels. Besides national authorities (e.g. Luftfahrt-Bundesamt in Germany), international civil aviation authorities have also been established. The most important ones are the European Aviation Safety Agency (EASA) and the Joint Aviation Authorities (JAA). Similar institutions and authorities cooperate in other traffic sub-sectors.

Regular training is widespread, especially in air traffic, but it is becoming common in other sub-sectors too, e.g. for tunnel security. The exercises are often related to emergency scenarios and are usually carried out in cooperation with fire brigades.

The following Table 16 gives a comprehensive overview of the application of best practices in the transport sector.

Table 16: Best Practice Arrangements used within the Transport Sector
(Rel = Relevance, Impl = Implementation, rated per Table 13; empty cell = unknown)

Cluster / Single Measure                                                    Air Traffic    Waterways      Railways       Road
                                                                            Rel   Impl     Rel   Impl     Rel   Impl     Rel   Impl
Redundancies
  Operation Centre                                                          H     H        H     H        H     H        H     H
  Communication systems, lines                                              H     H        H     H        H     H        H     H
  Access possibilities                                                      H     H        H     H        H     H        H     H
  regional, international                                                   H     H        H     H        H     H        H     H
Degradation Modes
  Alternative processes (e.g. telephone instead of IT-system)               H     H        H     H        H     H        H     H
Tightened Access Control
  detailed, restrictive user access management concepts                     H     H        H     H        H     H        H     H
  application of special technologies (e.g. IRIS-Scan)                      L     L        L     L
  vetting of employees                                                      H     H        H     L        H     L        H     L
Collaboration
  with public authorities (e.g. German UP KRITIS)                           H     H        H     H        H     H        H     H
  within sector (e.g. mutual assistance, facilities)                        H     H        L     L        L     L        L     L
Early Warning
  CERT                                                                      L     L        L     L
  sector specific, national, international, ..                              L     L        L     L
  specific (secure) messaging systems / networks                            L     L        L     L
  specific security messages (e.g. validation of principles, alerts, warnings, ...)  L  L  L  L
Training, Exercises
  complexity (tabletop, communication, coordination, extended coordination) H     H        H     L        H     L        H     L
  extension (local, department, company, …)                                 H     H        H     L        H     L        H     L
  sector specific, national, international, ..                              H     H        H     L        H     L        H     L
  frequency (planned, started, regularly, weekly, .. yearly)                H     H        H     L        H     L        H     L
  announced / unannounced                                                   H     H        H     L        H     L        H     L


7 Synergies, Conclusions and Trends

This section gives an evaluation and summary of the synergies found in existing protection strategies; in subsection 7.3 all analysis results of the study are then summarized and final conclusions are drawn.

As the previous sections mainly focus on the current situation, subsection 7.4 turns attention to future developments which will influence the criticality of infrastructures or their ICT dependencies and therefore will be conducive to further policy lines (see section 8).

7.1 Standards

The role of standards in implementing appropriate protection strategies and measures against ICT threats has already been addressed in section 6.1. From this it can be stated that the sector-specific standards are to a high extent derived from the same or at least similar common “root” standards, e.g. ISO 27001/2 or ISO 20000. This fact already ensures a high degree of synergy concerning the common application of protection strategies and measures. In addition, some of the referenced standards are not generally prescriptive but describe best practices for specific (sub-)sectors or ranges of application (see e.g. the “Good practice guidelines” of CPNI, the (UK) Centre for the Protection of National Infrastructure).

Financial organisations perform their business according to legal rules and regulations that also cover the operation of IT systems and sufficient planning for the reaction in cases of emergency. Typically, service providers of the sub-sector securities transactions have developed and implemented their own business continuity management (BCM), whereas providers of (cross-border) payment systems refer to requirements published by the European Central Bank.

7.2 Best Practises

This section summarizes the analysis results of section 6.2 about the relevance and implementation degree of best practises in the specific sectors.

The following Table 17 gives a comprehensive overview (23) of the intensity of best practises realised in the different sectors, classified by the type of strategy. Again, white (empty) cells indicate that no or insufficient information is available.

Table 17: Best Practise Overview (Protection Strategies - Best Practises)

Sector      Redundancies  Degradation Modes  Tightened Access Control  Collaboration  Early Warning  Training, Exercises
Energy      H             H                  H                         H              H              M
Finance     H             L                                            H                             H
Transport   H             H                  M                         M              L              M

23 H – High relevance, M – medium; L – Low

This is a highly aggregated summary table. From the underlying information we can derive certain strengths in terms of recognised high relevance or high degree of implementation. Experiences from application can be derived as well as lessons which might be learned and transferred to practical further actions (Table 18):

Table 18: Best Practise Experiences

Strengths

• All sectors invest a lot in the build-up and operation of redundant ICT systems.

• Especially in the energy sector sophisticated degradation modes can be found.

• Generally there is a high level of collaboration actions within sub-sectors and also growing cross-sector activities (24).

• In the energy sector it is known that there is a high awareness and much effort is taken to tighten access control on various levels.

• In the energy sector, and especially in the electricity sub-sector, an international early warning system has been established.

• In the finance sector, driven by business continuity requirements and supervisory regulations, there are extensive training and exercise programs (regular, announced / unannounced, ..) which lead to a high level of awareness and experience on all levels.

Capability Enhancing

• Experiences in early warning systems from the electricity sub-sector, which encompass technical aspects as well as exact definitions of preconditions and message content of warnings and alerts and further aspects of information exchange, should be shared with other sub-sectors to support the build-up or strengthening of the security provision of their systems.

• Long-term experiences in training and exercises in the finance sector, in concepts, action plans and constraints, should serve to encourage and strengthen similar plans and activities in other sectors.

24 E.g. German UP KRITIS

Finally, we map the collected and evaluated best practises to selected prevailing and future ICT-threats to derive conclusions about their effectiveness with regard to these upcoming challenges. In Table 19, good protection measures against a selected threat category are marked “+” and average ones “o”.

Generally, it can be summarized that all best practises subsumed under redundancies do not have a high protection or mitigation capability against “new” ICT-threats. Development and application of degradation modes and the extended use of early warning systems will be much more effective against new risks and in mitigating vulnerabilities. Also, the high potential of collaborative structures and measures can be clearly identified.

Table 19: Mapping of ICT-Threats and Best Practises (Protection Strategies - Best Practises; + good protection, o average)

Columns: Red = Redundancy, Deg = Degradation Modes, TAC = Tightened Access Control, Col = Collaboration, EW = Early Warning, T/E = Training, Exercises, TC = Technical Controls

Threat Cluster                     Threat Category               Red  Deg  TAC  Col  EW   T/E  TC
Email Misuse                       Deliberate Acts               -    +    -    +    +    -    o
Hacking                            Deliberate Acts               -    +    +    +    +    -    +
Insider Attacks                    Deliberate Acts               o    o    +    -    -    -    o
Malware                            Deliberate Acts               o    +    -    o    +    -    +
(cluster label not recoverable)    Force majeure                 o    o    -    -    o    -    -
                                   Organisational shortcomings   -    o    -    o    -    +    -
                                   Technical failure             -    o    -    o    o    o    o
                                   Deliberate Acts               -    +    +    o    o    -    +
(cluster label not recoverable)    Force majeure                 o    o    -    -    o    -    -
                                   Organisational shortcomings   -    o    -    o    -    +    -
                                   Human error                   -    o    -    -    -    +    -
                                   Technical failure             o    o    -    o    o    -    o
                                   Deliberate Acts               -    +    o    +    +    -    +
Organisation                       Organisational shortcomings   -    -    -    o    -    +    -
Sabotage                           Deliberate Acts               +    o    +    o    +    -    o
Deficiency of (COTS-)Software      Technical failure             o    o    -    +    +    -    o
(cluster label not recoverable)    Organisational shortcomings   -    -    -    o    -    o    -
                                   Human error                   -    -    +    -    -    +    -
                                   Deliberate Acts               -    -    +    -    -    +    -
(cluster label not recoverable)    Human error                   -    o    -    -    -    +    -
                                   Technical failure             o    o    -    o    o    -    o
                                   Deliberate Acts               -    +    o    o    +    -    +

The four cluster labels of the source table that could not be assigned to the unlabelled groups above are: Network Threats, Threats via Remote Access, Threats via VoIP and User Unawareness.


7.3 Conclusions

The overall objective of this study was to assess the dependency of important EU-wide infrastructures on information and communication technology and their protection strategies to mitigate the effects of an ICT infrastructure disruption.

To meet this ambitious goal, different challenges had to be met:

• to cover and reflect extremely complex structures of three very specific sectors, encompassing ten sub-sectors at a European level

• addressing physical and functional structures, technical objects and processes of each sub-sector

• to systematically identify European critical infrastructures, components and processes in each sector / sub-sector

• to analyse internal and external ICT structures and ICT reliance for each sector / sub-sector

• to derive critical ICT dependencies

• to develop an ICT threat catalogue containing prevailing ICT threats and considering coming up threats as a consequence of following new ICT trends

• to perform a first risk estimation of identified critical ICT infrastructures against the derived ICT threat catalogue

• to analyse and identify existing protection strategies

• to find out synergies in vulnerabilities, applied standards and developed respectively applied best practise strategies

In summarizing the work performed and the results achieved we can conclude that the approach and methodology developed, as elaborated in section 2, were eminently suitable and fulfilled the intended requirements described above. Especially it has to be pointed out that the selected model approach merged different aspects, objectives and views: suppliers and providers of the concerned infrastructures could contribute to and improve our generic sector models, which also supported their own point of view on “their” ECI. On the other hand, the stringent approach led to a comprehensive, comparable view on ECIs and their ICT-dependencies and established a common, cross-sector basis for further analysis and the resulting recommended measures.

