FEATURE
Cyberwar and protecting
critical national
infrastructure
Cath Everett, freelance journalist
The issue of cyberwar never seems to be out of the headlines these days – and
given the slightly hysterical nature of some of the coverage, you might be
forgiven for thinking that Armageddon was imminent.
In reality though, it seems that the term
‘cyberwar’ means different things to dif-
ferent people. For some, the term was
defined in the ‘Tallinn Manual’, pub-
lished by Cambridge University Press
in 2013.1 Written by an international
group of about 20 legal experts at the
invitation of the Tallinn, Estonia-based
NATO Cooperative Cyber Defence
Centre of Excellence, it is an academic,
non-binding study on how international
law applies to cyber-conflicts and cyber-
warfare – the first real effort, in fact, to
analyse the topic in a comprehensive way
in order to try and clarify some of the
complex legal issues involved.
“Cyberwar is less specific
and includes everything from
cyber-espionage and cyber-
terrorism up to and including
all-out war in the more tradi-
tional sense – in which case,
cyber would undoubtedly
simply count as one tool in a
much wider armoury”
Among other things, the Manual pro-
vides a somewhat woolly definition of
when a cyber-attack could be deemed
an act of war, giving a country the right
to take action in order to defend itself.
Essentially this seems to amount to any
assault that results directly in loss of life
and so would inevitably include attacks
on critical national infrastructure rang-
November 2015
ing from energy, food, transport and tel-
ecoms suppliers to health and financial
institutions. This is because most indus-
trialised nations would very quickly be
brought to their knees if these facilities
were not able to function.
All-out war
For others, the term cyberwar is less
specific and includes everything from
cyber-espionage and cyber-terrorism up
to and including all-out war in the more
traditional sense – in which case, cyber
would undoubtedly simply count as one
The ‘Tallinn Manual’ attempted to define
and provide a framework for the concept
of cyberwar.
Cath Everett
tool in a much wider armoury of other
more conventional weapons.
Steve Ward, senior director at iSight’s
Critical Intelligence business, which
specialises in threat intelligence work
for critical infrastructure systems,
believes for instance that we are cur-
rently “embroiled in a long cyber-
conflict or cyber-insurgency” that is
characterised by covert espionage-style
operations. “It’s more like a cyber cold
war,” he explains. “But in the last cou-
ple of years, we’ve seen things edging
and inching further towards the red
line of ‘don’t do destructive attacks as it
warrants a destructive response’.”
“In the last couple of
years, we’ve seen things
edging and inching further
towards the red line of
‘don’t do destructive attacks
as it warrants a destructive
response’”
In other words, whether referring to gov-
ernment or private sector systems, “we are
starting to see probing taking place [against
critical infrastructure] to understand what
can and can’t be done,” Ward says.
A question of
attribution
As an example, Ward cites the Black
Energy malware that iSight discovered
in October 2014. Developed by the
Russian ‘Sandworm’ team, its aim was to
compromise the core supervisory control
and data acquisition (SCADA) systems
11
Computer Fraud & Security
 FEATURE
Steve Ward, iSight: “It’s more like a cyber cold
war.”
on which critical national infrastructure
(CNI) around the world is based. “It
targeted NATO, the EU and Ukraine
and also found its way into US energy
companies. Nothing happened from it
and they weren’t shut down, but it shows
the capability exists and penetration
occurred,” he says.
Another group of Russian hack-
ers known as ‘Energetic Bear’ or
‘Dragonfly’ were also discovered a few
months earlier to be attacking energy
firms in the US and Europe, including
France and Germany. These organisa-
tions included electricity-generating
companies, grid and petroleum pipeline
operators as well as other strategically
important targets.
“It’s got to the stage where
more countries will use these
kind of tactics as a way to
conduct activity without
people being able to connect
it back to them directly”
Interestingly, security software supplier
Symantec also pointed out at the time
that the group’s resources, size and levels
of internal organisation appeared to sug-
gest state involvement. But a key issue
in this scenario is, of course, always one
of attribution. For example, Ward says,
there is evidence to suggest that hacktiv-
ists and paid contractors, particularly
in South East Asia, are now being used
around the world as a front for nation-
state activity.
