
Scenario number 8 Sabotage

In document 16-00707 (pages 143-147)

Scenario justification

Justification: Sabotage is a real vulnerability to any system. This could be a wire being cut, a control panel being smashed or a microchip being dislodged in a vital machine. The same vulnerability exists in the Piql Preservation Services.

Purpose: The purpose of this scenario is to stress the vulnerability of the Piql system to sabotage, be it sabotage against the structural integrity of the building housing the storage facility or production site, against the piqlVault system, against the necessary machines in the production process, or against the piqlFilm directly. This particular case is a case of logical sabotage which takes place on the Piql computer which receives and processes the client data before writing.

Benefit: This scenario seeks to highlight the importance of protective measures against acts of sabotage, particularly when it comes to IT security. Though the information stored with the Piql Preservation Services is immune to logical threats for most of its existence, as it is an offline medium, the risks are still present during production.

Scenario outline

The scenario is set in the geographical zone South (Southern Africa). A state actor, state X, is able to break through the computer security defences of the Piql partner and performs logical sabotage on the client information – important diplomatic correspondence. As a state actor, state X has formidable resources and skills when it comes to accessing other computer systems without authorisation. Due to the relatively strong security mechanisms put in place by Piql AS, only skilful hackers with a big support system are able to perform the kind of sabotage we are outlining here: logically tampering with the printing process so that the finished piqlFilm is missing vital information that the data owner sent in. This is only possible if state X is able to plant malware on the Piql (reception) computer which uses the physical link between that computer and the Piql I/O (production) computer to connect the two. Only then can the malware alter the checksum on both computers’ CPUs, which is necessary if state X wants to alter the client data undetected. Otherwise, the CPU on the Piql I/O computer would have picked up on the alterations to the checksum from the Piql computer’s CPU during verification. This is why this type of sabotage is so demanding: one needs to alter the checksum on both CPUs or the alterations would not be successful. Unless the data owner has backup copies of what they sent to the Piql partner, these pieces of information are lost.

Cause

Type of risk (Hazard/Threat)

Threat: Logical sabotage of the information while stored electronically in the Piql IT system.

Intentional (Yes/No/Both)

Yes.

Profile of actor (if intentional)

State X wants to alter the details of diplomatic agreements to its advantage. It is one of the few countries in the world that is both capable of and willing to violate the privacy of other states for its own betterment.

Though nothing can be definitively proven, state X has been involved in these kinds of operations before.

Description of cause

By removing some of the proof of agreements between itself and another country’s Foreign Ministry, state X stands a better chance of altering the agreements to its benefit.

Competence and resources (if intentional)

State X has formidable resources and skills with regard to accessing other computer systems without authorisation. It employs many skilful hackers, whom it provides with a big support system.

User/value

User class

Public sensitive.

User type

The Foreign Ministry.

Value

Sensitive diplomatic correspondence. Contains the details on how important bilateral decisions and agreements were made, which were not always above board. If it falls into the wrong hands, it could greatly damage the reputation of the Foreign Ministry and could potentially alter their future relationships with other nations who might now view them differently.

Location

Location description

Geographical zone: South (Southern Africa). The region has varied terrain, ranging from forest and grasslands to desert. The developmental level is medium and the political climate is fairly stable.

The piqlVault is situated in an urban area, near the city centre.

The scenario takes place in the present. The time period is 0-30/50 years, as the value is time-sensitive, i.e. the diplomatic repercussions of such intelligence getting out are lessened with time. The scenario is also a risk for the future, or as long as diplomatic services have communications with other nations that they would like to hide.

Environment description

The climate zone is warm temperate. It is winter, in early June. The local weather conditions are mild and hot and dry: 15° Celsius with a relative humidity of 57 %.

The incident occurs at the start of the working day.

Production site description

The scenario takes place during the production of the piqlFilm. The setting is therefore the production site, which is situated in a standard office building. The Piql computer, the piqlWriter and the piqlReader are all located in the same large production room, whereas the processing room and its equipment are located elsewhere.

The production site is regulated through ventilation to uphold the ISO standards governing levels of humidity and temperature.

Local safety measures

We assume that all safety measures required by Piql AS to be in place in the storage facility also apply in the production site. See section 5.5.1 for details.

Local security measures

All security measures required by Piql AS are in place.

Consequences

Outer building

The physical infrastructure of the building and the storage room is not affected during the incident.

Production site

The structural integrity of the production site is not affected by the incident. However, the Piql IT system, as part of the Piql Preservation Services, is breached. State X hackers are able, with the full weight and resources of state X behind them, to breach the security software of the Front-End code and gain access into the Piql computer system. Once there, the hackers place malware which utilises the interconnection between the Piql computer and the Piql I/O computer to completely connect the two. As the hackers now have free access to both computers’ CPUs, they can alter the client data undetected because they also change the corresponding checksum on both CPUs. Even though the Piql I/O computer does what it is supposed to and checks the integrity of the data against the designated checksum, it can find no faults and confirms the data ready for writing on the piqlFilm.

Box

The piqlBox is not affected during the incident.

Film

The client information which is being prepared for writing onto the piqlFilm is accessed without authorised permission to the detriment of the data owner. It is altered to exclude certain important pieces of information. The complete information is thus prevented from being printed.

Power/energy supply

The power supply is not affected during the incident.

Divergence from ISO standard

The storage conditions of the Piql Preservation Services are not affected during the incident.

Security mechanisms

Integrity

The integrity of the piqlFilm that is being printed was never intact to begin with, as the complete file of original information was never printed onto the film in its entirety. The integrity of the logical information stored in the Piql IT system was compromised when the alterations due to sabotage took place.

Availability

The availability of the information is forever lost, unless the data owner has backup copies.

Confidentiality

The confidentiality of the information was also breached the moment state X broke through the security software of the Front-End code and was able to access the client information to see which parts it wanted to alter.

Immunity (against attacks on the above mentioned)

The Piql Preservation Services is not immune to attacks against confidentiality, integrity and availability.

Recommendations

Recommended protective measures

The IT security measures already in place are sound. Only a highly resourceful threat actor would be able to perform the sabotage outlined here. An option is to create a true air gap between the two computers’ CPUs. Although this will not stop the threat actor from gaining access into the Piql IT system, it will make it impossible to alter the received client data undetected. However, such a measure is an unlikely feature in a production process, as it would make the production too inefficient.
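The verification logic behind the scenario outline and this recommendation, as an added example (not Piql's code): it assumes SHA-256 as the checksum and a per-file manifest, and the file names and function names are hypothetical. A reference that sits on the two linked computers is rewritten together with the data and verifies cleanly, whereas a reference recorded at reception and kept out of reach of both reports what is missing or altered.

```python
import hashlib

def build_manifest(files):
    """Map each file name to the SHA-256 digest of its content."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}

def verify(files_to_write, reference):
    """Compare what is queued for writing against a reference manifest."""
    current = build_manifest(files_to_write)
    missing = sorted(set(reference) - set(current))
    unexpected = sorted(set(current) - set(reference))
    altered = sorted(n for n in set(current) & set(reference)
                     if current[n] != reference[n])
    return {"ok": not (missing or unexpected or altered),
            "missing": missing, "unexpected": unexpected, "altered": altered}

# Constructed sample submission (not real client data).
RECEIVED = {
    "note_001.txt": b"Meeting minutes, first round.",
    "note_002.txt": b"Annex with agreed terms.",
    "note_003.txt": b"Final signed text, version 3.",
}

# Constructed state of the production queue after the sabotage in the
# scenario: one item dropped, one item changed.
QUEUED = {
    "note_001.txt": RECEIVED["note_001.txt"],
    "note_003.txt": b"Final signed text, version 2.",
}

def linked_reference_check():
    """Reference lives on the linked machines, so it matches the altered data."""
    reference = build_manifest(QUEUED)
    return verify(QUEUED, reference)

def isolated_reference_check():
    """Reference was recorded at reception and held out of reach of both machines."""
    reference = build_manifest(RECEIVED)
    return verify(QUEUED, reference)

if __name__ == "__main__":
    print("linked reference:  ", linked_reference_check())
    print("isolated reference:", isolated_reference_check())
```
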

References Relevant literature
