Any modern country has a wide variety of assets to protect. Some of those assets are more necessary than others for the country’s security, welfare, and economy in general. Such critical assets include power grids, water supplies, public-transit systems, and telecommunications, to name a few. Critical infrastructure has to be protected from a wide variety of threats, both domestic and foreign. Given the nature of critical infrastructure, much of it is interconnected and interoperates through the use of technology—thus increasing the overall risk of possible threats.
As such, every country follows a variety of procedures and operations to minimize the risk of interrupting any critical infrastructure operations. It has to be mentioned here, though, that no one can completely erase the risk because, at any given time, there may be vulnerabilities in those infrastructures that we are not aware of.
As mentioned above, critical infrastructure holds huge significance for a country, and as such, these elements are considered HVTs (high-value targets) to enemies. The most convenient way to attack critical infrastructure is by using the Internet. Because of the nature of the target, attacks have to be carefully planned and specially “crafted” so that they can be carried out successfully. Such attacks are called advanced persistent threats (APTs). One of the most well-known APT attacks was delivered using Stuxnet, although that is not the only one.
Over the past few years, we have witnessed a lot of APT attacks against U.S. corporations such as Google, and even against U.S. government agencies. According to a report, most of these attacks can be traced back to China. China is operating a group called PLA Unit 61398, stationed in Shanghai and directly associated with the CPC, and it it tasked with cyber-espionage operations. In September 2014, the FBI issued a warning regarding a more advanced cyber-espionage group dubbed Axiom. In May 2014, the U.S. DoJ issued an indictment for five PLA Unit 61398 officials.
Although at the time Unit 61398 and Axiom conducted their operations mostly for economic espionage, that doesn’t mean this will always be the case. Those units have an established record of excellence when it comes to APTs and infiltrating critical infrastructure. For example, there are allegations that the Chinese J-31 4th Gen fighter jet is a direct copy of the U.S. F-35 (below). At the same time, their ability to infiltrate networks allows them to access to trade secrets, classified intel reports, ongoing operations, etc.
Infiltrating a network allows an attacker to halt operations or wreck motors. For example, during the Stuxnet operations, the Iranian nuclear-enrichment facility lost almost 1000 centrifuges. Of course, if that can be done to them, that means that such techniques are also possible for them to use on us. In other words, such an adversary is capable of shutting down power grids and water pipelines, or messing with key transportation systems by exploiting SCADA (supervisory control and data acquisition). Although a nation can recover from such attacks, attacking even one piece of infrastructure may cause secondary harm to other critical systems. Also, depending on the extent of the attack, chaos may spread among the country’s citizens.
On top of this, a lot of hardware is produced in China and used worldwide by people. A report in The Guardian stated that an e-cigarette made in China was capable of infecting computers through its USB. This attack vector, although there are no indications that it would be used at this time, may be used by such units to attack corporations and critical infrastructure in the future. Given their wide variety of possible attack vectors and their known competency in building APTs, it is safe to assume that the Chinese cyber-espionage units are able to conduct cyber warfare and cause damage to critical infrastructure.
From an infosec perspective, the weakest link of any infrastructure is its users. Given that, historically, most APTs have successfully infected their targets by exploiting users through targeted emails, user awareness has to be addressed. An OPSEC model has to be used so that the user is constantly aware of possible threats. At the same time, security policies must address the threat of complicit insiders that might stray from established security protocols.
Summing everything up, Chinese units are capable of conducting a variety of cyber-espionage and cyber-warfare operations. At the same time, critical infrastructure security officers need to begin educating users properly so that they are constantly aware of potential threats.
Thanks to Manolis Mavrofidis for his help writing this article.