The federal government is spending nearly $3 million to find out how Canada’s critical infrastructure IT systems are connected – for better or for worse.
The research, which is being divided among six multi-partner projects at the universities of British Columbia, York, Ecole Polytechnique,
Toronto and Guelph, is aimed at deciphering all the links connecting Canada’s critical infrastructure — including the banking, telecommunications and energy sectors — in order to better protect them.
The funding comes out of the public safety and antiterrorism funding the government announced in December 2001 and will be delivered through Public Safety and Emergency Preparedness Canada and Science and Engineering Research Canada.
“When we began to ask our partners what the challenges were, they said the biggest one is IT, it’s cyber, it’s the thing that connects all of us,” said Janet Bax, senior director in Public Safety and Emergency Preparedness Canada’s infrastructure assurance program. “It’s the thing that has expanded horizons but also it has increased vulnerability.”
SCADA (supervisory control and data acquisition) systems, for example, were designed for the management of physical infrastructure such as dams and gates. “Never was security a factor,” said Bax. “What we know now is it’s not as much about actually protecting physical pieces of infrastructure, it’s much more important to think about interdependencies,” said Bax.
Although the banking sector can take care of the problems within its own system — as it did when a computer software problem created havoc for days at the Royal Bank last summer — it is still dependent on electricity and telecommunications infrastructure, she noted.
“Each infrastructure has become very complex and sophisticated and the interconnections and interdependencies are the things we have to worry about most.”
Jose Marti, a professor in the University of British Columbia’s electrical and computing engineering department, has been awarded just over $1 million to study decision-making for critical linkages in infrastructure networks.
“Most planning is done internally on how to bring structures back up,” said Marti. “What they don’t do that well is to co-ordinate their actions in the case all three things (energy, telecommunications and banking) have to be fixed.”
Marti’s group comprises 11 researchers in a wide range of expertise areas, including psychologists to train system operators and managers on how to understand what’s happening in the system and how to relate to each other. The goal is to come up with a system to alert organizations in the three critical infrastructure sectors to potential problems in each other’s systems. It’s not clear yet what that system will look like, and where it will reside, or whether there will be some central agency overseeing it.
“There has to be better visualization techniques on the part of system operators so they can more clearly and quickly understand the severity of the event that is developing and the extent of that event,” he said. “Right now the way information is presented to operators of control systems is in a flat text-based manner. In the power system grid operators get messages, such as ‘This is failing here, there’s a fault occurring there,’ but it’s very difficult for them to get a global picture from the isolated events.”
Another researcher, Vincent Tao, an associate professor of geomatics engineering at York University in Toronto, has received $586,500 to model interdependencies for emergency management using geographic decision support systems.
“What we are looking at is geospatial-based cascading effects,” said Tao. His team is building a mapping system using GIS to look at the cascading effects of three sectors — energy, water and transportation in the Greater Toronto area.
The team will be conducting vulnerability assessments of the GTA’s water, energy and transportation sectors in the first phase. In the second phase it will be designing models of the cascading effects of disasters on all three sectors using artificial intelligence. “We will build a knowledge base, because those are very complex things and it is hard to predict the potential,” he said.
The third phase is looking at network-based decision supports. “We do constant monitoring and if there is any evidence of potential disaster those parameters would trigger the knowledge base, so it will start to do the calculations based on the artificial intelligence engine to see whether there is some other potential effect to other sectors,” said Tao. “For example, if the water level gets really high that would affect maybe major airports or highways and that would also affect energy and other sectors.”
Tao said his research team is working with the City of Toronto as well as Emergency Measures Ontario to make sure the research is usable in a real-world context.
Although PSEPC, which used to be the Office of Critical Infrastructure Protection and Emergency Preparedness, knew it needed to have a better idea of the cascading impact of critical infrastructure failures, it was the blackout of August 2003 that spurred it to issue a request for proposals from researchers, said Bax. The law firm Gowling Lafleur Henderson LLP, meanwhile, issued a PSEPC-commissioned report last year warning of a major meltdown in Canada’s critical information infrastructure within five years.
The government has taken the lead on this initiative because it only owns about 15 to 20 per cent of the country’s critical infrastructure, putting it almost equally at risk as the private sector in the event of a catastrophic event, noted Bax.
To ensure the research gets applied to the real world. PSEPC will be hosting annual workshops for researchers to meet with industry and government. The first is scheduled for late spring this year. “Every taxpayer has the right to ask me how has this been of use to (them),” said Bax.
One of the challenges researchers will face is related to privacy and security. Organizations in the electricity sector, for example, might not be enthusiastic about the possibility that one of their own internal vulnerability assessments could end up outside their own domain.
“We need first to set up a trusting environment where that information can be shared and we need to provide assurances we’ve got the means to be able to protect that information,” said Bax.
PSEPC is looking right now at amendments to the Emergency Preparedness Act to see if the legislation can and should be tightened, Bax added.