Over the last few weeks, the US government consistently sounded the alarm about the threats our critical infrastructure will face if cyber-attacks become a foundational part of Russian aggression as their invasion of Ukraine intensifies.
The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) alerted American companies to the threat of cyber-attacks from Russian threat actors as soon as Russia invaded Ukraine. Multiple advisories, sometimes released jointly with the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA), urged critical infrastructure organizations, in particular, to get their “shields up.”
However, the resounding quiet on the cyber front has also left some feeling like this may be unnecessary. Recent news now suggests that many believe a debilitating cyber-attack from Russia is unlikely.
But the reality is that Russian threat actors have attacked US critical infrastructure with significant impact (i.e., SolarWinds, Colonial Pipeline). In fact, the same article that suggests there will not be a catastrophic cyber-attack from Russia goes through a long list of effective attacks against US critical infrastructure. With such clear and recent examples of highly successful cyber-attacks, coupled with the current state of the world, it seems astonishing that we are not emphasizing the need to use this “quiet moment” to improve protection and prepare.
As part of the government’s response to the myriad of successful cyber-attacks against federal government and critical infrastructure systems over the past year, CISA now maintains a catalog of nearly 500 critical vulnerabilities to prioritize what organizations need to patch immediately. A week after the Russian invasion started, 95 vulnerabilities were added to the list.
These resources are helpful, but we know that many critical infrastructure organizations are short-staffed and already working hard to keep basic cyber defense measures up to date. That’s why critical infrastructure executives need to know more than which vulnerabilities are important overall. They need to know which ones are most prevalent across their sector, which ones are in their networks or tools and if Russian actors have previously exploited these exposures or vulnerabilities.
Armed with this information, critical infrastructure executives can develop a better strategy and action plan to reduce their cyber-risk and protect their organization. Foundationally, our recommendation is to align to the NIST Cyber Security Framework (CSF) functions – identify, protect, detect, respond and recover. As the Framework suggests, executives across critical infrastructure need to have visibility of their entire ecosystem and understand their attack surface. Visibility is the key to building resilience internally across IT/OT (operational technology) systems and across the often-overlooked external view of an organization’s attack surface, thus creating a holistic picture of the company’s risk.
Achieving visibility then illuminates gaps, especially those where organizations can surgically deploy solutions to fill key gaps and highlight budgetary needs along the critical path.
From an executive’s perspective, this should ladder up to business decisions, prioritized and actionable. For example, more than 20% of the energy sector and a portion of the financial services sector in the US are currently infected with the Pony botnet (Ponyloader). Affiliated with Russian threat actors, this botnet is known for its success at stealing credentials, including secure shell and remote desktop usernames and passwords. If you are an executive in one of these sectors, identifying if you’re infected with Pony and where that is within your network is essential. Executives should be directing their teams to detect and respond to these infections, recover infected machines and deploy additional security to protect these company assets from future infections.
As Russia continues its war against Ukraine, the threat of Russian-affiliated cyber-attacks is simply too real to ignore. Understanding an organization’s attack surface and the current threat landscape enables leaders to quickly evaluate their organization’s cyber posture and direct resources where they’re the most impactful. While the cyber situation for critical infrastructure may feel anti-climactic, we should not waste this opportunity to improve our defenses and prepare.
We know with certainty that our adversaries are actively gathering intelligence and reading the battlefield – what actions executives within the critical infrastructure sector take next to identify, protect and defend their battlespace will ultimately impact our collective national security.