Cyber And NATO – Utility Systems As Sources Of Political Power

By Petra Cicvaric

 

This article was previously published in the Atlantic Voices Vol 8. Nr. 12. Editing and republication of this article has been realized with the financial support of NATO Public Diplomacy Division.

Introduction

The Internet is indisputably one of the greatest inventions of the 21st century that has revolutionized communication and information dissemination. Its affordability and ease of use have made a tremendous contribution to human life in various aspects, such as education, healthcare, and business, among others. People nowadays can access education online, check how many calories they consumed or burned using various mobile apps, and business owners can keep track of their stocks and the development of their company on the go. However, with all these benefits of network technologies, there are also some adverse effects. Since the Internet provides global connectivity, some have abused the power of the Internet as a weapon or a tool to force concessions from stronger forces. Cyber attacks, hacks and security breaches are no longer an exception. Their number is increasing, and organizations are incurring higher costs in dealing with these cyber security incidents. Hardly a week goes by without coverage of a major security breach in the media. Although most cyber attacks are comparatively harmless, the impact of some is severe. Cyber security breaches can range from Distributed Denial of Service (DDoS) attacks to the stealing or manipulation of data, identity theft, and even takeover of systems. This can have tangible and harmful effects for the physical world. Therefore, organisations are spending more and more money on cyber security. And yet the breaches keep increasing. Cyber security is quickly morphing into cyber warfare. There will come a time in the not too distant future when a country attacking another country will first take out its critical infrastructure and systems by non-kinetic cyber means, crippling it before even launching any physical assault. Something similar to this predicted scenario has already occurred and is ongoing with regard to the Ukrainian ‘Crimean Crisis’.
However, it is crucial to stress that even though Ukraine has been taken as a case study, it is not the only region affected by cyber security breaches.

What is the Internet of Things (IoT)?

IoT is an abbreviation that stands for a network of technologies which can monitor the status of physical objects, capture meaningful data, and communicate that data over a wireless network to a computer via the 'cloud'. This allows the software to analyze large amounts of data and determine action in real time. Such technology is capable of remotely monitoring infrastructure and electronic devices, e.g. ‘smart water meters’, or sensors in the environment, such as an area of ground to be measured for moisture or chemical content. A smart device can be associated with a wide variety of physical objects. It provides connectivity and a unique digital identity for identifying, tracking, and communicating with the object. Sensors within or attached to the device communicate via the internet or a local area connection (such as WLAN, RFID, NFC, or BTLE). Typically, each data transmission from a device is small in size, but the number of transmissions can be very frequent. The IoT involves numerous components that are interacting with each other in order to produce information. IoT applications have become more feasible in recent years because the cost and size of such devices continue to decrease and their sophistication for measuring keeps increasing. With an increasing number of devices like smart meters and networked photovoltaic systems being linked to energy grids, cyber security threats to critical infrastructure are increasing. These devices, part of the Internet of Things megatrend, provide bad actors with manifold vectors – or surfaces as experts like to call them – from which to launch an attack. Few, if any, experts suggest that an attack on a single smart meter could take down an electrical grid. But disrupting or taking control over a few such devices, or the systems connecting such devices, poses a more realistic threat. However, the danger does not come from IoT devices exclusively, but generally from all networked devices.

To illustrate the scale, Cisco (a provider of network technology) estimates that 500 billion devices will be connected to the internet by 2030. Even though the IoT can have a beneficial impact for governments, businesses and citizens, one must not forget its security implications.

Possible security implications of the IoT?

With the adoption of the Internet of Things in daily life, an increasing number of physical objects feature an IP (Internet Protocol) address and communicate via the Internet. Information and communication systems and the physical infrastructure become increasingly intertwined. In these cyber physical systems, the greatest impact occurs when an intruder gains supervisory control access and launches control actions that may result in catastrophic virtual or physical damage. The IoT creates a cyber physical society in which everyday life is networked and interwoven with electronic devices. As such, we are becoming ever more dependent on cyberspace, a place in which cyber attacks and cyber wars are common. This poses high potential risks as hackers could take over medical equipment, self-driving cars and flight control with life-threatening consequences.

