<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Information Warfare Monitor &#187; Germany</title>
	<atom:link href="http://www.infowar-monitor.net/tag/germany/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.infowar-monitor.net</link>
	<description>Tracking Cyberpower</description>
	<lastBuildDate>Thu, 01 Dec 2011 16:11:49 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Report: The Command Structure of the Aurora Botnet:  History, Patterns, and Findings</title>
		<link>http://www.infowar-monitor.net/2010/03/report-the-command-structure-of-the-aurora-botnet-history-patterns-and-findings/</link>
		<comments>http://www.infowar-monitor.net/2010/03/report-the-command-structure-of-the-aurora-botnet-history-patterns-and-findings/#comments</comments>
		<pubDate>Thu, 04 Mar 2010 04:24:45 +0000</pubDate>
		<dc:creator>gwalton</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[Botnets]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[Germany]]></category>
		<category><![CDATA[GhostNet]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[Hackers]]></category>
		<category><![CDATA[human rights]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Operation Aurora]]></category>
		<category><![CDATA[UK]]></category>
		<category><![CDATA[US]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5816</guid>
		<description><![CDATA[Source: <a href="http://www.damballa.com/research/aurora/">Damballa</a>: March 2, 2010

<blockquote>Overview

Following the public disclosures of electronic attacks launched against Google and several other businesses, subsequently referred to as “Operation Aurora”, Damballa conducted detailed analysis to confirm that existing customers were already protected and to ascertain the sophistication of the criminal operators behind the botnet. There has been much media attention and speculation as to the nature of the attacks. Multiple publications have covered individual aspects of the threat – in particular detailed analysis of forensically recovered malware and explanations of the Advanced Persistent Threat (APT).

By contrast, Damballa has been able to compile an extensive timeline of the attack dating back to mid-2009 that identifies unique aspects to the Aurora botnet that have been previously unknown. Based upon this new information and our experience in dealing with thousands of enterprise-targeted botnets, Damballa believes that the criminal operators behind the attack are relatively unsophisticated compared to other professional botnet operators. Even so, the results proved just as damaging as a sophisticated botnet since the threat was not quickly identified and neutralized.

Some key observations in this analysis report:</blockquote>]]></description>
			<content:encoded><![CDATA[<p>The major pattern of attacks previously identified as occurring in mid-December 2009 targeting Google appears to originate in July 2009 from mainland China.</p>
<p>Hosts compromised with Aurora botnet agents and rallied to the botnet Command-and-Control (CnC) channels were distributed across multiple countries before the public disclosure of Aurora, with the top five countries being the United States, China, Germany, Taiwan and the United Kingdom.</p>
<p>Damballa identified additional botnet CnC domains used by these criminal operators and established a timeline of malware associations back to May 2nd, 2009 by tracking the evolution of the malware used by Aurora’s operators.</p>
<p>This botnet has a simple command topology and makes extensive use of Dynamic DNS (DDNS) CnC techniques. The construction of the botnet would be classed as “old-school”, and is rarely used by professional botnet criminal operators any more. Reliance upon DDNS CnC is typically associated with new and amateur botnet operators.</p>
<p>The criminals behind the Google attack appear to have built and managed a number of separate botnets and run a series of targeted attack campaigns in parallel. This conclusion is based upon CnC domain registration and management information. The earliest of the CnC domains associated with these botnets, reliant upon DDNS service provisioning, appear to have been registered on July 13th 2009.</p>
<p>The botnet operators behind the Aurora attacks deployed other malware families prior to the key Trojan.Hydraq release. Some of these releases overlapped with each other. Two additional families of malware (and their evolutionary variants) were identified as “Fake AV Alert /Scareware – Login Software 2009” and “Fake Microsoft Antispyware Service,” both of which employed fake antivirus infection messages to socially engineer victims into installing malicious botnet agents.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/03/report-the-command-structure-of-the-aurora-botnet-history-patterns-and-findings/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Symantec warns of cold war in the cyber world</title>
		<link>http://www.infowar-monitor.net/2010/03/symantec-warns-of-cold-war-in-the-cyber-world/</link>
		<comments>http://www.infowar-monitor.net/2010/03/symantec-warns-of-cold-war-in-the-cyber-world/#comments</comments>
		<pubDate>Mon, 01 Mar 2010 19:53:16 +0000</pubDate>
		<dc:creator>gwalton</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[DDOS]]></category>
		<category><![CDATA[Estonia]]></category>
		<category><![CDATA[Germany]]></category>
		<category><![CDATA[India]]></category>
		<category><![CDATA[Italy]]></category>
		<category><![CDATA[Latvia]]></category>
		<category><![CDATA[Lithuania]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[NATO]]></category>
		<category><![CDATA[Spain]]></category>
		<category><![CDATA[Symantec]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5799</guid>
		<description><![CDATA[
Source: <a href="http://beta.thehindu.com/sci-tech/internet/article124493.ece">K. T. Jagannathan</a>, The Hindu


<blockquote>Enrique Salem, President and Chief Executive Officer of California-based Symantec Corporation, warns against a cold war of an unusual kind.

In an interaction with The Hindu here last week, Mr. Salem said cyber space was the battlefield for this war, and might prove a huge threat to virtually the whole world.

The spread of the Internet and the move towards virtualisation to reap operational efficiency has seen a rapid growth in cyber storage. From individuals to corporates and Governments – enterprises have increasingly begun storing their data in cyber space. However, data is far from safe here. According to Mr. Salem, there are definite signs that data on the cyber space was under attack from tech-savvy hackers. He asserted that cyber attacks have become increasingly frequent. “Indian companies also are attacked and targeted,” Mr. Salem pointed out.

The real challenge lay in finding out ways to protect the ‘crown jewel’. Considered critical infrastructure data, the ‘crown jewel’ usually would constitute about 10-15 per cent of total data. Discussing a range of issues on the subject, Mr. Salem said cyber attacks came from within and without. With China and India registering robust GDP growth rates, they were vulnerable to data threats from external hackers, he said. To a question, he said there was greater awareness in India on the possibilities of increased attacks on cyber storage.</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Driving innovation, putting in place reputation-based securities and moving towards next generation security technology were among the ways by which Symantec would strive to stay ahead of canny hackers and protect attacks on IP (intellectual property) and critical infrastructure data, he said.</p>
<p>In the short-run, the data protection initiatives would revolve around focussing on early warning and putting in place a remediation plan. Also, Symantec would focus on spreading education on best practices in this area, he said. In the medium term, he felt, there was need to design and structure new technologies that would have the ability to protect data and critical infrastructure from newer threats, he pointed out.</p>
<p>In this context, he underscored the need for a coordinated approach to tackle the ‘new cold war’ which could result in disproportionate damage to the world as a whole. Mr. Salem pointed out that Symantec had just signed a memorandum of understanding with the Co-operative Cyber Defence Centre of Excellence (CCDCOE), which was established in 2008 to beef up the cyber defence capability of NATO (North Atlantic Treaty Organisation). Under the MoU, Symantec had agreed to provide technology and manpower to research online threats.</p>
<p>“It is a research agreement,” he said. Essentially, Symantec would supply CCDCOE of NATO with technology to collect information about attacks. The CCDCOE, based in Tallinn, was established in 2008 following extensive, coordinated denial-of-service attacks against Estonian financial and Governmental organizations. It is an international effort sponsored by Estonia, Latvia, Lithuania, Germany, Italy, the Slovak Republic and Spain. Symantec would use a system of remotely-deployable collector nodes to gather cyber-attack data from specific, targeted geographic areas. The collector nodes would make use of Symantec&#8217;s existing global intelligence network (GIN), which consists of 240,000 software sensors and its customers&#8217; 120 million desktop, server and gateway antivirus installations. The GIN allows malicious software to be captured and transmitted back to Symantec security response centres for analysis. On the individual customer front, Symantec, he said, would strive to do its best to make the online back-up service cost-effective and foolproof.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/03/symantec-warns-of-cold-war-in-the-cyber-world/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cyberwar: The March of the Ghost Rats</title>
		<link>http://www.infowar-monitor.net/2010/02/cyberwar-der-marsch-der-geisterratten/</link>
		<comments>http://www.infowar-monitor.net/2010/02/cyberwar-der-marsch-der-geisterratten/#comments</comments>
		<pubDate>Thu, 18 Feb 2010 10:09:26 +0000</pubDate>
		<dc:creator>gwalton</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Botnets]]></category>
		<category><![CDATA[Canada]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Citizen Lab]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[Germany]]></category>
		<category><![CDATA[GhostNet]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[Hackers]]></category>
		<category><![CDATA[Law and Policy]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[US]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5651</guid>
		<description><![CDATA[Cyberwar: The March of the Ghost Rats

Source: <a href="http://www.zeit.de/digital/internet/2010-02/Nart-Villeneuve-cyberwar">Zeit</a>: <blockquote>The Canadian master hacker Nart Villeneuve hunts internet spies from distant countries: sometimes he comes across confused lone perpetrators, sometimes he uncovers entire cyber armies.

