Search AFCEA Site

Enable breadcrumbs token at /includes/pageheader.html.twig

Critical Contours: Navigating Cybersecurity and Infrastructure Priorities in a Dynamic World

An alleged massive cyber attack on Kenya’s government underscores debates on defining critical infrastructure.
By Diego Laje
Lifeguards and volunteers evacuate an elderly woman in Kherson, Ukraine, after the Kakhovka Dam was allegedly destroyed by Russian occupying forces in June, causing floods. Credit: Drop of Light/Shutterstock
Lifeguards and volunteers evacuate an elderly woman in Kherson, Ukraine, after the Kakhovka Dam was allegedly destroyed by Russian occupying forces in June, causing floods. Credit: Drop of Light/Shutterstock

The term “critical infrastructure” carries different meanings in different countries, and some still debate the definition.

Following a cyber attack reportedly on Kenya’s central bank and other agencies in May, for example, several questions arose about which agencies and systems are critical for a country.

According to a report by Reuters news agency, the infiltration was allegedly against the African country’s financial authorities to ascertain whether funds were available to repay an infrastructure loan from Beijing.

Nairobi said that the attempts were unsuccessful, and China denied the accusations.

Nevertheless, the genie had left the bottle. “The fear among Kenyan media and the public has been that the strategic Mombasa Port was posted as collateral for these loans, feeding accusations of China indulging in ‘debt-trap diplomacy’ both in Kenya and across the continent—and the hacking reports risk re-igniting this controversy around Chinese lending,” according to a report by Fergus Kell, Africa researcher at Chatham House, a British think tank.

The stock of reserves in a central bank is public information, and this data is generally reported by authorities around the world. This case exposed how the line between critical data and critical infrastructure is hard to draw.

“Several years ago, the same discussion happened in Ukraine,” said Oleksii Baranovskyi, senior lecturer at the Blekinge Institute of Technology and associate professor at the National Technical University of Ukraine.

During an event, one expert asked whether an airport could be considered critical infrastructure.

“Almost all attendees answered, ‘Yeah, for sure,’” Baranovskyi remembered.

But the actual answer was that an airport should not be considered critical infrastructure.

“What will change in your life if the airport near you is destroyed?” Baranovskyi asked rhetorically. “Maybe you will need to travel two more hours to a new airport, or you will take a train or car. It will change your lifestyle but will not impact you on a regular basis.”

 

 

 

Unauthorized access to systems that can alter how a country or one of its relevant agencies operates is at the center of which systems are critical and which are not.

“When we look at protections on systems that process, store or transmit information, we look at what the consequences would be if we lose confidentiality, integrity or availability of that information,” said Drew York, Naval Information Warfare Center Atlantic lead systems engineer for cybersecurity.

York focuses on military systems, but a similar line of thought can be applied to civilian infrastructure.

To illustrate how other systems must be kept functioning regardless, Baranovskyi offered an example that is usually overlooked internationally but is critical for the Ukrainian capital.

“For Kyiv, the railways around Kyiv, those will be critical,” said Baranovskyi.

Railway infrastructure ranks among the key assets to sustain life in the Ukrainian capital.

“Because of logistics of food, because of logistics of medicines, because of logistics of fuel, water, etcetera,” explained Baranovskyi, an expert in cyber defense of critical infrastructure who is deeply involved in the defense of his native Ukraine. Should these deliveries be interrupted, the capital should be evacuated.

But the season also affects what is critical and what is not, according to this specialist.

“It was miracle or stupidity, depends on how you look at it,” Baranovskyi said, addressing Russia’s efforts to destroy the country’s power grid.

Nairobi’s Teleposta Tower is where the Kenyan Ministry of Information and Communications and the Ministry of Trade are based. Credit: sduraku/Shutterstock
Nairobi’s Teleposta Tower is where the Kenyan Ministry of Information and Communications and the Ministry of Trade are based. Credit: sduraku/Shutterstock

During the autumn and winter of 2022–2023, Russia launched waves of missile and drone strikes against energy infrastructure. While such actions are war crimes, as were other Russian efforts to attack food infrastructure along the coast of the Black Sea, the campaign was wrongly timed, according to Baranovskyi.

“Russia attacked Ukrainian critical energy infrastructure in winter, not in summer,” Baranovskyi explained. The effect of this campaign on the population was an inconvenience, but food could be stored outside and, due to the cold weather, it was refrigerated naturally. Food losses due to electricity shortages were minimal, according to this specialist. Had the campaign been conducted in the summer, its effects would have been very different, he suggested.

Therefore, according to this academic, even the time of the year affects what is critical and what is not.

In Eastern Europe, infrastructure is evaluated in terms of seven criteria, according to Baranovskyi:
1. Casualties
2. Economic effects
3. Necessity of evacuation
4. Service loss
5. Recovery time
6. International effects
7. Uniqueness

If at least three of these criteria are severely affected, stakeholders should maximize protections and draw contingency plans.

Kenya’s economic authorities alleged information cyber theft only had economic and, possibly, international effects but would not have posed an imminent risk against civilians in the country, according to this method.

Still, cybersecurity is about building scenarios and contrasting those theoretical possibilities with a set of steps designed to suggest where to concentrate defenses.

The U.S. Navy contrasts alternatives for cyber contingencies under different systems. Some may be related to weapons systems; others could be administrative systems for logistics, for example.

York compared the three ways to start the process: confidentiality, integrity and availability. “Loss of confidentiality, versus the impact of the loss of integrity, versus the impact of loss of availability of the information that is stored, processed or transmitted by a system—and that’s where we start with our baseline set of cybersecurity protections or controls that have to be put on a system,” York said.

“The security assessment really identifies how it’s going to be evaluated against the right mission, the right mission level,” said Aleksandra Scalco, the U.S. Navy’s subject matter expert for mission-critical control systems.

“We check everything and we’re paying very, very close attention to what they’re doing to try to catch the bad stuff before it can cause us problems,” York said.

The military and civilian realms’ proper definition of priorities goes beyond initial analysis. Parts of a power grid may have different relevance in summer or winter. Still, analysis at a granular level seems to be the best way to guide decision-making and, consequentially, resource allocation.

Enjoying The Cyber Edge?
The Cyber Edge is part of SIGNAL Magazine. Subscribe or join AFCEA to receive SIGNAL and its award winning news.
SUBSCRIBE NOW
LEARN MORE
JOIN AFCEA

Related Cyber Content