12
Computer Fraud & Security
A good example of this was the high-
profile cyber-attack to embarrass Sony
in 2014, apparently carried out by the
so-called ‘Guardians of Peace’ group, but
widely thought to be the work of the
North Korean state, partly in response to
the entertainment giant’s plans to release
a comedy film centred around its leader,
Kim Jong-un.
And the same is true of ISIS’ apparent
‘Cyber Caliphate’ group, which hacked
US military command’s Twitter feed and
posted pictures of a goat on it. “We drew
the conclusion several months ago that
they’re not real jihadis. They’re a tradi-
tional cyber-espionage group aligned
with Russia,” Ward says.
While their initial aim was to identify
targets for potential counter-terrorism
efforts, “they’re now bleeding into doing
things that align with the overall politi-
cal will of the Russian state. It’s just a
false flag to mask and create plausi-
ble deniability for the nation,” Ward
explains. “It’s got to the stage where
more countries will use these kind of
tactics as a way to conduct activity with-
out people being able to connect it back
to them directly.”
The problem, especially when dealing
with mercenaries, is that there is always
a danger of losing control, not least
because they generally sell their services
to the highest bidder and can easily fall
out of favour with a country’s leader-
ship or vice versa. “It’s theoretical at the
moment as we’ve not seen any examples,
but it could really come back to bite
people,” Ward says.
Cyber-espionage
Whoever is involved, there is no doubt
that serious cyber-espionage activity
is currently taking place. One of the
most concerning such operations to
date involved the theft in June 2015
of more than 21 million personnel
records relating to current and former
federal employees and civilians from the
US Office of Personnel Management
(OPM), which included 5.6 million
staff fingerprints. The breach is believed
to have taken place over the course of
a year and to have been perpetrated by
China.
“They literally have a treas-
ure trove of information and
details on every cleared con-
tractor and individual work-
ing for the US Government
– detail that can be used to
identify targets for blackmail”
Ward describes it as “the biggest espio-
nage coup in the history of humanity”
and one that has laid the “groundwork
for the potential use of cyber-attacks
for disruptive purposes” in future. He
explains the rationale: “They literally
have a treasure trove of information
and details on every cleared contrac-
tor and individual working for the US
Government – detail that can be used
to identify targets for blackmail in order
to recruit agents. It’s a massive problem
and one that we won’t even begin to feel
the impact of until we write the history
books of the next decade.”
“Chinese president Xi Jinping
agreed to avoid ‘knowingly’
spying on US organisations,
while US president Barack
Obama revealed he had
threatened to carry out
sanctions”
The severity of the situation led to
an inconclusive summit at the end
of September 2015 between the two
nations aimed at reducing growing
tensions and defusing a potential
cyber-arms race. Chinese president Xi
Jinping agreed to avoid “knowingly”
spying on US organisations, while US
president Barack Obama revealed he
had threatened to carry out sanctions
against any Chinese bodies suspected
of attacks.
Given all of this, Tom Williams, lead
investigative consultant at informa-
tion security services provider Context
November 2015

Information Security, believes that, if
nothing else, cyber has certainly revolu-
tionised the way nation states undertake
espionage, as it has become a much
cheaper and more deniable way of doing
it. A case that particularly interests
him though is the cyber-attack on an
unnamed German steel works that took
place at the end of 2014.
The spear-phishing campaign involved
using booby-trapped mails to steal
employee login details, which in turn
gave the perpetrators access to the mill’s
control systems. The resultant assault on
the plant’s computer network led to one
of its blast furnaces going into unsched-
uled shutdown and suffering massive
damage.
“Over the last 10 to 15
years they’ve become quite
advanced in hardening the
control systems that make
up the bulk of CNI”
“Apart from Stuxnet, this is the only
time I’ve seen any physical implications
of a cyber-operation,” says Williams.
