President Biden cites ‘evolving intelligence’ to warn critical infrastructure sector of potential Russian cyberattacks

U.S. President Joe Biden has asked critical infrastructure owners and operators to improve domestic cybersecurity and bolster national resilience. The latest warning comes in the wake of ‘evolving intelligence’ that the Russian government is exploring options for potential cyberattacks. As most of the nation’s critical infrastructure is owned and operated by the private sector, it is for these environments ‘to act to protect the critical services on which all Americans rely.’

“I have previously warned about the potential that Russia could conduct malicious cyber activity against the United States, including as a response to the unprecedented economic costs we’ve imposed on Russia alongside our allies and partners,” President Biden said in a statement issued by the White House on Monday. “It’s part of Russia’s playbook. Today, my Administration is reiterating those warnings based on evolving intelligence that the Russian Government is exploring options for potential cyberattacks,” he added.

“My Administration will continue to use every tool to deter, disrupt, and if necessary, respond to cyberattacks against critical infrastructure,” President Biden said. “But the Federal Government can’t defend against this threat alone. Most of America’s critical infrastructure is owned and operated by the private sector and critical infrastructure owners and operators must accelerate efforts to lock their digital doors,” he added. 

President Biden, pointing to the various measures taken by his administration, said that it “has worked to strengthen our national cyber defenses, mandating extensive cybersecurity measures for the Federal Government and those critical infrastructure sectors where we have authority to do so, and creating innovative public-private partnerships and initiatives to enhance cybersecurity across all our critical infrastructure.”

President Biden also cited that Congress has partnered “with us on these efforts — we appreciate that Members of Congress worked across the aisle to require companies to report cyber incidents to the United States Government.” 

Earlier this month, the Congress passed the Cyber Incident Reporting bill that requires critical infrastructure owners and operators to report cyber incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA). The $1.5 trillion government funding bill was subsequently signed into law by President Biden last week.

The U.S. has 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the nation that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof. Typically, these sectors are made up of the vast network of highways, connecting bridges and tunnels, railways, utilities and buildings necessary to maintain normalcy in daily life. Transportation, commerce, clean water and electricity also rely on these vital systems.

With the intention of bolstering America’s cybersecurity over the long term, the Biden administration encourages technology and software companies to build security into their products from the ground up — “bake it in, don’t bolt it on” — to protect intellectual property and customers’ privacy, according to a Fact Sheet issued by the Biden-Harris Administration on Monday. It also called for software development on highly secure and accessible systems, making it much harder for an intruder to jump from system to system and compromise a product or steal intellectual property. It also sought the adoption of modern tools to check for known and potential vulnerabilities. 

As software developers are responsible for all code used in their products, including open source code, they must make sure that the provenance (i.e., origin) of components they are using and have a ‘software bill of materials.’ The U.S. also wants the implementation of the security practices mandated in the President’s Executive Order. Pursuant to that EO, all software the U.S. government purchases is now required to meet security standards in how it is built and deployed.

The U.K.’s National Cyber Security Centre (NCSC) supports President Biden’s call for increased cybersecurity vigilance among organizations in response to Russia’s unprovoked, illegal and unnecessary invasion of Ukraine.

“In heightened periods of international tension all organisations should be vigilant to cyber risks, and for several months the NCSC has been advising organisations to bolster their cyber security,” the NCSC said in a statement. “For several months, the NCSC has been advising organisations to bolster their cyber security due to the heightened risk resulting from Russia’s aggression towards Ukraine,” it added.

“Today’s remarks by President Biden warning of potential cyberattacks from Russia should come as no surprise to anyone. Cybersecurity has and will continue to play a central role in armed conflict,” Amit Yoran, CEO of Tenable said in an emailed statement. “For months, governments around the world have issued stark warnings to batten down the cyber hatches,” he added.

“Critical infrastructures, largely operated by the private sector, are a significant target. The world we live in relies on these digital systems — everything from the water we drink to the electricity we use to heat our homes. We cannot afford to leave this infrastructure vulnerable,” according to Yoran. “The main takeaway from the president’s statement: organisations need to roll up their sleeves and secure their systems before it’s too late. We have a responsibility and duty of care, especially in turbulent times, to protect ourselves,” he added. 

“Our government must continue communicating this type of information so industry can take steps to heighten security awareness and take action to reduce security risks,” Mark Carrigan, senior vice president for process safety and OT cybersecurity at Hexagon PPM, wrote in an emailed statement. “The announcement contains many practical steps organizations should follow to improve security, but there is one recommendation that taken too extreme actually poses a threat to our critical infrastructure,” he added.  

Carrigan also pointed out that the recommendations provided in the statement to ‘…make sure that your systems are patched and protected against all known vulnerabilities…’ is not “realistic for Operational Technology (OT) that enables our electric, water and pipeline sectors. Many of these patches are not compatible with the underlying OT infrastructure, and if implemented, could actually cause OT systems to fail. We suggest that this recommendation be tempered to recognize the technical limitations that exist on the vast majority of OT networks,” he added.

The Department of Homeland Security’s CISA has been actively working with critical infrastructure owners and operators to rapidly share information and mitigation guidance to help protect their systems and networks. Since the start of increased geopolitical tensions brought about by Russia’s potential invasion of Ukraine, U.S. security agencies have issued a number of advisories warning the critical infrastructure sector of potential cyberattacks. 

The CISA issued last month a ‘Shields Up’ alert warning that “the Russian government understands that disabling or destroying critical infrastructure — including power and communications — can augment pressure on a country’s government, military and population and accelerate their acceding to Russian objectives.”  

U.S. security agencies warned industrial control systems and OT operators in January to implement cybersecurity measures to protect against potential critical threats, following reports of the WhisperGate malware wiping out data on Ukrainian computers in a coordinated attack. Additionally, CISA warned critical infrastructure installations of malicious hackers, using influence operations to shape public opinion, undermine trust, amplify division, and sow discord. 

In the wake of rising cybersecurity threats emerging from the current geopolitical situation, further adding to the cybersecurity challenges brought about to these environments, industrial cyber insurance premiums continue to rocket. 

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.