A brief discussion of this report from Sky News on some Iranian cyber research reports. https://news.sky.com/story/irans-secret-cyber-files-on-how-cargo-ships-and-petrol-stations-could-be-attacked-12364871
This reports are clearly first stage fact-finding and brainstorming, the very earliest stage of capability development. They reveal only initial cursory preliminary analysis of potential vulnerabilities to exploit for cyber effects operations. Comprehensive actual hands-on testing of the target devices is necessary for real vulnerability research reports.
There are a number of things that stand out in this report that make me think this is not a particularly impressive cyber team. The main issue is that the research appears to be open source document analysis, without either domain expert interviews or hardware analysis.
The conclusions that are drawn depart from reality, speculating on what could be possible. For example they think they could sink a ship by manipulating it’s water ballast. However they do not actually test or discuss with experts whether a ship could be sunk via this route.
The line “damage to this system could cause the ship to sink” sounds like a warning from a manual that wants to emphasise the importance of a system. It does not sound like blueprint for cyber effects operations against naval targets.
When the journalist follows up a report suggesting that the gas station can be made to explode by manipulating the gasoline system the company states that redundant failsafes in place would prevent an explosion. This assertion is exactly what would need to be researched. What are these failsafes? How common are they? Can they be bypassed? Can they be defeated? What needs to happen to cause an explosion? Is there a path to that system state that can be achieved via cyber means?
These are systems that are undoubtably vulnerable to cyber attacks. However it does not follow that effect based operations are possible. This research Hass to be done with real systems. A literature review is the starting point for an actual contest and analysis of these systems.
If these reports are final they reveal a poor understanding of how to develop a cyber effects capability. If they are preliminary reports proposals for further research then their imagination is small and their vision is lacking.
Leave a Reply