84

FFI-RAPPORT 16/00707

500 year longevity. What good is a longevity of this magnitude if the information cannot be

accessed in the future without additional references?

However, this trade-off between security issues and the concept of self-containment should be

up to the user to decide. If a user, for instance a national archive, wishes their information stored

on the piqlFilms to be accessible to all, also in the future, then cryptography is a non-issue and

the concept of self-containment is paramount. If, however, a user, perhaps a competitive

business storing patents, wishes their information to remain secret or private no matter what,

then cryptography is vital. The decision depends on whether the user values availability or

confidentiality the most.

Piql AS’ current security architecture addresses integrity – through the measure of verification –

and availability – by not deleting the original file from their computer system until the

production process is complete. Conversely, they do not offer anything to address

confidentiality. Though this may run counter to their vision for the Piql Preservation Services,

not at least offering it as a part of their security architecture for users to choose is a weakness.

Apart from the abovementioned weaknesses in the Piql IT system, there are also some worth

mentioning in the piqlVault IT system during the storage phase.

As mentioned previously in this chapter, the only real logical threat to the piqlVault system is

sabotage in the form of a threat actor gaining access to the system and wreaking havoc in the

piqlVault grid. They can create complete chaos with regards to the locations of piqlBins within

the grid and thus affect the availability of the piqlFilms, but the information security properties

are not otherwise affected. It was also said that a threat actor had two ways to achieve this level

of chaos. In the following we discuss how these events can come to pass by highlighting the

exploited vulnerabilities of the piqlVault system.

43

The first option was to gain access to the piqlVault IT system through the potentially vulnerable

B interface network between the Piql IT system and the piqlVault IT system and install malware

in the EWMS which switches the reel IDs around or orders random pick-ups continuously. The

mere role of the B network as an interface between the two systems makes it a point of

vulnerability. However, it seems that the setup it delivered from the supplier as a robust system

when it comes to computer security, and it is up to Piql AS and their realisation of the system to

keep it secure. It seems that Piql AS has done just that. Yet, such an interface can always be

turned into the chink in the otherwise solid armour and exploited by threat actors with the

proper know-how.

The second option was to affect the radio signals controlling the movements of the robots

through the use of a malicious transmitter. The use of a 2.4 GHz frequency to send the radio

signals through enhances security, as there is less radio propagation of the signals. However,

FFI has not learned of any cryptographic methods used in the information in the signals.

Without this feature the information in the signals can be accessed and possibly distorted. With

43

See figure 5.4 in chapter 5 as a reference.