Security of critical national infrastructure (CNI) is a key concern the world over, and not for nothing. Large infrastructure such as electric grids and water, oil and gas networks is vulnerable to hackers. If any of these CNI systems is hacked into, it can cripple the functioning of a country for days together. Therefore, critical infrastructure security becomes a necessity.
With most critical infrastructure driven by information systems, this CNI is mainly controlled by SCADA systems which use protocols that rely on the TCP/IP suite to communicate with the control center. SCADA systems are used for monitoring and controlling processes in critical infrastructure such as the power grid, oil and gas. To create awareness about critical infrastructure security in CNI, C-DAC Mumbai along with IIT Gandhinagar and City University London recently organized an Indo-UK workshop in Mumbai.
The common refrain at this workshop was the lack of standards, policies, regulation or compliance for critical infrastructure security. Speaking at the session, Professor M Rajarajan from the City University of London observed that since protection of CNI is a nascent topic, it's difficult to come up with standards and policies for critical infrastructure security. "What is applicable to the power sector may not be applicable to oil and gas. You also have to look at the interoperability between different security and industry standards. A cyber attack or security incident on CNI can have a cascading effect. Therefore, we need standards for critical infrastructure security in order to isolate an affected point from other critical systems," he added.
When it comes to private companies that own such infrastructure, it is imperative that they incorporate critical infrastructure security in their organizational security policy. "Most CIOs are unaware about defining policies in this regard, since it can only be defined on known knowledge—lacking in this case. But companies need to start somewhere on the critical infrastructure security front, understand threats from different areas, and define policies," Rajarajan said.
SCADA systems and critical infrastructure security
In recent years, supervisory control and data acquisition (SCADA) systems have been integrated with corporate business systems for operational efficiencies, a practice which has increased the security risk and the scale of loss. "Sometimes, a SCADA system operates in remote areas accessible only through satellite connectivity. How does one provide secure access and protect from malicious attacks?" asked Zia Saquib, the executive director of C-DAC. Cryptography, firewalls and IDS/IPS are some of the solutions being used to address these concerns. In this direction, C-DAC has launched three solutions for critical infrastructure security. It has launched a secure two-factor authentication solution, STAR, along with GYAN (a network intrusion prevention appliance to protect critical networks from malicious attacks).
The workshop identified behavior detection technology and geo-encryption as the latest technologies used for critical infrastructure security. In the case of geo-encryption, a user not only requires the key, but also needs to be physically present at the location. Rajarajan said that British Telecom and the Centre for Protection of National Infrastructure (CPNI) are involved in a project to develop visualization tools that will use existing threat data in the open domain to understand patterns of clusters and attacks, so that such attacks can be thwarted.