29 August 2017

Risks with online societal services

Critical societal services are often dependent on information technologies to function effectively. Many of them are vulnerable to cyberattack via Internet connections.


Screenshots from the two Internet services Censys and Shodan. The search results have been edited.

Electric power, transportation, and health care are examples of critical societal functions that are dependent on information technologies to function effectively. When these are connected to Internet, they are exposed to cyberattack, for a variety of reasons. Today, Internet services such as Censys and Shodan also enable external actors with little technical expertise to find and interact with sensitive information technologies and inflict major damage. Electric power is easily the most exposed sector.

“We identified fifty or so components that affected industrial information and control systems and that could be attributed to specific organisations in Sweden,” says Hannes Holm, Senior Scientist, at FOI’s Division of C4ISR (Command, Control, Communications, Computers, Intelligence, Surveillance and Reconnaissance), in Linköping. “If we also include those hits that can’t be attributed to a specific organisation, the number is significantly greater.”.

The study categorised Internet-connected components for various critical societal functions in Sweden according to the purposes they might have, such as in control systems, office systems, and communications equipment. The work was conducted with the help of organisational keywords, technical keywords, and geodata, as well as information from Shodan and Censys.

According to Hannes Holm, there is no reason to allow sensitive components to be directly accessible on Internet.

“All organisations that are responsible for critical societal components should think about how these are connected,” he says. “An important future task to reduce the number of critical systems connected to Internet is to spread information about the risks with Internet-connected components, and to produce guidelines for how these can be securely connected to an operation’s other systems.”