Power Outages – An attack on our Critical National Infrastructure?
****Updated 1855 hrs***** -Additional Assessment at the end.
****Further Updated 10 Aug 0845*****
What I am writing is purely speculative, it is one theory and will be described by some as a bit wacky, I have no problems with that because I hope it is, but it is an informed theory, informed by years of analysis and training that gut feeling. It has been informed by watching for unusual patterns and if they happen look for the most suspicious whilst hoping for the simple in explanations.
Listing only a few recent events, we have had unexpected drone interference at Gatwick in December closing the airport for 36 hours, an unexplained Russian Flag draped over the scaffolding on Salisbury Cathedral and an unexplained cyber-attack on Gatwick at the time of the drone incident.
More recently, in the past few days we have seen the baggage handling system at Heathrow Airport fail through IT issues, the BA checking in system fail through IT issues, signals out of Euston Station fail and now power outages across parts of the UK when there are no conditions that would cause a user surge demand.
We have the beginnings of a pattern and that pattern is disruption of elements of the UK’s national infrastructure, its critical national infrastructure with its transport networks. We have had airports disrupted, airlines disrupted, rail networks disrupted and with the traffic light systems in London suffering, now our roads disrupted.
It is very easy to shrug these incidents off in isolation, but look at them together and plot them out and a pattern emerges. I have spoken with the National Cyber Security Centre (NCSC), part of the government’s spy agency GCHQ, and they stated that, “The Heathrow Baggage, BA check in and Euston signalling issues were not as they are aware caused by cyber incidents.”
However, this evening’s power cuts have affected airports, traffic lights and the railway network leaving some without electricity.
UK Power Networks tweeted on Friday evening: ‘We’re aware of a power cut affecting large parts of London and South East. We believe this is due to a failure on National Grid’s network, which is affecting our customers.’
Having spoken again to the NCSC, their press office was frantically busy at 6pm on a Friday! Another potential indicator. I will keep this blog updated as new information is received.
However, I do believe there is evidence in some of these incidents of deliberate hostile or rogue state action in the UK. The most recent state openly blamed for an incident in the UK was Russia for its use of Novichok nerve agent in Salisbury last year.
(New) The latest power outage incident has been assessed by the NCSC as not Cyber related, but the question remains how vulnerable is our CNI if it is creaking to this degree through other reasons? Comment: It is probable that this incident isn’t cyber related but on the other hand if it were and the Government wanted to keep it quiet from the public, the NCSC statement would be as issued. However, it is too easy to be overly Machiavellian. Comment Ends.
(New 2) Now that the power is back on the power regulator Ofgem has asked for an “urgent details report” to find out what went wrong. Last night Julian Leslie, Head of National Control at National Grid ESO did a quick Twitter Vlog to try and explain what happened. However, all he said was how when two generators (power company speak for whole power stations!) went off line simultaneously the “system protected itself by losing some demand,” the grid did what it should do and shut parts of itself down. He made no comment on what caused two completely different, geographically separated power stations to fail at exactly the same time. All of the official commentary avoids that question. In addition the two “generators” were brought back online relatively quickly suggesting this wasn’t a mechanical failure but electronic or control.
We have to look at a few issues here to keep what I admit freely is an unlikely scenario alive, but the questions still have to be asked. Would a hostile state actor have the capability and the intent and with that why?
In June the BBC reported, “Russia has said it is “possible” that its electrical grid is under cyber-attack by the US. Kremlin spokesman Dmitry Peskov said reports that US cyber-soldiers had put computer viruses on its electrical grid was a “hypothetical possibility”. His comments came in response to a New York Times (NYT) story which claimed US military hackers were targeting Russian power plants.”
That same month Wired reported, “Over the past several months, security analysts at the Electric Information Sharing and Analysis Center (E-ISAC) and the critical-infrastructure security firm Dragos have been tracking a group of sophisticated hackers carrying out broad scans of dozens of US power grid targets, apparently looking for entry points into their networks.” Those sophisticated hackers were linked to the Russian Government.
