Journal of Software Engineering and Applications, 2013, 6, 23-33 Published Online September 2013 ( 23
Critical Energy Infrastructure: Cyberterrorism Threats
and Means of Protection
V. A. Vasenin
Computer Security Department, Institute for Information Security Issues, Lomonosov Moscow State University, Moscow, Russia.
Received July 24th, 2013; revised August 23rd, 2013; accepted August 31st, 2013
Copyright © 2013 V. A. Vasenin. This is an open access article distributed under the Creative Commons Attribution License, which
permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
The present paper is concerned with potential cyberterrorist threats which the objects of national energy infrastructure
may undergo, directions of development of counteraction means for these threats, problems arising during this devel-
opment and their possible solutions. This problem field is studied by the author from scientific point of view (from
point of view of computer science and information security of large systems) and this paper reflects results of such
studies. Many special technical terms were omitted or substituted in order to make the statement accessible to wider
range of people concerned.
Keywords: Energy Infrastructure; Cyberterrorism; Threats; Vulnerabilities; Critically Important; Information Security
1. Introduction
It is important to define what we mean by energy infra-
structure before we continue to consider systematiza-
tion and analysis of threats to it. We will define energy
infrastructure as objects composed of a group of ele-
ments, including buildings, technical instruments and
technologies, staff, and attending to solve posed tasks.
Tasks are defined by functions of separate sectors of en-
ergy infrastructure, including organization of industrial
and financial activities, which are directed at extraction, pro-
cessing, storage and transporting of following resources:
oil and ga s r e sources;
electro-energy resources;
nuclear energetic resources.
The whole complex of listed tasks which are defined
as “extractive” including extraction and primary proc-
essing can be solved in some of the countries. In other
countries only a subset of such tasks is solved, such as
processing, storage and transporting. These tasks are
close in their aims, for which energy infrastructures are
established in different countries. They are close in the
ways of solving them and, as a consequence, the prob-
lems arise. But targeted purposes on organization of in-
frastructure activities are dictated and means of imple-
menting them are generally controlled by state in the
form of representative for these activities services and
persons in each country which has such infrastructures.
The reason for such attention is the fact that, unlike other
infrastructures of national industrial complex, these in-
frastructures are critically important for state and their
key forming objects are critically important.
We will include rank infrastructures as critical level if
they or their elements are mentioned in the present paper.
Critically important infrastructure is a set of interact-
ing segments and objects which compose the national
industrial complex, supporting vital activities, when par-
tial degradation or full loss of functionality can lead to
impacts on components of national security or emergen-
cies at various scales directly or within a short period of
Critically important information infrastructure is a
composition of infrastructure elements, including com-
puting and communication resources which provide the
control of critically important state infrastructures.
Critically important components of national telecom-
munication infrastructure are such elements (segments,
objects) of national telecommunication infrastructure
which provide the control of critically important compo-
nents for state in frastructures.
Critically important object is an object of critically
important infrastructure, which can impact, directly or
within a short period of time, on the state of national se-
curity or lead to emergencies at various scales, due to
partial degradation or full loss of functionality.
Copyright © 2013 SciRes. JSEA
Critical Energy Infrastructure: Cyberterrorism Threats and Means of Protection
Critically important segment is a composition of criti-
cally important objects united by one or several qualifi-
cation characteristics such as single technological pro-
cess, single department, security requirements and others.
Economical effectiveness and security of the country
at international level is defined by effectiveness of single
infrastructures, supporting various sectors of industrial
complex. These include various industry branches, trans-
port, science and medicine. Effectiveness depends at high
degree on provision of these infrastructures with energy
resources. In this meaning, absence of needed function
energy resources directly impacts on one of most impor-
tant components of national security—en ergy security.
Mutual inter-country oblig ations in field of acquisition
and provision of one or other type of energy resources
have been composed during years. Volumes and dead-
lines of supplies are estimated basing on planned vol-
umes of consumption of different branches of national
industrial complex. Any violation of such obligation due
to different destructive factors can change composed
situation. Therefore, energy security should be seen as an
international, world-wide category in this context. Com-
posed set of interacting at the conditions of aforemen-
tioned supplies and national energy infrastructures should
be interpreted and defined as international energy infra-
2. Key Principles, Architectural and
Technological Features of Business
Processes Organi zation
Studies which are dedicated to search of vulnerabilities
and security means of controlled object for protection
from destructive informational impacts as a general rule
should start from analysis of environment. This is a com-
plex, multiparametric notion for critically important ob-
jects, which required strict systematic analysis. The fol-
lowing can be mentioned as the b asic entities of such en-
separate composing elements of protection object (in-
formation actives, computing and communication re-
sources) and their architectural and technological fea-
regulations (electronic) for their support and staff,
implementing these regulations;
subjects of potentially destructive impacts and possi-
ble ways of their implementation.
Despite the certain differences basic principles of or-
ganization of retrieval (extraction or generation) and pri-
mary processing, storage and transportation of energy re-
sources in oil and gas, electro-energy and nuclear energy
sectors are equal. This fact is explained by the fact that
extraction of energy resources is realized in different, lo-
cally bound places, which are spread on Russia territory.
