Same battle, different field

In May 2008, following sustained nation-state levels of cyberattacks on Estonia, James Mattis, NATO's supreme allied commander and a U.S. Marine Corps general, described the need for a cyberdefense center to be “compelling.” The aim was to “provide a capability to assist allied nations, upon request, to counter cyberattack.” By October, the center was granted full NATO accreditation and the Cooperative Cyberdefense Center of Excellence (CCDCOE) obtained the status of an international military organization.

Since then the agency has sought to enhance the capability, cooperation and information sharing among NATO nations and partners in cyberdefense via education, research and development, lessons learned and consultation. In particular, the Tallinn Manual on the International Law Applicable to Cyber Warfare – compiled for the CCDCOE with contributions from around 20 experts and published in April 2013 – aims to establish international law applicable to cyberwarfare. 

“The 2007 cyber operations against Estonia and the 2008 cyber events in Georgia demonstrated that this new medium of future warfare should be taken seriously,” says William Boothby, an editor on the Tallinn Manual and a former deputy director of legal services in the U.K.'s Royal Air Force (RAF). The Stuxnet operation that reportedly damaged Iranian nuclear centrifuges reinforced the point, he adds. 

“Many of the established legal principles apply surprisingly well to this man-made environment,” Boothby says. “Certain cyberevents could amount to a prohibited use of force under the UN Charter and they even amount to an ‘armed attack.’ The law as to what warring parties can attack assumes that there is an act of violence. When using computers to cause harm, the experts concluded that it is the damaging or injuring effects of a cyberoperation that are important. Consequently, laws as to who or what may be attacked can also sensibly be applied to cyberwarfare operations. If the law on attack can be applied to cyberattacks, the law on weapons can also be sensibly applied to cyberweapons.”

Jamal Elmellas, technical director at Auriga Consulting, says that worldwide the most targeted verticals are government, energy, financial services and higher education. “We're already seeing sensors deployed on gas and electricity pipelines to monitor supply,” he says. “These are based on IP and could be susceptible to attack. In addition to the increased attack surface, the stakes are also higher with intellectual property – now a prized asset and key motivator.”

But investment in security hasn't kept pace, says Elmellas. “Many of the energy companies have inadequate risk management security policies and even fail to maintain updated anti-virus solutions. In the U.K., around 100,000 new pieces of malware are introduced every day. It can only be a matter of time before an attack against an entire nation's energy sector manifests itself.”

Examples include Stuxnet; Disttrack/Shamoon (targeting Saudi Aramco); Icefog (hired hackers focused on the supply chain); and Flame (a trojan aimed at the Iranian and Eastern European energy sectors). Typically these were zero-day attacks that used intelligent sector targeting and were aimed at the weakest link in order to exploit integration weaknesses.

“These attacks require weaknesses to be addressed and security implemented throughout the organization, from a secure code development lifecycle to holistic security governance covering all aspects – from power delivery to billing,” Elmellas explains. Secure communication mechanisms, he adds, are a must, as is resilience testing for any new technology introduced to the network (think tamper protection for field components such as smart meters). He also advises that incident management processes be put in place and isolation readiness addressed, so that a compromised segment can be cut off in the event that a breach does occur.

Further, he suggests that the energy sector build a tiered security strategy into the design phase of all critical national infrastructure (CNI) control systems, embedding multi-firewall mechanisms and anti-virus into complex technological solutions, and ensuring protection by spreading the load and placing targets across multiple platforms. Adopting a context- and sector-specific approach to the gathering of intelligence is vital, as is responsive risk management.