Sweet Dreams and Rude Awakening - Critical Infrastructure's Focal IT-Related Incidents
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Proceedings of the 43rd Hawaii International Conference on System Sciences - 2010
Sweet Dreams and Rude Awakening –
Critical Infrastructure’s Focal IT-Related Incidents
Heli Tervo Timo Wiander
University of Oulu University of Oulu
heli.tervo@oulu.fi timo.wiander@oulu.fi
Abstract fact, it is widely agreed in the literature that
The proliferation of information technology has information systems failures cause huge economic
caused new challenging features for society. Modern losses [6, 7]. According to Laprie [8, 9], it has been
information systems communicate with each other and estimated that the cost of computer failures was over
create larger nets of systems. The focal systems in our 10 billion Fr in 1991 in France alone. That was five
society that maintain the core functions of a normal life percent of the total income of the computer industry at
must be reliable and robust. However, even these that time. In the USA, accidental faults cost 4 billion
systems fail. Extensive studies about IT systems’ dollars in 1991 [8, 9]. Furthermore, Laprie [8, p.6]
dependability usually concentrate either on technical states that the mean revenue lost per hour of downtime
or on human-related issues. With this study we wanted amounts to 78,000 USD based on the impact of
to give a wide-ranging and general prospect of IT- computer systems downtime on American businesses.
related problems in our society. We collected data Information systems in critical infrastructure need
from information system failures in society’s even more attention to the dependability as the stakes
infrastructure, and generated an overview of problems are higher there than just financial costs. Critical
in our core systems. The outcome of our survey was the infrastructure (CI) consists of all the structures and
fact that most failures with IT are not hostile attacks or
functions that are necessary for the continuity of
system internal problems, but rather problems in
society. This includes physical resources, services, and
surroundings with socio-economic and technical issues
in complex system-of-systems development, like a lack information technology facilities, networks and
of large-scale, holistic risk analysis and collaboration. infrastructure assets which, if disrupted or destroyed,
would have a serious impact on the health, safety,
security or economic well-being of citizens or on
effective functioning of governments [10, 11, 12].
1. Introduction Many of these CI systems are maintained and operated
by private sector actors as recent surveys reveal [13
Our society is more and more dependent on p.6, 14 p. 10].
information technology and its applications. At the The focal systems in our society that keep up the
same time these systems have become interconnected core functions of a normal daily life, like energy and
and we meet even more challenges on systems’ transportation systems, must be reliable and robust.
dependability1 issues, like reliability, availability and These systems can have very widespread consequences
safety [1]. Unfortunately, information systems are still if they are compromised or they fail otherwise. The
failing as recent studies show [2, 3, 4]. According to consequences are not necessary isolated to that one
Bieman [5], there are methods for improving specific event. As an example, a serious problem
dependability, but these methods are not in common within an electricity network could harm the
use. telecommunication networks and that in turn could
Too often business and economics determine when have a serious negative impact on the banking and
to release a new system, what kind of technology to transportation sector etc. According to Hagelstam [12],
use or in what issues to concentrate on technology [5]. this kind of domino effect could be cross-national so a
This is done at the expense of dependability and not serious problem in one national electricity network
only dependability issues are affected. As a matter of could cause serious safety and security problems and
consequences to the neighboring countries’ networks.
1
According to [1] dependability encompasses the following
The above-mentioned problems could paralyze
attributes: availability, reliability, safety, integrity and society’s vital functions when escalated from one
maintainability.
978-0-7695-3869-3/10 $26.00 © 2010 IEEE 1Proceedings of the 43rd Hawaii International Conference on System Sciences - 2010
system to another. Thus protection of the information we chose not to carry out searches from electronic
security perimeters of different parts of a critical databases; instead we chose to read valid newspapers.
infrastructure is an important aspect when building It is impracticable to cover all words or phrases that
stability in society and trust towards the services it journalists may have used when writing about issues
provides to its citizens. that have something to do with IT, software or
We wanted to find out what is the actual situation information systems and thus the manual approach was
with the systems that have a significant meaning from justified.
the societal point of view. So, our research question The study included news from the seven biggest
asks: What kind of problems do IT systems in society’s Finnish newspapers, which are published daily.
infrastructure have and on what scale? Such extensive Circulations of these newspapers vary between 61,003
studies are scarce and usually they concentrate either and 419,791, according to statistics for the year 2007
on technical issues or on human-related issues. With [16], see Table 1. The news collection covered the year
this study we want to give a wide-ranging and general 2008. Altogether there were 530 pieces of news found.
prospect of IT-related problems in our society. About four percent of newspapers of the study period
This paper has been organized as follows: Section 2 were missed. The main reason for this was the loss of
deals with the research method and settings and in newspapers in the library.
section 3 we present the findings of the study.