These places are defined by positions of thermoelectric
stations and hydroenergy buildings, locations of nuclear
Transportation and storage of energy resources in
Russia is concerned with the need of effectively trans-
porting them to potential consumers including foreign
ones. This leads to necessity of creation of big, highly-
developed, spread network of resource transportation.
Big, supporting needed pressure compressor stations,
swap stations and other objects are built in the nodes of
the network for oil and gas swap. The difference of elec-
troenergy and nuclear energy complexes lies in the ab-
sence of necessity to accumulate and store large quanti-
ties of resources. However organization of their transport
and effective delivery requires building and supporting
big, spread transport network. High-voltage transfer net-
works are built for this purpose.
The needed level of organization of all interconnected
processes of extraction and primary processing of raw
material, storage, transportation and resource delivery,
forming a continuous technological cycle, is possible in
modern conditions only on the condition of effective in-
dustrial and financial support. This support can be achi-
eved only on the basis of clear regulations including elec-
tronic regulations of all processes of continuous techno-
logical cycle and creation of computer systems support-
ing automatic support of such processes.
Complex of measures in Russia from the administra-
tive and financial positions is supported by large subjects
of non-state property with large portions of government
involvement. These include “Gazprom”, “Lukoil”, “Ros-
neft”, “Rosenergoatom” and others. Active state involve-
ment is explained by necessity of operative control on
processes in these critically important components of na-
tional industrial complex and the ability of influencing
on them, using governmental resources.
Control systems of united technological cycle in dif-
ferent sectors of country energy complex are in the form-
ing stage at present. New regulations supporting united
technological cycle, business processes implementing
them, instrumental means and systems are formed, old
and updated and mastered in the structures (corporations)
working in the oil and gas field. Hierarchically function-
ing information systems of controlling technological
processes and objects are established and functioning.
These systems include automatic systems of directing
plants at lower levels of ar chitectura l hierarchy an d these
for their turn include ones controlling linear production
processes and equipment. Control of supporting envi-
ronment belongs to technological processes, which are
implemented during extraction, processing, storage and
transportation of oil and gas resources. The first stage of
work on creation of automated systems is related to cor-
porate control of financial and administrative activities.
“Rosenergoatom” is also being reformed at smaller
Copyright © 2013 SciRes. JSEA
Critical Energy Infrastructure: Cyberterrorism Threats and Means of Protection 25
scale. Regulations (including electronic) are developed
implementing business processes in context of united
technological process of retrieving energy resources us-
ing nuclear stations, their transportation and sale. Ade-
quate means for automatizing these processes and effec-
tive structures of controlling technological processes, ad-
ministrative and financial activities are being researched.
This field utilizes positive experience from adjoining
fields like oil and gas and electric energy.
Taking into account aforementioned reasons a deduc-
tion can be carried that exploitation of objects from all
three considered sectors of national energy complex and
means of controlling them are close. Therefore, they can
be categorized as one class of objects from this point of
Central control of technological cycle by coordination
of each of composing companies is being accomplished
by each of corporations using corporate and regional
communication networks. The largest burden of control-
ling industrial processes is carried by separate plants
which support technological cycle of retrieving raw ma-
terial, processing it, storing and transporting energy re-
sources. Technical and computer means for automating
the processes are formed basing on open standards. This
approach allows connecting new objects and updating
existing without substantial modification of basic tech-
nical and program means.
Approaches to detection of threats to critical infra-
structure obje cts, to defining means of their implementa-
tion and to development of counteraction methods are in
the large way influenced by peculiarities of architecture
and technology. This is the reason why tasks of classifi-
cation (clasterization) of such objects are very important.
Analysis of architectural and techn ical peculiarities of oil
and gas, electric energy and nuclear energy objects
shows that they all can be considered object of one class.
SCADA systems are used for operative control over the
state of basic technological processes in automatic sys-
tems of all energy complex sectors. Different types of
controllers present at worldwide IT market and being
recommended at practice can be used at lower level for
controlling mechanisms. Range of information systems
used for controlling administrative and financial active-
ties is much wider. Both information systems of middle-
performance includ ing native ones, and resource hogg ing
complex high-performance system of R-3 SAP level can
be used at this direction.
Objects of destructive information impacts on critical
energy infrastructure include:
automated control systems for technological proc-
esses at lower level of their implementation and their
components (servers, SCADA in the first place, auto-
mated working places, microprocessor controllers,
telemechanics services);
information and telecommunication networks sup-
porting automated technological process control sys-
information objects, supporting processes of acquir-
ing, processing and transporting energy resources (ob-
jects, supporting compressor systems, gas swap, elec-
tric supply and others).
3. Threats and Vulnerabilities. Terrorism
and Cyberterrorism
Threats of destructive information impacts on critical
energy infrastructure can come from:
single criminals or criminal groups, which aim against
interests of companies in bounds of corporation and
corporation in general;
terrorist groups, pursuing aims of destabilization of
social, political or economical equilibrium, creating
emergency of national scale .
Terrorism will be viewed as a demonstration of ex-
tremism in action, based on disagreements (national, in-
ternational) o f separate groups of pe ople with state inter-
ests and institutes (in politics, social sphere, on religious
or criminal basis) and directed at creating an atmosphere
of fear and tensio n in the so ciety, on formatio n of factors,
directly or indirectly destabilizing state of national secu-
rity with the aim of advancing requirements to govern-
mental structures, which cannot be fulfilled on the cur-
rent law basis.