It is recommended to use this methodology and approach for further identification processes of ICT dependencies.

As a result from modelling and dependency analysis it can be concluded:

• There are highly ICT-dependent ECI in the sectors energy and transport

• Core business processes in the finance sector are extremely ICT-dependent and their malfunction might lead to transnational impacts; but the expected economic damages are not expected to meet ECI criteria and dimension.

• Each sub-sector has its dedicated IT systems and LANs on which core processes highly rely.


• Different approaches exist to connect to regional access points and to other business partners:

- In all energy sub-sectors and in the railroad sub-sector there are technical objects and processes which highly rely on wide area networks (WAN) provided by the CI providers themselves.

- The finance sector and the electricity sub-sector highly rely on specialised secure private networks which offer connection and messaging services within the respective sub-sector.

- Within the finance sector, depending on the required bandwidth and resilience, network services from telecom providers and also from internet providers are used.

• No ECI have been identified according to the criticality criteria in the waterways sub-sector.

Major effort has been spent on developing a catalogue of prevailing and “new” ICT threats with respect to upcoming or widening ICT trends, and on grouping them into threat clusters. This catalogue contributes, as a prerequisite, to a first risk estimation of the identified “critical” ICT in terms of appraising probability and vulnerability, and to a collection of related protection strategies within each sub-sector.

Bearing in mind existing protection strategies for “critical” ICT we can summarize:

• In the energy sector the highest risks, if not properly addressed, are seen in organisational shortcomings such as missing or insufficient rules and procedures, or insufficient monitoring of IT security measures. Some further, lower risks could also be identified.

• Human errors are the main contributors to risks in the transport infrastructures. Lower risks can be identified in organisational shortcomings. Other threats are not very likely or of lower impact.

Another main focus was directed towards existing protection strategies, which were examined and compared. In a top-down approach they were evaluated with respect to existing, applied or adjusted standards, guidelines and other specifications. In a bottom-up approach, developed and applied best practices were collected.

The main conclusions drawn from this analysis are:

• Sector-specific standards are to a high extent derived from the same or at least similar common “root” standards, e.g. ISO 27001/2 or ISO 20000.

• Financial organisations perform their business according to legal rules and regulations. The handling of all financial as well as organisational risks by adequate measures is regularly reviewed by external auditors. Special requirements exist for the implementation of an appropriate risk management process / system for operational risks, for the operation of IT systems and for the sufficient planning of reaction measures in cases of emergency.


• Typically, service providers of the sub-sector “securities transaction” have developed and implemented their own business continuity management (BCM).

• For providers of systemically important (cross-border) payment systems there are requirements for the whole Eurosystem by the European Central Bank:

• All sectors invest heavily in building up and operating redundant ICT systems, but in summary they do not have a high protection or mitigation capability against “new” ICT threats.

• Especially in the energy sector, sophisticated degradation modes can be found which will be quite effective against new risks and in mitigating vulnerabilities.

• Generally there is a high level of collaborative action within sub-sectors and also growing cross-sector activity.

• Technical and organisational experience with early warning systems from the electricity sub-sector should be shared with other sub-sectors to support building up or strengthening the security provisions of their systems.

• Long-term experience from training and exercises in the finance sector, applied to concept and action plan development and to the handling of constraints, should be used to encourage and strengthen similar plans and activities in other sectors.

Overall it can be concluded that awareness of the criticality of infrastructures and of the need to become better prepared to counter the associated risks has grown considerably in recent years. This was particularly reflected in a surprising willingness of stakeholders to cooperate in this study, and in the increasing understanding that CIP at sector level also requires governmental and international frameworks.


7.4 Trends

In this section major trends in the four sectors energy, transport, finance and ICT are compiled which will most likely have an impact on ICT dependencies and the correlated risks in the future. These trends are based on internal knowledge and on research and analysis of [EI_CICS_2008, IOA_SGT_2009, Pars_CFI_2009, DB_FID_2009].

7.4.1 Information and Communication Technology

• Increased connectivity between networks

A major trend in ICT enterprise applications is the growing consolidation of corporate data, networks and network resources. This growing interconnection of operational and corporate networks means that real-time operational systems and data are no longer separated but shared with corporate applications. Therefore, the threats and risks of corporate networks and applications migrate to operational networks, which usually are not prepared to deal with these specific threats, and in this way new vulnerabilities arise.

• Increased wireless networks

Developments in wireless network technology have led to widespread network access at low cost and with growing bandwidth. These networks are public, and access control and data protection are usually not very restrictive.

• IP-based network communication

The big advantage of IPv6 is sufficient and unique network address space for all connected devices, which also enables direct communication with remote access points. On the other hand this affects security, as all remote access points can also serve as starting points for cyber attacks.

• Broadened use of commodity IT platforms

The decline of specific server hardware and operating systems and the greater use of and reliance on commodity (e.g. Intel- or Windows-based) IT platforms increase vulnerabilities, as “common” attacks will also affect formerly specific IT systems.

• Cloud Computing

Driven by economic considerations and the wish to avoid cost-intensive investments in IT infrastructure (hardware, software, software licences and services), cloud computing is a combination of internet technologies that offers flexible, scalable services and applications accessible everywhere “in a cloud” of diverse providers. This technology entails many security aspects regarding data protection and data integrity.

• System complexity

Generally, the complexity of ICT systems is growing, driven by technology (integration of established applications into new ones or into new environments) as well as by business requirements to link and capitalise on all corporate assets (systems, data, ..) and to optimise resource utilisation. This leads to very complex systems with more or less unknown internal (critical?) dependencies, which hampers risk analysis and the development of efficient countermeasures.

7.4.2 Sector Energy Infrastructures

It can be predicted that among the ICT trends mentioned above the following will have a significant impact on the energy sector:

• Increased connectivity between networks

• Increased wireless networks

• Broadened use of commodity IT platforms

Furthermore the following sector-specific trends have to be mentioned:

• Smart Grids

This topic is seen as the next-generation technology for electricity supply and its management. It is based on a general two-way flow of electricity and information, using arrangements of metering systems and sensors which measure and control the energy flow from energy suppliers to customers, in order to optimise and adjust energy production and consumption within a limited area and to avoid energy transmission over long distances. This technology implies new points of attack and vulnerabilities which have to be addressed.

• Grid dynamics

Due to increases in power trade and the construction of (offshore) wind farms, the UCTE grid is exposed to a transport function for which it was not designed. Countermeasures lead to high loads on existing lines and increasing switching operations. Regional and intermittent generation by wind farms entails additional network dynamics which are sometimes beyond current control possibilities. Some TSOs try to cope with these new phenomena by wide area monitoring (real-time data for load flow, angle and heat).

• Regulatory Requirements

The segregation of business activities (e.g. of production and transmission) leads to longer coordination processes in case of emergency. In the course of unbundling production and network operation, the industry is going to physically separate the dispatch control rooms from the transmission system operation control rooms, and is thus establishing new control and communication infrastructures and coordination processes. It is recommended that future studies analyse to what extent these new objects and processes must be considered critical and will constitute critical infrastructures in the future.

7.4.3 Sector Finance Infrastructures

In addition to the ICT trends

• IP-based network communication

• Cloud computing

• System complexity

the following sector-specific developments and challenges are pointed out:

• Satellite-based communication

Beyond the ICT trends mentioned above, it is anticipated that satellite-based WAN and VLAN will also gain importance for the provision of financial services. This leads to a kind of “off-planet banking”, especially to maximise tax efficiency in different regions.

• Banking services on mobile devices

Financial services will increasingly be enabled, disseminated and provided on mobile devices, which may be issued by the financial institution itself or by telecom providers wanting to introduce new services. New vulnerabilities will arise from this amalgamation of end-user terminal functions, and risks will concentrate on them.

• New ID fraud opportunities

Intensified use of remote or mobile access to financial services, together with increasingly accessible government and agency networks and databases that allow ever more personal details to be discovered remotely, creates and encourages new opportunities to obtain personal IDs and to commit fraud with them. The same risks arise from moving from segregated databases to open ‘cloud’ services.

• SEPA (Single European Payments Area)

Driven by the European Commission and the European Payment Services Directive (to be implemented by all Member States by 1 November 2009), all (mass) payments in Europe, domestic as well as cross-border, are handled identically (end-to-end) with uniform formats and standards and with harmonised execution and exception timelines. In the coming years this will lead to a massive change in payment categories (see Figure 20) as well as in the relevance of ICT infrastructure, especially the STEP 2 system of the EBA.

Figure 20 : Development of payment categories in Europe25 (Source: Deutsche Bank)

7.4.4 Sector Transport Infrastructures

In addition to the ICT trends already discussed above, the following ICT-related developments appear relevant.

