Need for critical infrastructure sector to shore up cyber defenses, amid geopolitical tensions

The recent trend of using cyberattacks to target critical infrastructure networks has pushed the U.S. administration to prepare for potential cyberattacks since November while working towards shoring up cyber defenses at home. Such attacks have increased in the wake of increasing geopolitical tensions brought about by Russia’s potential invasion of Ukraine, prompting the U.S. government to intensify its support to Ukraine, specifically to its network defenders. 

Anne Neuberger, deputy national security advisor for cyber and emerging technology at the National Security Council

The U.S. government believes that Russian hackers have likely targeted the Ukrainian government, including military and critical infrastructure networks, to collect intelligence and pre-position to conduct disruptive cyber activities, Anne Neuberger, deputy national security advisor for cyber and emerging technology at the National Security Council, said in a media briefing on Friday. “These disruptive cyber operations could be leveraged if Russia takes further military action against Ukraine. We’ve seen troubling signs of malicious cyber activity in the last month. Earlier this week, we saw a kind of cyberattack known as a DDoS attack that overloads online services at the Ukrainian Ministry of Defense and state-owned banks,” she added.

Back home, the U.S. administration has also coordinated extensive outreach by agencies with the private sector, specifically private sector owners and operators of critical infrastructure, Neuberger said. “In that outreach, departments and agencies have gone to unprecedented and extraordinary lengths to share sensitive information and, most importantly, to outline specific steps companies can take to make their systems more secure,” she added.

These cyberattacks prompted officials from multiple U.S. agencies to meet with executives from big U.S. banks to discuss how they might respond to Russian hacking threats, as U.S. officials warn that Russia could invade Ukraine at any time, five people briefed on the meeting told CNN.

Industrial cybersecurity firm Dragos identified fresh activity from the Xenotime threat group a couple of months ago, when the Ukraine tension really started. Robert M Lee, the company’s CEO and co-founder, said in a recent online discussion that the group began carrying out reconnaissance against key electric and liquefied natural gas sites in the U.S. At the time, Dragos informed federal partners about the activity. Xenotime is known for the TRISIS malware, which was used in a 2017 cyberattack that crippled an industrial plant reportedly located in the Middle East, intentionally compromising and disrupting its safety instrumented systems, which led to scenarios involving loss of life and environmental damage.

Robert M Lee, CEO and co-founder at Dragos

The Dragos alert prompted the U.S. government to issue an alert that “if the Ukraine conflict kicks off, there may be cyberattacks back on U.S. critical infrastructure,” Lee said. “That is in line with what we would assess and see as well. We are not saying that those organizations are compromised currently, we are not saying that there is Russian malware employed across the electric systems or that kind of hyped-up stories that go out there. But based on nothing more than the targeting that we see and the reconnaissance that we see, it is very clear that that adversary is capable and interested in very specific key U.S. sites,” he added.

Mandiant expressed concern that “as the situation escalates, serious cyber events will not merely affect Ukraine,” Sandra Joyce, executive vice president and head of Mandiant Intelligence, wrote in a company blog post. “The U.S. and Europe have seen wave after wave of attempts to burrow into our sensitive critical infrastructure—attempts we believe were designed to prepare for a scenario such as the crisis that is unfolding in Ukraine today. Without a doubt, the threat they pose is serious, especially for the defenders tasked with defending their networks from some of the most formidable intelligence services on the planet,” she added.

Sandra Joyce, executive vice president and head of Mandiant Intelligence

NERC’s Electricity Information Sharing and Analysis Center (E-ISAC) also put out a cybersecurity industry alert that said it was “closely following events between Russia and Ukraine and encourages electricity organizations to take additional precaution to secure their systems now.” It further directed electric asset owners and operators to CISA’s recent ‘Shields Up’ page for recommended security actions.

Industrial Cyber reached out to industry experts to evaluate how prepared critical infrastructure networks are as cyber warfare appears to take shape, and to identify cyber defenses that can be carried out immediately to augment cybersecurity within the critical infrastructure sector in the shortest possible time.