Cyberterrorism is viewed as one of the terrorism direc-
tions which:
utilizes information complexes and network segments
supporting critically important from national secu-
rity point systems for pursuing its aims;
computer services are used as objects of impact.
Cyberterrorist act is a terrorist act which is performed
using computer means using which can directly or poten-
tially impact health or lives of people, large-scale de-
struction of material objects and other consequences af-
fecting national security.
Destructive information impact on an automated con-
trol system (ACS) is an unsanctioned impact on single
information actives, communication and telecommunica-
tion resources. Such impacts lead to violation of regular
(determined by regulation) procedures of system func-
tioning as a result of breach or total destruction of sup-
porting information and telecommunication infrastruc-
ture. Destructive impacts can be aimed at single compo-
nents of ACS, such as SCADA server, backup server,
AWP of dispatcher, AWP of the specialist, local auto-
mated control system, controller, connection device and
other, including supporting information actives.
Destructive information depending on the ways of
impact can have the following aims:
Copyright © 2013 SciRes. JSEA
Critical Energy Infrastructure: Cyberterrorism Threats and Means of Protection
violation of ACS information confidentiality;
violation of ACS information integrity (unsanctioned
data modification);
violation of ACS information resources availability.
Violation of confidentiality of ACS information, which
is stored or processed by ACS, assumes disclosing in-
formation by persons, who do not have rights of access-
ing it. Violation of integrity is an unsanction ed modifica-
tion of data. An example of destructive impact, which
has aims of violating confidentialit y and in tegrity, is a ty-
pical remote attack when the false ACS object is created.
Principally different aim of destructive impact is a
violation of availability of ACS resources. Unsanctioned
access to information by malicious person is not required
in this case. His primary objective is making resources of
the attacked object unavailable for other elements of
ACS and as a consequence access to its resources and
controlled technological devices impossible.
It should be noted that system can be made unavailable
by means of physical or other impact at the ACS hard-
ware and software.
The following vulnerabilities are commonly used for
implementation of confidentiality threats:
errors in access control mechanisms implementation
in operating systems;
lack of needed physical protection of communication
vulnerabilities of communication environments, allow-
ing unsanctioned connections to data transfer chan-
vulnerabilities of network control protocols allowing
packet rero u t ing to the ot h e r host of the ne t work;
absence of s ecure cyphe ring met h od s.
In case of implementation of integrity threats vulner-
abilities of correspond ing network proto cols are required.
Such vulnerabilities allow malicious person to modify
data on its own discretion.
Vulnerabilities, which are used for implementing avail-
ability attacks include:
errors in access control mechanisms implementation
in operating systems;
lack of needed physical protection of communication
vulnerabilities of communication environment to po-
tential noises.
Implementation of attack is possible in absence of ef-
ficient methods of counteracting possible distributed de-
nial of service attacks. Such means as a rule are pre-
sented by systems for monitoring communication envi-
ronment for detecting destructive impacts and counter-
The most important element supporting information
interaction in the bound s of the ACS is a telecommunica-
tion (network) infrastructure. Network infrastructure can
be viewed at three levels: communication, application
and level of connection between devices and technologi-
cal objects.
Communication level includes data transfer channels,
a set of required communication hardware, system of
monitoring and controls the state of communication hard-
ware (including software supporting control protocols
and automated system services) on the purpose of con-
trolling availability an d absence of destructive impacts.
Network application level includes software, working
on ACS over control protocols of communication level
(for example, web-servers, e-mail servers, DBMS, elec-
tronic documents systems).
Connection level includes controllers and other hard-
ware, which is installed directly on the technological
object and cannot be separated from that object.
Let us discuss main classes of vulnerabilities of ACS
network infrastructure elements and classes of destruct-
tive information impacts connected with them. Vulner-
ability of network infrastructure of ACS is a property of
its elements which can allow an offender in given envi-
ronment disturb safe functioning regiments of system,
determined by security policy. Primarily, vulnerabilities
which allow a violation of confidentiality or integrity of
information processed by ACS, or loss of ACS services
availability, or physical damage to ACS elements should
be reviewed. It is important to mention that the large part
of ACS network vulnerabilities is composed of errors in
software, which is responsible for supporting operating
system kernel of user applications working on single
hosts of automated systems. These errors usually do not
depend on the purpose of the program.
4. Need for Consolidation
Analysis of destructive information impacts with the ter-
rorist purposes on the industrial objects of energy infra-
structure lets us make the following conclusions.
The most probable scenarios of cyberterrorist attack
on the objects of energy infrastructure are the ones
which allow not only temporary or full loss of func-
tionality but as a consequence (a secondary effect)
create a large-scale emergency with high level of da-
mages (material, casualties and others) and/or threat
to national security.
Implementation of such scenarios will with high
probability be carried out by a group of agents, coor-
dinating their actions, from different points of net-
work environment, located outside of the attacked
The most valuable actions from the scale of potential
damage are the following:
distributed denial of service attacks which are hard to
prevent in the efficient manner;
complex attacks, which result in o verriding co ntrol on
Copyright © 2013 SciRes. JSEA
Critical Energy Infrastructure: Cyberterrorism Threats and Means of Protection 27
industrial object and important technological proc-
esses, allowing it to function.
