What can the Ukrainian experience of successfully defending critical infrastructure against Russian attack teach others about building cyber resilience?

Source: Business Ukraine

Cyber-attacks against Ukraine are nothing new and can be traced back at least as far as 2014, when russia first annexed Crimea and occupied part of the Donbas region. This experience has made the country a kind of laboratory for cutting-edge cyber weapons. Milestones include cyber-attacks on the Ukrainian election system in 2014, energy blackouts in 2015, and the Petya ransomware attack in 2017.

In more recent times, cyber experts noted a rise in cyber incidents from mid-2021, a phenomenon which only intensified in the run-up to russia’s full-scale invasion in early 2022. According to statistics from Ukraine’s national computer emergency response team, CERT-UA, the number of attacks increased almost tenfold in the first months of 2022 year-on-year. January 13 is widely considered the beginning of a new phase of russia’s cyberwar against Ukraine. Approximately 70 government websites have been defaced since then, with hackers posting provocative messages. These attacks were designed to sow fear and panic among the Ukrainian population.

Many experts correctly predicted that kinetic military actions in Ukraine would be synchronized with extensive cyber operations. The russian invasion of Ukraine proves that we live in a world where businesses and governments must consider simultaneous threats as inherently intertwined: both nation-backed cyber-attacks on local IT systems and infrastructure, and traditional military threats directly resulting from war. Since the beginning of russia’s full-scale war in February 2022, Ukraine has been the target of numerous cyber-attacks that have impacted public institutions, private organizations, and individual citizens. This includes attacks on energy, telecommunications, media, and financial entities considered part of Ukraine’s critical infrastructure.

What can the Ukrainian experience of successfully defending infrastructure teach other countries about building cyber resilience? And how can other countries best implement these lessons?

Organizations need to prepare in advance and be ready to meet these challenges. They need to assess their preparedness for cyber incidents and their ability to resume operations quickly and efficiently. Ukraine can offer a number of professional and practical recommendations to help organizations assess their level of cybersecurity readiness.

Cyber Review

The starting point for any preparations must be a proper review of existing response plans to better understand potential risks. Organizations should survey the landscape of potential threats and liaise with cyber threat intelligence service providers to better understand business risks and the actions that need to be taken.

They should consider suspending operations in areas where hostilities are already taking place or are likely to occur in the near future, as well as identifying how best to minimize those risks (what to do in case of a telephone connection blackout, for example). If necessary, organizations should ensure there are realistic plans prepared in advance for the evacuation or relocation of employees and their families, as well as offices and systems.

The next step should be to review incident response and continuity plans, answering the following questions: How often are the plans tested? Do the test scenarios still hold up against current threats?

Organizations should update security incident response plans, create specific response plans in line with baseline scenarios, and ensure that agreements with service providers that respond to and deter attacks are up-to-date. They should then review all regulatory requirements for reporting cyber security incidents, identify which law enforcement and government agencies to involve in case of a large-scale cyber security incident, and conduct cyber-attack simulations if such exercises have not taken place in the last six months.

Organizations will find it sensible to review key sets of cyber security controls to help reduce the likelihood of attacks succeeding, including controls that help protect against threats from an aggressor state or organized groups that will undoubtedly intensify their activities during a conflict. The US Cybersecurity and Infrastructure Security Agency (CISA) maintains a database of vulnerabilities and some cyber security centers provide advice on which vulnerabilities are high priority.

The priority should be a review of the key access controls. Organizations should isolate high-risk systems, focus on multi-factor authentication, and delete unused or expired accounts. They must ensure that malware protection is in place and that all licenses and programs are up-to-date. It is also crucial to confirm that data is backed up regularly.

Cybersecurity Monitoring

In addition to preventive protection, effective security monitoring is also vital to ensure timely detection and response to intrusions. The average time between when a system is initially compromised and the launch of destructive malware is now measured in days and not weeks or months, as was typically the case previously.

It is therefore crucial to understand the current cyber security monitoring capabilities in an organization's network infrastructure in order to improve preparedness and increase the chance of detecting and preventing cyber security incidents. The next step should be to create a threat hunting team to search for indicators of compromise (IOCs) based on the tactics, techniques, and procedures (TTPs) of groups known to be associated with an aggressor state or its partners, or of organized crime groups involved in a war or conflict on the cyber front. It might be helpful to consider engaging external vendors for managed detection and response services, who can empower company teams and provide qualified support where needed.

Organizations should naturally anticipate potential operational interruption in regions where active military operations are taking place. In some cases, it will be vital for organizations to provide temporary staff support to ensure critical services continue to operate until employees can return to the office or the country itself.

Organizations also need to stay aware of the risk posed by organized crime in such situations. Unfortunately, it is an established fact that bad actors will always try to turn a crisis to their advantage, with common scams including fake websites that allegedly offer help, provide “useful” information, or accept donations for fraudulent purposes. There is also a significant probability of a notable uptick in phishing campaigns focused on the war or conflict and aimed at high-ranking officials who publicly express positions or opinions about it.

To be well prepared for these circumstances, organizations should ensure that staff have access to reliable and verified sources of information, and should be aware of the risks posed by phishing and fraudulent websites. Providing cyber security advice to employees who are in places of potential risk or who work in high-ranking positions is important and should be done on a regular basis.

Third-Party Risks

When the COVID-19 pandemic started, organizations interrupted their operations and, in many cases, employees were sent home. Organizations facing these circumstances quickly realized how dependent they were on a complex ecosystem of third-party critical systems, services, and data. The current martial law regime in Ukraine has reinforced the importance of reshaping the security and resilience environment for all partners in important areas of the supply chain.

Organizations should identify dependencies on vendors and partners, and should create contingency plans covering situations where they may suddenly find themselves excluded from supply chains under certain conditions. Once a list of critical providers has been drawn up, organizations should establish enhanced monitoring of incoming network traffic and take into consideration new activity by the numerous hacker and Advanced Persistent Threat groups whose operations only become more sophisticated and complex in a conflict or military scenario.

For critical suppliers, organizations will need to check the availability and relevance of their incident response and continuity plans. Furthermore, organizations should be fully aware of the impact that potential incidents could have on supply chains, determine where exactly it is most relevant to focus enhanced monitoring, and increase their preparedness to respond to incidents.

Cloud Migration

Migrating existing IT infrastructure to the cloud or deploying disaster recovery sites via global cloud data centers helps provide the required level of availability to keep organizations functioning. It is highly recommended that organizations analyze existing IT architecture with a view to assessing the feasibility and extent of cloud migration and consider any technical complexity, financial, regulatory, and security issues that might affect this change.

Given the available competencies of IT specialists and service providers on the market, it is of paramount importance to choose a reliable cloud service provider. When one has been selected, organizations should determine the order and timing of migration procedures. This means prioritizing IT elements for further cloud migration, organizing information backup, and creating public disaster recovery centers in Europe or the United States.

The Russian invasion of Ukraine has increased concerns about cyber security incidents and the resilience of critical business functions. These concerns are important and need to be addressed in parallel with protection for employees and support for organizations, both in Ukraine and abroad. Many organizations and institutions will find it necessary to assess their exposure and vulnerability to cyber incidents, technology disruption, and the related impact on critical services.

While the future remains unpredictable and uncertain, companies and organizations can continuously analyze how a situation may develop and assess the plausibility of the variety of scenarios that could arise. For each potential scenario, organizations need to prepare an analysis of how disasters or events would affect them in a holistic sense. This means keeping in mind how best to meet the needs of their people, the business, the supply chain, and technology for the organization as a whole.