Scenario justification
Justification: When the value that is to be protected is information, the risk of espionage must be taken into account. Espionage involves tasks which can be undertaken by individuals, companies and, of course, states. Though espionage and intelligence gathering comes in many forms, of particular interest here is signals intelligence, or information gathered from the interception of signals. Depending on the sensitivity of the information stored on the piqlFilm, this kind of espionage must be planned for and protected against.
Purpose: As the Piql Preservation Services is an offline medium for the most part, any other form of espionage would somehow involve stealing the piqlFilm and reading its contents that way.
Physical theft of this kind has been covered in other scenarios. This scenario we would rather use to demonstrate how the Piql Preservation Services can be subjected to logical theft, i.e. gaining unauthorised access to the signals carrying the information while it is electronically transferred inside a system. For the Piql Preservation Services, this is only possible during the production phase.
Benefit: This scenario seeks to illustrate how the Piql Preservation Services is vulnerable to threats against their IT system during the ingestion of the client data. Though the information stored using the Piql Preservation Services is offline for most of its existence, it is also online for a small period of time, and securing the information during this time is vital. The risks faced are the same for all services connected to a public web server, but that cannot minimise the importance of the Piql Preservation Services doing what it can to mitigate those risks.
Caveat: The Piql IT system is assessed to be well-secured, which means that it would take a threat actor with formidable abilities to break into the system logically. Therefore, this scenario
presupposes that a state actor must be the culprit. A state actor would most likely spy on another state actor, often on some form of military intelligence or intelligence which could harm national security if it got out. We have to assume that if the Piql Preservation Services are used by a country’s Defence programme, then additional IT security would be put to meet that user’s very high security demands. However, for the sake of this assessment, we must analyse the possible risks based on the security regime set up by Piql AS. This scenario will illustrate the potential dangers of espionage to the other users who implement the IT security measures Piql stipulate, but be advised that the user in this scenario is unlikely to be as vulnerable. We must include the user, nonetheless, to gain a balance in the assessment.
Scenario outline
The scenario is set in the geographical zone North (North America). A threat actor with formidable skills in gaining unauthorised access into another’s IT system manages to break through the security software installed as part of the Piql IT system’s Front-End service. The state X, as we will call them, manages to install spyware on the Piql computer system which the security
measures in place are unable to detect. As a result, state X gains access to the designs of a weapon system developed by state Y, the major military power in the world. Though the designs are no longer state of the art by their standards, as state Y is so much further along all other states when it comes to military technology, the designs are a major breakthrough for state X to get their hands on. The malware copies these designs and sends them undetected to state X. State Y thus loses a major military advantage in possible future conflicts against state X.
Cause Type of risk (Hazard/Threat)
Threat: Spyware installed on Piql computer system which duplicates the original file containing detailed descriptions of a new weapon system as it is prepared for printing.
Intentional
(Yes/No/Both) Yes.
Profile of actor (if intentional)
State X is regarded as one of the world’s leading military powers, but it is still nowhere near the capacity of state Y, which has had the military upper hand for centuries now. Nevertheless, state X has formidable resources of its own and a perseverance which is unparalleled on the world stage when it comes to elevating their position. There are few things state X will not do to achieve this goal.
Description of cause
Espionage in the form of spyware installed on Piql receiving and processing computer which sends the prepared files to the piqlWriter.
State X has viewed the latest political developments with regards to its relations with state Y with much alarm. The relations have worsened considerably the past few months, and state X fears a military strike by state Y is imminent. State X thus uses espionage to gain further knowledge of state Y’s military capability, both to know what they are up against and to replicate state Y’s military equipment to be able to defend themselves.
Competence and resources (if intentional)
As one of the world’s leading military powers, state X has the resources, with regards to both finances and intelligence capabilities within the online realm, to go through with this kind of cyber operation.
User/value
User class Public sensitive.
User type Military, defence. Military world power, state Y.
Value Military secrets regarding the designs of a weapon system. As the technology is unknown to all other state actors, the loss of this asset will cause a major reduction in state Y’s power position.
Location
Location description
Geographical zone: North (North America). The developmental level is high and the political climate is stable.
The piqlVault is situated in an urban area, located centrally in the city.
The scenario takes place in the future, 2244, as it presupposes an imagined situation in which there are sufficient tensions between two highly developed military nations to make armed conflict imminent.
The time period is 0-30/50 years, as the value is time-sensitive, i.e.
once the military technology is sufficiently outdated it will be of no interest to spy on. The scenario is also a risk for the present, so long as the Piql Preservation Services store information which others are willing to go to great lengths to gain access to.
Environment description
The climate zone is a warm temperate climate. It is spring, in the end of April. The local weather conditions are fairly mild and dry: 12°
Celsius with a relative humidity of 69 %.
The plant of the malware happens in the middle of the night without being detected.
Production site description
The scenario takes place during the production of the piqlFilm. The setting is therefore the production site, which is situated in a standard office building. The Piql computer, the piqlWriter and the piqlReader are all located in the same large production room, whereas the processing room and equipment is located elsewhere.
The productions site is regulated through ventilation to uphold the ISO standards governing levels of humidity and temperature.
Local safety measures All safety measures required by Piql AS are in place, see section 5.5.1 for details.
Local security
measures All security measures required by Piql AS are in place.
Consequences
Outer building The physical infrastructure of the building and the storage room is not affected during the incident.
Production site
The structural integrity of the production site is not affected by the incident. However, the Piql IT system, as part of the Piql Preservation Services, is breached. A state X employee and professional hacker is able, with the full weight and resources of state X behind him/her, to breach the security software of the Front-End code and gain access into the Piql computer system. Here, the client data of state Y is being prepared for transfer over to the computer connected to the piqlWriter,
meaning that state X has access to both the original files and the prepared file. The hacker installs a spyware which monitors the system and, upon finding something of interest, duplicates that information and transfers it back to a designated database owned by state X. All this is done undetected.
Box The piqlBox is not affected during the incident.
Film
The information which is being prepared for writing onto a piqlFilm is not damaged or altered in any way, but the information is accessed without authorised permission to the detriment of the data owner.
Power/energy supply The power supply is not affected during the incident.
Divergence from ISO standard
The storage conditions of the Piql Preservation Services are not affected during the incident.
Security mechanisms
Integrity As the piqlFilms are not damaged or altered during the incident, the data is not lost. The integrity of the piqlFilms thus remains intact.
Availability
The availability of the piqlFilms is not compromised, as the
information is simply copied and not removed or damaged so that the data owner no longer has access to it. The availability of the
information thus remains intact.
Confidentiality
Most importantly for the data owner, the confidentiality of the information about to be written onto the PiqlFilms was irrevocably compromised, as another actor who absolutely should not have had access to its contents did gain access. The loss of confidentiality also resulted in a significant loss of military advantage for the data owner.
Immunity (against attacks on the above mentioned)
The Piql Preservation Services is not immune to attacks against confidentiality.
Recommendations
Recommended protective measures
Measures to mitigate against the threat of cyber-attacks include making sure that the security software used by the Piql partners is always state of the art; always keeping the security software up to date so as to secure the Piql IT system from unauthorised intrusion.
Piql AS should offer encryption methods as part of their own security architecture to the users which value confidentiality higher than availability (as encryption inevitably results in loss of self-contained).
References
Relevant literature [70] Nasjonal sikkerhetsmyndighet (2015) S-02 Ti viktige tiltak mot dataangrep.
B.10 Terrorism