ISSN 2330-717X

Critical Infrastructure Security In Information Age: Present Issues And Future Opportunities – Analysis


Critical infrastructure protection is quickly becoming a field of enormous focus and importance. As open and freely available information in the hands of malicious individuals and private entities becomes more prolific, it is ever more important to build a comprehensive strategy to deal with these issues at the private and enterprise level. The aim of this research is to collect current news and data (where applicable), to give an overview of the current state of the industry and to try to predict where it will be heading in the future. It uses openly accessible data points, such as well-known newspapers and blogs available to the average reader, so that this document can serve as an introduction for the layman who is new to the world of cyber security threats and does not have time to “waste”.


Critical infrastructure is defined as infrastructure that is critically important to the functioning of a country and/or organization. These entities would be directly affected if the infrastructure came under attack or were rendered ineffective for any of a variety of reasons. Critical infrastructure protection (CIP) is the field in which the causes and effects of critical infrastructure attacks and vulnerabilities are recorded and studied, usually by concerned governments or individuals1. To understand how to focus on the many different and constantly evolving forms of critical infrastructure attack, their causes, effects and responses, the definition and scope of CIP and the available attack surfaces must be clarified for the purposes of this article.

Types of Critical infrastructure vulnerabilities

Critical infrastructure is defined by its importance to a country or government, as it is the part of the infrastructure that is essential to its functioning. Any attack on or disruption of these services would cripple the governments or countries reliant on their stability. These services and functions span a wide range of areas, of which this paper covers the following: manufacturing, agriculture, telecommunication, energy, water, gas, transportation, internet-connected services and internet connectivity2.

Figure 1: Critical infrastructure and its interdependencies

The Domino Effect and the Hidden Black Swan

For the purposes of this paper it is important to treat critical infrastructure as software based, since the information age has interconnected many databases and critically needed services with each other and made each reliant on the others3. This has brought to attention a significantly chaotic phenomenon known as cascading system failure or the “domino effect”, under which multiple interconnected and interdependent systems can suffer blackouts or brownouts under extremely heavy stress and load4. Under network theory, it is understood that attacking several of the nodes most important for efficient data dissemination slows the rate at which data flows through the network considerably, which leads to longer waits for the information required. Infrastructure that needs information to be constantly on hand or available on demand would suffer greatly, and trust in these critical dissemination points would fade5. Loss of trust of this kind can be the cause of many disruptive behaviours, as seen recently when trust in governmental systems (incidents such as the Ferguson6 and London7 riots), financial systems (the global financial crisis8 and the resulting Occupy Wall Street9) and power systems10 broke down (unrest in Balochistan, Pakistan, might lead to civil unrest and the breakdown of control over normal operating procedures11).
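The domino effect described above can be made concrete with a small load-redistribution model. The following is an added example written for this page, not code or data from the article or its sources: the network, the loads and the spare-capacity tolerance are constructed for illustration. Each node (a substation, exchange or data centre) carries a load and has a capacity of (1 + alpha) times its initial load; when a node fails, its load is shed equally onto the neighbours that still stand, and any neighbour pushed above capacity fails in the next round. The same graph survives the loss of its hub when alpha is generous and collapses completely when alpha is tight, and with tight alpha even removing the smallest leaf node takes the whole network down.

```python
"""Load-redistribution model of a cascading failure ("domino effect")
in an interdependent infrastructure network.

Constructed example: nodes, loads and tolerance are assumptions for
illustration, not figures from the article.
"""
from collections import defaultdict


def build_undirected(edges):
    """Adjacency sets for an undirected graph given as (u, v) pairs."""
    adj = defaultdict(set)
    for u, v in edges:
        adj[u].add(v)
        adj[v].add(u)
    return adj


def cascade(edges, initial_load, alpha, initial_failures):
    """Simulate a cascade.

    edges            -- list of (u, v) links
    initial_load     -- dict node -> load carried in normal operation
    alpha            -- spare-capacity tolerance; capacity = (1 + alpha) * load
    initial_failures -- nodes knocked out by the initial attack

    Returns (failed_nodes, rounds) where rounds lists, per round, the
    nodes that failed in that round (sorted for reproducibility).
    """
    adj = build_undirected(edges)
    load = dict(initial_load)
    capacity = {n: (1 + alpha) * ld for n, ld in initial_load.items()}
    failed = set()
    rounds = []
    failing = set(initial_failures)
    while failing:
        rounds.append(sorted(failing))
        for node in sorted(failing):
            # Shed the failing node's load onto neighbours that are still up.
            survivors = [n for n in adj[node]
                         if n not in failed and n not in failing]
            if survivors:
                share = load[node] / len(survivors)
                for n in survivors:
                    load[n] += share
            load[node] = 0.0  # load is lost if no neighbour can take it
        failed |= failing
        # Anything now above capacity fails in the next round.
        failing = {n for n in load
                   if n not in failed and load[n] > capacity[n]}
    return failed, rounds


# Constructed network: a hub H feeding four nodes, two side links, one leaf E.
EDGES = [("H", "A"), ("H", "B"), ("H", "C"), ("H", "D"),
         ("A", "B"), ("C", "D"), ("D", "E")]
LOADS = {"H": 4.0, "A": 2.0, "B": 2.0, "C": 2.0, "D": 2.0, "E": 1.0}


def collapse_fraction(alpha, initial_failures):
    """Fraction of the constructed network lost after the cascade settles."""
    failed, _ = cascade(EDGES, LOADS, alpha, initial_failures)
    return len(failed) / len(LOADS)


if __name__ == "__main__":
    for alpha in (1.0, 0.25):
        for target in (["H"], ["E"]):
            failed, rounds = cascade(EDGES, LOADS, alpha, target)
            print(f"alpha={alpha:<4} attack={target}: "
                  f"{len(failed)}/{len(LOADS)} nodes lost, rounds={rounds}")
```

With alpha = 1.0 the loss of H is absorbed by A to D and the cascade stops after one round; with alpha = 0.25 the same attack takes out A to D in the second round and E in the third, and removing only E overloads D, then H and C, then A and B. The tolerance, not the attacker's choice of node, decides whether the failure stays local.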

Black swans are events or incidents that brew unnoticed beneath the surface; they are understood to be unpredictable by conventional means, and their impact depends on the observer12. Unexpected events such as the financial crisis of the 1930s, the financial crisis of 2010 and other events with far-reaching and indiscriminate impact on interdependent, fragile systems all had precursor incidents in which their “black swans” were being cultivated, eventually leading to situations of immense chaos and loss of system integrity that foreshadowed major financial and political losses13.

Much of the information that governments base their decision-making on depends on interconnected, internet-based networks14. These in turn rest on critical information security protocols and communication technologies such as OpenSSH, SSL/TLS15 and operating system security, and in places on unencrypted and unpatched versions of software; many of these critical services carry government-mandated backdoors and/or are built from software components that do not or cannot update as new security issues and their fixes become available16. The imitation that followed the publicizing of the NSA's surveillance strategies might lead to these backdoors being compromised on a wide scale by privately motivated individuals, as the same backdoors sit in software used by both critical infrastructure and consumer-grade devices.

Focus on these vulnerabilities and critical structures is essential because, following recent action on cyber warfare and cyber resilience by western governments, the intelligence-gathering operations of the NSA17 and other entities throughout the world18 have gained public interest and traction and have revealed hidden vulnerabilities in even the most secure internet-facing infrastructure19. The publicizing of these strategies and actions through the Snowden20 leaks has led to internet-wide speculation about, and copying of, the techniques used by the NSA21. It has in turn led countries and organizations to adopt a stricter stance against cyber warfare related activities, much of which has met resistance from individuals who have either been affected or perceive it as a threat to their personal liberties22.

The evolutionary pattern

The behaviour and cultural phenomena that fuel such actions on the part of malicious individuals and private organizations seem to stem from an evolving method of warfare known as open source warfare, even though most of the individuals contributing to it seem unaware that they may be fuelling a larger problem by creating small ones23. Low-intensity, low-cost/high-impact attacks are favoured by individuals who lack the military or technological might to counter adversaries such as nation states or giant corporations that hold an excessive amount of offensive force24. Striking such adversaries by circumventing their safeguards and systems is therefore one of the most effective ways in which individuals or private entities can attack and defend against exceptionally capable foes25.

This very thinking is currently permeating the internet-connected world: how to attack, and how to defend against attacks, that target previously unknown attack surfaces26. Zero-day exploits (0day) have already caused exceptional financial damage, not to mention intelligence and stability failures, across various systems and countries27. Among the most recent attacks were those on the IRS and OPM offices and their databases, which were essentially running outdated software28 and hardware with well-known exploits29. Similarly, energy30 and communication31 infrastructure targets are being consistently attacked32, most of them through software rather than hardware. The advent of the Flame and Stuxnet viruses should have been a wake-up call for critical infrastructure software manufacturers, but has yet to show effective results in new products33.

Software side critical infrastructure vulnerabilities

Critical infrastructure hardware runs on specialized fault-tolerant software that has recently been developed in ways that are supposed to make it secure from ordinary infection threats, but which is usually based on well-established yet old foundations such as COBOL34 and basic C. It is also supposed to monitor any and all changes in the system; it does this with a range of software products that fall under the term SCADA (Supervisory Control and Data Acquisition). As most of it is embedded in hardware, updating it is seen as a nuisance and a risk: management see the chance of a bad update crashing important processes such as manufacturing or basic security operations as the bigger issue.

Figure 2: Issues relating to software vulnerabilities

As early as 2004 there was talk of effective attacks on SCADA software (a category of software that critical infrastructure widely uses) and of their effects on the manufacturing, energy and transportation sectors. In 2007-2008 these threats prompted many warnings that went unheeded by industry professionals, who decided that they were not worth being concerned about35. The result was that malicious actors and reverse engineers were able to give extensive attention to high-value systems that remained unsecured for quite some time. This created an environment in which vulnerabilities in the software running critical infrastructure for entire organizations and countries were available in the wild, and exploits and hacks for them appeared on the black market as well as in open source implementations36.

It is not inconceivable that a cyber attack will in future be accompanied by a physical attack, and it is very much a possibility that individual devices, thanks to the BYOD (bring your own device) craze in corporate life, become a gateway to such attacks37. Policies for bringing personal technology into the office need to be revamped, as many vulnerabilities enter through insecure contractors and their implementations. It is also because of those contractors that it becomes imperative to revamp the legislation governing who may become a contractor involved in critical infrastructure implementation.

Although the manufacturing, energy and agriculture industries are critical infrastructure, or based on it, in any modern economy, other services such as banking, internet connectivity, transport networks and even applications made by these industries would also be considered part of critical infrastructure. Cascading system failures can be initiated by malicious parties who compromise critical systems at several junctions and cause total collapse even in the most well-guarded and mitigated systems. Attacks on power plants and energy distribution nodes could be physical as well as cyber and would cause immense chaos, as they would directly bring down communication and emergency services. Nation state actors could be responsible for such actions, as has been seen with Stuxnet and Flame, where the malware had the potential to destabilize entire countries but was only reined in by its operators' intentions. It is also widely believed that Stuxnet was only detected because its operators ordered it to conduct activity that was very noticeable to anyone paying the slightest attention to the centrifuges and the Siemens SCADA command and control system.

Agricultural and manufacturing industries could face similar attacks in nations where comparative or absolute advantage in the export of goods and services from certain industries is the backbone of the economy. Countries such as Japan, the Philippines, South Korea and China, for example, all base a large part of their exports on technical and manufacturing innovation. Under the guise of cyber warfare by a nation state or an individual, their facilities could be attacked by a virus similar to Stuxnet or Duqu and bring the entire globalized JIT (just in time) system to a halt, as was demonstrated by the worldwide hard drive and car shortage after the 2011 floods disrupted manufacturing and transport in Thailand38.

This could serve as the start of an attack designed to “soften” the target, creating chaos that pushes governmental and military institutions near their coping capacity, followed by direct or indirect kinetic warfare such as fomenting a revolution or a full-blown pre-emptive military strike by one overly aggressive nation on another39. History shows that attacks such as those conducted by APTs (advanced persistent threats) are used to gather intelligence and sensitive data; this could be read as a nation state gearing up for a future conflict in which it believes the information gathered will be of use to it40.

Current issues facing the industry

Governmental secrecy, and attempts to subvert political processes by reducing the transparency through which those processes are enacted, at home or in other countries, are exactly what started the cyber arms race in the 1990s; its effects are still being felt today as issues such as the Heartbleed41 vulnerability and others come to light. While the NSA and its sister organizations were merely trying to do their jobs as they understood would help protect their country, the effect has been to give a new level of sophistication to individuals and organizations that use cyber vulnerabilities to their advantage42.

While this could easily be blamed on the Snowden leaks, that would not be altogether true. Rumours of such activities by these organizations were widespread for at least a decade before the revelations came to light43; cyber arms bazaars already existed, and the sale and purchase of exploits in them was led by individuals from the cyber security divisions of many countries44. Publicly, cyber warfare had not yet made its debut on the big stage, but various white and grey hat hackers had consistently warned about the proliferation, among individuals and organizations, of vulnerabilities in various services, operating systems and products which, used properly in conjunction with each other, could create chaos within an interdependent networked infrastructure such as a country or an organization45.

Legislation, Atmosphere and Incentives

The focus on software-based solutions in large industries needs to take into account that the software in question must be constantly updated and monitored for issues arising from changes in technology and the evolution of security protocols and policies. One of the most important ways this gets done is independent research by non-affiliated individuals, usually called “security researchers”. These are individuals with the skill to understand the intricacies of software and hardware and their interactions, and thus to find situations in which systems, and the software running them, can be pushed out of their secure state and/or made to give up the information they are processing. At its core, what security researchers do can be considered “hacking”, as the tools and techniques they use are the same ones cybercriminals use. It is important to note here that most “hackers” can be divided into three subgroups: “white hats”, “grey hats” and “black hats”.

Security researchers usually fall into the white and grey hat categories, though some are black hats as well. While there is a lot of excited confusion over what these individuals do and how they achieve it, in recent times their work has not been met with positive reinforcement. In many countries, research into cyber security and public disclosure of vulnerabilities may become harder to do.

Countries such as India46, Pakistan47 and the United States48, and most of the European Union, have consistently regressive policies when it comes to vulnerability research and disclosure49. The issues in question fall under the following headings:

Figure 3: Complex inter-related issues affecting the future of cyber security

United States:

The United States has an extremely complicated history with hacking, vulnerability analysis and disclosure. Some of the laws it has recently passed regarding whistleblowing seem to directly affect how security researchers do their jobs and conduct research50 51 52.

The United States is the reason for the creation and existence of the internet as it is today: it started as a defense project, and most of its critical components still exist under United States jurisdiction and/or control. The US is also looked to as the deciding factor in how the future of the internet is shaped. Recently the FBI detained a researcher who, on board a plane, tweeted to the world about the inherent vulnerabilities in the type of airplane he was flying on. What was most shocking was that he had approached all the proper authorities and the airplane manufacturers themselves about his findings over the past decade and had been summarily ignored. As soon as he decided to go public, he was detained at a crossing point and his gear confiscated while he was questioned for four hours.

This had been foreshadowed by independent researchers who found vulnerabilities but were unable to disclose them securely and in confidence to the company in question; fearing legal reprisal, they have had to use intermediaries for this53. Their research means that they continually have to attack software, reverse engineer it and bypass its safeguards to find or create vulnerabilities in the software implementation.

With the Wassenaar Arrangement's amendment to include intrusion software, and the resulting effective ban on such software, companies that deal in intrusion software exports increasingly face tight regulation. Their answer seems to be to shift their businesses into areas or countries that do not have such tight controls on these practices54. The DMCA stays in effect, under which individuals can be prosecuted for trying to get around encryption built into products, as well as for the intention to create exploits55.

Directives such as this are one of the forces pushing parts of the world, and the United States itself, towards creating “intranets” and limiting the global reach of the internet to and from their geographical borders56. The limitation of internet access to and from the country and/or its allies seems to be on track under the TPP, which affects various trade agreements as well as internet-related privacy concerns, where signatory countries would have to agree on an equal basis to handle internet privacy related queries and legal actions57. This has the potential to create legal areas where laws accepted and passed in the USA could be forced onto TPP signatory countries, with little legal recourse for the affected parties except dealing with intermediaries and/or arbitration personnel58.


European Union:

The EU has initiated a framework under which the creation and use of hacking tools is a crime; while this seems to be aimed at stopping cyber attacks, it in fact has consequences for white and grey hat hackers59 60. People using such tools are not always doing so maliciously, but they may be doing so without proper authorization or permission from the company in question. This is especially true in car firmware security, where the automakers are reported to be creating easily exploitable software for their “internet connected” cars61.

The EU has also been known for its liberal interpretation of issues such as internet privacy and personal privacy; until recently it has followed through with exceptional legal directives securing the rights of its citizens online and offline, one of the most famous recent cases being Google's “right to be forgotten”, where individuals and companies could ask Google to remove search results pertaining to themselves in light of bad publicity and personal privacy62. Although the EU countries are pushing for the “right to be forgotten” to be applied globally, their actions on internet privacy and activism may be affected by the oncoming TPP agreement, which might affect how local and international laws are interpreted and followed63.

Issues arising from these actions, the proliferation of malicious hackers and vulnerabilities, and the marginalization of the cyber class

Criminalizing such acts and tools would marginalize the individuals who are invested in both the protection and the attack of existing critical infrastructure. France's Vupen, which deals specifically in 0-day exploits, is already considering moving its headquarters to countries with a less regulated spectrum of cyber-related tools and weapons. This also creates a climate in which individual researchers who are simply researching for the purposes of academia and knowledge are targeted by interested parties such as the NSA and CIA, both of which have declared people creating “interesting content” to be of interest to them whether or not they are doing anything illegal64. This could leave researchers in a repressive atmosphere of constant scrutiny: they could face travel65 and employment66 restrictions that bar them from potential sources of information, career advancement67 or the liberty to leave their chosen fields or professions if they choose to68. That in turn would disincentivize them from wanting to be part of the “bigger picture”; as they are marginalized, they might turn to illegitimate sources that value their skills and accomplishments more than the “legal” world does. The other side of the coin is that these researchers leave for “brighter pastures” where legislation does not hinder them from doing their work as comprehensively as they see fit69.

This has the potential to create a rift between countries and even regions, where one region might benefit from lax legislation on cyber security and cyber weaponry. The rift, however, will not be immediate; it would take a couple of decades to become obvious. Historically it has always been individuals who have contributed most to hacking techniques, as their unique mindset and exposure to a non-regulated or less regulated cyber world have taught them about building and dismantling systems. Creating an atmosphere in which a high-school student can go to jail for changing a desktop wallpaper will not do such individuals in the United States and other western nations any favours. These individuals will seek to hide their activities, and when regulation tightens enough for them to be legitimately afraid for their freedoms and rights, they may seek to emigrate to areas or countries that better recognize their talents.

Critical connection nodes such as transportation and communication rely on a constant stream of feedback from the systems they support; being attacked is part of their routine, and that feedback can be used to make them carry out their intended tasks better. This means they are meant to be red-teamed and tested for exploits and vulnerabilities; the inability, or sheer reluctance, of these systems and the commercial entities behind them to accept this may mean that important feedback never arrives and flaws are left to be found by either a malicious or a curious individual. Evidence for this can be found in various reports, the latest of which was showcased by NASA in its investigation of the Toyota cars that accelerated of their own accord. More and more solutions in car models are built in software rather than hardware or mechanical tools, and thus require security models and personnel able to account for the unexpected.

Car navigation systems, internal electronics and car control mechanisms all seem to contain crippling vulnerabilities, which private individuals are showcasing to the world. By following a practice of open disclosure, grey hat hackers seem to be having a positive impact on transport safety.

Similarly, airplane vulnerabilities are considered to be common and reachable by outside attackers, with significant consequences for the industry as well as for personal safety. Controlling aircraft through a spoofed air traffic control system was shown to be possible in a Defcon conference presentation, while airplanes' internal critical systems and subsystems seem to be vulnerable to direct manipulation over wired or wireless connections. This was demonstrated when a researcher simulated an attack while seated inside a vulnerable airplane and shared his discoveries with the world, getting himself taken off the plane at the next stopover and questioned by the FBI; he stated plainly that the security of airplane internal systems is nonexistent and a major incident is only waiting to occur.

This would leave countries and industries with official yet stagnating cyber security divisions, in which government and corporations have the final say on how cyber security legislation and exploits can be announced and which vulnerabilities are dangerous enough to be patched. While the centralized control structure would certainly help at the beginning, it would stagnate for lack of local competition. Other countries, on the other hand, would gain immense advantages in cyber offensive and defensive capabilities, allowing them to surpass the western world within a few decades. Any plan to nationalize internet traffic in order to curb cybercrime would eventually leave defenders blind to new developments where it matters; a dearth of skills in an industry where those skills are gained from individual interest and practice would create a fragile system in place of the current anti-fragile one.

Individuals recruited by official government agencies would not be paid well and would be heavily scrutinized because of their skill set70. This has the potential to create envy between individuals doing the same sort of job in different countries, which is something the United States and Europe currently face as individuals leave or emigrate to other countries with more accepting atmospheres for academic research71. Similarly, areas with low employment, or employment that does not match the skill level of a candidate, create an environment where illegal activities are more lucrative for the individual in question72.

The Future

The most critical issue is that the future of critical infrastructure protection and vulnerabilities will not be single-dimensional. Just as it is easy to automate the use of zero-day exploits one after another, it is easy to automate hitting multiple targets at the same time across multiple spectrums. Critical infrastructure such as power plants could easily be overwhelmed by an immense power draw from the grid, produced by a widespread attack that uses a zero-day exploit common to IoT (Internet of Things) appliances73. This could directly affect water, power, transport and communication networks simultaneously, and the most harrowing part is that it might not be the end but rather the beginning of an attack far more massive in scale.

Figure 4:How interdependent infrastructure of today can suddenly become vulnerable, as was with these cases

Groups such as Al Qaeda and ISIS have been slow to take up new technology-related exploits, but they seem to be catching up as time passes74. Both groups use internet-connected technologies to recruit individuals and disseminate their messages. ISIS in particular has been blamed for taking a French TV station offline and has been reported to be recruiting individuals with talents in cyber warfare and computer science75. It is not inconceivable that they will eventually become proficient enough to deploy narrowly targeted cyber attacks. SCADA vulnerabilities, transport network vulnerabilities, and the fragility of the globalized services sector and its reliance on interdependent centralized networks are well known and can easily be exploited by individuals with little or no knowledge of computer science or computer security.

The blame for these weak policies, however, lies squarely with industry and government-backed business practices, where safety and security were sacrificed for the sake of convenience and passive defense, while the overall level of security provided is limited to the point that agencies like the NSA feel able to progressively break communication secrecy76. Passive defense (i.e. security through obscurity and “don't fix what isn't broke”) and the fraudulent crippling of security capabilities are what led to the current state of chaos that is the field of information security today.

The data leaked by Edward Snowden and others seem to have kicked off a cyber arms race between security vulnerabilities, those fixing them and those willing to exploit them. Other than nation states, no truly malicious actor with advanced capabilities has yet come forth that targets multiple vulnerabilities on multiple platforms and uses them in conjunction towards a single goal. Issues such as vulnerabilities in SSL certificates, OpenSSH, HTTPS and basic operating system programs can be fixed in environments that allow and accept change; however, software embedded in hardware such as embedded computers, “connected devices” and devices that are part of the “Internet of Things” trend has trouble upgrading and can be considered “change resistant”.


Firms across the planet are coming up with various solutions to the problems of cyber defense and security in critical infrastructure; unable to patch the hardware and software in question directly, they focus instead on the ingress and egress of commands and data to and from the SCADA implementations. In this author's opinion it would be best for organizations to invest in all forms of cyber defense technology in this field while understanding that it is only a stop-gap measure. Cyber warfare capabilities will continue to be developed by nation states as well as individual actors.

  1. Rule-set based policies must be the first line of defense for the ingress and egress of information, along with strict firewall control. Manual control over critical command and control structures as well as SCADA systems should be a primary concern: cyber defenses and offenses can fail, and one mitigation technique is taking the entire system offline while still retaining control and monitoring capability.
  2. Restrict remote management to certain VPNs, certain ports and only certain hardware systems, while keeping systems from direct internet access and/or implementing customized private protocols, hardware and practices for access (customized protocols and hardware are known to be difficult to check for vulnerabilities, but
  3. Air-gapped systems alone are not enough for this; a rethinking of low-cost solutions needs to be done industry-wide. The primary examples of low-cost alternatives for SCADA systems are in Central America, Argentina and Brazil. Crowd-sourcing solutions through governments with the same priorities is important for future local self-reliance77.
  4. All of this falls under defense in depth and command and control restriction, but it depends on networking and control infrastructure that may already have been compromised under the current state of cyber warfare and vulnerabilities. Machines running affected protocols either need to be taken offline or have their software stacks updated.
  5. Education about cyber security and cyber defense of corporate executives who are dealing with or are planning to take critically important infrastructure online must be made mandatory. Personnel responsible for guarding and maintaining the infrastructure must be educated towards social engineering attacks. Looking into daily browsing habits and providing safe alternatives for their use and entertainment would go a long way in deterring Advanced Persistent threats (APT). A BYOD (bring your own device) policy would be a really easy way for attackers to target any company, lessening the attack surface would only serve to make it more difficult for an attacker therefore BYOD should be restricted where seen increasing the attack surface.
  6. Any institution going through a transitional or upgrade phase for software and hardware that is directly or indirectly linked to critical infrastructure or to processes/objects used in critical infrastructures and their implementation need to be red teamed as part of their compliance towards hosting such important services.
  7. Any organizations dealing with critical infrastructure implementation need to have either a rotating or permanent cyber security team, whose mandate should be separate from that of corporate, any service before being taken on or off the internet must be reviewed by the cyber security team beforehand. Constant blue-teaming exercises and implementations should become the norm of cyber-corporate culture.
  8. Contractors need to have limited access and should configure and/or implement new solutions through the company’s own systems; their personal devices should be limited and maybe banned from the premises. Removable media must be limited or non-existent and separate terminals with hardware antivirus’ are recommended for file transfers as they can limit any spread of infection from a contaminated USB. USB and other removable media transfers should be minimized and transfers be done through a monitored and controlled email and data transfer system that has been hardened on a regular basis by cyber security personnel the company employs.
  9. Open source alternatives to software solutions must be the aim of every corporation and cyber security team, creation and implementation of such tools would require some effort on the part of companies concerned. But it is in the interest of every organization to have a system where they do not need to wait for the vendor or organization who designed the system to sign off on an update if and when they deem it important.
  10. It must be an accepted idea that no company or system is invulnerable. Therefore a mitigation plan must be in place and must be practiced by cyber security personnel on a regular basis. Like a fire drill, it must encompass all essential personnel; low level personnel especially must be educated on how to prevent compromising their security and if compromised, know the bare minimum things to do including reporting it. Cyber security personnel, IT and executives should have regular meetings and if possible receive updates with cyber security risk registers. Advanced threat and infiltration modeling would expose single points of failure and may help with a failure of imagination by the
    individuals responsible for the security framework.
  11. Networks related to command and control structures should have honeypots running with customized directories and filenames, making exfiltration harder and costlier for the attacker. Easy to detect honeypots could be run in conjunction with more versatile, hidden and passive honeypots, creating a false sense of security for the more experienced hackers, while deterring the ―script-kiddies‖ and the less experienced.
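Points 1 and 2 above amount to a default-deny allow-list for the SCADA segment: only named hosts may speak the control protocol, nothing in the segment may reach the internet, and remote management is accepted only from VPN addresses. The following added example (not code from the article) audits a constructed flow log against such a policy and reports every flow the rule-set would deny, with the reason, so a blue team can check whether the firewall actually enforces the policy on paper. The subnets, hosts, ports and the log line format are assumptions made for this example.

```python
"""Audit connection records against a default-deny allow-list for a SCADA segment.

Added example, not code from the original article. The addresses, ports and the
flow-record format below are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed network layout (constructed).
OT_SEGMENT = ipaddress.ip_network("10.50.0.0/24")   # PLCs, HMIs, historian
VPN_POOL = ipaddress.ip_network("10.99.0.0/24")     # addresses handed to VPN users
MANAGEMENT_PORTS = {22, 3389}                        # SSH and RDP


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    dport: int


def rule(name: str, src: str, dst: str, proto: str, dport: int) -> Rule:
    return Rule(name, ipaddress.ip_network(src), ipaddress.ip_network(dst), proto, dport)


# The rule-set: everything not listed here is denied, for ingress and egress alike.
ALLOW_RULES = [
    rule("eng-ws-to-plc-modbus", "10.50.0.10/32", "10.50.0.0/24", "tcp", 502),   # one engineering workstation
    rule("historian-to-plc-modbus", "10.50.0.20/32", "10.50.0.0/24", "tcp", 502),
    rule("vpn-ssh-to-ot", "10.99.0.0/24", "10.50.0.0/24", "tcp", 22),            # remote management only via VPN
]


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


# Constructed flow-record format; adapt the regex to your firewall or NetFlow export.
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def parse_flow(line: str) -> Flow:
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    return Flow(m["ts"], ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]),
                m["proto"].lower(), int(m["dport"]))


def match_rule(flow: Flow, rules=ALLOW_RULES) -> Optional[Rule]:
    """Return the first allow rule covering the flow, or None (= denied)."""
    for r in rules:
        if flow.src in r.src and flow.dst in r.dst and flow.proto == r.proto and flow.dport == r.dport:
            return r
    return None


def deny_reason(flow: Flow) -> str:
    """Explain a denied flow in the terms of the policy points above."""
    if flow.src in OT_SEGMENT and flow.dst not in OT_SEGMENT:
        return "egress from OT segment"               # point 2: no direct internet access
    if flow.dport in MANAGEMENT_PORTS and flow.src not in VPN_POOL:
        return "remote management outside VPN"        # point 2: management only via VPN
    return "no matching allow rule"                   # point 1: default deny


def audit(lines) -> List[Tuple[Flow, str]]:
    """Return (flow, reason) for every record the rule-set would deny."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        flow = parse_flow(line)
        if match_rule(flow) is None:
            findings.append((flow, deny_reason(flow)))
    return findings


# Constructed sample records: two legitimate flows and three the policy should reject.
SAMPLE_FLOWS = """\
2015-10-07T11:54:42Z src=10.50.0.10 dst=10.50.0.15 proto=tcp dport=502
2015-10-07T11:54:43Z src=10.99.0.7 dst=10.50.0.15 proto=tcp dport=22
2015-10-07T11:54:44Z src=203.0.113.8 dst=10.50.0.15 proto=tcp dport=22
2015-10-07T11:54:45Z src=10.50.0.15 dst=198.51.100.20 proto=tcp dport=443
2015-10-07T11:54:46Z src=10.50.0.30 dst=10.50.0.15 proto=tcp dport=502
"""

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS.splitlines()):
        print(f"{flow.ts} DENY {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}  ({reason})")
```

Run against real firewall or NetFlow exports, a non-empty finding list means either the firewall is not enforcing the written rule-set or the rule-set is missing a legitimate flow; both are worth a ticket.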
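Point 11 describes passive honeypots built from customized directories and filenames: decoy files that no legitimate process should ever open, so any access to them is a high-confidence signal. The added example below (not code from the article) plants a small set of decoys, records their SHA-256 digests so tampering can be detected, and scans a constructed file-access log for reads of the decoys by anyone other than the integrity checker. The decoy names, the log line format and the uid allow-list are assumptions; map the regex to the auditd or EDR output you actually collect.

```python
"""Plant decoy files and detect access to them in a file-access log.

Added example, not code from the original article. Decoy names, the log format
and the allowed uids are constructed for illustration.
"""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Set, Tuple

# Decoy layout (constructed): names chosen to look valuable to someone hunting for exfiltration targets.
DECOY_LAYOUT = {
    "backups/plc_configs_2015.bak": b"decoy: no real configuration here\n",
    "network/vpn_site_to_site.conf": b"decoy: no real credentials here\n",
    "hr/contractor_badges.csv": b"decoy,no,real,data\n",
}

# Constructed access-log format: one open() per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) uid=(?P<uid>\d+) pid=(?P<pid>\d+) exe=(?P<exe>\S+) op=(?P<op>\w+) path=(?P<path>\S+)$"
)


def plant_decoys(root: Path, layout: Dict[str, bytes] = DECOY_LAYOUT) -> Dict[str, str]:
    """Write the decoys under root and return {absolute path: sha256 hex} as a manifest."""
    manifest = {}
    for rel, content in layout.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
        manifest[str(p)] = hashlib.sha256(content).hexdigest()
    return manifest


def verify_decoys(manifest: Dict[str, str]) -> List[str]:
    """Return decoy paths that are missing or whose content changed since planting."""
    changed = []
    for path, expected in manifest.items():
        try:
            digest = hashlib.sha256(Path(path).read_bytes()).hexdigest()
        except FileNotFoundError:
            changed.append(path)
            continue
        if digest != expected:
            changed.append(path)
    return changed


def decoy_paths_for(root: str, layout: Dict[str, bytes] = DECOY_LAYOUT) -> Set[str]:
    return {str(Path(root) / rel) for rel in layout}


def detect_decoy_access(lines: Iterable[str], decoy_paths: Set[str], allowed_uids: Set[int]) -> List[dict]:
    """Alert on every open of a decoy by a uid that is not the integrity checker."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed record
        if m["path"] in decoy_paths and int(m["uid"]) not in allowed_uids:
            alerts.append({"ts": m["ts"], "uid": int(m["uid"]), "pid": int(m["pid"]),
                           "exe": m["exe"], "path": m["path"]})
    return alerts


def demo_plant_and_verify() -> Tuple[List[str], List[str]]:
    """Plant decoys in a temp dir, verify, tamper with one, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        manifest = plant_decoys(Path(tmp))
        before = verify_decoys(manifest)
        tampered = Path(tmp) / "hr/contractor_badges.csv"
        tampered.write_bytes(b"edited\n")
        after = [Path(p).name for p in verify_decoys(manifest)]
    return before, after


# Constructed log: uid 0 is the checker (allowed); uids 1042 and 1077 should never touch decoys.
SAMPLE_LOG = """\
2015-10-07T11:54:42Z uid=0 pid=801 exe=/usr/local/bin/decoy-check op=open path=/srv/eng/backups/plc_configs_2015.bak
2015-10-07T11:55:10Z uid=1042 pid=2214 exe=/usr/bin/scp op=open path=/srv/eng/backups/plc_configs_2015.bak
2015-10-07T11:55:11Z uid=1042 pid=2215 exe=/bin/cat op=open path=/srv/eng/README.txt
2015-10-07T11:56:02Z uid=1077 pid=2301 exe=/usr/bin/tar op=open path=/srv/eng/network/vpn_site_to_site.conf
"""

if __name__ == "__main__":
    for a in detect_decoy_access(SAMPLE_LOG.splitlines(), decoy_paths_for("/srv/eng"), {0}):
        print(f"{a['ts']} DECOY ACCESS uid={a['uid']} exe={a['exe']} path={a['path']}")
    print("integrity before/after tamper:", demo_plant_and_verify())
```

The value of this approach is its low false-positive rate: the only process that should ever read a decoy is the checker that hashes it, so everything else is an alert, and a changed digest shows the attacker altered or replaced the decoy rather than merely read it.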

The author suggests looking into unifying these technologies and methods, which would have the capacity to overcome weaknesses in any single line of defense. While this sort of thinking adds complexity compared with single-form systems, the hybrid approach would be able to stop simple attackers and raise the cost for advanced ones. The already existing vulnerabilities in these systems would need to be patched or controlled for, lest the defensive system itself be compromised to help the attackers, as was the case with Kaspersky78.

About the author:
*Ali Imran Malik holds an MSc in International Relations and an MSc in Oil and Gas Management, has worked in the tech field for 4 years while gaining certification in Linux and Cisco routers (CCNA), and is currently studying for the OSCP (Offensive Security Certified Professional) penetration tester course.


Reference List

  • Alastair Stevenson. “NSA Admits ‘Regret’ over Backing Dodgy Cryptography Standard.” Accessed August 7, 2015.
  • Anciaes, Paulo Rui. “Energy Price Shocks Sweet and Sour Consequences for Developing Countries.” Accessed March 17, 2014.
  • Atran, Scott. “A Failure of Imagination (Intelligence, WMDs, and ‘Virtual Jihad’).” Studies in Conflict & Terrorism 29, no. 3 (2006): 285–300. doi:10.1080/10576100600564166.
  • BBC. “England Rioters ‘Poor and Young.’” BBC News, October 24, 2011.
  • BBC News. “Edward Snowden: Leaks That Exposed US Spy Programme.” BBC News, January 17, 2014.
  • Bradely, Tony. “SCADA Systems: Achilles Heel of Critical Infrastructure.” PCWorld, June 17, 2011.
  • Bruce Schneier. “How to Remain Secure Against the NSA,” September 15, 2013.
  • “Brute-Force Cyberattacks against Critical Infrastructure, Energy Industry, Intensify.” Computerworld, July 2, 2013.
  • Buldyrev, Sergey V., Roni Parshani, Gerald Paul, H. Eugene Stanley, and Shlomo Havlin. “Catastrophic Cascade of Failures in Interdependent Networks.” Nature 464, no. 7291 (April 15, 2010): 1025–28. doi:10.1038/nature08932.
  • Chapple, Mike, and David Seidl. Cyberwarfare. Jones & Bartlett Publishers, 2014.
  • Chris Hoffman. “Hacker Hat Colors Explained: Black Hats, White Hats, and Gray Hats,” March 20, 2013.
  • Dara Kerr. “EU Increases Penalties for Cybercriminals and Hackers.” CNET, July 4, 2013.
  • DHS. “What Is Critical Infrastructure? | Homeland Security.” What Is Critical Infrastructure?, 2015.
  • Digital Rights Foundation. “Pakistan: New Cybercrime Bill Threatens the Rights to Privacy and Free Expression,” April 2015.
  • Dobson, I, Carreras B., A. Lynch, and D. E. Newman. “Complex Systems Analysis of Series of Blackouts: Cascading Failure, Critical Points, and Self-Organization.” Chaos: An Interdisciplinary Journal of Nonlinear Science 17(2), no. 026103.
  • Dough Drinkwater. “ISIS Hackers Take Control of French TV Station.” SC Magazine UK, April 9, 2015.
  • Elizabeth K. Kellar. “The Hard Work of Restoring Trust in Government,” November 5, 2014.
  • Elizabeth Weise. “Security Experts Take Aim at the Internet of (unsafe) Things.” USA TODAY, August 7, 2014.
  • Friedersdorf, Conor. “Michael Hayden’s Hollow Constitution.” The Atlantic, January 30, 2015.
  • Fuller, Thomas. “Pervasive Thailand Flooding Cripples Hard-Drive Suppliers.” The New York Times, November 6, 2011.
  • Gendron, Angela. “Critical Energy Infrastructure Protection in Canada.” Canadian Centre for Intelligence and Security Studies, December 2010.
  • Greenberg, Andy. “Hackers Remotely Kill a Jeep on the Highway—With Me in It.” WIRED, July 21, 2015.
    ———. “Shopping For Zero-Days: A Price List For Hackers’ Secret Software Exploits.” Forbes. Accessed August 18, 2014.
  • Griffiths, Shawn M. “Will The Trans-Pacific Partnership Threaten Net Neutrality?” Accessed August 7, 2015.
  • “Heart Bleed Bug,” n.d.
  • “Heartbleed Bug.” Accessed August 6, 2015.
  • James Gannon. “Wassenaar: Turning Arms Control into Software Control,” May 25, 2015.
  • James McFarlin. “ISIS Cyber Ops: Empty Threat or Reality? | SecurityWeek.Com,” September 26, 2014.
    ———. “The Malware Economy.” Heimdal Security Blog, June 23, 2015.
  • Jeff Stone. “TPP Trade Deal Would Curb Freedom Of Speech Online, Internet Activists Warn.” International Business Times, April 17, 2015. 1883780.
  • Jennifer Baker. “New EU Security Strategy: Sod Cyber Terrorism, BAN ENCRYPTION,” April 29, 2015.
  • John Blau. “Russia – a Happy Haven for Hackers.” ComputerWeekly, May 2004.
  • John C. K. Daly. “The Baloch Insurgency and Its Threat to Pakistan’s Energy Sector.” The Jamestown Foundation, March 21, 2006.
  • John Robb. “THE CHANGING FACE OF WAR: Into the 5th Generation (5GW).” Global Guerrillas. Accessed August 6, 2015.
  • Kenric Ward. “Transparently Bad: U.S. Whistleblowers Feel Blowback.”, September 11, 2014.
  • Kirkwood, Alan. “Discounting the Unexpected: The Limitations of Isomorphic Thinking.” Risk Management, 1999, 33–44.
  • Kris Holt. “Did U.S. Immigration Read This German Au Pair’s Facebook Messages?” The Daily Dot, June 13, 2013.
  • Lewis, James Andrew. “Assessing the Risks of Cyber Terrorism, Cyber War and Other Cyber Threats.” Center for Strategic a Nd International Studies, December 2002.
  • Little, Richard. “Controlling Cascading Failure: Understanding the Vulnerabilities of Interconnected Infrastructures.” Journal of Urban Technology 9, no. 1 (2002).
  • Long, Susan, and Burkard Sievers. Towards a Socioanalysis of Money, Finance and Capitalism: Beneath the Surface of the Financial Industry. Routledge, 2013.
  • Lucian Constantin. “Critical Vulnerability in NetUSB Driver Exposes Millions of Routers to Hacking.” Network World, May 19, 2015. routers-to-hacking.html.
  • Manjoo, Farhad. “Right to Be Forgotten’ Online Could Spread.” The New York Times, August 5, 2015.
  • Matt Brian. “Hackers Use Snowden Leaks to Reverse-Engineer NSA Surveillance Devices.” Engadget, June 20, 2014.
  • May 19, 2015.”Satellite Communication Systems Rife with Security Flaws, Vulnerable to Remote Hacks.” Network World, April 18, 2014. with-security-flaws–vulnerable-to-remote-hacks.html.
  • Mc Afee. “In the Dark: Crucial Industries Confront Cyberattacks,” 2011. infrastructure-protection.pdf.
  • Micheal German. “Why the FBI Needs To Protect Its Intelligence Whistleblowers.” Defense One, March 5, 2015.
  • Miller, Peter. Smart Swarm. HarperCollins UK, 2010.
  • Moteff, John. “Critical Infrastructures: Background, Policy, and Implementation.” Critical Infrastructures: Background, Policy, and Implementation. Congressional Research service, June 10, 2015.
  • Nicole Blake. “The Government’s COBOL Conundrum.” FedTech, June 2, 2014.
  • NIST. “Framework for Improving Critical Infrastructure Cybersecurity.” U.S. Department of Commerce, February 12, 2014.
    ———. “Framework for Improving Critical Infrastructure Cybersecurity.” April 8, 2015.
  • O’Neal, Payton. “Bugs Happen: Analyst Moderated Webinar on Bug Bounties.” Official @bugcrowd Blog. Accessed August 7, 2015.
  • Peerenboom, James, R. Fischer, and Ronald Whitfield. “Recovering from Disruptions of Interdependent Critical Infrastructures.” In Proc. CRIS/DRM/IIIT/NSF Workshop Mitigat. Vulnerab. Crit. Infrastruct. Catastr. Failures, 2001.
  • Presenter, With Liam Dutton C4 Weather. “Snowden Leaks: Undermining Security or Defending Privacy?” Channel 4 News. Accessed August 6, 2015.
  • Ramadan, Tariq. “Why I’m Banned in the USA.” The Washington Post, October 1, 2006, sec. Opinions.
  • “Red Team, Blue Team: How to Run an Effective Simulation | Network World.” Accessed August 19, 2015.–blue-team–how-to-run-an-effective- simulation.html.
  • Reifer, Tom. “Occupy Wall Street, the Global Crisis, and Antisystemic Movements: Origins and Prospects.” BOARDS AND STAFF, 2013, 186.
  • Robert, Benoit, Renaud De Calan, and Luciano Morabito. “Modelling Interdependencies among Critical Infrastructures.” International Journal of Critical Infrastructures 4, no. 4 (2008): 392. doi:10.1504/IJCIS.2008.020158.
  • Robert Graham. “Errata Security: Some Notes about Wassenaar,” May 27, 2015. about-wassenaar.html.
  • Robert Vamosi. “Detroit Crackdown Blocks Security Professional’s Entry into the U.S.” CNET. Accessed August 7, 2015.
  • Rose, Andrew. “The Internet of Things Has Arrived — And So Have Massive Security Issues.” WIRED, January 11, 2013.
  • Ryan Gallagher. “NSA Planned to Hijack Google App Store to Hack Smartphones.” The Intercept, May 21, 2015.
  • Singel, Ryan. “Watch Out, White Hats! European Union Moves to Criminalize  Hacking Tools.”  WIRED, April 6, 2012.
  • S, James, ers July 7, 2015, and 10:50 AM PST // jas_np. “How the Wassenaar Arrangement Threatens Responsible Vulnerability Disclosures.” TechRepublic. Accessed August 7, 2015. arrangement-threatens-responsible-security-vulnerability-disclosures/.
  • Soledad Vega. “Arstechnica: EU Plans to Destroy Net Neutrality by Allowing Internet Fast Lanes.” OpenMedia, June 30, 2015.
  • Springer, Kate. “British Tourists’ Tweets Get Them Denied Entry to the U.S.” Time. Accessed August 7, 2015.
  • Staff, SPIEGEL. “Spying Together: Germany’s Deep Cooperation with the NSA.” Spiegel Online, June 18, 2014, sec. International. than-thought-a-975445.html.
  • Stanage, Niall. “Feds Search for Ways to Impede ‘Cyber Bazaar.’” TheHill, March 15, 2015.
  • Symantec Inc. “Advanced Persistent Threats: How They Work | Symantec.” Accessed August 19, 2015.
    ———. “A Manifesto for Cyber Resilience,” November 24, 2014.
  • Taleb, Nassim Nicholas. Antifragile: Things That Gain from Disorder. Penguin UK, 2012.
    ———. “The Black Swan: Second Edition: The Impact of the Highly Improbable Fragility”. Random House Publishing Group, 2010.
  • The Economist. “The Digital Arms Trade.” The Economist, March 30, 2013.
  • “Top Official Admits F-35 Stealth Fighter Secrets Stolen.”Breaking Defense. Accessed August 19, 2015.
  • Trend Micro. “Report on Cybersecurity and Critical Infrastructure in the Americas.” Organizations of American states, April 2015.
  • Arkenberg, Chris. “John Robb Interview: Open Source Warfare & Resilience.” Boing Boing, June 15, 2010. Accessed August 6, 2015.
  • Vlad Tsyrklevich. “Hacking Team: A Zero-Day Market Case Study,” July 22, 2015.
  • Warren, Elizabeth. “The Trans-Pacific Partnership Clause Everyone Should Oppose.” The Washington Post, February 25, 2015.
  • Warwick Ashford. “US Researchers Find 25 Security Vulnerabilities in SCADA Systems.” ComputerWeekly, October 18, 2013.
  • “What Is a Script Kiddie? | Security News.” Accessed August 19, 2015.
  • “What Is BYOD and Why Is It Important? | TechRadar.” Accessed August 19, 2015.–1175088.
  • Wheeler, David. “Is an Exodus of Ph.D.s Causing a Brain Drain in the U.S.?” The New Republic, October 1, 2014.
  • Willis, Gerri. “IRS Using 13-Yr. Old Microsoft Software.” Fox Business, June 1, 2015.
  • Yager, Ronald R., Marek Z. Reformat, and Naif Alajlan. Intelligent Methods for Cyber Warfare. Springer, 2014.
  • Zetter, Kim. “An Unprecedented Look at Stuxnet, the World’s First Digital Weapon.” WIRED, November 3, 2014.
    ———. “Attackers Stole Certificate From Foxconn to Hack Kaspersky With Duqu 2.0.” WIRED, June 15, 2015.
    ———. “Hacker’s Tweet Reignites Ugly Battle Over Security Holes.” WIRED, April 21, 2015.
    ———. “Researcher Arrested in India After Disclosing Problems With Voting Machines.” WIRED, August 23, 2010.

1 DHS, “What Is Critical Infrastructure? | Homeland Security.”
2 Moteff, “Critical Infrastructures: Background, Policy, and Implementation.”
3 NIST, “Framework for Improving Critical Infrastructure Cybersecurity,” February 12, 2014; NIST, “Framework for Improving Critical Infrastructure Cybersecurity,” April 8, 2015.
4 Buldyrev et al., “Catastrophic Cascade of Failures in Interdependent Networks.”
5 Dobson, et al., “Complex Systems Analysis of Series of Blackouts: Cascading Failure, Critical Points, and Self-Organization.”; Little, “Controlling Cascading Failure: Understanding the Vulnerabilities of Interconnected Infrastructures.”
6 Elizabeth K. Kellar, “The Hard Work of Restoring Trust in Government.”
7 BBC, “England Rioters ‘Poor and Young.’”
8 Long and Sievers, Towards a Socioanalysis of Money, Finance and Capitalism.
9 Reifer, “Occupy Wall Street, the Global Crisis, and Antisystemic Movements.”
10 Anciaes, “Energy Price Shocks Sweet and Sour Consequences for Developing Countries”; “Brute-Force Cyberattacks against Critical Infrastructure, Energy Industry, Intensify”; Gendron, “Critical Energy Infrastructure Protection in Canada.”
11 John C. K. Daly, “The Baloch Insurgency and Its Threat to Pakistan’s Energy Sector.”
12 Taleb, The Black Swan.
13 Atran, “A Failure of Imagination (Intelligence, WMDs, and ‘Virtual Jihad’)”; Taleb, The Black Swan.
14 Trend Micro, “Report on Cybersecurity and Critical Infrastructure in the Americas.”
15 “Heart Bleed Bug.”
16 Bradely, “SCADA Systems”; Peerenboom, Fischer, and Whitfield, “Recovering from Disruptions of Interdependent Critical Infrastructures.”
17 Ryan Gallagher, “NSA Planned to Hijack Google App Store to Hack Smartphones.”
18 Staff, “Spying Together.”
19 Rose, “The Internet of Things Has Arrived — And So Have Massive Security Issues.”
20 BBC News, “Edward Snowden.”
21 Matt Brian, “Hackers Use Snowden Leaks to Reverse-Engineer NSA Surveillance Devices.”
22 Presenter, “Snowden Leaks.”
23 Tue, 15, and 2010, “John Robb Interview.”
24 Lewis, “Assessing the Risks of Cyber Terrorism, Cyber War and Other Cyber Threats”; Yager, Reformat, and Alajlan, Intelligent Methods for Cyber Warfare.
25 John Robb, “THE CHANGING FACE OF WAR.”
26 Symantec Inc., “A Manifesto for Cyber Resilience.”
27 Vlad Tsyrklevich, “Hacking Team: A Zero-Day Market Case Study”; Greenberg, “Shopping For Zero-Days.”
28 Willis, “IRS Using 13-Yr. Old Microsoft Software.”
29 Nicole Blake, “The Government’s COBOL Conundrum.”
30 “Brute-Force Cyberattacks against Critical Infrastructure, Energy Industry, Intensify”; Gendron, “Critical Energy Infrastructure Protection in Canada.”
31 Lucian Constantin, “Critical Vulnerability in NetUSB Driver Exposes Millions of Routers to Hacking.”
32 May 19, 2015, “Satellite Communication Systems Rife with Security Flaws, Vulnerable to Remote Hacks.”
33 Mc Afee, “In the Dark: Crucial Industries Confront Cyberattacks.”
34 Nicole Blake, “The Government’s COBOL Conundrum.”
35 Mc Afee, “In the Dark: Crucial Industries Confront Cyberattacks.”
36 Warwick Ashford, “US Researchers Find 25 Security Vulnerabilities in SCADA Systems.”
37 Zetter, “An Unprecedented Look at Stuxnet, the World’s First Digital Weapon.”
38 Fuller, “Pervasive Thailand Flooding Cripples Hard-Drive Suppliers.”
39 Chapple and Seidl, Cyberwarfare.
40 “Top Official Admits F-35 Stealth Fighter Secrets Stolen.”
41 “Heartbleed Bug.”
42 Kirkwood, “Discounting the Unexpected.”
43 Bruce Schneier, “How to Remain Secure Against the NSA.”
44 Stanage, “Feds Search for Ways to Impede ‘Cyber Bazaar.’”
45 The Economist, “The Digital Arms Trade.”
46 Zetter, “Researcher Arrested in India After Disclosing Problems With Voting Machines.”
47 Digital Rights Foundation, “Pakistan: New Cybercrime Bill Threatens the Rights to Privacy and Free Expression.”
48 Zetter, “Hacker’s Tweet Reignites Ugly Battle Over Security Holes.”
49 Dara Kerr, “EU Increases Penalties for Cybercriminals and Hackers.”
50 Kenric Ward, “Transparently Bad.”
51 Micheal German, “Why the FBI Needs To Protect Its Intelligence Whistleblowers.”
52 S et al., “How the Wassenaar Arrangement Threatens Responsible Vulnerability Disclosures.”
53 O’Neal, “Bugs Happen: Analyst Moderated Webinar on Bug Bounties.”
54 James Gannon, “Wassenaar: Turning Arms Control into Software Control.”
55 Robert Graham, “Errata Security.”
56 Griffiths, “Will The Trans-Pacific Partnership Threaten Net Neutrality?”
57 Soledad Vega, “Arstechnica.”
58 Warren, “The Trans-Pacific Partnership Clause Everyone Should Oppose.”
59 Jennifer Baker, “New EU Security Strategy.”
60 Singel, “Watch Out, White Hats! European Union Moves to Criminalize  Hacking Tools.”
61 Greenberg, “Hackers Remotely Kill a Jeep on the Highway—With Me in It.”
62 Manjoo, “‘Right to Be Forgotten’ Online Could Spread.”
63 Jeff Stone, “TPP Trade Deal Would Curb Freedom Of Speech Online, Internet Activists Warn.”
64 Friedersdorf, “Michael Hayden’s Hollow Constitution.”
65 Springer, “British Tourists’ Tweets Get Them Denied Entry to the U.S.”
66 Kris Holt, “Did U.S. Immigration Read This German Au Pair’s Facebook Messages?”
67 Robert Vamosi, “Detroit Crackdown Blocks Security Professional’s Entry into the U.S.”
68 Ramadan, “Why I’m Banned in the USA.”
69 John Blau, “Russia – a Happy Haven for Hackers.”
70 James McFarlin, “The Malware Economy.”
71 Wheeler, “Is an Exodus of Ph.D.s Causing a Brain Drain in the U.S.?”
72 John Blau, “Russia – a Happy Haven for Hackers.”
73 Elizabeth Weise, “Security Experts Take Aim at the Internet of (unsafe) Things.”
74 James McFarlin, “ISIS Cyber Ops: Empty Threat or Reality? | SecurityWeek.Com.”
75 Dough Drinkwater, “ISIS Hackers Take Control of French TV Station.”
76 Alastair Stevenson, “NSA Admits ‘Regret’ over Backing Dodgy Cryptography Standard.”
77 Trend Micro, “Report on Cybersecurity and Critical Infrastructure in the Americas.”
78 Zetter, “Attackers Stole Certificate From Foxconn to Hack Kaspersky With Duqu 2.0.”
79 Arkenberg, “John Robb Interview.”
80 Kirkwood, “Discounting the Unexpected.”
81 Robert, Calan, and Morabito, “Modelling Interdependencies among Critical Infrastructures.”
82 Taleb, The Black Swan.
83 Miller, Smart Swarm.
84 “Red Team, Blue Team: How to Run an Effective Simulation | Network World.”
85 Ibid.
86 Symantec Inc., “Advanced Persistent Threats: How They Work | Symantec.”
87 “What Is BYOD and Why Is It Important? | TechRadar.”
88 “What Is a Script Kiddie?”
89 Taleb, Antifragile.
90 Atran, “A Failure of Imagination (Intelligence, WMDs, and ‘Virtual Jihad’).”
91 Chris Hoffman, “Hacker Hat Colors Explained.”
92 Ibid.
93 Ibid.
