State-sponsored cyber attacks against critical infrastructure are increasingly pervasive. Their global presence and effective methods are asymmetric, coercive, and debilitating.
As the US becomes progressively vulnerable to cyber espionage and exploitation, it largely relies on domestic agencies to protect infrastructure from aggression. Accordingly, a whole-of-nation approach, in which the Department of Defense (DoD) plays a larger role in supporting infrastructure security, would better defend against the catastrophic consequences of a state-sponsored cyber attack.
No better example emphasizes the gravity of this threat variety than Stuxnet, the infamous worm that disrupted Iranian nuclear proliferation by attacking a suspected enrichment facility. Stuxnet covertly worked its way into industrial operating software through intermediary devices before targeting centrifuge motors and degrading enrichment (Farwell & Rohozinski, 2011). Sabotage eluded detection for months. Though damage was limited and eventually repaired, attacker tactics delayed rather than completely incapacitated Iranian efforts (Lindsay, 2013).
Iran’s response to Stuxnet, a malware attack on Saudi Aramco (known as Shamoon), offers another instance. Here, a self-replicating virus struck Aramco’s network, deleting hard-drive data, corrupting files, overwriting master boot records, and relaying vital information (Bronk & Tikk-Ringas, 2013). Thousands of computers were disabled, thus hurting production, hindering profits, and disturbing global energy markets.
In comparison, Russian-linked attacks have evolved to exact physical damage to critical infrastructure through cyber means. Russian hackers facilitated a Turkish pipeline explosion in 2008 by infiltrating security systems, disarming alarms and cameras, blocking communications, and super-pressurizing crude oil in the line (Robertson & Riley, 2014). This was a suspected blended attack involving the assistance of onsite special operators (Robertson & Riley, 2014).
Power stations are also popular targets for Russian hackers, as in a malware-based attack on a Ukrainian energy substation. Known as CRASHOVERRIDE, this attack leveraged infiltrated knowledge of grid operations and network communications to manipulate control system settings, leaving thousands of residents without power during the winter (Nakashima, 2017).
These global trends underline major strategic implications. They challenge conventional notions that cyber-weapons are leveraged by the weak. They also paint cyber-attacks as possibly more effective or safe than traditional strikes, inferring that cyber warfare is a strategic substitute rather than a complement to conventional warfare (Lindsay, 2013). Further, such events have taught us that public-private defense partnerships are challenging, physical security of sites alone is insufficient, and slight modifications to adversary malware can affect us directly within our borders.
Closer to home, foreign hackers have penetrated over a dozen American power plants (including a nuclear facility in Kansas), aiming to extract critical operational information and establish backdoors into the systems for future disruptions (Riley, Dlouhy & Gruley, 2017).
Firms that produce power generation control systems have also been hacked by Russia (Riley et. al, 2017). CRASHOVERRIDE could be deployed against American utilities and electrical transmission because the malware can stop power flow while erasing the control software (Nakashima, 2017). If employed at multiple sites, results could be tragic and responses extremely difficult.
Just this year, the Office of the Director of National Intelligence (ODNI) revealed Chinese interest in our infrastructure. China has been testing its ability to inflict focused and disruptive effects on power sectors, with emphasis on pipelines (Coates, 2019). Oil and gas rely on intricate and computer-centric procedures for drilling and logistics (Bronk & Tikk-Ringas, 2013). A multifaceted attack, in which power is sabotaged and a contingency of oil is restricted, would have devastating consequences on our economy in short order.
The heart of adversary cyber activities surrounds supervisory control and data systems (SCADA), which utilize remote monitoring and controlling. Thus firmware on critical devices can be overwritten at substations, effectively booting operators (Wagner, 2016). How does this occur? Malware sneaks through systems undetected by targeting users, and eventually establishes a backdoor (Wagner, 2016). Security systems are supposed to be in place protect the entire system with patches. Nonetheless, it only takes a single vulnerability to be exploited amidst numerous safeguards.
Adversarial intent is unclear, but vulnerability-hunting activities infer initial preparations for future conflict or technologically generated disasters. In a nation that is increasingly reliant on information technology and its interconnection with the electrical grid, exploitation looks growingly susceptible.
The challenge of security is tenuous. Defending against cyber attacks on infrastructure has dual liabilities at grassroots and national levels of authority.
At the grassroots level, most infrastructure is locally or privately owned. Poor security and cyber hygiene are entirely private issues. Due to modernization, however, micro implications have become macro liabilities.
Decades ago, most of our power generation leveraged analog technology with air-gapped deployments. When such control architecture is eventually brought online, it becomes a prime target for brute force attacks (Wagner, 2016). Here, cyber security inexperience often leads to failure to patch software weaknesses. This lack of awareness increases susceptibility to zero day attacks with national impact.
