"A risk assessment of the Piql Services" by FFI

motive of the threat actor might not be purely to damage the information stored itself, which compromises its integrity, but simply create chaos and thus affect availability, the negative consequences of sabotage increase. Sabotage can primarily take place in two phases: during the production phase and the storage face. The target of the sabotage can be the building which houses both the production site and the storage facility; it can be the necessary machines in the production process, i.e. the piqlWriter, piqlReader and the equipment used when developing the piqlFilm. It can be the piqlVault system grid and the corresponding machinery; and the target can of course be the piqlFilm itself. As with theft, there is a distinction between logical and physical sabotage, i.e. somehow damaging or altering the information while it is being stored or transferred electronically, or somehow damaging the physical entities and surroundings of the Piql Preservation Services. During the storage phase, the main risks of sabotage are of a physical nature. There is only one real logical threat to the operations of the automated storage system, i.e. the piqlVault system, and that falls under sabotage. Logical theft or espionage is not a real concern, as there is no logical information stored in the piqlVault system which is of interest to a threat actor. Only the unique reel IDs of the piqlFilms and the corresponding local IDs which are used to specify their location in the piqlVault system is stored electronically: should you want to access any valuable information during the storage phase, you would need to get your hands on the physical piqlFilm, i.e. steal it, which has already been covered. It is, however, possible to affect the availability of the piqlFilms by logically sabotaging signals which are transferred in the piqlVault system and essentially wreaking havoc inside the grid. A threat actor could gain access through the potentially vulnerable interface network between the Piql IT system and the piqlVault IT system (the vulnerability of which is expanded on below) and install malware in the EWMS which switches the reel IDs around or orders random pick-up continuously. A second option is if a threat actor somehow manages to affect the radio signals controlling the movements of the robots through the use of a malicious transmitter, either jamming the signals completely and halting all operations, or if they are able to break through the security protocol protecting the radio signals to alter their contents and sending the robots all over the place in the grid. Again, this would have no effect on integrity or confidentiality, but the availability of the piqlFilm would be compromised. Though the possibilities of logical sabotage are limited during storage, the opposite is the case for physical storage. Here, sabotage of the building housing the storage facility is possible, like blasting a wall; its structural dependencies such as energy supply can be tampered with if someone for instance cuts some vital cables; and its security barriers can be affected by taking a sledgehammer to important control systems. The grid of the piqlVault system can also be physically damaged, for instance if someone drives a truck right into it. Depending on the severity of the sabotage, the integrity of the information on the piqlFilms may be affected, but there is no question that availability is affected. We will now list the identified possibilities for both physical and logical sabotage during both the storage and production phase.

80

FFI-RAPPORT 16/00707