By Emil M. Hasanov

The National Cyber Strategy demonstrates my commitment to strengthening America’s cybersecurity capabilities and securing America from cyber threats. It is a call to action for all Americans and our great companies to take the necessary steps to enhance our national cybersecurity. We will continue to lead the world in securing a prosperous cyber future.

—President Donald Trump [1]

Nowadays, we are witnessing an increase in cyber crime and attack-related incidents, and their impacts are becoming more damaging. This alarming fact underlines the importance of improving security measures to mitigate the risks and impacts in the area of critical infrastructure. Analyzing the problems related to the security of critical infrastructure, we can see that the human factor, based on the level of awareness, heavily affects cyber attacks and their consequences. The threat to critical infrastructure is becoming more real and severe, and it is necessary to be aware of it and accordingly anticipate, predict, and take appropriate action so as to be fully prepared for a cyber attack. As mentioned above, the main reason for the escalation of cyber attacks against Critical Infrastructure (CI) is that most control systems used for CI do not use appropriate protocols and software; instead, they adopt standard solutions that are not applicable in all cases. As a result, critical infrastructure systems are becoming more vulnerable and exposed to cyber attacks than before.

Critical Infrastructure

Nowadays, there are slight differences between countries and international institutions in how they define critical infrastructure (CI) and its sectors.

The European Commission defines it as follows: ‘critical infrastructure’ means an asset, system or part thereof located in the Member States which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact in a Member State as a result of the failure to maintain those functions. [2]

UNDRR (United Nations Office for Disaster Risk Reduction) defines it as follows: The primary physical structures, technical facilities, and systems which are socially, economically, or operationally essential to the functioning of a society or community, both in routine circumstances and in the extreme circumstances of an emergency. [3]

NATO defines it as follows: Physical or virtual systems and assets under the jurisdiction of a State that are so vital that their incapacitation or destruction may debilitate a State’s security, economy, public health or safety, or the environment. [4]

The US approach is more comprehensive and inclusive, and it has been particularly evolving since the attacks of September 11, 2001.

The United States defines it as follows: “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” [5]

The Homeland Security Act of 2002 established the Department of Homeland Security (DHS) and also formally introduced the concept of “key resources”. “Key resources” are defined as “publicly or privately controlled resources essential to the minimal operations of the economy and government”.

Critical Infrastructure Sectors

Each national or international strategy and policy identifies different categories of sectors that are considered to offer vital services and thus require protection. A 2008 survey examined the policies of 25 countries and identified the following sectors as the most frequently mentioned:[6]

  • Banking and Finance
  • Central Government
  • (Tele-)Communication / Information and Communication Technologies (ICT)
  • Emergency / Rescue Services
  • Energy / Electricity
  • Health Services
  • Transportation / Logistics / Distribution
  • Water (supply)
  • Food (supply)
  • Environmental Protection


European Definitions [7]

The EU directive identifies the following two sectors and their respective sub-sectors:

I Energy

II Transport

UNDRR (United Nations Office for Disaster Risk Reduction)

Critical facilities are considered elements of the infrastructure that support services in a society.[8]

US Critical Infrastructure sectors

There are 16 critical infrastructure sectors in the US whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.[9]


Cyberattacks

Our adversaries and strategic competitors will increasingly use cyber capabilities—including cyber espionage, attack, and influence—to seek political, economic, and military advantage over the United States and its allies and partners. China, Russia, Iran, and North Korea increasingly use cyber operations to threaten both minds and machines in an expanding number of ways—to steal information, to influence our citizens, or to disrupt critical infrastructure.

According to Daniel R. Coats (Director of National Intelligence), China and Russia pose the greatest espionage and cyber-attack threats, but the US has anticipated this and equipped itself accordingly. These countries increasingly build and integrate cyber espionage, attack, and influence capabilities into their efforts to influence US policies and advance their own national security interests.

China

According to Daniel R. Coats, China authorizes cyber espionage against key US technology sectors. The US has expressed its concerns about the potential for Chinese intelligence and security services to use Chinese information technology firms as routine and systemic espionage platforms against the United States and its allies. [10]

Russia

According to the United States Intelligence Community’s report of 2019, Russia poses a cyber espionage, influence, and attack threat to the United States and its allies. Moscow continues to be a highly capable and effective adversary, integrating cyber espionage, attack, and influence operations to achieve its political and military objectives.

According to the report, Russian intelligence and security services will continue targeting US information systems, as well as the networks of NATO and Five Eyes partners, for technical information, military plans, and insight into governments’ policies. [11]

Iran

Iran uses increasingly sophisticated cyber techniques to conduct espionage; it is also attempting to deploy cyber-attack capabilities that would enable attacks against critical infrastructure in the United States and allied countries. Tehran also uses social media platforms to target US and allied audiences, an issue discussed in the Online Influence Operations and Election Interference section of the same intelligence report.

