State of the Industry: Russia-backed Cyberattacks are Targeting the Country’s Critical Infrastructure
Russia has shown us the damage it’s capable of inflicting.
In April, Russian hackers hit a Ukrainian energy company with malware that, had it successfully destroyed the targeted computers, would have caused a blackout for 2 million people.
A suspected Russian hacker in December of 2015 successfully attacked a Ukrainian power grid, knocking out power for more than 200,000 consumers for hours.
And, of course, there was the Russian-backed attack against Colonial Pipeline here in the United States in May 2021, which shut down the company’s distribution operations and led to fuel shortages along the East Coast.
Unfortunately, as the recent warnings indicate, we know the Russians are escalating their cyber activities against American critical infrastructure, including our electric grid. And the potential for another successful attack leading to another round of shortages or power outages exists.
Utility owners and operators report that they are seeing more scans against their firewalls and external-facing web application services, both indications that hackers are looking for open ports and known vulnerabilities that haven’t been patched. We know that this kind of activity is often a prelude to an attack.
The industry is better defended than it was just a year ago, as the Colonial Pipeline attack served as a real wake-up call for many. As a result, we saw many utilities strengthen their cybersecurity postures by investing in their security teams, tools and policies.
But those investments aren’t enough to adequately harden security at all – or even most – of the critical infrastructure entities in this country.
In fact, researchers with Gartner have estimated that “less than 30% of U.S. critical infrastructure owners and operators will meet newly-mandated government security requirements for cyber-physical systems” through 2026.
We must recognize that for too long the industry has had a culture of running extremely lean, which in turn, has led to a chronic underinvestment in security. At the same time it continues to run operations on legacy systems that cannot be patched.
That combination has left utilities overly vulnerable to attacks today.
Now is the time to change that.
CISA lists a number of recommendations as part of its Shields Up guidance to organizations. It advises CEOs and other executives to empower their CISOs, include CISOs in decision-making and prioritize security investments. CISA also advises executives to lower reporting thresholds, test their incident response plans, focus on continuity and – ominously – “plan for the worst.”
CISA also recommends a series of proactive defense actions, such as implementing multifactor authentication and prioritizing software updates, to help reduce the likelihood of a damaging cyber intrusion.
Here at Rokster, we endorse such moves and are advising utility owners and operators to tighten their defenses and strengthen their security posture. Those are always necessary moves, but they’re more critical today than ever before given the Russian-backed hacking activities we’re seeing.
Indeed, we’re also recommending that utilities take additional steps, such as:
- disabling nonessential connectivity to business-critical systems
- increasing the security of remote-access capabilities
- increasing the sensitivity of SIEM tools to reduce the threshold for alerting potentially suspicious activities
- paying more attention to anomalies that could hint at compromise
- adding or increasing both endpoint detection and threat detection capabilities
- automating security responses as much as possible to bring speed and efficiency, while decreasing the chance of alert fatigue
- adding staff to ensure the security team has the capacity to perform the work needed today
We’re also advising owners and operators to, first, review their incident response plans and then run drills using them. These two exercises should reveal any shortcomings with the plans, allowing those to be addressed now instead of during an actual event. They also help teams develop some muscle memory and understand the procedures they must follow to ensure continuity and recovery.
Advisors and owners also want to build into their incident response plans the procedures to follow for simultaneously conducting a root cause analysis. This is a critical step that you don’t want to skip. Hackers often return to where they’ve had success, and if you don’t address the vulnerabilities that the hackers exploited the first time, you could find yourself victimized again.
Given the state of the world, we agree with government officials and other security leaders that there’s a high likelihood of attacks. And given the existing vulnerabilities within critical infrastructure, we unfortunately think we could see something like last year’s Colonial Pipeline incident happen again.
However, we don’t accept that as an inevitability. We know that the more actions we take now, the more investments we make in a defense-in-depth security strategy, the better we can get at thwarting attacks – wherever they come from.