Modern network attacks use a tactic that is considerably older than the computer industry: they hide inside a foreign shell in order to penetrate hostile territory, as in a Trojan horse.

They are called "Trojan horses". Treacherous attackers, harmlessly packaged. The stratagem may be as old as the ancient Greeks, but the business with the wooden horse has evolved: a "Trojan horse" attacks on the screen. And today it is nothing more than a piece of computer code, a few lines in the programming languages C++ or Perl or ASM, hidden by shady characters in a harmless-looking file. In the picture of the little puppies, for example, that turns up unexpectedly in the e-mail inbox. In the cheerful letter to the "Dear lottery winner". Whoever opens it invites hostile armies onto their computer. Computers through which a Trojan horse has ridden can be remotely controlled by hackers all over the world, can be spied on, reprogrammed and misused for sinister crimes.

Welcome to the world of Nart Villeneuve. 35 years old. Canadian. A big, burly guy with whom you can talk for hours about Trojan horses. About unknown scouts out on the internet. About the intricate technical methods used to plant malicious programs in computers, network components and even keyboard chips. Nart Villeneuve is a master hacker. One who wants to fight on the good side. He is trying to find out why, over the past few years, a veritable large-scale war has broken out between the world powers, a global cyber battle over secrets between hackers from Russia and Brazil, Taiwan and Israel, Iran and Great Britain – and above all between the USA and China, it seems. Why, most recently, defence contractors and government agencies, banks, oil companies and eBay were hit in such quick succession – and lastly Google too, which openly admitted in January that hackers had been at large in its networks. "I am very interested in what the Chinese are up to," says Nart Villeneuve. "I want to find out: who exactly is being attacked? What kind of data is being stolen? Only when you can answer these questions can you also draw conclusions about who is ultimately behind the attacks."

Frankly: when you visit him and do not yet really know him, it is hard to take the Canadian seriously. His preferred workroom is a basement room at the University of Toronto, where he sits at the end of a corridor with a beige carpet. Inside there are eight screens, a row of untidy computer workstations and a garishly coloured leather sofa with a silver-coloured footrest. A sofa like that would also do good service at a big-city hairdresser's. Someone has laid a sock on the right armrest. Presumably so that its owner can pick it up again at some point.

But one would be mistaken. From this basement, Nart Villeneuve has solved a series of global cyber-espionage cases. He has set up computers that he let be infected, as a decoy, by the viruses, Trojan horses and worms of his adversaries. From here he has already struck back, cracking the spies' computers in turn, and not infrequently Nart Villeneuve has been successful in doing so.

Here in this basement, Nart Villeneuve discovered GhostNet in 2008: the Dalai Lama had asked a group of security experts associated with the University of Toronto for help, and Nart Villeneuve was one of them. The computers of the Tibetan government-in-exile had been infected with a Trojan horse called gh0st Rat. The ghost rat. A powerful piece of malware of Chinese origin that allows hackers to control infected computers completely by remote, to switch on built-in web cameras and telephones, to read and remove files. While the Canadians were still examining the network, they noticed that someone really was at work from afar: a document containing thousands of e-mail addresses was being moved to a distant location on the internet right before their eyes. In general, gh0st Rat had landed on these computers in an extraordinarily crafty way. An analysis of the remaining data traces showed that a whole wave of the most varied malware had been hidden in targeted letters to the Tibetan government. Attachments to letters in Microsoft Word format or in Adobe Acrobat files, apparently. And the virus protection? Only 11 of the 34 virus scanners that the security experts deployed as a test found anything suspicious at all.</blockquote>]]></description>
			<content:encoded><![CDATA[<p>When the master hacker Villeneuve finally succeeded in taking control of a number of control servers himself – that is, of the machines that were apparently meant to monitor the Tibetan computers, and that were housed on the Chinese island of Hainan. &#8220;They hadn&#8217;t secured it properly,&#8221; he says, pleased. Villeneuve realised at the time that the Dalai Lama was only a side issue. GhostNet was much bigger: at least 1295 infected and remotely controllable computers in 103 countries. Foreign ministries, embassies, associations, and many targets with economically very relevant data at banks, news agencies, trading companies. Chinese are spying on the world&#8217;s secrets! ran the headlines at the time.</p>
<p>But who was really behind it? The Chinese intelligence service? Some military? Private hackers? Just pranksters after all? Or even foreign hackers who had infiltrated these Chinese computers? &#8220;We were never able to prove completely beyond doubt who exactly was behind these attacks,&#8221; says Villeneuve. In any case, he has already seen a lot – and has often found that first appearances are deceptive in such investigations. Villeneuve sometimes works on behalf of the University of Toronto, where he is employed as a researcher; sometimes as chief technician of a small company that cracks censorship blocks on the internet; and sometimes as the technical expert behind high-profile reports by organisations called &#8220;Internet Warfare Monitor&#8221; or &#8220;Open Net Initiative&#8221;.</p>
<p>Only recently he again thought he was fighting a gigantic cyber army – and then the reality turned out to be more sobering. That was when he wanted to find out who had defaced the website Mizzima News with slogans. This service of Burma&#8217;s civil rights movement suddenly carried lines such as &#8220;We Born for Hack Those Fucking Media Website, Which Are Ever Talk About Only Worse News For Our Country.&#8221; Was the notorious Burmese military behind it? Were intelligence services in action?</p>
<p>The perpetrators had an easy time of it: there was a security hole in the server software of this website through which a Trojan horse called c99shell could be smuggled in, and that at least was easy to find out. But the perpetrators? &#8220;The attacks seemingly came from many different countries, including Germany,&#8221; says Villeneuve. That was certainly not because the perpetrators were really located in so many different countries. Had they remotely hijacked computers at all these locations?</p>
<p>No – ironically, the perpetrators had misused for their attacks a service that many civil rights activists also use to conceal their true identity on the internet. An online service that makes visits to the web look, to a state snoop, as if a web surfer were sitting in eastern Germany one second, in Mumbai the next and then in Ukraine a few seconds later. The hackers had used this service for their own purposes.</p>
<p>But after a months-long hunt – which included patient research on web servers with names like overkill.myanmar.org, investigations of comparable attacks from previous years and even a reconnaissance trip to Burma and hours of conversations in remote chat rooms on the internet – Villeneuve finally knew enough. Enough, at least, to be able to confront an attacker, in a chat room on the internet. A man in Burma who had once studied in Russia, and who had at most worked together with a handful of fellow hackers. A loner who lived out his nationalist leanings by defacing websites. &#8220;He never quite finally admitted it, though,&#8221; says Villeneuve, shrugging regretfully. &#8220;But he said enough. I understood him.&#8221;</p>
<p>The door opens, and Ron Deibert enters the hackers&#8217; basement room. Professor Ron Deibert, the man who began many years ago to build up an institute here for monitoring internet censors, data warriors and hackers all over the world. It is the only institute of its kind in the whole world; and Deibert has become a leading authority in the field of internet censorship and internet wars. He has given talks at Google and warned them about intruders even before the attacks on the company became public. He helped advise Hillary Clinton before she gave a rousing speech on security in cyberspace a few weeks ago, which many understood as a declaration of war on China. He has founded companies that help their customers deal properly with the new dangers on the net.</p>
<p>Deibert looks tired. He has given many interviews in recent weeks, delivered many talks. &#8220;There was a time when we had a romantic notion of the internet,&#8221; he says. &#8220;A playground for non-governmental organisations! A paradise for hippies!&#8221; But from the beginning, Deibert believes, dark forces were also at work. Censors. Spies. But never as many as today.</p>
<p>&#8220;The phase that has now begun is very dangerous,&#8221; Deibert believes. &#8220;A huge ecosystem of computers and mobile devices has emerged – and the development of weapons against this system is advancing rapidly. This is an arms race. Frankly, we are a long way from having seen the worst things. We need a kind of arms control in cyberspace.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/02/cyberwar-der-marsch-der-geisterratten/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cyber-warfare &#8216;is growing threat&#8217;</title>
		<link>http://www.infowar-monitor.net/2010/02/cyber-warfare-is-growing-threat/</link>
		<comments>http://www.infowar-monitor.net/2010/02/cyber-warfare-is-growing-threat/#comments</comments>
		<pubDate>Wed, 03 Feb 2010 18:41:49 +0000</pubDate>
		<dc:creator>gwalton</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Al Qaeda]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Germany]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[MI5]]></category>
		<category><![CDATA[South Korea]]></category>
		<category><![CDATA[UK]]></category>
		<category><![CDATA[US]]></category>
		<category><![CDATA[USCYBERCOM]]></category>
		<category><![CDATA[Vulnerabilities]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5505</guid>
		<description><![CDATA[Source: <a href="http://www.guardian.co.uk/technology/2010/feb/03/cyber-warfare-growing-threat">Simon Tisdall, The Guardian</a>:

<blockquote>
<a href="http://www.iiss.org/publications/military-balance/">International Institute for Strategic Studies</a> says cyber attacks could become weapon of choice in future conflicts

  Cyber-warfare attacks, such as the targeting of activists' emails in China recently, are a growing threat, according to security experts. 