Iran is capable of disrupting companies’ corporate networks for weeks, as it did with the data deletion attacks against Saudi Arabian governmental and private-sector networks in late 2016 and early 2017. [12]

North Korea

North Korea poses a significant cyber threat to financial institutions. North Korean cybercrime operations have included attempts to steal more than $1.1 billion from financial institutions around the world.[13]

Another group of cyber actors consists of non-state and unattributed actors.

Terrorists could obtain and disclose compromising or personally identifiable information through cyber operations, defacing websites or executing denial-of-service attacks against poorly protected networks—with little to no warning. [14]

In fact, every year malware from unlicensed software costs companies and governments worldwide nearly $359 billion a year, or $10,000 per infected computer.  One study conducted last year showed that organizations now face a nearly one-in-three chance of encountering malware when they obtain or install unlicensed software.[15]

Governmental expenditures on cybersecurity are also increasing. For example, the US FY 2019 President’s Budget includes $15 billion of budget authority for cybersecurity-related activities, a $583.4 million (4.1 percent) increase above FY 2018. The US DOD was the largest contributor to this total. [16]

Worldwide spending on information security (a subset of the broader cybersecurity market) products and services exceeded $114 billion in 2018, an increase of 12.4 percent from 2017, according to Gartner, Inc. For 2019, they forecast the market to grow to $124 billion, and $170.4 billion in 2022.[17]

An April 2019 European Commission recommendation highlighted that the cybersecurity of the energy system, and of the electricity grid in particular, needs a dedicated sectoral approach.[18]

The EU has one of the most reliable electricity grids in the world, and possible vulnerabilities have not so far been exploited to disrupt the energy supply on a large scale. [19]

The American and European approaches in this area present many differences. The United States has favored a strategy of ‘security in-depth’ with strict and detailed regulations in specific sectors, which are implemented by institutions possessing coercive powers. The EU has adopted a more flexible and exhaustive approach covering a wide range of issues, leaving an important margin of maneuver for member states in the implementation of norms. No doubt the American system can serve as a model to improve certain weaknesses in the European approach, and vice versa, the EU approach can make its own contribution to the American one.[20]

Nowadays, emerging threats are numerous: as all sectors of the economy rely on energy to operate, exploiting weaknesses in the grid’s critical infrastructure has the potential to initiate a ‘cascade effect’ that hinders or halts operations in other sectors, such as transport, finance, and healthcare. Disabling the energy grid can provoke civil unrest, disrupt chains of communication, degrade military readiness, and generally impede a government’s ability to respond quickly and effectively in a crisis situation. [21]

Notable incidents related to the physical and cybersecurity of energy

Reports of hackers penetrating Russian and US power networks, 2019

In March 2019, the US grid regulator NERC warned[22] that a hacking group with suspected Russian ties was conducting reconnaissance[23] into the networks of American electrical utilities. In June 2019, the New York Times reported[24] that American ‘code’ had been deployed inside many elements of Russia’s power network by US military hackers targeting Russian power plants. The claims were denied by President Trump and regarded with skepticism by cybersecurity experts.

Cyber-attack on the petrochemical plant, Saudi Arabia, August 2017

The cyber-attack on a Saudi petrochemical plant in August 2017 [25] was the first known attempt to manipulate an emergency shutdown system. The attack resulted in the plant shutting down. Cybersecurity experts from FireEye Intelligence reported the deployment of the TRITON malware and attributed it to the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM; a.k.a. ЦНИИХМ), a Russian government-owned technical research institution located in Moscow. [26]

Cyber-attacks on the Ukrainian power grid, 2015 and 2016

In December 2015, hackers attacked the computer system of a western Ukrainian power utility and cut off the electricity to some 225 000 people. [27] In February 2016, U.S. Deputy Energy Secretary Elizabeth Sherwood-Randall attributed the first attack on the Ukrainian grid to Russia at a meeting with U.S. energy industry executives. Experts drew attention to the Sandworm Team, which has targeted NATO, European governments, and industrial control systems generally. In February 2017, Ukrainian officials blamed Russian security services and the group behind the BlackEnergy3 malware.[28]

Baku-Tbilisi-Ceyhan oil pipeline explosion, Turkey, 2008

The Baku-Tbilisi-Ceyhan (BTC) oil pipeline in Turkey experienced a rupture and fire in 2008[29]. The Kurdish Workers Party claimed responsibility for the 6 August 2008 cyberattack on the BTC pipeline, which occurred inside Turkey near the town of Refahiye. The physical rupture led to the ignition of the escaped product and an explosion, resulting in a fire that was extinguished by firefighters on August 7, 2008. The pipeline was out of commission until August 25, 2008.[30]

