Category Archives: Critical Information Infrastructure

SK ID Solutions declared provider of vital services

The Identity Documents Act was amended declaring the provider of certification services a vital service provider:

(31) The provider of certification service that enables digital identification and digital signing with the certificate which is entered in the documents issued on the basis of this Act is the provider of vital service specified in clause 36 (1) 8) of the Emergency Act.
[RT I, 03.03.2017, 1 – entry into force 01.07.2017]

In practice, at least currently, the new status does not introduce significant new requirements, since for SK, as a qualified trust service provider, the operational requirements set by law were quite high anyway.


Estonian “data embassy” to open in Luxembourg

Data of the Estonian administration may be stored on servers in Luxembourg as well as in Estonia already towards the end of this year. The “data embassy” created this way will contain information vital to the functioning of the state, and make an attack on the country’s systems more difficult.

As cyber security expert of Tallinn’s NATO Cyber Defence Centre of Excellence, Jaan Priisalu, says, “If an operator is planning to occupy another country, one of their objectives is going to be to take over the existing institutions, or to suppress them, and if you can make these institutions ex-territorial, take them out of reach of the potential attacker, you increase the political price of the attack.”

According to advisor to the ministry’s state information systems department, Laura Kask, negotiations were held with other countries as well, but the ones with Luxembourg had developed the furthest. “For one thing, they offer data centers with a very high level of security, and for another they are quite similar to us in terms of their IT development and their way of thinking,” Kask said. In terms of money, there are no exact figures available, but the data center in Luxembourg will be markedly more expensive than running a similar infrastructure in Estonia. There is one entry in the government’s schedule concerning the data embassies, showing an allocation of €240,000.

The physical location of the servers will remain secret, and only people who are cleared by the Estonian state will have access to them.

The data to be backed up in Luxembourg so far covers ten priority databases, including the information system of the Governmental Payments Office (the Estonian treasury), the pensions insurance register, the business register, the population register, the cadaster, and the identity documents database.

Even now, nothing forbids the Estonian state from storing data backups in Estonian embassies located in foreign states. Most likely the plan is to build a failover system that is kept in sync in real time.


DDoS attack against Omniva’s partner disrupts the work of parcel machines


The DDoS (Distributed Denial of Service) attack that started yesterday (22.10) at 2.30 p.m. and is still ongoing, was directed at the Integer network of Omniva’s cooperation partner, and resulted in a global error in Integer systems. The attack was isolated and main functions of the system were restored by 7 p.m. yesterday evening. The functionality check of parcel machines was completed at 8 p.m. By now, the attack no longer jeopardizes Omniva’s systems. In addition, databases and customer data stored in Integer are definitely protected and are not affected by the attack in any way.

In connection with the attack, sending parcels from parcel machines and receiving paid parcels from the parcel machines was disrupted from 2.30 p.m. to 7 p.m. Customers were able to use parcel machines for receiving packages that were free of charge.

From the description it seems that Omniva accessed Integer’s databases from the same public channel which was attacked, but now Omniva has non-public access to Integer’s databases, which is not available to the attackers.


Glitch by payment processor Nets Estonia causes chaos in SEB and Swedbank accounts


All it took to trigger the widespread woe was an outwardly insignificant slip: on September 17th, Nets Estonia, which coordinates card transactions in Estonia, forwarded a file with card transactions to the financial institutions twice, and two days later attempted to correct the mistake by sending a file cancelling the «double» transactions.

The banks which for whatever reason only acted on the cancel-entries sent on September 19th, yesterday morning unexpectedly returned to customers the money spent on September 17th. This, for instance, was the lot of SEB clients. To our knowledge, clients of institutions like Swedbank and Citadele were less lucky. The control systems of said banks had already acted on the double file dating September 17th and brazenly pocketed the customers’ money twice.

As the control systems of LHV and Nordea banks pulled the brakes both on the file prescribing double payments and on the dataset sent to cancel it, the clients of both escaped the mess.

Why could LHV and Nordea engineers implement a fault-tolerant algorithm while engineers of the two biggest banks, SEB and Swedbank, could not?
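The three outcomes described above can be reproduced with a small model. This is an added illustration, not code from Nets Estonia or any of the banks; it assumes each record carries a unique transaction ID and that the cancel file lists the IDs of the duplicated transactions, neither of which the reports describe.

```python
from collections import Counter

class Ledger:
    """Toy card-settlement ledger; amounts in cents (constructed model)."""
    def __init__(self, dedupe):
        self.dedupe = dedupe        # True: refuse a txn_id that was already posted
        self.postings = Counter()   # txn_id -> number of times debited
        self.amounts = {}           # txn_id -> (account, cents)
        self.balance = Counter()    # account -> cents relative to start
        self.rejected = []          # audit trail of refused records

    def apply_file(self, records):
        for txn_id, account, cents in records:
            if self.dedupe and self.postings[txn_id] >= 1:
                self.rejected.append(("replay", txn_id))
                continue
            self.postings[txn_id] += 1
            self.amounts[txn_id] = (account, cents)
            self.balance[account] -= cents

    def apply_cancel_file(self, txn_ids, check_state):
        for txn_id in txn_ids:
            if txn_id not in self.amounts:
                self.rejected.append(("unknown", txn_id))
                continue
            # Cancelling a duplicate is only valid if a duplicate was posted.
            if check_state and self.postings[txn_id] < 2:
                self.rejected.append(("no-duplicate", txn_id))
                continue
            account, cents = self.amounts[txn_id]
            self.postings[txn_id] -= 1
            self.balance[account] += cents

SETTLEMENT = [("T1", "alice", 2500), ("T2", "bob", 990)]  # constructed sample

def replay_incident(dedupe, check_state):
    """Same file delivered twice, then a cancel file for the duplicates."""
    ledger = Ledger(dedupe)
    ledger.apply_file(SETTLEMENT)
    ledger.apply_file(SETTLEMENT)
    interim = dict(ledger.balance)
    ledger.apply_cancel_file([r[0] for r in SETTLEMENT], check_state)
    return interim, dict(ledger.balance), ledger.rejected
```

With `dedupe=False` the customer is debited twice until the cancel file arrives; with `dedupe=True, check_state=False` the cancel file refunds a purchase that was only charged once; only `dedupe=True, check_state=True` refuses both bad inputs and leaves a single debit.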


Failure at card payment processor Nets Estonia causes inconveniences


There was a congestion situation in which some of the requests went through but some did not, and at some point card payments did not work at all. This was when the system was taken down to make changes. Banks urged customers to equip themselves with cash.

Nets Estonia, the company managing the terminals, has confirmed that the failure resulting in overloaded card payments was caused by an old-data erasure process which has become too bulky. In the coming night, a maintenance operation will take place which is expected to eliminate the problem permanently.

Comment from EISA:

According to the head of the EISA Vital Services Protection Division, Urmo Sutermäe, Nets Estonia is not itself a vital service, but if their services are disrupted for any reason, it prevents banks from offering a vital service. In his opinion, it would help to reduce such disruptions in the future if services continuously evaluated the extent of cross-dependencies and their impact and reduced the associated risks by having alternative solutions.

It is not clear what merchants should do. Should they have a backup PoS terminal serviced by a different card payment processor?