Critical infrastructure, critical vulnerability

Blogs
(Source: Stockfresh)

27 February 2014

There is a story on the BBC News web site that tells how energy distribution companies in the UK have been denied insurance against cyberattacks.

It is not uncommon for companies to look to insure infrastructure, such as power networks, mobile phone towers and even water piping. Often a consortium of insurers come together to break up the deal in a process known as re-insurance.

However, the issue identified in the BBC News report is not the nature of the infrastructure for which cover is sought, but rather the fact that the cyberdefences of the companies in question are not up to scratch.

To assess whether the insurance could be provided against cyberattacks, vulnerability testing was carried out and the companies were found to be lacking. The attitude of the insurance providers was, unsurprisingly, that they did not want cyberattack insurance to be a justification for poor cyberdefences.

Now, this raises a very important point, and one which is highly relevant to Ireland. Huge efforts have been made in this country, from legislation and tax measures to infrastructure and connectivity, to attract large multinational technology companies to these shores, to establish operations bases, research and manufacturing facilities or data centres (DC).

There is a veritable roll-call of top technology companies here now employing a large number of people, and despite what some might say, contributing greatly to our still fragile economy.

However, if this, and the data centre side of things in particular, is to be further developed, there is a critical issue that must be faced. How well would our national critical infrastructure stand up to cyberattack?

If our national energy, water and connectivity network organisations were assessed for cyberattack insurance, as has been done in the UK, would a consortium of insurers be happy to take on the risk?

I think not.

Several internationally prominent security experts in this country have brought to the attention of successive governments the need for greater cyberdefences for critical national infrastructure, largely to no avail.

Despite pointing out that the consequences of a crippling cyberattacks on national critical infrastructure could potentially ruin Ireland as a site for data centres, almost nothing has been done on this front.

This is a particular pity because all of the expertise necessary to implement these proposed cyberdefences resides here.

As yet, there has not been a major attack on a nation’s critical infrastructure, but one cannot expect that to remain the case for long. In the US, power companies shave started sharing information on attacks have cooperated to develop standards for IT as basis for defence. But as the increasing vulnerability of SCADA systems is revealed, coupled with the adoption of intelligent metering and instrumentation for critical infrastructure networks, now is the time to act.

Critical infrastructure is just that: critical. We cannot afford to be the cautionary tale for the world on the need for critical infrastructure protection.

Read More:


Back to Top ↑

TechCentral.ie