Discussion and conclusions finish this paper. Table 1. Newspapers and circulation
Aamulehti 139,165
Etelä-Suomen Sanomat 61,003
2. Research method and settings Helsingin Sanomat 419,791
Kaleva 81,593
In our study we wanted to analyze IT system Keskisuomalainen 74,945
failures in a critical infrastructure to see what kind of Savon Sanomat 64,789
problems arise. Furthermore, we wanted to investigate Turun Sanomat 112,419
what the media tells us about incidents that have
occurred. Therefore we chose content analysis [15] as 2.2. Research method
the research method.
According to Neuendorf [17], "(Content analysis) is
2.1. Data collection an in-depth analysis using quantitative or qualitative
techniques of messages using a scientific method
Organizations do not want to publicly disclose their (including attention to objectivity-intersubjectivity, a
systems’ failings. Therefore it might be hard to find out priori design, reliability, validity, generalizability,
the real problems and issues within these failures. On replicability, and hypothesis testing) and is not limited
the other hand, when the problem is severe enough, as to the types of variables that may be measured or the
these failings become transparent to society. It is context in which the messages are created or
virtually impossible to keep serious problems hidden presented." Thus, in this paper we focused on the
when dealing with systems that affect large groups of analysis of what the news texts talk about IT-related
people or have large economic effects. Examples of problems and how the news dealt with these problems
those include the following scenarios collected from in our society.
the research data: We used an open analysis approach [18]. Open
• The impact of the failure is too drastic to analysis identifies the dominant messages and subject
be hidden, like failures in public transport matter within the text. News paper texts were
condensed while still preserving the core. Then the
• The impact concerns a large amount of
texts were abstracted and grouped together under
people or companies and cannot be
higher order headings. Abstraction included the
hidden, like a bank’s IT system crash
creations of codes, categories and themes on varying
• The problem causes legal dispute between
levels and content areas [19]. Our analysis involves an
the vendor and the user organization, like
interpretation of the underlying meaning of the text,
a cash register system malfunction causing
referred to as the latent content [20, p. 325]. The initial
commercial losses
coding was done by one researcher and the final coding
• Somebody leaks the information, like a was done as a joint effort, in order to reach consensus
customer using a system informing over the subject.
publicly about malfunction
The intention in this study was to collect all news
concerning IT-related problems in Finland. Therefore,
2Proceedings of the 43rd Hawaii International Conference on System Sciences - 2010
3. Findings well: accidental and deliberate problems. These
problems may be caused because of a system user or
In the year 2008 there was one single case that an outsider. Accidental problems are unintentional
dominated the news. A Finnish bank was merged with misuse or damaging, like a cup of coffee falling on the
a bigger international bank (in this paper “the case keyboard, pressing a wrong button or negligent use of
Bank” or “the Bank”). We decided to analyze the systems or ignorance of security policies, for example.
situation in a two-fold manner, one analysis with all Deliberate problems, on the contrary, are intentional
news data and one without the Bank’s merger-related misuse or damaging, like data trespassing, denial of
news, in order to get a situational picture without one service, malware and viruses.
dominant case.
