Overwhelming signs indicate critical infrastructure companies are in the bullseye of geopolitical conflict.
Written by Lani Refiti
We have known for years that, since at least March 2016, Russian government threat actors have been targeting multiple western critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation and critical manufacturing sectors, primarily in the US. The US Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI) and other agencies have acknowledged this for quite some time in many of their technical alerts and statements. In Australia, we have been largely shielded from these activities by our geopolitical and geographic isolation. However, this has not stopped the Australian Cyber Security Centre (ACSC) from issuing alerts to keep organisations aware of the heightened risks that may affect them.
In the intervening years, with the acceleration of digital transformation, cyber criminals and nation-state actors have increasingly set their sights on these sectors. The convergence of physical and digital assets brings competitive advantage but also inevitable risk. Attacks against hospitals, oil pipelines, food supply chains and other critical infrastructure have brought into sharp focus the vulnerability of cyber-physical systems (CPS) and the impact on lives and livelihoods when they are disrupted. Now, overwhelming signs indicate that critical infrastructure companies are in the bullseye of geopolitical conflict.
In early April 2022, high-voltage electrical substations operated by an energy provider in Ukraine were targeted with Industroyer2 malware, which is built to issue IEC 60870-5-104 commands directly to substation equipment, with the intent of causing damage by manipulating industrial control systems (ICS).
In a highly unusual move, the cyber security authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom issued a joint advisory, “Russian State-Sponsored and Criminal Threats to Critical Infrastructure”, to warn organisations that they may be exposed because of the ongoing conflict in Ukraine. The advisory stated that the heightened threat “...may occur as a response to the unprecedented economic costs imposed on Russia as well as materiel support provided by the United States and U.S. allies and partners”.
As geopolitical tensions intensified, the ACSC issued a further alert urging Australian organisations to urgently adopt an enhanced cyber security posture. Although intended for a broad swathe of sectors, the alert is heavily slanted towards critical infrastructure: destructive malware emanating from the Ukraine conflict, the Conti ransomware group and state-sponsored targeting of network devices are all covered in detail.
Finally, it was announced last month that the US Cybersecurity and Infrastructure Security Agency (CISA) had expanded its Joint Cyber Defense Collaborative (JCDC) to include OT/ICS specialists such as Claroty, to enable better partnership between public and private sector organisations in safeguarding critical infrastructure.
The red line is gone
The clear red line that existed during the Cold War is no longer there. Back then, if Russia were to launch a nuclear attack, the U.S. would know within minutes and respond in kind. This concept of mutual assured destruction is what, to a large extent, deterred both Russia and the U.S. from engaging in nuclear warfare. What is also clear is that, through alliances such as AUKUS and the Quad, Australia is closely aligned with its closest and most strategic allies, including the United States, and is therefore now in scope as a relevant target for potential Russian state-sponsored attacks.
Cyber warfare does not afford us the equilibrium of mutual assured destruction. Furthermore, the use of cyber as an offensive weapon within a geopolitical conflict can be considered a military strategy in its own right, as it allows disruption while maintaining deniability, or at least without causing immediate escalation. Since we do not have perfect visibility into all critical infrastructure networks, it is hard to reliably detect the early signs of such coordinated actions and attribute them accurately. This is why the ACSC is actively encouraging and working with the owners and operators of those networks to ensure proactive steps are taken to mitigate the impact of cyberattacks. It is also why the Department of Home Affairs hurried both amendments to the Security of Critical Infrastructure Act 2018 (the Security Legislation Amendment (Critical Infrastructure) Act 2021 and the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022) through Parliament over the past year.
In addition to the obvious disruption, inconvenience and safety hazards posed by breaching critical infrastructure networks, we also have to consider that adversary nation-states could leverage disruptions to critical processes and production to engage in economic warfare. For example, multiple sectors of the U.S. economy, in particular their operational networks, could be targeted with the goal of inflicting economic damage on the nation.
The biggest advantage defenders have as the nature of the conflict and its strategies evolve is knowing their networks better than the adversary does. Having visibility of all assets, including CPS, so you can understand your risk posture is an excellent first step in preparing proactively and focusing on the likely paths of attack. In addition, sophisticated attacks on CPS require extensive preparation by adversaries and usually take a significant amount of time to carry out, with a great deal of lateral movement from the IT network into the OT network before any physical process is touched. The ability to monitor CPS networks for early warning indicators of compromise, such as a device that has never been seen before appearing on an OT segment or an IT host reaching into that segment, can give you the home-turf advantage of detecting an adversary pre-emptively and taking the necessary steps to mitigate risk.
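To make the "know your network" and "early warning indicators" points concrete, here is a small added example of the kind of check an OT monitoring tool performs. It is written for this page and is not the author's code or any vendor's product: it assumes a hypothetical OT segment (10.50.0.0/16), a hypothetical asset register with roles, and a handful of constructed flow records, and it raises alerts for a device never seen before on the OT segment, an IT host reaching into OT, an unapproved host speaking an ICS protocol, and one source sweeping many ICS endpoints (the reconnaissance that precedes a sophisticated CPS attack).

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# --- Hypothetical baseline (a real site would load this from its own asset register) ---
OT_ZONE = ip_network("10.50.0.0/16")              # assumed OT/ICS segment
ICS_PORTS = {502: "Modbus/TCP", 2404: "IEC 60870-5-104",
             20000: "DNP3", 44818: "EtherNet/IP"}  # well-known ICS protocol ports
KNOWN_ASSETS = {                                   # hypothetical asset register: ip -> role
    "10.50.1.10": "plc", "10.50.1.11": "plc",
    "10.50.2.5": "hmi", "10.50.2.6": "engineering-ws",
}
APPROVED_ICS_CLIENTS = {"hmi", "engineering-ws"}   # roles allowed to talk ICS protocols to PLCs
SWEEP_THRESHOLD = 3                                # distinct ICS targets from one source = enumeration

# --- Constructed flow records: (timestamp, src, dst, dst_port) ---
FLOWS = [
    ("2022-04-01T08:00:01", "10.50.2.5",  "10.50.1.10", 502),   # HMI -> PLC, normal polling
    ("2022-04-01T08:00:02", "10.50.2.5",  "10.50.1.11", 502),   # HMI -> PLC, normal polling
    ("2022-04-01T08:05:10", "10.10.7.23", "10.50.2.6",  3389),  # IT host RDPs into engineering ws
    ("2022-04-01T08:09:44", "10.50.2.6",  "10.50.1.10", 502),   # eng ws -> known PLC (allowed)
    ("2022-04-01T08:10:03", "10.50.2.6",  "10.50.1.12", 502),   # eng ws -> unregistered OT host
    ("2022-04-01T08:10:05", "10.50.2.6",  "10.50.1.13", 502),   # eng ws -> unregistered OT host
    ("2022-04-01T08:10:06", "10.50.2.6",  "10.50.1.14", 2404),  # eng ws -> unregistered OT host
    ("2022-04-01T08:11:00", "10.50.9.77", "10.50.1.11", 502),   # never-seen host talks Modbus to PLC
]


def in_ot(ip: str) -> bool:
    """True if the address falls inside the (assumed) OT segment."""
    return ip_address(ip) in OT_ZONE


def detect_early_warnings(flows, known=KNOWN_ASSETS):
    """Run the four checks over a batch of flows; return (alert_type, detail) tuples."""
    alerts = []
    seen_new = set()               # unregistered OT addresses already reported
    ics_targets = defaultdict(set) # src -> distinct endpoints it reached on ICS ports
    for ts, src, dst, dport in flows:
        # 1. Asset visibility: any OT-zone address missing from the register is a new talker.
        for ip in (src, dst):
            if in_ot(ip) and ip not in known and ip not in seen_new:
                seen_new.add(ip)
                alerts.append(("new_ot_asset", f"{ts} {ip} first seen on OT segment"))
        # 2. Zone crossing: a non-OT (IT-side) source reaching into the OT segment.
        if not in_ot(src) and in_ot(dst):
            alerts.append(("it_to_ot_crossing", f"{ts} {src} -> {dst}:{dport}"))
        # 3. ICS protocol traffic from a source whose role is not approved to speak it.
        if dport in ICS_PORTS:
            if known.get(src) not in APPROVED_ICS_CLIENTS:
                alerts.append(("unapproved_ics_client",
                               f"{ts} {src} -> {dst} {ICS_PORTS[dport]}"))
            ics_targets[src].add(dst)
    # 4. Sweep: one source touching many distinct ICS endpoints looks like enumeration.
    for src, targets in ics_targets.items():
        if len(targets) >= SWEEP_THRESHOLD:
            alerts.append(("ics_sweep",
                           f"{src} contacted {len(targets)} ICS endpoints: {sorted(targets)}"))
    return alerts


def summarise(alerts):
    """Count alerts by type, e.g. {'new_ot_asset': 4, ...}."""
    counts = defaultdict(int)
    for kind, _ in alerts:
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    for kind, detail in detect_early_warnings(FLOWS):
        print(f"[{kind}] {detail}")
```

On the constructed flows above the two normal HMI polls produce nothing, while the RDP hop from the IT host, the three unregistered PLC addresses the engineering workstation starts probing, and the never-seen host speaking Modbus each surface before any process value has been written. In practice the baseline would come from passive discovery over weeks of traffic rather than a hand-written dictionary, and the sweep check would be bounded by a time window, but the shape of the logic is the same.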
Regardless of how the geopolitical situation develops, two things are clear: Firstly, CPS and the networks they operate on have become attractive targets for nation-state adversaries and criminals. These networks are critical, and therefore valuable. As defenders, we must accelerate the rate at which we get visibility and control over those assets, so we can proactively prepare for the likely scenarios. Secondly, we in Australia can no longer enjoy the isolation and shielding from state-sponsored attacks given our close alignment with other western allies.