By Mark Lanterman
Since the start of the war in Ukraine, there have been renewed concerns about attacks on critical infrastructure. In 2015, an attack on Ukraine’s power grid that left thousands without power was ultimately attributed to Sandworm, a Russian hacking group. Years later, it has been revealed that a similar attack was made in the early days of the current war when “hackers targeted one of its largest energy companies, trying to shut down substations, which would have caused blackouts for two million people.”1 Fortunately, the attack was thwarted by quickly identifying the malware. And while Russia denies any direct involvement, it appears that a variation of the malware used in 2015 was discovered during the investigation.
The possibility of an attack on critical infrastructure remains a major concern, and realistically, every sector is at heightened risk. What changes should be made to cybersecurity strategies, and how can an organization improve its security posture cost effectively and quickly?
Improving cybersecurity does not necessarily require a high price point. For many organizations, the bones of a great cybersecurity posture exist in its written policies and procedures, personnel, and best intentions. While basic groundwork is often already in place, the real issue is whether it’s up to date, whether anyone knows it exists, and how the procedures should actually be enacted within the organization. In 2015, clicking on an email attachment is what started the attack in Ukraine.2 Simply dedicating time to testing out an organization’s current set of policies is a cost-effective method to a) uncover obvious vulnerabilities, security gaps, and communication issues; b) improve awareness of primary threats, including social engineering; and c) identify and reinforce what’s working well in the current environment.
The Cybersecurity & Infrastructure Security Agency (CISA) provides guidance on how to assess the proactive and reactive measures an organization has in place to handle and mitigate cyberattacks.3 Basic steps include confirming the use of multi-factor authentication, keeping software up to date, conducting table-top exercises, and testing backup procedures. But CISA also stresses the need to incorporate the human element of security by encouraging organizations to include CISOs in risk-management decisions, lower reporting thresholds, and engage senior management in testing incident response procedures. CISA’s list of recommendations serves as a basic checklist—a lens through which an organization can assess its cybersecurity approach. Reviewing the guidelines may help in prioritizing cybersecurity as a central aspect of business-continuity planning. This is especially important in the case of critical infrastructure. In recent years, cloud technologies and the internet of things have shaped how critical infrastructure operates. This also creates an increased number of potential vulnerabilities and the risk of operational failure should a cyberattack succeed.
This past spring, President Biden signed into law The Cyber Incident Reporting Act, which “puts in motion important new cybersecurity reporting requirements that will likely apply to businesses in almost every major sector of the economy, including health care, financial services, energy, transportation and commercial facilities.”4 While these reporting requirements will not go into effect until the rules are finalized,5 specified entities classified as critical infrastructure will have new reporting requirements that include notifying CISA of any “covered” cyber event along with a description of the incident, its impact, and its duration. Additional requirements include alerting CISA to any ransomware payments and their amounts. This legislation is a clear acknowledgement that cyberattacks are of national concern and a recognition of the private sector’s impact on federal efforts to strengthen cybersecurity.
In a recent statement by President Biden on our nation’s cybersecurity, he explained that while the federal government is working toward bettering cyber defenses, “Most of America’s critical infrastructure is owned and operated by the private sector and critical infrastructure owners and operators must accelerate efforts to lock their digital doors.” He went on to state, “We need everyone to do their part to meet one of the defining threats of our time—your vigilance and urgency today can prevent or mitigate attacks tomorrow.”6
This statement addresses both goals of a cybersecurity plan—prevent or mitigate. The 2022 attack on Ukraine’s power grid could have been worse had it not been for the strengthened defensive measures that were implemented and the private sector’s assistance in quickly identifying and mitigating the threat. And since cyberattacks may ultimately evade even our best defenses, preparation is key. Assessing written policies, conducting tabletop exercises, and practicing communication channels are easy ways that an organization can start improving its security posture today.
NOTES
1 https://www.bbc.com/news/technology-61085480
2 https://jsis.washington.edu/news/cyberattack-critical-infrastructure-russia-ukrainian-power-grid-attacks/
3 https://www.cisa.gov/shields-up
4 https://www.natlawreview.com/article/president-biden-signs-law-cyber-incident-reporting-act-imposing-reporting
5 https://www.natlawreview.com/article/president-biden-signs-law-cyber-incident-reporting-act-imposing-reporting
6 https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/21/statement-by-president-biden-on-our-nations-cybersecurity/
Mark Lanterman is CTO of Computer Forensic Services. A former member of the U.S. Secret Service Electronic Crimes Taskforce, Mark has 28 years of security/forensic experience and has testified in over 2,000 matters. He is a member of the MN Lawyers Professional Responsibility Board.