Cyber-warfare attacks on military infrastructure, government and communications systems, and financial markets pose a rapidly growing but little understood threat to international security and could become a decisive weapon of choice in future conflicts between states, the London-based International Institute for Strategic Studies warned yesterday.

IISS director-general John Chipman said: "Despite evidence of cyber attacks in recent political conflicts, there is little appreciation internationally of how to assess cyber-conflict. We are now, in relation to the problem of cyber-warfare, at the same stage of intellectual development as we were in the 1950s in relation to possible nuclear war."</blockquote>]]></description>
			<content:encoded><![CDATA[<p>The warning accompanied yesterday&#8217;s publication of the Military Balance 2010, the IISS&#8217;s annual assessment of global military capabilities and defence economics. The study also highlighted a series of other security threats, including the war in Afghanistan, China&#8217;s military diversification, the progress of Iran&#8217;s suspect nuclear programme, and the impact of terrorist groups in Iraq and elsewhere.</p>
<p>Future state-on-state conflict, as well as conflicts involving non-state actors such as al-Qaida, would increasingly be characterised by reliance on asymmetric warfare techniques, chiefly cyber-warfare, Chipman said. Hostile governments could hide behind rapidly advancing technology to launch attacks undetected. And unlike conventional and nuclear arms, there were no agreed international controls on the use of cyber weapons.</p>
<p>&#8220;Cyber-warfare [may be used] to disable a country&#8217;s infrastructure, meddle with the integrity of another country&#8217;s internal military data, try to confuse its financial transactions or to accomplish any number of other possibly crippling aims,&#8221; he said. Yet governments and national defence establishments at present have only limited ability to tell when they were under attack, by whom, and how they might respond.</p>
<p>Cyber-warfare typically involves the use of illegal exploitation methods on the internet, corruption or disruption of computer networks and software, hacking, computer forensics, and espionage. Reports of cyber-warfare attacks, government-sponsored or otherwise, are rising. Last month Google launched an investigation into cyber attacks allegedly originating in China that it said had targeted the email accounts of human rights activists.</p>
<p>In December the South Korean government reported an attack in which it said North Korean hackers may have stolen secret defence plans outlining the South Korean and US strategy in the event of war on the Korean peninsula. Last July, espionage protection agents in Germany said the country faced &#8220;extremely sophisticated&#8221; Chinese and Russian internet spying operations targeting industrial secrets and critical infrastructure such as Germany&#8217;s power grid.</p>
<p>One of the most notorious cyber-warfare offensives to date took place in Estonia in 2007 when more than 1 million computers were used to jam government, business and media websites. The attacks, widely believed to have originated in Russia, coincided with a period of heightened bilateral political tension. They inflicted damage estimated in the tens of millions of euros.</p>
<p>China last week accused the Obama administration of waging &#8220;online warfare&#8221; against Iran by recruiting a &#8220;hacker brigade&#8221; and manipulating social media such as Twitter and YouTube to stir up anti-government agitation.</p>
<p>The US Defence Department&#8217;s Quadrennial Defence Review, published this week, also highlighted the rising threat posed by cyber-warfare on space-based surveillance and communications systems. &#8220;On any given day, there are as many as 7 million DoD (Department of Defence) computers and telecommunications tools in use in 88 countries using thousands of war-fighting and support applications. The number of potential vulnerabilities, therefore, is staggering,&#8221; the review said.</p>
<p>&#8220;Moreover, the speed of cyber attacks and the anonymity of cyberspace greatly favour the offence. This advantage is growing as hacker tools become cheaper and easier to employ by adversaries whose skills are growing in sophistication.&#8221;</p>
<p>Defensive measures have already begun. Last June the Pentagon created US Cyber Command and Britain announced it was opening a cyber-security operations centre attached to GCHQ at Cheltenham, in coordination with MI5 and MI6.</p>
<p>William Lynn, US deputy defence secretary, described the cyber challenge as unprecedented. &#8220;Once the province of nations, the ability to destroy via cyber now also rests in the hands of small groups and individuals: from terrorist groups to organised crime, hackers to industrial spies to foreign intelligence services … This is not some future threat. The cyber threat is here today, it is here now,&#8221; Lynn said.</p>
<p>• The IISS 2010 Military Balance, published yesterday, said the insurgency in Afghanistan is complex and Pakistan&#8217;s full cooperation remains elusive.</p>
<p>• Al-Qaida retains the capability to launch regular attacks in Baghdad.</p>
<p>• The report said technical difficulties frustrate Iran&#8217;s nuclear ambitions but all the same Iran&#8217;s stockpile of enriched uranium continues to grow.</p>
<p>• The IISS looked forward to increased defence co-operation between France and Britain, saying both countries needed to &#8220;spend smarter&#8221; because they cannot afford to &#8220;spend more&#8221;.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/02/cyber-warfare-is-growing-threat/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Brahma Chellaney: China&#8217;s Cyber-Warriors</title>
		<link>http://www.infowar-monitor.net/2010/02/brahma-chellaney-chinas-cyber-warriors-2/</link>
		<comments>http://www.infowar-monitor.net/2010/02/brahma-chellaney-chinas-cyber-warriors-2/#comments</comments>
		<pubDate>Tue, 02 Feb 2010 20:50:10 +0000</pubDate>
		<dc:creator>gwalton</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Dalai Lama]]></category>
		<category><![CDATA[Germany]]></category>
		<category><![CDATA[GhostNet]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[India]]></category>
		<category><![CDATA[UK]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5496</guid>
		<description><![CDATA[Source: <a href="http://www.project-syndicate.org/commentary/chellaney6">Brahma Chellaney, Project Syndicate, 2010</a>:

<blockquote>NEW DELHI - The world now accepts that protecting our atmosphere, hydrosphere, lithosphere, and biosphere - the "global commons" - is the responsibility of all countries. The same norm must apply to cyberspace, which is critical to our everyday life, economic well-being, and security.

At a time when cyber attacks are increasing worldwide, US Secretary of State Hillary Clinton was right to declare that an attack on one nation's computer networks "can be an attack on all." Indeed, the attacks are a reminder that, as a new part of the global commons, cyberspace already has come under threat.


Cyberspace must be treated, along with outer space, international waters, and international airspace, as property held in common for the good of all. And, like ocean piracy and airplane hijacking, cyber-crime cannot be allowed to go unpunished if we are to safeguard our common assets and collective interests.</blockquote>