Implementation of efficient counteraction to the men-
tioned attack needs detailed study of environment, which
influences their preparation and implementation. All as-
pects of cybercounteraction need to be accounted: from
motivation of subjects of attack to features of counteract-
tion computer means. Therefore, it seems to be important
to transfer from verbal definition of cyberterrorist actions
at political level to the strict formal definition and study
at scientific and technological level. This fact is stated
based on our own experience of carrying out studies of
this phenomenon being applied to critical infrastructure
objects during more than 10 years. Two-volume edition
“Critically important objects and cyberterrorism” [1,2] is
based on the results in this direction.
One of the features of each presented attack is the fact,
that implementation scenarios assume that distributed
agents actions are coordinated and prepared at several
stages. This fact shows the necessity of detailed study of
such scenarios, development of counteraction means at
all levels of information security of critically important
objects. Effective use of such knowledge and means can
be achieved only on the basis of coordinated actions of
all organizations involved in supporting computer sys-
tems and communication environment which can be used
for preparing cyberterrorist attacks. Such consolidation is
required at all stages—from analysis o f possibility of dif-
ferent attacks, implementation scenarios, information
infrastructure state monitoring to the joint actions at the
stage of generating efficient counteraction measures and
Given the transnational origin of network environment
and energy infrastructure which the environment sup-
ports an important role in creation of efficient cyberter-
rorist threat counteraction system is fulfilled by interna-
tional force consolidation.
5. Approaches to Counteraction
Reviewing approaches to organisation of protection
against cyberattacks on objects of critically important
energy sectors, the mentioned above belonging of objects
of all three sectors to one class fro m information security
point of view will be taken into consideration. It should
also be taken into consideration that many characterizing
attributes of these objects, including threats, ways of im-
plementation and counteraction means are common for
the most critically important objects of other infrastruc-
tures. Noting these considerations we will omit the be-
longing of object to critical energy infrastructure later
where it is not required.
As mentioned before, implementation of efficient
counteraction to cyberterrorism requires thorough analy-
sis of this field, its systematization and formal definition.
This definition must contain:
ways of identification, systematization and category-
zation of protection objects as elements of one or an-
other critical infrastructure, having it's peculiarities;
ways of detecting protection level of the complexly
organized critically important object and methods of
risk assessment of destructive information impacts;
ways (mechanisms and models, methods and means)
of organizing co unteraction to cyberterrorist threats at
all level of complex approach to critical objects in-
formation security ensuring.
Without mentioning methods of identification, sys-
tematization and categorization the questions of defining
protection level and risk management for critically im-
portant objects which are not the target of the present
paper let us consider organizing the complex approach to
information security ensuring. This approach assumes
combining coordinated methods and actions, mecha-
nisms, models and instrumental means at several levels
of objects’ information security. These levels include law,
administrative, procedural and technical levels. Levels
will be reviewed now, on the example of russian prob-
5.1. Law Level of Ensuring Information Security
Law level of ensuring information secu rity of any object,
including objects of critically impor tant infrastructures is
based on using:
law norms of present legislation;
statues of documents, developing law norms and
regulating the activities of different type of organiza-
tions, state members, responsible for these activ ities;
standards and recommendations, both native and in-
Laws and regulating documents create a base for all
actions at other levels of information security ensuring.
Analysis of law norms established in Russia shows
that the law field at the present time is not adequate to
the current requirements in protecting even less impor-
tant from the state point of view and less architecturally
complex objects. Without mentioning the details of the
inadequateness it should be noted that specifics of criti-
cally important object is referenced in a very general way
in the legislation. This specifics lies in the very crude
(very general) separation of information, and therefore,
protection methods applied by access categories on open
and confidential, including personal data, working in-
formation and state secrets. The problem field which is
defined by approaches to protecting critical infrastructure
objects is influenced by this separation very indirectly.
As a consequence, there are no documents, regulating
actions on ensuring information security of critically
Copyright © 2013 SciRes. JSEA
Critical Energy Infrastructure: Cyberterrorism Threats and Means of Protection
importa nt objects.
It should be noted, in view of given theses, that in the
last years, with the initiative membership of Security
Council of Russian Federation attention to questions of
ensuring information security of critical infrastructure
objects and cyberterrorist threat has gone up significantly.
It reflects in discussion at different levels of government.
These questions are seriously studied in scientific envi-
ronment at different forums. An example of the results of
such discussions is the material of International confer-
ences on information security issues and cyberterrorism
counteraction, which were made in 2005-2010 at Lo-
monosov Moscow State University. Attendants from
USA, Germany, UK, China and other countries took pati-
cipation there. There problems are discussed last 5 years
on international forums at Garmisch-Partenkirohen in
Germany and other countries. It should be noted that
automated systems for controlling technological proc-
esses, industry and financial activities in the extraction,
processing, storage and transportation fields discussed
earlier belong to these objects.
