Jeff Bardin

Intelligence games in power grid - deception, denial, manipulation

The behavior analysis topic is used to discuss a case study of SCADA systems and the sale of SCADA hardware, with its associated software, that could be spiked (loaded with malware). The case study focuses on potential Russian activities in this area: the creation of fake companies, the duplication of websites and website content to make them look legitimate, and the tracking of the people potentially behind this to other malicious cyber activities.

“A new type of war has emerged, in which armed warfare has given up its decisive place in the achievement of the military and political objectives of war to another kind of warfare - information warfare.”

Infiltrating systems in the deployment phase is attractive because it does not require the devices themselves to be vulnerable. SCADA systems are generally very poorly maintained; where patch uptake has been observable in the market at all, it has bordered on 0%. Beyond directly affecting those systems as a means in a conflict, the devices are typically deployed on networks from which they can reach other internal resources. Being able to infect devices that are likely to spend 10 to 20 years on a network largely unmaintained is one of the most stable sources of persistence a threat actor can obtain. The devices therefore provide not only a means of controlling critical infrastructure in other nations, but also access to other internal resources for an extended period.

The accelerating trends of supply chain globalization and outsourced manufacturing and distribution have combined to increase the pace of change, complexity, and risk for brand owners. These trends have created a fundamental shift in the way companies of all sizes plan, source, make, and deliver their goods and services. The Russian focus on actively targeting various phases of the supply chain means that malware arrives with the product itself, so its installation is viewed as normal network activity: exactly the activity that is expected when the hardware and software in question are commissioned.

Supply chains are difficult to secure; they create risk that is hard to identify, complicated to quantify and costly to address. A compromise anywhere in the supply chain can have just as much impact on your organization, and its reputation, as one from within the organization. It is therefore necessary to track everything that happens in the supply chain, as even the smallest supplier or the slightest hiccup can have a dangerous impact on your business.

The cyber security industry has already seen USB devices shipped with malware straight out of the factory, just as magazine cover CDs carried malware during the 1990s. Affecting devices on the production line is of course as tempting to actors from Russia as it has been for the NSA. A state actor focused on monitoring citizens has different requirements from a nation building its cyber arms arsenal: where the NSA's focus was networking equipment and traffic monitoring, targeting control-system hardware makes the same degree of sense from a cyber-arms perspective.

Russian methods of information influence and information operations include network operations alongside disciplines such as psychological operations, strategic communications and influence, along with “intelligence, counterintelligence, maskirovka, disinformation, electronic warfare, debilitation of communications, degradation of navigation support, psychological pressure, and destruction of enemy computer capabilities.” Taken together, this forms a whole of systems, methods, and tasks to influence the perception and behavior of the enemy, population, and international community on all levels.

One fundamental distinction between Russian and Western approaches to information activities is the categorization of computer network operations and other activities in cyberspace.

“Cyber” as a separate function or domain is not a Russian concept. The delineation of activities in the cyber domain from other activities processing, attacking, disrupting or stealing information is seen as artificial in Russian thinking. In this context, “distributed denial of service attacks (DDoS), advanced [cyber] exploitation techniques and Russia Today television are all related tools of information warfare.”

A key concept often lost on the West is Russia’s willingness to give primacy to non-kinetic operations, especially information warfare. The Western assumption has been that subversion, deception, and the like are all ‘force multipliers’ for the combat arms, not forces in their own right. At present, though, Russia clearly sees the kinetic and the non-kinetic as interchangeable and mutually supporting.

The Russian targeting of various phases of the SCADA supply chain represents information-technology warfare (affecting the technical systems that receive, collect, process and transmit information), which is conducted during wars and armed conflicts. Analysis does not usually target the behaviors the perpetrators exhibit. Examining Russian activities within the SCADA supply chain requires analysis focused on users, user accounts, user identities, and the sources of their activities. This discussion focuses on potential front companies selling industry-known and respected SCADA hardware with accompanying software. Openly selling to Western, Asian, and Middle Eastern energy organizations, which buy in good faith from these apparently established companies, is seen as a method of infiltrating critical infrastructures in target organizations globally. The capability is then held for later use as part of an integrated sea, air, land and cyber strategy of hybrid warfare.
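Tracking front companies and cloned vendor websites back to the people behind them, as the case study and the identity-focused analysis above describe, is in practice a pivoting exercise: domains that share a registrant address, name servers or a hosting IP are candidates for the same operator. The following is an added example of that pivot and is not code from the talk or from Treadstone71. All domains, addresses and registration details are constructed, and the list of "common infrastructure" keys to ignore is an assumption for the demonstration; in real work it would come from how many unrelated sites share each key.

```python
"""Cluster domain-registration records by shared infrastructure.

Added example: pivots over registrant e-mail, name servers and hosting IP,
joining records that share a key into one cluster (union-find), and records
which key tied each pair together so the link can be reviewed.
"""
from collections import defaultdict

# Constructed sample records (hypothetical front-company and unrelated sites;
# reserved documentation IP ranges, no real indicators).
RECORDS = [
    {"domain": "scada-vendor-store.example", "registrant_email": "admin@relay.example",
     "nameservers": ["ns1.cheaphost.example", "ns2.cheaphost.example"], "ip": "203.0.113.10"},
    {"domain": "scada-vendor-shop.example", "registrant_email": "admin@relay.example",
     "nameservers": ["ns1.cheaphost.example", "ns2.cheaphost.example"], "ip": "203.0.113.11"},
    {"domain": "grid-parts-direct.example", "registrant_email": "privacy@proxy.example",
     "nameservers": ["ns1.cheaphost.example", "ns2.cheaphost.example"], "ip": "203.0.113.11"},
    {"domain": "unrelated-bakery.example", "registrant_email": "owner@bakery.example",
     "nameservers": ["ns1.cheaphost.example", "ns2.cheaphost.example"], "ip": "198.51.100.5"},
    {"domain": "forum-phish.example", "registrant_email": "privacy@proxy.example",
     "nameservers": ["ns1.other.example"], "ip": "192.0.2.77"},
]

# Assumed list of keys too common to count as evidence on their own: a bulk
# hoster's name servers and a privacy-proxy registrant address link thousands
# of unrelated sites, so pivoting on them produces false attribution.
COMMON_KEYS = frozenset({
    ("ns", "ns1.cheaphost.example"), ("ns", "ns2.cheaphost.example"),
    ("email", "privacy@proxy.example"),
})


def pivot_keys(rec):
    """Yield (kind, value) pivot keys for one registration record."""
    yield ("email", rec["registrant_email"].lower())
    for ns in rec["nameservers"]:
        yield ("ns", ns.lower())
    yield ("ip", rec["ip"])


def cluster_by_shared_infrastructure(records, common_keys=frozenset()):
    """Return (clusters, evidence).

    clusters: sorted list of sorted domain lists; two domains share a cluster
              when they are connected by any pivot key not in common_keys.
    evidence: {(domain_a, domain_b): set of keys that tied that pair}.
    """
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    owners = defaultdict(list)  # pivot key -> record indexes carrying it
    for idx, rec in enumerate(records):
        for key in pivot_keys(rec):
            if key not in common_keys:
                owners[key].append(idx)

    evidence = defaultdict(set)
    for key, idxs in owners.items():
        first = idxs[0]
        for j in idxs[1:]:
            union(first, j)
            pair = tuple(sorted((records[first]["domain"], records[j]["domain"])))
            evidence[pair].add(key)

    clusters = defaultdict(list)
    for i, rec in enumerate(records):
        clusters[find(i)].append(rec["domain"])
    return sorted(sorted(c) for c in clusters.values()), dict(evidence)


if __name__ == "__main__":
    naive, _ = cluster_by_shared_infrastructure(RECORDS)
    print("naive pivot (no common-key filter):", naive)
    clusters, evidence = cluster_by_shared_infrastructure(RECORDS, COMMON_KEYS)
    print("filtered pivot:", clusters)
    for pair, keys in sorted(evidence.items()):
        print("  ", pair, "linked by", sorted(keys))
```

The naive run merges all five constructed records into one cluster because every site but one uses the same bulk hoster; with the common-key filter only the two look-alike vendor storefronts and the parts site remain linked, and the evidence map shows which single key (a shared registrant address, a shared hosting IP) made each link, which is what an analyst needs to check before attributing the cluster to one operator.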

Jeffrey Bardin

Currently serving as the Chief Intelligence Officer for Treadstone71, Jeff has worked in leadership positions at organizations such as General Electric, Lockheed Martin, and Marriott International. He also served as the Security Manager for the Centers for Medicare and Medicaid (LMIT), Chief Security Officer for Hanover Insurance, Chief Information Security Officer for Investors Bank & Trust, and Director, Office of Risk Management for EMC. In 2007 he was awarded the RSA Conference award for Excellence in the Field of Security Practices. The Bardin-led security team at Hanover Insurance also won the 2007 SC Magazine Award – Best Security Team. Jeff sits or has sat on the boards of directors of Boston Infragard, Content Raven and Wisegate; was a founding member of the Cloud Security Alliance; is a member of the Cyber Security Forum Initiative; is a former member of the RSA Conference Submission Selection Committee; and formerly served on the Customer Advisory Board for Chosen Security. Jeff published The Illusion of Due Diligence in 2010, was a co-author of the Computer and Information Security Handbook, Understanding Computers, and Middle Eastern Cyber Warfare Doctrine, and has published articles in magazines such as The Intelligencer, CSO, and SC Magazine. Mr. Bardin has also appeared on CNN, CBS News, and Fox, and has contributed bylines to Business Insider and other news outlets. Jeff served in the USAF as a cryptologic linguist (National Security Agency) and in the USANG as an Armored Scout Platoon Leader. He has a BA in Special Studies - Middle East Studies & Arabic Language from Trinity College as well as an MS in Information Assurance from Norwich University, Cum Laude. Jeff blogs at cybershafarat.com and has been a professor in master’s programs in cyber intelligence, counterintelligence, clandestine cyber HUMINT, and cyber terrorism. Jeff also holds the CISSP, CISM, and NSA-IAM certifications.

Contact us

TATE International s.r.o.
Hořejší nábřeží 21, 150 00 Praha 5

Phone: +420 737 215 220