“Canada’s critical infrastructure consists of the physical and information technology (IT) facilities, networks, services, and assets essential to the health, safety, security, or economic well-being of Canadians, and the effective functioning of government. The real value is that of the transportation and transformation of information and control telemetry. Cyber-attacks have already had measurable adverse economic effects for Canada, totalling in the billions of dollars. The risks to critical infrastructure and infostructure are increasingly complex and frequent. The telecommunications sector is the nervous system that binds all other critical sectors and, upon which, other sectors are most dependent. More than $174 Billion[1] in electronic funds traverse the network core every day. This figure eclipses the physical cross-border shipments of goods, which has garnered so much attention. A minuscule disruption in network-throughput results in a direct and measurable financial impact.”[2]
Key Points
§ Cyber is the nervous system that connects all critical infrastructure sectors.
§ Cyberspace is a complex, hyper-connected, non-linear and chaotic system.
§ Rapid convergence has created a frictionless state between the Human terrain, the Network and Machines, evolving to the Internet-of-Everything (IoE).
§ Interdependency increases risk contagion amongst critical infrastructures.
The media would have us believe that Cyber terrorists are poised to unleash a catastrophe that would send western civilization back to the stone-age, leaving us with zero bars in darkened rooms. Fear and ignorance sell papers and ratings.
Certainly, our most vital systems, energy, transportation, finance and communications, depend on complex, inter-connected global networks. They're fast, efficient and uniquely vulnerable to major failure or attack. System Crash: a documentary by Omni films, based upon research by Bell Canada[3], went behind the scenes and looked at how critical systems and Canadian infrastructures work, and how they can fail in spectacular and sometimes devastating ways from a Critical Infrastructure (CI) attack accidental or natural event.
http://www.omnifilm.com/factual/system-crash
A CI attack could come in the context of an emerging crisis in Russia/Ukraine, Japan-China-Senkaku Islands, or the Middle East Dealing with a deliberate CI attack in the midst of another crisis would overwhelm most governments. Hostile actors could very well take advantage of a natural disaster or malfunction to launch a cyber offensive. Whose responsibility is it then to defend Canada?
“The responsibility for CI protection related to interdependencies risks rests with the Federal Government as the national guarantor of Peace, Order and Good Government (POGG). No other entity in Canada has the mandate or capacity to address the risks to national security and prosperity resulting from the obvious and alternately understated interdependencies that exist among the variously owned and regulated CI sectors.”[4]
The Public Safety Canada Strategy and Action Plan for Critical Infrastructure warns that “as the rate and severity of natural disasters increases, so does the possibility that disruptions of critical infrastructure could result in prolonged loss of essential services. The risks and vulnerabilities are heightened by the complex system of interdependencies among critical infrastructure, which can lead to cascading effects expanding across borders and sectors. The implications of these interdependencies are compounded by society’s increasing reliance on information technologies.”
Consider that, the computational power and interconnectivity of the ‘Internet-of-Things’ has exceeded that of the human brain. We are entering a period of instability and risk within the system where social media provides a frictionless state between the Human terrain, the Network and Internet-of-Everything. Where a meme[5] can precipitate an Infrastructure Collapse or inception of a contagious idea that causes the lights to turn off in a city. Look no further than the Arab Spring, or in 2013, when the Syrian Electronic Army hacked AP’s Twitter account releasing a 140-character story of an attack on the White House that caused stock market plunge $136.5 billion.
“The history of strategic surprise has been filled with the failure to predict future discrete events and, more importantly, a failure to detect the nature of emerging threats.” – Tom Quiggin
There are plenty of anecdotes of maleficent actors turning lights off in office buildings, remotely opening dams, hacking government servers, denying commercial business operations, interfering with air traffic control, and mounting clever bank heists.
“Through convergence, cyber has evolved to a complex ecosystem of information and systems. Information warfare is advanced particularly in highly-contested environments and fragile states. Our adversaries are sophisticated and aggressive. Their operations are agile, adaptive, and dispersed.”[6]
The terrorist attack on the world trade centre on 9/11 took out vital communication hubs, trading centres and the aftermath affected the viability of the air travel industry for months afterwards. But this was not by design. The terrorists had absolutely no clue as to the ramifications of slamming airplanes into big buildings for shock effect. They could not have even foreseen that the planes would have collapsed the towers. Nor has AQ been able to capitalize on what was seen in the cascading 2nd order effects.
