Is Our Critical Infrastructure secure?
“The nature of strategy is paradoxical and does not follow a linear pattern.”
– Edward N. Luttwak
“The real measurable value within Critical Infrastructure is that of the transportation and transformation of information and control telemetry. Cyber-attacks have already adversely impacted the North American economy to the tune of tens of billions of dollars. Risks to critical infrastructure are increasingly complex and frequent. Cyber is the nervous system that binds all other critical sectors, and upon which other sectors are most dependent. More than $174 Billion in electronic funds traverse the network core every day. This figure eclipses the physical cross-border shipments of goods, which has garnered so much attention. Consider that a miniscule disruption in network-throughput results in a direct and measurable financial impact – a 2% loss of network performance is equivalent to Canada’s GNP.”
– DARK SPACE STUDY (Bell Canada and SecDev)
How Real Is The Hype?
If you believe pop culture, Armageddon is likely to be triggered by technology that we neither understand nor control. It is a theme played out in the movie Live free or Die Hard that depicted techno-savvy extremists launching a progressive-compound attack on critical infrastructures (CI) in what was coined a “fire sale” – because everything must go. If that isn’t bad enough, Matrix, I-Robot and Terminator movies examine a world where machines become self-aware and take over humanity in the dystopian worlds created in .
The media would have us believe that Cyber terrorists are poised to unleash a catastrophe that would send western civilization back to the stone-age, leaving us with zero bars in darkened rooms.
Certainly, our most vital systems (government, energy, transportation, finance and communications), depend on complex, inter-connected global networks. They\\\'re fast, efficient and uniquely vulnerable to major failure or attack. In System Crash, a documentary by Omni films, the director looked behind the scenes at how critical systems and infrastructures work, and how they can fail in spectacular and sometimes devastating ways.
A CI attack might come in the context of an emerging crisis in Russia/Ukraine, Japan-China-Senkaku Islands, or the Middle East. Dealing with a deliberate CI attack in the midst of another crisis would overwhelm most governments. Hostile actors could very well take advantage of a natural disaster to launch a cyber offensive.
As the rate and severity of natural disasters increases, so does the possibility that disruptions of critical infrastructure could result in prolonged loss of essential services. The risks and vulnerabilities are heightened by the complex system of interdependencies among critical infrastructure, which can lead to cascading effects expanding across borders and sectors. The implications of these interdependencies are compounded by society’s increasing reliance on information technologies.
The computational power and interconnectivity of the Internet will soon exceed that of the human brain. We are entering a period of instability and risk within the system, where social media provides a frictionless state between the human terrain and the cyber world… where a meme can precipitate an Infrastructure collapse or the inception of a contagious idea that overloads or otherwise compromises systems. Look no further than the Arab Spring, or in 2013, when the Syrian Electronic Army hacked the Associated Press Twitter account, releasing a 140-character fake story of an attack on the White House that caused the stock market to plunge by $136.5 billion (this would have drained the Canadian defence budget).
“The history of strategic surprise has been filled with the failure to predict future discrete events and, more importantly, a failure to detect the nature of emerging threats,” says former Privy Council intelligence analyst Tom Quiggin.
There are plenty of anecdotes of maleficent actors turning on lights in darkened office buildings, remotely opening dams, hacking government servers, denying commercial business operations, interfering with air traffic control, and mounting clever bank heists.
The terrorist attack on the world trade centre on 9/11 took out vital communication hubs, and trading centres – and the aftermath affected the viability of air travel afterwards. This was not by design. The terrorists had absolutely no clue as to the ramifications of slamming airplanes into big buildings for shock effect.
Similarly, Stuxnet was arguably one of the most sophisticated and well-orchestrated targeted attacks, but it was on an isolated system that was not designed to cascade failures through other infrastructures.
Cyberspace advances asymmetric and irregular warfare. It is the means by which a hactivist group like Anonymous can mount a successful Distributed Denial of Service (DDOS) assault against CIs.
According to McAfee, a variant of the high-roller malware could be re-engineered to target financial services infrastructure and attack the Automated Transfer Systems in Europe, which processes much of the world’s e-commerce transactions.
The Iranian government was itself suspected to be behind the hack of the Root certificate authority DigiNotar in 2011. In the same year, over 12% of the internet traffic, including that of 8,000 North American businesses, was deliberately redirected through China, for what analysts suspect was a precursor to the targeted espionage attacks against Canada.
