House Homeland Committee galvanizes cyber defenses for securing US critical infrastructure against Russian cyber threats

The U.S. House of Representatives Committee on Homeland Security met on Tuesday at a joint subcommittee meeting to consider mobilizing the nation’s cyber defenses to secure critical infrastructure against Russian cyber threats.

The witnesses included Adam Meyers, senior vice president for intelligence at CrowdStrike, Steve Silberstein, chief executive officer at Financial Services Information Sharing and Analysis Center, Kevin M. Morley, manager for federal relations at American Water Works Association, and Amit Yoran, chairman and chief executive officer at Tenable.

“Over the past decade, Russia has demonstrated its ability and willingness to use cyber tools to advance its global agenda,” Ritchie Torres, a Democrat from New York and vice-chair of the Committee, said in his opening statement at the hearing on Tuesday. “It has used its neighbors in Eastern Europe as testbeds for deploying its cyber capabilities to interfere with elections, spread disinformation, and disrupt critical infrastructure. In 2015 and 2016, for example, Russian hackers temporarily knocked out power to over 200,000 Ukrainians. In 2017, Russia unleashed NotPetya to disrupt Ukraine’s financial system, but the malware affected networks across critical infrastructure sectors globally, including in the United States,” Torres added.

Russia’s willingness to deploy its cyber capabilities against the United States is well-documented. Since at least 2008, the intelligence community has warned of Russia’s formidable cyber capabilities in its annual threat assessment, Torres said. “In 2017, the Intelligence Community concluded that the Russian government had attempted to interfere in the 2016 Presidential elections – engaging in both information operations and targeting election infrastructure,” he added. 

“The following year, DHS and FBI warned entities in a range of sectors — from energy and aviation to water and critical manufacturing — that the Russian government was attempting to gain access to their networks,” according to Torres. “Despite these warnings, the Federal Government and its private sector partners have been slow to chart an enduring course for strategic partnership,” he added.

Torres was further pleased “to see the President’s budget proposed a new competitive grant program aimed at raising the cybersecurity posture of certain critical infrastructure sectors. Finally, the Federal Government and the private sector must work together to harness the security gains realized as we defend against Russian cyber threats in order to establish a new, heightened security baseline,” he added.

A recent assessment of an available search engine for internet-connected devices revealed that more than 28,000 Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems are directly accessible from the internet, Yoran wrote in his written statement. “While not directly accessible from the Internet, countless more can be accessed via increasingly popular service portals, which can themselves be compromised. Combine that with human error and frequency of poorly configured software, and the rapid connectivity required to keep today’s OT environments running efficiently, we may be entering an era which exponentially hastens systemic cybersecurity failures. Systems that are interconnected in ways they weren’t designed leads to complexity and breeds insecurity,” he added.

Yoran also highlighted that these systems, and other OT technologies used in critical infrastructure environments, are notoriously difficult to patch because systems may have to be taken down and thoroughly tested each time an update is made. “Existing operating models for most OT environments, such as power plants, gas pipelines, and manufacturing plants, leave little margin for downtime. These companies have historically tried to reduce their exposure by highly segmenting their environments, but the increase of IT/OT convergence is making segmentation less effective, resulting in systems that can’t be patched or secured as targets,” he added.

“Furthermore, many critical infrastructure organizations still fail to segment their IT and OT environments,” Yoran said. “There are increasingly compelling business reasons to create interconnection points between these environments, but doing so without an appreciation of the consequences such actions represent can result in system risks which are not understood,” he added.

“AWWA strongly values collaboration and information sharing with our federal partners to address the dynamic nature of the cyber threats facing our critical infrastructure systems,” Morley wrote in his testimony before the House Committee on Homeland Security. “Recent federal recommendations on how to mitigate Russian cyber threats have been invaluable. The water sector has actively participated in multiple briefings provided by the Cybersecurity and Infrastructure Security Agency (CISA) and U.S. Environmental Protection Agency (EPA) that illuminate the evolving threat environment and help professional organizations, such as AWWA, build awareness among members,” he added.

Working with sector partners, EPA reached out to 58,000 water systems collectively serving about 300 million Americans regarding cyber threat concerns at the end of December 2021, according to Morley. “This led to several sector-level briefings hosted by EPA to share information on Russian cyber threat activity. The associated advisories have been shared across multiple communication platforms to ensure the widest possible distribution to water utility owners and operators,” he added. 

AWWA recognizes the cybersecurity challenge and is committed to establishing a new paradigm for cybersecurity governance in the water sector, Morley wrote. “We believe a new approach is necessary, one that recognizes the technical and financial challenges facing the sector and sets minimum cybersecurity standards for all types of water systems. A tiered risk- and performance-based requirements model similar to the approach used in the electric sector under the auspices of North American Electric Reliability Corporation (NERC) would underpin this approach in the water sector. An entity similar to NERC would be created in the water sector to lead the development of the requirements using subject matter experts from the field,” he added.

“As I write this statement, the financial sector has not experienced an increased level of cyberattacks coming from Russia. Of course, we are always tracking ‘background noise’ in terms of low-level cyberattacks, mostly from threat actors scanning for vulnerabilities,” Silberstein, CEO of Financial Services Information Sharing and Analysis Center, wrote in his testimony. “However, outside of the conflict zone, we are not seeing any significant uptick in attacks attributable to any specific geography or threat actor. I reiterate that this assessment holds true as I prepare to deliver this statement to the Committee, but we are always on the watch in the event this changes,” he added. 

Fortunately, “the sector’s ability to thwart such attacks has evolved in tandem, and the financial system remains attentive to and is well-prepared to defend against potential sophisticated Russian cyber-attacks,” according to Silberstein.

Since long before the current conflict in Ukraine, U.S. national security officials and cybersecurity industry analysts have raised concerns about Russia’s demonstrated capabilities and potential intentions to attack U.S. critical infrastructure, Meyers of CrowdStrike wrote in his written testimony. “Periodic breaches of operators in this space, attributed to Russia-nexus actors, illustrate that U.S. infrastructure could at least be held at risk, and possibly attacked, degraded, and destroyed, during a time of heightened geopolitical tensions. As the war in Ukraine drags on without Russia achieving its political objectives, and as sanctions by the U.S. and allies mount in scope and impact, the risk of such attacks becomes more acute,” he added.

Last month, U.S. President Joe Biden warned of the potential of Russian cyber attacks against U.S. critical infrastructure owners and operators, in response to the economic sanctions imposed following the invasion of Ukraine. The latest warning comes in the wake of ‘evolving intelligence’ that the Russian government is exploring options for potential cyberattacks.

In addition, the U.S. Department of Homeland Security (DHS) received a letter from a bipartisan group of 22 senators requesting a briefing on the department’s efforts to protect the nation’s public and private sector enterprises from the Russian government’s cyber and disinformation threats.
