The new battlefield revealed by the conflict between Russia and Ukraine shows a progression of cybersecurity tactics that is revolutionizing the general plan of attack. Cyber warfare, once viewed as a secondary asset in wartime, has become a critical initial threat vector against an opponent.
Cyber assets deployed in the early stages of the battle plan could include remote access tools (RATs), keyloggers, or rootkits on non-essential hosts. These pre-deployed tools are placed years before the actual battle takes place. Even with modern cyber capabilities around EDR, XDR, and antivirus updates, some of these dormant attack tools could go unnoticed for years. Combined with social media propaganda, social engineering targeting, and email phishing attacks, these threat vectors could turn the tide of battle long before a single shot is fired. With real military hardware, attacking forces reveal their capabilities, tactics, and expected results, and the battle becomes predictable. Cyber attacks, by contrast, create an unpredictable dilemma in the conflict.
The battle is no longer fought only with soldiers and weapons facing each other. Cyber warfare has enabled a virtual army of fighting assets from around the world. Regional security alliances, global terrorist groups, and cybercriminals for hire can mobilize in minutes to enter the digital battlefield on either side. Sometimes these virtual cyber warriors change alliances without warning.
Predict the unpredictable?
The survivability of the infrastructure, moments after the battle begins, is measured in microseconds. As seen in recent global conflicts, many countries lack the means to counter cyberattacks because of aging infrastructure or response plans. As reported by Reuters, Ukraine’s president requested help from the Kyiv cyber underground to strengthen the country’s cyber defense capabilities. The call for help highlighted Ukraine’s sense of urgency in addressing the first cyber warfare tactics that Russia successfully implemented. Adding to the unpredictable moments of war, rogue hacking groups previously hunted by their own government became the stopgap to save their own country. Anonymous, a well-known global hacking consortium, joined the fray by directing its resources against various Russian targets. Anonymous entering the battlefield as an outside participant added to the complexity of the battle. Did Anonymous join for the good of Ukraine or only to support its own ideology? More importantly, what happens if and when cyber warriors for hire switch sides, and what hacking tools might they leave buried in their current sponsor’s networks?
The extent of attacks on critical infrastructure, including water control systems, power grids, and national computer networks, is unknown. Most of these industrial control systems live in closed-loop, air-gapped networks with very limited access from outside their isolated environments.
According to a survey reported in CISO MAG, 84% of organizations have deployed IoT devices on their corporate networks, and more than 50% do not maintain the necessary security measures beyond default passwords. Many IoT/OT/ICS devices do not have enough physical device capacity to load classic IT security prevention tools. Most firmware-based devices focus on component functionality with minimal built-in security protection. Historically, these devices were found within a closed-loop network or air-gapped environment. Traditionally, these networks were not connected to the outside world or to internal corporate computer networks. Access to these devices was done at a local terminal or through a direct connection to a serial port.
The protection of physical infrastructure is transforming. OT/ICS systems lived within a closed-loop network for years with little need to communicate outside their protection zone. With the advancement of the Internet of Things and the rise of analytical data analysis, these devices have moved from the lower levels of the Purdue manufacturing model to a level that opens them to external communications. Previously, these platforms were rarely exposed to classic IT attack vectors. Industrial control infrastructure support teams spent more time keeping these specific control units operational and less time understanding cybersecurity threats.
The SECOPS and NETOPS team learned early on that classic business and technology requirements for IT and OT did not always translate into the same security strategy or operating procedures. OT systems require extensive planning and execution for firmware upgrades and downtime. In legacy systems, many OT systems have very few failures and are highly available, similar to classic IT systems.
Can the typical SECOPS workflow enabled today, based on first detecting, then responding, and then correctly protecting these assets moments after a cyber attack, keep up? Most likely, no.
To meet the challenges of the new battlefield, OT/ICS/IOT systems must live in a predefined compartmentalization strategy that ensures system survivability while still providing the service expected from the device. The ability to isolate, contain, and at the same time provide a next-generation level of security by defining a predictable zone of protection with the ability to contain an outbreak bodes well for this environment.
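One way to make the "predictable zone of protection" concrete is to check observed OT flows against Purdue-level zone boundaries, so that traffic skipping a level (for example enterprise IT reaching a PLC without passing through the IT/OT DMZ) is flagged for containment. The asset inventory and flow records below are constructed for this added example; it is not code from the original article.

```python
import re

# Purdue levels used here: 0 process, 1 control (PLC), 2 supervisory (HMI),
# 3 site operations, 3.5 IT/OT DMZ, 4 enterprise IT.
# Hypothetical asset inventory (constructed for this example): IP -> level.
INVENTORY = {
    "10.0.0.10": 1.0,   # PLC
    "10.0.1.20": 2.0,   # HMI
    "10.0.3.30": 3.0,   # historian
    "10.0.35.40": 3.5,  # DMZ data broker
    "10.1.0.50": 4.0,   # enterprise workstation
}
# Flows may stay within a level or cross to the directly adjacent level only;
# enterprise IT reaches OT solely through the level-3.5 DMZ.
ALLOWED_PAIRS = {(0.0, 1.0), (1.0, 2.0), (2.0, 3.0), (3.0, 3.5), (3.5, 4.0)}
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

def parse_flow(line):
    """Parse a constructed 'src=... dst=... dport=...' log line to a tuple."""
    m = FLOW_RE.search(line)
    if not m:
        raise ValueError(f"unparseable flow line: {line!r}")
    return m.group(1), m.group(2), int(m.group(3))

def classify(flow):
    """Return 'allow', 'violation' or 'unknown-host' for (src, dst, dport)."""
    s, d = INVENTORY.get(flow[0]), INVENTORY.get(flow[1])
    if s is None or d is None:
        return "unknown-host"   # unmanaged asset on the OT network: investigate
    if s == d or (min(s, d), max(s, d)) in ALLOWED_PAIRS:
        return "allow"
    return "violation"          # jumps a zone boundary, bypassing the DMZ

def audit(lines):
    """Group parsed flows by verdict: {verdict: [(src, dst, dport), ...]}."""
    report = {"allow": [], "violation": [], "unknown-host": []}
    for line in lines:
        flow = parse_flow(line)
        report[classify(flow)].append(flow)
    return report

SAMPLE_LOG = [  # constructed sample flow records
    "src=10.0.1.20 dst=10.0.0.10 dport=502",    # HMI -> PLC: adjacent levels
    "src=10.1.0.50 dst=10.0.0.10 dport=502",    # enterprise -> PLC: skips DMZ
    "src=10.0.3.30 dst=10.0.35.40 dport=443",   # historian -> DMZ broker
    "src=10.1.0.50 dst=10.0.35.40 dport=443",   # enterprise -> DMZ broker
    "src=192.0.2.99 dst=10.0.1.20 dport=3389",  # unknown host -> HMI
    "src=10.0.3.30 dst=10.0.0.10 dport=502",    # site ops -> PLC: skips level 2
]
```

Running `audit(SAMPLE_LOG)` puts the two level-skipping flows under "violation" and the unmanaged 192.0.2.99 source under "unknown-host"; in practice the inventory would be fed from the site asset register and the flow lines from a firewall or span-port collector.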
John P Gormally — Freelance Writer, Cybersecurity Veteran, Blogger, Global Cyclist, Fictional Writer, Founder of Cyclerwriter 3 Espresso Company,