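A morphological analysis of intentional unwanted actions directed against the Norwegian Armed Forces' information infrastructure (original title: En morfologisk analyse av tilsiktede uønskede handlinger rettet mot Forsvarets informasjonsinfrastruktur)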
About the publication
Report number: 18/00466
ISBN: 978-82-464-3033-1
Format: PDF document
Size: 729.1 KB
Language: Norwegian
The Norwegian Armed Forces’ Information Infrastructure (INI) connects the sensors, effectors
and decision makers of the Norwegian Armed Forces in order to collaborate efficiently and
effectively. The INI is therefore a critical resource, and it can be assumed that an adversary
will consider the INI an important target.
In this work we have defined an attack against the INI as consisting of one or several intentional
unwanted actions that can be performed in series and/or in parallel. We have tried to identify all
possible intentional unwanted actions that can be directed against the INI. This spectrum of
actions contains not only actions in the cyber domain, but also actions like physical destruction
of infrastructure components, and attacks directly targeting critical staff. The entire spectrum
can be used as a basis for further analysis related to the Norwegian Armed Forces’ INI and
security. Examples include analysis related to risk assessment, incident response,
responsibilities, and the need for security mechanisms. By using this proposed spectrum, one is
forced to make conscious choices in relation to which actions to include and which actions to
exclude in the analysis.
We have used morphological analysis to extract all actions that can be directed against the
Armed Forces’ INI. This method is suitable for analysing complex issues and provides a
framework that contains the different solutions, which in this case is the entire spectrum of
intentional unwanted actions. The motivation for using morphological analysis is to include
actions that may be difficult to predict, but which can still have major consequences. The goal is
to help decision makers and planners see the whole picture of challenges, and thus be
prepared for a wider range of actions. This enables the Norwegian Armed Forces to work out
the robustness required to protect itself from, or to handle, these actions.
We have developed a morphological framework, and we show two examples of how to use it.
Furthermore, we show how the framework can be utilised to identify which intentional unwanted
actions the different security mechanisms and incident response mechanisms will
mitigate. We describe some related methods like Cyber Kill Chain and STRIDE, and compare
and contrast these methods with our morphological framework.
Finally, our analysis illustrates how large and complex the spectrum of intentional unwanted
actions is, thus demonstrating the need for comprehensive and traceable methods when
working with security for the INI.