A series of escalatory messages and actions between the US, Russia, and Iran is increasing the risk of further conflict and of negative effects on industrial control systems (ICS) and critical infrastructure. This includes recent news reports on offensive US cyber operations targeting Russian critical infrastructure, and the Kremlin's warning that attempts to hack into its electric grid could lead to cyberwarfare. Additionally, cyber threat intelligence firms, including Dragos, and the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) recently reported an increase in Iranian-linked malicious cyber activity targeting industry and government organizations in the US.
All industrial ICS operators (electric power, oil and gas, water management, sanitation, manufacturing, etc.) must take this threat seriously and should take these five steps immediately.
For threat intelligence supporting this blog and further discussion on response, join our webinar on Tuesday 25 June 2019.
- Take the Threat Seriously
Tensions and rhetoric are rising quickly between the US, Russia, and Iran. Where political tensions exist, cyber offensive and intelligence-driven operations follow. Industrial processes are one of the most likely targets in any force escalation across cyberspace. Due to increased investment in many countries to develop offensive industrial disruption capabilities, we must assume that these could be deployed now and in any future conflict. Countries will naturally want to avoid casualties, both military and civilian, and hence look for cyber disruption of ICS as an alternative to kinetic force. Further, as prominent cybersecurity and privacy researcher Lukasz Olejnik expertly highlights, “In conventional military operations, armed forces in close proximity are often at an increased risk of escalatory events… dozens of armed forces are constantly within the virtual arm’s length, creating a constant possibility of interaction and escalation.”
- Think Beyond Borders
Consideration of the threat and risk of cyberattack in an escalatory situation must extend beyond the borders of the countries or regions immediately involved. Countries project power in asymmetric ways and may use proxies to affect third parties in order to reduce the likelihood of retaliation. Further, countries rarely act alone in any use of force and rely on allies to complement their own capabilities (or lack thereof). For instance, Iran and Russia have several aligned interests and may support each other through coordination or cooperation – especially as both are currently in conflict with a common adversary, the United States. Therefore, we cannot assess the risk of a cyberattack as coming from a single country in isolation, but from a group of allies. This is a good time to dispel the "I'm not a target" myth and to understand that adversaries view the battlespace differently from defenders – normal assumptions become dangerous.
- Increase Visibility and Threat Detection
Industrial organizations and ICS owners/operators must increase security visibility and logging granularity, and prioritize threat detection. What may have been a low-priority behavior or activity last week may need closer examination this week. A network, asset, or device that was not logging last week needs logging turned on now. Security operations should more closely examine and apply relevant threat intelligence. An organization's investigation and security response must change with the threat environment; this heightened state of readiness can be relaxed later, once the environment calms.
- Review and Practice Response and Recovery
The midst of a disaster is the worst time to develop a response and recovery plan, and responders who arrive unprepared usually become their own worst enemy. While no response plan will cover every eventuality, general approaches, a clear chain of command, and pre-established tools and procedures all play an important part in limiting harm:
- Establish and maintain knowledge of all the assets in the OT and IT environment.
- Prepare tools and procedures to gather evidence and intelligence from every corner of the OT and IT networks. This includes building relationships across organizations that will support each other in case of an event.
- Pre-establish visibility into OT networks – gathering evidence after the fact in an industrial network is one of the easiest ways to slow a response.
- Build relationships with vendors, integrators, industry consortiums, government, partners, and security companies that can help respond quickly to a situation.
- Integrate cyber, digital, and physical response and recovery plans assuming threats may cross these boundaries.
- Document and know the decision makers, decision points, and key legal and policy issues.
- Know how and when information will flow – one of the most confusing elements of any situation is communication within and outside an organization.
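The visibility step above (turn on logging for any asset that was not logging last week) and the first recovery item (know every asset in the OT and IT environment) combine into one routine check a security operations team can automate: compare the asset inventory against the sources that have actually emitted logs recently, flag inventoried assets that have gone silent (OT zones first, never-seen before stale), and flag log sources that are not in the inventory at all. The following is an added example written for this post, not Dragos tooling or code from the original; the inventory, the zone names, the addresses and the log-line format (`<ISO-8601 UTC time> <source IP> <message>`) are all constructed for illustration.

```python
"""Visibility-gap check: which inventoried OT/IT assets have stopped logging,
and which log sources are not in the inventory at all?"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    zone: str  # network zone the asset sits in (hypothetical labels)


# Constructed asset inventory; every name, address and zone is hypothetical.
INVENTORY = [
    Asset("hist-01", "10.10.1.20", "OT-DMZ"),
    Asset("eng-ws-02", "10.10.2.10", "OT-L3"),
    Asset("plc-gw-01", "10.10.2.15", "OT-L2"),
    Asset("fw-edge", "172.16.0.1", "IT"),
    Asset("rtu-07", "10.10.3.7", "OT-L1"),  # inventoried but has never sent a log
]

# Constructed log lines in the shape "<ISO-8601 UTC time> <source IP> <message>".
LOG_LINES = """\
2019-06-17T08:00:00Z 10.10.1.20 historian heartbeat ok
2019-06-18T09:12:00Z 10.10.2.15 modbus session opened by 10.10.2.10
2019-06-18T09:13:05Z 172.16.0.1 deny tcp 203.0.113.5 -> 172.16.0.1:502
2019-06-12T04:30:00Z 10.10.2.10 user login engineering
2019-06-18T10:00:00Z 192.0.2.99 unknown source, not in inventory
this line is malformed and must be skipped
""".splitlines()

# Constructed reference time and silence threshold for the example run.
NOW = datetime(2019, 6, 18, 12, 0, tzinfo=timezone.utc)
MAX_SILENCE = timedelta(hours=24)


def parse_line(line: str) -> tuple[datetime, str] | None:
    """Return (timestamp, source ip) for a well-formed line, else None."""
    parts = line.split(maxsplit=2)
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return ts.replace(tzinfo=timezone.utc), parts[1]


def last_seen(lines) -> dict[str, datetime]:
    """Most recent timestamp observed per source IP, skipping malformed lines."""
    seen: dict[str, datetime] = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip not in seen or ts > seen[ip]:
            seen[ip] = ts
    return seen


def find_silent_assets(inventory, lines, now, max_silence):
    """Inventoried assets with no log within max_silence, as (asset, last_seen_or_None).

    Ordered for triage: OT zones before IT, never-seen before stale, then by name."""
    seen = last_seen(lines)
    silent = []
    for asset in inventory:
        ts = seen.get(asset.ip)
        if ts is None or now - ts > max_silence:
            silent.append((asset, ts))
    silent.sort(key=lambda item: (not item[0].zone.startswith("OT"),
                                  item[1] is not None,
                                  item[0].name))
    return silent


def find_unknown_sources(inventory, lines) -> set[str]:
    """Source IPs that emitted logs but are missing from the inventory."""
    known = {asset.ip for asset in inventory}
    return {ip for ip in last_seen(lines) if ip not in known}


def report(now=NOW, max_silence=MAX_SILENCE):
    """Run both checks against the constructed data; returns (silent names, unknown ips)."""
    silent = find_silent_assets(INVENTORY, LOG_LINES, now, max_silence)
    unknown = find_unknown_sources(INVENTORY, LOG_LINES)
    return [asset.name for asset, _ in silent], sorted(unknown)


if __name__ == "__main__":
    for asset, ts in find_silent_assets(INVENTORY, LOG_LINES, NOW, MAX_SILENCE):
        status = "never logged" if ts is None else f"last seen {ts.isoformat()}"
        print(f"SILENT  {asset.zone:6} {asset.name:10} {asset.ip:12} {status}")
    for ip in sorted(find_unknown_sources(INVENTORY, LOG_LINES)):
        print(f"UNKNOWN source {ip} is logging but not in the inventory")
```

Both findings are actionable: a silent OT asset means a blind spot to close before an event, and an unknown source means the inventory itself is incomplete. Running this daily, with the threshold tightened during an elevated-threat period, turns "turn on logging now" into something that can be verified rather than assumed.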
- Engage Active Threat Hunting
Be proactive! Organizations that have not already done so should begin active and continuous threat hunting across their OT and IT environments. Threat hunting uses security analysts, tools, and data to uncover threats that traditional detection has not identified, and may surface a threat early enough to enable a preemptive response. Even when hunting does not uncover a threat preemptively, it pre-positions key resources and dramatically improves response and recovery if an event occurs.
Dragos does not know of any threats that pose immediate disruptive or destructive effects to industrial control systems, but the battlespace can change quickly in fluid escalatory environments. We are entering an unprecedented time for defending ICS and critical infrastructure: what once may have been a remote conflict can now easily extend to anywhere in the world. We strongly recommend that all ICS operators take this threat seriously to protect lives, services, business, and critical infrastructure worldwide.