3.1.3. Problems in surroundings with socio-
economic and technical issues. The third problem
3.1. Group of “Problems”
class includes troubles that arise because of
circumstances in the system’s surroundings and
When trawling through the data, we found news
community. These problems include five subclasses: 1)
about single incidents or problems which were grouped
System incompatibility, or problem caused by another
together as “Problems”. These were pieces of news that
system; 2) Information flow problems (both technical
informed about realized problems, either system
and human) like data flow cut-off, delays in data flow,
incidents or other trouble followed by faulty systems,
or delays in system delivery; 3) Problems caused by
system misuse, problems using the system, or
updates and new system installations; 4) Problems
something causing trouble for the system. Thus,
arising with juridical and sentiment issues; and 5)
basically anything that was connected somehow to an
Troubles in physical circumstances, like weather, the
IT system and was having trouble was chosen for
location of the system affecting the system operation,
further investigation. This enabled us to take a more
or physically broken network connections.
holistic view of all surrounding problems with IT
The subclass 3, “Problems caused by updates and
systems, and not only to focus on problems with
new system installations”, may have actually turned
systems per se.
out to be a combination of some of subclasses 1, 2, 4
We wanted to count the amount of individual
and 5 and a class “system inner technical problems”, if
problems, so we had to filter out all overlapping news
we had the first hand information of the incident. We
of the same case. It is noteworthy that incidents with IT
wanted, however, to highlight the visible view of
systems are usually the consequence of multiple
system renewing and the system’s complex
hazards and hardly ever caused only by one single
connections to its surroundings. Systems in critical
cause, but we wanted to find here the visible and
infrastructure are presumably well tested before
obvious or most influential causes and problems and
installation (in hospitals, for example), but for different
therefore simplify the news in one main problem.
social or other causes in the system’s surroundings or
By filtering the news we found 206 problems. We
environment the update or new system installation
extracted the types of problems from the news and then
causes intricate problems. This is different from pure
sorted them. After that we derived four main classes of
technical malfunction and the news informed these
problem types: system inner technical problems,
problems pointing out the state of the system:
problems caused by people, problems in surroundings
update/system renewing.
with socio-economic and technical issues, and a class
of unspecified technological problems. These are
3.1.4. Undefined technological problems. The
discussed more closely in the next subsections. The
fourth class of problems is undefined technological
first three classes were furthermore divided into
problems. This class contains all news that informed
subclasses, as some news provided detailed
about some IT problem using general or vague terms,
information on the problem.
but did not however specify what the actual problem
was. Terms used in these news texts were, for example,
3.1.1. System internal technical problems.
a technological or technical trouble/problem in a
System inner technical problems were divided further
system. Figures 1 and 2 present the problem shares
into two subclasses: faulty software, which included
between these four classes. The detailed classification
faults in program code as well as other situations where
of all problems is presented in Table 2.
the program or technical parts of the system were
operating wrongly, and unsatisfactory usability.
3.1.2. Problems caused by people. Problems
caused by people were divided into two subclasses, as
3Proceedings of the 43rd Hawaii International Conference on System Sciences - 2010
3.2. Group of “Reissued problems”
The other main group of news we found, in
addition to “Problems”, was “Reissued problems”.
This group contains pieces of news addressing the
Internal technical
same problem later. These include causes,
People
consequences, reflections, opinions and interviews, or
Surroundings
how the same issue escalated harming other people or
Unspecified
organizations later on, and how the initial issue has
proceeded over time.
We combined all pieces of news of “Problems” and
“Reissued problems”, without any filtering, in order to
see the amount and percentage value of these news
texts in each class. Figure 3 represents the news
Figure 1. Problem shares between classes distribution.
Internal technical Internal technical
People People
Surroundings Surroundings
‘ Unspecified
Unspecified
Figure 2. Problem shares excluding the Figure 3. Shares of pieces of news about
case Bank problems and reissued problems
Table 2. The detailed classification of all problems
Internal technical
Surroundings
the case Bank
4Proceedings of the 43rd Hawaii International Conference on System Sciences - 2010
Figure 4 represents the news distribution about 4.2. Main findings
problems and reissued problems excluding the case
Bank. The findings in our research revealed that the
biggest sources of problems in critical infrastructure
are issues in systems’ surroundings. According to our
study, 45 per cent of all problems were related to those
(Figure 1). System internal technical problems were 8
percent, problems caused by people 15 percent and
Internal technical unspecified problems 32 percent of all problems. The
People case of a bank merger emphasized the class of
Surroundings problems in surroundings, but even if it was not
Unspecified included in the results, the ratio would be quite similar:
surrounding aspects would have 35 percent, system
internal problems 10 percent, problems caused by
people 18 percent, and unspecified problems 37
percent.
