Critical National Infrastructure (CNI) sites such as water supply facilities, nuclear power stations and oil refineries are the life support systems necessary for a country to function. People rely on them for clean water, reliable power and fuel. For this reason alone, they could serve as targets for terrorists seeking to disrupt vital services for thousands – if not millions – of individuals. With this in mind, Andy Gent reviews the latest thinking around CNI security
LOOKING BACK, 9/11 was one of the most defining moments in our history. It changed people’s view of the world and brought evolving threats to society into sharp focus, fundamentally altering the security landscape forever. The World Trade Centre and Pentagon-centric episodes were symbolic of a direct attack on US economic and military power, duly prompting Governments worldwide to concentrate their attentions on ramping up protection regimes at all critical sites which could be vulnerable to terrorism.
Across the last decade, there has been an increasing interest among Jihadi terror groups on attacking water supplies. This has been documented in computer records retrieved by western world intelligence agencies and law enforcement. Some examples include the attempted contamination of drinking water in Rome, an attempted water poisoning in Spain linked to al-Qaeda and cyber hackers targeting US water systems.
Some low profile – but nonetheless high value – CNI sites may not have the visual impact of the World Trade Centre but, in many ways, attacks on them can create just as much damage to a nation. That being so, how can Governments, countries and their populations successfully protect vital life support systems against an ever-evolving terror threat?
Dangers of digital
Now more than ever, the world is becoming accustomed to a life dependent on technology. Industries are making more and more of their operations digital and national infrastructure sites are no exception to that trend. Not only are these facilities more heavily reliant on technology to function and make processes more efficient on site, but as larger numbers of people are now necessarily working from home, some of the processes adopted at critical sites can be controlled remotely using the latest technology.
However, that scenario can render digital networks vulnerable to cyber attack. Ciaran Martin (former head of the National Cyber Security Centre) is on record as stating that it’s only a matter of time before a Category One cyber attack is launched against the UK’s national infrastructure. This is defined as: “A cyber attack which causes sustained disruption of essential services or affects national security, leading to severe economic or social consequences, or even the loss of life.”
Recently, the European Union has identified this risk as being serious enough for it to issue the Network and Information Security Directive (itself an attempt to create a pan-European culture of security across those sectors providing critical services to the economy and society). Operators of these essential services are now required by law to take appropriate security measures and notify national Governments of any serious incidents that occur.
In May 2018, the UK Government enshrined in law the Network and Information Systems Regulations relating to any incident that has an impact on a service, wherein that impact produces a significant disruptive effect. While this legislation was initiated to reflect an increased threat posed to cyber security, it’s not in itself a cyber security law. It also includes impacts that have non-cyber causes, including interruptions to power supplies, natural disasters (such as flooding) or a terrorist threat posed in relation to a nuclear power plant or water treatment facility.
Exploring all avenues
As the security landscape has evolved, so the need to explore all avenues for security tools and assets – both digital and physical – has never been more crucial when it comes to protecting the national infrastructure. The miniaturisation of technology combined with the commoditisation of advanced technology has enabled those responsible for critical infrastructure security to consider the deployment of tools that would never have been deemed possible even a decade ago.
Technological innovations once the preserve of intelligence professionals have now been made commercially available. As terrorism has increased in prevalence and become more sophisticated in nature, Governments have become acutely aware of the opportunities new surveillance and detection technologies present for locating individuals of interest in real-time, thereby providing enhanced safety and security on behalf of members of the public.
Mobile communications networks have developed to be the very backbone underpinning business and consumer discourse. Every new generation of technology adds capacity and efficiencies that will enable billions of devices – whether traditional smart phones or monitoring devices within machines as part of the Internet of Things – to remain constantly connected.
The growth of mobile communications has witnessed a shift from traditional infrastructure to more modern and flexible networks. Historically, mobile phone masts were large and spaced at a significant distance from each other. Mobile handsets connected to at least three masts at any one time to ensure there was an orderly handover of communications when people moved around, providing the user with continuity of connectivity. A by-product of the technology was the capability to triangulate individuals and find out approximately where they were when they made a specific phone call.
As mobile communications became far more mainstream, and particularly as demand grew for reliable data services, so the need for more and more network infrastructure increased. Rather than huge and widely dispersed cell sites, technology evolved to provide millions of smaller cell sites that provided infill capacity, and particularly so in populous or urban areas. While the network operated in much the same way as before, the average person on a modern cellular network would be connected to cell sites much closer to each other than was the case two decades ago. As a result, triangulation of position through these sites became more accurate.