One of the crucial factors assisting perfection of prac-
tical activities in the field of ensuring information secu-
rity of any country is an effective usage of composed
international system of standard s and regulating this field
documents. Discussion and adoption as recommenda-
tions of several international standards for using them at
stages of development, supporting and enhancement of
information security products is a sign of perception of
importance of such actions. The most valuable from the
point of view of this paper are the following documents:
GOST R ISO/IEC 15408-1,2,3-2002 “Methods and
means of information security”, “Criteria of informa-
tion security assessment”, GOST R ISO/IEC 13335-1-
2006, “Information technology, Part 1: Conception and
management models of information security manage-
ment”, GOST R ISO/IEC 17799-2005, “Information
technologies, Practical rules of controlling information
There exist a whole set of other government standards,
special requirements and recommendations, which were
brought to regulate such activities in Ru ssian Federation.
They include the set of “Directing documents”, which
were published in 1992-1994 by Federal Technical
Committee by the President of Russian Federation and a
number of government standards. These standards in-
GOST R 50739-95 “Information technology. Protec-
tion from unsanctioned access to information”;
GOST R 50922-96 “Information secur ity. Basic terms
and definitions”;
GOST R 51188-98 “Information security. Software
testing for detecting computer viruses”.
Standards GOST R ISO/IEC 17799-2005, GOST R
ISO/IEC 13335-1-2006 and such define general ways to
forming policy of secure usage of object resources,
which must be protected, to the assessment of protection
level and risks of implementing destructive impacts on
them. Regulations of these standards are mostly directed
at simple from the architectural and administrative point
of view objects. Measures for securing such objects at
each level of complex approach to its implementation
can be defined in the boundaries of single company sup-
porting this object. In reality automated information sys-
tems are usually supported by interconnected multiple
companies. Their relations to the object in general to the
usage of its separate elements and actives can be differ-
ent. Harmonisation of such relations, unification of re-
quirements on enforcing security policy for the object in
general is a separate and very important task. Methods of
solving it are not present in the aforementioned docu-
ments. Some approaches to its solu tion and first results in
the form of mechanisms of unification access control
models in different subsystems of complex object were
presented in already mentioned “Critically important
objects and cyberterrorism”.
Standard GOST R ISO/IEC 15408-2002 describes a
systematic catalog of requirements on the information
security technologies. This document defines the regula-
tions and gives methodological recommendations on
using it during definition of req uirements at stages of de-
velopment, supporting and enhancement, during product
and information systems assessment and certification
from security point of view. This document was ap-
proved in 2002. It includes requirements, which were
defined in the set of analogous documents developed in
different countries earlier.
It should be noted, however, that existing standards,
including mentioned above, do not satisfy modern re-
quirements, given to complex from functional and archi-
tectural points of view systems of automatization and
controlling technological processes in objects, being se-
cured, including critically i mportant, on several positions.
The GOST R ISO/IEC 15408-2002 standard as well as
Directing documents consider questions of securing in-
formation from position of ensuring confidentiality, in-
tegrity of information actives, protecting software from
undeclared abilities and making requirements on specific
technical protection means (such as firewalls). However,
this list does not cover all potentially existing techn ically
implemented security threats to functioning automated
systems, including control systems of critically important
Threat classes of a different character should be taken
into consideration at present time. These classes, pres-
ence of which can significantly impact the state of secu-
rity of automated system, include the following:
threats of distri b uted deni al of servic e attacks;
Copyright © 2013 SciRes. JSEA
Critical Energy Infrastructure: Cyberterrorism Threats and Means of Protection 29
threats of breaching cryptographic algorithms used in
subsystems of identification and au thentication;
threats of exploiting vulnerabilities and undeclared
functions of other kind in programs;
threats of confidentiality violation during user inter-
action with network applications such as distributed
databases, web-browsers.
The mentioned regulating documents underline the
necessity for partial ve rification of software using formal
methods. Implementation of these regulations could re-
solve part of the threats but the practical questions are
not discu ssed there .
Approaches given in GOST R ISO/IEC 15408-2002
and in Directing documents allow to set security aims
and requirements to the facilities implementing them
basing on the purpos e of the analyzed object, characteris-
tic of secured actives, threats and relation of supporting
organization to them and number of other environment
elements. Therefore, high level of universality is main-
tained during assessment of information security valua-
tion, means and systems of such evaluation compared to
other approaches preceding Directing documents and
GOST R ISO/IEC 15408-2002. However, it must be
noted that descriptiveness of the valuation lowers be-
cause of the loss of applicability of the valuation after the
change of the tasks or the environment. Analysis of com-
plex from functional or architectural point of view auto-
matization and technological process control systems
used in the critically important objects shows that these
systems should not be viewed as typical products but as
complexes functioning in permanently modifying envi-
ronment. Structure and components in such system can
change during its life cycle. Protection of the system de-
pends not only on character istics of security mechanisms
of its components but at the equal scale at methods of
integrating them and ways of maintaining interaction.
Therefore, a model of higher level, defining “meta-re-
quirements” on development of security requirements on
the single components of the system should be created.
During the study of such components, including “Auto-
mated systems, Protection from unsanctioned access to
information, and Classes of automated systems”, direct-
ing document can be taken as a prototype. Such compo-
nents are controlled by requirements of this document, so
we can get methods of protection uniformly spread among
structural elements of big system. This approach takes
into consideration the peculiarities of all complex dis-
tributed information systems. On the other hand it allows
using positively Russian and international standards.