The problem shares between the two data groups,
Figure 4. Shares of news about problems and individual problems (Figures 1 and 2) and all news
reissued problems excluding the case Bank texts together (Figures 3 and 4) follow the same shape.
In news shares with the case of a bank merger (Figure
3), it is seen that the case affected news texts so that
4. Discussion surrounding issues are emphasized even a little more
than in individual problems (Figure 1). However, news
Systems are not as dependable as expected. Our seems to follow the share of problems and informs
study revealed that problems in surroundings overrule about incidents fairly.
system internal technical and people-related problems. Next we analyze these findings in more detail.
One reason for this is that the systems and business
processes are increasingly interconnected and problems 4.2.1. Aspects in surroundings. Within
in systems are reflected in others. surrounding aspects, the most dominating reasons were
system updates and new system installations. This was
4.1. Limitations 62 percent of problems within the environment class
(43 excluding the case Bank). The second biggest
subclass was incompatibility issues with 20 (30
Our study was based on published news so it lacks
excluding the case Bank) percent share. These two
first hand information about the problem cases. In this
subclasses form the majority of the problems in
kind of process of managing information and passing it
surroundings. This reflects that the system
on there are many opportunities for misunderstanding
development and update processes are not adequately
and distortion. This might partly explain the high
implemented in organizations. Compared to problems
proportion of news in the class of undefined technical
caused by people or system inner technical problems,
problems.
the amount of problems in system updates and new
Nevertheless, the most influential failures become
system installations is disturbingly high.
public [21]. The media informs about problems that
To overcome these problems there might be a need
cannot be hidden. So, the media plays an important
in organizations to take the interfaces and
role when finding out general and severe problem
interdependencies with systems even more into
types in the societal infrastructure. From this data of
account through better alignment of risk analysis/risk
most severe IT failures we can generate an overview of
management and system development methods. As we
focal problems in our core systems.
deal with a critical infrastructure, also regulators
The research data had one dominating incident, the
should emphasize interdependency issues more so that
case of a large bank merger, which was assumed to
they are more holistically implemented.
skew the results. To prevent this from happening, we
In this class the problems emphasize the fact that IT
divided the data and results into two different sets, to
systems are complex systems with multiple potential
see the effect of the dominant case. A larger data set
hazards, and to overcome problems with system’s
covering several years would have evened out the
surroundings we desperately need further studies and
differences.
new means for sketching and managing these troubles.
5Proceedings of the 43rd Hawaii International Conference on System Sciences - 2010
4.2.2. Problems caused by people. Surprisingly, people who operate the technical systems.
human problems were causing only 15 percent (18 Furthermore, they state that information security
excluding the Bank) of problems. In the class people, it should not simply be viewed as a means of protecting
is notable, that between deliberate and accidental physical assets alone. By taking individuals and their
problems, there is not a huge difference. This means social relationships into account, the protection level
that deliberate problems are not dominating the should be expanded [23].
problems caused by people overwhelmingly. So, Based on our research, surrounding issues should
beside attacks or viruses, the “normal” users or other be taken even more into account. The case Bank
people are causing quite a large problem in systems, by reflected one example of how one system problems
accidentally harming the systems. escalated to other systems. A couple of weeks and
The small amount of deliberate problems may be months after the bank merger, the bank in Finland had
because of the good overall situation of system lost thousands of customers and also employees were
security. Without doubt there is deliberate harming of leaving, monetary transactions in other banks were late
systems, but the news seems to indicate a good level of as well, and people’s salaries were delayed, for
security awareness. example. The State’s railroad operator had problems in
selling tickets, and the corrupted invoice data from the
Bank crashed another State billing system. From the
4.2.3. System internal problems. System inner
Bank’s point of view system problems were
problems were only about a tenth of problems. Based destructive, but from society’s viewpoint malfunctions
on this research it seems that the system inner in a banking system and how it escalated to other
problems are reasonably well taken care of within systems were even worse.
organizations. The problems are not fully overcome yet Our survey resulted in the fact that most failures in
but the systems are quite robust when they are taken our society with IT are not hostile attacks or system
into use. Systems operate well independently, but the internal problems, but rather a complicated mixture of,
biggest problem is the interdependencies of systems for example, insufficient communication and a lack of
and that should be more taken care of, as we previously large-scale, holistic risk analysis and collaboration.