So a ‘hostile’ state has the capability and seemingly the intent to carry out action in the UK (the Skripal attack and I personally suspect Gatwick disruption). Why now? We are in a period of political turmoil with a new Prime Minister with a majority of only one in Parliament, the looming no deal BREXIT anxiety and a very left leaning opposition and a country still smarting over its outing for the Skripal attack. So why not? It is a Russian tactic to “stir the pot”. The 2007 Cyber attacks by Russia shutting Estonia down for a protracted period are a perfect example and there have been many more since.
So, it is important to ask, was it a hostile state? Even though the probable answer is no. The real positive that came out of this is if it were a hostile state action, it was defeated very quickly and normality restored so our defensive processes clicked in quickly. But that is only a positive if it were a cyber attack.
Note: This blog is written by Philip Ingram MBE, a former British Military Intelligence Officer and now journalist who has served in the Gulf. If you would like any further comment from Philip, please contact him by clicking HERE
Finally a bonus – a Tin Foil Hat Podcast done with The People Hacker – Jenny Radcliffe:
It is very rare I pick up a book and go WOW, especially when it is one talking about cyber security, digits and packets, computers and of course spying.
INTERCEPT by Gordon Corera, the Security Correspondent for BBC News is in my humble opinion a masterpiece and essential reading for anyone involved in cyber security, information security, computer networks, intelligence, information and spying. It is the background and history that provides an easily readable foundation on which all of those disciplines are built from. In essence, again in my humble opinion as a cyber commentator and ex spook, if you haven’t read this book you can’t do your job properly.
Gordon Corera starts on 5th August 1914 where he introduces Superintendent Bordeaux and his two messages giving him a mission onboard a ship called The Alert and the first offensive action of World War 1, and that action was around information. Read the book for the rest of the story.
If you think you know your computer history and didn’t realise that in 1929 the UK War Office had a Computer Class 2 for the ‘calculation of projectiles in artillery fire’, then your computer history is missing something. That computer was called Kathleen.
Jump forward to the 1940’s and the importance of Dollis Hill in London, in the fight to crack the Enigma code is explained. He mentions Bletchley Park and elsewhere.
Without actually mentioning it Corera gives a detailed history of how the “Special Relationship” with the USA was formed and how over the years it has developed, strengthened and become interdependent. He more than hints at why it will always be there in the modern internet age.
What really struck me was when he quickly came into the modern age, events, dates, people I recognise and can remember reading about or listening to. 1988 was only a couple of years ago? Right? But what is extremely well explained is how systems were designed with no security and how foreign powers late to the game managed to leapfrog themselves into networks.
He explains in detail about “The Cell” in Banbury in Oxfordshire and it is clear he has visited the List X facility, working at high levels of classification, created by BT, overseen by GCHQ behind multiple access controls and paid for by Huawei. If you didn’t know the detail yet had an opinion on Huawei around current political statements, then your opinion is not properly informed.
INTERCEPT was first published in 2015, before the current Huawei spat started. Examination of how nation states approach intelligence and the technologies supplied from national manufacturers to the international market is at the core of many of the developments discussed throughout the book.
Having just finished reading INTERCEPT, I have started it again, this time with highlighter in hand as it is full of fantastic quotes and examples illustrating every aspect of the modern cyber challenge. INTERCEPT is a must for the Cyber and spying community. I can’t recommend it more highly.
Philip Ingram MBE is a former British Military Intelligence Officer who has walked the corridors of “The Doughnut” and been involved in many cases where the expertise gained through some of the examples in this book have helped enormously.
Please visit ‘contact us’ if you want further comment from Philip and visit the link below to buy INTERCEPT from AMAZON.co.uk.
I was fortunate to be invited to a very closed briefing and discussion with the British Army’s Commander Field Army, Lieutenant General Ivan Jones, on Tuesday with only one other defence commentator Lincoln Jopp.
We had a good 90+ minutes of two-on-one time discussing the rebalancing detailed in the press release below, including the reformations of the Army’s 6th Division and the real challenges in delivering an Army capability to meet current threats, most of which are well below the threshold of war fighting or where you would see traditional military capabilities intervening.