The 2003 Ontario blackout is a good example of how multiple threat vectors can ‘inadvertently’ combine to create perfect storm events in complex infrastructures. Offices were closed when the lights went out downtown, although many people continued to work remotely from alternative locations. The Blaster worm was introduced into enterprise systems through these insecure computers, causing widespread and prolonged shut-downs. The worm also contributed to the cascading effect of the blackout – recursive effect. According to the U.S. Department of Energy's Idaho National Engineering and Environmental Laboratory, it degraded the performance of several communications lines linking key data centers used by utility companies to manage the power grid, most certainly affecting the timeliness of the flow-control and load-balancing data that's transmitted over public telecommunications networks also known as supervisory control and data acquisition (SCADA) systems. Although, there is no evidence that malcode caused the blackout, the two events became entangled. The original Blaster was created after a Chinese hacking collective called Xfocus reverse engineered the original Microsoft patch. Subsequently a Romanian man was charged with releasing a variant of the Blaster worm.
Russian and Chinese cyber-espionage has proved a persistent threat to Canadian CI including the Public Sector. Flame, Shamoon and red October spyware have been labeled CI attacks, but in reality these have been targeted cyber espionage campaigns against CI owners rather than the critical infrastructure itself.
Indifference and passivity after repeated Chinese and Russian attacks against Canadian Institutions, military installations and infrastructures[7] have invited more aggressive campaigns and transgressions. It can be argued that, indecisiveness has contributed to the collapse of our Information Communication Technology (ICT) supply chain, and ironically led us to become more dependent on our rivals for critical technology.
The New York Times reported that Stuxnet was part of an operation dubbed ‘Olympic Games’ launched against the Iran nuclear weapons program. It affirmed what many suspected; that cyberwar is not a distant theoretical probability. Stuxnet was arguably one of the most sophisticated well-orchestrated targeted attacks.
Cyberspace advances asymmetric and irregular warfare. It is the means whereby a hactivist group, like Anonymous, can mount a successful Distributed Denial of Service (DDOS) assault against one of our Canadian sectors, despite the early warnings and indicators picked up in social media. But this does not require sophisticated understanding of the infrastructure.
Quantitative Evidence
There is incontrovertible documented evidence[8] of a clear aggressive and sophisticated cyber threat, widespread attacks and measurable losses affecting all critical public and private sectors in Canada.[9] Leading with a react and recover strategy is unaffordable.
“The current strategy reflects a willingness to wait for disaster to strike – and in so doing invite it.”[10]
Cyber threats have evolved from hackers, script kiddies and web defacements, to crime cartels operating sophisticated robot networks in tandem with hostile foreign intelligence services (HoIS). Attacks are becoming more bodacious, sophisticated, targeted, dangerous and undetectable by traditional means[11].
“Deterrence needs to be cross-domain and cannot exist without a credible offensive capability in which to project both power and influence.”[12]
An Advanced Persistent Threat (APT) development called “Operation High Roller” used cyber- agents to collect PC and smart-phone information to raid bank accounts electronically. The attackers were operating from servers in Russia, Albania and China to carry out electronic fund transfers. According to McAfee, a variant could be re-engineered to target financial services infrastructure and attack the Automated Transfer Systems in Europe and new High Roller-based attacks aimed at manufacturing and import/export firms could target the Automated Clearing House infrastructure, which processes much of the world’s e-commerce transactions. The Iranian government was suspected to be behind the hack of the Root certificate authority DigiNotar in 2011. The recent, Swift Payment System Attacks[13] have cost banks millions.
Similarly, over 12% of Internet traffic, including that of 8,000 North American businesses, was deliberately redirected through China for what analysts suspect was a templating effort and a precursor to the targeted attacks against Canadian public and private sectors that followed soon thereafter.
