
Interdependencies with the information infrastructure: dependability and complexity issues
M. Masera, M. Wilikens
Institute for Systems, Informatics and Safety, Joint Research Centre, European Commission
T.P.210, Ispra (VA), Italy
Tel: +39-0332-789238 Fax: +39-0332-789576 email: Marcelo.Masera@jrc.it

Abstract
This paper focuses on the risks that arise from the interdependencies between the global
information infrastructure and other critical infrastructures. Critical infrastructures are
indispensable for the human welfare (e.g. banking-finance, energy, commerce, health care,
transport), because their failure to meet an expected service level might have a significant
impact on society at large. An emerging issue is that infrastructures until now independent
are becoming entangled into network-of-networks. It is this interconnection where the
information and communication technologies play a pivotal role.

When infrastructures are interconnected, several new aspects should be considered: new
vulnerabilities might arise from the common links, failures might propagate through the
different systems, intrusions and disruptions in one infrastructure might provoke unexpected
threats to others. In such cases, the question of specifying dependability and trust
requirements and translating them as performance and functionality requirements for other
systems becomes vital.

The work reported herein investigated:

1. The dependability and vulnerability of the information and communication
infrastructures, discussing the main concepts and terminology used for characterising
the problem, and based on a multi-layer approach comprising the communications
networks, data services and the application levels.
2. The interdependencies in two sectors by means of dedicated case studies (energy and
health care).

Keywords: information infrastructure, interdependencies, dependability, vulnerability, complexity

1. Complexity and dependability

1.1. Internetworking and complexity

Three main, interrelated trends seem to affect all the infrastructures that make up modern
society: 1) their increasing complexity, with an acceleration that reflects the general evolution
of technology, 2) their interconnectedness, put into practice at different layers: organisational,
procedural, informational, material; and 3) a growing reliance on Information and
Communication Technologies (ICT), both for internal use and for interaction with external
systems.

Complexity grows with the extension of the geographical reach and the expansion of the
services provided, the introduction of new components with richer functionality using diverse
technologies, and the layering of systems over systems for coping with intricate processes
dealing with material goods, energy and information (Kyriakopoulos, 2000). The single most
important enabling factor appears to be the exploitation of ICT for the creation, processing,
transmission and storage of data.

The interconnections among infrastructures are facilitated by the internal use of ICT, and by
the availability of affordable means for establishing fast and reliable data communications.
These communications means are beginning to be considered as a sort of public information
infrastructure, and are increasingly employed for exchange of information and access to new
value-adding services such as trade tools for actors in a given market sector, and for getting
connected with other infrastructures. The widespread use of the Internet is certainly the best
example (Schneider, 1999).

The Internet has created a new environment for conducting human activities and has given
substance to the concept of the Information Society. The Internet is now a key component of
a global information infrastructure that consists of interconnected communications networks
and the data services provided through them. In this new environment, existing economic and
social activities are redefined and new ones are born. At the same time, concerns about the
impact of the Internet on these activities cover a wide spectrum of topics ranging from ethical
to technical and scientific.

A point of chief importance is the open, unbounded nature of the Internet – an attribute that will
likely characterise, mainly for economic reasons, the entire future information infrastructure,
which will arise from the interlinking of numerous independent networks sharing common
(or at least interoperable) architectural principles and communication protocols, but with no
single command point. Control is decentralised, and in principle any data packet can flow
over it. This single fact affects in a fundamental way the reliance that could be placed on the
contents flowing through the information infrastructure. In its “open space”, security,
dependability and trust acquire new dimensions.

The crucial problem is that what is being deployed over the information infrastructure is, in
most cases, actually information that is critical for individuals, government, business and
other societal actors. Moreover, in most cases these information assets (i.e. information of
appreciable value) come into being and acquire their importance by the fact of making use of
the information infrastructure. And their value is contingent upon the exploitation of the same
characteristics of the infrastructure, i.e. affordability, ubiquitous accessibility, ease of
use, extent of reach.

For those reasons, and without evidence of a complete and thoughtful risk assessment, every
societal and economic sector seems to try to take advantage of the opportunities offered by
the information infrastructure (Robinson, 1998). As a consequence, one of the main areas of
concern is the question of the ability of this new medium to deliver services in a trustworthy
manner that inspires confidence in the users of these services, because the capacity for creating
advantageous capabilities comes together with the potential for producing extreme risks. If
this were only the case of systems and applications used for personal or single business
purposes, any failure might only provoke restricted effects. But the fact is that each and every
infrastructure, and that means society at large, is attempting to benefit from the public
information infrastructure. The end result is an overall, global dependence on a limited set of
hardware and software technologies, with evolving and not yet mature interconnection and
business models.
This issue gives rise to great concerns:
o Which are the technological and organisational vulnerabilities of this information
infrastructure that might expose our systems (and ultimately our business, our society)
to undesired harms?
o How dependable (i.e. reliable, available, safe and secure) will this infrastructure be?
o Which threats will menace our applications and data, with intentionally malicious and
accidental events? With which capabilities? In which circumstances? How can we
counteract them?
o How might the interconnections with the information infrastructure trigger
unanticipated chain effects? Who might have unwarranted access to one system by
exploitation of weaknesses of another one?

1.2. Networked infrastructures

The critical infrastructures that are being composed into network-of-networks, mainly as a
consequence of their interactions with the information infrastructure, are generally
characterised by a subset of the following features:
• Their complexity as a result of:
o Multiplicity of layers, both from the functional and structural viewpoints.
o Multiplicity of compositions of products and services in the value chains.
o Multiplicity of data entry and interaction points resulting from their distributed
nature.
o Multiplicity of roles interacting with the system at different levels and with
different requirements and goals (final users, partners, operators, etc.).
o Multiplicity of conflicting and competing operational objectives.
o Evolving, never stable deployment of components, with the consequent
deficient determination of the current system architecture.
o Emerging attributes at the upper layers resulting from unknown and mainly
non-linear interactions among components.
• Their uncertain operation at the global level, as a result of:
o Lack of central control and coordination due to the opening of markets and the
increase of the quantity of actors.
o Lack of means to evaluate and determine attributes such as reliability and
availability.
o Imperfect mechanisms for managing systems in real time.
o Reliance of the final delivery on intermediate services out of the jurisdiction
and responsibility of the supply/transaction actors.
• Their increasing exposure to risk, as a result of:
o Rise in the quantity of vulnerabilities, with most of them new for the industrial
sector of reference – as typically those related to the information security field.
o Intricate interrelationships among organisational, human and technical errors
and failures, and insufficient understanding of emergent dependability
attributes.
o Use of mostly inadequate “defence” style approaches that do not match the
needs of open unbounded networks.
o Possibility for extensive cascading effects resulting from single local failures,
and relative widespread consequences.
o Lack of adequate warning and response systems.
Therefore it is possible to state that the current status of networked, interacting and
interdependent infrastructures, as far as their capacity to assure the continuity of proper (safe,
secure) operations is concerned, is certainly worrying. Our analytic means for adequately
grasping the problem seem to fall short of what would be required. We are not even certain of
being capable of predicting all the potentially risky situations (either the multitude of
low-consequence ones, or the more alarming high-consequence ones). Additionally, it should
be considered that those infrastructures are continually changing: incorporating new
technologies, modifying the business process with new actors and functions, and augmenting
the links in their networks. The conclusion is that much work is still required to be able to
satisfactorily specify, architect, model, design, simulate, analyse, establish cause-effect
relationships and vulnerabilities, develop countermeasures and control networked
infrastructures.

2. The information infrastructure

2.1. The layered model

By information infrastructure is meant the multi-layered system-of-systems composed of
hardware, software, and procedures that provides electronic data communication to users that
want to deploy a specific information service. Driven by open standards and deregulation, the
information infrastructure is increasingly fragmenting, moving towards a layered model
(Figure 1) consisting of interconnected communications networks with intermediate services
and applications operating on top. New entrants and established industries compete for the
provision of added value services (e.g. e-payments, digital certificates, etc.). The layering of
services implies that lower-layer details are hidden from higher layers and that the
dependability (availability, security) of the upper-layer applications relies in large part on the
performance of lower-layer services and networks [1].

[Figure 1: layered diagram. Actors: service provider, user. Layers from top to bottom: applications; intermediate services (trust, authentication, security, …; brokerage; group/community clustering); communications networks (OSI 1-4). Label: "The Information Infrastructure".]

Figure 1. The layered model of the information infrastructure


The Information Infrastructure behaves as a single but decentralised, multi-jurisdictional,
heterogeneous open system: it consists of an unknown (or only partially known) number of
interconnected systems, whose capabilities to establish dependable and trustworthy
connections are likewise only partially known.

From the perspective of the user, the desirable outcome from the Information Infrastructure is
to receive services as if it were a public utility meeting a set of expected performance
requirements. From the perspective of the service provider, or, equivalently, the designer of
an application, the desirable outcome is to be able to offer services through a public utility
that meet specified performance requirements. From either perspective, the application
should be capable of offering a service in accordance with desirable, expected, perceived, or
specified performance requirements. These services are to be delivered in a dependable
manner by a complex system-of-systems that is beyond the capabilities of the user to
comprehend and to control. By formulating the problem in such general terms, one can ask
the following questions:
1. How can an application exploit the functionality and performance offered by the
information infrastructure? Are the expected services within the capabilities of the
available information infrastructure systems?
2. If not, how could an application be designed to deliver these services in a cost-
effective manner, taking advantage of the current infrastructure?
In broad terms, this implies the knowledge of significant features of the information
infrastructure, which is not always the case. The challenge can be then categorised within two
types of problems: a) the problem of characterising dependability of the information
infrastructure in terms of attributes and requirements that can be imposed on it, and b) the
problem of characterising vulnerabilities, the effects of disruptions on components of the
information infrastructure and how these affect dependability requirements, and ultimately
the risks for the information assets concerned.

Regardless of the nature of each application the demands upon the information infrastructure
may be viewed in terms of data transfers and distributed computations. When these two
operations involve the parameter time, the terms real time and continuous data stream are
also added to the set of parameters. Furthermore, if data are exchanged between two or more
users in real time the operation is characterised as interactive. Additional terminology is in
widespread use when one refers to computer-to-computer communications or
user-to-computer communications. However, these terms are not very useful as attributes for
specifying performance requirements of an application from the information infrastructure.

Although each application has its own specific requirements, there are some attributes that
are common to all applications. These are:
• availability of the communication infrastructure (layers 1 to 4 of the OSI model), and
of all the intermediate services needed for the provision of the application,
• integrity of the data during data transmission through the communication networks,
and during its handling by any intermediate service,
• confidentiality of the data, ensuring that they are accessible only to those who are
authorised, in the form and for the activities permitted,
• timeliness of transfer end-to-end, from source to sink, for all the exchanges of data,
• capacity of data transport per unit time, as apparent at each of the end points.

To the extent that the performance requirements of a given service depend on data
communications (for instance of the Internet) and other intermediate services, these five
attributes (availability, integrity, confidentiality, capacity and timeliness) are both necessary
and sufficient for specifying both the complete chain and each one of those services. It should
be noted though that, for the data communications service, the term integrity means that,
whatever data (in the clear, or encrypted) are sent by the transmitter, they will be received by
the intended recipient without any modification, regardless of cause; and that confidentiality
involves the whole set of transmitted data (who sent to whom, when, etc.).

Thus, the dependability attributes of the application, namely, availability, integrity and
timeliness can be mapped into the dependability attributes of the Internet and of intermediate
services. These attributes can be used as variables either for analysing existing systems or for
designing new ones, because the attributes are quantifiable and can be translated into the
quality of service attributes of communications systems. From the perspective of the designer
of an application, the dependability requirements for data transport are an output derived from
the dependability requirements of the application. In turn, this output could become a useful
input for specifying the dependability requirements of the components of the information
infrastructure, and especially of the communications network (e.g. Internet). The open
question for the Internet is whether the dependability requirements imposed on it by a given
application are feasible and at what cost.

The assignment of the application dependability requirements, decomposing them into
requirements for the communications infrastructure and the intermediate services, is not a
straightforward task. Much of the Internet-related communications network and services is
offered simply as bundled functionality, with a non-assured set of performance and
dependability. Availability, timeliness and bandwidth are defined on a best-effort basis,
without considering malicious actions. Integrity and confidentiality should be the subject of
specific means, and should be respected at every single point of the infrastructure.

The composition/decomposition of the dependability requirements is further complicated by
the fact that they can be violated by a scheme of actions over different components of the
infrastructure (typical for violation of integrity), and by the entangled character of the links
amongst components. For instance, a problem of bandwidth for one component could mean a
lack of availability for a second, resulting finally in a problem of timeliness for the
transmitted information.

2.2. Interdependencies from the information infrastructure standpoint

In addition to the dependence upon the information infrastructure, each application depends
upon additional systems in order to provide the required services. Practically all applications
rely on electric power systems for their energy needs and on transportation systems for the
delivery of products, to mention two other important infrastructures. Of course, the
communications infrastructure itself relies on the electric power infrastructure. Furthermore,
the transportation infrastructure relies on other infrastructures such as communications,
power, etc. This interdependence among infrastructures raises the question whether the
hierarchical decomposition is sufficient to describe the relationship between one or more
applications and the communications infrastructure, or some form of feedback is necessary as
shown in Figure 2. This circularity of requirements should be seen as one of the main sources
of non-linearity, and the main obstacle to a clear assignment and decomposition of requirements
among different infrastructures.

In a “networked society”, the derivation of requirements for the information “contents” that
the societal actors want to communicate (i.e. the information assets) imposes conditions on
the information infrastructure, on all the coupled infrastructures, and on the interconnections
among all of them. In addition to this, all other infrastructures are making use of the
information infrastructure for their own internal purposes, and for communicating among
them.

The information infrastructure can thus be seen as interacting on two fronts:
• the information assets and the corresponding applications (both end applications and
from other infrastructures), that expect that specific dependability constraints are
respected – mostly related to “contents”, i.e. syntactic and semantic aspects;
• other infrastructures that are connected by means of physical, energetic or
organisational links, and that deliver services with dependability attributes that affect
the information infrastructure capabilities.
[Figure 2: diagram with two panels, "Linear derivation of requirements" and "Feedback of requirements". Boxes: application, information infrastructure, electric power infrastructure, automation systems. The links between boxes are labelled "dependability requirements".]

Figure 2. Relationships among dependability requirements
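
The following is an added example, not part of the original paper. It models the bandwidth-to-availability-to-timeliness chain from section 2.1 and the circular requirements from section 2.2 as a small dependency graph. The component names, the links and the attribute mappings are assumptions constructed for illustration.

```python
from collections import deque

# Constructed model, not data from the paper. Each consumer lists the
# providers it depends on, plus an assumed mapping from "attribute violated
# at the provider" to "attribute violated at the consumer as a result".
LINKS = {
    "application": [
        ("intermediate_service",
         {"availability": "timeliness", "integrity": "integrity"}),
    ],
    "intermediate_service": [
        ("communications_network",
         {"capacity": "availability", "availability": "availability",
          "integrity": "integrity"}),
    ],
    "communications_network": [
        ("electric_power", {"availability": "availability"}),
    ],
    "electric_power": [
        ("automation_systems",
         {"availability": "availability", "timeliness": "availability"}),
    ],
    "automation_systems": [
        ("communications_network",
         {"capacity": "timeliness", "availability": "availability"}),
    ],
}


def requirement_loops(links):
    """Return every dependency cycle, i.e. every place where requirements
    cannot be derived top-down because a provider depends on its consumer."""
    graph = {c: [p for p, _ in deps] for c, deps in links.items()}
    loops = set()

    def visit(node, path):
        if node in path:
            cycle = path[path.index(node):]
            k = cycle.index(min(cycle))      # rotate to a canonical start
            loops.add(tuple(cycle[k:] + cycle[:k]))
            return
        for provider in graph.get(node, []):
            visit(provider, path + [node])

    for start in graph:
        visit(start, [])
    return sorted(loops)


def propagate(links, component, attribute):
    """Breadth-first propagation of one violated attribute.

    Returns {(component, attribute): hops}, where hops is the length of the
    shortest chain from the initial violation. The visited set is keyed on
    the (component, attribute) pair, so feedback loops terminate."""
    consumers = {}
    for consumer, deps in links.items():
        for provider, mapping in deps:
            consumers.setdefault(provider, []).append((consumer, mapping))

    reached = {(component, attribute): 0}
    queue = deque([(component, attribute)])
    while queue:
        comp, attr = queue.popleft()
        for consumer, mapping in consumers.get(comp, []):
            effect = mapping.get(attr)
            if effect is None:
                continue                     # this link does not carry it
            key = (consumer, effect)
            if key not in reached:
                reached[key] = reached[(comp, attr)] + 1
                queue.append(key)
    return reached


if __name__ == "__main__":
    for loop in requirement_loops(LINKS):
        print("requirement loop:", " -> ".join(loop + loop[:1]))
    result = propagate(LINKS, "communications_network", "capacity")
    for (comp, attr), hops in sorted(result.items(), key=lambda kv: kv[1]):
        print(f"hop {hops}: {attr} violated at {comp}")
```

In this constructed model a capacity shortfall in the communications network reaches the application as a timeliness violation in two hops, and returns to the network itself as an availability violation through the power and automation loop.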

2.3. Trust and dependability

As the final judgment about the reliance on the information infrastructure relates to the
information assets put at stake, the consequences of negative incidents have to be ultimately
assessed in the light of the potential risks that might be provoked. And this consideration of
risk is the responsibility of the stakeholders engaging in the information exchange.

Figure 1 includes actors: i.e. people or organisations that are the end users of the
infrastructures. While dependability is the “trustworthiness of a system such that reliance can
justifiably be placed on the service it delivers” [..], the counterpart is the trust that the actors
place among themselves and all through the service chain. The question is how much
assurance can be given for supporting that reliance judgment, given a certain information
infrastructure. Here a distinction can be made between confidence (as the assurance given for
a general reliance on an infrastructure), and trust (the specific assurance on another actor,
such as a service provider, and by extension on the intermediate services).

The request for confidence is pervasive not only in the business context but also in every
social interaction. There would be no use of any given technology without enough confidence
in its suitability, including the potential consequences from accidents and improper
utilisation. In addition, any contact between parties (who could be organisations, people or
devices) implies a mutual trust in the reciprocal identity and in the technical means used for
establishing and making use of the link. In an interconnected world, these requirements on
trust and confidence are emphasised since interactions and transactions occur mainly within
the ICT realm, without the need for any physical contact.

All transactions exploiting information infrastructures entail that the flow of information
assets develops over public, and consequently insecure, networks. In this context trust
appears as a multifaceted requirement that users need for assuring their reliance on:
1) Trust in the partners with whom they would interact (their identity, but also
antecedents that would help in supporting the assurance rationale, i.e. “Why to
rely on that partner?”);
2) Trust in the service that they would make use of for enacting the information
exchange (i.e. the belief that the service will behave as expected, as far as both
functionality and dependability are concerned. This includes all the
complementary and auxiliary services necessary for operational or trust purposes –
e.g. trust certificates);
3) Trust in the information asset itself (e.g. that aspects such as integrity and
confidentiality are enforceable).

Therefore, the enabling of trust and confidence strongly depends on the integrity,
confidentiality and availability of information services, and on the dependability of the
underpinning technologies.

To put into effect the trust requirements relative to a given service model and related
information assets, they should be translated into dependability requirements to be imposed
on the information infrastructure. These dependability requirements could be purely non-
functional ones, or expressed as performance or functionality.

2.4. Vulnerabilities and threats

In a risk-oriented perspective, the three most important factors to consider are: threats,
vulnerabilities and the dependability countermeasures put in place for neutralising them.

Threats are the cause of unwanted incidents, whether malicious attacks or accidental events.
Yet, in the literature there is no single understanding of the notion of threat. Diverse
definitions are given: 1) the original cause of the danger (adversary or fault); 2) the
potentially negative event itself; 3) the conditions or circumstances of its occurrence; 4) the means
or ways by which the harm is produced; 5) the unwanted negative outcome as loss. This
varied set of views is indicative of the wide-ranging different backgrounds of people dealing
nowadays with critical infrastructures: network security, risk management, cyber-crime,
dependability, defence.

Vulnerability is a more established concept, although at times understood in a very restrictive
way. Any vulnerability can be defined only relative to a given threat. Vulnerability is a
weakness or flaw in the system that could lead to the elimination or reduction of its
ability to deliver a specified service, when a threat turns up. Normally vulnerabilities are only
considered as the weaknesses of computing and networking systems, whilst the concept
should have greater connotations - for instance at the system and at the system-of-system
levels. In particular the new type of vulnerabilities to be studied in the context of critical
infrastructures are related to interdependencies between systems due to the massive
interconnection of systems-of-systems.

3. Interdependencies with the information infrastructure

3.1. The case in the electric sector

An advanced management of the generation and distribution of electricity has been made
possible by the establishment of monitoring and control systems relying on complex
communications systems. In addition electric companies rely on information exchange for
their connections with the energy value chain and their customers. Thus now it is possible to
speak of the electricity infrastructure as composed of the power grid and an associated
information network.

The electric sector started from a single power plant feeding a local distribution network to
evolve into geographically distributed grids consisting of interconnected diverse power
networks. The European electrical power system is now composed of a large number of
coupled national grids, organised as international markets (e.g. British Isles, Scandinavia,
continental Europe). The operation of each grid, linking several tens or hundreds of production
sites with many million end-users, is controlled by a set of complex, distributed automation
systems. Regional control centres are usually co-ordinated by a National Grid Management
Centre in charge of regulating energy trading and dispatching.

The creation of on-line energy trade markets gives rise to a flow of critical information
between energy producers, the market managers, the operator of the transmission grid, energy
distributors, intermediaries and energy brokers, and some categories of end customers. The
result is a set of interdependencies between the energy systems and the information
infrastructure.

On the one hand, electrical systems are vulnerable to many threats, both internal (e.g.,
subsystem faults) and external (extreme weather conditions, earthquakes, sabotage and
intentional disruption). In addition to physical threats to the grid, there are threats concerning
the grid automation system itself, like software bugs, hardware malfunctions, cyber attacks,
etc. (NIPC, 2000). A local malfunction may impact quickly on the whole network, due to the
high level of interconnection. Through a cascading effect, a malfunction may result in a
sequence of events leading to faults of other systems and isolation of generating plants due to
the activation of protection systems, which may lead to blackout in large areas.

On the other hand, energy producers and distributors, while trying to develop their markets
and enhance their efficiency, are becoming strongly dependent on the public open Information
Infrastructure on both the demand and supply sides. They have to communicate with the
other energy market actors, as well as complement the energy offer with information-related
services. These could be energy information services related to the energy loads, generation
and consumption, or pricing and billing; or derived services that take advantage of the link
established with residential or industrial customers (for instance, alarm management, heating,
etc.).

The main novelty in the energy sector is its vulnerability to malicious information-related
attacks. For instance an incident was reported on December 13, 2000 to the US National
Infrastructure Protection Center (NIPC). According to the report [12], “a regional entity in
the electric power industry has recently experienced computer intrusions through the
Anonymous FTP (File Transfer Protocol) Login exploitation. The intruders used the hacked
FTP site to store and play interactive games that consumed 95 percent of the organization's
Internet bandwidth. The compromised bandwidth threatened the regional entity's ability to
conduct bulk power transactions …”.

The most urgent areas of concern regarding the interdependencies between the electric
energy sector and the information infrastructure seem to be:
• The overall security of on-line energy trade markets.
• The information security of control systems (e.g. Supervisory Control and Data
Acquisition systems, SCADA).
• The susceptibility to the potential combination of effects between acts against
physical assets and malicious attacks on information assets.
• The cascading effect of insecure information (lack of availability or integrity) on the
reliability and quality of the entire energy infrastructure, and the requirements for
response and recovery technologies.
• The dependability requirements imposed by real-time power dispatching and the
related decision-making on the information exchanged over wide geographic areas.
• The security implications of the use of wireless communication and mobile code for
remote data access.
• The management of trust (with emphasis on privacy) in the gateways to end
customers, and the implications for reliability and quality of service.

3.2. The case in the health care sector

A similar evolution has taken place in the field of health care (Mittman, 1999). In the past,
the basic health care service was on an individual basis between the provider and the
recipient at a single location. It has now evolved into a complex system consisting of a
number of actors and services no longer concentrated in a single location. Because health
care provision is essentially a matter of sharing information and knowledge, both in the
clinical and organisational/logistics domain, large-scale information and communication
infrastructures are a crucial enabling factor. The term “virtual healthcare organisation” not
only covers a number of telemedicine activities from the remote monitoring of specific
conditions of patients to the remote provision of medical services relying on distributed data
bases and using high speed networks, but also closer integration of different business
processes involved in healthcare provision such as pharmaceutical suppliers/distributors,
insurance, hospitals. In this scenario, citizen health care records and, more in general, clinical
or clinical-related information are distributed (i.e., generated and stored) among these
different health care enterprises. The increased mobility of citizens is further driving
requirements for remotely accessing in secure ways patient-related safety-critical
information.

The application of information and communication technologies is apparent in the whole
healthcare sector: from the development of electronic medical records, to the automation of
the operations in wards; and from the constitution of virtual enterprises for the delivery of
drugs, to the remote access to medical services. This opens numerous opportunities for
accidental errors and malicious attacks that could jeopardise the safety and security of
patients, and that could also provoke the violation of the dependability requirements of all the
other stakeholders. This requires the respect of strong accountability standards (Goldman,
2000).

A simple example will illustrate the complexity of the information dependence and the
problem of delineating the responsibilities for the provision of dependable services. A patient
visits the office of a general practitioner (GP) for medical services. The GP has a fully
automated medical information system, which consists of a local information management
system with access to the databases of the medical facilities in the region. A segment of the
patient’s record is in the database of a distant facility. The dependencies are obvious. The
patient expects a certain quality of service from the GP including the availability of the
complete medical history during the time of the visit. The GP, in turn, expects the provider of
the medical information system to make available all the required information services.
Because the medical information system has a distributed database, the access to it relies on
an Internet service provider. Of course, the remote database is part of another medical
information system that is controlled and operated by someone else. Thus, the quality of
service offered by the GP depends on the Information Infrastructure and on the performance
of at least three different applications: the patient’s information related systems, and the GP’s
local and remote medical information systems.
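
The dependency chain in this example can be written down as a small graph, which makes the propagation of failures and the number of responsible parties explicit. The following Python sketch is an added illustration, not part of the original paper; the service names and the availability figures are constructed assumptions, and failures are assumed to be independent.

```python
from math import prod

# Constructed model of the GP scenario. Operators follow the text; the
# availability figures are illustrative assumptions, not data from the paper.
SERVICES = {
    "gp_consultation":  ("GP",                  0.999, ["local_mis"]),
    "local_mis":        ("MIS provider",        0.998, ["isp_link", "remote_mis"]),
    "isp_link":         ("ISP",                 0.995, []),
    "remote_mis":       ("remote MIS operator", 0.997, ["remote_record_db"]),
    "remote_record_db": ("remote MIS operator", 0.999, []),
}

def dependencies(service, graph=SERVICES):
    """Return every service that `service` relies on, directly or not."""
    seen, stack = set(), list(graph[service][2])
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(graph[node][2])
    return seen

def end_to_end_availability(service, graph=SERVICES):
    """Series availability of the whole chain, assuming independent failures."""
    chain = dependencies(service, graph) | {service}
    return prod(graph[s][1] for s in chain)

def impacted_by(failed, graph=SERVICES):
    """Services that lose function when `failed` is down."""
    return {s for s in graph if failed in dependencies(s, graph)}

def operators_involved(service, graph=SERVICES):
    """Distinct parties whose performance the service's quality depends on."""
    chain = dependencies(service, graph) | {service}
    return {graph[s][0] for s in chain}

if __name__ == "__main__":
    top = "gp_consultation"
    print("depends on:", sorted(dependencies(top)))
    print("operators:", sorted(operators_involved(top)))
    print(f"end-to-end availability: {end_to_end_availability(top):.4f}")
    for s in SERVICES:
        print(f"{s} down ->", sorted(impacted_by(s)))
```

With these constructed figures the service seen by the patient is less available than any single component in the chain, and its quality depends on four separately operated parties.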

Furthermore, given that health care data is sensitive information, further vulnerabilities
related to interdependencies will include the privacy dimension (Wilikens, 2000). With the
move to electronic patient records accessible from the Internet, there is now the potential for
health information to be maliciously exploited. For example, quoting from (Anderson, 1996),
it is reported that a large pharmaceutical company gained access to a prescription database
covering over 0.5 million prescription users. They are said to be mining the database in
search of patients whose prescription requirements fit depression-related illnesses, with a
view to promoting the use of one of their drugs by contacting the patients' GPs. It is also
reported that many health insurance companies pass on medical information to third parties,
such as financial institutes or employers, without the permission of patients. Even employers
routinely use this information for recruiting and other personnel-related issues.

The health care sector is characterised by the convergence of a great number of stakeholders
with very dissimilar standpoints and backgrounds: hospitals, government regulatory offices,
insurance and pharmaceutical companies, distributors and logistics operators, standards
organisations, practitioners (as individual people and as associations), and finally the patients.
The use of information infrastructures is present in all the links among those actors.

The more urgent areas of concern regarding the interdependencies between the health care
sector and the information infrastructure seem to be:
• The protection of the patients’ privacy, during and after the provision of medical
services.
• The integration of information security with the accountability of operations over
complex and multi-jurisdictional business processes.
• The dependable and timely conjunction of information from different sources
(practitioners’ credentials, drugs’ technical and logistics data, patients’ records),
satisfying security and safety constraints, even under emergency conditions.
• The management of insiders, their authorisation rights on the different information
assets, and the traceability of their actions.
• The appropriate definition of on-line medical services, taking into account the
dependability limitations of the information infrastructure.
• The security requirements stemming from the ubiquitous access to medical services,
mainly derived from the use of wireless devices.

4. Final considerations

The dependence on the Information Infrastructure can be easily recognised as one of the main
challenges facing our society, even by laypersons. The incorporation of Information and
Communication technologies is justified by gains in efficacy and the deployment of brand
new value-added services, at the cost of a net increase in risk for citizens, organisations and
society at large. Two main features characterise the novelty of the problem under
consideration: the reliance on open unbounded networks (where nobody is an intruder, and
everything is exposed to hazards), and the criticality of the items of information exchanged.

A traditional defence-oriented approach to information security (based mainly on protection
and access control principles, corresponding to well-defined security characteristics) will not
provide adequate answers to those new requirements (which imply the notion of an
ever-dynamic, remaining level of vulnerability). Any successful solution will have to consider in
an integrative, multi-dimensional way the dependability and trust requirements discussed in
this paper. This solution will certainly need an assembly of:
• dependability enforcement components and trust services acting at the diverse
information infrastructure layers (perhaps in the form of customisable architectures,
which can be composed in real time, at request, according to the specific needs of a
given transaction),
• application level mechanisms and policies, and
• information asset level mechanisms and policies, packaged together with the same
critical information. This is the main difference between dealing with raw, generic
information, and identifiable information assets.

References
Anderson, R. (1996), Patient Confidentiality - At Risk from NHS Wide Networking,
Proceedings of Health Care. Accessible at http://www.cl.cam.ac.uk/users/rja14/hcs96.ps.Z.
Goldman, J., Hudson, Z. (2000), Virtually Exposed: Privacy and E-Health, Health Affairs,
vol. 19, n. 6, pp. 140-149.
Kyriakopoulos, N., Wilikens, M. (2000), Dependability and Complexity: Exploring ideas for
studying open systems, JRC-EC Report.
Mittman, R., Cain, M. (1999), The future of the Internet in Health Care, California Health
Care Foundation.
NIPC, National Infrastructure Protection Center (2000), Assessment 00-062, FTP Anonymous
Login Exploit, December 13, 2000. Accessible at http://www.nipc.gov/
Robinson, C.P., Woodard, J.B., Varnado, S.G. (1998), Critical Infrastructure: Interlinked
and Vulnerable, Issues in Science and Technology, Sandia Laboratories, Fall 1998.
Schneider, F. (ed.) (1999), Trust in Cyberspace, National Research Council, National
Academy Press.
Wilikens, M., Jackson, T. (2000), Dependability Requirements of Large-Scale Information
Infrastructures, A Case Study from the Health Care Sector, JRC-EC Report EUR 19642.
