Archive for the 'fraud' Category


Also see the fraud category on the Blindside Wiki

SCADA–And Why It’s Important

This is why we need you. This has jumped up in conversation with the CPNI (the Centre for Protection of the National Infrastructure), and we are confident that many hands will make light work of this:

Premise: Almost all critical industrial infrastructures and processes are managed remotely from central control rooms, using computers and communications networks. The flow of gas and oil through pipes; the processing and distribution of water; the management of the electricity grid; the operation of chemical plants; and the signalling network for railways. These all use various forms of process control or “supervisory control and data acquisition” - SCADA technology. Until recently the term SCADA was unknown outside its niche area in industry. Today it is one of the key issues for infrastructure protection.

Question: Of the 63 subject areas we explore on our wiki and here, which are directly relevant to SCADA (it might be easier to list the ones that are not)? How would emerging ICT help SCADA work better? Which emerging technologies are likely to pose a threat to SCADA systems, and how will that threat manifest itself?

If you would like to learn more about this, go here. Here is our chance to provide practical assistance to someone who wants it.

The emerging issues and their impact - a preliminary assessment

Here’s our preliminary assessment of the main categories of emerging technology issues, along with an impact rating. Each is discussed in more preliminary detail on the Blindside Wiki. We will be reporting to the Cabinet Office in mid-July on those that are assessed as having an impact level of 3, and need full expert descriptions by that date.

This is your chance to tell us we’re on the wrong track: to add stuff; to argue that something’s missing, over-rated or under-rated. Don’t miss it!

Category Impact (from 3/high to 1/low)
————————
CCTV 3
Convergence 3
Location-based services 3
Mobile and Pervasive Computing 3
Open Standards 3
Anonymity 3
Data breaches 3
E-Voting 3
Human rights (intersection with emerging technology) 3
Identity management 3
NHS IT 3
Non-bank payment service providers 3
People and IT 3
Mission Critical Legacy Systems 3
Rampancy: AI gone wrong 3
Surveillance society effects 3
Semantic Web 3
Self-reproducing technologies: the “GRINs” 3
- Geno- 3
- Robo- 3
- Info- 3
- Nano- 3
Social media 3
APIs 2
Bandwidth - massive wireless and cable bandwidth to the home 2
Shared Service Management 2
Ultraportable devices 2
Automated number-plate recognition (ANPR) 2
Bad sysadmin procedures 2
Bad procedures - other 2
Changes to daylight saving time in the US 2
Public sector databases on children 2
Keyloggers 2
Phishing 2
Phones as bugs 2
Technologies for Non-Repudiation 2
Underground economy servers 2
Unencrypted email 2
Biometrics - unencrypted 2
Windows Vista and other operating systems 2
Government IT projects 2
DNA terrorism 2
On demand computing (ODC) 2
Grid Computing 2
Quantum Computing 2
plus in the lower impact categories (please use the search box if you want to add to these):
Aeronautical cabin services 1
OpenDocument 1
Service-oriented architecture 1
APIs that change without warning 1
Cybercrime 1
Electronic banking 1
Fraud Websites 1
Search Engine Logs 1
Spam 1
Computing Monoculture 1
DRM and its side-effects 1
Environmental side-effects 1
Exploding Batteries 1
Optical Computing 1
User-generated content 1
Virtualisation 1
Generation C - the knowledge nomads 0

Thank you for any help, comments, suggestions.

This royal throne of kings, this sceptred isle, this… Heathrow

The chaotic present and hopeful future of information systems exists in a microcosm about 30 minutes by tube from my flat, and I daily watch a stately procession of airliners descending to Heathrow Airport, a beautiful, if not quite silent, parade. It is at Heathrow airport that the current need for better performance on every topic covered in this blog is demonstrated. It is a non-sterile testing environment and the ultimate pilot project to test the ability of information systems and information assurance to integrate modern technology to meet the needs of a mass public. You may have noticed that I ticked every category we use in assigning this blog post its proper place in our own information hierarchy. It’s not a coincidence.

