Geopolitical Cyber Attacks — The New Battlefield
The new battlefield on display in the Russia-Ukraine war shows a progression of cybersecurity tactics that is revolutionizing the overall attack plan. Cyber warfare, previously viewed as a secondary asset in time of war, has become a critical initial threat vector against an opponent.
Cyber assets deployed in the early stages of the battle plan could include remote access tools (RATs), keyloggers, or rootkits on non-essential hosts. These pre-deployed tools are placed years before the actual battle could take place. Even with modern cyber capabilities around EDR, XDR, and anti-virus updates, some of the dormant attack tools could go undetected for years. Combined with social media propaganda, social engineering targeting, and email phishing attacks, these threat vectors could change the course of the battle well before a single shot is fired. With actual military hardware, the attacking forces disclose their capabilities, tactics, and expected outcomes, and the battle becomes predictable. Cyber attacks create an unpredictable dilemma in the conflict.
No longer is the battle fought only with soldiers and weapons facing off against each other. Cyber warfare has enabled a virtual army of combative resources from across the world. Regional security alliances, global terror groups, and cyber criminals for hire can mobilize in minutes to enter the digital field of battle on any side. Sometimes, these virtual cyber warriors could switch alliances without warning.
Predicting the unpredictable?
The survivability of the infrastructure, moments after the battle begins, is measured in microseconds. As witnessed in recent global conflicts, many countries lack the means to defend against cyberattacks because of aging infrastructure or outdated response plans. As reported in Reuters, the President of Ukraine requested help from the Kiev cyber underground to help fortify the country’s cyber defense capabilities. The call for help highlighted the sense of urgency Ukraine felt in addressing the early cyberwarfare tactics Russia successfully deployed. Adding to the unpredictable moments of the war, rogue hacker groups previously hunted by their own government became the stopgap to save their own country. Anonymous, a well-known global hacking consortium, joined the battle by directing its resources against several Russian targets. Anonymous entering the field of battle as a third-party participant added to the complexity of the conflict. Did Anonymous join for the good of Ukraine or only to support its own ideology? More importantly, what happens if and when the cyber-for-hire warriors change sides, and what hacker tools could they leave behind, buried within the networks of their current sponsor?
Attack on the lifeblood of the country
The impact of attacks on critical infrastructure, including water control systems, power grids, and national computer networks, remains unknown. Most of these industrial control systems live in closed-loop, air-gapped networks with very limited access from outside their isolated environments.
According to a survey in CisoMag, 84% of organizations have deployed IoT devices on their corporate networks, and more than 50% don’t maintain the necessary security measures beyond default passwords. Many IoT/OT/ICS devices do not have enough physical device capacity to load classic IT security prevention tools. Most device firmware focuses on the functionality of the component, with minimal onboard security protection. Historically, these devices often sit within a closed-loop network or air-gapped environment. Traditionally, these networks were not connected to the outside or to the internal corporate IT networks. Access to these devices was either through a local terminal or a direct connection to a serial port.
Protecting physical infrastructure is transforming. OT/ICS systems lived within a closed-loop network for years without the need to communicate outside their protection zone. With the advancement of the Internet of Things and the increase in analytical data analysis, these devices have moved up the levels of the Purdue manufacturing model to a point that opens them to external communications. Previously, these platforms were rarely exposed to classic IT attack vectors. The industrial control infrastructure support teams spent more time keeping these specific control units operational and less time understanding cybersecurity threats.
The SECOPS and NETOPS teams learned early on that business and technology requirements for classic IT and OT did not always translate into the same security strategy or operations procedures. OT systems require extensive planning and execution to perform firmware updates and to schedule downtime. Many legacy OT systems have very little tolerance for failure and must be highly available, similar to classic IT systems.
Can the typical SECOPS work stream in place today, based on detecting first, then responding, correctly protect these assets moments after a cyber attack begins? Most likely, no.
Movement towards predictable adaptive control for OT/ICS/IOT environments
To meet the challenges of the new battlefield, OT/ICS/IoT systems need to live within a pre-defined compartmentalization strategy that ensures the survivability of the system while still delivering the expected service from the device. The ability to isolate and contain, while delivering a next-generation level of security by defining a predictable protective zone capable of containing an outbreak, is a welcome development for this environment.
John P Gormally — Freelance writer, Cybersecurity veteran, blogger, global cyclist, fiction writer, Founder of cyclerwriter 3 espresso coffee company