Eventually firms adopt blacklisting, where it’s possible to patrol a network to identify and block threats. Nevertheless, the cyber domain routinely demonstrates that advantages lie with attackers over defenders. This is particularly the case for nation states with large-scale cyberspace capabilities, such as China. They target vulnerabilities.
In the US, a largely private and locally owned infrastructure industry requires government assistance. Domestic response is focused around US Code Title 6 funding allocated for homeland security and critical infrastructure.
The Department of Homeland Security (DHS) is the principal provider of protective and advisory services to industries in need of cyber security. The Department of Justice (Federal Bureau of Investigation) contributes with investigatory assistance if attacks entail criminal damages, while the National Security Agency collects data to better appraise the intelligence picture and determine attribution. In essence, these agencies monitor the attack environment, identify (usually belatedly) threat types, and warn utilities of potential threats. Such actions have limited effects.
For instance, beyond DHS’ challenges of size, budget, and policy enforcement, its emergency cyber competencies are limited to mitigation of ongoing attacks. Without authorized clearances to address attacking networks, DHS has little power beyond mentorship and intelligence sharing.
In fact, none of the inter-agency has Defensive Cyberspace Operation Response Action (DCO-RA) competencies, which seek to neutralize an attacking network (JP 3-12). Ironically, the governmental arm best equipped to address and protect against such attacks, is both organizationally reluctant and legally restrained from doing so.
The Department of Defense’s cyberspace operations competency relies on a triad of prerequisites to create an effect in cyberspace. These criteria comprise capability, access, and authority (JP 3-12).
While first-step measures are nearly guaranteed, follow-through measures pose problems. United States Cyber Command (USCYBERCOM), DOD’s proponent for cyberspace operations, avoids (for authorization reasons) operating within the gray zone. This area is a domain below the level of war and questionably inside our borders (CSIS, 2019).
Of course, it’s well within CYBERCOM’s capacity to respond to an overt act from a nation state. Yet, the challenge of attribution, a trait synonymous with cyber attacks, presents an obstacle. Thus, intervention without direct attribution mostly ensures the status quo and continued vulnerability.
Cyberspace advantage should be a goal of the national defense of critical infrastructure. This is a realistic target when considering that cyber superiority is a fleeting concept given increased interconnectivity, exponential technological growth, and adversaries’ aversion to ethics. How do we get there?
Three words provide the roadmap: unity of effort. This phrase is a regularly espoused joint military precept, yet daunting in practice. It simply entails working towards a common goal. Suitable national cyber security cannot remain a domestic security practice, or even a whole-of-government approach. It requires a whole-of-nation effort.
President Obama spearheaded this path by establishing a framework for government agencies to share risk management practices with willing private and public sectors (EO 13636).
Further, President Trump has enacted cyber authorization reforms to make operations easier to conduct (NSPM 13).
Nevertheless, we still face challenges tied to conflicting interests, differing cyber linguistics, poor hygiene, intelligence sharing, deficient domestic agency tools, and constrained military aptitudes. In turn, the means of protecting critical information is foiled by the inability to share information.
That dilemma is compounded when the laws surrounding the deployment of cyber actions are outdated, trail technological advancement, and are intentionally murky.
It’s no longer enough to monitor for potential attacks in reactionary fashion. Policy reform is obviously needed to loosen execute orders (EXORDs), bolster activities outside DOD, compel hygiene compliance, and strengthen interagency cyber expertise.
Notwithstanding the absence of such reforms, below are some realistic prescriptions for bridging the gap between infrastructure-related disaster and cyberspace advantage.
The US can ensure it is better prepared to prevent cyber attacks on infrastructure by focusing on three broad areas: increased threat consciousness; deterrence; and creativity.
In order to increase threat consciousness, a paradigm shift needs to occur where notions of need-to-know become need-to-share. The result yields national interoperability and holistic defense. Certainly, this requires the entity with the strongest cyberspace competencies to take the lead, support others, and share its expertise. Thus, the DOD must assist domestic agencies in defense of the homeland.
This effort starts with coordination at the Inter-Agency Working Group level and verified within fusion cells at the Cyber Joint Operations Center. Synchronously, CYBERCOM can train and assist DHS, FBI, and others in building competencies while the National Security Agency (NSA) capitalizes on current intelligence sharing practices to paint a better picture of the dynamic threat.
CYBERCOM should also share some of its analytical programs (which detect and mitigate malware and system abnormalities) in an effort to build similar machine learning platforms. It should also work more directly with the US Coast Guard, which possesses sufficient cyber authorities and skill sets to support Title 6 defense in more significant fashion.