Brahma Chellaney, a former member of India's National Security Council, is Professor of Strategic Studies at the Center for Policy Research in New Delhi.]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://www.project-syndicate.org/commentary/chellaney6">Brahma Chellaney, Project Syndicate, 2010</a>:</p>
<blockquote><p>NEW DELHI &#8211; The world now accepts that protecting our atmosphere, hydrosphere, lithosphere, and biosphere &#8211; the &#8220;global commons&#8221; &#8211; is the responsibility of all countries. The same norm must apply to cyberspace, which is critical to our everyday life, economic well-being, and security.</p>
<p>At a time when cyber attacks are increasing worldwide, US Secretary of State Hillary Clinton was right to declare that an attack on one nation&#8217;s computer networks &#8220;can be an attack on all.&#8221; Indeed, the attacks are a reminder that, as a new part of the global commons, cyberspace already has come under threat.</p>
<p>Cyberspace must be treated, along with outer space, international waters, and international airspace, as property held in common for the good of all. And, like ocean piracy and airplane hijacking, cyber-crime cannot be allowed to go unpunished if we are to safeguard our common assets and collective interests.</p></blockquote>
<p>Naming China among a handful of countries that have stepped up Internet censorship, Clinton warned that &#8220;a new information curtain is descending across much of the world.&#8221; Her statement, with its allusion to the Cold War-era Iron Curtain, amounted to an implicit admission that the central assumption guiding US policy on China since the 1990&#8217;s &#8211; that assisting China&#8217;s economic rise would usher in greater political openness there &#8211; has gone awry.</p>
<p>The strategy of using market forces and the Internet to open up a closed political system simply is not working. Indeed, the more economic power China has accumulated, the more adept it has become in extending censorship to cyberspace.</p>
<p>If anything, China has proven that a country can blend control, coercion, and patronage to stymie the Internet&#8217;s politically liberalizing elements. Through discreet but tough controls, Beijing pursues a policy of wai song, nei jin &#8211; relaxed on the outside, vigilant internally.<br />
Google is now crying foul over &#8220;a highly sophisticated and targeted attack on our corporate infrastructure originating from China.&#8221; But, despite its corporate motto &#8211; &#8220;Don&#8217;t be evil&#8221; &#8211; Google itself was instrumental in aiding online censorship in China, having custom-built a search engine that purges all references and Web sites that the Chinese government considers inappropriate. Now Google itself has become a victim of China&#8217;s growing cyber prowess, in the same way that appeasement of Hitler boomeranged onto France and Britain.</p>
<p>China deploys tens of thousands of &#8220;cyber police&#8221; to block Web sites, patrol cyber-cafes, monitor the use of cellular telephones, and track down Internet activists. But the threat to the new global commons comes not from what China does domestically. Rather, it comes from the way in which the know-how that China has gained in fashioning domestic cyber oversight is proving invaluable to it in its efforts to engage in cyber intrusion across its frontiers.</p>
<p>Canadian researchers have discovered a vast Chinese surveillance system called &#8220;GhostNet,&#8221; which can compromise computers in organizations abroad through booby-trapped e-mail messages that automatically scan and transfer documents to a digital storage facility in China. This is what happened when computers of the Tibetan government-in-exile in Dharamsala, India, were attacked last year.</p>
<p>India&#8217;s national security adviser recently complained that his office was targeted yet again by hackers. &#8220;People seem to be fairly sure it was the Chinese,&#8221; he said. Officials in Germany, Britain, and the US have acknowledged that hackers believed to be from China also have broken into their government and military networks.</p>
<p>The state-sponsored transnational cyber threat is at two levels. The first is national, with the hackers largely interested in two objectives. One is to steal secrets and gain an asymmetrical advantage over another country. Cyber intrusion in peacetime allows the prowler to read the content and understand the relative importance of different computer networks so that it knows what to disable in a conflict situation. The other objective is commercial: to pilfer intellectual property.</p>
<p>The second level of cyber threat is against chosen individuals. The most common type of intrusion is an attempt to hack into e-mail accounts. The targets also can face Trojan-horse attacks by e-mail intended to breach their computers and allow the infiltrators to corrupt or transfer files remotely.</p>
<p>To be sure, if a cyber attack is camouflaged, it is not easy to identify the country from which it originated. Through the use of so-called &#8220;false-flag espionage&#8221; and other methods, attacks can be routed through the computers of a third country. Just as some Chinese pharmaceutical firms exported to Africa spurious medicines with &#8220;Made in India&#8221; labels &#8211; a fact admitted by the Chinese government &#8211; some Chinese hackers are known to have routed their cyber intrusion through computers in Russia, Iran, Cuba, and other countries.</p>
<p>But, like their comrades in the pharmaceutical industry, such hackers tend to leave telltale signs. Then there are many cases in which the attacks have originated directly from China.<br />
It seems unlikely that these hackers, especially those engaged in cyber espionage, pilferage, and intimidation, are private individuals with no links to the Chinese government. It is more likely that they are tied to the People&#8217;s Liberation Army. In war, this irregular contingent of hackers would become the vanguard behind which the PLA takes on the enemy. Systematic cyber attacks constitute a new frontier of asymmetrical warfare at a time when the world already confronts other unconventional threats, including transnational terrorism.</p>
<p>With national security and prosperity now dependent on the safekeeping of cyberspace, cybercrime must be effectively countered as an international priority. If not, cyberspace will become the new global-commons battlefield.</p>
<p>Brahma Chellaney, a former member of India&#8217;s National Security Council, is Professor of Strategic Studies at the Center for Policy Research in New Delhi.</p>
<p>Copyright: Project Syndicate, 2010.<br />
www.project-syndicate.org</p>
<p>For a podcast of this commentary in English, please use this link: http://media.blubrry.com/ps/media.libsyn.com/media/ps/chellaney6.mp3</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/02/brahma-chellaney-chinas-cyber-warriors-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
<enclosure url="http://media.blubrry.com/ps/media.libsyn.com/media/ps/chellaney6.mp3" length="6324185" type="audio/mpeg" />
		</item>
		<item>
		<title>Cyberwarfare: The Issue China Won&#8217;t Touch</title>
		<link>http://www.infowar-monitor.net/2009/11/cyberwarfare-the-issue-china-wont-touch/</link>
		<comments>http://www.infowar-monitor.net/2009/11/cyberwarfare-the-issue-china-wont-touch/#comments</comments>
		<pubDate>Sat, 21 Nov 2009 00:55:25 +0000</pubDate>
		<dc:creator>gwalton</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Belgium]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[Germany]]></category>
		<category><![CDATA[Hackers]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[New Zealand]]></category>
		<category><![CDATA[Tibet]]></category>
		<category><![CDATA[US]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5354</guid>
		<description><![CDATA[Source: <a href="http://www.time.com/time/world/article/0,8599,1940009,00.html">Simon Elegant / Beijing, TIME Magazine</a>

<blockquote>U.S. President Barack Obama's trip to China has a dirty little secret: cyberwarfare. It is an issue Beijing refuses to acknowledge exists, but it has the potential to torpedo military relations between the two nations. Almost every other conceivable area of disagreement between China and the U.S. will have been raised during Obama's visit by one side or the other — even such highly sensitive issues as human rights and the unrest in Tibet and Xinjiang province. But even if U.S. officials try to raise the issue of what they believe is a constant and growing campaign by China to infiltrate U.S. networks, steal secrets and hone Beijing's ability to wreak havoc in case of military conflict, the likelihood is that Chinese officials will simply deny that the problem exists, as they have done with great success in the past. From the American point of view, there's unfortunately currently little Washington can do to change that state of affairs.

"At a fundamental level, the Chinese view cyberwar as an overt tool of national power in a very different way from the United States," says James Mulvenon, a Washington-based specialist on the Chinese military. "The U.S. is still uncomfortable exercising that power, but the Chinese — and the Russians — are very comfortable with the deniability and using proxies, even though the actions of those proxies could have enormous strategic consequences." </blockquote>]]></description>
			<content:encoded><![CDATA[<p>Mulvenon and other analysts say China employs a constantly shifting mix of official and civilian or semicivilian groups (such as so-called patriotic hacker associations) as the foot soldiers — the &#8220;proxies&#8221; — in its cyberwar armies. The technological challenges of tracing attacks on U.S. government and private-corporation computers are so enormous that Beijing can simply deny that any of the problems have originated in China. So far, the Chinese have been able to get away with it, despite the fact that not just the U.S. is complaining. In the past few years, sources ranging from the German Chancellor&#8217;s office to government mainframes as far afield as New Zealand and Belgium have made loud public allegations that they had been the subject of cyberinfiltration from China, all to no avail.</p>
<p>&#8220;The scope and scale of the attacks has not abated despite the international opprobrium and outcry,&#8221; Mulvenon says. &#8220;It&#8217;s a serious problem that at the moment we don&#8217;t have a solution to, because our inability to attribute the source of the attack fundamentally undermines our efforts at deterrence. If you can&#8217;t identify the attacker, you can&#8217;t deter them.&#8221;</p>
<p>That&#8217;s a troubling situation for China&#8217;s potential adversaries to find themselves in, particularly as, unlike in conventional military training, what China&#8217;s hackers are doing is the real thing, not make-believe. &#8220;The skill sets needed to penetrate a network for intelligence-gathering purposes in peacetime are the same skills necessary to penetrate that network for offensive action during wartime,&#8221; notes a recent congressional report on China&#8217;s alleged clandestine cyberattacks in the U.S. According to the report, released in October by the congressionally mandated U.S.-China Economic and Security Review Commission, that means that &#8220;if Chinese operators are, indeed, responsible for even some of the current exploitation efforts targeting U.S. government and commercial networks, then they may have already demonstrated that they possess a mature and operationally proficient CNO [computer network operations, or cyberwarfare] capability.&#8221;</p>
<p>But even if Obama had raised this tricky issue with his Chinese counterpart, it is unlikely that his efforts would have brought about any change. As the congressional report notes, the heavy emphasis on cyberwarfare is a key component in the Chinese military&#8217;s strategic vision for defeating the technologically superior U.S. in any future conflict. That means conducting so-called asymmetrical warfare, aimed at using the U.S.&#8217;s dependence on technology as a weapon: for example, targeting America&#8217;s network of space satellites or developing missiles that could sink U.S. aircraft carriers. For China&#8217;s generals, though, of all the asymmetrical methods of attack available to them, cyberwar presents a uniquely effective — and cost-effective — means of neutralizing the U.S. advantage. &#8220;They recognized the importance as far back as the early &#8217;90s,&#8221; says Mulvenon, &#8220;and they now have a major advantage, a weapon like no other that allows them to reach out and touch right into the continental United States.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2009/11/cyberwarfare-the-issue-china-wont-touch/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>BBC: Age of cyber warfare is &#8216;dawning&#8217;</title>
		<link>http://www.infowar-monitor.net/2009/11/bbc-age-of-cyber-warfare-is-dawning/</link>
		<comments>http://www.infowar-monitor.net/2009/11/bbc-age-of-cyber-warfare-is-dawning/#comments</comments>
		<pubDate>Wed, 18 Nov 2009 00:42:32 +0000</pubDate>
		<dc:creator>gwalton</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[France]]></category>
		<category><![CDATA[Germany]]></category>
		<category><![CDATA[Iraq]]></category>
		<category><![CDATA[McAfee]]></category>
		<category><![CDATA[North Korea]]></category>
		<category><![CDATA[UK]]></category>
		<category><![CDATA[US]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5342</guid>
		<description><![CDATA[Source: <a href="http://news.bbc.co.uk/2/hi/technology/8363175.stm">BBC</a>

<blockquote>Cyber war has moved from fiction to fact, says a report.

