93% of large corporations and 87% of small businesses reported a cyber breach in the past year. On average over 33,000 malicious emails are blocked at the gateway to the Government Secure Intranet (GSI) every month.
With the cost for a cybersecurity breach estimated between £450,000 to £850,000 (over €1 million) for large businesses and £35,000 to £65,000 (nearly €80,000) for smaller ones, governments must look at new ways to protect businesses and critical infrastructure and make their countries more resilient to cyber attacks and crime.
The general definition of cybersecurity is to put in place tools, policies, security concepts, security safeguards, guidelines, risk management, approaches, actions, training, best practices, assurance and technologies to protect the cyber environment and organization and the user’s assets.
Cyber warfare can be used to conduct political, economic or military attacks. Cyber warfare can also be used to conduct espionage including industrial espionage, allowing a country to potentially gain access to another nation’s secrets with little risk.
Attacks are becoming more frequent and are often attributed to hacktivists, politically motivated hackers whose attacks range from the annoying defacement of websites to full-scale attacks on a target country, as was the case in Estonia in 2007.
There is a debate as to whether these hacktivists are controlled by a nation state, or are simply a loose band of people on a cause. Much of the evidence points to the former. That nation states lie behind many of the attacks. One question that arises is whether the Estonia incident was an incidence of cyber warfare.
Scott D. Applegate from the US army argues that there is no legal definition of cyber warfare and there is unlikely to be one in the near future. He further argues that cyber warfare provides attackers with plausible deniability, since Internet attacks are difficult to track to a single origin.
Critical infrastructure at risk
What Applegate describes as cyber militia, a confederation of hacktivists funded by a nation-state who perpetrate cyber attacks, can achieve their political objectives without adhering to the Law of Armed Conflict. The UN defines this as “the use of armed force by a State against the sovereignty, territorial integrity or political independence of another State, or in any other manner inconsistent with the Charter of the United Nations.”
While many militaries use computers as a weapon system, it’s debatable whether using computer systems to attack a country can be deemed as using armed force. Under the Law of Armed Conflict, armed forces must distinguish between military and civilian targets. However, distinguishing targets in cyberspace is difficult, as people can only identify the majority of systems by their Internet protocol addresses and domain names.
Cyber attackers targeting a nation-state’s information infrastructure may well cause collateral damage to civilian systems and critical infrastructure.
Applegate also points out that the greatest concern to most security analysts is the critical infrastructure which is particularly vulnerable to cyber warfare.
While there is no record of anyone ever having died due to a cyber attack or because of a computer being hacked, vulnerabilities associated with critical infrastructure, especially Supervisory Control and Data Acquisition (SCADA) systems, poses a serious threat.
SCADA systems are networked computers that automate the control of infrastructure systems such as the electrical grid, sewage systems, utilities and traffic control systems.
An example of an attack on a SCADA system is when a disgruntled former employee hacked into the sewage system in Queensland, Australia and released an estimated million liters of raw sewage into rivers and coastal waters. The attacker attempted to hack into the system 44 times from a remote location without being detected until he finally succeeded.
1982, the first incident
Since as far back as 1982 there have been several cases of cyber attacks where nation states are suspected of being the instigators.
In 1982 the CIA used a so called “logic bomb” to blow up a Siberian gas pipeline. The Trans-Siberian Pipeline required an advanced SCADA system. The pipeline used plans for a sophisticated control system and its software that had been stolen from a Canadian firm by the KGB. The CIA allegedly had the company insert a logic bomb in the program for sabotage purposes. The result was a violent explosion with the power of three kilotons of TNT. The attack had an enormous economic and psychological effect on the Soviet Union and is credited with helping to end the Cold War.
On April 26 2007, the Baltic State of Estonia experienced the first wave of distributed denial-of-service (DDoS) attacks. These cyber attacks were launched as a protest against the Estonian government’s removal of the Bronze Soldier monument in Tallinn, a Soviet war monument erected in 1947.
