The Bridge - Issue 2, 2023 - 16
Feature
Bridging the Gap between Cybersecurity and Reliability for Critical National Infrastructures
architecture. In contrast, the most widely used simulation
technique, Monte Carlo, is a time-consuming and efficient
way to evaluate the dependability of large, complex
systems like CNIs. For CNI reliability calculations, there is
a need for novel approximate methods that can be both
efficient and less time-consuming [3].
The system's reliability is measured, among other things, by
the Mean Time to Failure (MTTF) and the Mean Time to
Repair (MTTR). Reliability theory can be used to support a
system's robustness by analyzing the behavior of complex
systems and developing new stable ones.
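The following sketch is an added example, not part of the article: it estimates the MTTF of a small system by Monte Carlo simulation and compares the result with the closed-form value, showing that the standard error shrinks only as 1/sqrt(N), which is why the technique becomes time-consuming for large systems. The system layout (one controller in series with two redundant pumps), the failure rates, the exponential lifetimes and the 8-hour MTTR are all constructed assumptions.

```python
import math
import random

# Constructed failure rates (per hour); not taken from the article.
LAMBDA_CONTROLLER = 1 / 5000.0   # single controller, in series
LAMBDA_PUMP = 1 / 2000.0         # each of two redundant pumps, in parallel


def system_lifetime(rng):
    """One simulated time-to-failure: controller in series with 2 parallel pumps."""
    controller = rng.expovariate(LAMBDA_CONTROLLER)
    pumps = max(rng.expovariate(LAMBDA_PUMP), rng.expovariate(LAMBDA_PUMP))
    return min(controller, pumps)


def monte_carlo_mttf(trials, seed=0):
    """Return (estimate, standard_error) of MTTF from `trials` simulated lifetimes."""
    rng = random.Random(seed)
    samples = [system_lifetime(rng) for _ in range(trials)]
    mean = sum(samples) / trials
    var = sum((x - mean) ** 2 for x in samples) / (trials - 1)
    return mean, math.sqrt(var / trials)


def analytic_mttf():
    """Closed form: integral of R(t) = e^(-lc t) * (2 e^(-lp t) - e^(-2 lp t))."""
    lc, lp = LAMBDA_CONTROLLER, LAMBDA_PUMP
    return 2 / (lc + lp) - 1 / (lc + 2 * lp)


def availability(mttf, mttr):
    """Steady-state availability of a repairable system: MTTF / (MTTF + MTTR)."""
    return mttf / (mttf + mttr)


if __name__ == "__main__":
    exact = analytic_mttf()
    print(f"analytic MTTF = {exact:.1f} h")
    for n in (100, 10_000, 1_000_000):
        est, se = monte_carlo_mttf(n)
        print(f"N={n:>9}: MTTF ~ {est:8.1f} h  (std err {se:6.1f})")
    # Assumed MTTR of 8 hours, for illustration only.
    print(f"availability with MTTR=8 h: {availability(exact, 8.0):.5f}")
```

Each 100-fold increase in trials buys roughly one extra decimal digit of accuracy, while the closed form is available only because this constructed system is tiny.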
III. CYBERSECURITY IN CNIS
As the various types of cyber threats continue to multiply,
the following are some common and highly prevalent cyber
threats (presented in Figure 2) that CNIs should be aware
of:
* Malware attacks: Malware is software intended to
interrupt, disrupt, or obtain access to a network or system
without permission. When malicious software is used
to attack a CNI, it can interrupt the function of sensitive
public services such as transportation, water, or electricity.
* Phishing attacks: Phishing involves the distribution of
fake messages or emails that seem to be from legitimate
sources in order to encourage users to provide sensitive
information or to click on links that may be malicious.
CNIs, such as water treatment facilities, transportation
systems, and electrical grids, are especially susceptible
to these kinds of attacks since they can have extensive
effects on society.
* Man-in-the-Middle attacks: These attacks involve
the unauthorized interception and manipulation of
communications between two different entities, which
allows hackers to obtain critical information or interrupt
critical system operations.
* Trojan attacks: These attacks can be used to obtain
unauthorized access to a system and then remain
undiscovered for significant time periods, which enables
the attacker to disrupt operations or collect critical
information.
* Distributed Denial-of-Service attacks: These attacks
usually consist of overwhelming a targeted system or
network with massive quantities of traffic in order to cause
it to become unavailable or malfunction.
* Ransomware attacks: The purpose of these attacks is
to access and then encrypt the data in the CNI systems,
which will make them unavailable to the operators until
the hackers are paid a ransom.
* SQL injection attacks: These attacks consist of the
injection of malicious code into the SQL database of a
critical infrastructure system, allowing an attacker to disrupt
the infrastructure as well as manipulate data.
* Zero-day attacks: These attacks exploit a vulnerability that
has not been detected or resolved by the security services
provider, and therefore, the application is susceptible to
future attacks.
* Worm attacks: Computer worms are usually developed
with malicious intentions and can significantly disrupt
the infrastructure they are attacking, causing potentially
massive damage and disruption. The worm spreads
by self-replicating and propagating to multiple systems,
usually via email or by exploiting software or operating
system vulnerabilities.
* Brute force attacks: This is a form of cyberattack where
an attacker uses various automated techniques to
generate different password or key
combinations in order to obtain unauthorized access to
systems, accounts, or websites. The attacker will usually
employ a list of popular passwords or a word dictionary to
guess the correct password.
IV. PRIVACY REQUIREMENTS IN CNIS
CNIs are generally viewed as critical systems or assets
for the operation of a nation or region, and, as such, they
are often required to meet rigorous privacy requirements.
These requirements are intended to preserve the integrity,
confidentiality, and availability of information and systems
associated with CNIs. However, depending on the region or
country in which the CNI is located and the characteristics
of the CNI in question, various standards, laws, and
regulations may apply to the privacy of the CNI. The
following are some examples of these standards, laws, and
regulations:
* The General Data Protection Regulation (GDPR) in the
European Union.
* The Health Insurance Portability and Accountability Act
(HIPAA) in the United States.
* The California Consumer Privacy Act (CCPA) for residents
of California in the United States.
* The Personal Data Protection Act (PDPA) in Singapore.
* The Personal Information Protection and Electronic
Documents Act (PIPEDA) in Canada.
* The Federal Data Protection Act (FDPA) in Switzerland.
The CNI privacy requirements are generally intended to
provide assurance that the CNI information and systems
are secured from any disclosure, unauthorized use,
tampering, or other unauthorized access. The following are
the privacy requirements in CNIs that should be taken into
consideration:
* Confidentiality and data protection: Sensitive and
private data should be protected from disclosure and
unauthorized access.
* Periodic monitoring and audits: Regular monitoring and
audits are required to ensure that appropriate privacy and
security systems are in operation and working to secure CNIs.