CYBERWARFARE AND CRITICAL INFRASTRUCTURE
Center for European Policy Analysis
www.cepa.org

Assessing the New Threat Facing the Baltic States and the NATO Alliance

Sebastiano Dina, September 2019


All opinions are those of the author(s) and do not necessarily represent the position or views of the institutions they represent or the Center for European Policy Analysis.

About CEPA

The Center for European Policy Analysis (CEPA) is a 501(c)(3), non-profit, non-partisan, public policy research institute. Our mission is to promote an economically vibrant, strategically secure, and politically free Europe with close and enduring ties to the United States. Our analytical team consists of the world’s leading experts on Central-East Europe, Russia, and its neighbors. Through cutting- edge research, analysis, and programs we provide fresh insight on energy, security, and defense to government officials and agencies; we help transatlantic businesses navigate changing strategic landscapes; and we build networks of future Atlanticist leaders.

© 2019 by the Center for European Policy Analysis, Washington, DC. All rights reserved.

No part of this publication may be used or reproduced in any manner whatsoever without permission in writing from the Center for European Policy Analysis, except in the case of brief quotations embodied in news articles, critical articles, or reviews.

Center for European Policy Analysis 1275 Pennsylvania Ave NW, Suite 400 Washington, DC 20004 E-mail: [email protected] www.cepa.org

Cover image: “The port of Klaipėda handled more than 46 million tons of cargo in 2018” by Lettered under CC BY-SA 4.0.


Sebastiano Dina, 2019 Title VIII CEE Area Studies Fellow


The Issue

From the Editor: In Russian thinking it is often difficult to discern a formalized doctrine of cyber warfare, but the totality of writing on the subject suggests that for Moscow, cyber is not an independent domain of operations but a subordinate part of the wider concept of information warfare. The term “cyber” as used in the West to denote computer network operations is alien to Russian thinking. For the Kremlin the key objective is information, and cyber is merely a tool to achieve that objective. In this brief, Title VIII Fellow Sebastiano Dina explores the threat of Russian CI cyberwarfare, as well as its implications for Baltic energy security and NATO’s deterrence posture.

Russia is engaging in unrelenting cyberwarfare against the critical infrastructure of the United States and its allies. As the United States moves to secure its domestic infrastructure, it must also coordinate efforts with NATO to protect vital Allied infrastructure and curtail Russian cyber-enabled influence operations. Due to their strategic position on NATO’s frontline, cooperation must begin with the three Baltic states: Estonia, Latvia, and Lithuania.

INTRODUCTION

Modern states depend on reliable infrastructure to function. From roads and power stations, to oil pipelines and railways, infrastructure is inextricably tied to the economic prosperity and national security of states. Among these infrastructure assets, some are considered so vital to national interests that their destruction or incapacitation would have severe, debilitating effects on state function. These vital assets are commonly referred to as Critical Infrastructure (CI) and include the chemical, communications, energy, financial, transportation, nuclear, and wastewater sectors, among others.1 Since at least 2013, Russia has launched a ceaseless cyberwarfare campaign to gain entry, survey, and take control of the CI of the United States and its allies.2 To the Russian regime, the mere appearance of launching a cyberattack is a cost-effective, high-impact, and difficult-to-attribute tool to influence, intimidate, and blackmail its opponents. In the event of a military confrontation, Russia could use full-fledged cyberattacks to temporarily incapacitate the vital infrastructure of its adversaries.3 And left unchecked, Russia will continue to develop this capability, endangering the U.S. homeland, economy, international interests, and global military logistics network, as well as those of its allies.

With forces deployed abroad, and wide-ranging economic and strategic interests overseas, the United States relies on the CI of its allies.4 American logistics lines to Europe run through allied ports like Bremerhaven in Germany.5 U.S. military aircraft in Europe fly through airspace regulated by NATO Allies and Partners.6,7 And U.S. defense manufacturing, as in the case of the F-35, relies on parts and spares built in NATO member states.8,9 These dependencies, and others like them, highlight an inescapable fact: the CI of allies is inextricably tied to the security and prosperity of the United States.

Prime targets of Russian cyberwarfare—and U.S. allies whose critical infrastructure is of paramount importance to the United States—are the Baltic states. Due to their strategic position on or close to Russia’s border and their significant Russian-speaking minority populations, the Baltic states are a constant target of Russian influence operations and at perennial risk of Russian incursion.10,11 From the U.S. perspective, the Baltic states are valuable allies whose position on NATO’s frontline makes their CI essential for the sustainment and rapid deployment of Allied forces. Additionally, the Baltic states’ smaller economies and limited cyber recruitment pool may create gaps in their future capacity to counter Russian cyberattacks. By sharing cybersecurity expertise with the Baltic states, the United States can help close these gaps, thwart Russian cyber-enabled influence operations, and deter Russian incursions into Baltic territory.

This policy brief explores the threat of Russian CI cyberwarfare, its implications for Baltic energy security, and NATO’s deterrence posture. The first section traces Russia’s unique approach to cyberwarfare. The second offers a technical primer on Russian CI attack methods. The third analyses the threat of Russian cyberattacks to Baltic energy security. It concludes with policy and technical recommendations to counter this emergent threat.

RUSSIA’S APPROACH TO CYBERWARFARE

It is often difficult to discern a formalized doctrine in Russian military writing.12 But an inescapable concept nonetheless emerges from analysis of government, military, and academic sources: for Moscow, cyber is not an independent domain of operations but a subordinate part of the wider concept of information warfare (informatsionaya voyna).13,14 More fundamentally, the term “cyber” as used in the West to denote computer network operations (CNO) is not a “Russian concept,” and terms like “cyber warfare” are only ever used in Russian sources to describe “foreign concepts and activities.”15 To Russian experts, the difference between CNO (cyber) and any other tool to collect, spread, and amplify information—like bot networks or propaganda websites—is negligible and spurious.16 The key objective is information. Cyber is merely a tool to achieve that objective.

“NATO Secretary General visits Estonia” by NATO North Atlantic Treaty Organization under CC BY-NC-ND 2.0.

More broadly, information warfare is the use of “informational-technical” and “informational-psychological” means, such as electronic warfare, psychological operations, and disinformation to “dominate the information landscape” and “reduce the fighting potential of the enemy.”17,18 Russian information warfare manipulates, distorts, destroys, and fabricates information which it then proliferates into the press, academia, and social media to control international narratives, foment dissent, and incapacitate an adversary’s decision-making. Contrary to Western doctrine on information warfare, the Russian approach—which harkens back to Soviet methods—is for information warfare to be conducted at all times and against any target, regardless of the state of hostilities.19

Past Russian cyberattacks have been as much about achieving the aims of information warfare through influence and intimidation as they have been about physical destruction. A telling example was the 2015 cyberattack against Ukraine’s electrical grid.20 During this operation, Russian hackers infiltrated the control systems of three Ukrainian power companies and caused a six-hour blackout that affected an estimated 225,000 customers in the Ivano-Frankivsk, Chernivtsi, and Kyiv Oblasts.21

Three indicators point to the use of information warfare in that attack. The first is the limited physical impact. If Russia’s primary goal had been to cause kinetic destruction, the hackers could have gone much further and caused “permanent, physical damage to the grid.”22 Instead, they opted for a limited show of force which avoided long-term physical destruction.

Second, for maximum psychological effect, Russian cyberattacks are often carried out at symbolic times. For instance, cyberattacks against Ukraine—including the 2015 attack—often correspond with national holidays like Constitution Day, Independence Day, and Christmas.23 Finally, by tauntingly repeating the attack almost exactly a year later in 2016, Russia may have sought to reinforce a disinformation narrative about the incompetence of the Ukrainian government and Ukraine as a “failed state.”24,25

Cyberattacks like these, which have a relatively low impact, become weaponized in the broader context of Russian information warfare. Rather than individual events, they are compounded by a daily campaign of disinformation, leaks, false narratives, energy warfare, corruption, and influence operations all aimed to weaken an adversary’s “will to resist.”26 Cyberattacks are a tool in the information war, not just an end.

In the future, as Russian cyber-kinetic capabilities improve, their doctrine may evolve to place greater emphasis on the physical aspect of cyberwarfare. But until then, Western observers should not discount attacks that have only limited physical effect and must instead view them in the wider context of Russia’s information strategy.

THE ATTACK PATH OF RUSSIAN CI CYBERATTACKS

Below the doctrinal level, basic knowledge of the technical tools being developed by Russian hackers and how attacks are carried out are prerequisites to understanding their potential strategic impact for the Baltic states and NATO. Some of the key stages and methods in Russian CI cyberattacks are apparent in four recent public cases attributed to Russia: the 2015 and 2016 Industroyer attacks against Ukraine’s electrical utilities, the 2016 Dragonfly 2.0 campaign against the United States and Europe, and the 2018 Triton attack against a petrochemical plant in the Middle East.27,28,29,30 Analysis of these attacks—though necessarily neither exhaustive nor a predictor of future methods—nonetheless highlights some of Russia’s demonstrated capabilities, and offers an opportunity to explore basic policy and technical responses.

Reconnaissance

The common starting place for Russian cyberattacks is reconnaissance. In this phase, extensive open source research is carried out to identify targets and gather knowledge about potential vectors to infiltrate their computer networks. By parsing websites, executive interviews, public tenders, and other sources of personally identifiable information, hackers collate information about the target’s employees and organizational structure. This is later used to entice the end user by crafting highly-tailored emails that appear legitimate, but which in fact contain malicious code.31

“150611-D-FW736-013” by DoD News under Public Domain.

In complex cyberattacks like the ones against Ukraine, reconnaissance may take upwards of a year and often extends to a target’s clients and suppliers.32 For example, Russian hackers associated with Sandworm were already launching a phishing campaign six months in advance of the final attack in 2015.33 And in the Dragonfly campaign against the United States, reconnaissance identified third-party suppliers early as staging points in the final attack.34 Consequently, hindering Russian cyberwarfare requires that CI operators be judicious about the information they share online and watchful against adversarial reconnaissance efforts.

Weaponization

Next, Russian hackers weaponize the information from reconnaissance to create legitimate-looking files (often PDF or Word documents) modified with malicious code or exploits. These files are later sent via email to the target company’s employees where, once opened, the embedded exploits pave the way for hackers to take control of the system.

The targeted use of compromised emails is known as “spear phishing” and is a common infiltration tool among hackers.35 In 2015, spear phishing was used to enable the installation of malware onto the computers of three Ukrainian energy distribution companies;36 in 2016, it was used to infect Ukrenergo computers;37 and in Dragonfly 2.0, malicious Microsoft Office files were sent from compromised legitimate email accounts to targets across the United States’ energy and critical infrastructure sectors.38 Guarding against phony attachments and spear phishing is therefore critical to CI cybersecurity and must start at the individual level.

Delivery, Exploitation, and Installation

The weaponized file is then delivered in order to obtain user credentials and other exploitable information. Delivery can be achieved through spear phishing, as described in the weaponization phase, but there are other methods for achieving the same effect.

One such method is a “watering hole” attack. In these attacks, hackers compromise legitimate websites known to be frequented by the target to harvest their access credentials or lure them into downloading a malicious file. During Dragonfly, Russian hackers made extensive use of “watering holes” by, for example, compromising the websites of trade publications related to the CI industry.39

Another method is a supply chain attack, where hackers compromise a target’s software suppliers by using their update stream to upload malware to the target. In 2017, Russian hackers compromised the update servers of the Ukrainian accounting software M.E.Doc and used them to upload the NotPetya worm to an estimated 10% of all computers in Ukraine.40 Though NotPetya did not specifically target critical infrastructure, this attack path could be adapted to compromise power plants, gas companies, and other CI facilities through their software suppliers. To secure supply chains, more robust regulation is needed to make software providers liable for the security of their updates.

Development, Testing, and Delivery

In the development, testing and delivery phase, hackers develop additional malware, test its effectiveness in a simulated environment, and deliver it to the target system. Malware developed in this phase is different from the one used in previous phases. Its focus is no longer on gaining access or information, but on the physical sabotage of industrial machinery. To achieve this effect, the new malware must be able to interfere with industrial control systems (ICS) – the devices and instruments used to control an industrial process.

Since 2010, there has been an observable increase in the sophistication of Russian ICS malware. Russia’s first such malware, known as Havex, was a simple intelligence-gathering tool used to scan computer networks for connected systems and devices – but unlike other such scanners, it was tailored to detect ICS equipment and systems.41 In 2016, Russia made further progress with the development of Industroyer, which had a modular system that allowed it to interact with a wider variety of systems. Once installed, it could be used to erase data from ICS instruments and render them inoperable.42 The latest step in Russia’s malware development is known as Triton. Discovered in 2017 after an accident at a petrochemical plant in the Middle East, its advanced features allow hackers to interfere with ICS equipment by attacking its supervisory safety software.43

The increasing sophistication of Russian ICS malware is a clear indication of Moscow’s intent to target critical infrastructure. This will necessitate CI operators banning the use of all non-recognized software through blacklisting and, at the NATO level, sharing knowledge of new ICS vulnerabilities and malware as they emerge.

Execution

Russian hackers complete CI attacks by activating malware or exploiting existing functionality to disrupt industrial processes. Execution can take many forms, although past

cyberattacks have generally involved a high degree of coordination between concurrent Russian teams and operations.

In the 2015 Sandworm attack against Ukraine, for example, execution involved four highly coordinated steps: (1) Russian hackers interrupted the power supply in central Ukraine by remotely and near-simultaneously activating the breakers of at least 27 power substations; (2) to stop Ukrainian engineers from restoring power, they “blew the bridges” by uploading malicious firmware that broke the connection between power companies and their substations; (3) they launched a coordinated telephone denial-of-service attack that flooded the power companies’ phone lines; (4) they erased data and activity logs from the target systems to render computers inoperable and destroy evidence of the attack.44 Such high-level coordination, coupled with the lack of a profit motive, are strong indicators of a state-sponsored cyberattack which may often be beyond the ability of CI operators to defend against.

Further, this case shows that Russian cyberattacks are often accompanied by additional measures to frustrate CI recovery efforts, lengthen operational downtime, and remove evidence that could be used to attribute the attack. A Russian cyberattack is therefore not necessarily a standalone operation, but can involve multiple simultaneous efforts. Sabotage of an industrial process is not the sole objective, but could also involve incapacitating the enemy’s response and securing plausible deniability for the Kremlin. Building on this knowledge, NATO member states should mandate off-site backups of all CI access and activity log data and be wary when responding to a cyberattack that concurrent attacks could occur elsewhere.

IMPLICATIONS FOR BALTIC ENERGY SECURITY

So far, this brief has explored the doctrine and practice of Russian CI cyberwarfare by assessing past operations. In the process, it has highlighted three key takeaways: (1) Russia has a permissive cyber doctrine with a high tolerance for CI attacks, even during peacetime; (2) Russia is actively developing technical capabilities to sabotage CI; and (3) Russian cyberattacks, even against physical targets, can be part of a larger information

warfare strategy. Coupled with the growing volume and boldness of Russian cyberwarfare, this is a clear indication that Moscow intends to continue CI cyberattacks in the future. Moreover, they also signal a growing need to assess the exposure of vulnerable U.S. allies to cyberattacks, as well as the potential implications for NATO’s deterrence posture and U.S. foreign policy.

“Li Keqiang. China-CEEC 2017 Budapest, Hungary. Central Europe.” by Elekes Andor under CC BY-SA 4.0.

“Exercise Combined Endeavor 2014” by US European Command Public Affairs under CC BY-NC-ND 2.0.

In the following section, the brief will outline just such an assessment with a focus on the Baltic states and the implications for local energy security. The first section starts with Russia’s key interest in the Baltic states. It then explores how the history of energy in the region has perversely increased the Baltic states’ vulnerability to CI cyberwarfare and highlights key infrastructure assets that may be targeted in the future. The section concludes with an assessment of the potential impact on U.S. and Baltic state interests.

Among Russian interests in the Baltic states, perhaps none is more important than reestablishing “strategic depth.”45 For more than a decade, this has been a driver of Russian influence operations in the region, and could be furthered through future CI attacks. This apparent need for strategic depth comes from the belief that Russia is under “permanent ” by the West.46 In this world view, Moscow perceives that the United States has abused its post-Cold War unipolar hegemony by expanding NATO and using democracy promotion to undermine its authority.47 This sense of vulnerability is compounded by Russia’s geography, which lacks significant natural defenses.48 Therefore, to ensure its security under these conditions,

the Kremlin believes that it must re-establish strategic depth by expanding outwards and increasing the distance between its heartlands and the enemy – a distance which decreased significantly when Estonia, Latvia, and Lithuania joined NATO in 2004.49

Russia will be unlikely to coerce the Baltic states back into its sphere of influence through military force.50 Instead, Russia relies on a variety of tools including corruption and disinformation to undermine faith in NATO, erode Baltic national cohesion, and influence elections. But a particularly effective tool—which stands to gain from Russia’s increased cyber proficiency—is pipeline politics. Here, Russia has exploited its dominant position as the primary regional energy exporter by threatening dramatic energy price increases or stopping supply. Examples of energy blackmail span from the beginning of Baltic independence through today: in 1990, Russia interrupted oil supplies to the Baltic states in an effort to crush calls for independence;51 in 1992-1993, Russia again cut off oil exports to pressure the Baltic states into rescinding their demand for the withdrawal of Russian troops from the region;52 and on various occasions in 1998, 2003, and 2006, Russia curtailed energy supplies to influence negotiations for the sale of the Latvian port of Ventspils and the Mažeikiai oil refinery in Lithuania – the only such refinery in the region.53,54

Recognizing Russia’s chokehold on their energy supply, the Baltic states have started ambitious infrastructure projects in recent years to secure energy independence. Though largely successful, Baltic energy has been concentrated into a few infrastructure assets, increasing the potential damage of a cyberattack. Two assets are particularly concerning: the Lithuanian liquefied natural gas (LNG) terminal in Klaipėda, and the Inčukalns Gas Reservoir in Latvia.

Klaipėda is a floating LNG storage and regasification unit that allows Lithuania to import natural gas through maritime shipping. Since starting operations in 2014, it has successfully broken Gazprom’s monopoly in the Lithuanian gas market and allowed energy supply diversification.55 Between 2014 and 2016, greater diversity and market competition led to a 55% decrease in Lithuanian gas prices.56 In 2015, its first full year of operation, the terminal imported 90% of Lithuania’s natural gas demand and has the capacity to import Lithuania’s annual gas needs twice over.57,58 With this spare capacity, it can also partly fulfill

Latvian and Estonian natural gas demand, further weakening Russia’s regional energy monopoly.59 But its outsized role in Lithuanian and regional energy independence also means that the Klaipėda terminal could become a prime target for Russian cyberattacks.

Similarly, the Inčukalns Gas Reservoir in Latvia is the only significant gas storage facility in the Baltic states.60 It has a capacity of 2.3 billion cubic meters, with the potential for further expansion to 2.8 billion cubic meters.61 This capacity enables it to function as a safety reserve, increasing the reliability of regional gas stocks from 100% to 145.94%.62 It also operates in synergy with Klaipėda: when gas demand is low during the summer, the reservoir fills with excess gas from Klaipėda and is then released back into the system when demand increases; and in the event of a sudden shortfall in supply, it provides a cushion, buying time for the Baltic states to address the shortfall or find emergency suppliers.63 As the only significant Baltic reservoir, Inčukalns is critical to regional gas supply and, like Klaipėda, is therefore a potential cyberattack target.

A successful Russian cyberattack against either asset would significantly impact Baltic security, NATO’s Eastern Flank defense posture, and regional U.S. foreign policy interests. In the region, Russia could use cyber-enabled energy disruptions, coupled with more traditional subversion methods, as a tactic to intimidate and sow chaos.64 A well-timed cyberattack during an election period could be used to sway voters in a direction more favorable to Russian interests. And a concerted cyber campaign against CI could be used to slow construction of Baltic energy infrastructure, extending the lifespan of Russia’s remaining energy influence.

“FSRU Independence in the port of Klaipėda” by AB Klaipėdos Nafta under CC BY-SA 4.0.

At the NATO level, because cyberattacks are difficult to attribute and their destructiveness can be highly tailored, Russia could manipulate the intensity of the attack to inflict significant damage while remaining below NATO’s Article 5 threshold. Such cyberattacks could also damage NATO cohesion by straining the confidence of Allies that NATO is capable of defending them. Disruptions to the Baltic energy system could also hinder the reinforcement and sustainment of NATO Enhanced Forward Presence troops stationed in the region. And attacks against the military gas supply chain could impede the refueling of Allied air patrol missions.

Finally, for the United States, leaving Russian CI cyberattacks in the region unchallenged would weaken confidence in American security guarantees, endanger U.S. personnel stationed in the region, and allow Russia to field test and develop new CI attack methods which could more intensely threaten U.S. interests in the future. The United States should thus seek to support Baltic cybersecurity efforts through greater information-sharing and technical assistance.

POLICY RECOMMENDATIONS

Support Lithuanian Sensor Development

One area which could benefit from U.S. technical assistance in the Baltic region is the development of cybersecurity intrusion sensors, which scan for suspicious activity like unrecognized IP addresses, known malware code, and irregularities in packet exchange. As future cyberattacks could become increasingly automated, these sensors will play a critical role in independently detecting and blocking intrusions. In Lithuania, the National Cyber Security Center is developing new sensors for its domestic CI assets.65 Once completed, they will be deployed across Lithuania and protect important regional facilities like Klaipėda. To increase their effectiveness, NATO states should standardize the type of data collected and how it is recorded, and then share it. This will allow for comparison of intrusion trends, detection of patterns of network reconnaissance, simplification of the communication of technical data, and identification of the spread of new malware, exploits, and attack methods.66

Invite Baltic CI Operators to DHS Initiatives

The United States can also support Baltic CI operators by extending an invitation to existing Department of Homeland Security (DHS) CI initiatives. A first such initiative is the Cyber Information Sharing and Collaboration Program (CISCP). CISCP is a collaborative program that allows CI operators in the United States to share knowledge about vulnerabilities and grants them access to DHS threat analysis databases. Through CISCP, when CI engineers discover a new vulnerability, they can rapidly notify the rest of the industry and request DHS support. As members of CISCP, Baltic CI operators would be able to check their systems against the existing vulnerabilities database, respond more rapidly to new vulnerabilities, and contribute knowledge of any vulnerabilities they discover. A second initiative prime for United States-Baltic collaboration is the DHS’s Automated Indicator Sharing (AIS) system. AIS is a software that automatically checks incoming IP and email addresses against a CI community-generated blacklist. When AIS detects a blacklisted address, it

Cyberwarfare and Critical82 Infrastructure, 12 Center for European Policy Analysis

“150611-D-FW736-001” by DoD News under Public Domain. automatically blocks it and issues a report to contained and separate from the internet. the DHS. Participation in AIS would give Baltic But the digitalization of control systems that CI operators an added layer of protection has taken place over the past two decades against spear phishing and contribute their has resulted in a breach of this separation own knowledge of suspect addresses to the (known as the “air gap”). Today, engineers database. Should Baltic membership of these operate machinery remotely from their home initiatives prove successful, DHS could consider or office computers, field technicians receive granting limited access for vetted individuals live sensor data through apps on their to sensitive but unclassified platforms like personal phones, and CI software is updated the Homeland Security Information Network through the open internet.68 These devices (HSIN).67 and processes, which are connected to the web, are potential entry points for hackers. Rethink the Airgap Because cybersecurity engineers do not have the resources available to secure every new A common feature of all CI vulnerabilities is phone, computer, and piece of IoT equipment the insufficient separation of systems from that is added to company networks, there is the open web. Before the introduction of a growing need to rethink the importance internet of things (IoT) industrial management and implementation of the airgap. A potential technologies, CI systems were entirely self- solution, is to identify the vital controls needed

for the baseline operations of CI facilities, and then segment those controls into a network completely separated from the internet.69 Once segmented, they could no longer be accessed remotely, and would require engineers to be physically present at a facility to operate them. In turn, hackers would be hindered in accessing these most vital systems, effectively limiting their potential to cause damage. In addition to segmentation, CI operators should run security checks on their employees’ personal devices, increase awareness about the airgap, and hard-lock personal devices out of the segmented network.

Create Honeypots

A final technical measure for securing Baltic CI is “honeypots.” In cybersecurity, honeypots are computers, websites, servers, and emails disguised to appear as alluring targets to hackers. Honeypots are usually disguised as high-value targets like banks, utility companies, and government agencies that promise to hold lucrative financial information or sensitive government documents. In reality, honeypots hold only phony data and an array of intrusion sensors. In the past, they have been used to great effect to safely gather information about the wider threat landscape. Though widely used in many countries, it is possible that there are no government-run CI honeypots in either Lithuania or Latvia.70,71 To increase knowledge of the cyber threat to Baltic CI, the United States should offer its assistance and prior expertise in setting up honeypots to the Baltic governments. Once operational, data from the honeypots should be corroborated with sensor data from CI facilities to paint a detailed picture of the number and frequency of cyberattacks, the most common attack vectors, and the origin of attacks – insofar as this can be ascertained.

Increase Bilateral Training

As part of existing efforts to strengthen allied CI, the U.S. Department of Energy has run cybersecurity trainings and exchanges with the Baltic states.72,73 Lithuanian officials have testified to the usefulness of these trainings and suggested they could be extended.74 Future trainings and exchanges could begin in two areas: forensics and emergent technologies. With improved forensics, the Baltic states will be better able to protect their CI by detecting existing breaches and tracing the origin of attacks. Finally, by running new trainings on emergent technologies, the United States can contribute to future-proofing Baltic CI against the threats of tomorrow.
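The segmentation recommended under "Rethink the Airgap" can be checked mechanically: once the traffic flows permitted between network zones are written down, a search over them shows whether any zone a compromise could plausibly start from (the open internet, personal devices, the phone apps that pull live sensor data) still has a path into the vital-controls segment. The block below is an added example written for this page, not code from the brief or from any CI operator; the zone names, the "flat" and "segmented" policies and the function names are all constructed for illustration.

```python
"""Check that a zone segmentation policy keeps vital CI controls unreachable.

Added example for this page; zone names and flows are constructed and do not
describe any real operator's network.
"""
from collections import deque

# Zones a compromise could plausibly start from (constructed).
UNTRUSTED_ZONES = ("internet", "personal_devices", "field_apps")
VITAL = "vital_controls"

# Constructed "before" policy: one flat OT network reachable from IT and from
# the phone apps that read sensors. A flow (src, dst) means src may initiate
# connections into dst.
FLAT_POLICY = {
    ("internet", "corporate_it"),
    ("personal_devices", "corporate_it"),
    ("internet", "field_apps"),
    ("corporate_it", "control_network"),   # remote engineering access
    ("field_apps", "control_network"),     # apps read sensors directly
    ("control_network", VITAL),            # no separation inside OT
}

# Constructed "after" policy: vital controls accept connections only from an
# on-site console and push sensor data one way into a historian DMZ, which is
# what IT, field apps and the rest of the control network read instead.
SEGMENTED_POLICY = {
    ("internet", "corporate_it"),
    ("personal_devices", "corporate_it"),
    ("internet", "field_apps"),
    ("corporate_it", "historian_dmz"),
    ("field_apps", "historian_dmz"),
    ("control_network", "historian_dmz"),
    (VITAL, "historian_dmz"),
    ("onsite_console", VITAL),
}


def find_path(flows, start, target):
    """Breadth-first search over allowed flows; returns a zone path or None."""
    adjacency = {}
    for src, dst in flows:
        adjacency.setdefault(src, []).append(dst)
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in sorted(adjacency.get(path[-1], [])):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def exposures(flows, untrusted=UNTRUSTED_ZONES, target=VITAL):
    """Map each untrusted zone that can reach the target to the path it uses."""
    found = {}
    for zone in untrusted:
        path = find_path(flows, zone, target)
        if path is not None:
            found[zone] = path
    return found


def is_air_gapped(flows, untrusted=UNTRUSTED_ZONES, target=VITAL):
    """True when no untrusted zone has any allowed path into the vital segment."""
    return not exposures(flows, untrusted, target)


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(f"{name}: air-gapped = {is_air_gapped(policy)}")
        for zone, path in exposures(policy).items():
            print("  ", zone, "reaches vital controls via", " -> ".join(path))
```

The returned path is the useful output: for the flat policy it names the hop (remote engineering access into the control network) that the brief proposes to remove, and in the segmented policy the only inbound flow to the vital segment is the on-site console, which is exactly the "engineers physically present at a facility" condition. Personal devices are hard-locked out simply by having no flow chain that ends at the vital segment.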
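The sensor, AIS and honeypot recommendations above share one mechanism: events from facility sensors and from honeypots are checked against shared indicators (blocklisted source addresses and sender addresses, known malware hashes), matches are blocked and reported, and the alerts from both feeds are then corroborated into counts by vector and by observed origin. The block below is an added example that runs that pipeline end to end on constructed input; it is not the brief's code and not the DHS AIS software. The blocklist, the placeholder hash, the log format and every log line are constructed (addresses come from the RFC 5737 documentation ranges), and the "origin" bucket is only the /24 of the observed source address, which says nothing about who is behind it.

```python
"""Indicator matching and corroboration over constructed sensor/honeypot events.

Added example for this page, not the brief's code and not DHS AIS. Every
address, sender, hash and log line here is constructed; addresses come from
the RFC 5737 documentation ranges.
"""
import ipaddress
import re
from collections import Counter

# Constructed shared indicators (stand-ins for a community blocklist feed).
BLOCKLIST_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                      ipaddress.ip_network("198.51.100.0/24")]
BLOCKLIST_SENDERS = {"invoices@example-mail.invalid"}
KNOWN_MALWARE_SHA256 = {"a" * 64}          # placeholder hash, constructed

# Constructed event format: "<ts> source=<sensor|honeypot> vector=<v> src=<ip>
# [sender=<addr>] [sha256=<hex>]". Facility sensors and honeypots both feed it.
SAMPLE_LINES = [
    "2019-09-01T10:00:00Z source=honeypot vector=ssh_bruteforce src=203.0.113.7",
    "2019-09-01T10:05:00Z source=sensor vector=email src=192.0.2.10 "
    "sender=invoices@example-mail.invalid",
    "2019-09-01T10:07:00Z source=sensor vector=file_download src=192.0.2.11 "
    f"sha256={'a' * 64}",
    "2019-09-01T11:00:00Z source=honeypot vector=ssh_bruteforce src=203.0.113.9",
    "2019-09-01T11:30:00Z source=sensor vector=modbus_scan src=198.51.100.4",
    "2019-09-01T12:00:00Z source=sensor vector=email src=192.0.2.12 "
    "sender=hr@corp-internal.invalid",
    "not an event line",                   # malformed input must be skipped
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) source=(?P<source>\S+) vector=(?P<vector>\S+) src=(?P<src>\S+)"
    r"(?: sender=(?P<sender>\S+))?(?: sha256=(?P<sha>[0-9a-f]{64}))?$"
)


def parse_event(line):
    """Parse one event line; return None for malformed lines or bad addresses."""
    match = LOG_RE.match(line.strip())
    if not match:
        return None
    event = match.groupdict()
    try:
        event["src"] = ipaddress.ip_address(event["src"])
    except ValueError:
        return None
    return event


def origin_network(addr):
    """Coarse origin bucket: the /24 containing the observed source address.
    This is where packets arrived from, not attribution of who sent them."""
    return str(ipaddress.ip_network(f"{addr}/24", strict=False))


def indicator_hits(event):
    """AIS-style lookup: which shared indicators does this event match?"""
    hits = []
    if any(event["src"] in net for net in BLOCKLIST_NETWORKS):
        hits.append("blocklisted_ip")
    if event["sender"] and event["sender"].lower() in BLOCKLIST_SENDERS:
        hits.append("blocklisted_sender")
    if event["sha"] and event["sha"] in KNOWN_MALWARE_SHA256:
        hits.append("known_malware")
    return hits


def process(lines):
    """Return one alert per matching event, carrying the action the brief
    describes for AIS: block the address and report the match."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        hits = indicator_hits(event)
        if hits:
            alerts.append({"ts": event["ts"], "source": event["source"],
                           "vector": event["vector"], "src": str(event["src"]),
                           "origin": origin_network(event["src"]),
                           "hits": hits, "action": "block_and_report"})
    return alerts


def summarize(lines):
    """Corroborate honeypot and sensor alerts: counts by feed, vector and origin."""
    alerts = process(lines)
    parsed = sum(1 for line in lines if parse_event(line) is not None)
    return {"events": parsed, "alerts": len(alerts),
            "by_source": Counter(a["source"] for a in alerts),
            "by_vector": Counter(a["vector"] for a in alerts),
            "by_origin": Counter(a["origin"] for a in alerts)}


if __name__ == "__main__":
    for alert in process(SAMPLE_LINES):
        print(alert["ts"], alert["source"], alert["vector"], alert["src"], alert["hits"])
    print(summarize(SAMPLE_LINES))
```

Two design points matter for the brief's recommendations. Matching is done against address ranges and hashes, the cheap checks a sensor can run inline on every event, so the same code serves a facility sensor and a honeypot; what differs is only the `source` field, which is what lets the summary step corroborate the two feeds. And the origin bucket is deliberately coarse and labelled as observed, not attributed, which is the "insofar as this can be ascertained" caveat the brief attaches to attack origin.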

Endnotes

1 “Critical Infrastructure Sectors,” Department of Homeland Security, Accessed July 31, 2019, https://www.dhs.gov/cisa/critical-infrastructure-sectors.

2 “Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors,” US-CERT, March 16, 2018, https://www.us-cert.gov/ncas/alerts/TA18-074A.

3 Daniel R. Coats, “Statement for the Record: Worldwide Threat Assessment of the US Intelligence Community,” Office of the Director of National Intelligence, January 29, 2019, https://www.dni.gov/files/ODNI/documents/2019-ATA-SFR---SSCI.pdf.

4 James Marson, “NATO Plans Facility in Poland to Store U.S. Military Equipment,” The Wall Street Journal, March 22, 2019, https://www.wsj.com/articles/nato-plans-facility-in-poland-to-store-u-s-military-equipment-11553271255.

5 Jen Judson, “Deterring Russia: US Army Hones Skills to Mass Equipment, Troops in Europe,” DefenseNews, March 17, 2017, https://www.defensenews.com/digital-show-dailies/global-force-symposium/2017/03/17/deterring-russia-us-army-hones-skills-to-mass-equipment-troops-in-europe/.

6 Edgar Reuber, “Ensuring Military Cross-Border Air Operations in Europe,” Joint Air Power Competence Centre, Accessed August 15, 2019, https://www.japcc.org/ensuring-military-cross-border-air-operations-in-europe/.

7 Edward Wigfield, et al., “Mission Effectiveness and European Airspace: U.S. Air Force CNS/ATM Planning for Future Years,” The MITRE Corporation, Accessed August 20, 2019, http://dodccrp.org/events/11th_ICCRTS/html/papers/139.pdf.

8 Mark A. Lorell and James Pita, “A Review of Selected International Aircraft Spares Pooling Programs: Lessons Learned for F-35 Spares Pooling,” RAND Corporation, 2016, https://www.rand.org/content/dam/rand/pubs/research_reports/RR900/RR999/RAND_RR999.pdf.

9 Valerie Insinna, “Turkish Suppliers to be Eliminated from F-35 Program in 2020,” Defense News, June 7, 2019, https://www.defensenews.com/air/2019/06/07/turkish-suppliers-to-be-eliminated-from-f-35-program-in-2020/.

10 “International Security and Estonia 2019,” Valisluureamet Estonian Foreign Intelligence Service, Accessed August 20, 2019, https://www.valisluureamet.ee/pdf/raport-2019-ENG-web.pdf.

11 Andrew Radin, “ in the Baltics,” RAND Corporation, 2017, https://www.rand.org/pubs/research_reports/RR1577.html.

12 Gudrun Persson (ed.), “Russian Military Capability in a Ten-Year Perspective – 2016,” Swedish Defence Research Agency, December 2016, https://www.foi.se/rest-api/report/FOI-R--4326--SE.


13 Alina Polyakova, “ of the Weak: Russia and AI-driven ,” Brookings, November 15, 2018, https://www.brookings.edu/research/weapons-of-the-weak-russia-and-ai-driven-asymmetric-warfare/.

14 Keir Giles, “Handbook of Russian Information Warfare,” NATO Defense College, November 2016, http://www.ndc.nato.int/news/news.php?icode=995.

15 Ibid.

16 Ibid.

17 “Russia Military Power: Building a Military to Support Great Power Aspirations,” Defense Intelligence Research Agency, 2017, https://www.dia.mil/portals/27/documents/news/military%20power%20publications/russia%20military%20power%20report%202017.pdf.

18 Michael Connell and Sarah Vogler, “Russia’s Approach to Cyber Warfare,” Center for Naval Analysis, March 2017, https://www.cna.org/CNA_files/PDF/DOP-2016-U-014231-1Rev.pdf.

19 Stephen Blank, “Cyber War and Information War a la Russe,” George Perkovich and Ariel E. Levite, eds., Understanding Cyber Conflict: Fourteen Analogies, (Washington, DC: Georgetown UP, 2017).

20 “Cyber-Attack Against Ukrainian Critical Infrastructure,” Department of Homeland Security ICS-CERT, February 25, 2016, https://www.us-cert.gov/ics/alerts/IR-ALERT-H-16-056-01.

21 Robert M. Lee, et al., “Analysis of the Cyber Attack on the Ukrainian Power Grid: Defense Use Case,” SANS Industrial Control Systems, March 18, 2016, https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf.

22 Andy Greenberg, “How an Entire Nation Became Russia’s Test Lab for Cyberwar,” Wired, June 20, 2017, https://www.wired.com/story/russian-hackers-attack-ukraine/.

23 David Brennan, “Russia is Preparing a Huge Cyberattack, Ukraine warns,” Newsweek, June 27, 2018, https://www.newsweek.com/russia-preparing-huge-cyber-attack-ukraine-warns-997170.

24 Katri Pynnöniemi and András Rácz, eds., “Fog of Falsehood: Russian Strategy of Deception and the Conflict in Ukraine,” The Finnish Institute of International Affairs, October 5, 2016, https://www.fiia.fi/wp-content/uploads/2017/01/fiiareport45_fogoffalsehood.pdf.

25 Andy Greenberg, “‘Crash Override’: The Malware That Took Down a Power Grid,” Wired, June 12, 2017, https://www.wired.com/story/crash-override-malware/.

26 Connell and Vogler, “Russia’s Approach to Cyber Warfare.”

27 Jim Finkle, “U.S. Firm Blames Russian ‘Sandworm’ hackers for Ukraine outage,” Reuters, January 7, 2016, https://www.reuters.com/article/us-ukraine-cybersecurity-sandworm/u-s-firm-blames-russian-sandworm-hackers-for-ukraine-outage-idUSKBN0UM00N20160108.


28 Ellen Nakashima, “Russia has Developed a that can Disrupt Power Grids, According to New Research,” The Washington Post, June 12, 2017, https://www.washingtonpost.com/world/national-security/russia-has-developed-a-cyber--that-can-disrupt-power-grids-according-to-new-research/2017/06/11/b91b773e-4eed-11e7-91eb-9611861a988f_story.html.

29 “Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors,” Department of Homeland Security ICS-CERT, March 15, 2018, https://www.us-cert.gov/ncas/alerts/TA18-074A.

30 “TRITON Attribution: Russia Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers,” FireEye, October 23, 2018, https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html.

31 Michael J. Assante and Robert M. Lee, “The Industrial Control System Cyber Kill Chain,” SANS, October 2015, https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297.

32 Greenberg, “How an Entire Nation Became Russia’s Test Lab for Cyberwar.”

33 Lee, et al., “Analysis of the Cyber Attack on the Ukrainian Power Grid: Defense Use Case.”

34 “Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors.”

35 “Spear-Phishing Scammers Sharped Their Attacks with Clever New Tactics,” Symantec, 2015, https://www.symantec.com/content/en/us/enterprise/images/mktg/Symantec/Email/13927/WSTR_SYM_Spear_Phishing.pdf.

36 Lee, et al., “Analysis of the Cyber Attack on the Ukrainian Power Grid: Defense Use Case.”

37 Robert Lipovsky, “New Wave of Cyberattacks Against Ukraine Power Industry,” ESET, January 20, 2016, https://www.welivesecurity.com/2016/01/20/new-wave-attacks-ukrainian-power-industry/.

38 “Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors.”

39 Ibid.

40 Andy Greenberg, “The Untold Story of NotPetya, the Most Devastating Cyberattack in History,” Wired, August 22, 2018, https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/.

41 “Havex,” New Jersey Cybersecurity and Communications Integration Cell, August 10, 2017, https://www.cyber.nj.gov/threat-profiles/ics-malware-variants/havex.


42 “Crashoverride: Analysis of the Threat to Electric Grid Operations,” Dragos Inc, Accessed September 3, 2019, https://dragos.com/wp-content/uploads/CrashOverride-01.pdf.

43 Blake Johnson, et al., “Attackers Deploy New ICS Attack Framework ‘TRITON’ and Cause Operational Disruption to Critical Infrastructure,” FireEye, December 14, 2017, https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html.

44 Lee, et al., “Analysis of the Cyber Attack on the Ukrainian Power Grid: Defense Use Case.”

45 Julia Gurganus and Eugene Rumer, “Russia’s Global Ambitions in Perspective,” Carnegie Endowment for International Peace, February 20, 2019, https://carnegieendowment.org/2019/02/20/russia-s-global-ambitions-in-perspective-pub-78067.

46 Blank, “Cyber War and Information War a la Russe.”

47 Ibid.

48 Andrew Radin and Clint Reach, “Russian Views of the International Order,” RAND Corporation, 2017, https://www.rand.org/pubs/research_reports/RR1826.html.

49 Steven Lee Myers, “As NATO Finally Arrives on Its Border, Russia Grumbles,” The New York Times, April 3, 2004, https://www.nytimes.com/2004/04/03/world/as-nato-finally-arrives-on-its-border-russia-grumbles.html.

50 Mark Galeotti, “The Baltic States as Targets and Levers: The Role of the Region in Russian Strategy,” George C. Marshall European Center for Security Studies, April 2019, https://www.marshallcenter.org/mcpublicweb/mcdocs/security_insights_28_-_galeotti_-_rsi_-_march_2019_-_letter_size_-_aug_26.pdf.

51 Keith Smith, “Russian Energy Politics in Poland, Ukraine and Baltic States,” Center for Strategic and International Studies, December 1, 2004, https://csis-prod.s3.amazonaws.com/s3fspublic/legacy_files/files/attachments/041019_smith_presentation.pdf.

52 Ibid.

53 Gabriel Collins, “Russia’s Use of the ‘Energy Weapon’ in Europe,” Baker Institute for Public Policy, July 18, 2017, https://www.bakerinstitute.org/media/files/files/ac785a2b/BI-Brief-071817-CES_Russia1.pdf.

54 Christopher S. Chivvis, et al., “NATO’s Northeastern Flank,” RAND Corporation, 2017, https://www.rand.org/content/dam/rand/pubs/research_reports/RR1400/RR1467/RAND_RR1467.pdf.

55 A. Grigas, “US Natural Gas Arrives in Lithuania. What it Means for Russia and the Baltic Region,” Foreign Affairs, September 12, 2017, https://www.foreignaffairs.com/articles/baltics/2017-09-12/us-natural-gas-arrives-lithuania.


56 Arunas Molis, et al., “Mitigating Risks of Hybrid War: Search for an Effective Energy Strategy in the Baltic States,” Journal on Baltic Security 4(2), November 14, 2018.

57 Chivvis, et al., “NATO’s Northeastern Flank.”

58 Collins, “Russia’s Use of the ‘Energy Weapon’ in Europe.”

59 Agnia Grigas, “Energy Game Changer: Klaipėda LNG Terminal and the Baltic States,” The Lithuania Tribune, September 22, 2014, https://lithuaniatribune.com/energy-game-changer-klaipeda-lng-terminal-and-the-baltic-states/.

60 L. Zemite, et al., “Consistency Analysis and Data Consultation of Gas System of Gas-Electricity Network of Latvia,” Latvian Journal of Physics and Technical Sciences, March 24, 2018, https://content.sciendo.com/configurable/contentpage/journals$002flpts$002f55$002f1$002farticle-p22.xml.

61 Tiziana Melchiorre, “Recommendations on the Importance of Critical Energy Infrastructure (CEI) Stakeholder Engagement, Coordination and Understanding of Responsibilities in Order to Improve Security,” NATO Energy Security Centre of Excellence, 2018, https://www.enseccoe.org/data/public/uploads/2018/04/d1_2018.04.23-recommendations-on-the-importance-of-critical-energy.pdf.

62 Zemite, et al., “Consistency Analysis and Data Consultation of Gas System of Gas-Electricity Network of Latvia.”

63 Melchiorre, “Recommendations on the Importance of Critical Energy Infrastructure (CEI) Stakeholder Engagement, Coordination and Understanding of Responsibilities in Order to Improve Security.”

64 Donald N. Jensen and Peter B. Doran, “Chaos as a Strategy: Putin’s Promethean Gamble,” Center for European Policy Analysis, November 2018, https://docs.wixstatic.com/ugd/644196_46af11fbc287466f96a9ecdfbad0fa7c.pdf.

65 Jen Judson, “A Necessary Rise: Lithuania Bolsters its Cybersecurity, Catching the Attention of Other Nations,” FifthDomain, July 16, 2019, https://www.fifthdomain.com/smr/a-modern-nato/2019/07/15/a-necessary-rise-lithuania-bolsters-its-cybersecurity-catching-the-attention-of-other-nations/.

66 “Interview with Lithuanian government officials,” July 2019.

67 “Information Sharing and Awareness,” Department of Homeland Security, Accessed August 1, 2019, https://www.dhs.gov/cisa/information-sharing-and-awareness.

68 “Protecting critical internet infrastructure from IoT device risks,” GCN, December 10, 2018, https://gcn.com/articles/2018/12/10/iot-critical-infrastructure.aspx.


69 Kegan Kawano, “Designing Critical Infrastructure Cyber Security Segmentation Architecture by Balancing Security with Reliability and Availability,” In Javier Lopez and Bernhard M. Hämmerli, eds., Critical Information Infrastructures Security. CRITIS 2007.

70 “Interview with Lithuanian government officials,” July 2019.

71 “Interview with NATO officials,” June 2019.

72 “Interview with Lithuanian government officials,” July 2019.

73 “Deputy Secretary Brouillette Meets With Estonia, Latvia, and Lithuania Energy Officials,” Department of Energy, March 15, 2019, https://www.energy.gov/articles/deputy-secretary-brouillette-meets-estonia-latvia-and-lithuania-energy-officials.

74 “Interview with Lithuanian government officials,” July 2019.
