The objective of cyber warfare against CNI is to achieve strategic effects equivalent to or exceeding those of conventional military action, but often with less direct attribution and at a lower cost. The tactics employed are diverse and constantly evolving, targeting the very essence of how these infrastructures operate.
- Exploitation of Industrial Control Systems (ICS) and SCADA Systems: At the heart of much CNI, from power grids and water treatment plants to transportation networks and manufacturing facilities, lie Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems. These systems manage and control industrial processes. Cyber warfare tactics often focus on:
  - Direct Manipulation: Gaining unauthorized access to ICS/SCADA systems to send erroneous commands, alter operational parameters, or disable critical functions. This could involve manipulating flow rates in pipelines, changing pressure in gas lines, or adjusting chemical levels in water treatment, leading to catastrophic physical outcomes.
  - Firmware and Software Tampering: Injecting malicious code directly into the firmware of devices or the software applications controlling CNI. This can create backdoors, enable persistent access, or even brick devices, rendering them unusable.
  - Denial of Control: Overwhelming control systems with false data or commands, or launching Distributed Denial of Service (DDoS) attacks, so that legitimate operators cannot monitor or control the infrastructure. This can lead to operators making incorrect decisions based on faulty information, or being unable to respond to emergencies.
  - Reconnaissance and Espionage: Covertly accessing ICS/SCADA networks to map their architecture, identify vulnerabilities, and gather intelligence for future, more impactful attacks. This prolonged reconnaissance can allow adversaries to understand the subtle interdependencies within a system, enabling more targeted and devastating disruptions.
- Network and Data Attacks: Beyond direct control systems, the underlying IT networks and data infrastructure supporting CNI are also prime targets.
  - Distributed Denial of Service (DDoS) Attacks: Flooding CNI’s communication networks with overwhelming traffic, rendering them inaccessible to legitimate users and operators. For example, a DDoS attack on a railway’s signaling network could bring train operations to a standstill.
  - Ransomware and Extortion: Deploying ransomware to encrypt critical data and systems, demanding payment for decryption. While often financially motivated by cybercriminals, nation-states can use ransomware to cause prolonged disruption and economic damage, as seen with attacks on healthcare systems or transportation networks.
  - Data Exfiltration and Manipulation: Stealing sensitive operational data, blueprints, or intellectual property related to CNI, which can then be used to plan future attacks, gain economic advantage, or sow distrust. Furthermore, manipulating data—such as financial records in the banking sector or patient records in healthcare—can lead to widespread chaos and loss of public confidence.
  - Supply Chain Attacks: Targeting vendors, suppliers, or third-party service providers that have access to CNI systems. By compromising a trusted supplier, attackers can gain a foothold into numerous critical networks. The SolarWinds attack is a stark reminder of the devastating potential of such tactics.
- Human Element Exploitation: No matter how robust the technological defenses, the human element remains a significant vulnerability.
  - Phishing and Spear Phishing: Tricking employees of CNI organizations into revealing credentials or downloading malware through deceptive emails or messages. A successful phishing attack can grant attackers initial access to internal networks.
  - Social Engineering: Manipulating individuals into performing actions or divulging confidential information, often by impersonating trusted entities or exploiting human psychological biases.
  - Insider Threats: Cultivating or exploiting disgruntled or malicious insiders who have legitimate access to CNI systems, enabling them to cause damage from within.
- Disinformation and Psychological Warfare: While not directly disrupting systems, these tactics aim to undermine public trust and create chaos, indirectly impacting CNI’s functionality and recovery efforts.
  - Spreading False Information: Disseminating misinformation about the safety or functionality of CNI after an attack, or even fabricating reports of attacks, to incite panic and disrupt normal life.
  - Undermining Confidence: Through propaganda and targeted messaging, eroding public confidence in the government’s ability to protect its citizens and infrastructure, which can have long-term societal and economic consequences.
Appropriate Example: The 2015 and 2016 Cyberattacks on Ukraine’s Power Grid
The cyberattacks on Ukraine’s power grid in December 2015 and December 2016 serve as definitive, real-world examples of how cyber warfare tactics aim to disrupt critical national infrastructure. These incidents are widely attributed to Russian state-sponsored actors and demonstrate a multi-faceted approach to disruption.
The 2015 Attack (BlackEnergy and KillDisk):
- Initial Access (Phishing/Spear Phishing): The attackers gained initial access to the IT networks of several Ukrainian energy companies (Oblenergos) through highly sophisticated spear-phishing campaigns. Employees received malicious emails disguised as legitimate communications, containing attachments that, when opened, deployed the BlackEnergy malware.
- Reconnaissance and Lateral Movement: Once inside the IT networks, the attackers moved laterally, patiently mapping the network, gathering credentials, and identifying connections to the operational technology (OT) networks controlling the power distribution. This phase involved a deep understanding of the ICS/SCADA environment.
- ICS/SCADA Manipulation: On December 23, 2015, the attackers launched their coordinated strike. They used their access to the SCADA systems to remotely open circuit breakers in multiple substations, effectively disconnecting power to over 230,000 customers in the Ivano-Frankivsk region and other areas.
- Denial of Service (Telephony): To impede the energy companies’ ability to respond, the attackers simultaneously launched a denial-of-service attack on the call centers of the affected utilities, preventing customers from reporting outages and hindering coordination efforts.
- Wiping Data (KillDisk): To further delay recovery and destroy forensic evidence, the attackers deployed the KillDisk malware, which wiped data from the affected computers, including SCADA workstations, servers, and even some uninterruptible power supplies (UPS). This made it harder for the utilities to restore operations quickly.
- Result: A widespread power outage lasting several hours in the middle of winter, causing significant disruption and economic losses. The manual nature of the restoration process (sending crews to physically reset breakers) highlighted the vulnerability of these systems to remote manipulation.
The 2016 Attack (Industroyer/CrashOverride):
- Evolution of Tactics: The 2016 attack, which hit Ukraine’s capital Kyiv, demonstrated an evolution in the adversary’s capabilities. This attack utilized a highly sophisticated and purpose-built malware known as Industroyer or CrashOverride.
- Targeting of Specific Protocols: Unlike the 2015 attack, which relied more on generic IT attack tools, Industroyer was specifically designed to interact with and disrupt various industrial communication protocols (IEC 60870-5-101, IEC 60870-5-104, IEC 61850, and OLE for Process Control Data Access – OPC DA) commonly used in electrical substations. This meant the malware could directly communicate with and issue commands to the industrial equipment, such as circuit breakers and relays, without needing to interact with human-machine interfaces (HMIs) or SCADA software directly.
- Automated Disruption: Industroyer was designed for automated disruption, making the attack faster and less reliant on human intervention from the attacker’s side. It was capable of causing cascading failures across the grid.
- Secondary Effects and Sabotage: The malware also included modules for other disruptive actions, such as targeting protective relays to prevent them from functioning correctly during the attack (which could lead to physical damage) and a “wiper” component similar to KillDisk to impede recovery.
- Result: Another significant power outage, though generally shorter in duration due to lessons learned from the 2015 attack and faster manual recovery efforts. However, the sophistication of Industroyer signaled a new level of threat in cyber warfare against CNI, demonstrating the ability to weaponize industrial protocols for direct physical impact.
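The protocol point above (Industroyer speaking IEC 60870-5-104 directly to substation equipment) is easiest to appreciate from the defender's side. The following is an added example, not code from the original article or from any published Industroyer analysis: a small Python parser for IEC 104 APDUs that extracts the ASDU header and runs two detections a substation network monitor would want, namely control-direction commands arriving from hosts outside an operator allowlist, and bursts of control commands to one common address inside a short window. The frame layout follows the public standard; the host names, allowlist, thresholds and sample frames are constructed for the example.

```python
"""IEC 60870-5-104 control-command inspector (added example; not the
article's own code and not derived from any Industroyer sample).

Frame layout follows the public IEC 104 standard: APCI = start byte 0x68,
length byte, four control-field bytes; I-format frames then carry an ASDU
(type ID, VSQ, 2-byte cause of transmission, 2-byte common address, then
information objects with 3-byte addresses). Hosts, the allowlist and all
sample frames below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

START_BYTE = 0x68

# Type IDs of process commands in the control direction (IEC 60870-5-101/104).
CONTROL_TYPE_IDS = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    48: "C_SE_NA_1 set-point, normalised",
    49: "C_SE_NB_1 set-point, scaled",
    50: "C_SE_NC_1 set-point, float",
    58: "C_SC_TA_1 single command, time-tagged",
    59: "C_DC_TA_1 double command, time-tagged",
}
COT_NAMES = {6: "activation", 7: "activation confirmation", 8: "deactivation"}


@dataclass
class Asdu:
    type_id: int
    cot: int
    common_address: int
    ioa: int


def parse_apdu(frame: bytes) -> Optional[Asdu]:
    """Parse one APDU. Returns the ASDU header of an I-format frame, or None
    for S-/U-format frames (which carry no ASDU). Raises on malformed input."""
    if len(frame) < 6 or frame[0] != START_BYTE:
        raise ValueError("not an IEC 104 frame")
    if frame[1] < 4 or frame[1] + 2 != len(frame):
        raise ValueError("APDU length field does not match frame size")
    if frame[2] & 0x01:                 # bit 0 set: S-format (01) or U-format (11)
        return None
    asdu = frame[6:]
    if len(asdu) < 9:                   # type, VSQ, COT+OA, CASDU, one IOA
        raise ValueError("ASDU too short")
    return Asdu(
        type_id=asdu[0],
        cot=asdu[2] & 0x3F,             # low 6 bits; bit 6 = P/N, bit 7 = test
        common_address=asdu[4] | (asdu[5] << 8),
        ioa=asdu[6] | (asdu[7] << 8) | (asdu[8] << 16),
    )


Event = Tuple[float, str, bytes]        # (timestamp seconds, source host, frame)


def scan(events: List[Event], allowed_hosts: Set[str],
         burst_threshold: int = 3, window_s: float = 2.0) -> List[str]:
    """Two detections a substation network monitor would run:
    1. any control command from a host not on the operator allowlist;
    2. burst_threshold control commands to one common address within
       window_s seconds, regardless of source host."""
    alerts: List[str] = []
    recent: dict = {}                   # common_address -> recent command timestamps
    for ts, host, frame in events:
        asdu = parse_apdu(frame)
        if asdu is None or asdu.type_id not in CONTROL_TYPE_IDS:
            continue
        name = CONTROL_TYPE_IDS[asdu.type_id]
        cot = COT_NAMES.get(asdu.cot, str(asdu.cot))
        if host not in allowed_hosts:
            alerts.append(f"{ts:.1f} {host}: {name} ({cot}) to CASDU "
                          f"{asdu.common_address} IOA {asdu.ioa} from unapproved host")
        hits = [t for t in recent.get(asdu.common_address, []) if ts - t <= window_s]
        hits.append(ts)
        recent[asdu.common_address] = hits
        if len(hits) == burst_threshold:
            alerts.append(f"{ts:.1f} {host}: {len(hits)} control commands to CASDU "
                          f"{asdu.common_address} within {window_s}s")
    return alerts


def sample_frame(type_id: int, cot: int, casdu: int, ioa: int, element: bytes) -> bytes:
    """Assemble a constructed I-format frame (sequence numbers zero) for the samples."""
    asdu = bytes([type_id, 0x01, cot, 0x00, casdu & 0xFF, casdu >> 8,
                  ioa & 0xFF, (ioa >> 8) & 0xFF, (ioa >> 16) & 0xFF]) + element
    return bytes([START_BYTE, 4 + len(asdu), 0, 0, 0, 0]) + asdu


# Constructed sample traffic: the approved HMI opens the link and runs a station
# interrogation; an unapproved host then issues three single commands in 0.8 s.
ALLOWED = {"hmi-01"}
SAMPLE_EVENTS: List[Event] = [
    (0.0, "hmi-01", bytes([0x68, 0x04, 0x07, 0x00, 0x00, 0x00])),       # STARTDT act (U-format)
    (0.5, "hmi-01", sample_frame(100, 6, 1, 0, bytes([0x14]))),          # C_IC_NA_1 interrogation
    (1.0, "eng-05", sample_frame(45, 6, 1, 1, bytes([0x01]))),           # C_SC_NA_1, IOA 1
    (1.4, "eng-05", sample_frame(45, 6, 1, 1, bytes([0x00]))),           # C_SC_NA_1, IOA 1
    (1.8, "eng-05", sample_frame(45, 6, 1, 2, bytes([0x00]))),           # C_SC_NA_1, IOA 2
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS, ALLOWED):
        print(line)
```

Run against the constructed sample the scanner raises three "unapproved host" alerts and one burst alert; the U-format and interrogation frames are correctly ignored. In a real deployment the allowlist would come from the substation's asset inventory, and the burst threshold would be tuned against the normal command rate of each common address.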
These Ukrainian power grid incidents illustrate the multi-layered approach of cyber warfare, moving from initial compromise and reconnaissance to direct operational disruption, denial of communication, and data destruction, all with the aim of causing widespread chaos and undermining national stability. They underscore the critical need for robust cybersecurity defenses, real-time threat detection, strong incident response plans, and constant vigilance across all sectors of critical national infrastructure.