A textbook pattern of unrestricted warfare in Estonia, Georgia, Syria, Iran and, now, the Ukraine, looks something like:
-
Deny the opposition forces or government their information communications technology (ICT) infrastructure;
-
Jam the media and outside access to the Internet;
-
Propagate malware through manufactured hactivism to hide advanced targeted cyber operations;
-
Attack the confidence in the economy (financial systems);
-
Launch a disinformation and influence campaign on traditional and social media;
-
Control the message and become the only source of news;
-
Generate power blackouts where you are mounting operations; and
-
Roll tanks down the main streets to ‘protect’ the population and ‘restore stability.’
Although these are not the wildly destructive infrastructure attacks we see from the movies, they do chart a path in that direction.
Thankfully, since the emergence of the Internet and CIP was first discussed, there have been no recorded cases of a successful attack, which deliberately caused a cascading unrecoverable state across multiple CIs. Why not?
The Challenge of Complexity
To understand real threats and risks to Canadian critical infrastructures one needs a grasp of: complex systems, chaos and gaming theory. You will also need comprehensive pragmatic experience in CI (telecommunications, financial, energy sectors et.al), presumably from a cross-domain team of experts, access to telemetry & metrics, and a super-computing grid.
Complex systems are described in high-fidelity modeling, technology, processes, and social networking. The relationships between parts give rise to the collective behaviors of a system and its interaction with the larger ecosystem. The equations that model these systems are derived from statistical physics, information chaos theory and non-linear dynamics, and represent unpredictable behaviors of natural systems that are fundamentally complex.
The key problems of CI are the challenge with their formal modeling and simulation. Since all complex systems have many interconnected components, the socio-technological network sciences are critical to the study of CI.
Game theory involves strategic-listening and decision-making, building mathematical models of conflict and cooperation between intelligent entities in contested space.
Cyber Critical Infrastructure Interdependencies by Bell Canada and the RAND Corporation in 2006-2007 quantitatively measured interdependency risk, contagion and multi-order effects between Canadian CIs using network communication flows, and supply chain econometrics. The findings were contrasted with qualitative risk assessment gained through extensive interviews of stakeholders. There was found to be a profound perceptive gap between common beliefs about threat-risk and evidence. The conclusion was: “You cannot manage, what you don’t measure”.
Similarly, using the models created by the Bell-RAND study, the 2010 Olympics confirmed that the confluence of targets-of-opportunity represent a greater risk contagion through their complex interdependencies; where risk conductance (volume and velocity) across CIs are a direct function of interdependency.
The Davos Foundation warns of the perils of hyper-connectivity and networks; “a healthy digital space is needed to ensure stability in the world economy and balance of power.”
Hard problem for the “Bad Actor”
Thankfully, not all threat actors are good at math, nor do they have the means or insider knowledge to model and manipulate CIs for effect. Deliberately knocking out a national infrastructure and getting them to stay down is tough. Part of the reason is that they are so resilient.
In the same fashion that complex systems can fail in unforeseen ways, they also heal in unexpected ways. Thus, an ‘invisible hand’ frustrates attackers.
“Volatility, uncertainty, complexity and ambiguity characterize the strategic environment.” – U.S. Army War College
What constitutes a Nightmare Scenario?
“The tipping point is the point where "the momentum for change becomes unstoppable." – Gladwell
“In this age, the mouse has proved mightier than the missile in its ability to deliver measured strategic real-world effects. The annual costs of cyber-attacks on Canada rivals the entire defence budget. The innovation cycle is driven by the threat and offensive doctrine. The vector of change will come out of traditional cyber domains. We do not yet have a winning strategy.”[15]
The science behind a successful strategic offensive against critical infrastructure is to manufacture the perfect storm of events such that one can precipitate cascading failures, from which it is difficult to recover.
Application
These steps are even more difficult to operationalize because the strategy requires an in-depth understanding of systems-of-systems, within each environment[16].
Thus, telecom, energy and financial systems represent a highly co-dependent ‘iron triangle’ of critical infrastructure.
Traditional tic-tac-toe Solutions
While the fortification system that made up the Maginot Line did prevent a direct attack, it was strategically ineffective. Likewise, traditional security systems can’t deal with strategic assaults. Physically mapping some ‘vital’ facilities is missing the forest for the trees; ignoring root systems and the larger ecosystem.