It is not the final answer as to what is needed as that requires not just an Army approach but a whole defence approach and with the new Secretary of State for Defence, Ben Wallace, being a veteran and the longest serving Security Minister prior to his current appointment, we have a minister who understands.
General Ivan was clear that this was a journey for the Army, starting with small adaptive steps enabling a better cycle of rebalancing for the future as threats evolve and develop. He was also clear that his remit was and could only be focused on the Army only.
The rebalancing, within current assets is a very necessary start emphasising the importance of capabilities that were closely held before in an organisation, not formation, called Force Troops. Grouping them into a formation with an identity and history puts them on the same footing as other elements and that is the first win in a psychological and information battle to recognise their value.
It also recognises the vital importance of maintaining a Division focused on high intensity armoured warfighting, 3rd Division, which I emphasised was the Army’s strategic capability as it kept the UK able to fight at the highest intensity with an Armoured Divisional formation alongside the Americans. No other NATO nation can do this.
With the 1st Division providing much of the capabilities needed to meet all of the tasks that develop on a regular basis around the globe, emphasising the Army’s contribution to the UK’s P5 responsibilities and global reach, 6th Division can support those daily operations whilst contributing to the countering of more asymmetric attacks happening on a daily basis.
This restructuring is not the answer to everything and nor will or can it meet all current threats, but it is the first step in a journey and that first step gives a series of capabilities a Divisional command and control structure akin to the other capability providing divisions, and for the new division with psychological warfare in its structure, that rebranding is important in influencing future Army force development.
The Press Release from an earlier press update is here:
Army restructures to confront evolving threats
The Army has outlined its plans to rebalance the Field Army to ensure that it can compete with and defeat adversaries both above and below the threshold of conventional conflict. Lt Gen Ivan Jones, Commander Field Army (CFA), has described plans for rebalancing his command which will see changes to the structure of the Field Army’s primary formations.
Lt Gen Ivan Jones, Commander Field Army said: “The character of warfare continues to change as the boundaries between conventional and unconventional warfare become increasingly blurred. The Army must remain adaptable and evolve as a fighting force.
The three complementary British Army Divisions harness the wide range of British Army capabilities, providing choice to the Government in defence of the UK’s interests. Whilst retaining its operational focus, the intention is to rebalance the Army’s formations in order to meet the challenges of constant competition and maintain its high-end warfighting capability.
Lt Gen Jones added: “The Field Army must build on the strong foundation of the 3rd Division’s world class warfighting force. 1st Division provides specialist soldiers and equipment to develop other nations’ armies, deal with disaster and humanitarian crises worldwide and enable our warfighting division. 6th Division focuses on Cyber, Electronic Warfare, Intelligence, Information Operations and unconventional warfare through niche capabilities such as the Specialised Infantry Battalions.
“The speed of change is moving at a remarkable rate and it will only get faster and more complex.”
This change will be integrated within broader Defence, national and alliance efforts and enable the Field Army to operate and fight more effectively above and below the threshold of conflict.
The Field Army rebalancing is part of the Army’s response to the emerging Defence thinking and will create a Field Army of integrated, interdependent and complementary formations from 1 Aug 2019.
1st (United Kingdom) Division (1 (UK) Div) with its blend of lighter infantry, logistics, engineers and medics will provide more strategic choice and a range of capabilities, conducting capacity building, stabilisation operations, disaster relief and UK resilience operations. It will include: 4th (Infantry) Brigade, 7th (Infantry) Brigade, 11th (Infantry) Brigade, 51st (Infantry) Brigade, 8th Engineer Brigade, 102nd Logistic Brigade, 104th Logistic Brigade, 2nd Medical Brigade.
3rd (United Kingdom) Division (3 (UK) Div) will remain as the Army’s primary armoured warfighting force comprising: 1st Armoured Infantry Brigade, 12th Armoured Infantry Brigade, 20th Armoured Infantry Brigade, 1st Artillery Brigade, 101st Logistic Brigade, 25th Engineer Group, 7th Air Defence Group.
