The document discusses cyberterrorism threats to critical infrastructure systems like power grids. It describes how terrorist groups could target these systems through cyber attacks, giving examples of botnets being used to overwhelm networks with denial of service attacks. The document also examines the challenges of attribution and response to such attacks since terrorist networks operate asymmetrically online. It argues strong cybersecurity defenses and ability to trace attacks are needed to counter potential cyberterrorism.
1. XV EURO-ASIAN ECONOMIC SUMMIT EU Power Grid - Increasing the Safety level of CIP ISTANBUL – 10-12.4.2012
Study case: The European Power Grid
2. CYBERTERRORIST THREATS TO POWER GRID
Threats to critical infrastructure
Threats to Networked Control Systems
Direct-Action Threats to Power Grid
Threats to Trustworthy Cyber-Infrastructure for Power (TCIP)
3. EXAMPLES OF CRITICAL INFRASTRUCTURE TARGETED BY CYBER TERRORISM
• Electricity, Gas & Oil Grids
• Nuclear Reactors
• Finance & Banking
• Passenger Transportation
• Human & Agricultural Health
• ICT Systems & Infrastructure
• Cities & Major Civil Works
4. INTERDEPENDENCY OF SYSTEMS
5. DEPENDENCY ON NETWORK-BASED SYSTEMS
• Dependency on network-based systems is pervasive across all sectors. Critical components of our national infrastructure rely on a variety of network-based systems.
• Each critical sector surveyed identified dependency on one or two sectors.
• The answer to the question “Are we ranking our critical infrastructures as to their vulnerability to cyber attacks?” is multi-faceted. The degree to which any sector is vulnerable depends on a number of characteristics: type of attack, scope of impact, time of attack, duration of outage.
6. Impact Assessment
7. EARLY ATTACKS ON THE INTERNET
9. Power Grid Management
10. What Should We Protect:
The equation:
– Summed over millions of Customers
– Entity types that comprise the Electricity Systems: Generation, Transmission, Load Serving Entities, Purchasing-Selling Entities, Reliability Coordinators, Control Areas, State National and Regional Carriers, Independent System Operators, Regulators.
– Split by three levels of interconnection:
• European
• National
• Regional
11. Electrical Grid of Europe
12. The nation’s electrical infrastructure comprises integrally linked generation, distribution, and transmission subsystems.
13. The European Commission’s Directorate-General for Energy manages work in this area:
• Sets reliability standards.
• Ensures compliance with reliability standards.
• Provides education and training resources.
• Conducts assessments, analyses, and reports.
• Facilitates information exchange and coordination among members and industry organizations.
• Supports reliable system operation and planning.
• Certifies reliability service organizations and personnel.
• Coordinates CIP of the bulk electric system.
• Administers procedures for conflict resolution on reliability issues.
14. DEFINING CYBER TERRORISM
• Cyber Terrorism is the convergence of Cyberspace and Terrorism. It refers to unlawful attacks and threats of attacks against computers, networks and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives.
• Serious attacks against critical infrastructures could be acts of Cyber Terrorism, depending on their impact. Attacks that disrupt nonessential services or that are mainly a costly nuisance would not.
• Cyber Terrorism refers to premeditated, politically motivated attacks by sub-national groups or clandestine agents against information, computer systems, computer programs, and data that result in violence against non-combatant targets.
15. Cyber Terrorism Threats
The four most common sources of threats:
1. Nation-States (major cyber attacks against one another were already launched during the last decade)
2. Terrorists (groups seeking to expand their capability in this area)
3. Terrorist sympathizers (the most likely group to launch a cyber attack)
4. Thrill Seekers (a minor threat because they are driven by a desire to show off their skills rather than a desire to destroy)
16. PHILOSOPHY OF CYBER TERRORISM (I)
• Cyber Space is a place where the bad guys have always been one step ahead of the good guys.
• Cyber Extremism is a reliable indicator of social problems and geopolitical tensions, shedding light on the root causes of terrorism and insurgency.
• Every extremist thinks that Cyber Security is a joke, and every cyber terrorist sees it as a weakness.
• Cyber Defense is only as strong as the weakest link.
17. PHILOSOPHY OF CYBER TERRORISM (II)
• Cyber Terrorists have at least three goals in mind:
(1) Information Theft - stealing data from a targeted personal device, system or network is not only the most common threat, but one which makes Cyber Terrorism attractive and profitable
(2) Information Disruption - defacement for the purpose of sabotage or vandalism, rendering critical operating systems incapable of performing their essential functions
(3) Information Denial - destruction via floods of automated hits, capable of bringing down whole countries if the economic, news media, Internet and telecommunications structures are disabled
18. CASE STUDY (I): A HYPOTHETICAL CYBER TERRORIST ATTACK
• The typical Cyber Terrorist attack would involve bringing down a country's energy & information infrastructure. They would use a distributed denial of service attack. Doing so would be the equivalent of launching millions of infobombs (e-Bombing) at a target, all while maintaining total deniability. The initial stages of the attack would only last a few hours, but there would be lingering effects lasting days or weeks. It would look something like this:
• Flag 1 is the Attacker - Republic Armada - a hypothetical country from the Far East,
• Flag 2 is the Bot Herder (explained in the next slide),
• Flag 3 is the Zombie (placed in Central America),
• Flag 4 is the Target (the U.S. in this case).
19. CASE STUDY (II): SCENARIO - ATTACKER
1. (ATTACKER) In this scenario, tension over proposed US legislation to raise tariffs on ARMADA imports triggers a crisis. Armada Gov’t orders a limited attack on the computer systems of US Congress members and energy corporations that support the bill. Armada security officials hire criminal bot herders to launch the denial of service attacks. Payments are routed via anonymous services like PayPal (often using branches based in Latin America). Target IP addresses and email accounts (harvested in earlier operations) are distributed through private chat rooms used by criminal hackers. Once the attack is under way, a media and diplomatic campaign will portray the attackers as Cyber Vigilantes operating on their own.
20. CASE STUDY (III): SCENARIO – BOT HERDER
2. (BOT HERDER) Freelance computer hackers function as the project managers for the DDoS attack. Typically, a hacker or a syndicate of hackers control one or more giant botnets, worldwide networks that can include 100,000 computers. Each machine has been surreptitiously infected by the bot herder with a bot, a remotely controlled piece of malicious software. Herders usually make their living by renting these networks out for commercial spam, phishing fraud, and denial-of-service extortion. On the bot herder's signal, his network of bots can launch millions of packets of information toward a single target, overwhelming its defenses and either crashing it or driving its owners to shut it down as a defensive precaution.
21. CASE STUDY (IV): SCENARIO - ZOMBIE
3. (ZOMBIE) Once an ordinary computer is infected by a bot, it becomes one of the unwitting drones that make up a global botnet – a Zombie. When Zombies receive a signal from the bot herder, the bot takes control of its host and sends out multiple packets of information - usually spam - to designated targets. Thanks to the distributed nature of these networks, attacks appear to be coming from random personal computers located all over the world. In this scenario, many will even be from within the US. And if you're wondering if your PC is infected, detection isn't easy. Fortunately, new versions of home security software, like Norton AntiBot, are targeting this new strain of malware. But bots keep mutating, so the
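The traffic pattern the bot herder and zombie slides describe, one target hit within a short window by a large number of unrelated hosts spread across many countries, is also what a defender can watch for. The following is an added example, not from the presentation: a Python detector run over constructed flow records that flags such distributed floods and summarises how spread out the sources are, which is the property that makes attribution hard. All addresses (RFC 5737 documentation ranges), countries, counts and thresholds are invented.

```python
from collections import Counter, defaultdict
import random

# Constructed flow records for this example, shaped like
# (timestamp_s, src_ip, src_country, dst_ip, packets). Invented values only.
def build_sample_flows(seed=7):
    rng = random.Random(seed)
    countries = ["US", "BR", "MX", "DE", "IN", "KR", "TR"]
    flows = []
    for i in range(300):  # 300 zombies each burst packets at one target inside a 10 s window
        src = f"192.0.2.{i + 1}" if i < 254 else f"198.51.100.{i - 253}"
        flows.append((rng.randint(0, 9), src, rng.choice(countries), "203.0.113.10",
                      rng.randint(1500, 2500)))
    for i in range(5):  # ordinary traffic to a second host: few sources, low volume
        flows.append((rng.randint(0, 9), f"203.0.113.{50 + i}", "US", "203.0.113.20", 20))
    return flows

def detect_floods(flows, home_country="US", min_sources=100, min_pps=5000):
    """Flag destinations hit by many distinct sources at a high packet rate.

    Returns {dst_ip: summary} for flagged targets. The summary records how spread
    out the sources are (countries, share inside the target's own country), since
    that spread is what makes a botnet flood hard to attribute to its real origin.
    """
    per_dst = defaultdict(lambda: {"sources": set(), "countries": Counter(),
                                   "packets": 0, "t_min": None, "t_max": None})
    for t, src, country, dst, packets in flows:
        agg = per_dst[dst]
        if src not in agg["sources"]:          # count each zombie once
            agg["sources"].add(src)
            agg["countries"][country] += 1
        agg["packets"] += packets
        agg["t_min"] = t if agg["t_min"] is None else min(agg["t_min"], t)
        agg["t_max"] = t if agg["t_max"] is None else max(agg["t_max"], t)
    flagged = {}
    for dst, agg in per_dst.items():
        duration = agg["t_max"] - agg["t_min"] + 1  # whole seconds covered by the burst
        pps = agg["packets"] / duration
        n_src = len(agg["sources"])
        if n_src >= min_sources and pps >= min_pps:
            flagged[dst] = {
                "distinct_sources": n_src,
                "packets_per_second": round(pps),
                "domestic_share": agg["countries"][home_country] / n_src,
                "top_countries": agg["countries"].most_common(3),
            }
    return flagged

if __name__ == "__main__":
    for dst, summary in detect_floods(build_sample_flows()).items():
        print(dst, summary)
```

On real flow exports the same aggregation runs per window; the two thresholds are what an operator tunes against the host's normal fan-in.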
22. CASE STUDY (V): SCENARIO - TARGET
4. (TARGET) A full-scale DDoS attack meant as an act of war might target military and Gov’t servers, power grids, civilian email, banks & Telco’s. But in this more likely scenario, the targets are Web sites and email systems of Congress members and energy corporations that support higher trade barriers. These groups blame the Armada government, but can't prove it. Nevertheless, targets will be effectively shut down while they undergo security upgrades and damage assessment, inhibiting their ability to work on behalf of the legislation.
23. CASE STUDY (VI): DIFFERENT SCENARIOS
Three likely scenarios of what's going to happen because of all the Internet mischief in cyberspace:
• Scenario #1: Malicious activity in cyberspace becomes so pervasive that a crisis of confidence develops, and governments and corporations scramble to exert greater control, but eventually give up, resorting to behind-the-scenes work in "walled gardens," allowing the rest of the world to degrade and decay economically and socially with an egregiously offensive (and criminal) Internet.
24. CASE STUDY (VII): DIFFERENT SCENARIOS
• Scenario #2: A set of nation-states go to cyber war against one another, followed by dissenters and protesters who turn to disruptive attacks, and as the world becomes accustomed to nonkinetic modes of mass disruption, terrorists or insurgents jump on the bandwagon, launching a new form of long-term, cyber-guerrilla warfare.
• Scenario #3: Technological breakthroughs occur which allow the transmission of digital information via electromagnetic pulses or some other form of directed energy, and terrorists exploit this new technology to launch pinpoint, assassination-like strikes against specific targets like the national electricity grids.
25. COUNTER – CYBER TERRORISM
The two most important things for countering Cyber-Terrorism:
(1) Attribution - WHO IS BEHIND IT;
(2) Characterization - HOW DID THEY DO IT.
• The hackers, like terrorists, tend to work in asymmetric, non-hierarchical formations, which means that they do not have organizations like linear gangs and so forth, but instead rough and temporary alliances = NETWAR
26. NETWAR: information-related conflict at a grand level between nations or societies. It means trying to disrupt or damage what a target population knows or thinks it knows about itself and the world around it. A netwar may focus on public or elite opinion, or both. It may involve diplomacy, propaganda and psychological campaigns, political and cultural subversion, deception of or interference with local media, infiltration of computer networks and databases, and efforts to promote dissident or opposition movements across computer networks.
27. MEMBERSHIP ROLES OF HACKING / TERRORIST NETWORKS
Organizers -- core members who steer the group
Leadership -- charismatics who lead the group
Insulators -- members who protect the core
Bodyguards -- members who protect leaders
Communicators -- pass on directives
Seconds in command -- pass on orders
Guardians -- security enforcers
Intelligence -- intelligence and counter-intelligence agents
Extenders -- recruiters of new members
Financiers -- fund raisers & money launderers
Monitors -- advisors about group weaknesses
Logistics -- keepers of safe houses
Members -- those who do the hacking
Operations -- those who commit the terror
Crossovers -- people with regular jobs
Sleepers -- members living under deep cover
28. COUNTER – CYBER TERRORISM METHODS (I)
A national security response to a Cyber Attack would consist of one or both of the following elements:
• "TRACK-BACK" - where officials quickly trace an attacker through the Internet nodes transited by obtaining the transactional data from each node. Such action may require the cooperation of Internet Service Providers or a legal means of compelling subscriber information from such providers. If the computer intrusion is disrupting a real-time military deployment or combat operation, or presents an imminent and serious threat to public health and safety, or is producing extensive property damage or paralyzing financial institutions, there is a need for urgent action in the form of utilizing constitutional exemptions to search & seizure law, such as the "Exigent Circumstances" exemption or the "Hot Pursuit"
29. COUNTER - CYBER TERRORISM METHODS (II)
• "SHOOT-BACK" - once the computer equipment is located (meeting the disruption and/or threat requirements above), it may be possible to damage and destroy it by electronic means or traditional military means. Electronic means (such as discharging an electromagnetic pulse toward the equipment) would probably have to meet just war standards regarding proportionality and discrimination, ensuring no unintentional or collateral damage to nearby noncombatants. Traditional military means would involve a raid by special forces or a cruise missile through the window.
31. Power Grid Management
32. Power Systems Applications Overview
33. MARIUS – EUGEN OPRAN
MEMBER EESC - CCMI
MANY THANKS TO:
- Dr. CARL A. GUNTER, UNIVERSITY OF ILLINOIS
- Dr. CHARLES HOOKHAM, VP, HDR ENGINEERING