As the Russia-Ukraine war continues, Russian cyber threat actors have been launching attacks on the Ukrainian government. Given the widespread western support that Ukraine has received — in the form of money, weapons and harsh economic sanctions against Russia — there are expectations that Russia will target those supporters. Cyber-solidarity between allies is critical in this situation. Canada and the United States share an electrical grid, along with many other intertwined critical infrastructures, so coordination between the two countries is crucial to protecting each other’s infrastructure.
Coordinated messaging from government agencies in different countries is necessary. Companies operating critical systems like the power grid face a common threat, regardless of the country where the company is headquartered. Many large infrastructures span multiple countries, and following different security guidance for different parts of the same system creates confusion. Having the Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (NCSC) present the same information helps prevent that confusion.
Canada’s cyber threat bulletin, issued by the Canadian Centre for Cyber Security (CCCS), advises operators to isolate critical infrastructure components and services from the internet. The ransomware attack on Colonial Pipeline showed what can happen when a company has no plan for continuing to operate once its operational technology (OT) and information technology (IT) systems are separated. Even though the attackers never touched the control systems in that incident, the pipeline had to be shut down when the IT systems were attacked.
The NCSC has joined CISA’s call to be wary of Russian state interference in critical infrastructure systems, including telecoms networks, energy and utility suppliers, transport operations, and logistics and distribution specialists. The NCSC notice also presents accessible, consumable cybersecurity advice, covering the use of antivirus software and the necessity of patching all systems with software updates.
Cyber threat advisory pitfalls
The CISA alert offers general best-practice advice for reducing cybersecurity risk, but it lacks detail on vulnerabilities and configuration. CISA says to update software and use a centralized patch management system, but fails to mention the importance of validating or authenticating patches before installing them.
Like the CISA advisory, the Canadian cyber threat bulletin overlooks a key attack vector. It stresses the importance of patching but makes no mention of validating or authenticating a patch before installing it on critical systems. If there is a known vulnerability in software that needs patching, it is fundamental to ensure the patch is legitimate. Did it really come from your supplier? Did a Russian-backed hacker intercept it first? Targeting a victim via one of their suppliers — known as a supply chain attack — is an increasingly common line of attack. Operators of critical infrastructure therefore need to be aware of this threat and check for authenticity before patching.
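One concrete form of the "check for authenticity before patching" step argued for above, as an added example that is not code from any of the advisories or from a vendor: the patch is compared against a vendor SHA-256 manifest (sha256sum format) and only copied into the install staging area if it matches. The example assumes the manifest was obtained over a channel authenticated separately from the patch download (for instance a signed vendor release page); the filenames and payload bytes are constructed for the demonstration.

```python
# Added example (not the advisories' or any vendor's code). Assumes the manifest, in
# sha256sum format, came over a channel authenticated separately from the patch download.
import hashlib
import hmac
import shutil
import tempfile
from pathlib import Path

def parse_manifest(text):
    """Map filename -> hex SHA-256 from "<digest>  <name>" lines; reject malformed ones."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        if not sep or len(digest) != 64 or not name.strip():
            raise ValueError(f"malformed manifest line: {raw!r}")
        expected[name.strip()] = digest.lower()
    return expected

def verify_patch(patch, manifest):
    """True only if the vendor listed this filename and the digest matches exactly."""
    expected = manifest.get(patch.name)
    if expected is None:
        return False  # unlisted file: the vendor never published it, so do not install it
    actual = hashlib.sha256(patch.read_bytes()).hexdigest()
    return hmac.compare_digest(actual, expected)

def stage_patch(patch, manifest, staging):
    """Copy a patch into the install staging area only after it verifies; else None."""
    if not verify_patch(patch, manifest):
        return None
    staging.mkdir(parents=True, exist_ok=True)
    return Path(shutil.copy2(patch, staging / patch.name))

def demo():
    """Constructed sample: a genuine patch, a tampered copy under the same name, an unlisted file."""
    root = Path(tempfile.mkdtemp())
    genuine = b"constructed firmware image v1.2.3"
    manifest = parse_manifest(f"# vendor manifest\n{hashlib.sha256(genuine).hexdigest()}  plc-fw-1.2.3.bin\n")
    good, bad = root / "a" / "plc-fw-1.2.3.bin", root / "b" / "plc-fw-1.2.3.bin"
    for path, data in ((good, genuine), (bad, genuine[:-1] + b"4")):  # one byte altered in transit
        path.parent.mkdir()
        path.write_bytes(data)
    staging = root / "staging"
    return {
        "genuine_staged": stage_patch(good, manifest, staging) is not None,
        "tampered_rejected": stage_patch(bad, manifest, staging) is None,
        "unlisted_rejected": stage_patch(root / "a" / "hotfix.bin", manifest, staging) is None,
    }
```

A hash manifest establishes integrity, not origin, so the manifest itself must come from an authenticated source or carry a vendor signature checked with a pinned public key.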
The NCSC notice lacks specific advice on security measures that end users can take. There are several ways end users can protect themselves: ensuring remote access technologies and VPNs are patched, provisioning and monitoring users and credentials securely, limiting inbound and outbound connections through edge and internal firewalls, and validating hardware and software inventories, including third-party components.