Critical infrastructures such as electric grids are increasingly controlled by computers and digital systems and are thus vulnerable to cyber-attacks, as has been repeatedly demonstrated in the recent past. Securing such infrastructures involves many dimensions, and it is difficult to reduce security to a small number of practical guidelines. However, the following points can be clearly formulated.
Successful attacks often start by attacking non-critical infrastructures. It is generally accepted that it is important to correctly authenticate all actions and traffic, in order to avoid, for example, attacks based on false data injection. It is less obvious and less widely acknowledged that confidentiality is also important: in the absence of confidentiality, attacks on non-critical and less protected infrastructures can be used to gain information on the operation, which, in a second phase, can lead to a successful attack on the critical components.
In this context, particular attention should be given to device authentication, which should be consolidated with per-user authentication of all accesses (i.e. credentials should be those of a human user, not of a device). Many attacks are accomplished with the explicit or implicit participation of trusted insiders. Per-user authentication enables fast repudiation of compromised accounts and is necessary during post-attack recovery.
Installation of new devices during emergency conditions requires special attention, as it is typically during such phases that the pressure on operational conditions may lead to security breaches. It should be carefully prepared as part of contingency plans.
In addition to the generic cyber-security mechanisms mentioned above, critical infrastructures have security weaknesses that are specific to their physical processes. For example, grid monitoring and control uses high-precision (GPS) time; attacks against the time synchronization system can have devastating effects. It is not always possible to use encryption and authentication to thwart such attacks: for example, it was recently demonstrated that introducing delay boxes in the communication lines on high-voltage corridors can lead to estimation errors that may cause irreversible damage. Such delay boxes are below the physical layer and cannot be detected by crypto-mechanisms. It is necessary to reason vertically about the complete set of data received by the cyber-physical infrastructure, thus leading to attack detection systems that act at the global scale.
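As an added illustration of reasoning over the complete set of received data (not code from the original page or from any C4DT project), the sketch below cross-checks time-synchronized phasor angles against angle differences implied by locally measured line flows, which a timing error does not alter. The function names, the 50 Hz frequency, the lossless-line model with 1.0 pu voltages and the three-bus values are all assumptions constructed for this example.

```python
import math

F_NOMINAL = 50.0  # Hz; assumed nominal grid frequency

def angle_shift(delay_s, f=F_NOMINAL):
    """Phase error (rad) that a timing error of delay_s adds to a phasor angle."""
    return 2 * math.pi * f * delay_s

def expected_diff(p_pu, x_pu):
    """Angle difference implied by a locally measured line flow.
    Assumes a lossless line and 1.0 pu voltage magnitudes at both ends."""
    return math.asin(p_pu * x_pu)

def locate_offset(angles, lines, tol=1e-3):
    """Cross-check reported angles against flow-implied differences.
    Returns (bus, estimated_timing_error_s) when exactly one bus explains
    every residual, otherwise None."""
    resid = {(i, j): (angles[i] - angles[j]) - expected_diff(p, x)
             for i, j, p, x in lines}
    suspects = {}
    for bus in angles:
        # Residuals on lines touching this bus, signed as seen from the bus.
        near = [r if i == bus else -r for (i, j), r in resid.items() if bus in (i, j)]
        far = [r for (i, j), r in resid.items() if bus not in (i, j)]
        if near and all(abs(r) > tol for r in near) and all(abs(r) <= tol for r in far):
            suspects[bus] = sum(near) / len(near)
    if len(suspects) != 1:
        return None
    bus, shift = next(iter(suspects.items()))
    return bus, shift / (2 * math.pi * F_NOMINAL)

def sample_case(delay_s):
    """Constructed three-bus triangle (per unit); timing error applied at bus B."""
    true = {"A": 0.0, "B": -0.05, "C": -0.08}
    reactance = {("A", "B"): 0.1, ("B", "C"): 0.1, ("A", "C"): 0.2}
    # Line flows come from local V and I stamped by the same clock, so a
    # clock error rotates both phasors equally and leaves P unchanged.
    lines = [(i, j, math.sin(true[i] - true[j]) / x, x)
             for (i, j), x in reactance.items()]
    reported = dict(true)
    reported["B"] += angle_shift(delay_s)
    return reported, lines

if __name__ == "__main__":
    print(locate_offset(*sample_case(20e-6)))  # bus B, about 20 microseconds
    print(locate_offset(*sample_case(0.0)))    # None: data is consistent
```

Every individual message in this scenario would still pass authentication; the inconsistency only becomes visible when measurements from several sites are compared against the physics of the lines that connect them.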
This application vertical will be extended to other critical infrastructures, such as transportation systems.
C4DT interviewed by “24Heures” on the Crypto AG scandal
In the wake of the recent Crypto AG scandal, French-language newspaper '24Heures' interviewed Jean-Pierre Hubaux, professor at EPFL and academic director of the Center for Digital Trust, on his insights on data protection and on the scandal's impact on our trust in the digital world. Read the article in French…
News type: Press reviews
CYD and EPFL launch the CYD Fellowships
Cyber-threats have been accelerating due to the exponential growth of network connectivity. These new capabilities provide myriad opportunities for security hackers to wreak significant damage for commercial, political, or other gains. To promote research and education in cyber-defence, EPFL, the Swiss Federal Institute of Technology in Lausanne, and the Cyber-Defence…
News type: News
C4DT mentioned in “Le Temps” as an initiative against cybercrime
Initiatives against cybercrime, online harassment or spying are increasing at an impressive rate. Switzerland wants to position itself as a world center of excellence. French-language newspaper 'Le Temps' asked Olivier Crochat, executive director of the Center for Digital Trust, about the center's focus. Read the article in French on…
News type: Press reviews
C4DT mentioned in RTS French radio show Alter Eco
C4DT is mentioned in the RTS French radio show 'Alter Eco', broadcast on Jan 6th in French and entitled "Lausanne, 'capital mondial de la confiance'".
News type: Press reviews
Launch of the CyberPeace Institute in Geneva
Thursday 26 September 2019 saw the launch of the CyberPeace Institute, an independent NGO that will address the growing impact of major cyberattacks, assist vulnerable communities, promote transparency, and advance global discussions on acceptable behavior in cyberspace. EPFL President Martin Vetterli will be sitting on the Executive Board, and the…
News type: News
C4DT-affiliated DEDIS lab helps launch a decentralized service for generating random numbers
On the 17th of June, a new consortium consisting of EPFL, Cloudflare, Kudelski Security, Protocol Labs, and the University of Chile announced the creation of The League of Entropy, a collaborative project between its founding members to produce a publicly available, verifiable, distributed randomness beacon: a service that provides unpredictable, truly…
News type: News
C4DT’s academic director on e-ID in “Le Temps” daily newspaper
On the 4th of June, the Council of States debated the Swiss law on e-ID (Federal Act on Electronic Identification Services, LSIE). C4DT’s academic director Prof. Jean-Pierre Hubaux wrote an article on the topic for the Swiss French-language daily newspaper 'Le Temps', in which he favors state control of all…
News type: Press reviews
EPFL computer scientists flag global hardware security vulnerability
Researchers in the HexHive and Parallel Systems Architecture (PARSA) laboratories of EPFL's School of Computer and Communication Sciences, in collaboration with IBM researchers, have identified a widespread computer security vulnerability affecting laptop, desktop and server hardware.
News type: News
The daily newspaper “Le Temps” interviews the Center for Digital Trust
"Many SMEs are discovering digitalization but are not armed to deal with the threats that accompany this process." The Swiss French-language daily newspaper “Le Temps” interviewed C4DT's executive director, Dr. Olivier Crochat, and academic director, Prof. Jean-Pierre Hubaux, on the mission and ambitions of this new center, based at EPFL,…
News type: Press reviews
C4DT Holds First General Assembly
The founding General Assembly of C4DT was held on Friday, 2 November, in the presence of the President of EPFL, Martin Vetterli, and of 50 guests. The 12 partners of the Center said they are keen to apply research to their business needs and regulatory requirements, at a time when digitalization…