7.4.4.1 Air Traffic

• Integration of air traffic control systems on the ground with airline operation centres and the flight management systems aboard aircraft in flight

• Enhancement of the air traffic communications, overcoming of bandwidth shortages

25 MT = Message Type, which categorises financial messages within the SWIFT network

[Figure 20, as extracted: timeline of EU payment regulation milestones (Jul 2003 EU Regulation, Prior Regulation 2560, May 2004 EU Enlargement +10, Jan 2005 + Iceland + Norway, Jul 2005 + further countries, Jan 2006 Threshold 50.000, Jan 2007 + Bulgaria + Romania, Nov 2007 Start of TARGET2, Jan 2008 Start of SEPA, 201X) against the share of the payments wallet (y-axis: 100% of Payments Wallet) by payment category (MT 202 Treasury Related, MT 202 Cover for MT 103, Regulated MT103, Non Regulated MT103 Intra-EU, Non Regulated MT103 outside EU, Domestic ACH, SEPA Credit Transfer) and processing channel (TARGET2, EURO1, Correspondent Banking, Service Provider; SEPA compliant ACH / PE-ACH / or Service Provider)]


• Higher navigation accuracy (e.g. Global Navigation Satellite System, GNSS), particularly necessary due to the increase in traffic

• Better surveillance, providing the pilot and controller with more tools for better situational awareness

• Improvement of safe separation in remote airspace

• Automated decision aids in air traffic management

7.4.4.2 Waterways

• Implementation of telematics solutions for vessels and ports

• Optimal integration of Vessel Traffic Service (VTS) Systems

• Provision of vessel traffic information services for inland waterways

• Intelligent routing tool for safer and more efficient ship transport in ice-covered waters

• Improved distribution of traffic information

7.4.4.3 Railways

• High-speed rail transport with corresponding control systems

• Unification of European train control systems (European Rail Traffic Management System) for signalling and train protection

• Mobile communication for railway usage

7.4.4.4 Road

• Improvement of in-car telematics

• Traffic estimation, prediction and dissemination to end-users

• Intelligent transport systems

• Improvement of tunnel safety, like decision support systems for operators.


8 Policy Lines

8.1 Approach

The analysis and assessment of policy lines has been organised by viewing them from different perspectives. First of all, the main categories of policy lines are identified and broken down into a set of policy measures supporting the policy line. It is unavoidable that this is a simplified linear decomposition of a rather complex network of existing, planned or intended measures at different levels of responsibility. Consequently, this is a first-order evaluation drawn from different sources, mainly expert knowledge, with a rather limited effort volume. There are also certain overlaps of policy measures, as one measure may support not only one but several policy lines.

These main categories of policy lines are schematically mapped against the identified main ECI risks (see subsection 5.2.2) and against the trends expected in ICT and in the individual CI sectors (see section 7.4).

Finally a summary is given, with a comparison of the recommended measures vs. existing best practices. From there, recommendations can be drawn as to which important policy measures are lacking in existing practice today and which should specifically be reinforced.

8.2 Main Categories for Policy Lines

The high-level objectives of the European CIP/ CIIP policy are understood to be to enhance CIP/ CIIP governance, to promote coherence across Europe and to bridge gaps in national policies. This will include a continuous strategic dialogue, ECI governance models, coordination support between nations in an atmosphere of trust and confidence, and creating added value for national approaches. In doing so, a process for improving infrastructure safety and security (resilience) and for strengthening Europe’s incident response capability will be established.26

This study will give some support to the recommended measures, derived from the findings of the analysis and the extended discussions with infrastructure stakeholders.

In summary, five policy categories have been identified:

1. Operational cooperation structures

They include CERT and associated networks with early warning and alerting capabilities, training and exercising for developing cooperation strategies, and use of joint test centres and other means of sharing of resources and of information.

2. Procedural measures

include the specification and use of common procedures and “standards” for identifying ECIs, the development of common scenario-based training and exercises for the assessment and optimisation of procedures, and the maintenance of best-practice systems.

26 Main sources: [EU_CPM-EPCIP_2006, EU_COM_CIIP_2009, EU_DIR_ECI_2008]

3. Information exchange on a regular basis

These are measures agreed upon to exchange information and experiences in a fixed or variable time schedule, on incidents and findings from real events. Dedicated expert groups could be created on identified areas of focal interest.

4. Organisational measures

A set of organisational measures is deemed necessary for the application of standards and agreed measures and for the supervision of their implementation. Also, an organisation of national liaison officers and EU points of contact should be set up.

5. Policy building measures

In adequate working fora, minimum requirements and standards of protection, other operational capabilities and assessment methodologies should be developed, which could include concrete recommendations and templates. This also includes the development / adaptation of (IT) security standards. Policy measures should also include frameworks and incentives for the build-up and improvement of public-private partnerships.

A more structured description of the policy lines and the underlying measures can be taken from Table 22 (left columns). This breakdown of policy lines into individual measures also underlies the assessment against risks (Table 20) and the assessment against trends (Table 21).27 This policy line structure and the individual measures behind the policy lines will be the basic scheme for evaluating the relevance of policy lines from the perspective of this project. It must be emphasised that the recommendations given here are derived strictly from the results of this study, i.e. from the viewpoint of the dependency of CIs on ICT infrastructures and the risks implied in or caused by these dependencies. The assessment also reflects the expected future importance of measures by checking them against the major trends in ICT and in the CIs in question.

There may be numerous other economic, societal, environmental etc. reasons, e.g. political will, legislative and regulatory restrictions, national preferences, dramatic changes in the real or perceived threat (e.g. terrorism), influence on climate, and many more, which can lead to a different assessment of the importance, the expected effect and the feasibility of individual measures. Thus, the assessment of policy lines from this study should be considered as one element in a much more comprehensive evaluation effort of policy measures in the EPCIP process.

Attention at this point is drawn to the very sophisticated evaluation methodology applied in SEC(2009)399. Although its quite extensive evaluation tables and the attempt at a first-order quantitative assessment of measures are limited to the ICT sector, they could well serve as a baseline methodology to be extended to the evaluation of measures in the other CIs. This effort, however, is far beyond the scope of this study.

27 The detailed sub-columns, however, can only be visualised in the source Excel sheet, which may be made available upon request.

Methodological limitations

It has been realised that there is considerable overlap between the different policy lines, which means that individual measures depend on others or have certain commonalities with them. Training and exercising may serve as one example: exercising methods and tools can be used for developing and assessing concepts and procedures as well as for training operators in realistic operational scenarios. Another example is that organisational and policy building measures may be the starting points for establishing improved operational procedures. Also, some measures that sound identical show up in different policy lines, e.g. test centres are part of policy building measures but are also considered an important tool for improved cooperation structures.

8.3 Identified Threats and Risks as Policy Drivers

The risks resulting from the high dependencies of ECI on ICT infrastructures and from current ICT threats have been identified and discussed in the previous chapters, including the methodologies by which they have been derived. In subsection 5.2.2, the main findings of the project’s risk estimation are discussed.

The threat clusters underlying these risks, and those risks which have been identified as medium or high, have been taken as the evaluation reference for policy measures.

The boxes shaded green in the following Table 20 indicate which policy line we consider particularly supportive for reducing the related risk to the infrastructure28. Please note that the relevance of measures has only been evaluated for the lines which show a relevant risk to CIs. All others have been left blank.

28 Dark green boxes indicate strong influences, light green boxes medium influences.


General findings

There is a relatively clear tendency that the suggested measures are expected to have the most significant impact on avoiding or countering deliberate acts. The potential for mitigating the risks coming from COTS products also becomes clear, although COTS software has not been found to be the most severe cause of risks.

Operational cooperation structures, procedural measures, regular information exchange

The implementation of operational cooperation structures working on a real-time basis, like early warning and alert systems (e.g. CIWIN, EISAS) and CERT networks, will particularly help to reduce or mitigate the consequences of deliberate acts and in some cases also of technical failures.

The evaluation shows that the strongest effects in reducing or mitigating high risks will result from the implementation of better and harmonised cooperation structures and associated procedural measures. In particular, the implementation and execution of individual and joint exercising and training activities, as well as the implementation of best-practice systems, will contribute to mitigating damages from deliberate acts and, to a lower extent, also reduce human errors.

All measures of regular information exchange, i.e. regular reporting of incidents, the establishment of expert groups and information sharing processes, are considered important, especially for the mitigation of deliberate acts.

Table 20: Relevance of Policy Lines/Measures vs. Threats/Risks

Policy lines (columns): Operational cooperation structures | Procedural measures | Information exchange on a regular basis | Organisational measures | Policy building measures. Cell marks as extracted: + and o (the original uses dark green for strong and light green for medium influence, see footnote 28); blank = not evaluated.

Threat Cluster | Threat Categories | Operational cooperation structures | Procedural measures | Information exchange on a regular basis | Organisational measures | Policy building measures
Email Misuse | Deliberate Acts | + | + | + | o | +
Hacking | Deliberate Acts | + | + | + | o | +
Malware | Deliberate Acts | + | + | + | o | +
Deficiency of (COTS-)Software | Technical failure | + | o | + | + | +
Insider Attacks | Deliberate Acts | + o (column positions not legible in the extraction)
Organisation | Organisational shortcomings | o o + + (column positions not legible in the extraction)
Sabotage | Deliberate Acts | + o + o (column positions not legible in the extraction)
User Unawareness, Threats via VoIP, Threats via Remote Access, Malfunction, Network Threats | Force majeure / Organisational shortcomings / Human error / Technical failure / Deliberate Acts | row-to-cluster assignment and marks not legible in the extraction


Organisational measures and policy building

These measures seem to have a lower impact on risk reduction, which is somewhat misleading. Of course, organisational measures like the installation of liaison and contact points and other supportive measures may have no visible short-term influence on direct risk reduction; their benefits will become obvious only over a longer timeframe, when their implementation shows operational benefits.

So these organisational and further policy building measures are usually an unconditional prerequisite for the implementation of tools and procedures which are or will be operationally effective.

The detailed evaluation of the underlying single measures shows that there should be a certain focus on enabling the build-up of early warning and CERT networks as well as joint test centres. Furthermore, all policies fostering information exchange should be pursued, and the development, adaptation and implementation of standards will be a helpful policy line.

8.4 Identified Trends as Policy Drivers

It is the intent of this analysis to give some indication of how the importance of policy measures will develop in the future. The future in our case is characterised by the trends we expect in ICT technology and their expected impact on the operation and security of the critical infrastructures under consideration. Besides the ICT trends, general trends in the individual ECI sectors energy, transport and finance have been identified, which by themselves or in combination with ICT will contribute to changes in risks. The tendency of trends influencing future risks is indicated by the arrows in the grey-shaded column.