We have tracked a textbook pattern of unrestricted warfare in Estonia, Syria, Iran and ongoing now in the Ukraine:
- Deny the opposition forces or government their information communications technology (ICT) infrastructure;
- Jam the media and outside access to the Internet;
- Propagate malware through manufactured hactivism to hide advanced targeted cyber operations;
- Attack confidence in the economy and financial systems;
- Launch a disinformation and influence campaign in traditional and social media;
- Become the only source of news, and control the message;
- Precipitate power blackouts where you are mounting operations; and
- Roll tanks down the main streets to ‘protect’ the population and ‘restore stability’.
Critical Infrastructures are vastly complex beasts. As an analogy, tic-tac-toe is a solved game, chess can be mastered with a super-computer, but poker represents a nearly unsolvable game owing to computationally-heavy probabilities, practically infinite possibilities and human interaction. As such, gaming or simulating the attack and defence of CIs is even more complex, and cannot be done with a working group. A potential aggressor cannot avoid the theoretical mathematics or big-data processing.
The Cyber Critical Infrastructure Interdependencies Study by Bell Canada and the RAND Corporation in 2006 quantitatively measured the interdependency risks, contagion and multi-order effects between Canadian CIs using network communication flows, and supply chain econometrics. The findings were compared with qualitative risk assessment gained through extensive interviews of stakeholders. There was found to be a profound perceptive gap between common beliefs about threat-risk and the evidence.
The Davos Foundation warns of the perils of hyper-connectivity and networks; “a healthy digital space is needed to ensure stability in the world economy and balance of power.”
Challenges for bad actor
Thankfully, not all terrorist groups are good at math, nor do they have the means or insider knowledge to model and manipulate CIs for effect. Deliberately knocking out a national infrastructure and getting it to stay down, is tough.
Components of systems-of-systems fail all the time, which builds resiliency through natural selection, evolution and self-organized criticality. Consider that, 1.7% to 8.6% of disk drives will fail in a year across the country. Power and telephone lines are taken down by storms every day. Yet, telecommunications remain effective 99.9995% of the time.
In the same fashion that complex systems can fail in unforeseen ways, they also heal in unexpected ways. Thus, an ‘invisible hand’ frustrates attackers. CI attacks are even more difficult to predict and effect because the strategy requires an in-depth understanding of the systems-of-systems, within each environment.
Also, attacking a given CI can prove dangerous because globalization of supply chains and interconnectivity often make the attacker and defender reliant upon the same critical infrastructure.
The science behind a successful strategic offensive against critical infrastructure is to manufacture the perfect storm of events such that one can precipitate cascading failures, from which it is difficult to recover.
While the fortification system that made up the Maginot Line did prevent a direct attack, it proved strategically ineffective. Likewise, traditional security systems can’t deal with strategic assaults. Physically mapping some ‘vital’ facilities is missing the forest for the trees – ignoring the larger ecosystem.
Calls for more working groups, standards, or compliance audits are as effective as “rearranging deck chairs on the Titanic.” Much of the discourse to date has been preoccupied on recovering from natural and accidental disasters, but these scenarios do not address complex deliberate offensive campaigns across multiple domains, particularly the vital ones: cyber, transportation, finance and energy.
The beneficial purpose of regulation of CI is to limit degrees of freedom in these systems, to allow for them to self-correct. However, this must be done very carefully.
What is the art of possible for defence of CI?
We can still win at poker (an unsolvable game) by complex pattern recognition, playing the probabilities, and practical gaming theory.
Protection of Critical Infrastructure requires a high-fidelity model based on interdependencies, contagion and risk conductance. The next priority would be to conduct an attack surface analysis using Advanced Open Source Intelligence, or A-OSINT. This would involve: network enumeration, detection of existing cyber attacks and compromises, supply-chain providence, operational security exposures, foreign ownership control and influence activities, econometrics, social media monitoring and human terrain mapping. Subject Matter Experts from the CIs should then validate and verify the data-model. Operational research could then be used to create a synthetic environment (test range) to realistically simulate a given critical infrastructure defence strategy.
Dave McMahon is the Chief Operating Officer of the SecDev Group and formerly managed R&D and complex security programs for Bell Canada. SecDev is an Advanced Open Source Intelligence (A-OSINT) company. They work at the intersection of cyberspace, social and political change, competition and conflict to provide critical insight, digital acuity and fidelity onto complex issues affecting businesses and governments.
© FrontLine Security 2014