stated. This is not only the case within the private sector but
also in society’s core systems, important infrastructure
4.2.4. Undefined problems. A significant systems, as well.
observance is that roughly one third of all problems (37 As our research revealed a lot of work still lies
percent excluding the case Bank) were undefined ahead for regulators, organizations and researchers in
problems: this amount of the news does not represent order to tackle the interdependency challenges within
problems adequately. This finding requires further critical infrastructure’s information systems. By having
investigation of the phenomenon. more focus on proactive actions within system
Some of the undefined problems might be purely development the safety and usability of critical
technical problems and not related to information infrastructure systems is improved in addition to the
technology. The news, however, indicated that most of total cost savings.
these problems were somehow related to IT, and thus This could be done, for example, by collecting and
may belong into any of the previous groups. But publishing incidents and best practices within system
because the news did not clearly identify this, we were development. It is especially important to raise the
forced to classify these problems to the class of awareness of developers so that they fully understand
undefined problems. the character of systems: they are not intended to work
in isolation – they are truly interconnected, and a chain
4.3. General discussion is only as strong as its weakest link.
In early studies of system dependability, technical 5. Conclusion
aspects were seen as a major source of problems. This
was not the case within this study as the results Based on our research, systems are not as
showed. The biggest source of problems was dependable as expected. Our study revealed that
undoubtedly surrounding problems, not the problems environmental problems overrule system internal
in systems per se. technical and people-related problems. One reason for
This is validated in the literature too. According to this is that the systems and business processes are
Dhillon and Backhouse [22], information security in increasingly interconnected and problems in systems
itself is not a technical problem alone. They argue that are reflected more widely. Large systems and nets of
it has social and organizational dimensions that involve systems become complicated combinations of
6Proceedings of the 43rd Hawaii International Conference on System Sciences - 2010
exceedingly different systems. Global buyouts causing [4] C Rettig, MIT Sloan Management Review
system integrations and migrations meet challenges, “communitech-solutions.com: Trouble with enterprise
not only in techniques but also in cultural aspects and software”, 2007.
laws. We need more collaboration to achieve a more
[5] J. Bieman, (Ed.), “Is Anyone Listening?”, Software
holistic view of systems and their use. Furthermore, by Quality Control 13, 3, Sep. 2005, pp. 225-226.
having more focus on proactive actions within system
development the safety and usability of critical [6] A. Arora, J. P. Caulkins, and R. Telang, “Sell First, Fix
infrastructure systems is improved along with the total Later: Impact of Patching” on Software Quality, October
cost savings. 2004. Available at SSRN: http://ssrn.com/abstract=670285.
This research analyzed the vulnerabilities in the
Finnish infrastructure’s IT systems. The study covered [7] M. Zhivich and R. K. Cunningham, "The Real Cost of
information system failings presented in the media. We Software Errors," Security & Privacy, IEEE , vol.7, no.2,
found that present systems, also in critical March-April 2009, pp.87-90.
infrastructure, have considerable vulnerabilities that [8] J. Laprie, “Dependability: The Challenge for the Future
are mostly based on complex interconnections in the of Computing and Communication Technologies”, in
system’s surroundings. Within aspects in surroundings, Proceedings of the First European Dependable Computing
the most dominant reasons were system updates and Conference on Dependable Computing (October 04 - 06,
new system installations. Surprisingly, human 1994). K. Echtle, D. K. Hammer, and D. Powell, Eds.
problems and system inner technical problems together Lecture Notes In Computer Science, vol. 852. Springer-
caused less problems than problems in surroundings Verlag, London, 407-408.
alone.
Dependability, safety and security have a new [9] J. Laprie, “Dependability of Computer Systems: from
Concepts to Limits”, in proceedings of IFIP International
scope with global and interacting systems. This is a Workshop on Dependable Computing and its Applications
growing domain that has, to date, had too little (DCIA'98), Johannesburg, South Africa, 12-14 January 1998,
attention but needs urgently visibility and solutions to pp.108-126.
meet present-day requirements in information systems.
