It’s a big question not least because CNI covers everything vital to life in an industrialised society ranging from electricity generation and distribution to financial services, water and the food supply. As a result, the US Patriot Act of 2001, for one, defines such infrastructure as:
Systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.
Which at least gives a slightly verbose idea of the vital nature of operations that would inevitably become a target if things got hairy – a scenario which, if the recent spate of slightly hysterical press headlines on cyber war are to be believed, could well be just around the corner.
But the term “cyber-war” itself apparently means different things to different people. For some, a useful definition was laid out in the Tallinn Manual, written by an international group of about 20 legal experts at the invitation of the Estonia-based NATO Cooperative Cyber Defence Centre of Excellence.
Published by Cambridge University Press in 2013, the Manual is an academic, non-binding study on how international law applies to cyber-conflicts and cyber-warfare – the first, in fact, to analyse the subject in any kind of comprehensive fashion in a bid to clarify some of the complex legal issues involved.
As a result, the document sheds light, among other things, on when a cyber-attack could be considered an act of war, giving an individual country the legal right to defend itself. Effectively such a situation amounts to any offensive action that would lead directly to loss of life, an attack on CNI being a case in point.
But others use the phrase “cyber-war” in a much looser sense and include within its remit everything from cyber-espionage and cyber-crime to all-out cyber conflict.
Cyber cold war
Even in the latter instance though, Tom Williams, lead investigative consultant at information security consultancy, Context Information Security, believes it unlikely that cyber warfare would be conducted in isolation. It would instead more probably occur as part of a broader strategy, acting either as a “precursor to or in conjunction with traditional military activity”.
But whatever the truth of it, it seems that threats to CNI are steadily increasing. A recent study entitled “Cyber Supply Chain Security Revisited by market research firm ESG revealed that just over two thirds of the US-based critical infrastructure organisations questioned had suffered one or more security breaches over the last two years – although it was unclear whether these attacks were political or commercial in nature.
Some 36% of those affected said that a cyber-security incident had disrupted critical business processes and/or critical operations, leading to everything from power failures to ATM outages or clinical systems going offline. Just under a third of those surveyed disclosed that they had also experienced a confidential data breach.
Steve Ward, senior director at iSight’s Critical Intelligence business, which specializes in threat intelligence work for critical infrastructure systems, believes this means that Western nations are now embroiled in what amounts to “a long cyber-conflict or cyber-insurgency”.
These are characterised by covert cyber espionage-style operations from perpetrators such as Russia, China and North Korea, which often use arms-length hactivists and paid contractors particularly from South East Asia as a front. He explains:
It’s more like a cyber cold war. But in the last couple of years, we’ve seen things edging and inching towards the red line of ‘don’t do destructive attacks as it warrants a destructive response.
So if that really is the case, just how vulnerable are our CNI systems today? The answer, it seems, is mixed depending on which elements you’re talking about and which industries. Mark Carolan, head of research and development at information security services provider Espion Group , explains:
It’s better than it was 10 years ago, but it’s not perfect. If we were under attack, the standalone elements would be OK but the devil’s in the interconnectedness.
A key concern here is that many of the core supervisory control and data acquisition (SCADA)-based systems on which CNI around the world is based are old but complex. They were also designed as standalone machines to be looked after by specialist control engineers.
The fact that they were not built with security in mind did not matter until they started being networked together and connected to the internet, at which point they inevitably became vulnerable to external attack – a scenario made even more difficult because of the bespoke nature of such machines which makes them testing to protect. Carolan says:
It’s kind of a soft underbelly in both the UK and US, although over the last 10 to 15 years, they’ve become quite advanced in hardening the control systems that make up the bulk of CNI. They’ve been retrospectively swapping out the more vulnerable systems and getting more secure infrastructure in place, but clearly it’s a long process.
In the case of all-out war though, he believes that the most sustained attacks would be launched against low-profile, soft targets that have garnered little investment for years. He explains:
If you look, for example, at the UK’s reservoirs, canal and river systems, they’re integral to how the country functions, but they’re in isolated places that are rarely visited. I doubt there’s much cyber-security on them but floodgates, for instance, are all controlled by sensors. They’re also disparate and underfunded and so they’re vulnerable.
Financial services institutions, on the other hand, invest huge quantities of money in cyber-security because it is in their reputational interest to do so, which means their operations are among the safest in the world.
But this disparity points to a key challenge for governments. Although they are tasked with protecting the interests of the nation and its citizens, they rely in many instances on private sector companies with often quite different priorities to provide critical services. As Context Information Security’s Williams points out:
It might not be in every chief executive’s greatest interest to implement levels of security that impact their profits. Governments have responsibility and are already doing a lot, but companies have a responsibility too - and not all of them want to spend X amount on security measures for hypothetical situations.
To make matters worse, the supply chain is subject to numerous “interdependencies” that generate their own problems. Espion’s Carolan explains:
Different countries are all buying and using each other’s technology, generally supplied by the cheapest vendor. So you might buy a US tank, but it could have elements that are Russian or Chinese-made. It’s the world we live in, but by adding different service providers into the supply chain, you’re inherently building in insecurity.
Another weak link in the chain is in-house personnel, many of whom could wreak just as much havoc as an external cyber-attack but often are not necessarily vetted as closely as they might be.
So as a result of all this, the European Union (EU) has started investing significant amounts of money to try and safeguard its member nation states’ CNI. One important three-year initiative that has been running since June 2014 is the European Control System Security Incident Analysis Network (Ecossian).
The research project’s aim, which involves nine countries including the UK, is to improve the detection and management of cyber attacks against CNI by implementing a Europe-wide early warning system complete with three tiered command-and-control facilities to coordinate real-time intelligence-gathering and responses to incidents.
The top tier of the model will comprise regional Operator Security Operation Centres (O-SOCs) that support CNI service providers, which, in turn, supply them with intelligence about what is happening on the ground.
The next layer will consist of National Security Operation Centres (N-SOCs), which have been set up at the member state level to coordinate O-SOC activity and liaise with international counterparts in order to improve decision-making and incident response capabilities. The final level is the European Security Operation Centre (E-SOC), whose mission it is to ensure consistent cross-border collaboration.
The goal is to have the entire prototype up and running by 2017 at which point a full-scale test and evaluation will take place. Use cases here will include an attack on international rail and gas networks as well as a cyber-terrorism offensive. If it works, the aim is to use it as the basis of EU-US information-sharing activities for cyber-defense purposes.
Espion’s Carolan, who is involved in the initiative, explains that the focus is one of “coordination rather than control” in order to enable “the free flow of information for the benefit of Europe as a whole to guard against common threats”.
But he also warns that cyber-offensives to hamstring systems or assets are not the only ways to bring a country to its knees. Simply introducing an element of doubt can in some instances be just as damaging. Carolan concludes:
If you wanted to cripple a country, all you’d have to do is poison a bottle of milk, announce it, but don’t say which one it is. If you could prove you did it and got away with it, the government would topple in a week as people’s faith in its ability to protect its citizens would dissolve quickly. So it’s important that CNI is seen to be dependable – in fact, it’s vital.
As attacks against CNI continue to mount, finding ways and means at both the operator and government level to protect national interests and prevent any escalation is a must, making early-warning initiatives such as Ecossian increasingly crucial.