Threats to critical infrastructure (CI) and the need for nation states to protect such assets have been brought to the fore with Russia’s invasion of Ukraine and its relentless attacks, both physical and via cyberspace, on the country’s vital assets.
Critical infrastructure, the services and utilities essential to the well-being, proper functioning and cohesion of a society or nation state, needs protecting. Whether facility, network, service or system, CI includes public and private organisations involved in critical sectors such as energy, food and water supply, transportation (rail, road, air, sea), medical services, telecommunications, finance, and more. There is also acceptance that democratic nations’ electoral systems and processes fall under the CI banner and are equally threatened by hostile state actors. Such interference has been proven in recent years with Russian cyber-attacks at both state and federal electoral-system levels in the US, as well as in European states, including Spain and the Netherlands. Interference in the UK’s Brexit Referendum remains a matter of debate, but the bottom line is that it is happening.
This article looks at attacks on Ukraine’s CI, underlining the threat and the major role cyberattacks have played, and at some of the ways in which nations, public and private organisations, and other corporate entities involved in the running of CI can protect against such attacks.
Ukraine Attacks Highlight the Need to Protect CI
Russia’s physical attacks on CI began in the early stages of the war following the invasion: its forces recklessly shelled and occupied the Zaporizhzhya nuclear power plant and its surroundings, though keeping the staff inside to run the facility. Ballistic and cruise missile attacks rained down on Ukraine’s electricity generation and distribution facilities, the railway network, and more, and cyberattacks against almost every sector of the country’s critical infrastructure, which had actually started weeks before the invasion, reached new levels. Europe’s energy dilemma, with Russia using its gas supplies as a means of economic warfare to undermine the cohesion of NATO partners and their support for Ukraine, also rose to the fore, highlighting why belligerents, whether terrorists or nation states, target CI, whether in such a conflict or for their own purposes.
The attacks go on – Russian missiles hit power facilities across Ukraine on Friday 10 Feb, cynically coinciding with President Zelenskiy’s return to Kyiv after a tour of Western capitals. The latest attacks (at time of writing) were even confirmed by the Russian Ministry of Defence the following day, when, in its daily update, it said it had carried out “massive strikes on critically important energy facilities of Ukraine’s ‘military-industrial complex’ on Friday”. It did not, of course, identify the facilities targeted as civilian infrastructure in nature, and went on to claim that the transport of foreign weapons and ammunition by rail to battlegrounds in Ukraine had been “blocked” as a result of its attack. Such an announcement is a fairly typical example of Kremlin attempts to justify attacks on civil CI.
On 23 November 2022, at the UN in New York, Under-Secretary-General Rosemary DiCarlo made a statement about attacks that had taken place the night before against civilians and critical infrastructure across Ukraine. The attack concerned a wave of missile and drone strikes targeting Kyiv, Odesa, Lviv, Mykolaiv, Kharkiv, and Zaporizhzhia, which added to the already dire circumstances in which the population found itself at the time, as it faced the start of a freezing winter with much of the country without heating, electricity, water, or other basic utilities. Even before the latest strikes, Ukrainian officials said that practically no large thermal or hydroelectric power plants had been left intact in the country; the latest barrage only worsened the situation. Indeed, on the day of DiCarlo’s statement, Ukraine was forced to introduce emergency shutdowns in all regions of the country, with some, including Lviv, Zaporizhzhia, Odesa and Chernihiv, completely disconnected from the grid.
In Kyiv, the missile and drone strike hit the Darnyts’ka thermal power plant, leaving the whole of the Kyiv region without electricity; the approximately three million people in the capital were also left without running water. That Russian strike extended well beyond Kyiv, however: the Ladyzhyn power plant in the Vinnytsia region was also hit, and energy infrastructure in Kremenchuk, Lviv and Odesa was damaged. The three nuclear power plants still operating, at Rivne, South Ukraine, and Khmelnytskyi, were disconnected from the national grid as a result of the attacks.
These examples of what is taking place in Ukraine are a hard lesson for the rest of the West, but this clarity as to the threats and CI’s true vulnerabilities will help drive discourse within public-private partnerships to secure CI, using the latest approaches, technologies and collective thinking, including resiliency and redundancy to sustain CI if and when it is attacked. A good example has been Ukraine’s ability to keep its railways running and to restore at least some power supplies after attacks, including with the use of generators – resilience in practice.
For NATO and its allies, the current conflict also highlights the need to understand where vulnerabilities exist in the respective national infrastructures of member states, which could undermine the overall collective defence of the alliance unless any weaknesses are addressed.
Cyber Threats, Prophylaxis, and Response
The cyber assaults waged against critical Ukrainian infrastructure since even before the invasion have been linked to Kremlin-associated actors, and are in total violation of Russia’s cynical pledge to comply with international law in cyberspace – no surprise there. Intended to incapacitate critical services, including government institutions and private companies active in sectors such as finance, IT and energy, these cyberattacks are now often coordinated as precursors to conventional strikes.
Back in January 2022, more than 70 Ukrainian Government websites were disabled by a coordinated cyberattack blamed by the authorities on cyber criminals linked to Belarusian intelligence services. During the same period, Microsoft uncovered wiper software masquerading as ransomware across dozens of Ukrainian public and private computer networks; it was designed to disable computer systems and was again attributed to a Belarusian group linked to the Kremlin. The largest denial-of-service (DoS) cyberattacks in the country’s history followed in the days prior to the invasion, targeting banks and government departments, all identified by Ukrainian, US and UK agencies as attributable to Russia. On 23 February 2022, destructive software was uncovered that had infected hundreds of computers in Ukrainian ministries, as well as financial institutions not only in Ukraine but also in Latvia and Lithuania; Microsoft was able to block the software, which was named FoxBlade, sharing anti-virus code with a number of allied European countries to prevent its wider spread. These attacks have escalated throughout the conflict, including the targeting of satellite broadband aimed at degrading Ukraine’s military communications capabilities, which has also impacted civil communications and those of neighbouring nations.
Microsoft actually identified preparatory cyber activities a year before the invasion, when Russian troops were concentrating on the Ukrainian border. At this time, frequent malicious probing activities were uncovered and seen as intelligence-gathering attempts on Ukraine’s military and its allies.
Protective Response and Retaliation
Ukraine now has some of the world’s most experienced IT engineers seasoned in cyber-attack prevention and response. Attacks against the nation’s power grid have occurred, not only as part of the current situation, but even as far back as 2016, so multiple cyber operations have added to the nation’s expertise. Yet, effective responses in the current, intense scenario have benefitted from the cooperation between allied states and leading players like Cisco, Microsoft, and Google from the private sector, whose software is often targeted by malicious activity.
The US has actually been helping the country strengthen its cyber defence for many years, including in the latter months of 2021 when soldiers from the US Army Cyber Command were deployed to Ukraine to help detect and neutralise Russian malware, potentially embedded in Ukrainian institution and company networks.
One method of response to Russia’s cyber-attacks has also been to hack the attackers: hackers from inside Ukraine and elsewhere have retaliated against the Russian state and Russian companies with attacks aimed at publishing data to compromise and counter the Kremlin’s state propaganda. Anti-war messages have been posted to public institution and media websites, and some attacks have been aimed at CI to degrade Russian military capabilities. In one instance, hacking managed to slow down trains carrying Russia’s war materiel through Belarus to the front lines early on in the invasion.
With such cyber resilience shown by Ukraine and its collaboration with allies in this regard, there are concerns among allies that Russia might launch larger-scale cyber-attacks on allied companies outside the conflict area, as well as against non-Ukrainian CI. The message here is the need to prepare for such a worst-case eventuality; even if no such attacks materialise at this time, to be prepared is to be forearmed, and that is imperative. Knowing what we now know, unilateral, collaborative and coordinated cyber protection are all needed in earnest, with effective exchange of information and teamwork between specialised private companies and public institutions to protect CI across NATO member states and their many allies and partners.
Protecting CI from the Threat of Cyber-Attack
Russia’s attack on Ukraine has already impacted players beyond the borders of the conflict, and malicious cyber activity must be assumed to be a means by which hostile players may seek to damage Western and allied interests and CI without actually entering into physical confrontation.
This makes it imperative for government and private organisations of all sizes to protect themselves and prepare to respond to the prospect of disruptive cyber incidents. While there are guidelines across the alliance from national departments, the EU and others, one agency which has set out very clear methodologies for preparing against cyber-attack is the US Cybersecurity and Infrastructure Security Agency (CISA). Its approach will help CI organisations, and others, prepare for, respond to, and mitigate the impact of cyber-attacks. When an attack is reported quickly, assistance can be rendered quickly and warnings disseminated to prevent other organisations from falling victim to a similar attack; the importance of sharing information about an attack as swiftly as possible, for the benefit of the collective whole, cannot be overstated.
Regardless of size, CI organisations, facilities and departments should adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets. While it will be challenging for many companies to identify resources for urgent security improvements, state CI players will have little choice but to implement stringent security protocols and processes. That said, there is a wide range of protections that can and should be put in place by all players to reduce the likelihood of a damaging cyber intrusion. Companies should validate that all remote access to the organisation’s network, and all privileged or administrative access, requires multi-factor authentication. IT departments must ensure that software across their networks is up to date, prioritising updates that address known, exploited vulnerabilities identified by national cyber agencies, and must disable all ports and protocols that are not essential for business purposes. ‘Bring your own device’ should be carefully controlled in this regard, so that employees who connect their own tablets or phones for work purposes do not unknowingly introduce malware onto the corporate network. If an organisation is using cloud services, IT personnel must review and implement strong controls, many of which are published in official government guidelines.
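As an added example (not from the article, nor CISA’s own tooling), the patch-prioritisation step above can be driven from a feed in the format of CISA’s Known Exploited Vulnerabilities (KEV) catalogue: the script below cross-references a scanner’s open findings against constructed, placeholder KEV entries and orders the work so that overdue and ransomware-linked entries are patched first. The feed entries, host names and CVE ids are all constructed sample data.

```python
"""Patch prioritisation against a CISA KEV-style feed. Added example, not from
the article: constructed data with placeholder CVE ids; the field names follow
the public CISA Known Exploited Vulnerabilities (KEV) JSON feed."""
import json

# Constructed KEV-style feed (placeholder ids, not real CVEs).
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVPN", "product": "Gateway",
     "dueDate": "2023-03-01", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleOS", "product": "Server",
     "dueDate": "2023-04-15", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "vendorProject": "ExampleHMI", "product": "Panel",
     "dueDate": "2023-02-01", "knownRansomwareCampaignUse": "Known"},
]})

# Constructed inventory: host -> CVE ids a vulnerability scanner reported open.
INVENTORY = {
    "vpn-gw-1": ["CVE-0000-0001"],
    "file-srv-2": ["CVE-0000-0002", "CVE-9999-0001"],  # second id is not in KEV
    "hmi-3": ["CVE-0000-0003"],
}

def kev_index(feed_json):
    """Index a KEV feed by CVE id."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}

def prioritise(inventory, kev, today):
    """Return patch work items, most urgent first: past the KEV due date,
    then used in ransomware campaigns, then earliest due date. Findings not
    in KEV stay on the normal patch cycle and are not listed here. Dates are
    ISO strings, which compare correctly as plain strings."""
    items = []
    for host, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue
            items.append({
                "host": host, "cve": cve, "due": entry["dueDate"],
                "overdue": entry["dueDate"] < today,
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            })
    items.sort(key=lambda i: (not i["overdue"], not i["ransomware"], i["due"], i["host"]))
    return items

if __name__ == "__main__":
    for it in prioritise(INVENTORY, kev_index(KEV_FEED), "2023-03-10"):
        print(it["host"], it["cve"], "OVERDUE" if it["overdue"] else "due " + it["due"])
```

In production the feed would be fetched from CISA’s published JSON and the inventory from the organisation’s scanner; the ordering logic is unchanged.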
That said, no amount of preparation can stop attempts to infiltrate a network – the key is to know what to do when a potential intrusion is detected. Here, an organisation’s cybersecurity/IT personnel should focus on identifying and quickly assessing any unexpected or unusual network behaviour. At the same time, it must be confirmed that the organisation’s entire network is protected by cyber security software and that the signatures in such tools are kept up to date. Companies or agencies working with Ukrainian organisations, now and in the future, must take extra care to monitor, inspect, and isolate traffic from those organisations, closely reviewing access controls for any such traffic. Even visiting websites of Ukrainian media and state organisations can lead to the unwitting downloading of malicious cookies placed into seemingly innocent pages of news and information.
As far as protective preparation against cyber-attack is concerned, ensuring an organisation is ready and able to respond at a moment’s notice if an intrusion occurs offers a degree of peace of mind. This can be achieved by designating a crisis-response team with main points of contact in the event of a suspected cybersecurity incident. Roles and responsibilities should be clear, with involvement likely from the technology, communications, legal and business continuity departments; the availability of key personnel should be assured, and a means of providing surge support in response to an incident determined in advance, in case it is needed. To ensure such a response works smoothly if the real thing occurs, rehearsal exercises should be conducted so that all participants understand their roles in an incident.
To maximise an organisation’s resilience to a destructive cyber incident, back-up/business continuity procedures that ensure critical data can be rapidly restored if the organisation is hit by ransomware or a destructive cyberattack should be regularly tested, and the backups themselves must always be isolated from network connections. Where Industrial Control Systems (ICS) or Supervisory Control and Data Acquisition (SCADA) systems are involved, manual controls must be tested to ensure that critical functions remain operable if the organisation’s network is unavailable or compromised.
Worst-Case Conclusion and Ransomware Checklist
All the aforementioned precautions, protections and preparations will help improve the overall cybersecurity and resilience of any organisation involved in CI, though it is also advisable for all CI stakeholders and management involved in the cyber/IT aspects of their organisations to review the latest guidelines from their respective national governments, as well as allied agencies, about current Russian state-sponsored cyber threats to critical infrastructure and threats from ransomware attacks.
One key message from CISA is to ‘plan for the worst-case scenario’, so that senior management of any CI entity ensure that urgent measures can be taken to protect the most critical assets in case of an intrusion, including disconnecting high-impact parts of the network if necessary.
In the case of ransomware, a joint CISA/Multi-State Information Sharing and Analysis Center (MS-ISAC) guideline offers a checklist of what to do to protect an organisation in the event of an attack, which is worth repeating as a useful ‘detect, contain, eradicate’ conclusion to this discussion on protecting critical infrastructure.
- First, determine which systems were impacted and immediately isolate them.
- Second, only if devices cannot be disconnected from the network, power them down to avoid further spread of the ransomware infection.
- Third, triage impacted systems for restoration and recovery.
- Fourth, consult your incident response team to develop and document an initial understanding of what has occurred based on initial analysis.
- Fifth, engage your internal and external teams and stakeholders with an understanding of what they can provide to help you mitigate, respond to, and recover from the incident.
- Sixth, take a system image and memory capture of a sample of affected devices, such as workstations and servers.
- Seventh, consult federal law enforcement regarding possible decryptors available, as security researchers have already broken the encryption algorithms for some ransomware variants.
Tim Guest