The trends are grouped into the categories

• ICT-Trends

• Trends in the Energy infrastructure sectors

• Trends in the Finance infrastructure sectors

• Trends in the Transport infrastructure sectors

A more detailed discussion of the main trends is given in section 7.4. As in the above subsection the boxes shaded green in the following Table 21 indicate which policy line we consider particularly supportive for reducing the trend-related risk to the infrastructure29.

29 Risk-invariant trends flagged with horizontal arrows are not mapped to policy lines; the boxes are left blank.


This is a summary of the evaluation at policy line level. In the detailed Excel sheets, each policy line is broken down into its individual sub-measures, and the relevance of each individual measure for the trend has been evaluated in detail. In summary:

ICT sector view

Measures should be taken and particularly prepared for increased risks originating from the use of commodity platforms, increasing system complexity (focus on cooperative structures), network connectivity and the use of wireless networks (focus on procedural measures). The main policy measures to mitigate these upcoming trend-related risks are the establishment of test centres and their operational usage, as well as the fostering of joint training and exercises.

Energy sector view

Generally the energy sector is the one requiring the most intensive future care in nearly all categories of policy lines. Analogous to the ICT sector, establishing test centres and performing joint exercises are the main mitigation strategies. They should be complemented by better early warning and alert systems and intensive information exchange measures.

Finance sector view

The most dangerous risk increases are expected from the increased use of mobile services in conjunction with increased chances of ID fraud. To prevent this, joint actions across all policy lines are obviously needed, as well as intensive information exchange and the development or adaptation of adequate security standards (organisational and policy building measures).

Table 21: Relevance of Policy Lines/Measures vs. Trends

Columns: Sector | Trend | Contribution of Trend to Risk | Operational cooperation structures | Procedural measures | Information exchange on a regular basis | Organisational measures | Policy building measures. Arrows as reconstructed from the extracted glyphs: ↑ and ↗ (two arrow styles in the original) indicate an increasing contribution to risk; → indicates a risk-invariant trend, which is not mapped to policy lines (footnote 29). Cell marks as extracted: + and o; where fewer than five marks survive, they are given in column order in one cell.

ICT Technology | Increased connectivity between networks | ↑ | o + o o (one column blank)
ICT Technology | Increased wireless networks | ↗ | o + o o (one column blank)
ICT Technology | IP-based network communication | → | 
ICT Technology | Broadened use of commodity IT platforms | ↗ | + o o + (one column blank)
ICT Technology | Cloud Computing | ↗ | o o o o (one column blank)
ICT Technology | System complexity | ↗ | + o o + (one column blank)
Energy Infrastructure | Smart Grids | ↗ | + | + | + | o | +
Energy Infrastructure | Grid dynamics | ↗ | + | + | + | o | +
Energy Infrastructure | Regulatory Requirements | ↗ | o + (three columns blank)
Finance Infrastructure | Satellite-based communication | → | 
Finance Infrastructure | Banking services on mobile devices | ↗ | + | + | + | + | +
Finance Infrastructure | New ID fraud opportunities | ↑ | + | + | + | + | +
Finance Infrastructure | SEPA (Single European Payments Area) | → | 
Transportation Infrastructure | Integration of air traffic control systems with airline operation centres | → | 
Transportation Infrastructure | Enhancement of air traffic communications | ↗ | + | + | o | o | +
Transportation Infrastructure | Higher navigation accuracy due to increased traffic | → | 
Transportation Infrastructure | Better surveillance with tools for better situational awareness | → | 
Transportation Infrastructure | Improvement of safe separation in remote airspace | ↗ | + | + | o | o | +
Transportation Infrastructure | Automated decision aids in air traffic management | → | 
Transportation Infrastructure | Implementation of telematics solutions for vessels and ports | → | 
Transportation Infrastructure | Optimal integration of Vessel Traffic Service (VTS) Systems | → | 
Transportation Infrastructure | Provision of vessel traffic information services for inland waterways | → | 
Transportation Infrastructure | Intelligent routing tool for ship transport in ice-covered waters | → | 
Transportation Infrastructure | Improved distribution of traffic information | → | 
Transportation Infrastructure | High-speed rail transport with corresponding control systems (row label garbled as “konkret” in the extraction; trend taken from section 7.4.4.3) | ↗ | + + o o (one column blank)
Transportation Infrastructure | Unification of European train control systems for signalling and train protection | ↗ | + | + | o | + | +
Transportation Infrastructure | Mobile communication for railway usage | ↗ | + | + | o | o | o
Transportation Infrastructure | Traffic estimation and prediction and dissemination | → | 
Transportation Infrastructure | Intelligent transport systems | ↗ | + | + | o | + | o
Transportation Infrastructure | Improvement of tunnel safety, like decision support systems for operators | → | 

Transport sector view

Focus in air traffic should be on the enhancement of the security of air traffic communications, and in secure procedures for separation of traffic in remote air space. Actions are recommended across the whole spectrum of policy lines with focus on cooperative structures and procedures backed by policy building measures (development of test centres).

In ground traffic, operational measures should concentrate on high-speed train control in conjunction with the increased use of mobile / radio-based communications, and, on the organisational and policy level, on the harmonisation of the European train control system. Concretely, joint exercises and test centres are regarded as risk mitigating, as are the development, adaptation and implementation of common security standards for this sub-sector.

No specific trend-related policy measures have been identified for the sub-sector waterways, which does not mean that there are no requirements.

As in other sub-sectors, the risk entailed in trends of the road sector (e.g. future intelligent road traffic monitoring) can be mitigated by cooperation structures (including test centres) and procedures (joint exercises), but also by measures concerning the implementation of security standards.

In summary, the evaluation of the individual measures shows again, as in the previous chapter, that also from the viewpoint of future trends the main thrust should be given to collaborative actions such as scenario-based training and exercising, the establishment of test centres and the development of standards. Information exchange remains an important cross-cutting activity.


8.5 Future Policy Lines

The Methodology

This summarising evaluation tries to give some indication of how the policy lines and individual measures should be seen in the future. First, the policy measures were evaluated with respect to their implementation status (see Table 22, column with blue marks).

• Blank means that no concrete measure could be identified in the various documents on action lines.

• “Planned” indicates that, to our knowledge, further measures are planned but not documented and released “officially”.

• “In progress” means that there are concrete official EU initiatives (papers) which document which measures should be or are being implemented, and how.

• “Existing” indicates that measures are already working or are starting to work.

Furthermore, the policy measures are mapped against the main risks and the main trends for which they have been found to be relevant in the previous chapters (yellow marks). For each measure, the study identified whether best practices are already in place (green marks).

The recommendations for future actions have been derived by the following logic:

• “Recommendation for Action” in the header of the right column means that the project has found a degree of intensity or urgency with which a new measure should be initiated or an ongoing or started measure should be intensified.

• If there is a major risk or trend related to the measure (at least one yellow mark) and no best practices are in place yet, the measure should be reinforced, independent of whether it is already in progress, planned or not yet existing (blank item in the blue column). A prerequisite for any recommendation of policy action is that the measure will be supportive against either existing risks or those expected from trends. If both boxes (risk and trend) are blank, the related action is marked “minor”.

• Generally, the recommendation addresses both importance and urgency if the yellow mark is in the “main risk” column, which means the risk already exists. If the yellow mark is in “trend”, the measure is important but perhaps not as urgent, depending on when the trend will significantly impact ECIs.

Of course, the realisation status of measures varies between different infrastructures and individual Member States. This evaluation is therefore only a limited view from the project. The value of this chapter should be seen in giving some recommendations on ongoing and future policy measures. A full-scale inference on all arguments and influencing parameters, with starting conditions varying between Member States and between sectors, cannot be given in this study. However, it is encouraged to develop this methodology into a more comprehensive tool for identifying, justifying or prioritising future policy lines and measures.


Policy Lines | Single Measure | EU policy lines | Main risks | Trends | Existing Best practices | Recommendation for Action
--- | --- | --- | --- | --- | --- | ---
Operational cooperation structures | Early Warning and Alert System | in progress | 6 | 2 | + | continue
Operational cooperation structures | CERTs and CERT networks | in progress | 3 | 0 | | reinforce
Operational cooperation structures | Joint exercises (e.g. for developing / improving cooperation strategies) | in progress | 1 | 5 | + | continue
Operational cooperation structures | Usage of test centres | planned | 2 | 11 | | reinforce
Operational cooperation structures | Mutual support structures (e.g. sharing of resources) | | 0 | 2 | + | minor
Procedural measures | Identification of ECIs and their criticality; regular | existing | 0 | 0 | | continue
Procedural measures | Implementation of OSPs / contingency plans | existing | 0 | 0 | o | continue
Procedural measures | Scenario development and analysis | | 0 | 3 | + | minor
Procedural measures | Joint exercises (e.g. for exercising novel threats) | in progress | 7 | 9 | + | continue
Procedural measures | Joint training programs (e.g. for training cross-border cooperation) | | 0 | 7 | | reinforce
Procedural measures | Establishment and exercising of best practices system | in progress | 4 | 3 | o | reinforce
Information exchange on a regular basis | Regular reporting of incidents | in progress | 4 | 4 | + | continue
Information exchange on a regular basis | Establishing of expert groups on selected matters | existing | 4 | 5 | + | continue
Information exchange on a regular basis | Establish information sharing processes | in progress | 3 | 5 | + | continue
Information exchange on a regular basis | Establish best practices exchange process | in progress | 2 | 4 | o | reinforce
Organisational measures | Install SLOs | | 0 | 0 | o | minor
Organisational measures | Install ECI contact points | existing | 0 | 0 | | continue
Organisational measures | Application of “standard” methodologies (e.g. for threat & risk assessment) | | 0 | 0 | | minor
Organisational measures | Implementation standards | | 2 | 2 | | reinforce
Organisational measures | Development / adaptation of standards | | 2 | 3 | + | reinforce
Organisational measures | Support and supervision of implementation measures | in progress | 0 | 1 | + | minor
Organisational measures | Regular update of stock-taking and analysis results | existing | 0 | 0 | | continue
Policy building measures | Working fora | in progress | 0 | 0 | | minor
Policy building measures | Stock taking of national and sector-specific approaches | existing | 0 | 0 | + | continue
Policy building measures | Development of common methodologies for risk, threat, vulnerability analysis | existing | 0 | 0 | | continue
Policy building measures | Development of minimum CERT capability standards | in progress | 3 | 0 | | reinforce
Policy building measures | Development of incentives / frameworks for PPPs | in progress | 0 | 0 | | minor
Policy building measures | Development of test centres | planned | 4 | 9 | | reinforce
Policy building measures | Development of definitions, criteria, approaches, templates | existing | 0 | 0 | | continue
Policy building measures | Development / adaptation of security standards | | 2 | 2 | + | reinforce

