Our infrastructure is much more fragile than we think

Why we underestimate the risks

Q: You say we live in a “hybrid world.” What does that mean?

A: By a hybrid world I mean that many systems that used to be purely physical – cars or mobile phones, for example – have become increasingly digital over time. As a result, we now face entirely new threats that hardly anyone would have imagined 20 years ago. Today, a car is essentially a large smartphone on wheels.

Over the past two or three years we have seen the same development in large infrastructure: power grids, satellites, airports, and similar systems. The more these systems are digitized, and therefore more user-friendly and technologically accessible, the more new risks arise.

Q: Why do we underestimate how fragile these systems are?

A: Public awareness is still relatively low, even though many people are generally aware that security risks exist. In large systems in particular, new IT infrastructure often needs to remain compatible with older so-called legacy systems.

For efficiency reasons, existing IT solutions are frequently reused and simply transferred – classical computing concepts are applied to systems that were not originally designed for IT. That creates a major risk. For example, you cannot simply install antivirus software like the one on a regular PC into the safety system of a power plant. It does not work that way.

The technical differences are subtle, but they require much deeper understanding.

From natural event to security vulnerability

Q: How are digital risks connected to natural disasters?

A: Not just in Austria, but worldwide, we see that extreme natural events such as floods or fires can seriously affect critical infrastructures, including electricity and water supply. When these systems are strongly interconnected, a failure can also affect digital monitoring and control systems. In such situations, a cyberattack might even go completely unnoticed.

At the European level, there have been many research and development projects aimed at building monitoring systems. In practice, however, such comprehensive systems have rarely been implemented across the board, neither here nor globally. There is plenty of research, but not yet consistent implementation in real-world operations.

Q: “A single failure – a so-called ‘single point of failure’ – can affect the entire system.” How exactly can natural disasters create security risks?

A: Take flooding in Austria. Across the country there are several hundred substations and nodes in the electricity grid. If a flood causes even a small number of them – say ten or a dozen – to fail for just a few milliseconds, that alone can have consequences. Such deviations in the grid may not be detected immediately by monitoring systems.

This is what we call a cascading effect: a single point of failure can influence the entire system. One might say there are safeguards and backups. But during those few critical seconds, from a digital perspective, a security gap can arise.

This is not science fiction, even if it sounds complex. Something similar happened about three years ago in Ukraine during an attack on the Ukrainian power grid.

The endless contest

Q: Is there a kind of contest between attackers and defenders?

A: Yes, that contest has existed since ancient times, ever since cryptography began. Even in Caesar’s time there were early encryption systems, espionage, and countermeasures.

Today, defenders – or security-conscious actors – are usually one step behind. When a new attack method is developed, it may initially appear like a normal technological innovation. Defenders may never have seen it before.

So, we are in the situation of having to predict something unknown: where and how a system might be attacked. From a security perspective we therefore try to protect every possible weakness, even the smallest ones. Take the simple example of passwords for instance: do not use your date of birth, choose a complex password. Measures like this make the defense effort easier behind the scenes.

When it comes to organized groups, there are so-called Advanced Persistent Threats – hacker groups that are often state-funded. “Persistent” means they keep working systematically until they reach their goal. They use highly sophisticated attack methods.

In the past there were mainly hackers who wanted to expose vulnerabilities to raise awareness. Today there are many groups motivated by financial or political interests, for example, through ransomware or targeted attacks on critical infrastructure, sometimes on behalf of states pursuing geopolitical goals.

Of course, defenders also have state capacities, specialized centers, and even military resources. But even then, we are often still one step behind.

That is exactly what makes the situation so challenging and why we need increasingly sophisticated and robust defense strategies.

What can we do?

Q: What role does awareness of cybersecurity play and what can individuals do?

A: You can start by encouraging people to adopt small habits, because that is how societies change. It is about simple things: How do I create a password for my smartphone? How do I use public Wi-Fi? What permissions do I grant apps? What data do I share with large technology companies?

Many people assume that systems such as those in autonomous vehicles are automatically secure. That is a misconception.

Everyone carries responsibility here. It is about being more attentive and using digital services more consciously. These are small steps, but they are a start – at least for citizens. When it comes to larger actors and political decision-makers, the discussion is naturally more complex. But when it comes to awareness, that is where I would begin.

If not only students or scientists but the public become more aware, a great deal can change in the long run.

Q: What is your central message to the public?

A: At its core I would say: become aware of the importance of cybersecurity, that is the first step. It is about protecting your own systems. By “systems,” I mean your digital assets and resources.

And we should not blindly accept technological solutions, especially those currently being offered in areas such as artificial intelligence.

This interview was first published on the OeAW website. Read the original interview (in German) or watch a video recording of the lecture below.