The mobile networks have never really exploited this location information, though, and its use has been largely confined to rare legal cases in which the whereabouts of certain individuals was critical to their innocence or guilt.
In 2003, however, IMSI-catchers started to become commercially available and legislation has been put in place to support their use in specific security scenarios such as prisons.
An International Mobile Subscriber Identity (IMSI) is a unique 15-digit number assigned to the SIM card that identifies the mobile user within the network. Each IMSI is unique to a subscriber and is a way of identifying who’s calling whom. An IMSI-catcher acts in the same way as a cellular base station and logs the IMSI numbers of mobile handsets that connect to it. IMSI-catchers can then be deployed to identify if a specific IMSI is in a certain place.
Take the example of a suspected terrorist planning an operation. Security professionals could use IMSI-catchers to monitor the movements of this individual or even communications from the individual’s mobile device to others. Permission to use IMSI-catchers as covert devices in this way is strictly limited to specific circumstances and usually requires the approval of senior Government officials. IMSI-catchers have also been deployed to monitor for the illegal use of mobile phones in prisons.
In the past, IMSI-catchers were both extremely expensive and cumbersome, meaning that they could only be used in a fixed place and in circumstances where the cost was justified (ie protection of the public). More recently, and as the technology has become smaller and cheaper, applications for it have become wider to the point at which those charged with securing national infrastructure may start looking to adopt this technology over time.
One obvious application of IMSI-catchers is to use them as ‘virtual fences’ around critical infrastructure sites. Physical fences are often erected close to the perimeter of such locations, but it could be argued that, by the time an intruder has reached the perimeter fence of a high value target, they may well have enough explosive material to do a great deal of damage.
Indeed, a terrorist attempted to attack a water intake facility in the Ukraine with explosive devices, which would have led to a prolonged interrupted water supply to the region. If an individual with harmful intentions can be close enough to the target with enough explosives, they could exert maximum damage without needing to breach the physical perimeter at all.
The cost of building a perimeter fence far enough away to protect against explosion is likely to be prohibitive, so the operator of a high value target facility may instead decide to deploy IMSI-catchers either 10 km or even 50 km distant from the site, thereby creating an effective ‘virtual fence’ that identifies any IMSI within this distance of the facility. That would enable site security to intercept would-be terrorists/criminals before they can exact any harm.
Pinpointing the target
Modern mobile infrastructure has advanced to the point at which it now has the capability to accurately target a specific area. As a result, IMSI-catchers can be fine-tuned to provide geographical coverage of a specific location. This could be particularly relevant to, for example, specific customs areas or locations (such as vaults, warehouses for electronic devices or safes) housing high value assets. By fine-tuning a series of IMSI-catchers to monitor the space around them, security professionals can identify intruders before they attempt to gain entry either through force or forgery.
A multi-layered approach is needed to protect critical infrastructure sites. The use of IMSI-catchers is likely to become a further evolution of security for high value targets, enhancing the deployment of CCTV and other methods of security monitoring. IMSI-catchers can act as a passive form of security monitoring that provides a far more granular and effective means for reducing crime, either on a larger scale or for minor incidents like employee theft.
One of the most compelling reasons for deploying IMSI-catchers is that almost everyone carries a personal mobile device with them wherever they go and, when an IMSI-catcher identifies a moving IMSI, it identifies a moving person. Therefore, the concept of white-listing IMSI numbers becomes so important.
Staff, for example, at a high value venue could all have their IMSI numbers white-listed to ensure they don’t trigger any alarms when going about their normal business and legitimately accessing a given premises. When a non-identified IMSI is discovered, it’s quick and simple to understand where the individual’s located and then track and confront them. There have been examples of high-profile individuals deploying IMSI-catchers to keep the paparazzi at a distance and close protection specialists using the technology to protect those under their care.
The aforementioned miniaturisation of IMSI-catcher technology has evolved so quickly that some companies are even looking to deploy them on drones, providing an entirely new range of applications including monitoring risk from the air over private estates, high value critical infrastructure sites or even across borders, thereby identifying people both quickly and effectively.
Undoubtedly, security practitioners face some challenging hurdles when it comes to protecting critical infrastructure sites. These high value sites are essential to the well-being of the nation, providing the core services upon which the population relies. As such, all potential avenues for protection – IMSI-catchers among them – must be explored in detail.
IMSI-catcher technology has broken free of being solely the domain of the police, intelligence professionals and similar services to become a widely available platform for deployment across several different scenarios and applications. As the technology evolves still further, it will become an indispensable tool for those responsible for protecting CNI sites.
Andy Gent is CEO of Revector (www.revector.com)
64 High Street