362 Part Two Information Technology Infrastructure T Information Security Threats and Policies in Europe CASE STUDY he IT sector is one of the key drivers of in the Ministry of Defense, the city of Manchester's the European economy. It has been esti- city council and police IT network, some hospitals mated that 60 percent of Europeans use in the city of Sheffield, and other government offices the Internet regularly. Additionally, 87 per- across the country. Computers in the network of the cent own or have access to mobile phones. In 2009, German army were also reported as infected. Once the European broadband market was the largest in installed on a computer, Conflicker is able to down- the world. These facts demonstrate the importance load and install other malware from controlled Web of ensuring the security and safe operation of the sites, thus infected computers could be under full Internet for the well-being of the European economy. control of the hackers. The safety and security of the Internet have been More recently, a sophisticated malware threat tar- threatened in recent years, as Internet-based cyber geting industrial systems was detected in Germany, attacks have become increasingly sophisticated. Norway, China, Iran, India, Indonesia, and other In 2007, Estonia suffered a massive cyber attack that countries. The malware, known as Stuxnet, infected affected the government, the banking system, media, Windows PCs running the Supervisory Control and and other services. The attack was performed using Data Acquisition (SCADA) control system from the a variety of techniques, ranging from simple indi- German company Siemens. Stuxnet was propagated vidual ping commands and message flooding to more via USB devices. Experts estimated that up to 1,000 sophisticated distributed denial of service (DDoS) machines were infected on a daily basis at the peak attacks. Hackers coordinated the attack by using a of the infection. The malware, hidden in shortcuts large number of compromised servers organized in to executable programs (files with extension Ink), a botnet distributed around the world. A botnet is a was executed automatically when the content of an network of autonomous malicious software agents infected USB drive was displayed. Employing this that are under the control of a bot commander. The same technique, the worm was capable of installing network is created by installing malware that exploits other malware. Initially, security experts disclosed the vulnerabilities of Web servers, operating systems, that Stuxnet was designed to steal industrial secrets or applications to take control of the infected comput- from SIMATIC Wincc, a visualization and control ers. Once a computer is infected it becomes part of a software system from Siemens. However, data gath- network of thousands of zombies," machines that are ered later by other experts indicates that the worm commanded to carry out the attack. was actually looking for some specific Programmable The cyber attack on Estonia started in late April Logic Controllers (PLC) devices used in a specific 2007 and lasted for almost 3 weeks. During this industrial plant, a fact that points to the possibil- period, vital parts of the Estonian Internet network ity that the malware was part of a well-planned act had to be closed from access from outside the coun- of sabotage. Even though none of the sites infected try, causing millions of dollars in economic losses. with Stuxnet suffered physical damage, the signifi- At around the same time, Arsys, an important cance that such a sophisticated threat represents to Spanish domain registration company, was also tar- the industrial resources in Europe and other parts of geted by international hackers. Arsys reported that the world cannot be underestimated. hackers had stolen codes that were then used to insert As of 2001, EU member states had independent links to external servers containing malicious codes groups of experts that were responsible for respond- in the web pages of some of its clients. ing to incidents in information security. These groups In 2009, an estimated 10 million computers were lacked coordination and did not exchange much infected with the Conflicker worm worldwide. France, information. To overcome this, in 2004 the European the UK, and Germany were among the European Commission established the European Network countries that suffered the most infections. The and Information Security Agency (ENISA) with the French navy had to ground all military planes when goal of coordinating efforts to prevent and respond it was discovered that its computer network was more effectively to potentially more harmful secu- infected. In the UK, the worm infected computers rity threats. ENISA's main objectives are to secure Chapter 8 Securing Information Systems 363 Europe's information infrastructure, promote secu- rity standards, and educate the general public about security issues. ENISA organized the first pan-European Critical Information Infrastructure Protection (CIIP) exer- cise, which took place in November 2010. This exer- cise tested the efficiency of procedures and com- munication links between member states in case an incident were to occur that would affect the normal operation of the Internet. ENISA acts as a facilitator and information broker for the Computer Emergency Response Teams (CERT), working with the public and private sectors of most EU member states. The European Commission has recently launched the Digital Agenda for Europe. The goal of this ini- tiative is to define the key role that information and communication technologies will play in 2020. The initiative calls for a single, open European digital market. Another goal is that broadband speeds of 30Mbps be available to all European citizens by 2020. In terms of security, the initiative is considering the implementation of measures to protect privacy and the establishment of a well-functioning network of CERT to prevent cybercrime and respond effectively to cyber attacks. November 17, 2010); Robert McMillan, "Estonia Ready for the Next Cyberattack," Computerworld, April 7, 2010 (www. computerworld.com/s/article/9174923/Estonia_scadies_for_ the_next_cyber attack, accessed November 17, 2010): "Another Cyber Attack Hits Europe." Internet Business Law Services, June 18, 2007 (www.ibls.com/Internet_law_news_portal_view. aspx?id=1782&rs= latestnews, accessed November 17, 2010), "New Cyber Attack Hits Norway," Views and News from Norway, August 30, 2010 (www.newsinenglish.no/2010/08/30ew-cyber- attacks-hit-norway, accessed November 17, 2010). Gregg Keiser, "Is Stuxnet the 'Best Malware Ever?" Computerworld, September 16, 2010; Robert McMillan, "Was Stuxnet Built to Attack Iran's Nuclear Program," Computerworld, September 21 2010 (www. computerworld.com/s/article/9186920/Was_Stuxnet_built_t Q_attack_iran_s_nuclear_program_, accessed November 17, 2010): Ellen Messmer, "Downadup/Conflicker Worm. When will the Next Shoe Fall" Network World, January 23 2009 (www. networkworld.comews/2008/01 2319-daw alup-anflicker- worm.html?hpg1 - hn, accessed November 17, 2010); Erik Larkin, "Protecting Against the Rampant Conflicker Worm," PCWorld, January 16, 2009; "War in the Fifth Domain," The Economist, July 1, 2010 (www.economist.comode/16478792, accessed November 17, 2010). CASE STUDY QUESTIONS 1. What is a botnet? 2. Describe some of the main points of the Digital Agenda for Europe. 3. Explain how a cyber attack can be carried out. 4. Describe some of the weaknesses exploited by malware. Sources: Digital Agenda for Europe, European Commission, August 2010 (http://ec.europa.eu/information_society/ digi- talagenda/index_en.htm, accessed October 20, 2010). "The Cyber Raiders Hitting Estonia, BBC News, May 17, 2007 (http:/ews.bbc.co.uk/2/hi/europe/6665195.stm, accessed Case contributed by Daniel Ortiz-Arroyo, Aalborg University