The investigations found that an elaborate cyber-attack caused the explosion: the perpetrators turned off all the distress signals and erased 60 hours of surveillance video. According to Bloomberg, the main weapon of the attackers was a keyboard, as they hacked into the control room, cut off communications, and maximized the pressure in the pipeline.[31]

The incident occurred at a time when tensions between Russia and Georgia were building towards armed conflict. Russia officially deployed troops into the Russian-Georgian conflict two days after the pipeline explosion occurred. Cyber attackers accessed the control system of the pipeline via internet-connected security cameras and gained access to the industrial control systems to raise the pressure in the pipeline, causing it to rupture.[32]

Critical Infrastructure Protection Measures

EU

Cybersecurity Act: Regulation (EU) 2019/881 (the Cybersecurity Act), which is part of the 2017 cybersecurity package and entered into force in June 2019, aims to strengthen the EU’s response to cyber-attacks, improve cyber-resilience and increase trust in the digital single market. The Act empowers the European Union Agency for Cybersecurity (ENISA) to improve coordination and cooperation in cybersecurity among EU Member States and EU institutions. It establishes an EU cybersecurity certification framework for specific categories of information and communication technology products, processes and services.[33]

Security of Gas Supply Regulation: Regulation (EU) 2017/1938 deals with gas supply shortages caused by a number of risk factors, including cyber-attacks, war, terrorism, and sabotage. [34]

In April 2019, the Commission issued Recommendation (EU) 2019/553, which states that member states should take appropriate measures, including cybersecurity risk analysis and preparedness, when making decisions about infrastructure.[35]

United States of America

The 2005 Energy Policy Act in the United States was the first important legislation to address the growing challenge of cybersecurity in the energy sector. This legislative act was adopted in response to the Northeast blackout of 2003, which left 50 million North Americans without power. The act granted the Federal Energy Regulatory Commission (FERC) the ability to appoint an Electric Reliability Organization (ERO) responsible for reliability standards for all bulk power electric utilities in the country.

The North American Electric Reliability Corporation (NERC), a private non-profit organization, was designated as the ERO for the United States and several Canadian provinces in 2006. NERC is responsible for developing the Critical Infrastructure Protection (CIP) standards (NERC-CIP), which are ultimately reviewed by FERC.

The Office of Cybersecurity, Energy Security, and Emergency Response (CESER) is designed to lead the Department of Energy’s coordinated response to disruptions by partnering with the National Laboratory system, private sector coordinating organizations, and state and local governments. The Cybersecurity Risk Information Sharing Program (CRISP) is a public-private data sharing and analysis platform that facilitates the timely bi-directional sharing of unclassified and classified threat information among energy sector stakeholders.[36]

About the Author

Emil M. HASANOV (LL.M.) studied Law at Baku State University (Azerbaijan) and the University of Geneva (Switzerland). He completed programs at Cranfield University (Defence Academy, Cranfield Mine Action, UK), Carleton University (Canada), George Washington University, the Thunderbird School of Global Management, USEUCOM (US European Command) and other reputable international institutions. He has lectured at Cranfield Academy, the MFA of Azerbaijan (NATO winter school), and the MFA of Georgia.

He previously worked for the Ministry of Justice (retired Captain of Justice) and provided advisory services to the MFAs of Azerbaijan, Germany and Slovenia. He served as Head of Operations (Deputy Director of Agency) for UNDP/ANAMA (Azerbaijan National Agency for Mine Action), researcher/editor of the Geneva-based Landmine & Cluster Munition Monitor (21 countries/areas in the CIS and MENA), Regional Adviser of the Slovenian International Trust Fund for the South Caucasus (Slovenia-Georgia), Strategic Capacity Development Adviser of UN Peacekeeping Operations (UN Hybrid Operation in Darfur, UNAMID, Sudan), Transition Manager/Legal Advisor of a US Department of State program to the MoD of Georgia, and International Expert of OSCE-Ukraine and other international organizations. Emil has held various assignments with the UN, NATO/NAMSA, EC-EEAS and OSCE. He is a co-founder of the Club de Geneve (Geneva-based think tank, www.clubofgeneva.org).

Emil has undertaken missions and assignments in armed conflict-affected countries and areas: Georgia, Ukraine, Yemen, the Turkish-Syrian, Turkish-Iranian and Tajikistan-Afghanistan borders, Darfur (Sudan), Cyprus, Bosnia and Herzegovina, and Iran.

He is the author of articles published in Azerbaijan and the USA. He is a charter member of the Rotary Club of Baku International (RCBI), Past President of RCBI, past Assistant Governor of RI District 2430 (Azerbaijan), and RI District 2430 Assistant Governor (Afghanistan, Tajikistan, Turkmenistan, and Uzbekistan).

He currently works in Communication & External Affairs at an international energy company.