Addressing Critical Infrastructure Threats Requires Collaboration
Since long before the current conflict in Ukraine, U.S. national security officials and cybersecurity industry analysts have raised concerns about Russia’s demonstrated capabilities and potential intentions to attack U.S. critical infrastructure (CI).
At a hearing led by the House Homeland Security Committee last week, cybersecurity leaders were asked how U.S. critical infrastructure could work with the Cybersecurity and Infrastructure Security Agency (CISA) and other federal partners to ramp up cybersecurity measures in response to escalating Russian cybersecurity threats.
The hearing also served as an opportunity to discuss the value of new public-private partnerships and information sharing practices and how the surge of security activity driven by the threat environment can be harnessed to establish a heightened security baseline moving forward.
Adam Meyers, senior vice president of intelligence at CrowdStrike, noted that cybersecurity professionals across the country are on high alert, monitoring and preparing for attacks against critical U.S. infrastructure.
“As Russia began to amass forces on the Ukrainian border, cyberattacks increased in turn,” he said. “The war has reshaped the technological landscape.”
Different Approaches for Different Sectors
During his testimony at the hearing, Amit Yoran, CEO of Tenable, noted that different approaches are required for different sectors of critical infrastructure. He pointed out that the financial sector seemed particularly well equipped to deal with cyberthreats.
However, a patchwork approach to targeted threats against critical infrastructure leaves many potential attack points unguarded.
Chris Morgan, senior cyberthreat intelligence analyst at Digital Shadows, a provider of digital risk protection solutions, said that with a rapidly changing—and escalating—cybersecurity threat landscape, the importance of cross-border and public and private sector cooperation has never been more apparent.
“Sharing information quickly and without bureaucratic red tape can be the difference in turning one organization’s active defense into mitigation for another,” he said. “This is particularly evident when considering the significant impact of the COVID-19 pandemic on many countries’ financial situation; many countries will be significantly under-resourced and benefit greatly from cross-border and multi-lateral cooperation.”
Morgan pointed out that the executive order issued by President Joe Biden in May 2021 outlined several steps that would assist companies working with the federal government to lower their cybersecurity risk.
These included the introduction of software bills of materials (SBOMs) and the implementation of zero-trust security models.
“While these initiatives are important, realistically, such significant changes take time,” he said.
He pointed out that several attacks against critical national infrastructure (CNI) targets in 2021 demonstrated that focusing on basic security hygiene principles can often go a long way.
These practices include ensuring that two-factor authentication (2FA) is enabled wherever possible, minimizing the attack surface of remote services, taking a risk-based approach to vulnerability management and regularly patching high-risk vulnerabilities.
“These simple steps can significantly improve cyber resilience and minimize the likelihood and impact of malicious activity,” Morgan said.
Joseph Carson, chief security scientist and advisory CISO at Delinea, a provider of privileged access management (PAM) solutions, noted that with CISA, the FBI and other agencies warning for weeks about possible direct attacks against the U.S., there is always the possibility of a “cry wolf” reaction, especially when a long stretch of time passes without incident—until a catastrophe strikes.
“It is always important to take warnings seriously as they tend to have hard evidence that attacks are in preparation, though it is always hard to determine when the strike will happen, so that tends to be on short notice,” he said. “When CISA issued the ‘Shields Up’ warning, it was a good time to simulate a security incident, update your systems and perform a solid backup to ensure you have a checkpoint to where you can recover from.”
He said when global stability is at serious risk, the time is right to be vigorous and increase the sensitivity of your security controls.
“Global cooperation and transparency are key to being able to contain and become resilient to cyberattacks,” Carson added. “Sharing of threat intelligence quickly can give many organizations the chance to shut the door to most cyberattacks as they start spreading quickly.”
He said it is also the best way to put strong legal policies in place to ensure that cybercriminals and nation-state actors are held responsible for their actions and give them fewer safe havens in which to hide.
Casey Ellis, founder and CTO at Bugcrowd, a specialist in crowdsourced cybersecurity, said he believed direct action by Russia against the U.S. isn’t likely because of the risk of escalation, which is something neither country wants.
“That said, collateral or lone-wolf action from ‘friends of Putin’, in the same vein as what we’ve seen conducted against Russia, is far more likely, and there’s a legitimate need to use the Russo-Ukrainian conflict as a catalyst to assess preparedness and improve it if necessary,” he said.
He noted that critical infrastructure, in general, is built to maximize uptime and availability of the assets with the focus on “making the system do what it should do” and not so much on security.
Often this focus comes at the cost of “making the system not do all the things that it shouldn’t,” and this is ultimately the root cause of the generally vulnerable state of CI.
A Worldwide Critical Infrastructure Challenge
“The most glaring weaknesses are around operating systems and software which cannot be upgraded because the business-specific systems which run on top of them cannot support it,” he said. “The good news, in some ways, is that almost every country in the world suffers some version of this problem.”
He explained that global CI-focused cyberwarfare is prevented by the same concepts that prevent nuclear war; an aggressor knows that they are just as vulnerable to counterattack as their potential victim.
“The internet has no concept of national borders,” he said. “National sharing and cooperation are necessary to allow defenders to focus on the things which matter most.”