A decade ago it was normal practice to control critical infrastructure, such as dam spillways, water and sewerage systems or electrical power distribution systems, using closed computer systems. When it was cold in a building, a caretaker would go down into the basement and turn a wheel. And thirty years ago we locked our cars and prison gates using keys, and took money out at the bank. Today all this is done using systems accessed via the Internet or handheld devices. This is cheaper and more flexible but it opens up new possibilities for hostile hacking. Scientists at FOI talk about attacks on three levels.
The first level relates to attacks directed against Sweden as a nation. If it is possible for someone in cyberspace to knock out power distribution systems or water supplies, there is the question of how long the community can keep going. The second level is economic, such as car theft or property break-ins. The third level relates to purely mischief attacks, for example when hackers break into an IT system just to show that they can.
On assignment from the Swedish Civil Contingencies Agency (MSB) and as part of the technical platform NCS3 for the SCADA programme for increased security in industrial information and control systems, FOI operates a centre of expertise in order to build a high level of competence in protecting state facilities and infrastructure vital to the functioning of society against cyber attack. This involves both monitoring cyber warfare techniques being developed by potential adversaries and, above all, raising the level of our own ability to withstand such attacks.
Our scientists are keeping pace with those who are developing new forms of attack but the problem is accelerating as all kinds of businesses and public bodies become increasingly connected. In areas such as drinking water supply and electrical power distribution we are well aware of the risks. But in the case of properties where locks, alarms and control systems are now accessed via the Internet, there is still a lot to be done. The same applies to vehicles with keyless locking systems. These systems have been designed as a selling point, not as a means of providing fully secure locking. The question here is: if I can get in, who else can get in?
The NCS3 work is primarily strategic and is aimed at raising the levels of awareness and capability, together with cooperation and information sharing, as well as providing support for those engaged in implementing practical measures for improving the security of industrial control systems. FOI has long experience of working on these problems from a total defence perspective. This experience is combined with deep technical expertise and a tradition of working on matters that need to be handled with strict confidentiality.
FOI is currently developing a cyber-physical city model in order to be able to illustrate for visitors the societal effects of a cyber attack. This can, for example, give a good understanding of downstream effects by demonstrating how the disruption of electrical power supplies can mean loss of water supply, breakdown of healthcare facilities and traffic chaos which in turn prevents first responders and repair teams from getting through.