6th (United Kingdom) Division. The re-designation of Force Troops Command (FTC) to 6th (United Kingdom) Division (6 (UK) Div) will provide the Army’s asymmetric edge, orchestrating Intelligence, Counter-Intelligence, Information Operations, Electronic Warfare, Cyber and unconventional warfare. 6 (UK) Div will include: 1st Signal Brigade, 11th Signal Brigade, 1st Intelligence Surveillance and Reconnaissance Brigade, 77th Brigade and the Specialist Infantry Group.
There will be no changes to personnel numbers, resourcing, cap badges or locations. 1st August marks the rebirth of a Division which served throughout the First World War and during the Second War. More recently, 6 (UK) Div was formed between 2008-2011 and deployed to Afghanistan as Headquarters Regional Command (South).
Analysis was provided by Philip Ingram MBE a former Colonel in the British Army and an Intelligence and planning expert. If you would like any further comment from Philip, please contact him by clicking HERE
With the UK flagged tanker Stena Impero being seized by the Iranian Revolutionary Guard in the Strait of Hormuz, reportedly in Omani Territorial waters according to the UK Defence Secretary Penny Mordaunt, what can be done next?
Whatever the next step is, it will by default be seen by the Iranians as escalatory. We are entering a very dangerous phase that would tax the most experienced and hardened of Prime Ministers never mind a new one starting next week.
The Foreign Office has summoned Iran’s charge d’affaires in London, in the first step of what will be a fraught period of diplomacy where every word counts. Penny Mordaunt has already declared it as a ‘Hostile Act,’ a significant choice of words in the diplomatic world as it is one associated with the easing of a military’s rules of engagement and a precursor to greater military deployments.
Once severe displeasure has been lodged with the Iranian charge d’affaires it is likely that Theresa May and Jeremy Hunt, the Foreign Secretary, will be on the phone to allies to ask them to pass their condemnation onto Iran’s representatives in their capitals. We should start to see statements of condemnation and concern from allies coming out.
The next formal step will likely be an emergency meeting of the United Nations Security Council early in the week, to pass a resolution ordering Iran to release the Stena Impero and her crew and to stop all aggressive behaviour in the region. If the phrase ‘hostile act’ gets into the UNSCR the next phrase to watch for is “by all means necessary” when it comes to enforcing the resolution. That is in effect a UN authorisation to go to war if necessary. Words are important!
Given Iran’s links to Syria and therefore Russian activity in Syria they would probably hope that Russia would veto any resolution worded too strongly. However, given there is a Russian citizen amongst the crew and there is already pressure on Russia elsewhere, this is less likely.
Iran is angry at the UK’s seizure of an Iranian oil tanker, the Grace 1, in Gibraltar’s waters, for operating against EU sanctions on Syria. Iranian TV’s Channel Two broadcast part of an interview with Mr Abbas Mousavi, an Iranian Foreign Ministry spokesman who said the seizure was “a form of piracy”.
The issue is however much bigger and Iran’s beef with the UK goes far back in history with recent disputes over undelivered tanks, ordered during the Shah’s reign and partially paid for but not delivered due to the Iranian Revolution. The initial payments were never refunded, and Iran has taken the UK Govt owned company who brokered the deal, to court.
Iran is concerned about current sanctions and sees the UK as a bedfellow of their arch enemy the US. President Trump’s recent withdrawal from the Iran nuclear treaty has enflamed tensions. Those tensions are further enflamed by the continuing proxy wars in Syria and Yemen where British weapons and supplied military capabilities are being used against Iranian backed rebels.
The one conclusion from all of this is it is a mess and will be very difficult to unpick; it is likely the Stena Impero will be in Iranian waters for quite some time to come. Any next step is likely to enflame tensions further and I suspect activity in Portsmouth will be increasing rapidly to prepare more ships for sea. Not a good time for RN personnel if they have annual leave booked.
Note: This blog is written by Philip Ingram MBE, a former British Military Intelligence Officer and now journalist who has served in the Gulf. If you would like any further comment from Philip, please contact him by clicking HERE
Related Article: https://greyharemedia.com/the-intelligence-game-how-will-we-know-it-was-iran/
With the latest embarrassment linked to Porton Down Philip Ingram MBE asks, the document find, was it the GRU?
