Chapter 3 - Crime Areas

3.8 Vulnerabilities of critical infrastructure - Overview

As EC3 is not directly mandated to assess the vulnerabilities of critical infrastructure, it is not a core competency of Europol. However, since it is an area that can directly impact upon the work of EC3’s three Focal Points, it is considered important to provide an overview of these vulnerabilities as well as relevant developments and potential new attack vectors for cybercrime.

Critical infrastructure refers to physical and virtual assets or systems which, if disrupted or destroyed, would have a significant impact on safety, security, public health, the economy or social well-being of people [127]. European Critical Infrastructures (ECI) are defined as critical infrastructures located in Member States (MS), the disruption or destruction of which would have a significant impact on at least two Member States, or a single MS if the critical infrastructure is located in another Member State [128].

Important additional aspects of critical infrastructure are cross-sector dependencies and cascade effects, which mean that an outage in one critical infrastructure sector may have an impact on other sectors. This is particularly true for the energy sector as it supports other critical infrastructures such as transport, health and ICT.

A large part of critical infrastructure, including energy, water treatment or transport, is controlled, monitored and operated by Industrial Control Systems (ICS)/Supervisory Control and Data Acquisition (SCADA) systems as well as Automatic Identification System (AIS) tracking systems.

These systems, which used to be accessible only internally, have gradually become more accessible remotely via the Internet. While increased interconnection, integration, remote control and the use of open software standards and protocols [129] make critical infrastructure easier to operate, they also make it more vulnerable to cyber-attacks, for instance by compromising wireless access points or by distributing infected USB keys around facilities. Consequently, cyber threats are becoming a core challenge for the operators of critical infrastructure because, especially with cascade effects, a well co-ordinated cyber-attack could cause far more damage than a physical attack. The challenge is further compounded by the fact that a number of these monitoring and control systems are poorly protected, as most of them were designed at a time when Internet connection was not envisaged [130], [131], or they run on software that has reached end-of-life, such as Windows XP [132]. Moreover, the use of open standards may pose additional risks as it is easier for criminals to identify potential vulnerabilities. However, this must be counter-balanced against the time it may take to detect and patch vulnerabilities in proprietary software. The risk of a remote, malicious attack became apparent when Stuxnet [133] was used to target control systems for nuclear centrifuges. The possibility of such cyber-attacks poses an increasing threat to EU critical infrastructure [134]. According to a recent study among critical infrastructure operators, specialists and vendors, the overwhelming majority of respondents believe it is not a matter of if – but when – there will be a cyber-attack of major significance and impact on critical operational infrastructure [135].

With the Internet of Everything we see new forms of critical infrastructure emerging, for instance in the form of smart grids, smart cars, smart homes or smart cities. An area of concern, for example, is the growing use of smart metering and smart grids that enable utility companies to measure energy consumption more accurately. These smart meters can be manipulated to send false information or report incorrect billing identities, resulting in substantial economic damage [136]. The necessary tools are readily available on the Internet. The meters may also be used as an attack vector against the operator of the critical infrastructure, since these devices are connected with the utility company in some way. Moreover, the cycle to update or change smart devices can be costly and time-consuming.

The potential impact of organised crime, as well as of state-sponsored cyber-attacks or cyber-attacks by terrorist or extremist groups, in this area is significant. Any cybercrime approach can be used by other actors as well. The key message is that while the motivations among the various actors in cyberspace differ, the methods employed are, to a large degree, very similar and often they are the same [137], [138].