The attacks targeted prominent government websites along with the websites of banks, universities, and Estonian newspapers. After three weeks, the attacks ceased as suddenly as they had begun, but not before the Estonian government undertook measures to block all international web traffic, effectively shutting off the “most wired country in Europe” from the rest of the world.
The cyber attack on Estonia led NATO to establish the Cooperative Cyber Defense Center of Excellence in 2008, focusing on coordinating cyber defense and establishing policies for aiding allies during cyber attacks.
The importance of these cyber attacks lies not in their size or scope, but rather in the precedent they created for future cyber conflicts. Since then, cyber attacks have become a proven political weapon as a way of intimidating enemies, silencing them, and potentially controlling their infrastructure.
On 6 September 2007, Israeli aircraft carried out a bombing raid on a Syrian nuclear reactor being constructed by North Korean technicians. Codenamed Operation Orchard, the Israeli military reportedly used technology similar to the USA’s Suter airborne network to feed enemy radar with false targets and directly manipulate enemy sensors. This allowed Israeli jets to pass through undetected and carry out their mission. Some sources also maintained that the Israeli military had deactivated the Syrian air defense network using a secret built-in switch.
The largest cyber attack to date
In June 2010, a security company identified the malware that became known as Stuxnet. It is designed to infect SCADA systems targeting the Iranian nuclear program.
Stuxnet is a sophisticated program that disguises the damage it is wreaking from operators and overseers, until it is too late to reverse. Evidence suggests that Stuxnet was first created in 2005.
Stuxnet contained two different attack routines; the smaller and simpler attack routine that changes the speeds of centrifuge rotors. The other routine attempted to over-pressurize centrifuges, causing solidification of process gas. This would have resulted in simultaneous destruction of hundreds of centrifuges per infected controller. However it seems the attackers took care to avoid catastrophic damage, which they could have potentially caused.
Stuxnet is thought to have inflicted substantial damage to the Iranian nuclear centrifuges, putting the program off track for several years. While the attack was specific, the tactics and technology used are generic and can be used against other targets. Stuxnet is seen as an opening act of cyber warfare in today’s IT society.
Duqu, often called “Son of Stuxnet”, was found on a number of corporate computer systems in Europe in 2011. Based on the Stuxnet source code, Duqu is used as a backdoor to allow attackers to remotely access compromised systems to siphon off sensitive information and gather intelligence, potentially for use in future attacks.
Duqu disguises itself as a device driver that loads when the system boots. Basically, Duqu can steal anything from a targeted system, including passwords, take desktop screenshots, and steal documents. This malware runs on an infected system for 36 days before deleting itself, staying under the radar.
Probably the most complex malware ever discovered, Flame targeted several Middle-eastern countries in 2012, including Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia and Egypt.
Dedicated to stealing data, this virus turned computer microphones into listening devices, take screenshots, copying instant message chats and even keyboard strokes.
Like Stuxnet and Duqu, Flame was probably commissioned by a nation state and seemed to primarily target Iran.
Humans exploit system weaknesses
Many examples of breaches of data security are human, where people exploit weaknesses in a given system to steal sensitive information. Two recent examples that gained world attention are Bradley Manning and Edward Snowden.
Private Bradley Manning downloaded thousands of classified documents from military servers and passed them on to WikiLeaks. As an intelligence analyst in the US Army, Manning was given access to a large amount of highly sensitive information which he saved on a CD-R which he labeled “Lady Gaga”. According to an interview with the magazine Wired, Manning confessed to former hacker Adrian Lamo, saying that he encountered, “Weak servers, weak logging, weak physical security, weak counter-intelligence and inattentive signal analysis… a perfect storm.”
Former employee of the Central Intelligence Agency (CIA) and former contractor for the National Security Agency (NSA), Snowden worked as a systems administrator for private contractor Booz Allen. He came to international attention while working as a systems administrator, when he downloaded thousands of classified documents on to thumb drives and disclosed them to several media outlets.
The leaked documents revealed operational details of global surveillance programs run by the NSA and the other Five Eyes governments of the United Kingdom, Australia, Canada, and New Zealand, with the cooperation of a number of businesses and European governments.
