When we are thinking of protecting critical national infrastructure we often focus on the protection of the critical systems required to deliver energy, telecommunications or finance.
In picturing the effect of an attack on critical infrastructure, we may picture in our mind's eye a Hollywood-esque scene of total disaster (think of the plot for Live Free or Die Hard).
However, attacks on a country's critical infrastructure can be more nuanced than simply disabling or destroying industrial control systems (ICS) or supervisory control and data acquisition (SCADA) systems.
Rather than destroying pipelines, plants or refineries, attackers could cause them to simply never be built or expanded in the first place, causing economic damage in a more subtle and long-lasting manner.
Full spectrum cyber operations (FSCO) can include the use of information warfare (IW) to influence public support and trust, creating difficulties in continuing or expanding critical infrastructure operations.
Attacking social license
Let's use a hypothetical example. Imagine a foreign entity's national economic interests would be harmed by the development of expanded Canadian oil pipelines, which would increase global oil supplies and constrain prices by keeping demand and supply in a better balance.
That foreign entity may choose to use a full spectrum of options enabled by cyber capabilities. Their activities may include information warfare using smart, dedicated teams to create social media presences (Facebook pages, Twitter accounts) projecting negative messages about the energy project and amplifying any existing domestic opposition. They may play on any number of concerns including local environmental effects in the event of a spill. They may even create propaganda campaigns and social media viral communications to undermine trust.
Real world examples
The use of social media to undermine public trust in critical infrastructure is hardly hypothetical. Successful campaigns have been documented in the past five years, including the Columbian Chemicals hoax:
The Columbian Chemicals hoax was not some simple prank by a bored sadist. It was a highly coordinated disinformation campaign, involving dozens of fake accounts that posted hundreds of tweets for hours, targeting a list of figures precisely chosen to generate maximum attention.
The perpetrators didn’t just doctor screenshots from CNN; they also created fully functional clones of the websites of Louisiana TV stations and newspapers. The YouTube video of the man watching TV had been tailor-made for the project. A Wikipedia page was even created for the Columbian Chemicals disaster, which cited the fake YouTube video. As the virtual assault unfolded, it was complemented by text messages to actual residents in St. Mary Parish. It must have taken a team of programmers and content producers to pull off.
"The Agency", Adrian Chen, New York Times, 2015.
Attackers may seek to exploit the concept of social license - a loosely defined concept originally "designed to capture the notion that natural resource development companies can benefit from winning public approval for a project above and beyond the legally required licences and permits" (Macdonald-Laurier Institute, 2014). The concept has since evolved and is now being used by environmental activists in attempts to halt a number of controversial projects from mining to energy.
An example of an attempt to revoke social license can be seen in the United States:
A recent report by the U.S. House of Representatives claims that the same Russian group behind the 2016 presidential election manipulation has been actively leveraging social media to stir up opposition to oil and natural gas projects in the United States.
In essence, it's easier to stop a plant or pipeline from being built than it is to hack in and attempt to destroy it.
Expanding offensive cyber operations
In support of an information warfare campaign, threat actors (a nation-state, terrorist group, activist group or malicious individual) may also choose to initiate additional attacks designed to further undermine support for existing or new critical infrastructure.
For example, a successful intrusion into the business networks of an energy firm may reveal confidential information such as risk management plans for environmental issues, or perhaps an executive's private communications about combatting opposition to a new project.
A limited attack against the control systems may be designed simply to cause doubt about the safety of those systems and the competency of authorities to keep them safe in the future.
A growing threat
While the playbook for full spectrum cyber operations was largely written by government organizations, the potential for all threat actors to leverage the same tactics, tools and strategies increases every day.
Additionally, the targets for FSCO can and will expand to include other organizations and businesses, as they are just as vulnerable. Business-to-consumer (B2C) firms are perhaps even more susceptible to propaganda campaigns designed to smear brands and products.
How we can help you:
- Improved cyber awareness and accountability throughout the organization.
- Reduced security team time on tactical, compliance-focused efforts, leading to more strategic efforts.
- Actionable cyber risk insights through meaningful analytics, metrics and reports that can be shared with management.
Successful defense from FSCO will require new multi-disciplinary teams that break down barriers between business leadership and all support groups within the organization. Those groups include, but aren't limited to, information technology, operations, security, marketing and legal counsel.
This new multi-disciplinary group should be formed before an attack occurs and should be included in the organization's incident response plan. The group should meet to discuss potential threat actors who may use FSCO along with examples of how particular campaigns could be executed against the organization.
Tabletop or scenario-based exercises should be used to test the incident response plan and to improve team cohesion.
Monitoring for potential threats includes more than the data feeds traditionally found in security operations centres (SOCs) and will now need to include detailed analysis of news media reports, political analysis and social media monitoring.
Managing the growing risk from FSCO will require better support and communications between national assets, including the intelligence community and policing, which must provide support to organizations.
FSCO is a risk that will not go away on its own. This risk will grow and its impacts will increase, particularly on organizations that fail to properly manage it.
David Shipley is the CEO and Co-Founder of Beauceron Security Inc., a New Brunswick-based cybersecurity software firm with clients across North America. David is a certified information security manager and frequently writes and speaks about cybersecurity issues across North America.