The calls for more working groups, standards, compliance audits or renewed attempts at redefining cyber are as effective at CIP as “re-arranging deckchairs on the Titanic.” To date, much of the discourse has been preoccupied with recovering from natural and accidental disasters and hazards like: the 1996 Saguenay Flood, the 1997 Red River Flood, the 1998 Ice Storm, the 2003 Power Blackout, and the 2003 Severe Acute Respiratory Syndrome outbreak. But these scenarios do not address complex deliberate offensive campaigns across multiple domains particularly ethereal ones like cyber, finance and energy.
One cannot regulate quantum mechanics, chaos and complexity. The beneficial purpose of regulation of CI is to limit degrees of freedom in these systems, to allow for them to self-correct. However, this needs to be done very carefully. Pulling the wrong leaver or cutting the red wire instead of green can lead to dire consequences.
You begin by developing as good of defensive capability as possible, but at some point you have to ask yourself, and ministers will have to consider, whether they should be given the capacity to push back as opposed to just defending." - Dick Fadden, Former National Security Advisor
What is the “art of the possible for defence of CI?
We can still win at poker (an unsolvable game) by complex pattern recognition, playing the probabilities, and practical gaming theory.
“Foremost, effective Cyber Security begins with a Strategic Understanding of the domain.”[17]
So, for cyber and CIP, one would start with a high-fidelity model based upon interdependencies, contagion and risk conductance. Not just qualitative surveys and workshops. An attack surface analysis[18] using Advanced Open Source Intelligence (A-OSINT) that would gather the necessary data to populate the model and complete an organizational security posture assessment from the perspective of a sophisticated cyber adversary. Subject Matter Experts (SME) from the CIs would validate and verify the data-model. Operational research could use a synthetic environment (test range) to simulate or war game critical infrastructure defence strategy realistically. This is just the beginning.
[1] Canadian Bankers Association [2] Study on the Analysis of Darknet Space for Predictive Indicators of Cyber Threat Activity –Communication Security Establishment, Bell Canada and Secdev Cyber Corp, 31 Mar 2011 [3] State-of-Readiness (Cyber Security) of Canada’s Critical Infrastructures. And Cyber Interdependencies of Canada’s Critical Infrastructures, 2007 [4] Consolidated Industry response to Public Safety Canada’s: Working Towards a National strategy and Action Plan for Critical Infrastructure, 2008 [5] A highly contagious idea, thought or trend established in social media in the form of a photo, video, saying, or idiom. [6] 5th Dimension Defence Policy Review – Cyber 2016 [7] Combating Robot Networks, Dark Space, APT0, APT1 and Night Dragon investigation, et.al. [8] Darkspace Project, Combating Robot Networks and their controllers Study, Night Dragon, Aurora, Koobface, Shadows in the Cloud, McAfee Annual threat report and GhostNet et.al. [9] Cyber Critical Infrastructure Interdependencies Study 0D160-063075/A, Public Safety Canada, Bell Canada and the RAND Corporation dated 2006-04-28 [10] Consolidated Industry response to Public Safety Canada’s: Working Towards a National strategy and Action Plan for Critical Infrastructure, 2008 [11] Night Dragon Investigation [12] 5th Dimension Defence Policy Review – Cyber 2016 [13] https://www.ffiec.gov/press/PDF/Cybersecurity_of_IMWPN.pdf [14] “Most malicious traffic is filtered by the ISPs.” Combating Robot Networks and their Controllers PSTP08-0107eSec. 2013 [15] 5th Dimension Defence Policy Discussion Paper – Cyber 2016 [16] Core PE/CE routers of Multiprotocol Label Switching (MPLS), Content delivery networks (CDN), Root Domain Name Services (DNS), Network Time, and certificate authorities represent fundamental control points for telecom in the same way that Supervisory control and data acquisition (SCADA), Industrial Controllers and smart grid are critical to the energy sector. Both link to the financial sector through the provision of banking systems, online merchants, power-related commodity trading and Energy Trade Risk Management (ETRM) systems. [17] Thing Big on Cyber, Dave McMahon, COO Secdev Cyber Corp 2014 [18] Attack Surface Analysis would involve: network enumeration, detection of existing cyber attacks and compromises, supply-chain providence, operational security exposures, foreign ownership control and influence activities, econometrics, social media monitoring and human terrain mapping.