With the Russian invasion of Ukraine, we’ve heard a lot about the threat of cyberattacks. In the lead-up to the war, which started on Feb. 24, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published its Shields Up guidelines. Written for organizations of all sizes, it includes recommendations for those who lead them. And this week, three tech companies joined forces to offer a free suite of products to help keep smaller enterprises safe, under the umbrella of the Critical Infrastructure Defense Project.
But in order to figure out the real risks associated with this conflict, it’s worth distinguishing among the potential types of attack. As of this writing, for example, executives should be worrying less about Russians directly interfering with our water treatment plants and focus more on the potential that ransomware gangs will shut off access to IT networks. Yes, all this could change, but for now, IT networks are likely the weak link.
Bryson Bort, CEO of Scythe and an expert on cybersecurity for industrial control systems, told me on the podcast this week that he views a Russian attack on U.S. infrastructure through operational technology (OT) as unlikely. As he noted, OT attacks on actual infrastructure can have health and safety ramifications — they can cost lives. In that case, we’d likely see a physical response by the U.S., not just a U.S. cyberattack.
It’s unlikely Russia is ready to take that step. What he does caution executives and government officials about is ransomware.
There are several known Russian ransomware gangs, and it’s not hard to imagine them trying to ramp up attacks to generate money for a country that is being gradually cut off financially, an act they could also frame as patriotic. Yes, ransomware attacks can affect the physical world — compromising a company’s IT systems could lead it to shut down its operations — but that is a different scale of attack compared with an attack on OT networks.
Ransomware attacks, such as the one that hit Colonial Pipeline, forcing the company to stop delivering oil to the East Coast, or those that hit hospitals and can lead to stalled surgeries or tests, can disrupt operations, but they can be managed. Instead of a catastrophic equipment failure that poisons the water supply or causes a chemical explosion, when ransomware affects operations it tends to lead to a somewhat controlled shutdown.
Businesses and governments that want to avoid such attacks have options to help protect themselves. This is where the CISA Shields Up recommendations come into play. They include a number of best practices, such as requiring users to have multi-factor authentication in place, ensuring that organizations don’t leave open ports on their network, and making sure that if they use third-party services, those services practice good cyber hygiene.
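One of those Shields Up practices, not leaving ports open, is easy to state and easy to lose track of on a fleet of hosts. The following is an added example (my own code, not from the article or from CISA) of the kind of quick audit a defender can run: it parses the output of Linux `ss -tlnp`, finds TCP listeners bound to every interface, and flags any whose port is not on an allowlist the operator maintains. The sample output and the allowlist of ports 22, 80 and 443 are constructed assumptions for the demonstration.

```python
"""Flag listening TCP services exposed on all interfaces that are not on an allowlist.

Added example, not from the article or CISA. Assumes the column layout of
Linux `ss -tlnp`; the sample below is constructed, not captured from a real host.
"""
import re
import subprocess

# Constructed sample of `ss -tlnp` output (not from a real host).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      4096   127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=1201,fd=5))
LISTEN 0      511    *:80                *:*               users:(("nginx",pid=1402,fd=6))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
LISTEN 0      4096   0.0.0.0:3389        0.0.0.0:*         users:(("xrdp",pid=1500,fd=9))
LISTEN 0      128    0.0.0.0:6379        0.0.0.0:*         users:(("redis-server",pid=1600,fd=6))
"""

# Addresses that mean "every interface" in ss output (IPv4 and IPv6 forms).
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}

_PROC_RE = re.compile(r'\("([^"]+)"')


def parse_ss_listeners(text: str) -> list:
    """Parse LISTEN rows of `ss -tlnp` into dicts: addr, port, process."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # skip the header and anything that is not a listener
        addr, port = fields[3].rsplit(":", 1)  # rsplit keeps IPv6 brackets intact
        m = _PROC_RE.search(line)
        listeners.append({
            "addr": addr,
            "port": int(port),
            "process": m.group(1) if m else "unknown",
        })
    return listeners


def find_exposed(listeners: list, allowed_ports: set) -> list:
    """Return listeners bound to all interfaces whose port is not allowlisted.

    Loopback-only services (127.0.0.1, ::1) are never reported: they are not
    reachable from the network and so are not the 'open port' CISA warns about.
    """
    exposed = [
        l for l in listeners
        if l["addr"] in WILDCARD_ADDRS and l["port"] not in allowed_ports
    ]
    return sorted(exposed, key=lambda l: l["port"])


def audit_live_host(allowed_ports: set) -> list:
    """Run `ss -tlnp` on this host and audit it (Linux only)."""
    out = subprocess.run(["ss", "-tlnp"], capture_output=True, text=True, check=True).stdout
    return find_exposed(parse_ss_listeners(out), allowed_ports)


if __name__ == "__main__":
    # Audit the constructed sample; swap in audit_live_host({...}) on a real host.
    for entry in find_exposed(parse_ss_listeners(SAMPLE_SS_OUTPUT), {22, 80, 443}):
        print(f"exposed: port {entry['port']} ({entry['process']}) on {entry['addr']}")
```

On the sample data the audit reports the RDP listener on 3389 and the Redis listener on 6379, while PostgreSQL on 127.0.0.1 is ignored. In practice the allowlist should be per host role and the output fed to whatever ticketing or SIEM pipeline the organization already uses, so that a newly exposed port is noticed the day it appears rather than during the next annual review.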
In addition to hardening their infrastructure, businesses and governments need to monitor it. For those that have operations in Ukraine or are working with Ukrainian organizations, CISA recommends taking extra care to monitor, inspect, and isolate traffic from those organizations, and closely review access controls for that traffic.
All businesses and governments should have a plan in place to deal with an attack, including having a pre-selected team ready with the resources they need to respond to one. Such resources will be different for an IT attack than they would be for an OT attack. They will moreover need a resiliency plan to ensure that if there is an attack, their operations will be able to continue and their data will not be lost. And that plan should not just be created, but tested.
That means they should have data backups and isolated networks to which they can shift their operations. Businesses in industrial settings, meanwhile, should conduct manual tests of all controls to ensure critical functions stay stable.
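A backup that has never been restored is an assumption, not a plan, which is the point of the "not just created, but tested" advice above. The following is an added example (my own code, not from the article or any vendor mentioned in it) of a small restore drill: it records a SHA-256 manifest of every file at backup time, then checks a restored copy against that manifest and reports files that are missing, altered, or unexpected. The directory tree, file contents and the simulated restore defects are all constructed inside a temporary directory so the drill runs offline.

```python
"""Backup restore drill: hash every file at backup time, verify the restored copy.

Added example, not from the article or CISA. All data is constructed in a
temporary directory; nothing on the real filesystem is touched.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, with / separators) to its digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest taken at backup time.

    'missing' and 'modified' mean the restore cannot be trusted; 'unexpected'
    files are not a data-loss problem but indicate the restore target was not clean.
    """
    report = {"ok": [], "missing": [], "modified": [], "unexpected": []}
    for rel, digest in manifest.items():
        p = restored_root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_file(p) != digest:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["unexpected"] = sorted(set(build_manifest(restored_root)) - set(manifest))
    return report


def run_restore_drill() -> dict:
    """Constructed drill: back up a small tree, damage the restored copy, verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src, backup, restored = base / "src", base / "backup", base / "restored"
        # Constructed 'production' data.
        (src / "config").mkdir(parents=True)
        (src / "config" / "app.ini").write_text("mode=prod\n")
        (src / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "notes.txt").write_text("call vendor\n")
        # Take the backup and record the manifest alongside it.
        shutil.copytree(src, backup)
        manifest = build_manifest(backup)
        # Restore to a fresh location, then simulate three restore defects:
        # a file silently altered, a file lost, and a stray file on the target.
        shutil.copytree(backup, restored)
        (restored / "ledger.csv").write_text("id,amount\n1,999\n")
        (restored / "notes.txt").unlink()
        (restored / "stray.tmp").write_text("x")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for category, files in run_restore_drill().items():
        print(f"{category:10s} {files}")
```

The manifest should be stored with the backup but also somewhere the backup job cannot overwrite, such as an append-only log, so that ransomware which encrypts the backup set cannot also rewrite the record used to check it. Running a drill like this on a schedule, against a restore into an isolated network segment, turns the resiliency plan into something the incident-response team has actually exercised.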
Ideally, it wouldn’t take one country invading another for organizations to create, implement, and test such plans. But here we are. And efforts like the Critical Infrastructure Defense Project can help. Under the umbrella of that project, Cloudflare, Ping Identity, and CrowdStrike have teamed up to offer many of these elements as part of a packaged suite of services. The services will be free for at least the next four months, which should help more organizations harden their cyber defenses.
Given how interconnected our digital society is today, it’s important that everyone does what they can. It only takes one weak link to set off a cyberattack that can cause millions or even billions of dollars in damages.