Table 22: Summary Assessment of Policy Line Measures

Summary evaluation of measures to be reinforced

The measures considered as candidates for reinforcement are required to better counter existing or developing risks. They are either not covered, or not sufficiently covered, by existing initiatives or existing best practices. In summary:

• Early warning and CERT-systems

These networks or comparable systems for cooperative assessment are expected to have a large potential. This of course includes the development of adequate standards for warning and alert and the harmonisation of national approaches. These structures are also expected to have a multitude of positive side effects, such as the building of trust and confidence across organisations, sectors and borders, cost savings through the sharing of resources and information, and growth potential when implemented along an incremental process.

• Training and Exercising:

Similar effects are expected from joint exercising and training activities, which are considered a main prerequisite for improved cooperation, mutual support in cases of emergency, and the capability to better handle incidents with an international dimension.

• Test Centres

It is expected that the usage of (joint) test centres has a large potential to identify risks and to develop mitigation strategies. This applies especially in those fields where cooperative and connected ICT structures are or become essential, e.g. new transnational (financial) services, (transport) control systems, or further rising system connectivity and complexity.

• Best Practices

Best practices are to a large extent sector-specific. On one hand they lack harmonisation; on the other hand, and in particular, the exploitation of the huge potential of cross-sector and cross-border exchange of findings and experiences should be strongly fostered.

• Standards

Standards, beyond the fields of CERTs, test centres and training and exercising discussed above, are seen as most helpful in the harmonisation of communication protocols and of security procedures and technologies. Trends especially in the finance and transport sectors (railways and road) will lead to new transnational systems and system usage which must be supported by corresponding policy lines. Standards per se, however, do not have a value of their own. The benefits of standards can only be exploited if they can be implemented at reasonable cost and if the implementation process is strongly supported, e.g. by obvious or added incentives and by voluntary, in some cases even mandatory, regulatory frameworks.

Further measures

Most other measures in progress or already existing are assessed as important and recommended to be continued as planned (see Table 22). But there are a few measures which, from this study’s point of view, are considered of minor importance or urgency. It is once more emphasised that, from a different perspective, different conclusions may emerge. E.g. from a political perspective, measures like the support of public-private partnerships, the development of scenarios or international working fora may have a much higher priority, although this study has ranked them “minor”.


9 Stakeholder Involvement

9.1 General

Target groups of the study have been the European Commission, CI providers / operators of the three sectors, and governments / subordinate governmental organisations with CIP responsibilities in the Member States. These target groups have been seen both as contributors to, as well as beneficiaries of, the results of the project.

Involvement of these EU Member State stakeholders is a cross-cutting project activity which draws on their experience in order to achieve a comprehensive analysis of existing expertise and knowledge. The second line of stakeholder involvement is necessary for the development of requirements, for assessing the study results in view of these requirements, and for evaluating recommendations from the different stakeholders’ points of view.

A joint effort of as many European stakeholders as possible has been needed for producing dependable, sustainable and widely accepted project results. Therefore, exchange mechanisms between the project and CI stakeholders have been established and practised, and a platform has been prepared to bring together the different stakeholders and players to:

• Receive information on the methodology developed and results derived

• Exchange experiences and findings from daily operations and incidents

• Agree on intermediate and final results to be produced, and/or

• Even highlight areas of dispute.

Altogether, these activities have the ultimate goal of improving the dependability of critical infrastructures and their risk management, with a focus on dependency on ICT.

The work package WP4 “Stakeholder Involvement” aims to bring together experts from the energy, finance and transport sectors, comprising government organisations and initiatives, academies, applied researchers, industry sectors, manufacturers, and other stakeholders. This includes the identification of points of contact (POC) in the individual EU Member States as well as with related EU organisations.

The project members identified, contacted and interviewed persons familiar with CIP within the individual CI sectors and invited them to participate in stakeholder workshops to discuss the intermediate results. Different groups of stakeholders have contributed to, and gained from, participation in the project in different ways.

Providers / Operators of Critical Infrastructures

Dependency and threat models have been developed as the basic tool for dependency and risk assessment. Stakeholders of this group are encouraged to discuss and help refine these models and the relevant ICT threats, scenarios and vulnerabilities. This also includes existing protection strategies and the influence of the various related national laws and regulations. In return, CI providers and operators are expected to gain several benefits from participating in the project, which include:

• Access to agreed models of CI dependencies


• Assessed criticality of the major CI components and their dependency on ICT

• Security measures as decision support for identifying further elements of CIP

• Best practices, synergies between sectors and of their protection strategies

• Information on recommendations for future EU policy initiatives

• Assessment of the expected impact of measures recommended by the study

• Cooperation support for trans-national activities to mitigate effects of an ICT infrastructure disruption

• Improved trusted relationships with responsible people in the respective sectors.

Governmental Organisations

Governments and governmental organisations have been invited to outline their national CIP policy issues and to provide input on criticality analyses performed at a national level. Their benefits include

• Information on CI models and methodology for criticality assessments

• Elaborated typical cross-sector and cross-border dependencies

• Best practices, synergies between, and protection strategies of the different sectors

• Information on recommendations for future EU policy initiatives

• Input and guidance for national activities.

Other Organisations

There are also other target groups such as industrial associations, research communities, security sensitive industries or other public authorities which can benefit from the study activities.

These organisations contributed by supporting the development of further stakeholder involvement and views as well as comments on the methodological approach.

The final results will be presented at a final project stakeholder conference (see subsection 9.5 for more detailed information).

9.2 Approach

The project team specified different channels which were used to identify and capture POCs covering all relevant stakeholder categories. The channels are:

• Infrastructure providers, suppliers and manufacturers in the sectors energy (sub-sectors: electricity, gas, oil), finance (sub-sectors: supervision, securities trading, payment), transport (sub-sectors: air traffic, road, railroad, waterways) and others which comprise ICT-focused services


• Federal and regional ministries (e.g. of economy, transport) with their subordinated agencies

• R&D institutions, including universities

• Other organisations (non-governmental organisations, associations, foundations, sensitive industries other than critical infrastructures operators).

The preparation of adequate stakeholder involvement has included:

a) Compiling a list of people and institutions the project members were familiar with and/or have contacts to and deciding who should be contacted with respect to this project,

b) Analysing available POC lists like the comprehensive catalogue of CI2RCO

c) Internet screening to identify further relevant organisations and bodies,

d) Participation in national and international workshops like

- ESTEC

- CIP Expert Group

- German CIP implementation plan, working groups “Maintenance of critical infrastructure services” and “Emergency and crisis exercises”

e) Preparation of an invitation and an EU reference letter and further incentive material for stakeholders to be addressed and invited to a project stakeholder workshop.

The project members used the following methods of contacting potential POCs:

• E-mail,

• Telephone – usually following an e-mail or a traditional letter,

• Personal contacts

9.3 Interviews and Other Bilateral Contacts

The project partners MVV, PSI and SRC, each of which is responsible for one of the sectors “energy”, “transport” and “finance”, contacted experts in the different sub-sectors of their sector and discussed the methodological approach with them: the objects and processes of the sub-sectors, the overall sector model, and the criticality assessment of system components and processes were identified with respect to dependencies on ICT. The goal was to improve the models step by step, where necessary, and finally to validate them.

Energy Sector

MVV as the responsible partner for the energy sector contacted experts via telephone and email and interviewed them on the different energy sub-sectors.


• Sub-sector “electricity”: The UCTE adviser in charge of CIP issues and a control room manager of a distribution company were interviewed face to face; the TSO manager of the Northern UCTE control area and the European network manager of Vattenfall Transmission Europe were contacted.

Subsequent to the interim workshop, a member of the corporate security department of an energy supplier was interviewed, as was a representative of a SCADA manufacturer.

• Sub-sector “gas”: the Executive Secretary, the Vice-Executive Secretary, the chairman of GIE Security SG, and a gas network planning engineer were interviewed face to face.

• Sub-sector “oil”: experts from BP and ÖMV were interviewed via telephone.

On the whole, the sub-sector experts interviewed face to face accepted the modelling approach. GIE acted as keynote speaker at the stakeholder workshop on March 4th, 2009.

Finance Sector

SPOT, and subsequently SRC, contacted and interviewed experts in the different finance sub-sectors and organised, together with the Federal Association of German Banks and its members, three workshops:

• Representatives of WestLB, Sal. Oppenheim and Ärzte- und Apotheker Bank were interviewed; they provided recommendations on how to split the model into sub-models with respect to national and European transaction processes.

• BaFin and Bundesbank supervised a workshop for the sub-sector “supervision” with representatives from supervisory authorities as well as from market participants and the EC, which took place in Frankfurt on March 18, 2009.

