ABSTRACT
Unprecedented internet connectivity in dangerous machinery and the essential function of society requires preventative cyber risk solutions. This article reviews the new Kinetic Cyber, the UK’s upcoming Product Security and Telecommunications Infrastructure (PSTI) Bill and reflects upon International Humanitarian Law (IHL) relating to weapons of mass destruction.
BY EMMA MOODY
The increasing convergence of cyberspace with the physical world is formidable. The security community must consider the effects of unprecedented levels of internet connectivity. Technological advances, such as a new Internet of Things (IoT), are advantageous but have also generated an era of digital interdependency. The most vital societal systems, such as hospitals, supply chains, and energy grids, are all internet-connected, interdependent and are at risk of cyber-attacks. Kinetic cyber-attacks on these systems can cause maximum physical impact. They are a form of cyber-attack that directly and indirectly causes tangible destruction, injuries and death via computer-operated mechanisms [1]. A recent press release by the UK Department for Digital, Culture, Media & Sport (DCMS) indicates enthusiasm for expanding internet connectivity. UK policy makers have suggested ‘slashing’ the red tape for the multi-billion-pound 5G rollout [2]. However, policymakers must balance efficiency, innovation and economic benefits with precautions that safeguard civilisation. The new ‘Kinetic Cyber’ is outpacing legislation and is recasting security standards provincially and internationally.
The UK government has made important strides such as establishing the National Cyber Security Centre. Additionally, the latest Integrated Review encourages enterprises, organisations and civilians to bolster their cyber security standards [3]. However, cyber security professionals demand greater accountability, recognising that private enterprises’ cyber standards are interlinked with essential services and with national security [4]. More preventative and future-proof security measures are still required. The consequences of leaving volatile machinery vulnerable to attack can cause destruction to environments, economies, health and safety, as well as the essential function of critical national infrastructure (CNI) [5].
Currently, kinetic cyber-attacks are considered ‘statistically insignificant’ and improbable [1]. However, their immense potential harm must not be overlooked. The House of Commons noted that kinetic cyberattacks on the UK’s essential services is not a question of ‘what if’, but ‘when’ [6].
The case of Triton is a kinetic cyber-attack that exemplifies a potential for widespread destruction. It has been described as a “watershed” moment in cyber security [8]. Triton, also named HatMan or TRISIS, compromised the critical safety systems of at least one petrochemical plant in Saudi Arabia in 2017 [9]. After remaining undetected for three years, the perpetrator managed to gain remote control of the plant’s safety systems. Whilst other significant cyber-attacks, like SolarWinds in 2020, were aimed at stealing important data, Triton malware directly targeted and developed capabilities to catastrophically harm human life [10]. The malfunction of the safety systems of the Union Carbide pesticide plant in India in 1984 killed 15,000-20,000 people [11]. Had the Triton malware in Saudi Arabia not been discovered it could have also led to the death of thousands of people. By targeting the safety systems of volatile machinery, Triton malware was capable of maximum physical impact.
FireEye, a cyber-security company, tracked the IP address found in the Triton malware to a research institute in Moscow. They suspect that the attack was state-sponsored and was likely practicing for a zero-day attack on safety systems that protect human life. The hackers behind Triton have since been found targeting companies internationally, including in North America. In 2019 the Triton hackers were discovered to be illegally scanning US critical national infrastructure for vulnerabilities [12].
The Triton incident highlights new unforeseen vulnerabilities of digital dependency. Industrial facilities are ‘systematically connected’ to internet servers today, especially following COVID-19 and subsequent growth in ‘remote’ work [13]. The UK’s national security is dependent upon outdated legacy systems which have not been replaced due to limited resources [14]. Consequently, most safety systems remain linked to the internet, leaving them vulnerable to attacks much like Triton.
Kinetic cyber-attacks are enabled by Internet of Things (IoT) technology which embeds connectivity into everyday life [15]. IoT is the connection of physical devices to Internet Protocol (IP) networks and facilitates device-to-device connectivity [16]. A vast array of ‘smart’ devices are considered IoT technology, from networked medical devices to home heat monitors, to smart cars and toys. Professional use of IoT is industrialised and automated on a far larger scale than for personal devices. It encompasses the monitoring and logistics of operational devices, and even the remote control of machinery within important supply chains [15]. With the ubiquity of ‘smart’ devices, IoT has become increasingly relevant.
