I am writing this only a few days removed from Black Hat 2019 and Def Con 27, where both events featured a number of presentations on critical infrastructure or industrial control system (ICS) threats – but with a continuing lack of scope (or imagination) for the threat landscape. While identifying new vulnerabilities or work-arounds in technology are certainly interesting, they are practically somewhat minor when considered the events required to take advantage of them (e.g., access to the vulnerable system) or the insecure-by-design engineering at the core of a product (e.g., an attack against an unauthenticated protocol). Too much attention gets paid to either arcane or difficult-to-execute attack scenarios (such as manipulation of process sensors deep within networks to cause an industrial incident) while relatively easy-to-achieve but quite effective attacks are ignored. Most specifically, and related to my previous post concerning the interplay between cyber and information operations as a whole, attackers (and defenders) overlook the powerful attack scenarios available by blending low-cost/low-skill cyber operations with more general information warfare actions to create amplified attacks.
First, we must understand a vital aspect of what we term “critical infrastructure”. While each of the 16 critical infrastructure sectors as defined by the US Department of Homeland Security is certainly affected by and requires technical soundness and integrity for operation, these sectors (and their outsized role in modern society) are also underpinned by confidence. Simply saying that electricity will flow, water is clean, and precision manufactured parts are sound is not enough as social and market interactions begin to break down when entities operating in these spaces begin to question the quality, reliability, or integrity of these entities. The most classic example of this the bank run as enabled by fractional reserve banking in the finance sector. In this scenario, a loss of consumer confidence produces a positive feedback loop where investors in a financial institution, acting on individual self-interest, rush to withdraw funds from that institution producing in reality the rumored situation that started the process: an insolvent financial institution, as seen in Mary Poppins.
Financial institutions may seem a singular example among critical infrastructure sectors, yet other areas face the same requirement of needing to maintain consumer and market confidence to ensure continued, desirable operations. An electric utility that faces popular conceptions of unreliability if not outright danger may find itself facing burdensome regulations (or even financial catastrophe). Food or pharmaceutical producers and distributors may face onerous costs and loss of markets after only a handful of isolated incidents concerning product safety. IT entities may find themselves caught trying to prove a negative (that no tampering or compromise occurred) after a sensational (if factually dubious) report. Ultimately, one can argue that while ensuring things “work” or that products are “sound” is of paramount importance in critical infrastructure, such efforts can be undermined (or even reversed) if such technical soundness is not met by consumer confidence.
In light of the above considerations, an impactful critical infrastructure attack need not directly impact the underlying systems (such as a cyber-physical ICS event) to any great extent (or even at all). Instead, very interesting scenarios can be achieved by blending a combination of relatively low-skill cyber operations with other aspects of information warfare to generate significant degrees of consumer uncertainty, or loss of confidence. These scenarios can be especially powerful if timed to coincide with organic system stresses to amplify concerns and erode confidence in the underlying system.
To see how the above might play out, let us examine a real world scenario: Operation Ababil. The event in question was a coordinated distributed denial of service (DDoS) attack against multiple US financial institutions in September 2012. While concerning, the event itself resulted in little, noticeable impact and standard defenses and mitigations allowed targeted entities to recover after initial periods of disruption. As such, Ababil as constructed and executed falls into a category of cyber operations I refer to as “computer network annoyance”: noticeable effects were generated, but with no lasting impact beyond possible embarrassment for the victims. Yet such impact (or lack thereof) may be the result of a lack of imagination or poor timing on the part of Abibil’s perpetrators rather than a weakness in the attack itself.
What if, instead of taking place in September 2012 (a period of steady if middling market and economic growth), Ababil was timed differently: to take place shortly after the collapse of Lehman Brothers in September 2008 or after news of the May 2010 “Flash Crash” started to spread? Under these scenarios, the operators behind Ababil would have created not merely an inconvenience, but a noticeable disruption in access to financial services and platforms at a moment of institutional panic. Given appropriate adversary pre-positioning of resources (i.e., the botnet required to execute the DDoS) and close attention to US financial markets and consumer confidence, an event like Ababil could potentially torpedo market confidence and liquidity at a critical moment, giving a significant “nudge” pushing short-term crisis into possible calamity.
Yet even the above scenario – while deeply concerning – only begins to scratch the surface of possibilities of “combined operations” in economic information warfare. In 2008, 2010, and 2012, existing social media frameworks were either nonexistent or in their relative infancy with respect to their latent ability to influence populations. Moving to the present time, where malicious social media campaigns can instill doubt in topics as fact-based and evidence-supported as childhood vaccinations and anthropogenic climate change, a long-running campaign designed to undermine confidence in a country’s banking system (by alleging corruption, unsoundness, or other items) can set the stage for an impact scenario such as the DDoS above to bring about magnified effects. A long-running campaign impugning a bank’s solvency followed by coordinated execution of both a DDoS against consumer-facing portals (and potentially phone lines as well) with a social media campaign amplifying stories of being unable to reach representatives or withdraw funds can set up for significant economic harm. Done properly and timed right, such an event may even be capable of achieving financial “contagion” resulting in economy-wide effects.
Financial sector effects, as described at the beginning of this essay, may appear unique in their ability to cascade via combined information warfare operations to impact critical infrastructure, but other sectors are similarly vulnerable. For example, the electric sector may appear immune from panics like the financial system – but an expanded view of attack possibilities yields intriguing options.
As an example, long-running disinformation campaigns via social media, sponsored items, and other avenues may highlight the frailty of the US electric sector, highlighting actual concerns such as recent outages caused by older equipment failing in the field. An adversary can then either wait for a large-scale natural event producing an outage, or (through a Ukraine 2015-like event) create an immediate event itself, and amplify messaging while concurrently producing a disruption of consumer-facing services (such as outage hotlines, helpdesks, or company websites) to give a multi-pronged impression of widespread utility failure (or incompetence). Depending on the broader social and economic context surrounding such an event, the above scenario could produce anything from reducing consumer confidence in critical infrastructure providers to potentially undermining confidence in the given government or system – the latter likely at least tangentially related to the two Ukraine power events.
