U.S. Officials Warn of Russian Threats to Domestic Critical Infrastructure

Top U.S. defense agencies are warning critical infrastructure owners and operators against growing cyberthreats coming from Russian state-sponsored bad actors.

In a Jan. 11, 2022, joint statement, the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, and the National Security Agency all advise “the cybersecurity community—especially critical infrastructure network defenders—to adopt a heightened state of awareness.”

This warning shouldn’t come as a surprise. The Russian government has a well-known history of sponsoring cyberattacks across the globe, and it has been ramping up its activities in recent years. Consider the figures from Microsoft on this front. Its 2021 Digital Defense Report notes that 58% of all cyberattacks observed by Microsoft from nation-states during the prior year came from Russia. Microsoft also reports that the attacks from Russian nation-state actors are increasingly effective – hitting a 32% successful compromise rate in 2021 vs. 21% the year before.

And the top target of these attacks, according to Microsoft? You guessed it: the United States, followed by Ukraine and the United Kingdom.

Russia is not the only country engaged in such activities, with Microsoft pointing out that (after Russia) North Korea, Iran and China are the top state sponsors of hostile cyber actions. Be aware, too, that the hacking groups and troll farms they shelter within their countries use a full range of technologies and tactics to launch all sorts of attacks, from distributed denial-of-service (DDoS) to ransomware to targeted espionage attacks. They will – and do – use any and all capabilities at their disposal to ensure success.

We know that these countries, particularly Russia, engage in state-sponsored cyberattacks for several reasons – namely to conduct espionage (as noted above), gain political influence, disseminate disinformation, and create discord and havoc.

The hacker groups themselves are after the payday.

Take the Colonial Pipeline attack. Authorities named the DarkSide hacking group – a ransomware gang that they believe is based in Russia – as the culprits of the successful May 2021 breach. The Colonial Pipeline CEO told a Senate committee that the company paid $5 million in ransom a day after the attack, which disrupted fuel supplies throughout the Eastern United States.

The damage that these state-sponsored hackers can do is significant. Look at what has happened in Ukraine. Cybercriminals took out the Ukrainian power grid in December 2016, leaving customers throughout the country without power for an hour, while a December 2015 attack knocked out power for nearly 250,000 Ukrainians.

More recently – in fact, just days after the U.S. warning to American entities – Ukraine suffered another crippling attack. This time hackers struck against government agencies, bringing down scores of websites for hours.

European officials blamed Russia for the attack, which suggests with increasing certainty that nation-states are using such tactics not only for political gain but for military purposes as well.

What, then, does this mean for U.S. organizations – and, in particular, the owners and operators of critical infrastructure?

First and foremost, it should sound an alarm. Organizations across all industries – but in particular utilities and other such entities – must realize that the hackers targeting them are organized, highly motivated and well-funded. They should know that these hackers plan their tactics, techniques and procedures in advance so that they have the best chance of success when they execute.

Second, this should be seen as a call to action.

CISA, the FBI and the NSA say as much in their advisory, telling entities, their executives and their security teams to – in their exact words –

  • Be prepared. Confirm reporting processes and minimize personnel gaps in IT/OT security coverage. Create, maintain, and exercise a cyber incident response plan, resilience plan, and continuity of operations plan so that critical functions and operations can be kept running if technology systems are disrupted or need to be taken offline.
  • Enhance your organization’s cyber posture. Follow best practices for identity and access management, protective controls and architecture, and vulnerability and configuration management.
  • Increase organizational vigilance. Stay current on reporting on this threat. Subscribe to CISA’s mailing list and feeds to receive notifications when CISA releases information about a security topic or threat.

We agree with all that advice. We also endorse the agencies’ recommendation that security leaders at utilities and other critical infrastructure facilities adopt the MITRE Adversarial Tactics, Techniques, and Common Knowledge (or MITRE ATT&CK for ICS) framework to ensure they’re implementing appropriate safeguards and controls for industrial systems.

Think of this framework as a database of known attack and mitigation techniques. When used to guide security strategies, it helps organizations create more comprehensive defense, detection and recovery plans and thus improves their ability to thwart an attack and to quickly respond to and contain a successful breach.
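The gap analysis this paragraph describes, as an added example that is not part of the original post or of MITRE's own tooling: a small Python script that maps an organization's existing mitigations and detections onto an ATT&CK-style technique list and reports, per tactic, which techniques lack a preventive control, a detection, or both. The technique IDs (TX001 and so on), names, tactics and controls are constructed placeholders for illustration, not real ATT&CK for ICS entries; a real exercise would load the published ICS matrix and the organization's actual control inventory.

```python
"""Coverage-gap check of controls against an ATT&CK-style technique catalogue.

Added illustration only. Every technique ID, name, tactic and control below is
a CONSTRUCTED placeholder, not an entry from MITRE ATT&CK for ICS. The logic
mirrors how such a framework guides a defense plan: each technique an
adversary is known to use should map to at least one mitigation (prevention)
and at least one detection, and anything unmapped is a gap to close.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Technique:
    tech_id: str
    name: str
    tactic: str


@dataclass(frozen=True)
class Control:
    name: str
    kind: str            # "mitigation" or "detection"
    covers: frozenset    # technique IDs this control addresses


# Constructed placeholder catalogue (NOT real ATT&CK for ICS technique IDs).
CATALOGUE = [
    Technique("TX001", "Remote access to engineering workstation", "Initial Access"),
    Technique("TX002", "Modify controller logic", "Impair Process Control"),
    Technique("TX003", "Block reporting message", "Inhibit Response Function"),
    Technique("TX004", "Loss of view", "Impact"),
]

# Constructed placeholder control inventory for a hypothetical utility.
CONTROLS = [
    Control("MFA on remote access gateway", "mitigation", frozenset({"TX001"})),
    Control("Jump-host session logging", "detection", frozenset({"TX001"})),
    Control("Controller write-protect key switch", "mitigation", frozenset({"TX002"})),
    Control("Historian heartbeat alarm", "detection", frozenset({"TX003", "TX004"})),
]


def coverage(catalogue, controls):
    """Map each technique ID to the mitigations and detections that cover it."""
    cov = {t.tech_id: {"mitigation": [], "detection": []} for t in catalogue}
    for c in controls:
        for tid in c.covers:
            if tid in cov:  # controls citing unknown IDs are ignored, not an error
                cov[tid][c.kind].append(c.name)
    return cov


def gaps(catalogue, controls):
    """Techniques missing a mitigation, a detection, or both, grouped by tactic."""
    cov = coverage(catalogue, controls)
    out = defaultdict(list)
    for t in catalogue:
        missing = [k for k in ("mitigation", "detection") if not cov[t.tech_id][k]]
        if missing:
            out[t.tactic].append((t.tech_id, missing))
    return dict(out)


def coverage_score(catalogue, controls):
    """Fraction of techniques that have both a mitigation and a detection."""
    if not catalogue:
        return 0.0
    cov = coverage(catalogue, controls)
    full = sum(
        1 for t in catalogue
        if cov[t.tech_id]["mitigation"] and cov[t.tech_id]["detection"]
    )
    return full / len(catalogue)


def report(catalogue, controls):
    """Human-readable summary suitable for a security steering meeting."""
    lines = [f"Full coverage: {coverage_score(catalogue, controls):.0%} of techniques"]
    for tactic, items in sorted(gaps(catalogue, controls).items()):
        lines.append(f"[{tactic}]")
        for tid, missing in items:
            lines.append(f"  {tid}: missing {', '.join(missing)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(CATALOGUE, CONTROLS))
```

With the constructed inventory, only TX001 is fully covered; TX002 has a preventive control but no way to detect a successful bypass, and the two techniques covered by the historian alarm can be detected but not prevented. Treating "no mitigation" and "no detection" as separate findings matters because the advisory's bullets ask for both: protective controls and the monitoring that feeds the incident response plan.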

The NIST Special Publication (SP) 800-82 Rev. 2 Guide to Industrial Control Systems (ICS) Security as well as the ISO/IEC 27000 series and IEC 62443 for information security management are also effective and worthwhile frameworks to use.

The frameworks have several critical elements in common. They all stress the importance of doing fundamentals – such as vulnerability and patch management – exceedingly well. They also reinforce the need for having robust incident response programs as well as disaster recovery and business continuity plans in place.

A strong security program, however, shouldn’t rely solely on following a framework. Enterprise security leaders must also invest in staff, hiring and training – or contracting – for the skills necessary to implement frameworks and engage in other essential security operations such as threat hunting.

And they should work with their IT and business unit counterparts to ensure the systems within their information technology (IT) and operational technology (OT) environments are modern and still supported by vendors.

Unfortunately, for various reasons, utilities often run operational technologies that are well past end of life with unpatched vulnerabilities – a practice that needs to stop. Similarly, OT cybersecurity practices have lagged behind IT security in maturity. That, too, must change.

Organizations need to develop a defense-in-depth approach to security. Utilities – faced with the threat from Russia and other nation-states – should be at the forefront of taking this action.

We work with such entities to do that, to adopt frameworks and to align framework requirements to each organization’s unique risk profile and security objectives. Taking such action is an imperative, given who the adversaries are today, as CISA, the FBI and the NSA have warned.