Taking into account outlined earlier considerations on
standards and law basis of information security from
point of view of applicability to automated information
systems in the composition of critically imp ortant objects
the utter importance of solving the appearing tasks should
be underlined. The mentioned shortages of law basis of
information security of critically important objects apply
at the full scale to objects of national energy infrastruc-
5.2. Administrative Level of Information
Actions at administrative level of ensuring information
security of critically important infrastructure object are
directed at:
formation of policy of secure usage of its resources;
formation of requirements to environment and speci-
fication of protection p r o fi l e s ;
at development of specifications of means used at
controlled object.
Taking into consideration the aforementioned absence
of required law basis and documents regulating measures
of ensuring information security of critically important
infrastructure objects, systematized requirements or even
recommendations on organizin g activity at this level do es
not exist at the present time. The same situation due to
the same reasons exists in other countries. This fact is a
negative factor which lowers effectiveness of creation of
automated information systems as parts of critically im-
portant infrastructures. These shortages can be fully ap-
plied to the nation al energy infrastructure.
In view of present arguments development of recom-
mendations on organizing actions at administrative level
of information security of critically important infrastruc-
ture objects is very important. Approaches of application
of these recommendations to single infrastructures of na-
tional industrial complex including energy which would
consider specifics of these infrastructures are seen as a
continuation of this work.
5.3. Procedural Level of Information Security
Procedural measures are oriented on protection of criti-
cally important objects from destructive information im-
pacts through the complex of measures engaged by staff
administering the object and its users. These measures
should be d i r ected at:
staff management;
physical p r o t e ction;
functionality maintenance;
response to security breaches;
planning of repair activities.
Mechanisms supporting interaction of separate infor-
mation systems in the composition of complex critically
important objects must be strictly documented with the
aim of maintaining united approach of administering
staff to tasks of ensuring correct and reliable functioning.
Documented regulations of this level must be aimed at
maintaining coordinated work of staff during develop-
Copyright © 2013 SciRes. JSEA
Critical Energy Infrastructure: Cyberterrorism Threats and Means of Protection
ment, maintaining and testing systems in interactive
Actions at procedural level of information secu rity are
regulated by mentioned GOST R ISO/IEC 17799-2005
and the number of special regulations and recommenda-
tions on technical protection of confidential information.
However, implementation of such recommendations in
case of complex automated information systems in criti-
cally important objects, including objects of national
energy infrastructure, meets difficulties. One of the ex-
amples is ensuring high level of reliability using perma-
nent monitoring of state of separate elements of such
objects seems to be impossible without use of special
systems with high level of autonomy. Greater difficulties
are connected with online analysis of erroneous situa-
tions and measures of efficient reaction to them. These
and other difficulties of implementing measures of in-
formation security of critically important infrastructure
objects at procedural level require development of spe-
cial systems with high level of automatization, contain-
ing sufficient intelligence and capable of autonomous
actions in case of erroneous situations.
5.4. Technical Level of Information Security
Traditional view on technical level of information secu-
rity is a complex of protection measures for information
actives and other resources of controlled object. This
complex includes mathematical models, software, hard-
ware and communication mechanisms. The modern in-
formation technology market includes a large variety of
technical measures for protecting information which are
aimed primarily at protecting confidentiality and integ-
rity of data. Measures for protecting from denial of ser-
vice attacks are presented at much lesser grade, for pro-
tecting from distributed denial of service attacks—even
less. However, architecturally and technically complex
automated information systems in the composition of
critically important infrastructures have high categories
of importance and as a consequence high requirements
on securing their resources.
Analysis of computer equipment and automated sys-
tems present at international IT market from point of
view of approaches and criteria presented in GOST R
ISO/IEC 15408-2002, Directing documents and other
regulatory documents shows that only the small fraction
of market can meet these regulations. The reason for this
is the fact that these measures are oriented mostly at
common user. They have very large functionality and as
a consequence hold additional sources of vulnerabilities
and do not open their source code. This circumstance
reflects the fact that “untypical” critically important ob-
jects require corresponding “untypical” approaches to
ensuring their security. As a consequence, task of devel-
oping such measures, including mathematics, algorithms
and software, computing and telecommunication meas-
ures, which would take specifics of critically important
objects from both user properties and higher level of se-
curity requirements, is one of the most important for the
state. Development of such means, which should be car-
ried out on regulations of responsible for the state ser-
vices, should include active involvement of business.
These include companies and corporations serving en-
ergy complex of the country. Acting as potential con-
sumers of protection mechanisms and information secu-
rity systems, investing into these works business should
influence deadlines and work results. The following in-
struments can be named as basic on this direction: oper-
ating systems and mechanisms of their enhancement
(implementation of interaction) to the key services of
information security-identification and authentication,
access control, enciphering, system state audit for func-
tional monitoring and efficient counteraction and a num-
ber of others. Let us discuss these instruments in more
5.5. Operating System Distributions
Operating system is one of basic elements supporting
functioning of modern computer complexes. It is de-
signed to manage hardware resources and organize user
interface, allowing running and execution of user pro-
grams, application and system services. Operating sys-
tem includes the largest part of basic mechanisms and
services for ensuring security of computer complexes.