While there are high degrees of variability in how these scenarios may play out and how effective they may be in impact, their disruptive nature is self-evident. More importantly, the technologies in play are (aside from the potential ICS intrusion scenario in the electric attack) rather basic and cheap: botnet creation, denial of service attacks, and social media manipulation. All have been achieved by adversaries with relatively minimal resources, from criminal enterprises to immature state-sponsored cyber operators. Social media influence, depending on scale and sophistication, can become expensive quite quickly as shown in Internet Research Agency operations. Still, depending on achieved impact, the combination of capabilities above can produce potentially profound impacts if executed in the right sequence or in conjunction with actual emergency events in the victim’s polity.
So we’ve discussed some unsettling scenarios of sowing discord and wreaking havoc in modern society – what can be done to defend against such efforts? The current trend of strategies for cyber (and cyber-enabled) operations leans heavily on offensive response and potential retaliation: “defend forward”. I’ve made my criticisms of this strategy quite clear, so I will not revisit past arguments at this time. However, an offensive-minded strategy runs into difficulty in terms of response and escalation thresholds. While the above scenarios are quite troubling, what sort of response is justified or enabled by them, especially when actions are limited to a combination of low-sophistication “computer network annoyance” and hard-to-detect social media manipulation? Strategists at USCYBERCOM may point to their “successful” disruption of Russian “trolls” the day of the 2018 US mid-term elections – yet this example is silly on its face and deeply concerning given the public declarations of success.
As stated in public reporting confirmed by USCYBERCOM entities, the disruption targeted influence operations on the day of the election. At this stage, operations had already been in motion for months (if not years) given the long-term nature of influence and manipulation operations. Executing on the day of elections, while potentially circumventing some immediate-term campaigns such as calling into doubt election execution and near-term results, does absolutely nothing to address the uncertainty and division created in the run-up to events. This operation may have made many people “feel better” about having done something about foreign interference in elections, but its actual efficacy is highly questionable. Extending such an action to cover a long (and potentially perpetual) period of time would represent not only a nearly insurmountable logistical feat, but given its implications as adversaries adapt would yield a war on the public internet itself.
Response and retaliation against more active measures – such as widespread DDoS or a direct critical infrastructure disruptive attack – seems easier and more clear. But even here problems arise especially when adopting a provocative preemptive stance relative to such actions. As detailed previously, a preemptive execution to disable or destroy such capabilities may result in the perverse outcome of accelerating attacks against civilian critical infrastructure. Retaliatory events seem clearer at first glance, but proportionality becomes puzzling: a DDoS timed with an organic systemic crisis may result in nasty effects, but it merely took advantage of events. What type of response is justified given that scenario, especially in light of possible follow-on actions from the adversary in retaliation?
Such questions are not only complex, but based on published doctrine appear to be completely outside the scope of those designated to formulate answers to them (at least publicly). Essentially, authorities have adopted an offense-heavy doctrine to enable defense that would be either inappropriate or ineffective against well-planned attacks coordinating multiple facets of information operations (even with an emphasis on cyber).
Given circumstances and the criticality of both system integrity and general confidence in critical infrastructure, a posture emphasizing active or engaged defense seems not only more plausible, but also far more effective. Rather than attempt to blunt attacks before their execution or attempt to deter when escalatory boundaries are still in flux, government entities (including USCYBERCOM and related civilian authorities) should instead emphasize an approach building up both the resilience of physical infrastructure and educating the wider public as to the stability of such infrastructure. While non-trivial and difficult, such an approach would address root cause issues enabling critical infrastructure attacks (physically antiquated or logically insecure infrastructure combined with general opacity as to the efficacy of such infrastructure to remain resilient in the face of stress) building out defense against not only deliberate, multi-stage attacks, but also freakish events of nature and other organic causes that may result in disruption.
A combination of direct investment or subsidy of private-sector hardening by government bodies combined with both education and public messaging on steps taken and their impact can build physical resilience while deepening trust in operations. Avoiding blunders in post-event analysis leading to distrust in critical infrastructure providers – stretching from concerns surrounding the PG&E wildfire investigation through items as old as the mismanaged Three Mile Island incident – strongly demonstrate a need for intense public-private collaboration for proper messaging and public information in post-crisis events. Done successfully over time, such efforts ensure transparency and build trust in the operation of critical infrastructure – and in response to emergencies.
Unfortunately, the above approach is neither sexy nor ammenable to some high-priced defense contractor-provided silver bullet. A combined approach of resiliency investment and enhanced trust combined with public communication addresses the issues laid out previously while strengthening defense against a host of other scenarios – yet its very interdisciplinary and long-term engagement requirements will almost certainly mitigate against government embracing this strategy. Furthermore, the security industry itself remains wedded to a cult of the exploit and the hack, when potentially disastrous operations can be executed through a combination of manipulating not only systems in their legitimate states, but influencing populations in a way for which traditional cybersecurity has no answer.
Essentially, critical infrastructure as operated and maintained in most Western, open societies is at risk not only from the sort of direct cyber-physical attacks that make for good Black Hat CFP submissions, but also from more subtle events aiming at the very need for such services within the communities they support. Adopting a narrow approach to resolving such problems may be appropriate for individual vendor organizations providing services within this space, but for critical infrastructure owners and operators – as well as the governments which theoretically maintain a monopoly on legitimate violence where they operate – such actions may miss significant attack vectors with profound implications.