Cyber Security and Critical Infrastructure Protection (CIP) are major topics almost everywhere. Their priority has increased in recent years because of rising incidents, even if the main focus is still on a sectoral approach and on prevention. Priority is also given to delayed detection. But how to cope with significant infrastructure interruptions if protection efforts fail and cascading effects occur is hardly public knowledge, nor do people have the necessary capabilities to deal with them. Our belief that it won’t happen is still overwhelming. But it could also be a Turkey-Illusion.
A turkey’s trust in its owner, who feeds it daily, will increase in view of the owner’s good care. The turkey doesn’t know that this is only for one purpose. When turkeys are traditionally slaughtered on the day before Thanksgiving, the turkey will undergo a significant interruption of its trust.
Humans often act similarly. We look back at how successful we or a system have been until now and assume that this will continue in the future. At the same time we tend to overlook significant changes, unlike turkeys, which cannot foresee the future or changing developments.
Similarly, there are significant indications that we are in a major transformation process which will change our societies in a comprehensive way and there are also sufficient signs that this process could be accompanied by “Creative Destructions” as described by Joseph Schumpeter many decades ago. However, with our essential infrastructure interdependencies, the future outlook is not very pleasant.
Transformation to Network Society
During the Industrial Age we had simple structures (“machinery”) and clear hierarchies which worked very well most of the time. But we are now, dating back to the 1950s, in the transformation to the Network Age or Society which will change the way of life and societies fundamentally. In considering ongoing developments, it is dangerous to adhere currently to the knowledge and experience of former times, even if past solutions were successful in their day.
One major challenge will be that Industrial Age structures and thinking will not completely disappear, but they will lose more and more influence and importance. This will increase complexity and requirements for those who must keep up with the developments and will have to cope with new challenges.
What does complexity mean?
Complexity is already part of everyday language, even if different meanings are often associated with it, such as opacity, uncertainty, dynamics and so on. To address complexity very briefly, it can also be described by some typical characteristics:
- Changing system properties because of feedback loops, and therefore the possibility of emergent new properties of the system. As an example: oxygen and hydrogen are flammable gases; those two elements combined into water (aqua) form a liquid that extinguishes fire. Even if we knew the character of the gases, we would not be able to foresee the character of the new element.
- This also causes non-linearity where our approved risk management systems inevitably fail and predictions are difficult or impossible. They may work for a time as usual but, in a single moment, the system behaviour could change completely.
- Interconnectivity leads to increasing dynamics (faster and faster …) because the range of possible system behaviour is increasing.
- This leads also to irreversibility (no way back) and the impossibility of reconstructing the causes or restarting at a well known point. As an example of a complex system, take a creature: you can not cut creatures into well-structured pieces, analyse them and put them together again. It will not work. And this is valid for all complex (alive) systems. This only works with complicated (“dead”) systems (machines).
- Another very well known characteristic is that small causes could lead to large effects (“butterfly effect”). A small problem in a supply chain link could bring down the whole system/production, as we have seen recently.
- Yet another characteristic that is often underestimated is delayed and long-term effects, especially in our very short-term focused economy, where the figures are oriented towards quarters. We know that apparent short-term solutions often have a negative impact in the long term and that long-term success often requires accepting short-term disadvantages.
Therefore experts also speak of new VUCA-times or a new VUCA-normal. The acronym stands for volatility, uncertainty, complexity and ambiguity, and is directly connected to the increasing complexity caused by the ongoing man-made interconnectivity between everything. In particular, we are not used to dealing with ambiguity.
Risk and uncertainty
But we still try to address new possible risks and developments with successful methods from the past, which can hardly cope with increasing interconnectivity and complexity. In addition, risk is not the same as uncertainty. In a world with perfect hindsight, one knows what can and what cannot happen and can therefore assign risk-weighted probabilities to such events, build a model and take calculated decisions. However, in a world where we cannot possibly know what can and what cannot happen, assigning probabilities and building models can lead us to the same fate as that of our turkey.
Therefore the rise of systemic risks is hardly observed. Systemic risks are characterised by a high degree of interconnectivity and interdependencies and by the absence of any limit on their reach. Cascading effects are possible. Because of complexity and feedback loops, there are no simple cause-and-effect chains, and the triggers, as well as the impact, are systematically underestimated by responsible persons and organisations.