An effort to deter can be conceptualized as a two-edged sword. On one side, individual utilities can limit access to their networks, reducing exposure and opportunities for hackers. In turn, a need-to-use basis for security compounded across industry would prove formidable. Since the best defense entails having a robust offense, and considering that domestic agencies or infrastructure firms lack offense, the alternate blade edge must wield the coercive cyber capacity of the US.
Suitably, CYBERCOM is developing more assertive targeting against Russian and Chinese power grids (Cheravitch, 2019). Naturally, these states have recognized such activities and protested (Cheravitch, 2019). If an adversary knows their exploitations will be matched, there may be less incentive in the pursuit.
Without a doubt there is a role for National Guard Cyber Protection Teams (CPT) in protecting state infrastructure on Title 32 status. CPTs are trained to conduct Defensive Cyberspace Operations (DCO), the use of “blue” cyber capabilities to defeat ongoing malicious activity (JP 3-12). That said, this should be considered at the national level and hashed out with respective governors. It may also be worthwhile to look into allowing domestic agencies to conduct their own versions of DCO-RA.
Finally, creativity is the ingredient that will make our infrastructure resilient. Promoting cutting edge technology at the highest level will prompt upgrades of systems and platforms. Industries will seek out better means to secure data within them. This activity infers that the DOD must be engaged with the information community and monitor technological advancement.
Momentum appears to support that engagement with the recent establishment of the Army Futures Command. Part of this creation entails seeking out ways to leverage data with the assistance of machine learning and artificial intelligence. Such tools assist with network intrusion detection, anomaly detection, and cyberspace log analysis. They should be rapidly presented to industry. The DOD could thereby connect suppliers with consumers, while the federal government could provide subsidies to mitigate costs needed to modernize control architecture.
Another area to focus on is creating ways to incorporate industries into the Department of Defense Information Network (DODIN). DODIN operations internally secure and protect the defense network, to include leased systems (JP 3-12). Figuring out ways to incorporate the DODIN into local utilities, such as conditional lease agreements, may compel better cyber hygiene (data management, secure authorizations, and web security tools).
A cyber partnership with the private, state, and local sectors is larger than mere protection. Partnership projects a united front that signals to adversaries potential consequences for exploiting a part of that whole. Sharing threat intelligence, early warning indicators, and best practices through research, symposiums, contracts, and assessment are merely the means to get there.
Conflict among adversaries exists on a continuum, yet many times activities fall short of traditional warfare. Here, cyberspace asymmetrically enables the realization of strategic gains, particularly when the domain becomes a medium to covertly cripple national infrastructure.
Adversaries have exercised this threat both abroad and at home, highlighting our ill preparedness to identify and counter cyber exploitations.
Challenges to streamlined defense include deficient interoperability, unbalanced competencies, complicated permissions, and poor internal security measures. That being said, it’s apparent that the DOD needs to share the wealth in terms of cyber security, both within government and industry.
Efforts that champion threat consciousness, deterrence, and creativity provide a blueprint for closing this gap and getting us to a place where infrastructure is safe from cyber peril.
References
Bronk, C., & Tikk-Ringas, E. (2013). The cyber attack on Saudi Aramco. Survival, 55(2), 81-96.
Center for Strategic & International Studies (CSIS). (2019). Competing in the Gray Zone: Countering Competition in the Space between War and Peace.
Cheravitch, J. (2019). Cyber threats from the US and Russia are now focusing on civilian infrastructure. Tech Crunch.
Coates, D. (2019, January 29). Worldwide Threat Assessment of the US Intelligence Community.Office of the Director of National Intelligence. 2-40.
Executive Order (EO) 13636. (2013). Improving Critical Infrastructure Cybersecurity.
Farwell, J. P., & Rohozinski, R. (2011). Stuxnet and the future of cyber war. Survival, 53, 23-40.
Lindsay, J. R. (2013). Stuxnet and the limits of cyber warfare. Security Studies, 22(3), 365-404.
Nakashima, E. (2017). Russia has developed a cyberweapon that can disrupt power grids, according to new research. The Washington Post, June 12, 2017.
National Security Presidential Memorandum (NSPM) 13 (2018, September 18).
Riley, M., Dlouhy, J.A., and Gruley, B. (2017). Russians Are Suspects in Nuclear Site Hackings, Sources Say. Bloomberg Politics, July 6, 2017.
Robertson, J., & Riley, M. (2014). Mysterious ’08 Turkey Pipeline Blast Opened New Cyberwar. Bloomberg Technology, December 10, 2014.
Wagner, D. (2016). The Growing Threat of Cyber Attacks on Critical Infrastructure. IRMI.