Let’s consider the recent joint alert from the Cybersecurity & Infrastructure Security Agency (CISA), the FBI, and the NSA, “Understanding and Mitigating Russian State-Sponsored Cyber Threats to US Critical Infrastructure,” which is clearly prompted by the diplomatic talks between Biden and Putin. Leveraging cyber-operations is a textbook Russian strategy during geopolitical negotiations, as it gives the country plausible deniability and levels the playing field with more economically and militarily powerful countries.
The strategy behind this alert is to prepare critical organizations for anticipated Russian cyber-activity and, hopefully, mitigate the potential fallout, which will likely take the form of espionage or cyber-physical attacks. Russian threat groups, in particular, are known for persistence and stealth, in contrast to other geopolitical cyber-adversaries like Iran, China and North Korea. Well-resourced Russian advanced persistent threats (APTs) will find a way into business-critical networks and then exercise the long-term patience of nation-state players.
Critical infrastructure organizations, the defense sector, and the aviation industry should heed this alert. Its focus on operational technology (OT) and industrial-control systems is significant, as we’ll continue to see more adversarial focus on cyber-physical systems. Calling out specific Common Vulnerabilities and Exposures (CVE) identifiers is extremely helpful, as it allows defenders to prioritize patching and identify which playbooks will be most effective for mitigating and addressing risk.
The OT layer in modern infrastructure, in aircraft, the defense industrial base, and manufacturing, was once isolated from internet-facing networks. Today it is interconnected with IT, and is therefore discoverable and exposed to cyberattack, an attack surface attractive to Russian state-sponsored actors.
The alert’s recommendations focus on incident-response plans, reporting, and continuity, but they should also cover logging, including retaining and centralizing logs, since that is what enables companies to find signs of compromise after the fact. “Be Prepared” is the most important piece of advice, as these APTs will find a way in by relying on their resources and patience. The advice to “assume compromise” is spot on and represents the best of modern cybersecurity practice.
CISA Director Jen Easterly intimately understands the tactics, techniques and procedures of nation-state actors. She has been on the front lines of fighting Russian adversaries in cyberspace throughout her career, especially as part of NSA’s Tailored Access Operations, and that experience informs this CISA alert. She works alongside some really sharp people at CISA who are at the forefront of cyber best practices, so this guidance is a sobering reminder of what we’re up against.
Josh Lospinoso is CEO and co-founder of Shift5