A year later, Russia-Ukraine war directly impacted ICS/OT cybersecurity, as watchful awareness continues to grow

It has been one year since Russia launched its invasion of Ukraine, killing several thousand people, displacing millions and causing billions of dollars of economic damage. The Russia-Ukraine war, which broke out on Feb. 24 of last year, is the first international conflict in which cyber operations have played such a visible part, and it has shown that cyber will be an integral component of future armed conflict, supplementing traditional forms of warfare.

Data released by Google shows that Russian government-backed attackers have engaged in an aggressive, multi-pronged effort to gain a decisive wartime advantage in cyberspace, often with mixed results. It also found that Moscow has leveraged the full spectrum of information operations, from overt state-backed media to covert platforms and accounts, to shape public perception of the war. Finally, the Russia-Ukraine war triggered a notable shift in the Eastern European cybercriminal ecosystem that will likely have long-term implications both for coordination between criminal groups and for the scale of cybercrime worldwide.

Russian-backed attackers leverage a full spectrum of information operations to shape public perceptions of the war. As a result of the Russia-Ukraine war, the distinction between financially motivated and government-backed attackers in Eastern Europe has blurred: criminal groups have shifted their targeting to align with regional geopolitical interests, while government-backed attackers have adopted the tactics and services of financially motivated attackers.

The Russia-Ukraine war showed that phishing remains a prominent initial access vector for government-backed attackers. Attackers use this access to achieve multiple Russian strategic objectives, such as intelligence collection, data destruction, and information leaks intended to further Russian national objectives. 

Cybersecurity researcher Joe Slowik also noted that “a steady drumbeat of cyber operations has taken place. In examining these events, we see a variety of items that shed light on trend lines otherwise obscured in cyber operations more broadly: how they are difficult to coordinate with kinetic operations, the overall utility of such actions when kinetic strikes are possible, and how non-government entities can enter into the fray as force-multipliers (or potentially deniers).” 

With the first anniversary of the Russia-Ukraine war approaching, Industrial Cyber reached out to cybersecurity experts to evaluate its impact on the global ICS/OT cybersecurity space. The experts also examine the changes that OT environments have had to make to their fundamental concepts, and how they expect this to play out in the long run.

“The impact has been generally low since cyber attacks were perceived as taking a back seat where traditional military-terrorist kinetic attacks have been used to target critical infrastructure,” Vytautas Butrimas, industrial cybersecurity consultant, and member of the International Society of Automation (ISA) told Industrial Cyber. “Witness all the missile and drone strikes on substations and tanks firing and nuclear power stations and boots on the ground occupation of them. Much attention has also been given to the kinetic attacks on substations in the U.S. (Oregon, N. Carolina) and elsewhere.”

Vytautas Butrimas, an industrial cybersecurity subject matter expert

Butrimas said that three events took place last year which should have acted as another shock to ICS security practitioners but seems to have also had a minimal impact. “The first was the cyber attack on Viasat terminals which began in Ukraine at the start of the Russian invasion on February 24, which spread to other parts of Europe. Most notably in Germany where windfarm operator Enercon lost 5800 Viasat terminals used to link the control room with the remotely located windmills. Another case of losing the ‘view and control’ of a critical process due to a cyber attack. The lessons of Stuxnet continue to be applied in subsequent attacks on control systems,” he added.

“The second took place months later in the summer with the discovery of cyber attack tools called ‘Pipedream’ which are designed to search for, locate and compromise Programmable Logic Controllers (PLCs) which are the core technologies used to monitor and control processes governed by the laws of physics and chemistry found in critical infrastructure,” according to Butrimas. “It was a visible discovery, with a bulletin issued by the US Government and an analysis published by a security company, yet the impact on the industry also seemed low.”

Lastly, almost at the same time, a group called ‘Predatory Sparrow’ published a video on the Internet of its cyber attack on a steel mill in Iran, Butrimas said. “According to the attacker’s video recording, made using the plant’s own video surveillance cameras, the cyber attack resulted in physical damage to the plant. Reminiscent of the 2014 cyber attack on a steel mill in Germany which was published as part of a report by BSI in Germany. So in summary the impact was low in terms of the perceived response from the industry,” he added.

Butrimas said that the same changes should have been made after the discovery of Stuxnet in 2010. “It has been demonstrated in several cases over the years what is being targeted and from what kind of threat actors. The most dangerous come from the advanced persistent threat actor that is patient, has the skills to construct an effective attack on the engineering and is resourced by the state.

Unfortunately, the public efforts seem to be more law enforcement focused on fighting cybercrime and ransomware. All the cases point toward the need for changes to the design of the system architecture,” he added.

“This is still apparent today. Just look at the Colonial Pipeline shutdown of 2021. Even though the ICS side of the operations of the pipeline had to be shut down they were not affected by the ransomware,” according to Butrimas. “In my opinion, this was caused by a failure in the design where too many data links to the ICS side were established that perhaps were not needed for operations but were needed for data analysis in the office.”

Patrick Miller, president and CEO at Ampere Industrial Security

Patrick Miller, president and CEO at Ampere Industrial Security, told Industrial Cyber that the Russia-Ukraine war has impacted ICS/OT cybersecurity directly. “There are several documented attacks by Russia on Ukrainian ICS/OT both before and during the war. Russian tools and techniques have also been discovered.” 

“With all this information known on Russian operations toward ICS/OT, it gives the rest of the world the awareness and visibility to defend against them,” Miller added. “It also helps speculation and inference on what they may do next, and how, based on previous knowledge. This has changed everything from defensive architectures to system hardening techniques.”

Aaron Crow, CTO at Industrial Defender

Early in the Ukraine invasion, there was a heightened focus on improving the visibility of operational technology (OT) assets from critical infrastructure and industrial operators, Aaron Crow, CTO at Industrial Defender, told Industrial Cyber. “Then, as operators updated their asset inventories, they recognized the need for more information about their OT devices to properly secure them, moving beyond device identification toward collecting critical endpoint data like software versions and configuration settings,” he added.

Viktor Zhora, chief digital transformation officer at Ukraine’s SSSCIP agency, said that the country has witnessed a threefold growth in cyber-attacks over the past year, and ‘in some cases, cyber-attacks supportive to kinetic effects.’

Google data revealed that since the start of the Russia-Ukraine war, Russian government-backed attackers have aggressively targeted Ukraine and its supporters, particularly NATO member countries. In 2022, Russia increased targeting of users in Ukraine by 250 percent compared to 2020. Targeting of users in NATO countries increased over 300 percent in the same period. 

The experts address whether they are aware of similar kinetic effects being reported in their region, and what measures critical infrastructure companies in their region have taken to safeguard their infrastructure. 

“To say that cyber-attacks have grown is a generality or can be better said as a general truth. Listen to any country’s security service and you will frequently hear that cyber attacks are increasing tremendously. The devil is in the details and how a cyber attack is classified,” Butrimas said. “Many of the thousands or millions of cyber attacks are quite mundane and not initially harmless. For example mapping or probing a site’s ports. Some phishing attacks break into the home or office network on the IT side. The most dangerous attacks are those attempting to compromise the technologies used to monitor and control a physical process.” 

Butrimas said that attacks like the Triton/Trisis attack on the safety systems of a petrochemical plant resulting in a plant shutdown are few but most significant in terms of potential damage to people, property, and the environment. “This is not likely to happen with a ransomware attack on IT systems.”

“In the region where I live, as in other parts of the world, there is a watchful awareness by the critical infrastructure operator and asset owner. No major incidents have been reported publicly,” according to Butrimas. “If an incident happens seldom if ever is information published from an investigation. Cyber is not listed as a cause but then again if one wishes to investigate a cyber incident one has to have the capacity to conduct that investigation that is in-house.”

He added that a national cyber center is not likely to have the expertise to conduct such an investigation for they are not likely to have much experience working with PLCs or other industrial automation and control systems. “We are at the Antonie van Leeuwenhoek state of cyber investigation for the industrial side. Just think of the shock people had when they first used his microscope to view a drop of pond water that they were drinking all the time?”

Crow said that while “we don’t have evidence of specifically US-targeted attacks to comment on, with most of the attention on activity directed at Ukraine, we do know critical infrastructure operators are more aware of the risks as unintended targets. The blast radius of some cyber campaigns doesn’t respect any geographical borders, as we’ve seen with WannaCry, Petya, and NotPetya.”

Miller said that “Kinetic effects from cyberattacks outside of the Russia-Ukraine theater have not been reported publicly at this time.”

Using their experience in the OT/ICS sector, the experts rated the preparedness of critical infrastructure organizations in their region one year after the start of the Russia-Ukraine war. They also weighed in on whether these infrastructures are better safeguarded now than before, or whether this is still a work in progress.

Butrimas said that on the surface things seem to look well under control. “Most countries have national CERTs, laws on cybersecurity, and regulations. Even the EU is working on an EU Cyber Resilience Act.”

However, “we still have not learned the lesson of the Three Little Pigs where only one took the time to answer the three security policy questions correctly: what to protect, from what threats, and how? Sadly, many of our efforts regionally and in the EU for example fall into the category of pigs 1 and 2 who built their homes of straw and sticks to protect themselves from the wind and rain respectively. That is ok for dealing with by analogy cybercrime and ransomware,” according to Butrimas. “However very few countries have gotten it right like the third little pig who built his house of brick to protect from the ‘wolf’ or by analogy the state actor.”

He added that to answer the question “the work sadly will be completed after a major incident that points out the errors made in answering the first, and especially the second question.”

“In North America, I think they are very prepared. Most utilities are going above and beyond their required minimums – whether regulatory (NERC CIP, CFATS), national security mandated (TSA Pipeline Security Directives) – or just good practice (Water/Wastewater),” Ampere’s Miller said. “Every adversary tool that is discovered is often dissected and the key information is shared between all vendors and asset owners to help everyone both prevent and detect the known attack methods. This also helps others around the globe who may have a lower regulatory bar than North America.”

“We’re seeing efforts to strengthen the controls that some might describe as basic, but aren’t executed to the extent needed for actual security,” Crow said. “In fact, we’ve just seen FERC’s final rule confirmed for updating NERC-CIP standards with the intention of moving the needle beyond compliance, toward security – explicitly requiring internal network security monitoring for bulk electric systems. We also saw CISA introduce their cross-sector cybersecurity performance goals (CPGs) last year emphasizing ICS security diligence.”

Given the evolving threat landscape, the experts examine what the focus areas must be, from a cybersecurity perspective, for industrial and manufacturing companies as the Russia-Ukraine war continues and OT systems become more complex and interconnected.

Butrimas said that the main focus areas start with safety and reliability, and then resilience. “The three questions must be soberly and patiently worked through. Complexity and connectivity are serious challenges. We should have the courage, especially from our engineers to say that if there is no good operational reason to connect an ICS to the accounting system in the office then it should not be allowed. Forget about the wonderful offers from the vendors to add more devices and connections to help analyse all the operational data,” he added. 

“If it does not enhance safety, reliability, and resilience then the engineers should say no and be allowed to say it,” Butrimas added. “Too often missing in these modern developments is the participation of the engineer in an environment that favors the IT department too much. It is only the engineer who can give a ‘reality check’ to all the grand and wonderful promises behind the IIoT and Industry 4.0 movements.”

Miller said to “get everything possible off the Internet and behind a firewall. Segment internal networks and make the zone with the ICS/OT the highest trust (critical). Require MFA for any kind of interactive access into the highest trust zones.” 

There are many other steps, but these are the ones that reduce the most risk for the least time and effort, he added.
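The three measures Miller lists above (nothing in OT reachable from the Internet, OT as the highest-trust zone, MFA on every interactive path into it) can be checked mechanically against a firewall rule export. The script below is an added example for this article, not code from Ampere Industrial Security or from the original page; the rule format, the zone address ranges and the convention that a single jump host enforces MFA are assumptions made for the example. It also flags any-port allows from a lower-trust zone into a higher-trust one, which is the kind of convenience link Butrimas warns about earlier in the piece.

```python
"""Zone-policy audit of a firewall rule export.

Added example for this article; it is not code from Ampere Industrial Security
or from the original page. It checks the three measures above mechanically:
no Internet-originated path into the OT zone (and no OT egress to the Internet),
OT as the highest-trust zone, and interactive access into OT only through a host
assumed to enforce MFA. The rule format, the zone address ranges and the
jump-host convention are assumptions made for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Tuple

# Trust ordering, lowest to highest. Anything not mapped below is treated as Internet.
ZONES = {"internet": 0, "enterprise": 1, "dmz": 2, "ot": 3}
ZONE_NETS = {  # constructed address plan
    "enterprise": [ip_network("10.10.0.0/16")],
    "dmz": [ip_network("10.20.0.0/24")],
    "ot": [ip_network("10.30.0.0/16")],
}
INTERACTIVE_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp", 5900: "vnc"}
# The only source permitted to open interactive sessions into OT; assumed to enforce MFA.
MFA_JUMP_HOSTS = [ip_network("10.20.0.10/32")]


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # CIDR; "0.0.0.0/0" stands for the Internet
    dst: str
    dport: int    # 0 means any port
    action: str   # "allow" or "deny"


def zone_of(cidr: str) -> str:
    """Map a CIDR to a zone; unmapped address space is treated as untrusted Internet."""
    net = ip_network(cidr, strict=False)
    for zone, nets in ZONE_NETS.items():
        if any(net.subnet_of(z) for z in nets):
            return zone
    return "internet"


def via_mfa_jump_host(cidr: str) -> bool:
    net = ip_network(cidr, strict=False)
    return any(net.subnet_of(j) for j in MFA_JUMP_HOSTS)


def audit(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (rule name, finding) for every allow rule that violates the zone policy."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        sz, dz = zone_of(r.src), zone_of(r.dst)
        if dz == "ot" and sz == "internet":
            findings.append((r.name, "Internet-originated traffic allowed into OT"))
        elif sz == "ot" and dz == "internet":
            findings.append((r.name, "OT zone has a direct path to the Internet"))
        elif dz == "ot" and r.dport in INTERACTIVE_PORTS and not via_mfa_jump_host(r.src):
            findings.append((r.name, f"{INTERACTIVE_PORTS[r.dport]} into OT from {r.src} bypasses the MFA jump host"))
        elif ZONES[sz] < ZONES[dz] and r.dport == 0:
            findings.append((r.name, f"any-port allow from lower-trust {sz} into {dz}"))
    return findings


def failing_rules(rules: List[Rule]) -> List[str]:
    return [name for name, _ in audit(rules)]


# Constructed rule export for the example.
SAMPLE_RULES = [
    Rule("r1", "0.0.0.0/0", "10.30.5.20/32", 502, "allow"),      # Modbus PLC reachable from the Internet
    Rule("r2", "10.10.0.0/16", "10.30.0.0/16", 3389, "allow"),   # RDP into OT from the whole enterprise LAN
    Rule("r3", "10.20.0.10/32", "10.30.0.0/16", 22, "allow"),    # SSH into OT only from the MFA jump host
    Rule("r4", "10.30.0.0/16", "10.20.0.50/32", 4840, "allow"),  # OPC UA from OT out to a DMZ historian
    Rule("r5", "10.10.0.0/16", "10.20.0.0/24", 0, "allow"),      # any-port from enterprise into the DMZ
    Rule("r6", "10.30.0.0/16", "0.0.0.0/0", 443, "allow"),       # OT egress straight to the Internet
    Rule("r7", "0.0.0.0/0", "10.30.0.0/16", 0, "deny"),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

Run against the constructed export, the audit flags r1, r2, r5 and r6 and accepts r3 and r4: the jump-host SSH rule passes because its source is the MFA host, and the OT-to-DMZ historian rule passes because it flows from higher to lower trust. Treating unmapped address space as Internet is deliberate; a rule whose source the zone map does not recognise should fail loudly rather than be assumed internal.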

“Nation-state APTs are still largely using ‘Living Off the Land’ techniques, exploiting known vulnerabilities and trusted tools to infiltrate environments,” Crow said. “So without that detailed information about their assets readily available, organizations would be scrambling to understand if and where their environments are impacted when a vulnerability or supply chain issue arises.”
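Crow's point is that an inventory which records vendor, product and version per asset lets an organization answer "are we affected, and where" the moment an advisory lands. The script below is an added example for this article, not code from Industrial Defender or from the original page: it resolves a constructed advisory's affected-version ranges against a constructed inventory export. The CSV layout, the advisory fields and the version scheme are all assumptions made for the example.

```python
"""Match an OT asset inventory against a vulnerability advisory.

Added example for this article; it is not code from Industrial Defender or from
the original page. It shows why the inventory needs vendor, product and version
per asset: with those fields, an advisory's affected-version ranges can be
resolved to a list of impacted assets and zones instead of a manual search.
The inventory rows, the advisory ranges and the version scheme are all
constructed for the example.
"""
import csv
import io
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed inventory export: one row per asset, as a scanner or agent might produce.
INVENTORY_CSV = """\
asset_id,zone,vendor,product,version
plc-01,ot,VendorA,PLC Firmware,2.8.1
plc-02,ot,VendorA,PLC Firmware,2.9.0
hmi-01,ot,VendorB,HMI Runtime,17.0.1-sp1
hist-01,dmz,VendorB,Historian,5.2.0
eng-01,ot,VendorA,Engineering Workstation,2.8.1
"""


@dataclass(frozen=True)
class AffectedRange:
    vendor: str
    product: str
    introduced: str          # first affected version, inclusive
    fixed: Optional[str]     # first fixed version, exclusive; None means no fix published


# Constructed advisory with two affected products.
ADVISORY = [
    AffectedRange("VendorA", "PLC Firmware", "2.0.0", "2.9.0"),
    AffectedRange("VendorB", "HMI Runtime", "17.0.0", None),
]

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)")


def version_key(version: str) -> Tuple[int, ...]:
    """Leading dotted numeric part of a version string, as a comparable tuple.

    Vendor firmware strings rarely follow semver ("V17.0 SP1", "2.8.1-r3"), so only
    the numeric prefix is compared; anything after it is ignored on purpose.
    """
    m = _VERSION_RE.match(version.strip().lstrip("vV"))
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def in_range(version: str, rng: AffectedRange) -> bool:
    """True if version lies in [introduced, fixed), or at/after introduced when no fix exists."""
    key = version_key(version)
    if key < version_key(rng.introduced):
        return False
    return rng.fixed is None or key < version_key(rng.fixed)


def affected_assets(inventory_csv: str, advisory: List[AffectedRange]) -> List[Tuple[str, str, str, Optional[str]]]:
    """Return (asset_id, zone, version, fixed_version) for every row an advisory range covers."""
    hits = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        for rng in advisory:
            if (row["vendor"], row["product"]) == (rng.vendor, rng.product) and in_range(row["version"], rng):
                hits.append((row["asset_id"], row["zone"], row["version"], rng.fixed))
    return hits


if __name__ == "__main__":
    for asset_id, zone, version, fixed in affected_assets(INVENTORY_CSV, ADVISORY):
        remedy = f"upgrade to {fixed}" if fixed else "no fix yet: isolate and monitor"
        print(f"{asset_id} ({zone}) running {version}: {remedy}")
```

On the constructed data this returns plc-01 (inside the fixed range) and hmi-01 (no fix yet), and correctly leaves out plc-02, which already runs the first fixed release. Two caveats for real use: the comparison is prefix-only, so a "2.8" entry sorts before "2.8.1", and real advisories express affected versions in vendor-specific ways that a one-line regex will not always capture; the inventory field that matters most is still an exact version string per asset.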

The experts also looked into the impact of the attacks in the wake of the Russia-Ukraine war with the use of multiple tools, notably wipers, against critical infrastructure installations in their region.

“None that I am aware of. At best, nothing is happening, at worst, something is happening, but the operator is not aware of it,” Butrimas said. “Just as the operators of that petrochemical plant realised one day that their control environment had been compromised for months before the event occurred.”

Likewise, Miller pointed out that there were none in North America at this time.