Which challenges are we facing?
First we have to know that in nature there are only complex, open systems. But they are new on a technical level, especially the increasing interdependencies (vulnerabilities). And we are still used to dealing with simple linear machines and not with complexity, which is mainly due to a lack of education and training. Especially in the education system we often still train and teach as was necessary for the Industrial Age, but that is hardly what is needed in the upcoming Network Age, even if a black and white description is too simple.
Lack of knowledge and systemic thinking
There are of course improvements but, in general, they cannot keep up with the fast technological developments, and therefore we can see more and more complexity gaps. Even though there are people who have the necessary knowledge to develop these emerging and converging technologies, most people do not have such knowledge, including in areas where they should have it, such as in public authorities or regulatory bodies that protect public interests. In particular, administrative bodies are often still organised under good old hierarchical structures which are hardly able to cope with the fast-changing VUCA-developments, not to mention the fact that interconnected specialist knowledge and fast reaction are often needed. Today nobody can know everything any more, and therefore we have to arrange more flexible ad-hoc networks and interaction among different experts to address complex dynamic challenges. We improve and increase the interconnections between technical systems more and more, but the necessary interconnection between people and organisations to cope with unintended side effects is lagging behind. This leads again to complexity gaps, which implies systemic risks and the danger of extreme events.
Example one: Cyber Space and Cyber Security
Ten years ago Cyber Security was hardly a topic anywhere. We spoke about Information and Communication Technology (ICT) Security, but not about Cyber Security. With the increasing networking of systems, including infrastructures, and with the spread of new technologies like smartphones, the focus shifted to a broader perspective. This was also necessary because the threat landscape was growing both qualitatively and quantitatively. Hardly any nation has no Cyber Security Strategy to mitigate the new challenges which came from the new virtual world. However, as we can see every day, regulations and efforts seem unable to keep up with the developments on the dark side of interconnectivity.
One reason for that could be that we still try to fight symptoms and not sources. We still try to fix vulnerabilities and wonder why it does not work. But more of the same will not be successful, as Albert Einstein already said: “Problems cannot be solved with the same mind set that created them.”
Of course, eliminating some essential vulnerabilities will not be easy because they are often based on significant design failures, which are due to the fact that the Internet and the connected hardware and software were often not designed for the purposes for which they are used nowadays. This problem is escalating, in particular, with legacy infrastructure systems like Supervisory Control and Data Acquisition (SCADA) or Industrial Control Systems (ICS), which are used for automation and were designed for offline use. Nowadays, however, they are increasingly connected to office IT systems, so the known office IT problems and threats could spread to them without the possibility of using known IT security solutions, because of other system requirements or because of costs.
But developments do not stop: on the contrary, new technologies like the Internet of Things (IoT) are coming up quickly and, with them, more future interconnectedness and threats. A few months ago only a few experts warned that major risks could spread from these technologies. Since some major Distributed Denial of Service (DDoS) attacks, we know that a large number of unsecured internet-connected digital devices, such as home routers and surveillance cameras, could be built up into a powerful weapon which is also capable of bringing down parts of our infrastructure. Until now we have been lucky and only services were interrupted. But what we have already seen would also be enough to trigger a major cascading infrastructure collapse, even if most people still believe that this will not be possible. And the threat increases with every new insecure connected device and with every new interconnection within infrastructural systems.
For the moment we are still at the beginning, but interconnectedness is likely to increase rapidly within the next few years because of Smart Grids, Smart Homes and Smart Cities, but also because of “Industry 4.0”. Digitalisation is on everybody’s lips, especially those of politicians. But do we really know what we are doing? Why should rapidly increasing threats from ICT be solved when they become more connected? Why are we again seeing serious security vulnerabilities in IoT devices which we previously solved in other domains years or decades ago? At that time they were in offline systems, but nowadays they are in highly interconnected systems where failures and disruptions could spread very fast and very far. It looks as though we have not learned the right lessons, while the risks of today are growing exponentially, and it seems only a matter of time until serious infrastructural disturbances occur because of an increasing complexity gap and underestimated systemic risks.
