Digitalization is a megatrend that spreads information technology to all sectors of society. Networking information systems, especially through the Internet, is a key factor in digitalization. In addition to information processing, these systems increasingly control physical processes and, in particular, the critical infrastructure of the society. While digital control systems, as a rule, increase efficiency and reliability, they also provide a broad reachable interface that provides opportunities for malicious actions that threaten the safety and security of society. This doctoral dissertation studies the vulnerabilities and weaknesses of the digitalized society. The research area is wide and has been approached by examining several smaller topics. Key findings include mapping known vulnerabilities in Ethernet, and that intrusion protection systems are vulnerable to evasion techniques, even well known old attacks can pass the protection. Scanning the Finnish Internet networks revealed a large number of unprotected industrial control devices, many of which have known vulnerabilities. The work also describes the architecture of cyber weapons, lifting state actors up into a key threat. The thesis also examines protection against cyber threats: examining the usability of SPKI (Simple Public Key Infrastructure) certification techniques, presenting an analysis of the cyber response provided by Finland against a Stuxnet-like attack and ponders the effectiveness of active network scanning. As a conclusion, it should be noted that, within the framework of the current technology, it is not possible to achieve comprehensive protection against cyber threats by means of technology alone, nor can the critical infrastructure protection of society be left to the individual players in the industry alone. The missing part of the solution is careful regulation: the existing critical infrastructure regulation needs to be enhanced to protect against digital technology based harm, the systemic risk of networked information systems needs to be analyzed and, in the case of consumer products, incentives for companies and other actors to encourage voluntary protection should be encouraged. A similar approach has helped to resolve previous technological changes in society, such as the introduction of motor cars.
|Publication status||Published - 2018|
|MoE publication type||G5 Doctoral dissertation (article)|
- cyber security, ICS, IPS, critical infrastructure, ethernet