Let’s walk through the daily issues faced at Heathrow from an information standpoint:

1. About half of all tickets to fly are booked via the Internet, and that information must be completely available to several very different systems immediately and be perfectly accurate.
2. Parking systems must provide availability, administrative and financial information.
3. Public transportation systems must send and receive useful information about current operations and schedule changes, and receive and use similar information from several different airport systems.
4. The logistics of welcoming, feeding, watering and moving 67.7 million people per year (and taking care of 70,000 employees) are an interesting challenge, as is maintaining 48,000 square metres of retail space. Private security, first aid, tourist information, all of these have information issues attached.
5. Oh yes–core business–mustn’t forget–90 airlines, 186 destinations, 469,000 ‘air transport movements’ (er, would that translate to flights in English?) annually. Information requirements include weather at each destination, status of all airports and traffic, passenger information (but more on that below…)
6. On-time status of flights relating to connecting flights.
7. Correlating information from HMRC (well, more the C part than the R) with the Home Office (now with both parts of the newly divorced members of what was once one) and probably discreet communications with agencies using numbers as well as initials.
8. Communicating with the Civil Aviation Authority, National Air Transport System, HM Immigration–of course I’m sure they all use the same electronic forms that grab data smoothly from Heathrow systems… right?
9. Communicating with the media–and having the capability of communicating with international media
10. Having co-ordinated disaster preparedness programmes that are up to date as well as up to snuff.

Probably missed half a dozen supremely vital information systems there… but it’s Sunday morning, so it’s okay. (Did somebody say baggage?)

Lots of things to go wrong there. Amazingly, not much does. (Did somebody say baggage–again?) That’s why when things do go wrong it’s news.

Notice they don’t have an uber-contractor trying to integrate all systems and dictate technology standards and usage. Strange, that. And I’ll bet they often use trainer-net (where some employee puts on trainers and walks information to diverse destinations). But that’s how functional communities develop–and despite grumbling and glitches, Heathrow functions as an information community: People get to destinations, planes don’t fall out of the sky. Successful information communities do seem to develop from the ground up, not the top down.

I guess the point I’m trying to make is that information systems and information assurance issues develop in an ecosystem not a vacuum. Complexity in information management is probably a geometric rather than arithmetic function relating to the number of actors involved. And yet don’t we often see government requirements for information systems that are internally oriented and indeed self-referential? The box must be this big with holes here and here, and those holes must be guarded in this way. I think more than anything else, government’s inability to get value for money from IT investment is based on this issue.

Please feel free to contribute complaints about Heathrow in the comments–I’ve suffered there myself. My praise is directed at a higher level, at finding a community that functions. Your nominations?

Call for Comment

Hi all, Tom here again. I need your help. I am going to be adding content to the wiki we are running here.

One of the first areas I intend to work on is identity management, and I hope to incorporate much of what is on this weblog. If I make any mistakes, well, that’s what wikis are all about–you can fix them when you see them.

But I like to measure twice and saw once, so before I start I thought I would ask for your assistance in preparing my mindset and removing any cant or prejudice I bring to the task. So I am going to lay out my starting assumptions and ask for your comments before I start.

1. What we are focusing on here is not a technical or financial issue, or at least not primarily. It is political, social and ethical.
1A. I say this because I have not met anyone who would change opposition to large scale ID projects based on cost–if Oracle, Tesco and Dun Humbie offered a solution for free, the concept of UK government ID management would not win any new adherents. Nor have I met anyone who has said they support ID management for £X, but would oppose a scheme at £X+1, or even £2X.
1B. There are large scale databases that securely contain and manipulate similar volumes of data as proposed for UK identity management, and many are fit for purpose. The fact that UK government has had scant success in finding, buying or building such a database in the past is not a compelling argument against ID management–it may be an argument against government procurement practices.
2. Proponents of large scale identity management programmes focus on social benefits, such as the reduction of crime or terrorism. A secondary argument is made regarding internal efficiencies of government operation.
3. Opponents of such programmes focus on the risks posed to individual liberty and civil rights, with secondary arguments about costs and past performance of government IT endeavours.

This is the mindset I am bringing to the project. If I am mischaracterising anything or completely ignoring large parts of the issue, if you enlighten me before I begin, it will save me a lot of time and work. Please use the comments section to continue my education.