In November 2021, the DCMS introduced a new bill that may improve UK cyber resilience in IoT technology. The Product Security and Telecommunications Infrastructure (PSTI) bill has passed the committee stage in the House of Commons. The first section “creates a new regulatory scheme to make consumer connectable products more secure against cyber-attacks” [18]. The bill bans default factory passwords, improves communication of vulnerabilities, and mandates transparency about updates. However, the scope of the bill is limited. For example, it does not cover IoT products such as “vehicles, smart meters, [and] medical devices” [19]. The failure to include these devices is significant to national security since they are industrialised and interlinked to essential systems within the UK. Furthermore, whilst the bill suggests enforcement of compliance it does not specify what regulatory body would retain such powers. Will this bill merely encourage business cyber resilience rather than enforce it?
Perhaps then, we should turn to international legislation on IoT devices. The use of cyber tools as a means of warfare is a developing segment of international law. International law functions within the paradigm of ‘just war’ principles. However, changing definitions of what a cyber ‘attack’ is, what ‘cyber warfare’ is and subsequently what ‘just’ war is proves challenging. The International Review of the Red Cross distinguishes between using information weapons and using physical cyber weapons within warfare [21] :
“… the use of ICTs [information and communications technologies] in military contexts may be preferable to use of kinetic [physical] weapons and can be de-escalatory”. [22]
Another central debate in the international law of IoT is whether malware capable of vast physical destruction qualifies as a weapon of mass destruction, means or method of warfare [23]. Certainly, in Triton’s case, the malware was capable of mass physical destruction. Moreover, it was likely state-sponsored. Should malware like Triton, which targets human life and weaponises interdependency, be subjected to stricter international humanitarian law?
With greater automation, with internet-connected devices proliferating under an industrialised IoT, and with entire cities designed to be ‘smart’, it is more difficult than ever to determine which infrastructures are most at threat. The ongoing developments in the UK, such as the ambitious 5G rollout, provide strong benefits. However, increased dependency upon uninterrupted operation escalates cyber threats and complicates cyber-security strategies. Consequently, UK cyber resilience measures must keep pace with the reorganisation of ‘smart’ infrastructure and should engage with new definitions and developments in international humanitarian law.
REFERENCES
1 Applegate, Scott D. 2013. The Dawn Of Kinetic Cyber. Ebook. Virginia: NATO CCD COE Publications. https://ccdcoe.org/uploads/2018/10/10_d2r1s4_applegate.pdf.
2 Department for Digital, Culture, Media & Sport. 2022. "New Plans To Slash Red Tape From 5G Roll Out And Improve Mobile Phone Connectivity".https://www.gov.uk/government/news/new-plans-to-slash-red-tape-from-5g-roll-out-and-improve-mobile-phone-connectivity.
3 Cabinet Office. 2021. "Global Britain In A Competitive Age: The Integrated Review Of Security, Defence, Development And Foreign Policy". https://www.gov.uk/government/publications/global-britain-in-a-competitive-age-the-integrated-review-of-security-defence-development-and-foreign-policy/global-britain-in-a-competitive-age-the-integrated-review-of-security-defence-development-and-foreign-policy.
4 Scully, Tim. 2013. "The Cyber Security Threat Stops In The Boardroom". Journal Of Business Continuity & Emergency Planning 7 (2): 138-148. https://www.ingentaconnect.com/content/hsp/jbcep/2014/00000007/00000002/art00006.
5 Cook, Allan. 2018. "Establishing Cyber Situational Awareness In Industrial Control Systems". PhD Thesis, De Montfort University Leicester.
6 House of Commons, Joint Committee on the National Security Strategy. 2022. "Cyber Security Of The UK’S Critical National Infrastructure". https://houseofcommons.shorthandstories.com/jcnss-cni-report/index.html.
7 Rezof. 2012. Petropavl/Kazakhstan - May 11 2012: Modern Laser Precision CNC Cutting Machine. Sparks Of Hot Metal Pieces. Image. https://www.shutterstock.com/image-photo/petropavlkazakhstan-may-11-2012-modern-laser-1817264684.
8 Alladi, Tejasvi, Vinay Chamola, and Sherali Zeadally. 2020. "Industrial Control Systems: Cyberattack Trends And Countermeasures". Computer Communications 155: 1-8. doi:10.1016/j.comcom.2020.03.007.