The release of classified material was called the most significant leak in US history by Pentagon Papers leaker Daniel Ellsberg.
A series of exposés beginning June 5, 2013, revealed Internet surveillance programs such as PRISM, MUSCULAR, XKeyscore and Tempora, as well as the bulk collection of US and European telephone metadata. The reports were based on documents Snowden leaked to The Guardian and The Washington Post.
Preventing cyber attacks
By taking precautions in three key areas it is possible to reduce cyber attacks to a minimum, keeping critical systems secure. These areas are: availability, integrity, and confidentiality.
Availability means ensuring timely and reliable access to, and use of information. A loss of availability disrupts the access or use of information or systems. The classic case of an attack on availability is a Distributed Denial of Service attack, such as in the case of Estonia attack.
Confidentiality covers data confidentiality and privacy. It is the preserving of authorized restrictions on information access and disclosure, including means of protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information, as in the case of Manning and Snowden.
Integrity covers both data and system integrity. It entails the guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information, repudiation and authenticity, such as an attack on a Supervisory Control And Data Acquisition (SCADA) system.
Data origin authentication can be achieved using a secure VPN. By implementing secure VPNs, control systems can send status and alert/alarm information without leaking sensitive information. This prevents attacks or manipulation of infrastructure, and enables the safe monitoring of surveillance cameras from a central site.
Preventing human interference
In high security environments, set regulations often require that networks hosting classified information are isolated from other networks, effectively creating zones of different security clearances. However, there are times when these networks need to be made accessible, for instance when information needs to be transferred to them. The ability to transfer information to a classified network is vital for organizations such as military and government agencies. It is equally vital in industrial control system (ICS) environments managing critical infrastructure, such as utilities or public transportation operators.
Moving information manually, by exporting information onto a USB stick or a CD and importing it into the secure network, is a tedious process that does not provide real-time transfer, and opens up to human error or sabotage. It is thought that Stuxnet was introduced using a USB stick.
A data diode, a smart, one-way information transfer device, connects two networks of different security levels eliminating any possibility of information being sent in the opposite direction of the transfer, shielding the network and its information from external manipulations and attacks.
Bidirectional information exchange between two networks of different security levels can only be realized if information flow control is guaranteed.
This can be guaranteed by implementing in a Cross Domain Solution (CDS) with high assurance design. It enables bidirectional-filtered transportation of data between different security domains by acting as a boundary protection device.
When geographically scattered networks of similar security levels need to share information and data over open networks, such as the Internet, they need to assure that their communication is protected from eavesdropping, manipulation and fabrication. By utilizing hardware based network encryptors organizations are able to create encrypted tunnels through open networks, such as the Internet. Encrypted tunnels, Virtual Private Network (VPN), prevent all kinds of unauthorized data access and manipulation. Thus, secure tunnels enable organisations to securely exchange classified information over the Internet. By combining VPN with CDS, geographically scattered networks of different security levels are able to exchange information securely without the risk of unauthorized disclosure of classified information.
The term Digital Pearl Harbor predicts a world where hackers could launch several attacks on critical infrastructure at one time that could actually destroy physical infrastructure, as opposed to just simply disrupting or exploiting digital information and communication. Stuxnet appears to demonstrate such an attack. However with the right countermeasures in place, we can hopefully prevent further attacks.
While some would say it was difficult, or even impossible to prevent determined cyber
militia, or individuals like Snowden and Manning from compromising a system, new emerging technology is available today to prevent this.
About the authors:
Stefan Chevul holds a Tec.Lic. degree in telecommunication systems from Blekinge Institute of Technology and also a M.Sc. in Electrical Engineering. He currently works as system designer at Advenica AB where he is involved in the development of cryptographical systems certified for high-level security (Restricted and Top Secret). Stefan has participated as a speaker in various conferences and workshops on the topic of cyber attacks, network security, data protection, high assurance design and Quality of Experience (QoE).