“But after it was first announced, no fur-
ther details were made public, which is
interesting in itself as there was obvious-
ly sensitivity around the information.”
In light of such damaging activities,
the obvious question is just how secure
the CNI of highly industrialised coun-
tries such as the UK and US actually
would be in an all-out-war situation?
The answer, it seems, is mixed depend-
ing on which elements of CNI you’re talk-
ing about and in which industries. Mark
Carolan, head of research and development
at information security services provider
Espion Group, sums it up: “It’s better than
it was 10 years ago, but it’s not perfect. If
we were under attack, the standalone ele-
ments would be OK, but the devil’s in the
interconnectedness of everything.”
Soft underbelly
A key issue is that many SCADA sys-
tems on which CNI is based are com-
November 2015
Mark Carolan, Espion: “The devil’s in the
interconnectedness of everything.”
plex and old and, as such, were built as
standalone entities to be looked after
by specialist control engineers. The fact
that they were not designed with secu-
rity in mind did not pose a problem
until they were networked together and
connected to the Internet, at which
point they became vulnerable to exter-
nal attack – a situation made worse due
to the bespoke, specialised nature of
such machines, which makes them dif-
ficult to safeguard.
“It’s kind of a soft underbelly in both
the UK and US, although over the last
10 to 15 years they’ve become quite
advanced in hardening the control sys-
tems that make up the bulk of CNI,”
says Carolan. “They’ve been retrospec-
tively swapping out the more vulnerable
systems and getting more secure infra-
structure in place, but clearly it’s a long
process.”
“Two-thirds of the cyber-
security experts involved in
the study believed that the
threats they faced were more
dangerous than two years
ago, and that things were
only likely to get worse”
A recent study entitled ‘Cyber Supply
Chain Security Revisited’ by market
research firm ESG revealed that such
FEATURE
activity was vital, however – and becom-
ing more so.2 For instance, it found that
just over two-thirds of the US-based
critical infrastructure organisations ques-
tioned – and there is no reason to believe
that things would be any different in the
UK or other industrialised nations – had
experienced one or more security inci-
dents over the past two years.
Some 36% of those affected said that
a cyber-security event had led to the
disruption of critical business processes
and/or critical operations resulting in
everything from a power failure to an
ATM network outage or clinical sys-
tem going offline. Just under a third
of respondents also indicated that they
had suffered a confidential data breach.
Worryingly, two-thirds of the cyber-
security experts involved in the study
believed that the threats they faced were
more dangerous than two years ago, and
that things were only likely to get worse.
Cultural issues
Technical matters are not the only con-
cern in this context though. Equally
worrying are the cultural and people
issues. On the one hand, many CNI
organisations are under private sector
ownership and have different priorities
to those of government, which is there
to protect the nation’s interests as well as
those of its citizens.
But as Context Information Security’s
Williams points out, despite this, “it
might not be in every chief executive’s
greatest interest to implement levels of
security levels that impact their profits.
Governments have responsibility and are
already doing a lot, but companies have
a responsibility too and not all of them
want to spend X amount on security
measures for hypothetical situations.”
To make matters worse, there are also
a number of ‘interdependencies’ at dif-
ferent levels. “Different countries are all
buying and using each other’s technol-
ogy generally supplied by the cheapest
vendor,” says Espion’s Carolan. “So you
might buy a US tank, but it could have
13
Computer Fraud & Security
 FEATURE
elements that are Russian or Chinese-
made. It’s the world we live in, but by
adding different service providers in
to the supply chain, you’re inherently
building in insecurity.”
“You might buy a US tank,
but it could have elements
that are Russian or Chinese-
made. It’s the world we live
in, but by adding different
service providers in to the
supply chain, you’re inher-
ently building in insecurity”
The same goes for internal personnel,
who could wreak just as much havoc as
an external cyber-attack if they so chose.
For instance, a double-agent working
in a nuclear power station would could
do just as much damage to systems as a
remote hacker or even a terrorist firing a
missile outside from a rocket launcher.