The need for cyber security is becoming increasingly important due to our dependence on Information and Communication Technology (ICT) across all aspects of our cyber physical society. It is essential for individuals, for public and non-public organizations, but guaranteeing security often proves to be difficult. The websites of many governments have limited security and might be easily hacked. The issue of security is not limited to the executive power, but is also relevant to political parties, energy infrastructure providers, water boards, road management, ministries, administrative organizations, NGOs and even sporting organizations – all of which have already been the target of breaches and the stealing of information.

Recent research shows that in case of a network failure or hacker attack, a series of severe consequences, particularly in the water infrastructure, are almost inevitable. The most recent publicly reported incident is of hackers changing chemical settings in a water treatment plant. Sensors and other entry points for an IoT network have such small software footprints that implementing security is difficult without architectural changes impacting the economics of the network. While most infrastructure IoT networks will only have general cyber security concerns, there will be additional privacy issues in consumer IoT networks. Hacking into a smart water meter and monitoring its pattern of operation, for example, could reveal even the smallest aspects of life, such as whether or not a family is at home. Better security will mitigate privacy concerns. However, complete protection is never possible and cyber security comes at a price.

The reputation of companies and other organizations plays a major role in retaining the trust of clients. Companies do not want to be associated with cyber security hacks or viewed as having not taken appropriate security measures. They might be reluctant to share information on their cyber security spending with the public. The paradox is that too little spending might indicate that they are not well protected, while too much spending could send the message that they are overly concerned about being the potential target of hackers, or are simply wasting money. In relation to cyber security, it is impossible to take a one-size-fits-all approach. Organizations are diverse and have different demands. A bank and a hospital demand higher levels of security than a restaurant. Moreover, a company’s level of knowledge, expertise, experience, their systems, their vulnerability, and the possible impact of a cyber security breach are all different. This makes it difficult to talk about companies in general and what is expected from their actions in cyberspace.

Utilities and their infrastructure are essential resources for a society. Water, for example, has also always been an important source of political power. Today, 2.1 billion people do not have access to clean and safe drinking water at home, and there are huge inequalities between countries. Moreover, demand for 'drinkable water' is expected to increase by one third by 2050, with climate change and population growth being the main challenges for global water distribution. Therefore, water scarcity forces humankind to find new ways of smart water management. However, in the modern ‘cyber-driven’ world, this development is prone to cyber-attacks.

It is crucial to stress that this trend is not only key in terms of water management, but is also widely present in electric power management. Therefore, these two important components of the utility system can be considered critical infrastructure. While grids and cities are becoming ‘smarter’, they are at the same time becoming more exposed to cyber attacks.

Case study: UKRAINE

In late 2015, hackers turned their focus to the Ukrainian power grid. In one of the largest attacks of its kind, hacking shut off the power to hundreds of thousands of residents in Ukraine. According to public reports, the attacks that caused the outage were accompanied by parallel cyber intrusions into Ukraine’s rail system and TV stations.

These cyber attacks in Ukraine are the first publicly acknowledged incidents to result in power outages. As future attacks may occur, it is important to scope the impacts of the incident. Power outages should be measured in scale (number of customers and amount of electricity infrastructure involved) and in duration to full restoration.

During the interference, the attackers demonstrated a variety of capabilities, including spear phishing emails, the deployment of variants of the BlackEnergy 3 malware, and the manipulation of Microsoft Office documents that contained the malware to gain a foothold into the Information Technology (IT) networks of the electricity companies. The intruders were able to harvest credentials and information to gain access to the Internet Connection Sharing (ICS) network. Additionally, they showed expertise not only in network connected infrastructure such as Uninterruptible Power Supplies (UPSs), but also in operating the ICSs through a supervisory control system such as the Human Machine Interface (HMI).

The Ukrainian incidents affected up to 225,000 customers in three different distribution-level service territories and lasted for several hours. On a macro-scale, these incidents should be rated as low in terms of power system impacts because the outage affected a relatively small number of overall power consumers in Ukraine and its duration was limited. In contrast, it is likely that the impacted companies rate these incidents as high or critical to the reliability of their systems and business operations.

Interestingly, these incidents have not stopped Ukraine from dedicating itself to making Kiev a ‘smart city’ in the same year. This project aims at developing intelligent city infrastructure based on the principles of open data as well as reasonable and transparent management.

