Swedish Defence Research Agency

29 August 10:50

Risks with online societal services

Critical societal services are often dependent on information technologies to function effectively. Many of them are vulnerable to cyberattack via Internet connections.


Screenshots from the two Internet services Censys and Shodan. The search results have been edited.

Electric power, transportation, and health care are examples of critical societal functions that are dependent on information technologies to function effectively. When these are connected to the Internet, they are exposed to cyberattack for a variety of reasons. Today, Internet services such as Censys and Shodan also enable external actors with little technical expertise to find and interact with sensitive information technologies and inflict major damage. Electric power is easily the most exposed sector.

“We identified fifty or so components that affected industrial information and control systems and that could be attributed to specific organisations in Sweden,” says Hannes Holm, Senior Scientist at FOI’s Division of C4ISR (Command, Control, Communications, Computers, Intelligence, Surveillance and Reconnaissance), in Linköping. “If we also include those hits that can’t be attributed to a specific organisation, the number is significantly greater.”

The study categorised Internet-connected components for various critical societal functions in Sweden according to the purposes they might have, such as in control systems, office systems, and communications equipment. The work was conducted with the help of organisational keywords, technical keywords, and geodata, as well as information from Shodan and Censys.

According to Hannes Holm, there is no reason to allow sensitive components to be directly accessible on the Internet.

“All organisations that are responsible for critical societal components should think about how these are connected,” he says. “An important future task to reduce the number of critical systems connected to the Internet is to spread information about the risks with Internet-connected components, and to produce guidelines for how these can be securely connected to an operation’s other systems.”


FOI – Research for a safer and more secure world.

FOI’s core activities are research, methodology/technology development, analyses and studies.

FOI is an assignment-based authority under the Ministry of Defence.