Coordinated response
As a result, in an attempt to deal coher-
ently with attacks on critical systems,
the UK launched a national Computer
Emergency Response Team (CERT-UK)
in spring 2014. Its aim is to take the
lead in coordinating the management
of any incident response activity and to
act as the country’s key contact point
for collaboration with international
counterparts. A further role is to sup-
port CNI companies in handing secu-
rity events and promoting awareness of
the issue across industry, academia and
the public sector.
At the European level, meanwhile,
work on the E20 million, three-year
European Control System Security
Incident Analysis Network (Ecossian)
research project is about a year in and
includes 14 member states. The goal is
to coordinate CNI intelligence at the
European level in order to improve the
detection and management of cyber-
security incidents and attacks.
Ultimately Ecossian is intended to
act as a pan-European early warning
14
Computer Fraud & Security
system and will be based on a three-
tier model – national CNI services
providers will provide intelligence
and be offered support via Operator
Security Operation Centres (O-SOCs).
National Security Operation Centres
(N-SOCs) will likewise be set up at
the member state level to coordinate
activity and liaise with international
counterparts in order to improve
decision-making and incident response
capabilities. They, in turn, will be
connected to a European Security
Operation Centre (E-SOC) to enable
consistent cross-border collaboration.
The final stage of the project in 2017
will be to perform a full-scale demon-
stration of the Ecossian framework and
system for evaluation purposes in order
to establish whether it should become
operational and, over time, form a suit-
able platform to share similar informa-
tion with the US.
Espion’s Carolan who is involved in
the initiative, explains that its focus is
one of “coordination rather than con-
trol” with the aim of enabling “the free
flow of information for the benefit of
Europe as a whole to guard against com-
mon threats”.
He continues: “It would mean warn-
ing people with similar systems if, for
example, a microprocessor that controls
a certain valve was known to have a vul-
nerability. So it might open the car park
gates at a supermarket, but also open the
control rods in a nuclear reactor.”
Asymmetric warfare
A particularly worrying issue in the
cyber realm, of course, is that of asym-
metric warfare, in which a great deal of
damage can be done by an enemy with
few resources. “For example, if you look
at the UK’s reservoirs or canal and river
systems, they’re an integral part of how
it functions, but they’re in isolated plac-
es that are rarely visited or monitored,”
Carolan says. “They’re all controlled by
flood gate sensors, which are computer
controlled and owned by disparate
companies that don’t put much resource
into them and so they’re vulnerable.”
“If you wanted to cripple
a country, all you’d have
to do is poison a bottle
of milk, announce it,
but don’t say which one
it is”
It is possible to do even more damage
by introducing an element of doubt. The
point is that CNI not only has to be relia-
ble but also has to be seen to be so or peo-
ple lose faith very quickly and fear rules.
Carolan concludes: “If you wanted to
cripple a country, all you’d have to do is
poison a bottle of milk, announce it, but
don’t say which one it is. If you could
prove you did it and got away with it,
the government would topple in a week
as people’s faith in its ability to protect
its citizens would dissolve quickly. So
CNI has to be seen to be dependable –
it’s vital.”
About the author
Cath Everett has been an editor and jour-
nalist for more than 20 years, specialis-
ing in information security, employment,
skills and all things HR. She has worked
in the online world since 1996, but also
has extensive experience of print, having
worked for publications ranging from The
Guardian to The Manager. She returned
to the UK from South Africa at the end of
2014 where she wrote a lifestyle blog for
International Business Times.
References
1. ‘Tallinn Manual’. NATO
Cooperative Cyber Defence Centre
of Excellence. Accessed Oct 2015.
https://ccdcoe.org/tallinn-manual.
html.
2. Gahm, J; Lundell, B; Oltsik, J.
‘Cyber Supply Chain Security
Revisited’. ESG, 14 Sep 2015 (sub-
scription required). Accessed Oct
2015. www.esg-global.com/research-
reports/cyber-supply-chain-security-
revisited/.
November 2015