2022 has been busy in the cyber world. While there were signals in 2021 with the increase in activity by threat actors targeting OT environments with ransomware, the conflict in Ukraine prompted many businesses to press harder in asking questions about their own resilience with operational technology (OT) and supply chain infrastructure.
The Cybersecurity and Infrastructure Security Agency (CISA) reported shortly after the invasion began that Russia had been targeting Ukrainian critical infrastructure to soften up that nation in the weeks leading up to the February 24 attack. Why does that matter? The success, or failure, of these efforts depends heavily on gathering target intelligence, maintaining healthy communication and governance across different organizations, and identifying a payload to achieve the target objective in the attack. This type of threat actor behavior is not limited to military conflicts and is often attributed to the more successful criminal threat actor groups as well. Denial of Service may be used as a method to disrupt, disorient, and draw attention while another attack is being delivered against the primary objective.
[Please see: Trustwave's Action Response: Russia-Ukraine Crisis – Defending Your Organization From Geopolitical Cybersecurity Threats]
Russia Leads with Cyberattacks Against OT and Critical Infrastructure
What we have witnessed so far includes attempts to wipe systems with ransomware, disinformation campaigns, and Distributed Denial of Service (DDoS) attacks against the Ukrainian government's infrastructure that impacted its ability to provide information to people in and outside of Ukraine.
CISA noted in a March 1 alert that:
- On January 15, the Microsoft Threat Intelligence Center (MSTIC) disclosed that malware, known as WhisperGate, was being used to target organizations in Ukraine. According to Microsoft, WhisperGate is intended to be destructive and is designed to render targeted devices inoperable. The impacted systems span multiple government, non-profit, and information technology organizations, all based in Ukraine.
- On February 23, several cybersecurity researchers disclosed that malware known as HermeticWiper was being used against organizations in Ukraine. According to SentinelLabs, the malware targets Windows devices, manipulating the master boot record, which results in subsequent boot failure.
Operational Technology and Supply Chain are Possible Lines of Attack
History is a passion of mine, which is why I always find it helpful to reflect on the roots of OT over the last 20 years to appreciate how much the lines between corporate and OT data environments have blurred today.
Now, while some people still look at OT as a niche area in cybersecurity that requires specialized personnel dedicated to OT, the reality is that OT has evolved. It's no longer found just inside a nuclear facility or plants associated with energy and water supply. It has extended beyond physical and critical infrastructure and the grid and expanded into everyday corporate operational technology.
OT has become a conversation for retail and hospitality. It has become a conversation for many industries as businesses leverage digital and 5G technologies to enhance their revenue and ability to reach customers. OT now plays an increased role in the supply chain and in our digital workforce. This includes how we empower employees and contractors to be successful in their mission. In a hybrid workforce, all these different attributes tie back into OT.
And from threat research, we are observing that attackers are taking advantage of the fact that OT challenges businesses' cyber defense programs in new ways, but with some traditional tactics and techniques.
What is interesting is that threat actors are not necessarily creating new attacks or updating old ones for the OT environment. Instead, adversaries are reusing many of the threats and tactics that we see every day. This is because an attacker still must look at how an organization defends itself, then figure out how to deploy and deliver malware, identify targets, establish command and control, exfiltrate data, and leave while covering their tracks. Again, there really isn't anything new here, so what has always worked is also good for attacks targeting operational technology.
The threat against OT is very real. We are seeing an incredible amount of threat research and due diligence conducted by adversaries, criminal organizations, and nation-states to exploit the OT environment.
Understanding the Organization’s Supply Chain Partners, and the Systems Required to Effectively Operate Your Supply Chain
Let’s talk about the supply chain through two different lenses. The first is that an organization must maintain, control, and vet the vendors it partners with to the best of its ability to ensure that they are maintaining a minimum viable security posture that the organization considers acceptable per its risk appetite.
The second lens is how you ensure the continuity of your supply chain, and what security's role is in enabling the resilience of that operation. The best way to do so is to use the NIST Cybersecurity Framework. NIST breaks down the supply chain into several areas: identify, protect, detect, respond, and recover. NIST also provides what I will call an accelerated review of how an organization comes to know its overall attack surface, including the supply chain.
This knowledge ties back to that OT equation because a lot of security fundamentals start with looking at corporate infrastructure. Is the perimeter safe? Do we have the fundamentals in place to even adhere to compliance?
Once you answer these questions, you become more resilient as a business, above and beyond just demonstrating compliance. Next, you need to figure out what to prioritize. This prioritization includes understanding how well the organization knows its attack surface and its critical assets.
This knowledge also includes physical access. For example, understanding the process of trucks going from one building to the next or ships going from one port to the next can ensure fidelity and cyber resilience.
Now, while we started with the cyber threats generated by the Russia-Ukraine war, it’s important to realize those activities are tied to the wider world, and to remain secure, organizations must look at every aspect of their business, including operational technology and the supply chain.
Enhancing Cyber Defense People, Process, and Technologies to Account for OT and Supply Chain Threats
Even though nations outside of Ukraine are not involved in direct physical contact or confrontation with Russia, many countries have aligned themselves with Ukraine and support heavy sanctions on Russia. The United States, Canada, the United Kingdom, Germany, and other NATO states, as well as nations like Australia, have all taken financial action in the form of severe sanctions against Russia. This national activity requires corporate entities in these countries to be on heightened alert for retaliatory digital strikes.
Such a retaliatory strike doesn't have to come from a nation-state involved in the conflict. I'm more concerned about nationalists inside of Russia or tied to Russia, who might seek to aid or respond in support of Russia against the sanctions and lash out. In addition, I am concerned about financial opportunists seeking to take advantage of the moment but who are entirely motivated by financial gain. This retaliatory type of action could take place against corporate infrastructure or against nations that have been very open and transparent about their thoughts and perspectives regarding Russia's actions in Ukraine.
If your business has not yet considered its resilience posture, it may be time for security to proactively educate and lead peers and the board on what this increased emphasis on OT and supply chain threats means to the business. Is the cyber defense program equipped to handle these threats, or do you need to ensure the business understands what the risks are and cyber defense’s ability to provide resilience against those risks?
We all have a role to play, and it is a good time to have these discussions with security teams and the business if we have not already.