Example two: European power supply system
Another sector where a large complexity gap is emerging is the European power supply system. We have just started the largest infrastructure transformation ever, a transformation from fossil fuel driven power plants to renewable energy, which means a major shift from centralised to decentralised structures and power ratios. Yet every member state carries out its transformation at its own speed and in its own way, with hardly any common aim or plan; this leads to a more and more fragile system. As if that were not enough, new developments driven by the ICT sector or new market players will also increase vulnerabilities in this highly sensitive system. It is our most important lifeline, even if we do not normally notice it because it works almost every day without problems. Therefore we do not have fallback plans in the event of a considerable disturbance in the power supply system.
A European-wide power and infrastructure breakdown (“Blackout”) is hardly imaginable for many people, including most decision makers. Nevertheless, the warning signs were never as concrete as in recent months. The system instabilities have been increasing rapidly for years. And even the Association of European Transmission System Operators, ENTSO-E, has stated in the investigation report on the Turkey Blackout 2015: “The electric supply should never be interrupted, there is, unfortunately, no collapse-free power system!”
While most regions in the world have had corresponding experience of how to deal with such major disturbances, Europe has not had this experience due to its excellent security of supply. Therefore it is also difficult to predict how long it will take until power can be restored. These assessments range from several hours to several days. The knock-on effect for our strong inverse infrastructure and society would be devastating, because we do not expect it and are not prepared for it.
For this crisis situation there are rarely contingency plans, which would also have to work “offline”, and, because of the power outage, telecommunication systems would also collapse soon. So we could say that we have very good systems and operators because they have coped with all problems until now. But we could also be subject to a major Turkey-Illusion.
Learning from nature – “small is beautiful”
Therefore we should learn more from nature which has a very long history and development phase. Only survivable structures and organisms were successful and are still here. We often miss the so-called “silent witnesses”, those who did not survive and are not to be found in history books. So one major structure which succeeded is: “small is beautiful.”
- Small structures are more flexible and robust against shocks (asymmetry).
- People are more resilient in small structures.
- You can not prevent the development, but early warning is an important part of navigation and we have to prepare to cope with uncertainty and with major incidents/disruptions.
- It is all about communication and knowledge. If people and decision makers know the challenges, they can react and prepare before crisis/disruption or change the path.
- Security Communication will be a main driver to increase resilience of people and to be capable of acting in case of uncertainty and after extreme events.
- “Understanding the problem is half of the solution” as Albert Einstein stated.
Are we preparing for the right thing?
So we are moving on a very narrow path. Benefits and risks are very close together. One main question is, therefore: are we mature enough? To prepare for possible and more and more likely significant infrastructure interruptions, it is not enough to speak on a high political or management level. We have to include people and activate them to prepare themselves, because such scenarios can be solved only by people themselves and not, as is usually the case, by emergency services. Therefore, an open security and risk communication is needed, which addresses risks and uncertainty and shows people their responsibility in the event of significant infrastructure interruptions. We also have to ask ourselves in politics and in the security sector if we have the right focus, or if we are preparing for “the last war”. As an example, we are devoting a large amount of money and effort to terrorism prevention, but, on the other hand, we have a fundamental problem with our deadly vulnerable infrastructures. The problem is that there is no easy and fast technical solution, but we have to start to think about it and to develop new design approaches to mitigate the already existing catastrophic potential. To start with it after a first event, as we usually do, will be too late.
Herbert Saurugg was a career officer in the ICT-Security Section of the Austrian Armed Forces until 2012. Since then he has been on leave and is engaged in raising awareness about the increasing systemic risks due to the rising interconnections and dependencies between many Critical Infrastructures, which are contributing to extreme events. He is known as an expert on the topic of blackout, a Europe-wide power cut and infrastructure collapse, on which he has initiated a civil society initiative to raise awareness and preparation among all stakeholders throughout Austrian society. He is also a founding member of the association Cyber Security Austria, which is the mastermind behind the European Cyber Security Challenge. As a result of his systemic reflections he is calling for more efforts to raise awareness and resilience throughout our societies to face major extreme events in the foreseeable future.