Compiled by security firm McAfee, it bases its conclusion on analysis of recent net-based attacks.

Analysis of the motives of the actors behind many attacks carried out via the internet showed that many were mounted with an explicitly political aim.

It said that many nations were now arming to defend themselves in a cyber war and readying forces to conduct their own attacks.

While definitions of what constitutes cyber war are not shared, it was clear that many nations were preparing for a future in which conflict was partly conducted via the net.

"There are at least five countries known to be arming themselves for this kind of conflict," said Greg Day, primary analyst for security at McAfee Europe.</blockquote>]]></description>
			<content:encoded><![CDATA[<p>The UK, Germany, France, China and North Korea are known to be developing their own capabilities.</p>
<p>The US is known to have an operating manual governing the rules and procedures of how it can use cyber warfare tactics. It is known to have used hack attacks alongside ground operations during the Iraq war and has continued to use this cyber capability while policing the nation.</p>
<p>Mr Day said there was evidence of a growing number of attacks that could be classed as &#8220;reconnaissance&#8221; in advance of a future conflict. The ease with which the tools of such attacks can be gathered and used was worrying, said Mr Day.</p>
<p>&#8220;To go to physical war requires billions of dollars,&#8221; he said. &#8220;To go to cyber war most people can easily find the resources that could be used in these kind of attacks.&#8221;</p>
<p>The targets of such future conflicts were likely to be a nation&#8217;s infrastructure, said Mr Day, because networks of all kinds were now so embedded in people&#8217;s lives.</p>
<p>In response, he said, many nations now have an agency overseeing critical national infrastructure and ensuring that it is adequately hardened against net-borne attacks.</p>
<p>Chris Wysopal, chief technology officer at Veracode which advises many governments on security, said cyber war presented its own problems when it came to deciding motive and finding the perpetrators.</p>
<p>&#8220;In physical warfare it&#8217;s pretty clear who has which weapon and how they are using them,&#8221; he said. &#8220;In the networked world that attribution is incredibly difficult.&#8221;</p>
<p>The same is true for cyber crime, he said, where following a trail of money can lead investigators back to a band of thieves.</p>
<p>&#8220;If it is someone stealing information or planting logic bombs, it&#8217;s far more difficult to find them,&#8221; he said.</p>
<p>Mr Wysopal said many governments had woken up to the threat and were starting to put in place systems and agencies that could help protect them.</p>
<p>However, he said, they still had some weaknesses.</p>
<p>&#8220;The thing about governments doing this is that they have a time horizon of many years,&#8221; he said. &#8220;But the criminals are doing it in a matter of months.&#8221;</p>
<p>Story from BBC NEWS:</p>
<p>http://news.bbc.co.uk/go/pr/fr/-/2/hi/technology/8363175.stm</p>
<p>Published: 2009/11/17 08:18:24 GMT</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2009/11/bbc-age-of-cyber-warfare-is-dawning/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>European Energy Infrastructure Protection: Addressing the Cyber-warfare Threat</title>
		<link>http://www.infowar-monitor.net/2009/10/european-energy-infrastructure-protection-addressing-the-cyber-warfare-threat/</link>
		<comments>http://www.infowar-monitor.net/2009/10/european-energy-infrastructure-protection-addressing-the-cyber-warfare-threat/#comments</comments>
		<pubDate>Wed, 28 Oct 2009 11:42:28 +0000</pubDate>
		<dc:creator>gwalton</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Botnets]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Estonia]]></category>
		<category><![CDATA[Europe]]></category>
		<category><![CDATA[Georgia]]></category>
		<category><![CDATA[Germany]]></category>
		<category><![CDATA[Lithuania]]></category>
		<category><![CDATA[Russia]]></category>
		<category><![CDATA[South Korea]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5259</guid>
		<description><![CDATA[Source: Tuesday, 27 October 2009 00:00 Frank Umbach and Uwe Nerlich are Senior Associates for International Energy Security, Centre for European Security Strategies (CESS), Munich-Berlin. Published in <a href="http://www.ensec.org/index.php?option=com_content&#038;view=article&#038;id=219:european-energy-infrastructure-protectionaddressing-the-cyber-warfare-threat&#038;catid=100:issuecontent&#038;Itemid=352">IAGS Journal of Energy Security</a>:


<blockquote>In both Western governments and industries, security concerns about increasing cyber warfare attacks by individuals, crime organizations and governments regarding espionage or malicious software programs that damage and disrupt processes of critical infrastructure assets and processes have grown considerably in the last several years. These cyber attacks have risen to an unprecedented level of sophistication. As a result, the vulnerabilities of digital systems and networks have grown exponentially. However, public awareness has not kept up with these new threats, and vulnerabilities in cyberspace, which have the potential to affect all sectors of private and public life, national and international businesses, and even the defense policies of states, multinational organizations like the EU, and collective security organizations like NATO.</blockquote>]]></description>
			<content:encoded><![CDATA[<p>In the age-old struggle between attacker and defender, the attacker more than ever appears to have the advantage by being better armed and freely choosing the intensity of the attack, as well as the target. Attackers are no longer constrained by geographical distance and frontiers. In particular, the emergence of botnets – a dormant virus, unnoticed by Internet users, which the attacker can activate at any time (trojans) and at any place in the world &#8211; allows criminal or terrorist attackers to launch massive hostile operations for data espionage, falsifying, destroying or altering confidential data with extraordinarily harmful effects in industry infrastructures as well as critical national infrastructures. The newest botnet threat, Conficker, for instance, is estimated to have infected 1.5 million computers. Without yet having any counter-strategy, the new worm might be able to function autonomously by recruiting and commanding five million computers in 122 countries for coordinated simultaneous attacks on an economic system, critical national infrastructures, and national defense networks of a country – all of them interdependent of one another. Almost all industries and companies and even defense ministries are increasingly dependent on the use of the open Internet and other nets, in addition to protected intranets, which are themselves not immune to cyber-attack.</p>
<p>By blurring the borders between cyber crime, cyber terrorism, and private or state-sponsored cyber war as a new form of “asymmetric warfare” in the 21st century, the threat of a “digital Pearl Harbor” has become real. Even hostile governments can hide behind “unholy alliances” with crime syndicates, terrorists or nationalist movements and individuals without risking detection and identification. Massive denial-of-service attacks by viruses, worms and other forms of malware on servers of government ministries, newspapers, banks, and other corporations as well as on private web sites and on a country’s cell phones have already occurred. Examples of such attacks have been recorded in Estonia in May 2007, Lithuania in June-July 2008, Georgia in August 2008 and in South Korea last July in an attack of 12,000 computers in that country and 8,000 in other countries.</p>
<p>With regard to critical energy infrastructure, the EU has recognized two major challenges that it needs to confront:</p>
<p>• The spread of information and communication technologies (ICT) highlights numerous new security implications for our dependencies on them in all areas of our daily life. Market liberalization and privatization of state-owned infrastructure operators, as well as new regulations, have made private industry and government agencies increasingly dependent on external providers of goods and services, including commercial off-the-shelf (COTS)-products. At the same time, almost every single service depends directly or indirectly on the secure supply of electricity. The physical, virtual or logic networks have grown in size and complexity. As the result of those growing interdependencies between various critical infrastructures (see Figure 1), those dependencies and impacts of supply shortages and disruptions are often not apparent until a crisis occurs and connection breaks down. Even smaller outages, failures and disruptions can have dramatic consequences in ever more complex systems (“the vulnerability paradox”), something which has not been anticipated.</p>
<p>Figure 1. Source: Federal Ministry of the Interior (BMI), Protecting Critical Infrastructures – Risk and Crisis Management, Berlin, January 2008</p>
<p>• Previously energy supply systems were decentralized with a power plant for each region and a local distribution network which connected the producer with the consumers. If the power plant failed, the whole region was without energy. When regional networks were interconnected by transmission networks, security of supply was enhanced by the possibility to exchange energy between these networks. It also saved financial resources, particularly on the side of producers. Today these regional networks have been expanded across national boundaries, connecting individual EU member states with the perspective of creating a common, liberalized energy market in the entire EU. Whereas this is true for both electricity and gas supplies, the European pipeline-based gas supply system, perceived as the &#8220;Achilles heel&#8221; of the European energy supply security, covers a much wider geographical area by long distance gas pipelines. They start in external producer states (such as Russia or in difficult environments such as in the North Sea, in the Maghreb and in the future also in the Arctic region, in the Caspian Basin, in the Persian Gulf/Middle East and in Central Africa) and transport natural gas across state borders via other transit states to the final consumer countries and their distribution grids, often distances of more than 1,000 km.</p>
<p>By increasing and diversifying its gas supplies from outside Europe, European gas supply security will be enhanced, but at the same time numerous vulnerabilities will increase by expanding network interconnections. This increased vulnerability is true not just in terms of gas networks (pipeline and LNG-based – see Figure 2), but also in regards to the interconnectedness of ICT to the networks of other critical infrastructure systems.</p>
<p>Figure 2. Source: Octavio-Project</p>
<p>The Natural Gas Supply Chain, the Functionalities of Gas Control Centers and its Vulnerabilities<br />
The European gas supply system is overwhelmingly based on pipelines and supported by compressor stations and storage sites. The operational processes of the natural gas supply chain as well as its security and control are highly dependent on the ICT infrastructure. In contrast to the EU’s oil supply security (based on flexible shipping imports), a much more inflexible pipeline gas supply system creates many more dependencies, risks and vulnerabilities – particularly obvious during crisis situations as Europe experienced with the Russian-Ukrainian gas conflicts in 2006 and 2009 when gas flow was cut.</p>
<p>Natural gas systems involve a series of processes and components at different physical facilities. Once the gas has been explored and exploited at a gas field, in mixtures with other hydrocarbons, a pipeline gathering system directs the flow of gas to a processing plant where it is purified. From these plants it can be transported directly to the mainline transmission grid and through its often long-distance “trunk lines” (with a pressure typically up to 100-120 bars), and finally distributed by smaller pipelines to final customers (see Figures 3 and 4). Unlike the electricity system, natural gas can be stored for an indefinite period of time using storage facilities in order to meet balanced demand requirements during different seasons and to insure against unforeseen supply disruptions such as accidents, natural disasters or disruptions which are politically motivated. The main components of the complex transmission grid include pipelines, compressor stations, storage sites, metering stations and city gate stations.</p>
<p>Energy control centers control the operation of power plants as well as of networks. The operation of huge border-crossing gas networks requires a network management and a control center hierarchy to ensure security of gas supplies:<br />
• Main Control Centers (i.e. system and network control centers) responsible for generation coordination, load dispatching, as well as monitoring and controlling the storage sites and transmission network to provide reliable communication, to keep the integrity and security of the complete network, and to guarantee the supply of the services;<br />
• Regional Control Centers responsible for monitoring and controlling the distribution network within a specific area;<br />
• District Control Centers responsible for monitoring and controlling the distribution network within a specific district.</p>
<p>Figure 3. Source: Octavio-Project</p>
<p>Figure 4. Source: Octavio-Project</p>
<p>The efficiency of control centers by applying methods of data handling and processing is closely linked with the development and application of ICT. Their task is:<br />
• Measurement and information gathering: By sensors including satellite-based surveillance and control of pipeline systems, power plants, pump stations, storage sites and networks;<br />
• Acquisition: Transmission of necessary information from the network to the Control Center, and transmission of commands from Command Centers to “operational” components like substations;<br />
• Processing, display and archiving of information: Generating control information from network data.</p>
<p>In contrast to the former auxiliary function for the control of operations of plants and networks, the control function is transferred to a centralized complex instrument with the central function in energy supply. Without this central function, any operation within the energy and gas supply chains ranging from production to distribution and supply would be impossible. The efficiency and reliability of those Control Centers, in particular the System or Central Command and Network Control Centers, is essential and is the biggest vulnerability in case of physical or electronic attacks. This could have extensive follow-up consequences on other critical infrastructures and lead to heavy losses at the stock exchange.</p>
<p>Acquisition and processing tasks are elements of a SCADA (Supervisory Control and Data Acquisition) System. With SCADA, control centers are able to identify and repair interferences, to take necessary measures of repairs centrally, and to acquire data relevant for planning and further actions. Originally, each power plant had its own control center linked with others as part of a hierarchy of networks. The development of ICT enhances the capability to combine different tasks of the command structure for the hierarchy of networks into a central command center for different media such as electricity, gas, water or district heating. The latter have extended their capabilities by using Geographical Information Systems (GIS) to provide geo-referencing information of facilities, networks, vehicles and geographical or political details. Modern SCADA systems use standard interfaces and standard components (of computers operating under UNIX or Windows). SCADA systems have improved system interconnections and efficiencies, but they have also significantly increased system vulnerabilities to outside electronic attacks.</p>
<p>Figure 5: Octavio-Project</p>
<p>European infrastructure security by and large follows the guidelines applied to US facilities. However, the extent of newly implemented technologies, modernization, the limitations imposed by national postures, the divergent risks inherent in divergent suppliers, systems and transit zones, the uneven exposure to potential violence (be it by terrorists or in war-like situations), the competitiveness governing European energy markets, and the limitations on flexibility of adoptions to changing challenges inherent in gas pipeline systems all pose additional challenges to energy industries as well as to national, EU and international governmental authorities &#8211; be they producers, transit providers or suppliers.</p>