Taking into account higher demands for security given to
the computer systems for controlling critically important
objects at early stages of their design and implementation
allows using the required mechanisms of operating sys-
tem efficiently. The stability of operating system and
security mechanisms functioning defines the large part of
protection of automated control system for critically im-
portant object.
Traditional approaches to creating operating systems
often result in superfluity of software implementation.
This circumstance makes auditing automated systems
using such operating systems for ensuring security regu-
lations harder. An important aspect of such superfluity
are extensively complex methods of controlling security
measures, for example, access control. One of the effect-
tive approaches to solving this problem is a multi-profile
architecture of a set of distributions of operating system.
This approach allows controlling superfluity without ge-
nerating a large number of independently developed soft-
ware complexes. Each distribution from developed set
must be oriented at its own profile, assuming support for
specialized services included in it.
Important role in operating systems from security
point of view is occupied by basic security services such
identification and authentication and access control. Im-
Copyright © 2013 SciRes. JSEA
Critical Energy Infrastructure: Cyberterrorism Threats and Means of Protection 31
plementation of the former service can be enhanced in
comparison to traditional approaches by implementing
hardened protocols of communication between persons
and algorithms using steady authentication data. Effec-
tive functioning of access control service in context of
ensuring security of critically important objects requires
using modern models of access control which allow
automated checking of their correctness against the given
set of rules (security requirements). These enhancements
allow creating means of sound separation of software
components in operating system and complexes where it
is used.
Development of UNIX-like operating systems based
on Linux kernel and open-source software can be pre-
sented as a perspective approach to creating operating
systems for objects of critically important infrastructures.
Stage-by-stage development of such operating systems
must include full-range auditing of included software for
program errors and vulnerabilities using both static code
analysis (for example, basing on formal verification me-
thods) and testing of software during its functioning.
Carrying out such measures during development process
and creation of program means for verifying security
requirements allows making level of reliability of com-
plex computer complexes sufficiently higher.
5.6. Monitoring of Functionality State
Support for regular, allowed by regulations, modes of
functioning of computer systems for controlling critically
important objects is one of the defining measures in com-
plex of measures for ensuring information security. Hard-
ware and software components of critically important
objects including system and user services, communica-
tion services are poten tially susceptib le to inner an d outer
destructive impacts. Definition of parameters which de-
scribe the state of functionality of the object in its regular
state, constant monitoring and analysis of values of these
parameters allows opportunely detect anomalous situa-
tions, react to them and ensure stable and highly effective
functioning of both single components and critically im-
portant object in general.
A separate service must be included in the system for
controlling critically important object in order to solve
the presented tasks–the system for monitoring function-
ality state of key elements, supporting work of the object
in regular state. The primary aims of this service is the
automatic detection of malfunctions in software and
hardwar e co mp on en ts of th e protected object, preparation
of proposals and actions for localization and elimination
of such malfunctions.
5.7. Active Audit Subsystem
One of the primary requirements in complex app roach to
information security of automated systems for control-
ling critically important objects is echelonment placing
of technical means of protection information security.
The need for this requirement is based on several reasons
the lack of set of security mechanisms in operating
systems adequate to modern requirements;
existence of vulnerabilities in software implementa-
tion and system administration;
constant flow of new errors and vulnerabilities, un-
accounted at forming information security policy and
at assessing risks of security threats to computer sys-
tems’ functioning.
These reasons are due to human factor and objective
deficiencies of security mechanisms. Complex character
of protected objects, lack for scientific, methodological,
technological base and means for solving these tasks are
key problems.
Considering mentioned above problems a supplemen-
tary echelon of protection in current situation can be cre-
ated by active audit subsystem. Such system is designed
early detection of anomalous activity of computer
systems due to malicious activity, errors of legal users
and a numb er o f other pos sible reasons;
operative reaction to not regular situations and pre-
vention of large damage to protected computer sys-
It should be noted that active audit subsystem must be
modular, integrated and highly configurable, which
means the following:
ability to efficiently add and remove new algorithms
for anomalous activity detection in computer system,
which will allow reacting on new types of threats and
ability to collect and analyze in cen tral place informa-
tion from all components of a distributed system,
which will allow to make correct decisions in case of
distributed att ack on the prot ected system .
Ability to make decisions in real-time manner, which
will allow reacting efficiently to anomalous situations, is
an additional requ irement.
5.8. Tools for Analyzing Source Code for
One of the most important requirements for information
security subsystem in automated system for controlling
critically important objects is an inclusion of source code
vulnerability analysis to ols in it. High degree of attention
to this problem is determined by high probability of ex-
istence of vulnerability in source code, which may be
brought by errors of developers or the malicious intent.
Usage of such vulnerabilities by a malicious person can
result in breaching regular functioning state of the con-
trolled critically important object an to unallowed by the
Copyright © 2013 SciRes. JSEA
Critical Energy Infrastructure: Cyberterrorism Threats and Means of Protection
security policy escalation of privileges of the plotter on
one of the system hosts, which is one of the stages of
computer attack.
