As tensions between the United States and Russia rise over the war in Ukraine, critical infrastructure (CI) operators should raise their readiness for an attack. A sustained CI disruption could bring large parts of the U.S. economy to a halt, and previous incidents such as the Colonial Pipeline and JBS Foods ransomware attacks and the SolarWinds supply-chain compromise show what a well-executed cyber-attack can do. Russia has demonstrated its willingness to use destructive cyber capabilities against infrastructure before, and it has done so again.
At the outset of the Russian invasion of Ukraine, the satellite communication link used to remotely monitor and control more than 5,000 wind turbines in central Europe was knocked out. The disruption was a demonstration of Russia's cyber reach, and a reminder that Europe remains dependent on Russian energy.
Harsh sanctions imposed by the U.S. and its allies have been met with promises of retaliation from Russian leadership, which only increases hostility. The 2015 attack on the Ukrainian electrical grid by Russian hackers should serve as a stark reminder to CI stakeholders: when operational technology is inadequately protected, the consequences are physical, including death, injury, property damage and environmental damage. Since 2015, Ukraine has served as a testing ground for Russian cyber capabilities against CI, and those capabilities can be expected to have improved. Below is a basic walkthrough of the 2015 Ukrainian power grid attack, illustrating the complexity of the attack chain CI stakeholders should prepare for.
The 2015 Ukrainian Power Grid Hack Overview
- Spear-phishing emails sent to IT staff and administrators carried Microsoft Office documents whose macros installed the BlackEnergy 3 malware.
- The malware infected workstations and gave the attackers persistent remote access.
- Using harvested credentials, including VPN credentials into the control network, the attackers spent months mapping the grid control systems without being noticed.
- Equipment needed to restore service was sabotaged: firmware on substation serial-to-Ethernet converters was overwritten and UPS systems were reconfigured to cut power to the control centers themselves, hampering recovery.
- The attackers hijacked operators' SCADA sessions and opened breakers at roughly 30 substations, cutting power to about 225,000 customers.
- KillDisk malware wiped files on servers and workstations, leaving them unbootable and slowing recovery further.
- A telephone denial-of-service flood against the utilities' call centers kept customers from reporting the outage and left them in the dark.
The Russian invasion has met stiff Ukrainian resistance, adding to concerns that a cyber response from Russia is forthcoming. Any method of gaining an advantage may be considered by Russia, especially if the invasion falters and urgency increases. So far there has been a surprising lack of Russian cyber activity beyond the satellite link disruption and DDoS attacks on Ukrainian government websites, but that could change in an instant. In mid-February the U.S. Department of Homeland Security issued an alert to businesses cautioning that Russian cyber-attacks are likely.
Here are 6 best practices to keep CI safe
- Scan firewalls, applications and operating systems for vulnerabilities and misconfigurations, and remediate what is found.
- Train employees to recognize and report social engineering, with an emphasis on phishing, since that is how the 2015 attack began.
- Deploy monitoring and logging across IT and OT systems so anomalies can be detected, and automate alerting where possible.
- Institute privileged access management to prevent privilege escalation and unauthorized lateral movement between systems, including from the IT network into the OT network.
- Test business continuity and incident response plans regularly, including scenarios in which control systems are unavailable.
- Increase visibility into, and maintain an inventory of, all IT and OT components.
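The 2015 intrusion began with macro-laden Office documents, and the monitoring and automation practice above is where that first step can be caught. As an added example (not part of the original post and not OCD Tech tooling), the following Python routine is the kind of check a mail gateway or attachment scanner can run: it inspects an attachment's bytes rather than its file extension and quarantines anything carrying a VBA project. The OOXML check relies on the documented package layout (a `vbaProject.bin` part and a `macroEnabled` content type); the legacy OLE check is a byte-pattern heuristic, an assumption made to avoid a full OLE parser. The sample documents are constructed in memory and contain no real macro code.

```python
"""Mail-gateway triage for Office attachments: flag files that carry a
VBA project before they reach a user. Added example, not OCD Tech code.

Two container formats are handled:
  * OOXML (.docx/.docm/.xlsx/.xlsm): a ZIP package. A VBA project is
    stored as a 'vbaProject.bin' part and [Content_Types].xml declares a
    '...macroEnabled...' content type.
  * Legacy OLE2 compound files (.doc/.xls): directory entry names are
    UTF-16LE; Office stores a VBA project under a 'Macros' storage with a
    '_VBA_PROJECT' stream. Detected here by a byte-pattern heuristic
    (an assumption: no OLE parser, so precision is traded for zero deps).
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
# Extensions that legitimately may carry macros; anything else with a VBA
# project is a mislabelled or renamed file and gets flagged separately.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".doc", ".xls", ".ppt"}


def _ooxml_has_macros(data: bytes) -> bool:
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            if "[Content_Types].xml" in names:
                types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                return "macroEnabled" in types_xml
    except zipfile.BadZipFile:
        pass
    return False


def _ole_has_macros(data: bytes) -> bool:
    # Storage/stream names as they appear in the OLE directory (UTF-16LE).
    markers = ("Macros".encode("utf-16-le"), "_VBA_PROJECT".encode("utf-16-le"))
    return any(m in data for m in markers)


def has_vba_macros(data: bytes) -> bool:
    """True if the bytes look like an Office file that contains a VBA project."""
    if data.startswith(ZIP_MAGIC):
        return _ooxml_has_macros(data)
    if data.startswith(OLE_MAGIC):
        return _ole_has_macros(data)
    return False


def triage_attachment(filename: str, data: bytes) -> dict:
    """Gateway decision: quarantine anything carrying macros, and note when the
    extension does not advertise them (a renamed or mislabelled attachment)."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    macro = has_vba_macros(data)
    return {
        "filename": filename,
        "macro": macro,
        "extension_mismatch": macro and ext not in MACRO_EXTENSIONS,
        "action": "quarantine" if macro else "deliver",
    }


# --- Constructed samples (not real malware): minimal OOXML packages and a
# --- synthetic OLE header with a 'Macros' directory name embedded.
def _build_ooxml(parts: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


SAMPLE_DOCX = _build_ooxml({
    "[Content_Types].xml": '<Types><Override PartName="/word/document.xml" '
        'ContentType="application/vnd.openxmlformats-officedocument.'
        'wordprocessingml.document.main+xml"/></Types>',
    "word/document.xml": "<w:document/>",
})
SAMPLE_DOCM = _build_ooxml({
    "[Content_Types].xml": '<Types><Override PartName="/word/document.xml" '
        'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
        '</Types>',
    "word/document.xml": "<w:document/>",
    "word/vbaProject.bin": b"\x00" * 64,
})
SAMPLE_LEGACY_DOC = OLE_MAGIC + b"\x00" * 504 + "Macros".encode("utf-16-le") + b"\x00" * 64


if __name__ == "__main__":
    for name, blob in [("invoice.docx", SAMPLE_DOCX),
                       ("invoice.docm", SAMPLE_DOCM),
                       ("invoice.docx", SAMPLE_DOCM),  # macros behind a benign-looking name
                       ("report.doc", SAMPLE_LEGACY_DOC)]:
        print(triage_attachment(name, blob))
```

The check deliberately ignores the filename when deciding whether macros are present, so a `.docm` renamed to `.docx` is still quarantined and additionally reported as an extension mismatch, which is worth its own alert. In production this belongs alongside, not instead of, blocking macros from the internet by Group Policy and the phishing training listed above.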
Working toward these best practices now increases resilience and limits the impact of cyber-attacks on CI. OCD Tech can assist in bolstering your organization's security with specialized services including vulnerability assessments, security awareness and phishing training, and privileged access management services.