Economic Warfare: Attacks on Critical Infrastructure Part of Geopolitical Conflict

We’ve known for years that since at least March of 2016, Russian government threat actors have been targeting multiple U.S. critical infrastructure sectors including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors. The Department of Homeland Security (DHS), the Federal Bureau of Investigations (FBI), and other agencies have acknowledged this for quite some time in many of their technical alerts and statements.

In the intervening years, with the acceleration of digital transformation, cyber criminals and nation-state actors have increasingly set their sights on these sectors. The convergence of physical and digital assets brings competitive advantage but also inevitable risks. Attacks against hospitals, oil pipelines, food supply chains, and other critical infrastructure, have brought into sharp focus the vulnerability of cyber-physical systems (CPS) and the impact on lives and livelihoods when they are disrupted. Now, overwhelming signs indicate critical infrastructure companies are in the bullseye of geopolitical conflict.

In early April, high-voltage electrical substations operated by an energy provider in Ukraine were targeted with Industroyer2 malware, with the intent of causing damage by manipulating industrial control systems (ICS). And on April 13, 2022, the Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the NSA, and the FBI warned that threat actors have developed custom-made tools to target ICS and supervisory control and data acquisition (SCADA) devices.

Since the beginning of the year, we’ve seen a steady drumbeat of alerts and new resources available for critical infrastructure organizations. A joint Cybersecurity Advisory, authored by the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the FBI, released in January, 2022, details tactics, techniques, and procedures associated with a number of Russian state actors. Given these threat actors’ demonstrated capabilities and activities, it comes as no surprise that CISA is stepping in and speaking directly to operators of critical infrastructure networks, giving them specific indicators of compromise to look out for and any unexplained equipment behavior.

As geopolitical tensions continued to intensify, in February of this year CISA issued a plan (PDF) of tactical recommendations to prepare for and mitigate foreign influence operations targeting critical infrastructure. The document contains the core steps to take to enhance the security of critical infrastructure networks, including understanding the assets you have in your network, their vulnerabilities and risk posture, and developing a robust incident response plan.

In light of evolving intelligence, in March, CISA and the FBI warned U.S. and international satellite communication network providers and customers of possible threats, offered specific mitigation recommendations, and strongly encouraged information sharing through CISA’s Shields Up initiative. Within days, CISA held a three-hour call with U.S.-based critical infrastructure owners and operators to discuss intensified preparatory activity by Russia to initiate potentially disruptive and damaging attacks.

The red line is gone

The clear red line that once existed as part of the Cold War is no longer there. Back in those days, if Russia were to engage in nuclear warfare, the U.S. would know within minutes and respond. This concept of mutual assured destruction is what, to a large extent, deterred both Russia and the U.S. from engaging in nuclear warfare.

Cyber warfare does not afford us the equilibrium of mutual assured destruction. Furthermore, the use of cyber as an offensive weapon within a geopolitical conflict could be considered a military strategy as it allows disruption while maintaining deniability, or at least not causing immediate escalation. Since we don’t have perfect visibility into all critical infrastructure networks, it’s hard to reliably detect the early signs of such coordinated actions and attribute them accurately. Which is why CISA is actively encouraging and working with owners and operators of those networks to ensure proactive steps are taken to mitigate the impact of cyberattacks.

In addition to the obvious disruption, inconvenience, and safety hazards posed by breaching critical infrastructure networks, we also have to consider that adversary nation-states could leverage disruptions in critical processes and productions to engage in economic warfare. For example, multiple sectors of the U.S. economy could be targeted, in particular their operational networks, with the goal of inflicting economic damage to the nation.

Defenders’ advantage

The biggest advantage defenders have as the nature of the conflict and strategies evolve, is to know their networks better than the adversary. Having visibility into all assets, including CPS, so you can understand your risk posture, is an excellent first step to prepare proactively and focus on addressing likely paths of attack. In addition to that, sophisticated attacks on CPS do require extensive preparation by adversaries and usually take a significant amount of time to carry out, with lots of lateral movement. Having the ability to monitor CPS for early warning indicators of compromise could give you the home-turn advantage of detecting an adversary preemptively and taking necessary steps to mitigate risk.

Regardless of how the geopolitical situation develops, one thing is clear: CPS and the networks they operate on have become attractive targets for nation-state adversaries and criminals. These networks are critical, and therefore valuable. As defenders, we must accelerate the rate at which we get visibility and control over those assets, so we can proactively prepare for the likely scenarios.