9 Black Hat USA 2018. 2022. "TRITON: The First ICS Cyber Attack On Safety Instrument Systems". NOZOMI. https://scadahacker.com/library/Documents/Cyber_Events/Nozomi%20-%20TRITON%20-%20The%20First%20SIS%20Cyberattack.pdf.
10 Peisert, Sean, Bruce Schneier, Hamed Okhravi, Fabio Massacci, Terry Benzel, Carl Landwehr, Mohammad Mannan, Jelena Mirkovic, Atul Prakash, and James Bret Michael. 2021. "Perspectives On The Solarwinds Incident". IEEE Security &Amp; Privacy 19 (2): 7-13. doi:10.1109/msec.2021.3051235.
11 Giles, Martin. 2022. "Triton Is The World’S Most Murderous Malware, And It’S Spreading".https://www.technologyreview.com/2019/03/05/103328/cybersecurity-critical-infrastructure-triton-malware/.
12 U.S. Department of the Treasury. 2020. "Treasury Sanctions Russian Government Research Institution Connected To The Triton Malware". https://home.treasury.gov/news/press-releases/sm1162.
13 Duda, Oleksij, Volodymyr Kochan, Natalija Kunanets, Oleksandr Matsiuk, Volodymyr Pasichnyk, Anatoliy Sachenko, and Taras Pytlenko. 2019. "Data Processing In Iot For Smart City Systems". 2019 10Th IEEE International Conference On Intelligent Data Acquisition And Advanced Computing Systems: Technology And Applications (IDAACS). doi:10.1109/idaacs.2019.8924262.
14 Johnson, Chris. 2017. Written Evidence From UK Computing Research Committee, UKCRC (CNI0005). Ebook. UKCRC. https://www.theiet.org/media/6312/2018-02.pdf.
15 Shafique, Kinza, Bilal A. Khawaja, Farah Sabir, Sameer Qazi, and Muhammad Mustaqim. 2020. "Internet Of Things (Iot) For Next-Generation Smart Systems: A Review Of Current Challenges, Future Trends And Prospects For Emerging 5G-Iot Scenarios". IEEE Access 8: 23022-23040. doi:10.1109/access.2020.2970118.
16 K Patel, Keyur, and Sunil M Patel. 2022. Internet Of Things-IOT: Definition, Characteristics, Architecture, Enabling Technologies, Application & Future Challenges.Ebook.Gujarat,India.http://www.opjstamnar.com/download/Worksheet/Day-110/IP-XI.pdf.
17 Beer, Nick. 2020. London, UK - Circa October 2020: Resident Seen Checking His Electrical Usage Via A Newly Installed Electricity Smart Meter. The Display Shows How Much Electricity Has Been Used.. Image. https://www.shutterstock.com/image-photo/london-uk-circa-october-2020-resident-1836507238.
18 House of Commons. 2022. "Product Security And Telecommunications Infrastructure Bill". https://bills.parliament.uk/bills/3069.
19 Department for Digital, Culture, Media & Sport. 2022. "New Cyber Laws To Protect People’S Personal Tech From Hackers". https://www.gov.uk/government/news/new-cyber-laws-to-protect-peoples-personal-tech-from-hackers.
20 Nuhoglu, Sahan. 2018. IZMIT, TURKEY - JANUARY 11, 2017: An Operator Monitoring The Programme Process In A Waste And Residue Treatment, Incineration And Recycling Company.. Image. https://www.shutterstock.com/image-photo/izmit-turkey-january-11-2017-operator-1410309881.
21 Gisel, Laurent, Tilman Rodenhäuser, and Knut Dörmann. 2020. "Twenty Years On: International Humanitarian Law And The Protection Of Civilians Against The Effects Of Cyber Operations During Armed Conflicts". International Review Of The Red Cross 102 (913): 287-334. doi:10.1017/s1816383120000387.
22 OHCHR Regional Office for Europe. 2020. UK Response To Chair’S Initial ‘Pre-Draft’ Of The Report Of The OEWG On Developments In The Field Of Information And Telecommunications In The Context Of International Security. Ebook. United Nations.https://front.un-arm.org/wp-content/uploads/2020/04/20200415-oewg-predraft-uk.pdf.
23 Hatch, Benjamin. 2018. "Defining A Class Of Cyber Weapons As WMD: An Examination Of The Merits". Journal Of Strategic Security 11 (1): 43-61. doi:10.5038/1944-0472.11.1.1657.