We rely on magnificent information technology, but [10] Green paper on a European programme for Critical
the technology is evolving fast. In a society which is Infrastructure Protection. Available http://eur-
built on information technology there are parts and lex.europa.eu/LexUriServ/site/en/com/2005/com2005_0576e
aspects that are not always as advanced and n01.pdf. Referenced 20.1.2009.
sophisticated in this fast moving time frame. We
[11] United States Congress. U.S.A. Patriot Act. Available
should keep moving all the time and not just sleep and http://www.epic.org/privacy/terrorism/hr3162.html.
trust new innovations blindly. Referenced 20.1.2009.
Acknowledgements [12] A. Hagelstam, ”CIP – Kriittisen infrastruktuurin
turvaaminen. Käsiteanalyysi ja kansainvälinen vertailu”,
Huoltovarmuuskeskus, Julkaisuja 1/2005. (In Finnish: ”CIP –
The authors would like to thank the Finnish Funding Critical Infrastructure Protection. Contextual Analysis and
Agency for Technology and Innovation/Safety and International Comparison”, National Emergency Supply
security program, University of Oulu and University of Agency, Publications 1/2005.)
Kuopio, for funding this research.
[13] Queensland University of Technology, University of
Melbourne, Macquarie University, Edith Cowan University,
References Deakin University, Royal Melbourne Institute of
Technology, University of Woolongong, University of South
[1] Avizienis, A.; Laprie, J.-C.; Randell, B.; Landwehr, C., Australia, Attorney Generals Department, National Office of
"Basic concepts and taxonomy of dependable and secure the Information Economy, CSIRO, Defense Signals
computing," Dependable and Secure Computing, IEEE Directorate, Department of Defense, AusCERT, Freehills,
Transactions on, vol.1, no.1, pp. 11-33, Jan.-March 2004. Biometrics Institute, Key Trust, Spyrus. “Building Trust in
Australia’s Infrastructure: dealing with scientific,
[2] T.A.Longstaff, C. Chittister, R. Pethia, and Y.Y. Haimes, technological, business, policy and legal issues in
“Are we forgetting the risks of information technology?”, information security”. 2004.
Computer, vol.33, no.12, pp. 4351, Dec 2000.
[14] P. Pederson, D. Dudenhoeffer, S. Hartley, and M.
[3] C. Mann, “Why Software Is So Bad,” Technology Permann, “Critical Infrastructure Interdependency Modeling:
Review (July-August 2002): 32-38. A Survey of U.S. and International Research” . Technical
7Proceedings of the 43rd Hawaii International Conference on System Sciences - 2010
Support Working Group, Washington, DC, USA 2006.
Available: [20] E. Babbie, “The Practice of Social Research”, Belmont,
www.inl.gov/technicalpublications/Documents/3489532.pdf. CA: Thomson/Wadsworth. 2007.
Referenced 20.1.2009. [21] J.Bieman, Editorial: “What makes a software failure a
pageone story?”, Software Quality Control 14, 2 (Jun. 2006),
[15] B. Berelson, ”Content analysis in communication pp. 81-83.
research”, Glencoe, Ill.: Free Press. 1952.
[22] G.Dhillon, and J..Backhouse, “Information system
[16] Web document. security management in the new millennium”,
http://www.levikintarkastus.fi/levikintarkastus/tilastot/Levikk Communications of the ACM, Volume 43, Issue 7, pp. 125-
itilasto2007.pdf (in Finnish: newspaper circulation statistics 128. 2000.
from year 2007) Referenced 20.1.2009.
[23] G. Dhillon, and J. Backhouse, “Current directions in IS
[17] K. A. Neuendorf, "The Content Analysis Guidebook" security research: towards socio-organizational
SAGE, ISBN 0761919783. 2005. perspectives.” in Information Systems Journal, Volume 11,
Issue 2, pp. 127-153. 2001
[18] D. McKeone, “Measuring Your Media Profile”, Gower
Press, A general introduction to media analysis and PR
evaluation for the communications industry. 1995
[19] L.A Baxter, “Content analysis”, in: B.M., Montgomery,
S. Duck, (Eds.), Studying Interpersonal Interaction. The
Guilford Press, New York, London. 1991.
8You can also read