At one minute past midnight on 4th October 2018 a statement came out from the British Government saying that the National Cyber Security Centre (NCSC) had “identified that a number of cyber actors widely known to have been conducting cyber-attacks around the world are, in fact, the GRU.”
The GRU is the Russian Military Intelligence organisation also known as the Main Intelligence Directorate who have been accused of being responsible for the assassination attempt on Sergei Skripal in Salisbury in March last year and causing the death of Dawn Sturgess.
Colonel Anatoliy Chepiga and Colonel Dr Alexander Mishkin had flown into Gatwick on 02 March and out of Heathrow on 04 March 2018, having been seen in Salisbury on Saturday 03 and again on Sunday 04 March when Sergei Skripal was contaminated by Novichok being placed on the handle of the front door of his house.
Sergey Naryshkin, the head of the Russian Foreign Intelligence, the SVR, said in October, “Even if one assumes that some secret service was really given such a mission, the way it handled this case was very unprofessional.” Philip Ingram MBE, a former Colonel in British Military Intelligence, believes that rather than his statement being a Russian denial of Salisbury, it was a swipe at the GRU. “There is no love lost between the GRU and the SVR especially when it comes to competing for resources and influence,” Ingram said.
Then in November 2018 Victor Korobov, the head of the GRU died at the age of 62 supposedly after a “long and difficult illness.” He had been on sick leave ever since a dressing down by President Putin after the expose of GRU activities in Salisbury, outside the OPCW in the NL and the Bellingcat revelations of wider GRU activities.
The one thing that clearly comes out of this is the GRU were bruised, bruised operationally and their ego was deflated. As an organisation they had something to prove, that something was they could still operate.
Since then we have heard of Wiltshire Council computers suffering a cyber attack (The GRU operate Russia’s cyber capability), Gatwick Airport suffered a cyber attack, a mysterious and large Russian flag was unveiled on scaffolding on Salisbury Cathedral, Gatwick Airport was closed for 36 hrs through drone incursions which both Philip Ingram and Sir Gerald Howarth, David Cameron’s international security minister, assessed could have been done by the Russians and now we have classified documents relating to staff at Porton Down being found in a recycling bin in North London.
One thing an intelligence professional will look for is a pattern, and there is a very clear pattern of activity aimed at embarrassing Wilts council and the people of Salisbury, Gatwick who had pictures of the GRU team arriving, Porton Down and through to all the UK Government. That pattern of activity points towards an intent.
The second question an intelligence professional asks is if they have the capability. That is easier to confirm. The GRU are responsible for Russia’s national cyber capability. The Bellingcat investigations have exposed their global travel carrying out operations. Philip Ingram believes even Salisbury will have a longer term focus as he highlighted in his blog https://greyharemedia.com/salisbury-sleepy-hollow-or-spooks-playground/.
Putting all of this together we have a strong possibility that the documents discovered by an individual in a recycling bin, reportedly from or related to Porton Down and passed to a national newspaper and not the police, were compromised and put there by a GRU team to embarrass Porton Down. Ingram’s spooks paradise blog looks even more credible!
Note: This blog is written by Philip Ingram MBE, a former British Army Intelligence Officer who was based near Salisbury in the past. If you would like any further comment from Philip, please contact him by clicking HERE
In the streets of Tehran, for many years Israel’s Mossad, Germany’s MRD, America’s CIA, France’s DGSE and of course the UK’s MI6 with many others will have been playing the potentially deadly game of HUMINT. Human Intelligence, recruiting individuals with access to pass on secrets from the organisations they have access to. If they are caught, they will almost certainly be tortured and killed, it is probable that their families will disappear, and that access will be lost. This is part of the intelligence game.
One of the key targets of the international intelligence community will be the Iranian Revolutionary Guard Quds force. Their special operations division, the part of the revolutionary guard that infiltrates other states, that carries out guerrilla and terrorist type attacks, that carries out ‘black’ operations, that is currently being blamed by the US and UK for the spate of attacks on oil tankers in the Gulf of Oman.