Cyber security - a strategic security priority for NATO

NATO shares common liberal values and strategic interests with the EU and therefore, their recent collaboration represents a crucial step forward. NATO, a political and military alliance and a self-defence organisation, not only defends the common security and prosperity of its member states, but also forms a unique community of liberal values including freedom, human rights, individual liberty, democracy and the rule of law. NATO’s mission is to ensure the security of its member states by executing its core tasks: collective defence and deterrence, crisis management, and cooperative security through partnerships. Its primary tasks also encompass the protection of member states and its own organisations, infrastructures, and operations against cyber-attacks. In the view of NATO, cyber threats have negative implications for transatlantic and national security. In the Strategic Concept of 2010, NATO Allies declared that: “Cyber-attacks are becoming more frequent, more organised and more costly […]; they can reach a threshold that threatens national and Euro-Atlantic prosperity, security and stability” and committed to “develop further our ability to prevent, detect, defend against and recover from cyber-attacks.”

However, the principal focus of NATO’s cyber defence approach has always been the protection of its own headquarters, agencies, and operations. The Alliance has been improving its cyber defence capabilities since the 1990s. The first well-known cyber incident against NATO took place in 1999 during NATO’s operation “Allied Force” in Kosovo when hacker groups from Russia and Serbia disrupted NATO’s internal systems. A few years later, at the Prague Summit in 2002, cyber security appeared for the first time on NATO’s political agenda with NATO declaring to “strengthen our capabilities to defend against cyber-attacks.” In the same year, the North Atlantic Council (NAC) approved a Cyber Defence Programme and as part of this, the NATO Computer Incident Response Capability (NCIRC) – NATO’s emergency team to prevent, detect and respond to cyber incidents – was created. The cyber-attacks against Estonia in 2007 that disabled its governmental, media and financial websites and the Russia-Georgia war in 2008 that included military offence against Georgian military forces and cyber-attacks against Georgian webpages helped NATO to realize how far behind it was in cyberspace. Subsequently, the Alliance’s focus broadened from the security of its own networks to that of its member states. In January 2008, NATO approved its first Policy on Cyber Defence stressing “the need for NATO and nations to protect key information systems […]; share best practices; and provide a capability to assist Allied nations, upon request, to counter a cyber-attack.” In the following years, numerous bodies, policies and personnel advancements have been developed and implemented, but NATO has always had issues of a political nature and of equal burden sharing when it comes to the development of cyber capabilities. Meanwhile, more advanced member states, having heavily invested in national cyber capabilities, hesitate to share these with others for financial and security reasons.
So far there seems to be little will for the development of NATO’s own defensive or offensive capabilities, primarily because it would require further defence expenditure. This is especially true for European members which are reluctant to further strain their defence budgets (only three of NATO’s European members fulfil the requirement to spend 2% of gross domestic product on overall defence: UK, Greece and Estonia). Concerning the civilian capabilities, the uneven and insufficient level of preparedness and capability of EU member states undermines the security of European countries with overlapping memberships. Smaller EU member states tend to have particular difficulties: even staffing their Computer Emergency Response Teams is challenging. Another major issue is linked to the classification of cyber-attacks as a trigger for collective response. Articles 4 and 5 of the North Atlantic Treaty provide for political consultations if an Ally feels its security is threatened and for a collective response in case of an armed attack against an Ally. It has been convincingly argued elsewhere that the existing ambiguity over the threshold at which cyber-attacks are considered an armed attack, and over the concrete circumstances entailing collective response, actually increases NATO’s cyber deterrence. Likewise, it is undesirable for NATO to draw a clear red line that obliges collective response when it is crossed, and it is indeed questionable if a clearly articulated threshold would deter non-state actors from crossing it. In addition, one major issue in particular that needs to be addressed within the cyber domain is the role of international law. To date there has been little public discussion within NATO on what role, if any, international law should play in governing either offensive or defensive cyber actions. There are few treaties or UN statutes that deal explicitly with cyber actions.
Therefore, the creation of a cyber jus in bello should be explored, since NATO still has not managed to find a suitable answer to the question: how would NATO respond if a member state were to invoke Article V of the North Atlantic Treaty following a cyberattack?

Possible NATO strategy

2018 has been another challenging year for those tasked with preventing cyber attacks. Experts warn that state-sponsored hacking is likely to further increase and attacks against IoT devices will worsen.