• A workshop focussing on the sub-sector “securities trading” with market participants and major service providers took place in Frankfurt on March 5, 2009.

• A workshop concentrating on “payment systems in Europe”, supervised by Deutsche Bank, took place in Eschborn (Germany) on March 19th, 2009. Participants included, among others, EBA Clearing, Commerzbank, Postbank, National-Bank, Bundesbank, BaFin, BSI and the EC.

Transport Sector

PSI as the responsible partner for the transportation sector contacted and interviewed experts in the different transportation sub-sectors.

• Sub-sector “airway”: a Eurocontrol representative was interviewed. He made some recommendations on how to upgrade the model with respect to “air traffic control” including the respective process.

• Sub-sector “waterway”: a representative of the German Water and Shipping Directorate was interviewed. He accepted the model, but provided advice regarding the assessment of the process “average handling” and the interference liability of radio communication.

• Sub-sector “railway”: a representative of Rhätische Bahn (CH) was interviewed. He accepted the model approach and stressed the high importance of the process “operating surveillance”, also for international traffic and especially for single-track connections with tight schedules.

• Sub-sector “road”: a representative of the Tunnel Safety and Security Network (TUSEC) was interviewed. He accepted the model and underlined the necessity of cooperation between SCADA systems in tunnels which connect two countries.

9.4 Workshops and Presentations

In parallel to interviews and other bilateral contacts, the project and its aims were presented to and discussed with a wider stakeholder community:

• ESTEC workshop ”Towards the Implementation of the European Network of SCADA Security Test Centres for Critical Energy Infrastructures”, November 18th, 2008, Brussels.

The workshop was organised by the contractors of the EC feasibility study on a “European network of secure test centres for reliable ICT-controlled critical energy infrastructures (ESTEC)” and was attended by European stakeholders from the energy, control systems and ICT sectors. IABG was also invited and had the opportunity to deliver a short presentation about the ICT dependency study and to participate in a round table discussion. The event was very helpful for getting in contact with various European stakeholders.

• Workshop of the working groups “Maintenance of critical infrastructure services” and “Emergency and crisis exercises” within the German CIP implementation plan, November 26th, 2008, Bochum.

The workshop was attended by representatives of public and private stakeholders of all critical sectors. The purpose and objectives of the study were presented, and the approach and methodology developed in the project were explained in detail. The presentation led both to several new stakeholder contacts and to very useful comments and amendments to the current sector-specific CI models.

• Meeting of the CIP expert group “Cross-sectoral interdependencies between the ICT sector and electricity networks infrastructures”, December 5th, 2008, Brussels.

The meeting was organised and chaired by the European Commission and was attended by representatives of the European Commission, other European institutions, CIP agency experts of other Member States, and representatives from ICT industry and energy providers. During the meeting, current EC studies (e.g. the ICT dependencies study) and research projects were presented, and different focuses, approaches and first results were discussed.

• Stakeholder workshop, Ottobrunn, 4th of March 2009.


This workshop was organised by the project team of the study on Critical Dependencies of Energy, Finance and Transport Infrastructures on ICT Infrastructure and was attended by CI stakeholders (see Figure 21). The goal of the workshop was to validate the compiled interim results and to harmonise the different views and appraisals concerning the modelling approach and criticality. On the basis of the harmonised views and appraisals, the models were aligned and the final study results have been compiled and published in this report. In addition, the results will also be presented at the final workshop in Brussels on 8th of June 2009.

[Figure 21: chart not reproduced; nationalities shown: DE, EU, GB, IT, NL, SE; functions shown: research, association, consultant, public, operator]

Figure 21: Audience composition of the stakeholder workshop according to nationality and functions

• PARSIFAL30 workshop, Frankfurt, 16th – 17th of March, 2009

The workshop was headlined “Securing the Future Critical Financial ICT Infrastructure (CFI)”. Participants were members of international banks and service providers of the banking and finance sector. Interim results of this study were presented at the PARSIFAL workshop. The results of the workshop will be published in a separate report. They have been an important source and input for the chapter “trends” of this study.

9.5 Dissemination Activities

Additionally, the project team wants to broaden the basis for further contacts by winning more sector experts. Therefore a POC list has been established and expanded step by step during the course of the project. Currently, the list comprises 234 POCs and has been used to invite experts from all sub-sectors and from as many EU countries as possible (see Figure 22) to the final workshop in Brussels on 8th of June 2009.

30 EU FP7 Coordination Action “Protection and trust in financial infrastructures” (PARSIFAL)

Figure 22: Number of POCs per country (incl. EU POCs)

Table 23 provides an overview of the distribution of the collected POCs per sector and sub-sector.

Sector | Sub-sectors | Total
--- | --- | ---
Energy | Electricity 72, Gas 10, Oil 7, Other 1 | 90
Transport | Air Traffic 16, Waterways 5, Railroad 4, Road 5, Other 2 | 32
Finance | Supervision 5, Trading -, Transaction -, Other 50 | 55
Other | CIP 9, ICT 7, EU 2, Other 39 | 57

Table 23: Number of collected POCs per sector and sub-sector

The purpose of the final workshop is to communicate the study approach, its models and results to more experts in order to disseminate the study results to a broader European audience, which should help to improve the problem understanding of the contacted experts concerning


the criticality of CI objects and processes. Due to the different functions of the experts (see Table 24), manifold views on the criticality of objects and processes can be gained. The functions of the companies / institutions in charge of the respective POCs have been subdivided into operator, public authority, association, research, technology provider, agency, consultancy, and other. Table 24 shows that more than 92% of the collected POCs represent the functions operator, public authority, association and research.

Function Number of POCs

Operator 108

Public Authority 45

Association 21

Research 43

Technology Provider 3

Agency 2

Consultancy 10

Other 2

Table 24: Functions of the collected POCs

Well-developed contacts and a carefully established POC list are the reason that the final workshop was fully booked within a short time. Only the available seats in the conference room limit the number of participants31 of the workshop. Figure 23 shows that

• representatives of many different European countries will attend the workshop

• all required sectors and functions were covered.

31 40 participants


[Figure 23: chart not reproduced; Countries: AT, BE, CH, DE, EE, EU, FI, FR, NL, NO; Sectors: Energy, Financial Services, Transportation, Other; Functions: Association, Consultancy, Operator, Public Authority, Research]

Figure 23: Segmentation of the Workshop Participants concerning Country, Sector and Function


A Annex

A.1 Abbreviations

BaFin Bundesanstalt für Finanzdienstleistungsaufsicht - Federal Financial Supervisory Authority

BBK Bundesamt für Bevölkerungsschutz und Katastrophenhilfe – German Federal Office of Civil Protection and Disaster Assistance

BCM Business Continuity Management

CCP Central counterparty

CERT Computer Emergency Response Team

CESR Committee of European Securities Regulators

CIWIN Critical Infrastructure Warning Information Network

CPSS Committee on Payment and Settlement Systems

CSD Central securities depository

DIN Deutsches Institut für Normung - German Institute for Standardization

EBA Euro Banking Association

EC European Commission

ECB European Central Bank

ECI European Critical Infrastructure

ESCB European System of Central Banks

EISAS European Information Sharing and Alert System

ENISA European Network and Information Security Agency

EPCIP European Programme for Critical Infrastructure Protection

ESTEC European Network of SCADA Security Test Centres for Critical Energy Infrastructures

FP 6 / FP 7 Research Framework Program (of the European Commission)

GIE Gas Infrastructure Europe

HW Hardware


ICT Information and Communication Technology

IEC The International Electrotechnical Commission

ISO The International Organization for Standardization

JLS European Commission, Directorate-General Justice, Freedom and Security

LAN Local area network

LNG Liquefied natural gas

MPLS Multiprotocol Label Switching

MTBF Mean time between failures

MTTR Mean time to repair

POC Point of Contact

R&D Research & Development

RTGS Real Time Gross Settlement

SAE Society of Automotive Engineers

SCADA Supervisory Control and Data Acquisition

SW Software

SWIFT Society for Worldwide Interbank Financial Telecommunication

TARGET Trans-European Automated Real Time Gross Settlement Express Transfer

TREN European Commission, Directorate-General Energy and Transport

TSO Transmission System Operator

UCTE Union for the Co-ordination of Transmission of Electricity

WAN Wide area network

WP Work Package


A.2 References

BERR_2008 2008 Information Security Breaches Survey, Department of Business Enterprise & Regulatory Reform, 2008

BIS_CP_2001 Bank for International Settlements, Committee on Payment and Settlement Systems, Core Principles for Systemically Important Payment Systems, January 2001

BMI_BPC_2005 Protection of Critical Infrastructures – Baseline Protection Concept, Recommendation for Companies, Federal Ministry of the Interior, Section P II 1

BMI_PESG_2007 Protection of the Electricity supply in Germany, 12.11.2007, restricted by the German Federal Ministry of the Interior

BMI_UPK_2007 Umsetzungsplan KRITIS des Nationalen Plans zum Schutz der Informationsinfrastrukturen, 6.9.2007, German Federal Ministry of the Interior

BMWi_AASE_2008 Analysis and Assessment of Security of Electricity supply, 30.5.2008, German Federal Ministry of Economics and Technology

BSI_GS_Cat_2008 IT-Grundschutz-Catalogues, German Federal Office for Information Security, 2005, updated 2008

BSI_ITSG_2004 IT Security Guidelines: IT Baseline Protection in Brief, German Federal Office for Information Security., Bonn, 2004

BSI_Lage_2007 The IT-Security Situation in Germany in 2007, German Federal Office for Information Security, April 2007

BSI_Lage_2009 The IT-Security Situation in Germany in 2009, German Federal Office for Information Security, March 2009

BSI_Lage_Q1_2008 Internet-Lagebild Erstes Quartal 2008, German Federal Office for Information Security, April 2008

BSI_Lage_Q4_2008 Lagebericht 4. Quartal 2008, German Federal Office for Information Security

DB_FID_2009 Financial Industry Developments in Europe, Gerd Lübke, Deutsche Bank, March 2009


ECB_OPolF_2009 Eurosystem Oversight Policy Framework, ECB, Feb. 2009

ECN_2008 European CIIP Newsletter, Volume 4, Number 1, March/April 2008, Main editor B. Hämmerli

EI_CICS_2008 Critical Infrastructure Cybersecurity: Survey Findings and Analysis, Energy Insights, IDC Company, November 2008

ENISA_PECCA_2008 Protecting Europe’s Citizens against Cyber Attacks, European Network and Information Security Agency, 2008

ENISA_PSG_2006 The PSG Vision for ENISA, Permanent Stakeholders Group (PSG) at European Network and Information Security Agency (ENISA), May 2006

ENISA_ST_2008 Stock Taking of Member States’ Policies and Regulations related to Resilience of public eCommunications Networks, European Network and Information Security Agency, September 2008

ENISA_WP_2008 Multi-annual Thematic Programmes, horizontal activities, provision of advice and assistance and administrative activities of the European Network and Information Security Agency.