<p>Given the growing extension and complexity of energy systems (i.e. of gas supply systems), the requirements for the effectiveness and the security of control centers get more demanding, and trade-offs between effective and secure solutions become more challenging. The requirements for effective and secure control centers are made even more critical by the increasing number of interconnectors between gas systems, the cost of ever larger numbers of sites and growing size of systems, the vast areas they cover, and the inherent risks resulting from how administrative units and control centers are often connected, typically needing control engineers, ICS operators and IT security professionals to cooperate closely.</p>
<p>A broad and systematic analysis of control center vulnerabilities is thus an important step. But the conditions for moving from highly decentralized to increasingly centralized energy systems differ from the US and the EU with regard to regional and state energy demands and decision-systems.</p>
<p>Security Conditions in Perspective for Asset Criticality in Gas Supply Systems: The Octavio Project<br />
The criticality of assets, in particular of control centers, for the functioning of gas supply systems depends on both the degree to which technical security requirements are met and on the conditions under which they are expected to function. Technical security requirements are indispensable, but their criticality depends also on a variety of additional conditions such as (1) assumed general security conditions of gas pipeline systems; (2) the size, length and expected growth of pipeline systems; (3) design parameters; (4) the given security status; (5) geographical conditions; (6) conditions of social-political stability; (7) economic conditions; (8) strategic conditions; and (9) costs and investment choices.</p>
<p>Depending on the type of attack, all elements of a pipeline system can be targeted. Attacks on control centers (in addition to compressor stations) are, however, among the most attractive targets for sabotage, terrorists, multiple attacks, etc. The Octavio Project has therefore concentrated especially on attack options against and protection of control centers. Yet the functioning of SCADA systems is itself a condition that deserves special analysis.</p>
<p>In general, the size, length and expected growth of European and global natural gas networks will impact on both the need for control assets and the security requirements of control centers and other critical components:<br />
• Except for LNG transport, there does not exist a global gas supply system. But enabled through IT developments and driven by increasing demand and supply, as well as increasing competitiveness within the gas market, gas supply systems are growing steadily in terms of identified resources, length of transport lines, transit zones, diversity of geophysical conditions, and distribution of critical assets &#8211; with ever wider regional differences.<br />
• Increasingly demanding security requirements for gas pipeline systems are necessitated by the growing size of gas supply systems, the length of pipes, the diversity of regional conditions, the increasing exposure to both accidental and intentional hazards, the vast amount of critical information from far away locations, the vulnerability of systems for controlling the flow of gas, the security of the system requirements, the need to integrate warning signals from a given system with higher-level crisis information, and the fact that awareness is the single most important aspect of preparedness.<br />
• The increasing size, length and complexity of pipeline systems are among the most critical factors in this vulnerability assessment. However, there is no direct link between the overall size (i.e. kilometers) of gas pipeline systems in the world and an increase in security requirements. Between 2002 and 2005 the totals in kilometers globally increased by more than 30%. Rather than just concentrate on the overall global trend, it is particularly important to recognize the regional trends in major gas markets like the EU, the US, the Persian Gulf, as well as in South Asia.</p>
<p>Asset security in pipeline systems is an important requirement, in many cases much more so than protection of the pipes themselves. It is a prerequisite for effective mitigation against accidents and incidents caused by criminals. Regarding localized hostile attacks, other means become very important, like the speed of response and the means to cope with aggressors. While protection against strategic terrorism requires a broader spectrum of protective means and measures, effective control centers and other critical assets remain an indispensable means of crisis management. In major contingency-scenarios the continued functioning of gas pipeline supplies will depend on a wide variety of circumstances. Agreed definitions regarding the criticality of pipeline assets still need to be refined. Those definitions need to reflect security requirements for assets in pipeline systems in relation to conditions that apply to a given situation. The Octavio Project has laid some useful foundations on which to base more comprehensive sets of security requirements for control centers, gas pipelines and their critical pipeline assets.</p>
<p>Summary and Perspectives<br />
In addition to the new threats coming from terrorist attacks, private or state-sponsored hackers and (transnational) criminal organizations, the vulnerability of the different sector infrastructures has also increased because they are now much more linked with each other &#8211; due to the rapid spread of information technologies. ICT infrastructures in the energy, transport, banking and financing sectors have become the nervous system of our modern information society. Disruptions of ICT can cascade to other locations, branches or sectors, with impacts that extend far beyond the original area of damage, as well as across the state-border of an EU-member state, given that critical information infrastructure (CII) is global as well as tightly interconnected and interdependent with other infrastructures. Their security and resilience cannot be ensured and enhanced by purely national and uncoordinated strategies. Furthermore, market forces do not provide sufficient incentives to private operators for investing to protect CII systems at the level that governments would normally demand. In this light, the fundamental and still underestimated problem is that the low level of protection in some member states can increase vulnerabilities in others. Also, the insufficient systematic interstate cooperation in Europe substantially reduces the effectiveness of preventative and timely countermeasures.</p>
<p>The pipeline-based EU gas supply chain and networks need to recognize the dependencies and interconnectedness of critical European infrastructures between the EU as the consumer and non-member states such as Russia, Ukraine, and others as the producer and transit states.</p>
<p>Whereas there is limited availability of financial and human resources for operators to protect their infrastructure systems, it is essential for both the energy industry and for governments to use all available resources efficiently and effectively by assessing risks and setting priorities to achieve adequate risk management. While it is impossible to protect a utility 100% from a physical or a cyber attack on its facilities and infrastructure, these threats need to be minimized as much as possible without compromising their productivity and day-to-day operations. A professional security and risk assessment requires a systemic perspective to address physical and cyber security, supervisory control and data acquisition (SCADA) and distributed control systems (DCS), communications security, grid security, distribution security, generation security, and biological/chemical issues. Integrated security concepts such as the TAAS Industrial Corporate Security Awareness Program (ICSAP) are a positive step forward in this regard. With well protected infrastructure programs and well-trained and well-equipped security forces (e.g. in Saudi Arabia), the oil and gas industry and their governments can foil or mitigate terror attacks on critical oil, gas and other energy infrastructure.</p>
<p>In order to overcome the historical legacies of insufficient physical infrastructure and traditional policies, the EU agreed in March 2009 to create numerous new interconnectors for both trans-border electricity and gas delivery. This new infrastructure, of which control centers for gas and electricity are an important part, will improve individual nations’ energy supplies and promote a common crisis management system.<br />
Any future risk assessment needs to include the wider political-strategic policies and intentions of the EU and its member states for analyzing the concrete risks, along with future vulnerabilities of existing and to-be-built critical energy infrastructure. In this context, the March 2007, November 2008 and March 2009 decisions of the EU’s energy policies and newly built energy infrastructure are of utmost importance. Any analysis of a comprehensive risk assessment of these gas and electricity control centers would be of benefit by including these dimensions and new policies in a strategic perspective for the EU’s future energy infrastructure security. If the EU’s agreed energy policies and projects are implemented, they will greatly enhance common energy security inside the EU and bolster a common crisis management system, a common energy market, and a common foreign energy policy.</p>
<p>In this regard, the future safety and security of gas control centers and any discussions of critical gas infrastructure need to take into account:<br />
• The new transnational dimensions of interconnecting gas supplies and national gas markets within the EU’s internal market.<br />
• The implications of terrorist and cyber attacks on these new or modernized control centers with their high strategic value, which, if disrupted, could have wide-ranging, cascading effects on transnational gas supplies.<br />
• The overall dependence of European gas control centers on external gas infrastructures outside the EU (i.e. Russian or other foreign gas pipelines, gas control centers, etc.) – particularly in light of the EU’s further growing dependence on gas and other energy imports from outside Europe – including much more unstable regions.</p>
<p>Thus, safety and security issues of gas control centers and other gas and energy infrastructure should become an integral part of the EU’s energy foreign policy with other producer and transit states.</p>
<p>Frank Umbach and Uwe Nerlich are Senior Associates for International Energy Security, Centre for European Security Strategies (CESS), Munich-Berlin.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2009/10/european-energy-infrastructure-protection-addressing-the-cyber-warfare-threat/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>German National Defense in Cyberspace: Science fiction from the real world</title>
		<link>http://www.infowar-monitor.net/2009/10/german-national-defense-in-cyberspace-science-fiction-from-the-real-world/</link>
		<comments>http://www.infowar-monitor.net/2009/10/german-national-defense-in-cyberspace-science-fiction-from-the-real-world/#comments</comments>
		<pubDate>Sun, 04 Oct 2009 06:45:15 +0000</pubDate>
		<dc:creator>gwalton</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Botnets]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[Estonia]]></category>
		<category><![CDATA[Georgia]]></category>
		<category><![CDATA[Germany]]></category>
		<category><![CDATA[Law and Policy]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[NATO]]></category>
		<category><![CDATA[Russia]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5145</guid>
		<description><![CDATA[Source: John Goetz, Marcel Rosenbach and Alexander Szandar - <a href="http://www.spiegel.de/international/germany/0,1518,606987,00.html">Spiegel</a>:

<blockquote>Germany's military, the Bundeswehr, trains its own hackers -- and it's not the only official effort to defend a nation from denial-of-service attacks. Governments around the world are preparing for the future of war.

This is what an officially appointed hacker looks like: A man with gray hair and a moustache, wearing a blue German Air Force uniform. His name is Friedrich Wilhelm Kriesel, and he's 60 years old, a brigadier general and the head of the Bundeswehr's Strategic Reconnaissance Unit.</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Kriesel has been deployed to the front lines of a battle that has recently come in for special attention from the Bundeswehr. The general&#8217;s task is to prepare for the wars of the future, parts of which could be waged on the Internet. Kriesel seems to be the right man for the job. With about 6,000 soldiers under his command, his unit already operates like an intelligence service.</p>
<p>Strictly isolated from the public at the Tomburg barracks in Rheinbach, a picturesque town near Bonn, 76 members of his staff are busy testing the latest methods of infiltrating, exploring and manipulating &#8212; or destroying &#8212; computer networks. The unit, known by its harmless-sounding official name, Department of Information and Computer Network Operations, is preparing for an electronic emergency, which includes digital attacks on outside servers and networks.</p>
<p>The uniformed hackers from Rheinbach are Germany&#8217;s answer to a growing threat which has begun to worry governments, intelligence agencies and military officials around the world. Now that computers have made their way into practically every aspect of life, their susceptibility to attacks has risen dramatically. In the United States, experts have been warning for years against an &#8220;electronic Pearl Harbor,&#8221; a &#8220;digital Sept. 11&#8221; or a &#8220;Cybergeddon.&#8221;</p>
<p>Estonia was the first NATO member state to fall victim to this form of digital attack. In the spring of 2007, banks, government agencies and political parties in Estonia came under massive electronic attack. The Baltic republic was essentially offline for a while, making it the scene of the first &#8220;cyber war.&#8221; Officials there suspect the attack came from neighboring Russia, because Estonia was embroiled in serious diplomatic disputes with Moscow at the time.</p>
<p>The use of the term &#8220;war&#8221; in the Estonian case was controversial from the start, and rightfully so, since there were no dead or wounded. Nevertheless, the attack shows that assaults on the virtual world can also have disastrous consequences. The Internet has developed into a virtual battlefield, which can mirror conflicts in the real world.</p>
<p>Many countries are now preparing for similar threats. The Americans alone plan to invest billions of dollars in a national cyber-defense program. Western intelligence agencies and military officials are convinced that their enemies are in the East, just as they were in the Cold War &#8212; in Russia and China. A report submitted to the US Congress last fall concluded that China is &#8220;aggressively&#8221; expanding its cyber-warfare capabilities and may soon possess an &#8220;asymmetric advantage.&#8221; According to the report, &#8220;these advantages would reduce the conventional superiority of the United States in a conflict situation.&#8221;</p>
<p>The Germans have also had adverse experiences with China in this field. Just two years ago, the Federal Office for Protection of the Constitution (BfV), Germany&#8217;s domestic intelligence agency, informed the government that servers from Lanzhou province in China had attacked several German ministries and the chancellery with malicious software aimed at tapping sensitive information.</p>
<p>In mid-January the cabinet approved draft legislation to &#8220;strengthen the information security of the federal government.&#8221; The draft legislation is now being reviewed by the Bundesrat, the upper house of the German parliament. So far it&#8217;s gone largely unnoticed by the public, but the draft will be submitted to the lower house, or Bundestag, in early March. The &#8220;special urgency&#8221; of the legislation stems from the &#8220;need to safeguard government communication.&#8221; The corresponding government agency, the Federal Office of Security in Information Technology (BSI) in Bonn, is to be expanded into something resembling a data watchdog for government agencies.</p>
<p>Defense Minister Franz Josef Jung ordered Bundeswehr officials to develop a cyber force for the military three years ago. It was the birth of Kriesel&#8217;s unit.</p>
<p>&#8220;Denial-of-Service&#8221; attacks</p>
<p>The 76 German Internet warriors are mainly graduates of the computer science departments at the Bundeswehr&#8217;s internal universities. Last Tuesday General Kriesel gave a proud report on his unit&#8217;s successes &#8212; including electronic surveillance activities in Afghanistan &#8212; to Inspector General Wolfgang Schneiderhan and the chiefs of staff of the army, air force and navy. Then he discussed his top-secret group. Kriesel&#8217;s cyber unit will be ready to start operations next year, when it will be asked to demonstrate its capabilities &#8212; in a simulated attack on a real target, known as a penetration test.</p>
<p>The soldiers use the same methods employed by criminals. The future digital warriors learn how to load malicious software onto outside computers, unbeknownst to their users, through e-mail, external media like a CD-ROM disk or simply &#8220;while surfing by&#8221; on a prepared Internet site. Infected computers can then download additional malicious programs, such as a letter recorder that reads every keystroke on the machine, which can record whole e-mail messages, Internet addresses and passwords. The program then inconspicuously sends the collected entries to a remote computer.</p>
<p>The training agenda in the unit&#8217;s offensive division is even more difficult and exotic. The Rheinbach soldiers no longer fight with tanks, fighter jets and assault rifles. Their weapon is the computer, and their simulations sound like science fiction or scenarios from a computer game. But Kriesel&#8217;s soldiers study two major types of cyber assaults &#8212; &#8220;denial of service&#8221; or &#8220;botnet&#8221; attacks &#8212; based on real-life attacks on Estonia and Georgia.</p>
<p>Science Fiction from the Real World</p>
<p>In Estonia, a political conflict over the relocation of a Soviet memorial spilled over into the Internet after only a few hours in the spring of 2007. The Estonians had removed a bronze statue during the night, planning to move it from downtown Tallinn to a more remote military cemetery. A symbol of occupation for many Estonians, the statue represented the Soviets&#8217; victory over Nazi Germany on behalf of the nation&#8217;s Russian minority.</p>
<p>In less than 24 hours, the first wave of attacks was recorded on Web sites for the Estonian prime minister, the parliament and various political parties. Hackers placed a false apology for the decision to relocate the statue on the sites. They also gave the prime minister a Hitler mustache on one of his Web pages.</p>
<p>Various Russian Internet forums also posted instructions on how individual users could express virtual displeasure with the Estonian decision. The forums provided descriptions in Russian of how to flood Estonian Web sites and servers with test signals &#8212; instructions for a classic denial-of-service attack.</p>
<p>The instructions produced the desired effect, as the volume of data traffic rose dramatically on Estonian networks. Experts with the Estonia Computer Emergency Response Team detected orchestrated attacks on individual targets coming from more than one million computers. The attacks emanated from so-called &#8220;botnets,&#8221; or linked computers that have been infected with malicious software and can thus be used for criminal purposes, unbeknownst to their owners, whenever the owners are online.</p>
<p>The consequences were devastating. The Estonian parliament had to shut down its e-mail system for half a day. Internet providers temporarily cut off their customers&#8217; connections, and several Estonian banks were unreachable online for an extended period of time.</p>
<p>After that, one Estonian network provider counted a total of 128 attacks, including 36 on the websites of the government and parliament, 35 on the Estonian police and another 35 on the finance ministry.</p>
<p>For military officials and intelligence agencies around the world, Estonia is considered a precedent with an unsettling message. According to a Swedish study, the Estonian case conclusively demonstrates &#8220;that an individual attacker or a group can, with relative ease, significantly disrupt the normal business operations of government agencies and economic activity in another country &#8212; and successfully conceal its involvement.&#8221; In fact, it is still not clear who was behind the Estonian cyber-attack. Nevertheless, authorities know that the botnets involved had already attacked the Web site of a Russian opposition party in the past.</p>
<p>The attacks on Georgia last summer followed a similar pattern, although in that case they accompanied a real invasion by Russian troops. Once again, it was Russian-language Internet forums that provoked the attack, also providing a list of worthwhile Georgian targets. On &#8220;stopgeorgia.ru,&#8221; a website set up for this purpose, users could download a malicious program called &#8220;war.bat,&#8221; tailored for the attack on Georgian networks.</p>
<p>Because of the attacks a site for the Georgian president had to be taken offline for a day, and on orders from the national bank, Georgia&#8217;s financial institutions cancelled all electronic banking for 10 days. Hackers also manipulated the contents of Web sites in Georgia. The foreign ministry&#8217;s home page, for example, suddenly contained a collage of portraits of Georgian President Mikheil Saakashvili and Adolf Hitler.</p>
<p>In the Georgian case, many trails also lead to Russia. A NATO report, however, says there is &#8220;no conclusive evidence&#8221; of official involvement by the Russian government.</p>
<p>Warfare or Not Warfare?</p>
<p>Analyzing these incidents raises a number of serious questions for the Bundeswehr and German politicians. Were these situations in fact &#8220;cyber wars,&#8221; that is, the shifting of a conventional war between two nations onto the Internet? Or were they simply new forms of &#8220;asymmetric conflict,&#8221; in which countries are attacked by digital guerilla groups?</p>
<p>Should they be treated as a violation of the European Council&#8217;s Convention on Cyber Crime, which 23 countries have ratified? Or are they a military action that justifies retaliatory attacks? For instance, if the Bundeswehr has identified a server controlling a botnet, does it have the authority to destroy it? Will it ultimately need its own botnet of maliciously-programmed computers?</p>
<p>These questions have been the subject of heated debate among military leaders and diplomats since the Estonia incident. At last year&#8217;s NATO summit in Bucharest, the heads of state agreed to a joint cyber defense concept and strengthened the security precautions for their own networks, for which a NATO agency in the Belgian city of Mons is responsible. In addition, the alliance established a &#8220;Center of Excellence on Cyber Defense,&#8221; in the Estonian capital Tallinn. The new institute has produced an analysis of the attacks on Georgia, in which it points to &#8220;attacks in a gray zone.&#8221; According to the report, &#8220;the current question of whether cyber attacks should be treated as armed attacks remains unresolved.&#8221; It will &#8220;take time to achieve international consensus on the legal issues of cyber defense,&#8221; the report concludes.</p>
<p>Germany, at any rate, is apparently unwilling to wait that long. The draft legislation prepared by the interior ministry, now headed to the Bundestag for debate, proposes upgrading the BSI into something of a civilian cyber defense agency. In the future, it would employ automated technology to monitor the flows of data at the Federal Chancellery and ministries, so that abnormalities can be detected and corrective steps taken more quickly. In addition, the small Bonn agency would no longer simply issue recommendations to reluctant government institutions, but would have the authority to issue concrete &#8220;guidelines,&#8221; such as to reduce the number of unmonitored points of access to the Internet.</p>
<p>In a previously unpublished report on the situation of IT security in Germany in 2009, the security experts warn that both the number and level of sophistication of attacks are rising. They predict not only a growing threat stemming from botnet attacks, but also from attacks on major systems that control critical infrastructures, such as those of nuclear power plants or traffic guidance systems.</p>
<p>Meanwhile, the uniformed hackers at Rheinbach are battling a particularly treacherous adversary: German criminal law, which has banned the preparation of computer sabotage since 2007. If the German cyber warriors did in fact launch test attacks on outside networks they would, strictly speaking, be breaking the law. The penalty for serious computer sabotage is a prison sentence of up to ten years.</p>
<p>Translated from the German by Christopher Sultan</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2009/10/german-national-defense-in-cyberspace-science-fiction-from-the-real-world/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