In order to deal with them effectively, just as during any physical warfare, we need to learn and apply some lessons to cyber warfare and security. In order to protect itself, an organisation needs to secure two major aspects:

1. Gather intelligence on its adversaries in order to stay up to date;

2. Bolster its defences based on knowledge of how it may be attacked.

Unfortunately, this approach is seldom taken by organisations when it comes to cyber security. Organisations need to gather cyber intelligence to understand who may be attacking them and why. A critical part of this is so-called ‘dark market intelligence’. Dark markets serve as a trading ground for various kinds of stolen data. Unless it is traded there, it is hard to monetise. And unless it is monetised, it is worthless to the profit-oriented hacker, and therefore considered a waste of time and resources.

In the modern era, a large number of hacking actions aim at generating monetary profit. Arguably, one key method deployed in cyber-attacks is phishing. It is used to trick users into handing over passwords and to get access to their devices. Once the user has taken the bait, the attacker will be able to access the organisation’s IT environment where they may manipulate, destroy or exfiltrate critical data or processes. Such passwords or data are not necessarily used directly, but often sold to other private or institutional hackers. Consequently, it makes a lot of sense to scan dark markets for any leaked data or chatter on activities aimed at attacking public or private organisations. This will allow an organisation to do two things:

1. Proactively manage a breach if one has occurred by activating their incident response procedures;

2. Gain intelligence on any potential attacks and prepare to thwart them.

It is key that there is a very good understanding of the who, why, and how of (potential) attacks based on cyber intelligence and the analysis of the hacking methods. With that knowledge, specialists can not only better understand hacks and manage the defence against them, but also better prioritise and advocate for necessary cyber security investments.

However, the cyber security landscape is changing quickly. Notably, the quantity and quality of cyber-attacks are increasing dramatically. There is a need to take a risk-based approach. A new approach is required to deal with this threat: one built on proactive intelligence and attack-based contextualization, not one that is reactive and without context. Only then can we add value and opportunity to the business and manage compliance, legislative, reputation and financial risks. Therefore, NATO’s strategy in this ongoing battle should be flexible and multidimensional so it can evolve as the bad actors continually improve their devious, clever methods.

While NATO was founded on the idea of collective defence, the nature of security threats has changed since its inception. The above-mentioned possibilities are crucial when it comes to creating a pool of knowledge regarding this new type of danger. However, the Cold War-era alliance is struggling to adapt to evolving technology and the altered nature of warfare. Nowhere is this truer than in the cyber realm. NATO policymakers have acknowledged cyberwarfare as a distinct sphere of conflict, but they have not yet tailored nuclear-era concepts of deterrence and response to this new domain. As cyberattacks increase in destructive potential and remain difficult to attribute, the alliance faces the dilemma of whether and how to adapt its policy of strategic ambiguity to a new era of cyberwarfare. An attack on a country’s electric grid, a softer target, could in theory cause hundreds of billions of dollars in damage and put lives at risk as traffic lights stop working, hospitals lose power, and unrest erupts. Given these stakes, NATO has an obvious incentive to strengthen its capacity to deter and punish cyberattacks, including through conventional retaliation.

Conclusion

While smart cities have not yet become major targets of cyber attacks, threats are becoming real, both technically and intentionally. Large-scale attacks are not a matter of if but when. On one hand, exploitation of mobile devices is overblown, and will continue to be a growth area. On the other hand, new war scenarios in the world are making smart cities attractive targets to cyber terrorists. The black market for vulnerabilities in recent years is dominated by more disciplined, organized, and structured groups that often identify specific targets. Cyber security breaches can thus be said to impact all stakeholders in our society. Interest in cyber security issues often focuses on incidents and how to deal with them after the fact, while a concern for prevention and investments in better cyber security have lagged behind. This is surprising in a world where there is a continuing battle between hackers and various societal actors attempting to protect the system. Cyber security is said to be the new form of war and is viewed as the next platform in modern warfare. Thus, cyber attacks against critical infrastructure, dubbed a potential “Cyber Pearl Harbor” by US military officials, are no longer the fantasies of Hollywood producers, conspiracy theorists or sci-fi aficionados, but are the reality that governments and businesses across the world must now confront. NATO should take a leading role in this in order to avoid another Ukraine, Georgia, Estonia, etc.