ETH_CIIPHB_2008 INTERNATIONAL CIIP HANDBOOK 2008 / 2009, Series Editors, Andreas Wenger, Victor Mauer and Myriam Dunn Cavelty, Center for Security Studies, ETH Zurich

EU_COM_CIIP_2009 Communication from the Commission on Critical Information Infrastructure Protection, COM(2009)149 final, Brussels, 30.3.2009

EU_COM_EPCIP_2006 Communication from the Commission on a European Programme for Critical Infrastructure Protection, COM(2006) 786 final, Commission of the European Communities, Brussels, 12.12.2006

EU_DIR_ECI_2008 COUNCIL DIRECTIVE on the identification and designation of European Critical Infrastructures and the assessment of the need to improve their protection, 2008/114/EC, Council of the European Union, Brussels, 8 December 2008

EU_GP_EPCIP_2005 Green Paper on a European Programme for Critical Infrastructure Protection, COM(2005) 576 final, Commission of the European Communities, Brussels, 17.11.2005

EU_ICTDEP_2008 Inception Report on “Study on Critical Dependencies”, 12.9.2008

EU_INFSO_2007 “Availability and Robustness of Electronic Communication Infrastructures, The ARECI-Study”, Final Report, Commission of the European Communities, DG INFSO, March 2007

EU_SC_2007 Service Contract “Study on Critical Dependencies”, JLS/2007/D1/027; 8.7.2008; 12/07/2007

EU_SCA1_2007 Service Contract “Study on Critical Dependencies” – Annex 1 (Tender Specification and Terms of Reference), JLS/2007/D1/027; 17/07/2007

EU_SCA1_2007 Service Contract “Study on Critical Dependencies” – Annex 2 (Contractor’s Tender), JLS/2007/D1/027; 4.10.2007

EU_TREN_2007 Communication on “Protecting Europe’s Critical Energy and Transport Infrastructure” (SEC(2006)1697, 02.02.2007, restricted EU)

FE_2008 Frontier Economics, Kosten von Stromversorgungsunterbrechungen, RWE AG, 4. Juli 2008

GTISC_ECTR_2008 Emerging Cyber Threats Report for 2009, Georgia Tech Information Security Center, October 2008

IOA_SGT_2009 Critical flaws in next generation Energy Infrastructure, Press Release, IOActive, 23rd March 2009

ITSM_2004 IT Service Management: eine Einführung, J. van Bon, von Van Haren Publishing, 2004

MaRisk_2007 Mindestanforderungen an das Risikomanagement – MaRisk, Rundschreiben 5/2007 der BaFin, 30.10.2007

Pars_CFI_2009 “Securing the Future Critical Financial ICT-Infrastructure”, Closed Workshop from FP7-Project Parsifal, 16th/17th March 2009 (unpublished)

RM_2007 Petroplus Holdings AG 2007 Annual Report, Research and Markets, 2007

SIA_2009 Corporate Profile; SIANET.NG – The solution for the whole financial industry, SIA-SSB; www.siassb.eu, April 2009

SolvV_2006 Verordnung über die angemessene Eigenmittelausstattung von Instituten, Institutsgruppen und Finanzholding-Gruppen (Solvabilitätsverordnung – SolvV), 14.12.2006

SWIFT_2008 Annual Report, SWIFT, 2008; The secure IP network, SWIFT, 2008

SWIFT_2009 Maintaining the resilient infrastructure for global financial messaging, R. Gambineri, SWIFT, Parsifal Workshop, March 2009; www.swift.com, April 2009

SYM_STR_2009 Symantec EMEA Internet Security Threat Report – Trends for 2008; Symantec Enterprise Security, Volume XIV, April 2009

TPT_SC_2008 Establishment of TSO System Security Cooperation of 11 transmission providers, Press Release, 22.12.2008, Transpower Stromübertragungs GmbH

UCTE_2004 Operation Handbook, V2.5, 2004, UCTE; Operation Handbook, V0.9 E, 2006, UCTE

UCTE_2006 Final Report, System Disturbance on 4 November 2006, UCTE


A.3 Catalogue of Current ICT-Threats

Category / Threat Catalogue / Single Threats

Category: Email
  Deliberate Acts: Misuse of e-mail services; Overload due to incoming e-mails; Mail bombs; Misuse of webmail; Misuse of active content in e-mails

Category: Hacking
  Deliberate Acts: Masquerading; IP spoofing; DNS spoofing; Web spoofing; Espionage; Web bugs; Spyware; SQL-Injection; Manipulation of data or software

Category: Insider
  Deliberate Acts: "Inquisitive" staff members; Abuse of user rights; Abuse of administrator rights; Permitting use of VPN components by third parties

Category: Malware
  Deliberate Acts: Trojan horses; Computer viruses; Macro viruses; Misuse of active contents

Category: Mobile & Remote Access
  Force majeure: Degradation due to changing application environment
  Organisational shortcomings: Insufficient consideration of mobile devices in patch and change management; Inadequate security mechanisms on PDAs
  Technical failure: Loss of data when using a portable device
  Deliberate Acts: Abuse of remote maintenance ports; Misuse of information on portable terminal devices; Spreading malicious software via mobile data media

Category: Network
  Force majeure: Failure or malfunction of a wireless network
  Organisational shortcomings: Inadequate regulations for the use of WLAN; Inappropriate selection of WLAN authentication methods; Inadequate monitoring of WLANs; Lack of, or insufficient, rules for the use of VPN
  Human error: Incorrect configuration of WLAN infrastructure
  Technical failure: Uncontrolled radiowave propagation; Unreliable or missing WLAN security mechanisms
  Deliberate Acts: Hijacking of network connections; Attacks on WLAN components; Tapping of WLAN communication; Man-in-the-middle attack

Category: Organisation
  Organisational shortcomings: Lack of, or insufficient, rules; Insufficient knowledge of rules and procedures; Insufficient monitoring of IT security measures; Disturbance to business processes as a result of IT security incidents; Inappropriate siting of security relevant IT-systems

Category: Sabotage
  Deliberate Acts: Denial of services; Sabotage

Category: Deficiency of (COTS-)Software
  Technical failure: Discovery of software vulnerabilities; Software vulnerabilities or errors; Software conception errors
  Organisational shortcomings: Undocumented functions; Insecure protocols in public networks

Category: User Awareness
  Human error: Loss of data confidentiality/integrity as a result of IT user error; Non-compliance with IT security measures; Errors in configuration and operation; Inappropriate handling of passwords; Carelessness in handling information; Insufficient acceptance of IT security; Unregulated and careless use of printers, copiers, and all-in-one devices
  Deliberate Acts: Social engineering; Manipulation by family members or visitors

Category: VoIP
  Human error: Incorrect configuration of VoIP middleware; Incorrect configuration of VoIP components
  Technical failure: Failure of a VoIP architecture; Malfunction in use of VoIP over VPN; Vulnerabilities in use of VoIP user devices; Unavailability of VoIP caused by NAT
  Deliberate Acts: SPIT and VISHING


A.4 Catalogue of IT Security related Standards in Transport Infrastructures

Generic Standards

"ISO 9735:1988: Electronic data interchange for administration, commerce and transport (EDIFACT) -- Application level syntax rules"

ISO/AWI 10711: Intelligent Transport Systems -- Interface Protocol and Message Set Definition between Traffic Signal Controllers and Detectors (IPMSTSCD)

ISO/PRF TR 12859: Intelligent transport systems -- System architecture -- Privacy aspects in ITS standards and systems

ISO/NP TS 13185: Vehicle Interface for Provisioning and Support of ITS Services

ISO 14813: Intelligent transport systems -- Reference model architecture(s) for the ITS sector

ISO 14817: Transport information and control systems -- Requirements for an ITS/TICS central Data Registry and ITS/TICS Data Dictionaries

ISO 14819-1:2003: Traffic and Traveller Information (TTI) -- TTI messages via traffic message coding -- Part 1: Coding protocol for Radio Data System -- Traffic Message Channel (RDS-TMC) using ALERT-C

ISO 14819-2:2003: Traffic and Traveller Information (TTI) -- TTI messages via traffic message coding -- Part 2: Event and information codes for Radio Data System -- Traffic Message Channel (RDS-TMC)

ISO 14819-3:2004: Traffic and Travel Information (TTI) -- TTI messages via traffic message coding -- Part 3: Location referencing for ALERT-C