If one of the intelligence agencies has recruited an agent inside the Quds Force then their intelligence, their presence and their access will only be known by a very very small number of people; their identity by even fewer. Their reports will be unlikely to be shared, but assessments utilising intelligence provided may be shared with allies.
Luckily, HUMAN intelligence is the icing on the cake and not needed in all cases to form an intelligence assessment. It is highly unlikely to have formed part of the picture that allowed the US Secretary of State Mike Pompeo to blame the Iranians for the attacks on Thursday on two tankers in the Gulf of Oman, just a month after four others were targeted off the coast of the United Arab Emirates. The British Foreign Minister Jeremy Hunt said that the Iranian regime was “almost certainly” behind it, but how would they know?
The key is knowing exactly what happened and when, and that is very easy in this case. It is easy because the exact time and location are known: at 06:12 (02:12 GMT) the Norwegian-owned Front Altair, followed at 07:00 by the Japanese-owned Kokuka Courageous, sent distress calls following explosions and these were picked up by US naval forces in the region.
The US has already released video from an unmanned drone flying in the region, this is one of the most highly surveilled regions in the world. The drone reportedly showed Iranian Revolutionary Guards boats evacuating crew from one of the distressed ships whilst surreptitiously removing an unexploded limpet mine. Some commentators have questioned its validity especially as the owners of the Kokuka Courageous claim that the crew saw a flying object just before the explosion.
One thing that people should recognise is the drone was not alone! There are layers of intelligence collection systems all watching and listening to target areas of interest, which the Gulf of Oman is. These systems have the ability to monitor the whole electromagnetic spectrum passively through satellites, drones, aircraft, ships and land based capabilities and also actively through land based, sea borne and airborne radar.
So, what would be looked for? We have boat movement, the 2 ships that were attacked and any smaller craft that approached them through their journey. Small craft present a problem for intelligence systems as they can often get lost in the background clutter in images, or radar returns and that clutter can be caused by atmospherics, sea states and geography. This means that unless they are being actively looked for, they can often hide. Boats no matter what size leave a wake, a temperature difference in the sea as they travel, a radar and an acoustic signature, a thermal signature and if they use radar and/or radio, an electromagnetic signature. If crew members are carrying mobile phones, those too leave a unique signature in the electromagnetic spectrum.
For limpet mines to be attached, this is either done in port or on the journey from a surface or sub surface vessel. The location of the explosion and the alleged limpet mine that was removed can rule out a sub-surface approach. But what of the flying object?
The ships were over 50 km off shore, for anyone with experience at sea, that is a long way! Any ‘flying object’ would have to be launched from Land, the Air or the Sea. It would also have to be guided to the target either actively or using passive on board guidance systems. We are talking about a very sophisticated system to get a warhead to a ship. At that range any land launched system would have been spotted immediately through its thermal signature, the US would have called it out immediately. Again, if launched from the air, aircraft type, course, time of flight are all being recorded, not just by civil air traffic control but also military assets across the region. The USS Bainbridge, a US Arleigh Burke-class guided missile destroyer, over 500 feet long and weighing in at 9,200 tons, has some of the most sophisticated radar and other sensors and it was operating in the area.
So, a close in missile launch would see the need for a small boat to get within a few km of the tankers, leaving its own signature and once a missile is launched, leaving another trail of ways of identifying it. I would assess it as unlikely that a missile system was used to attack the tankers.
Will we ever know for sure? Well if samples of the explosive residue left around the site of the explosion and the size and shape of the damage to the ship’s hull can be gained – the type of explosive can be determined and the exact weapon system used therefore determined with a very high probability, if it is a manufactured weapon and not a home-made IED, even then the residue will indicate where the explosive substance came from.
So, for all the doubters out there who want to immediately counter the state narrative: realise, it is certainly based on much more than will ever or should ever be in the public domain. Meanwhile, the attempts to recruit human assets in Tehran and elsewhere will continue.
This blog was written by Philip Ingram MBE a former Colonel in British Military Intelligence who has worked in the Gulf region. Please go to contact us if you want further comment from him.