As cyber tools are apparently starting to be used to attack infrastructure as a means of achieving nation state political goals, it is necessary to examine how those tools can be honed, improved and tested without risking conventional warfare. While in the early days of cyber weapon development (à la Stuxnet) subterfuge or obfuscation was adequate to prevent retaliation, strides in the technologies for isolation, identification and attribution of cyber weapons are making real world testing of these weapons more difficult.
Artificial testbeds and weapons ranges will certainly have their place in cyber weapon development and evaluation, but a cautious adversary would be wary of relying on new strategic weapons in a full scale attack without having tested both their capability and their target’s potential responses to such an assault.
A time honored tradition in conventional weapon development has been the use of new weapon systems against proxy targets. Lesser third party nations that had limited retaliatory capability were attacked with new weapons to see how well the weapons actually fared in combat conditions. If the proxy target had some of the defensive armament used by the primary opponent, the test would provide important data to the developers of weapons and tactics as to how best employ the new weapons in future conflicts.
Some people have suggested that the recent cyber-attacks on the electric grid in the Ukraine were just this type of attack. While the Russians certainly have local interests vis-à-vis the Ukraine that might cause them to execute this type of attack, the use of a new cyber-attack methodology in actual field conditions could certainly be used to refine and improve such methods.
Limited attacks with conventional kinetic weapons against one’s primary adversary are very hard to hide. That may not be the case with cyber weapons. If one were to employ portions of the attack tools against an adversary during events when the target was already being stressed, the target might not notice the small cyber effects.
For example, if during a winter storm, when a certain number of electric distribution and transmission failures are to be expected, an adversary were to use new cyber weapons in a very limited application, the failures related to those attacks might not be investigated in sufficient detail to identify them as a cyber-attack.
An adversary that had already gained access to an electrical distribution network, for instance, could cause an automated breaker to open and carefully watch how that opening affected the remainder of the network. If the breaker controller had been doctored to not show that particular directed opening it is unlikely that the utility would take particular note of that breaker opening in the grand scheme of responding to the weather related problems.
In a posting on the SANS ICS Blog last summer I described how isolated changes could be made to the controls of chemical reactions in a chemical manufacturing plant and made to look like operator errors. Such attacks could be used to map control system responses at such a facility. Lacking detailed process knowledge, an attacker could use such response mapping over time as a method for developing an effective attack that could shut down or even damage the facility.
The last two weapon testing methodologies should be of increasing concern to control system owners as it becomes more obvious that there are nation states (and possibly non-state organizations) that are actively developing technology to attack industrial control systems as a tool of cyber warfare.
While few organizations are going to have the internal resources to completely prevent the possibility of such an attack, the ability to identify unauthorized intrusions into control system networks is key to limiting the effectiveness of such attacks if they do occur. Such identification should allow for the emergency isolation or shutdown of the affected systems in a way that minimizes the potential damage.
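One concrete form of the identification called for above, written as an added example rather than anything from the original post: the doctored controller in the breaker scenario hides its own event, so the check reconciles breaker openings seen by an independent source (a line sensor or neighbouring RTU) against both the operator command log and the controller's event log, and flags any opening that neither explains. The record layout, field names, time window and sample data are all constructed assumptions.

```python
"""Reconcile independently observed breaker openings against the controller's
own event log and the operator command log. An opening that neither source
accounts for is flagged as unattributed, which is what a controller doctored
to suppress its event would look like from the outside.
All records below are constructed sample data, not real utility telemetry."""
from datetime import datetime, timedelta

# Constructed: openings seen by independent telemetry, operator-issued
# commands, and the events the breaker controller itself reported.
# Timestamps are ISO 8601 strings; records are (breaker, kind, timestamp).
OBSERVED_OPENINGS = [
    ("BRK-101", "2016-01-20T02:14:05"),  # commanded by an operator
    ("BRK-117", "2016-01-20T02:31:40"),  # controller reported a fault trip
    ("BRK-122", "2016-01-20T03:02:12"),  # no command, no controller event
]
OPERATOR_COMMANDS = [("BRK-101", "OPEN", "2016-01-20T02:14:01")]
CONTROLLER_EVENTS = [("BRK-117", "FAULT_TRIP", "2016-01-20T02:31:39")]

WINDOW = timedelta(seconds=10)  # assumed tolerance for clock skew and latency


def _ts(s):
    return datetime.fromisoformat(s)


def _explained(breaker, when, records):
    """True if some record for this breaker falls within WINDOW of `when`."""
    return any(b == breaker and abs(_ts(t) - when) <= WINDOW
               for b, _kind, t in records)


def unattributed_openings(observed, commands, events):
    """Return the observed openings that neither the operator command log
    nor the controller's own event log accounts for."""
    flagged = []
    for breaker, t in observed:
        when = _ts(t)
        if not _explained(breaker, when, commands) and \
           not _explained(breaker, when, events):
            flagged.append((breaker, t))
    return flagged


if __name__ == "__main__":
    for breaker, t in unattributed_openings(
            OBSERVED_OPENINGS, OPERATOR_COMMANDS, CONTROLLER_EVENTS):
        print(f"ALERT: {breaker} opened at {t} with no command or controller event")
```

During storm response such an alert is what separates an ordinary weather trip from an opening that deserves a closer look.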