Jim Crowley, CEO at Industrial Defender

The preparation is varied by vertical, size of the organization, and balance sheet, Jim Crowley, CEO at Industrial Defender, told Industrial Cyber. “Large investor-owned utilities have invested quite a bit as required by their regulators and many have the capital to continue to invest in defensive programs including people, process, and technology. Other parts of critical infrastructure, such as water, have traditionally had limited funds to invest in cyber. Mid-size oil and gas firms are just starting their cyber journey and truly critical pieces of our infrastructure are at risk as demonstrated by the Colonial Pipeline incident,” he added.

Sid Snitkin, vice president for cybersecurity services at ARC Advisory Group, said that sophisticated attacks on manufacturers and critical infrastructure operators have changed security requirements. “Yesterday, most industrial facilities could get by with basic OT cybersecurity programs designed to protect operations from general hackers and malware floating around the internet. Today, every facility needs an OT cybersecurity program that can deal with ransomware and targeted attacks by sophisticated adversaries,” he added. 

Sid Snitkin, Ph.D. VP for cybersecurity services at ARC Advisory Group

Digital transformation is another development that requires better OT cybersecurity, Snitkin said. “Industrial companies can be excused for the fact that initial OT cybersecurity investments did not anticipate these developments or the rapid pace of technological change. But there is no excuse for continuing to operate with weak OT cyber defenses. A single incident could jeopardize worker safety, product quality, regulatory compliance, and operational continuity,” he added.

Dismissing the idea that the threat of cyberwar is merely looming, Crowley said that “it has been here for 10+ years. China has been stealing intellectual property, Russian government has meddled in our elections, and Russian gangs have moved from stealing PII to brazen ransomware attacks.”

The biggest challenge is denial and boards not truly understanding the risk until they are hit, Crowley added.

Mandiant’s Joyce said that after attacking the U.S. and French elections, Western media, the Olympics, and many other targets with limited repercussions, Russia is emboldened to use their most aggressive cyber capabilities throughout the West. “While they are unlikely to engage the West in combat, these tools give Russia the means to aggressively compete with others without risking open armed conflict. Should U.S. and allies deploy sanctions in the event of a full invasion, the risk of this only increases,” she added.

The rising instances of cyberattacks and the need to build cyber defenses have prompted a re-assessment of whether cyber warfare is more challenging than the other cybersecurity threats faced by the critical infrastructure sector.

Crowley said that “they will use the same tools and tactics, it will just be on a greater scale.”

Snitkin said that cyber warfare would fall under the category of sophisticated attacks. “Passive defenses can make it harder for these kinds of attackers to get into systems, but well-funded, focused, nation-state attackers, will still be able to find a way to compromise any system. So all industrial companies need to ensure that they have continuous monitoring of every system and rapid response to any anomalous event. The technology to do this is readily available, but the resources remain a major obstacle. That’s why we suggest companies converge their IT and OT cybersecurity programs,” he added.

Looking at proactive measures and cyber defenses that critical infrastructure installations can immediately carry out to augment cybersecurity in the shortest possible time and deal with rising instances of cyberattacks, Crowley said that “our adversaries need to be warned that this is not a one-way street. The US and our allies need to be prepared to go on the offensive and take out their infrastructure and release embarrassing information on the regimes behind these tactics,” he added.

Passive defenses can never stop all attacks, regardless of how well they are maintained, according to Snitkin. “Companies need Anomaly and Breach Detection solutions that rapidly detect intrusions and give defenders time to respond before attackers wreak havoc. Companies should have solutions that detect anomalous behaviors within assets and network communications,” he added.

Mandiant is imploring its customers and community to prepare for disruptive and destructive attacks, similar to those that have recently transpired in Ukraine, Joyce said. “We are concerned about scenarios like a destructive attack that leverages broad access from the software supply chain or other means to gain access to multiple networks simultaneously,” she added. 

Even an automated, simplistic data wiping attack at this scale could have serious consequences for public and private networks, but those consequences are not a foregone conclusion, Joyce said. “Many of the same steps defenders might take to harden their networks against ransomware crime will serve to prepare them for a determined state actor, if they take them now,” she concluded.
