More than any other event in recent history, September 11, 2001 changed the security landscape across the globe. The terrorist attack on the twin towers highlighted the vulnerability of both America and the rest of the world to a new type of threat. But it also raised a wider question: how can governments, countries and populations protect themselves against future catastrophic attacks? writes Andy Gent, of security, intelligence and fraud detection product company Revector.
New technologies bring opportunities and risks in the modern world. There is no doubt the evolving digital landscape and access to unlimited information at the click of a mouse has opened new opportunities for humanity. But equally, it is arming criminals and terrorists with the resources to cause serious harm. Technological advances in encryption and messaging have made it easier for criminals to communicate secretly and radicalise young, vulnerable people who are disenchanted with the world.
But it is not just terrorists that are potential perpetrators of crimes. From rogue groups to organised gangs, environmental groups to even hostile foreign governments, security professionals must consider all the risks posed. Perhaps as important as the how and the who is the where. The twin towers were the iconic symbol of New York and the USA and symbolised all that the terrorists hated. However, the reality is that there are thousands of high value sites that the world relies on for critical services such as clean water, reliable power and even connectivity. These critical national infrastructure sites may not have the visual impact of the World Trade Centre, but in many ways, attacks on these kinds of assets can do as much damage to a country.
Inevitably these national infrastructure sites are relying more and more on technology to function and make processes more efficient. This naturally makes these networks vulnerable to cyber-attacks. Recently the European Union has identified this risk as serious enough to issue the Network and Information Security (NIS) Directive – an attempt to create a pan-European culture of security across sectors that provide critical services to the economy and society. Operators of these essential services are now required by law to take appropriate security measures and notify national governments of any serious incidents that occur.
In May 2018, the UK Government set into law the Network and Information Systems Regulations 2018 (NIS Regulations). This relates to any ‘incident’ that has an impact on a service, where that impact produces a significant disruptive effect. While the legislation was initiated to reflect an increased cybersecurity threat, it is not in itself a cybersecurity law. It also includes impacts that have ‘non-cyber’ causes, for example interruptions to power supplies, natural disasters such as flooding, or a terrorist threat against (for example) a nuclear power plant or water treatment facility.
The miniaturisation of technology combined with the commercialisation of advanced computing tools has enabled those responsible for critical infrastructure security to consider deploying tools that would have been deemed impossible even a decade ago. Technological innovations which were once reserved for intelligence professionals have now become commercially available. As terrorism increased and became more sophisticated, governments became increasingly aware of the opportunities new surveillance and detection technology presents for locating individuals of interest in real time, providing enhanced safety and security to the public. In 2003, for example, IMSI-catchers started to become commercially available and legislation has been put in place to support their use in specific security scenarios, such as prisons.
An International Mobile Subscriber Identity (IMSI) is a 15-digit, unique number assigned to the SIM card that identifies the mobile user within the network. Each IMSI is unique to a subscriber and is a way of identifying who is calling whom. An IMSI-catcher acts in the same way as a cellular base station and logs the IMSI numbers of mobile handsets that connect to it. IMSI-catchers can then be deployed to identify if a certain IMSI is in a certain place.
Take the example of a suspected terrorist planning an operation. Security services could use IMSI-catchers to monitor the movements of this individual or even to monitor communications from the individual’s mobile device to others. Permission to use IMSI-catchers as covert devices in this way is strictly limited to specific circumstances, and usually requires the approval of senior government officials. IMSI-catchers have also been deployed to monitor for illicit mobile phones in prisons across the world.
In the past, IMSI-catchers were both extremely expensive and cumbersome, meaning they could only be used in a fixed place and in circumstances where the cost was justified (protection of the public). But recently, as the technology has become smaller and cheaper, the applications for the technology have become wider, and this is where those charged with securing national infrastructure may start looking to adopt the technology over time.
One obvious application of IMSI-catchers is to use them as ‘virtual fences’ around critical infrastructure. Physical fences are often erected close to the perimeter of the critical infrastructure. But it could be argued that, by the time an intruder has reached a close perimeter fence of a high value target, they may well have enough explosive material to do a great deal of damage. Indeed, a terrorist attempted to attack a water intake facility in Ukraine with explosive devices, which would have led to a prolonged interruption of the water supply to the region. If an individual with harmful intentions can get close enough to the target with enough explosives, they can cause maximum damage without needing to breach the physical perimeter.
The cost of building a perimeter fence far enough away to protect against explosion is likely to be prohibitive, so an operator of a high value target facility may instead decide to deploy IMSI-catchers 10 or even 50 kilometres from the site, creating an effective ‘virtual fence’ that identifies any IMSI that comes within this distance of the facility. This enables site security to intercept people before they get anywhere near the assets themselves or do harm.
Security professionals face a challenging new landscape when it comes to protecting critical infrastructure sites, as attacks get more sophisticated and the range of potential perpetrators expands. But these high value sites are essential to the wellbeing of a nation, providing the core services that a population relies on, and all avenues for protection must be explored.
IMSI-catcher technology has moved beyond being solely the domain of the police, intelligence professionals and similar services to become a widely available platform that can be deployed across several different scenarios and applications. As IMSI-catching technology evolves further, it will become an indispensable tool for those responsible for protecting sites which are critical to societies.