Protecting critical infrastructure in the digital age

13 February 2012 (Last Updated February 13th, 2012 18:30)

Critical infrastructure protection (CIP) has been one of the primary roles of armies throughout history. Dr Gareth Evans discovers how our increasing dependence on modern communication, transport and commodity networks is being threatened by modern forms of warfare as we go deeper into the digital age.

While the character of the key assets to be defended has undoubtedly changed over the years as communication, transport and commodity networks have developed (and our dependency on them grown), the nature of the threat has remained essentially the same.

For centuries CIP simply involved ensuring that an enemy did not physically destroy those assets, or seize control of them by force. In the digital age, however, things have become more complex, as conflict has gone online - and the potential implications for CIP are enormous.

"A cyber-war can inflict the same kind of damage as a conventional war. If you want to hit a country severely, you hit its power and water supplies.

"Cyber technology can do this without shooting a single bullet," wrote Isaac Ben-Israel, senior security advisor to Israeli PM Benjamin Netanyahu, in a newly released report on global cyber-preparedness from independent, Brussels-based think-tank, Security and Defence Agenda, produced with support from McAfee.

Game changer

""Cyber technology can do this without shooting a single bullet," wrote Isaac Ben-Israel, senior security advisor to Israeli PM Benjamin Netanyahu."

The game changer for CIP came in June 2010, with the discovery of Stuxnet - a tailored computer worm, designed to target specific industrial systems and deliver a highly specialised malware payload.

The digital equivalent of a smart bunker-busting bomb, Stuxnet perpetrates a precisely aimed, multilayered attack on Siemens supervisory control and data acquisition (SCADA) systems - technology obtained clandestinely by Iran and central to its nuclear programme - while leaving other computers and networks effectively untouched.

As was widely reported at the time, the upshot left Iran's centrifuges spinning wildly out of control, with false sensor signals generated by the worm fooling the self-destructing system into believing nothing was wrong - a 'man-in-the-middle' attack - and speculation running rife that Israel, and possibly the US too, were behind it all.

Whatever the truth of those rumours, it was what security expert Ralph Langner described as "a marksman's job" and the appearance of what has been called the first 'cyber-superweapon' changed the face of cyber-warfare - and CIP - forever.

Strategic shift

It also marked a strategic shift, forcing military planners to seek new doctrines and rules of engagement to meet these fast-evolving threats, bolstering the human and technological assets necessary to defeat them.

"According to Ilias Chantzos, Symantec's head of government relations for Europe, the Middle East and Africa, over the last eight years, the number of new viruses appearing annually has risen from 25,000 to 286 million."

Strategies developed to counter add-on cyber elements within otherwise conventional conflicts, centred on protecting military systems, have given way to a broader focus on CIP, particularly in the light of the attacks directed against Estonian public services in 2007.

Many defence departments have, for instance, set up dedicated units - such as the United States Cyber Command and the UK's new Defence Cyber Operations Group - to implement new strategies, but the mission facing them remains a challenging one.

Unlike real-world conflict, a cyber-war requires no formal declaration, nor does an armistice necessarily signal its end. It is an ever-present threat, meaning CIP is a round-the-clock job. There is another complication too.

National infrastructure is often not state-owned, so a degree of cooperation and co-ordination between military and civilian cyber defence efforts is inevitable. The situation in Australia, where attempts to infiltrate networks in the public and private sectors are growing in both frequency and sophistication, is fairly typical.

"At the forefront of the government's Cyber Security Strategy are the Computer Emergency Response Team (CERT) Australia and the Cyber Security Operations Centre (CSOC) in the Department of Defence. The CSOC and CERT Australia work together to ensure Australia is well protected against new and emerging cyber security threats," a spokesperson for the Department of Defence explained.

"In the event of a threat or sophisticated attack against industry, the CSOC collaborates with industry through CERT Australia."

However, some, like Lt Col Gregory Conti, assistant professor of computer science at the US Military Academy, West Point, and Col John 'Buck' Surdu, chief of staff of the army's research, development and engineering command, would argue the battle is a military one and that, in the long run, it should fall to the army to fight it.

"Ultimately, the role of fighting and winning in cyberspace is a military mission, which demands a military organization - one that can recruit, train and retain highly qualified cyber-warfare combatants."

Nuclear protection

For the moment at least, it seems such cyber-warriors are in short supply and with threat-awareness spiralling, internet security firms, such as Waterfall Security Solutions, are increasingly filling the void to safeguard nuclear plants and other key installations.

"Our focus is on critical infrastructure protection, mainly industrial facilities - energy, oil and gas -protecting them from cyber-attacks. That includes military grade and nation / state level of attacks, cyber-terror and criminally related cyber assault," said Lior Frenkel, Waterfall's co-founder and CEO. Their technology has already been widely deployed in their home country of Israel and elsewhere.

"The majority of nuclear power plants in the US are now using our solutions," said Danny Berko, Waterfall's product marketing director, adding that although they are generally more reticent about publicising the fact, many in Europe are doing the same - including Spain's largest nuclear power facility.

The Iberdrola-owned Cofrentes plant in Valencia installed several of the company's unidirectional security gateways in August 2011.

Used in process control, SCADA and remote monitoring systems, the key element is a fibre-optic gap that isolates the protected computer/controller system. By taking this kind of hardware-based approach, the gateway physically enforces one-way data flow, enabling secure, real-time outgoing transfer while making network intrusion into the segregated side across that link impossible.
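What a one-way link does to the protocol running over it is the part the paragraph leaves implicit: with no return path there are no acknowledgements and no retransmission requests, so the plant-side transmitter has to number every frame, attach an integrity tag and send redundant copies, and the receiving side can only detect gaps, not repair them. The following is an added software model of that arrangement; it is a hypothetical design written for this article, not Waterfall's product or code, and the readings, tag names and frame format are all constructed for the example.

```python
"""Software model of a unidirectional (one-way) security gateway.

Hypothetical example: a plant-side transmitter pushes process readings across
a channel that only carries data outward. The transmitter is given only the
channel's send() and the receiver only its recv(), so the code has no way to
express a reply. Real products enforce this physically (the fibre gap); here
it is only an object boundary, which is enough to show the protocol effects.
"""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed sample readings from the protected (plant) side.
PLANT_READINGS = [
    {"tag": "TURBINE_RPM", "value": 3000},
    {"tag": "COOLANT_TEMP_C", "value": 288.5},
    {"tag": "PRESSURE_BAR", "value": 70.2},
    {"tag": "TURBINE_RPM", "value": 3001},
]

REPEAT = 2  # forward redundancy: each frame is sent this many times


def _digest(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()[:16]


def encode_frame(seq: int, reading: dict) -> bytes:
    """Wrap a reading with a sequence number and an integrity tag."""
    body = json.dumps({"seq": seq, "reading": reading}, sort_keys=True).encode()
    # The tag lets the receiver discard corrupted frames on its own; it can
    # never ask the sender to repeat one.
    return json.dumps({"body": body.decode(), "tag": _digest(body)}).encode()


def decode_frame(frame: bytes) -> Optional[dict]:
    """Return the inner message, or None if the frame is malformed or tampered."""
    try:
        outer = json.loads(frame)
        body = outer["body"].encode()
        if outer["tag"] != _digest(body):
            return None
        return json.loads(body)
    except (ValueError, KeyError, TypeError, AttributeError):
        return None


class OneWayChannel:
    """Transport with a send end and a receive end and no return path.

    `drop(i)` models link loss: return True to discard the i-th frame sent.
    """

    def __init__(self, drop: Callable[[int], bool] = lambda i: False):
        self._queue: List[bytes] = []
        self._drop = drop
        self._count = 0

    def send(self, frame: bytes) -> None:
        idx = self._count
        self._count += 1
        if not self._drop(idx):
            self._queue.append(frame)

    def recv(self) -> List[bytes]:
        out, self._queue = self._queue, []
        return out


def transmit(readings: List[dict], send: Callable[[bytes], None]) -> int:
    """Plant side: emit every reading REPEAT times. Never reads anything."""
    for seq, reading in enumerate(readings):
        frame = encode_frame(seq, reading)
        for _ in range(REPEAT):
            send(frame)
    return len(readings)


@dataclass
class ReceiverState:
    readings: Dict[int, dict] = field(default_factory=dict)  # seq -> reading
    corrupted: int = 0

    def gaps(self) -> List[int]:
        """Sequence numbers missing below the highest one seen.

        Loss of the final frames is invisible here; a production receiver
        would also alarm on the sender's heartbeat going quiet.
        """
        if not self.readings:
            return []
        hi = max(self.readings)
        return [s for s in range(hi + 1) if s not in self.readings]


def receive(frames: List[bytes]) -> ReceiverState:
    """Corporate side: verify, de-duplicate and record what arrived."""
    st = ReceiverState()
    for f in frames:
        msg = decode_frame(f)
        if msg is None:
            st.corrupted += 1
            continue
        st.readings.setdefault(msg["seq"], msg["reading"])  # copies collapse
    return st


def run(drop: Callable[[int], bool] = lambda i: False) -> ReceiverState:
    ch = OneWayChannel(drop)
    transmit(PLANT_READINGS, ch.send)  # tx is handed only send()
    return receive(ch.recv())          # rx is handed only recv()


if __name__ == "__main__":
    clean = run()
    lossy = run(drop=lambda i: i in (2, 3))  # both copies of seq 1 lost
    print(len(clean.readings), clean.gaps(), len(lossy.readings), lossy.gaps())
```

Dropping one copy of every frame (`run(drop=lambda i: i % 2 == 0)`) still yields the full set of readings, which is the point of the repetition; dropping both copies of a frame leaves a gap the receiver can report but never fill, which is the operational price of a link that has no inbound direction.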

Redefining the front line

"The game changer for CIP came in June 2010, with the discovery of Stuxnet - a tailored computer worm, designed to target specific industrial systems and deliver a high-specialised payload of malware."

Nato's member countries report five or six important cyber incidents daily and Israel is on the receiving end of a staggering 1,000 cyber-attacks a minute - though most of them are, admittedly, minor league events.

According to Ilias Chantzos, Symantec's head of government relations for Europe, the Middle East and Africa, over the last eight years, the number of new viruses appearing annually has risen from 25,000 to 286 million.

Against a continuing trend of increased reliance on computer systems and data networks, critical infrastructure - as well as the economy and way of life it supports - appears more vulnerable than ever before, without, as Ben-Israel said, a single shot needing to be fired.

With the Pentagon having recently adopted a policy which would permit the use of conventional force to respond to cyber-attacks against US critical infrastructure, and Nato reportedly considering a similar stance, as former deputy secretary of defense William J Lynn III put it: "Cyber has redefined the frontlines of national security." The challenge for modern militaries remains to defend them.