Thanks

Update: Thanks all, for the cogent comments. All of a sudden I’m glad there’s no football on tonight.

The problem of fraud websites

Posted by paulspinks in Humanity nature and activity, fraud at March 21st, 2007

Government agencies could do more to combat the problem of “fraud websites” targeting English-speaking internet users, including UK citizens. These sites are set up to give credibility to many types of internet scams - they pretend to be banks, barristers, couriers, escrow companies, secure storage facilities, etc (different identities are needed for different types of scam). Often they will clone and lightly edit legitimate websites, such as the Matrix Chambers site belonging to Cherie Booth and her colleagues.

Although fraud sites are easy to recognise, the owners cannot usually be prosecuted under current UK legislation, unless they are “passing off” [example: fake “Barclays Bank”]. The proposed anti-fraud legislation will fare little better, given the difficulty of tracing the offenders (most operate from overseas, routinely hiding behind false identities).

Given the problems faced by traditional law enforcement methods, volunteer groups such as AA419.org have taken the lead in the fight against the fraudsters. Every year, thousands of fraud sites are closed by AA419 (including the Matrix Chambers clone mentioned above).

AA419 succeeds by highlighting blatant falsehoods (e.g., “banks” claiming to operate in the UK but not registered with the FSA), then persuading webhosts to terminate on the grounds of TOS (Terms Of Service) violation. A further incentive for webhosts to act is the likelihood that fraud victim support groups such as scampatrol.org will assist victims to sue webhosts that fail to take effective action after receiving an “internet abuse” report.

However, although AA419 closes thousands of fraud websites each year, there are some areas where the support of UK government agencies may be needed, such as:

1) Fraudsters are increasingly turning to foreign webhosts with poor records for closing fraud sites. Representations by the UK government, perhaps in conjunction with US and European counterparts, could encourage other governments to require their webhosts to take effective action when internet abuse reports are received. Example: fake “Bohai Trust Bank” in netblock owned by China Telecom [source AA419].

2) Some registrars appear to have no effective process for closing fraudulently registered domains. Registrars have no responsibility for website content, but should be encouraged by government to take effective action against fraud sites when it can be shown they were registered using false information. Example: fake “Bank Of China” in the .uk domain controlled by Nominet UK [source: AA419].

Top 10 cats boxing their way out of Pandora’s bag in 2007

Posted by William Heath in Faster/smaller/better..., Humanity nature and activity, fraud, threats at February 14th, 2007

Just to be short-term for a moment, here’s the top 10 threat list for the current year of Richard Stiennon, who does the ThreatChaos blog for ZDNet:

1. 100% growth in revenue for cyber crime. …the quest for financial gain will spur cyber criminals to a banner year, at least doubling their overall take…
2. DDoS in support of phishing attacks. …an attack against a banking or ecommerce site along with a barrage of emails that claim the site is “down for maintenance, please log in here to access your account”…
3. Successful DDoS attack against a financial services firm. …2007 will be the year of the first high profile attack against a large US or UK bank or trading desk.
4. Attacks against DNS are the threat of the year. …the collateral damage could be devastating if an attack took out one of the root domain name servers…
5. No abatement in identity theft. …Markets are developing that make it easier to monetize stolen identities thus increasing the value of stolen IDs while decreasing the cost of “moving” them.
6. More attacks against wireless networks. …text message urging you to call a particular premium phone number (vishing), and malware that infects phones…
7. MySpace grows up and gets secure. …the number of attacks from predators, criminals and hackers will get to the point that MySpace will tighten up its controls and monitoring…
8. YouTube abuse threatens site. …video sharing will succumb to spammers who post ads, ad backed videos, and stealth marketing exploits, ruining the experience for everybody.
9. Network infrastructure shows signs of overloading. …outages, slowdowns, and a mad scramble to lay more fiber in 2007…
10. Spread of Windows Vista will have zero impact on the overall threatscape. …Reportedly you can already purchase Vista zero day exploits on the web.

Sobering stuff, even with mixed metaphors (“The cat is out of the bag. Pandora’s box is open.”). But the man was flying to Maui and back just to get frequent flyer points when he wrote this. Does he have his priorities right about imminent global catastrophes?