ISO 14819-6:2006: Traffic and Traveller Information (TTI) -- TTI messages via traffic message coding -- Part 6: Encryption and conditional access for the Radio Data System -- Traffic Message Channel ALERT C coding

ISO 14827-1:2005: Transport information and control systems -- Data interfaces between centres for transport information and control systems -- Part 1: Message definition requirements

ISO 14827-2:2005: Transport information and control systems -- Data interfaces between centres for transport information and control systems -- Part 2: DATEX-ASN

ISO 15662: Intelligent transport systems -- Wide area communication -- Protocol management information

ISO/DIS 17264: Intelligent Transport Systems -- Automatic vehicle and equipment identification -- Interfaces


ISO/PAS 17684:2003: Transport information and control systems -- In-vehicle navigation systems -- ITS message set translator to ASN.1 format definitions

ISO 17687:2007: Transport Information and Control Systems (TICS) -- General fleet management and commercial freight operations -- Data dictionary and message sets for electronic identification and monitoring of hazardous materials/dangerous goods transportation

ISO/TS 20625:2002: Electronic data interchange for administration, commerce and transport (EDIFACT) -- Rules for generation of XML scheme files (XSD) on the basis of EDI(FACT) implementation guidelines

ISO/TR 21707:2008: Intelligent transport systems -- Integrated transport information, management and control -- Data quality in ITS systems

ISO/PRF 24097-1: Using Web Services (machine-machine delivery) for ITS service delivery -- Part 1: Realization of interoperable web services

ISO/TR 24098: Intelligent transport systems -- System architecture, taxonomy and terminology – Procedures for developing ITS deployment plans utilizing ITS system architecture

ISO/TS 24534-1:2007: Automatic vehicle and equipment identification -- Electronic Registration Identification (ERI) for vehicles

ISO/FDIS 24978: Intelligent transport systems -- ITS Safety and emergency messages using any available wireless media -- Data registry procedures

ISO/TR 25100:2008: Intelligent transport systems -- Systems architecture -- Harmonization of ITS data concepts

DIN EN 61508 Funktionale Sicherheit sicherheitsbezogener elektrischer/elektronischer/programmierbar elektronischer Systeme

DIN V VDE 0801/01.90: Grundsätze für Rechner in Systemen mit Sicherheitsaufgaben

Sub-Sector Air Traffic

Luftfahrt-Bundesamt: Leitfaden

Luftfahrt-Bundesamt: Anleitung zur Erstellung des Luftfracht-Sicherheitsprogramms (LFSP)

VO (EG) Nr. 1217/2003: Festlegung gemeinsamer Spezifikationen für nationale Qualitätskontrollprogramme für die Sicherheit der Zivilluftfahrt

VO (EG) Nr. 1486/2003: Festlegung von Verfahren für die Durchführung von Luftsicherheitsinspektionen der Kommission im Bereich der Zivilluftfahrt

VO (EG) Nr. 1138/2004: Festlegung einer gemeinsamen Definition der sensiblen Teile der Sicherheitsbereiche auf Flughäfen

VO (EG) Nr. 849/2004: Festlegung gemeinsamer Vorschriften für die Sicherheit in der Zivilluftfahrt (Änderung von VO 2320/2002)


LuftSiG: Luftsicherheitsgesetz - Gesetz zum Schutz vor Angriffen auf die Sicherheit des Luftverkehrs, insbesondere vor Flugzeugentführungen, Sabotageakten und terroristischen Anschlägen; Stand: geändert durch Art. 49 G v. 21. 6.2005 BGBl. I 1818

VO (EG) Nr. 820/2008: Verordnung (EG) Nr. 820/2008 der Kommission vom 8. August 2008 zur Festlegung von Maßnahmen für die Durchführung der gemeinsamen grundlegenden Normen für die Luftsicherheit.

LuftSiSchulV: Verordnung zur Einführung von Luftsicherheitsschulungen vom 2. April 2008, Artikel 1 - Luftsicherheits-Schulungsverordnung (LuftSiSchulV)

LuftSiZÜV: Luftsicherheits-Zuverlässigkeitsüberprüfungsverordnung vom 23. Mai 2007

U.S. Department of Homeland Security, Transportation Security Administration: Recommended security guidelines for airport planning, design and construction

International Civil Aviation Organization International Standards and Recommended Practices – Security - Safeguarding International Civil Aviation Against Acts of Unlawful Interference

International Civil Aviation Organization: Human Factors Guidelines for Air Traffic Management Systems (Doc 9758)

International Civil Aviation Organization: Human Factors Guidelines for Safety Audits (Doc 9806)

International Civil Aviation Organization: Safety Management Manual (Doc 9859)

AS/EN 9100 - Qualitätsmanagementsystem-Anforderungen für die Entwicklung und Fertigung von Produkten in der Luft- und Raumfahrtindustrie

AS/EN 9110 - Qualitätsmanagementsystem-Anforderungen für Wartungsorganisationen

AS/EN 9120 - Qualitätsmanagementsystem-Anforderungen für Händler und Lagerhalter

Sub-Sector Water

ISO 17894: Ships and marine technology -- Computer applications -- General principles for the development and use of programmable electronic systems in marine applications

ISO 15849: Ships and marine technology -- Guidelines for implementation of a fleet management system network

ISO/PAS 16917: Ships and marine technology -- Data transfer standard for maritime, intermodal transportation and security

ISO/AWI 28005: Ships and marine technology -- Computer applications - Electronic port clearance (EPC)

ISO/PAS 22853: Ships and marine technology -- Computer applications -- Specification of Maritime Safety Markup Language (MSML)

AIS (Universal Shipborne Automatic Identification System)


Gefahrgutverordnung See (GGVSee)

Seesicherheits-Untersuchungs-Gesetz (SUG)

Sub-Sector Railways

DIN EN 50126: Railway applications - The specification and demonstration of reliability, availability, maintainability and safety (RAMS)

DIN EN 50128: Railway applications - Communications, signalling and processing systems - Software for railway control and protection systems

DIN EN 50129: Railway Applications: Safety Related Electronic Railway Control and Protection Systems

DIN EN 50159: Railway applications - Communication, signalling and processing systems

DIN EN 60870: Telecontrol equipment and systems

DIN EN 61069: Industrial-process measurement and control - Evaluation of system properties for the purpose of system assessment

International Railway Industry Standard (IRIS): Quality Management

Department of Homeland Security (DHS): Standards for Freight, Passenger Rail Systems

NFPA 130: Standard for Fixed Guideway Transit and Passenger Rail Systems

Sub-Sector Road

Directive 2004/54/EC of the European Parliament and of the Council on minimum safety requirements for tunnels in the Trans-European Road Network

ISO 15628: Road transport and traffic telematics -- Dedicated short range communication (DSRC) -- DSRC application layer

ISO/WD 11915: Communications Access for Land Mobiles: high speed, air interface parameters and protocols for broadcast, point-point, vehicle-vehicle, and vehicle-point communications in the ITS Sector using IEEE802.11 Wireless LAN standard in normal operational modes

ISO/NP 13181-1: Intelligent Transport Systems - Communications Access for Land Mobiles (CALM) - Security -- Part 1: Framework

ISO/NP 13181-2: Communications access for land mobiles (CALM) - CALM receiving public broadcast communications -- Part 2: Threat Vulnerability and Risk Analysis

ISO/NP 13181-3: Intelligent Transport Systems - Communications Access for Land Mobiles (CALM) - Security -- Part 3: Objectives and Requirements

ISO/NP 13181-4: Intelligent Transport Systems - Communications Access for Land Mobiles (CALM) - Security -- Part 4: Countermeasures


ISO/NP TS 13184: Real-time decision support system at all-way stop control intersections via nomadic and mobile devices

ISO 14814: Road transport and traffic telematics -- Automatic vehicle and equipment identification -- Reference architecture and terminology

ISO 14815: Road transport and traffic telematics -- Automatic vehicle and equipment identification -- System specifications

ISO 14816: Road transport and traffic telematics -- Automatic vehicle and equipment identification -- Numbering and data structure

ISO/DIS 21210: Intelligent transport systems -- Communications access for land mobiles (CALM) -- Networking protocols

ISO 21212: Intelligent transport systems -- Communications access for land mobiles (CALM) -- 2G Cellular systems

ISO 21213: Intelligent transport systems -- Communications access for land mobiles (CALM) -- 3G Cellular systems

ISO 21214: Intelligent transport systems -- Communications access for land mobiles (CALM) – Infra-red systems

ISO 24101: Intelligent transport systems -- Communications access for land mobiles (CALM) – Application management

ISO/CD 24102: Intelligent transport systems -- Communications access for land mobiles (CALM) – CALM Management

ISO/NP 24103: CALM mail

ISO/DIS 25112: Intelligent transport systems -- Communications access for land mobiles (CALM) -- Mobile wireless broadband using IEEE 802.16e/IEEE 802.16g

ISO/DIS 25113: Intelligent transport systems -- Communications access for land mobiles (CALM) -- Mobile wireless broadband using high capacity spatial division multiple access (HC-SDMA)

ISO/CD 29281: Intelligent transport systems -- Communications access for land mobiles (CALM) -- Non-IP communication mechanisms

ISO/CD 29282: CALM Applications using Satellite

ISO/CD 29283: CALM - Mobile wireless broadband using HC-SDMA

ISO/TS 16949: Quality management systems -- Particular requirements for the application of ISO 9001:2000 for automotive production and relevant service part organizations


A.5 Preparatory document of Validation / Final Workshop

A.5.1 Invitation of Validation Workshop

A.5.2 Agenda Validation Workshop

A.5.3 Project Incentive Paper

A.5.4 Invitation of Final Workshop

A.5.5 Agenda Final Workshop