Long before Russian troops invaded Ukraine in February of this year, there was a different kind of warfare taking place, one less obvious to the untrained eye: a war of desktops, keyboards and logins. Months before the first shots rang out, Russian hackers targeted critical infrastructure including power facilities, causing massive blackouts during the cold of winter and leaving hundreds of thousands of Ukrainians vulnerable to the elements. Other nations including the United States were also targeted, as was revealed in the latest declassified documents.
Just a few weeks ago, the cybersecurity authorities of the United States, Australia, Canada, New Zealand and the United Kingdom released a joint Cybersecurity Advisory to warn critical infrastructure organizations that Russia’s invasion of Ukraine could spawn increased malicious cyber activity by Russian state-sponsored cyber terrorists and cybercrime groups.
In tandem, the Cybersecurity and Infrastructure Security Agency issued Alerts AA22-083A, AA22-110A and AA22-137A on this topic, with technical details about the threat actors, the tactics they use and recommended mitigations.
Guidance included the need to:
Enforce MFA to the greatest extent possible and require accounts with password logins, including service accounts, to have strong passwords.
As part of a longer-term effort, implement network segmentation to separate network segments based on role and functionality.
And while the above are generally geared toward large enterprises with significant data on hand, this is entirely relevant to small businesses and the general population as well — according to CISA, “anyone buying gas, going to the grocery store, or using an ATM” is at risk. Further, while the alert focused on the power grid in particular, critical infrastructure as defined by CISA comprises 16 different verticals, including the financial sector, transportation and communication lines, highlighting just how many opportunities there are for multiple and complete systemic breakdowns.
But of course, systemic breakdowns don’t always start in a grandiose fashion; according to CISA, more than 90% of successful cyberattacks start with a single phishing email. Phishing and credential stuffing attacks often exploit password-based logins and password reuse. A 2021 survey revealed that 65% of people reuse passwords across accounts, and nearly half hadn’t changed their passwords in over a year, even after a known breach.
As such, leaders of all organizations — regardless of industry or size — should take certain measures to protect against such attacks, including but not limited to:
Just as a private sector breach in the energy or healthcare industries can be damaging, imagine an essential government system — like the military and its branches — being compromised. While CISA does enforce certain initiatives like the Federal Information Security Modernization Act (FISMA), government agencies (and many contractors tied to them) are still exposed. Just a couple of weeks ago, a Defense Department bug bounty program uncovered more than 400 vulnerabilities in its contractors’ networks, and only approximately 22% of those contractors had fully implemented MFA (despite the fact that it should have been in place since 2017).
Situations like these, where the public sector directly overlaps with private organizations, can be a two-pronged problem, as highly sensitive government data is often held by these companies. Organizations sitting at such a convergence should be especially cognizant of CISA’s cyberattack mitigation recommendations, as a breach of their network risks bleeding into external, critical infrastructure systems.
While these kinds of breaches have been a threat (and a reality) for some time, the latest incidents have cast a harsher light on the problem, and both public and private critical infrastructure providers should align with the latest CISA guidance to proactively respond to these most recent alerts. For federal organizations and affiliated contractors seeking guidance today, proactive adherence to the guidance and risk mitigation tactics provided by CISA and other governmental bodies offers a plan forward to secure critical infrastructure from unauthorized access and to maintain command and control of their own systems.
Bojan Simic is CEO and chief technology officer of Hypr.