Shields up: CISA’s response to the targeting of critical infrastructure and what it means

Long before Russian troops invaded Ukraine in February of this year, there was a different kind of warfare taking place, one less obvious to the untrained eye: a war of desktops, keyboards and logins. Months before the first shots rang out, Russian hackers targeted critical infrastructure including power facilities, causing massive blackouts during the cold of winter and leaving hundreds of thousands of Ukrainians vulnerable to the elements. Other nations including the United States were also targeted, as was revealed in the latest declassified documents.

Just a few weeks ago, the cybersecurity authorities of the United States, Australia, Canada, New Zealand and the United Kingdom released a joint Cybersecurity Advisory to warn critical infrastructure organizations that Russia’s invasion of Ukraine could spawn increased malicious cyber activity by Russian state-sponsored cyber terrorists and cybercrime groups.

In tandem, the Cybersecurity and Infrastructure Security Agency issued Alerts AA22-083A, AA22-110A and AA22-137A to address this topic, with technical details about threat actors, tactics used and recommended mitigations.

Guidance included the need to:

  • Enforce MFA to the greatest extent possible and require accounts with password logins, including service accounts, to have strong passwords.
    • Do not allow passwords to be used across multiple accounts or stored on a system to which an adversary may have access. As Russian state-sponsored APT actors have demonstrated the ability to exploit default MFA protocols and known vulnerabilities, organizations should review configuration policies to protect against “fail open” and re-enrollment scenarios.
  • As part of a longer-term effort, implement network segmentation to separate network segments based on role and functionality.
    • Network segmentation can help prevent the spread of ransomware and threat actor lateral movement by controlling traffic flows between — and access to — various subnetworks.

And while the above are generally geared toward large enterprises with significant data on hand, they are entirely relevant for both small businesses and the general population as well — according to CISA, “anyone buying gas, going to the grocery store, or using an ATM” is at risk. Further, while the alert was targeted more at the power grid in particular, critical infrastructure as defined by CISA comprises 16 different verticals, including the financial sector, transportation and communication lines, highlighting just how much opportunity there is for multiple and complete systemic breakdowns.

But of course, systemic breakdowns don’t always start in a grandiose fashion; according to CISA, more than 90% of successful cyberattacks start with a single phishing email. These phishing and credential stuffing attacks often exploit passwords and their reuse. A 2021 survey revealed that 65% of people reuse passwords across accounts, and nearly half hadn’t changed their passwords in over a year, even after a known breach.

As such, leaders of all organizations — regardless of industry or size — should take certain measures to protect against such attacks, including but not limited to:

  • Incorporate MFA, particularly passwordless MFA (PMFA), into the backend to meet (and exceed) relevant security requirements.
    • PMFA completely eliminates shared secrets by storing a private key on each user’s device. A public key is stored in the cloud. Authentication is initiated by the user and is executed via challenge and signature, with passwordless MFA into desktops, VPN and SSO.
  • Engage with law enforcement, including CISA local contacts to establish relationships in advance.
  • Implement data encryption so that data can’t be used if it is accessed.
  • Conduct personnel training to identify suspicious emails, links or malware, and encourage employees to notify those in an organization who can appropriately address them.
  • Develop and test an incident response plan, should suspicious activity occur.
  • Obtain cyber insurance well in advance of a potential attack (note: many cyber insurers require the use of MFA, or provide a discount if used).
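
The challenge-and-signature exchange described in the passwordless MFA item above, as an added Go example that is not from the article or from any vendor's product. The `Server` and `demo` names, the choice of Ed25519 and the user "alice" are assumptions made for illustration; the verifier denies on every error path and refuses silent re-enrollment, the two scenarios the CISA guidance asks organizations to review.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Server stores only public keys and outstanding challenges, never a shared secret.
type Server struct {
	pubKeys map[string]ed25519.PublicKey // user -> enrolled device public key
	pending map[string][]byte            // user -> challenge awaiting a signature
}

// Enroll registers a device key and refuses to silently replace an existing one.
func (s *Server) Enroll(user string, pub ed25519.PublicKey) error {
	if _, ok := s.pubKeys[user]; ok {
		return fmt.Errorf("user %q already enrolled", user)
	}
	s.pubKeys[user] = pub
	return nil
}

// Challenge issues a fresh random nonce for one login attempt.
func (s *Server) Challenge(user string) []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no randomness, no login
	}
	s.pending[user] = nonce
	return nonce
}

// Verify fails closed: unknown user, no outstanding challenge or bad signature all deny.
func (s *Server) Verify(user string, sig []byte) bool {
	pub, known := s.pubKeys[user]
	nonce, issued := s.pending[user]
	delete(s.pending, user) // single use, so a captured signature cannot be replayed
	return known && issued && ed25519.Verify(pub, nonce, sig)
}

func demo() (login, replay, reenroll bool) { // all values below are constructed samples
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // private key stays on the device
	other, _, _ := ed25519.GenerateKey(rand.Reader)  // a second key presented for the same user
	s := &Server{map[string]ed25519.PublicKey{}, map[string][]byte{}}
	_ = s.Enroll("alice", pub)
	sig := ed25519.Sign(priv, s.Challenge("alice")) // device signs the server's challenge
	return s.Verify("alice", sig), s.Verify("alice", sig), s.Enroll("alice", other) == nil
}
func main() { fmt.Println(demo()) }
```

A breach of this server's storage yields only public keys, which cannot be used to sign a challenge.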

Just as a private sector breach in the energy or healthcare industries can be damaging, imagine an essential government system — like the military and its branches — being compromised. While CISA does enforce certain initiatives like the Federal Information Security Modernization Act (FISMA), government agencies (and many contractors tied to them) are still exposed. Just a couple weeks ago, a Defense Department bug bounty program uncovered more than 400 vulnerabilities in their contractors’ networks where only approximately 22% of them have fully-implemented MFA (despite the fact that it should have been in place since 2017).

Situations like these, where the public sector directly overlaps with private organizations, can be a two-pronged problem as highly sensitive government data is often held by these companies. These public organizations that have such a convergence should be especially cognizant of CISA’s cyberattack mitigation recommendations, as a breach of their network risks bleeding into external, critical infrastructure systems.

While these kinds of breaches have been a threat (and a reality) for some time, the latest incidents have cast a harsher light on the problem, and both public and private critical infrastructure providers should align with the latest CISA guidance to proactively respond to these most recent alerts. For federal organizations and affiliated contractors seeking guidance today, the proactive adherence to guidance and risk mitigation tactics provided by CISA and other governmental bodies will be a plan forward to secure critical infrastructure from unauthorized access and achieve command and control capabilities.

Bojan Simic is CEO and chief technology officer of Hypr.

 