Existing approaches to solving this task usually de-
mand that a group of specifically prepared experts ana-
lyses the source code manually. As a consequence the
high probability of an error in expert work exists, which
increases with the increase of volumes to process. This
circumstance is not possible when creating automated
systems for controlling critically important objects, so
demand for more sophisticated solutions arises. One of
such solutions is using tools for automated analysis of
source code with the purpose of finding potentially vul-
nerable places. When using these tools, experts need to
analyze only these parts of code, which are detected by
automatic “analyzer”. It should be underlined, that no
such effective and wide-spread tools exist at the current
time. However, there exist a number of theoretical ap-
proaches to developing such tools, but the practical im-
plementation is hard to achieve for a number of reasons.
One of the reasons is that used programming languages,
such as C and C++, are hard to analyze. On the other
hand, preliminary experiments have shown the high po-
tential of creating effective tools for automatic analysis
of programs for a number of typical vulnerabilities con-
nected with memory access. Such tools have been tested
on several systems with open code, including key ele-
ments of operating system distribution, like kernel, base
applications, libraries for working with executable code,
key network applications (web-server, web-client), and
graphical sub-system.
5.9. Automated System for Information Analysis
Administrative staff awareness of new threats, vulner-
abilities, attacks, carried out on similar by purpose and
architectural and technological class objects, and meth-
ods of counteracting them plays a key role in process of
protecting information security of critically important
infrastructure objects. In order to maintain actual state of
information, considering security of controlled objects
the permanent search and theme analysis of large vol-
umes of information is required. Usage of automated
systems for theme analysis of information seems to be
worthwhile in this context. These systems include con-
figured monitoring for information sources selected by
user, annotating and visualizing search results, storage of
text information in different formats, engaging search,
theme analysis, classification, filtration and ranging text
information. Automation of listed processes will allow
using actual information effectively in processes of de-
velopment, modernization of software, forming rules of
security policy, carrying out audit of software and hard-
ware complexes for security regulations ensuring. Exis-
tence of such system in each of critical infrastructures,
targeted at infrastructures' specifics and purposes can
significantly alter level of information security of its ob-
6. Conclusions
The results of studies which connected with analysis of
protection of critically important objects of energy infra-
structure from destructive information impacts with ter-
rorist intentions allow making the following conclusions.
Problem field reflecting questions of protection of
critical infrastructure objects in general, specifically,
energy infrastructure is not well studied and systema-
tized, which prevents from making reliable deduc-
tions on potential threats, means of carrying them out
and approaches to counteracting them.
Objects which are potentially vulnerable to cyberter-
rorist attack on the objects of critically important en-
ergy infrastructure, need protection in the first place,
include the follo wing:
automated control system for technological processes
at lower level of implementation and their compo-
nents (servers, primarily SCADA servers, automated
working places, microprocessor controllers, teleme-
chanics means);
information and telecommunication networks, sup-
porting automated control systems;
information objects, supporting processes of extrac-
tion (retrieval), processing and transportation on en-
ergy resources (objects, supporting compressor sys-
tems, gas swap, electric energy traffic and similar).
Threats of cyberterrorist which impact on objects of
critically important infrastructure can have the fol-
lowing purposes:
confidentiality of ACS information;
integrity of ACS information (unsanctioned data modi-
availability (functionality) of ACS information re-
sources, successful implementation of which sepa-
rately on in composition would result in emergencies,
other losses which modifies state of national security.
Analysis of implementation means, for destructive
information impacts, with terrorists aim on industrial
objects of energy infrastructure, allows underlining
the following features.
the most probable scenarios of a cyberterrorist attack
on objects of energ y infrastructure are the ones which
allow not only temporary or full loss of their func-
tionality but also create large-scale emergency with
high level of losses (material, casualties and oth er) as
a consequence, and/or threats to national security.
implementation of such scenarios will be carried out
with high probability by group of individuals from
Copyright © 2013 SciRes. JSEA
Critical Energy Infrastructure: Cyberterrorism Threats and Means of Protection
Copyright © 2013 SciRes. JSEA
different points of network environment to coordinate
their actions, including ones outside the country.
from the point of view, the most important potential
damages are:
distributed denial of service attacks, which can hardly
be efficiently prevented;
complex attacks, which result in gaining control over
industrial object and important maintaining techno-
logical processes.
The following actions are important during develop-
ment of system of measures for counteracting cy-
berterrorist threats on objects of energy infrastructure:
systematic scientific research and applied works at
this direction under control of government and with
active involvement of business in this field;
tight interaction of state services, companies and bus-
inesses at national level and consolidation of efforts
of countries at international level;
complex approach to ensure information security of
controlled objects, assume coordinated system of means
and measures, models, mechanisms, instrumental me-
thods and law, administrative, operational and tech-
nical levels of implementation.
[1] V. A. Vasenin, “Critically Important Objects and Cyber-
terrorism. Part I: System Approach to Counteraction (in
Russian),” MCCME Publishing, Moscow, 2008, 398 p.
[2] V. A. Vasenin, “Critically Important Objects and Cy-
berterrorism. Part II: Implementation Aspects of Coun-
teraction’s Software Tools (in Russian),” MCCME Pub-
lishing, Moscow, 2008, 607 p.