Over the last several weeks, I have been having conversations with industrial security executives and customers with OT infrastructure about the implications of the Russian aggression in Ukraine. Although the fear of cyber warfare is now a daily headline, we have been involved in a cyber war for many years with adversarial countries including Russia, China, Iran and North Korea. There is a well-developed playbook on how these countries steal or scam money from consumers, businesses and financial institutions, illegally obtain our intellectual property, and blackmail companies through state-sanctioned ransomware gangs.
So, what should the West expect in the short term? We are seeing warnings that Russia may react to sanctions by targeting power grids and other critical infrastructure in Western nations as a form of retaliation. Industry executives are taking the US government’s Shields Up warning to heart and putting their teams on high alert.
However, if this conflict between Russia and Ukraine escalates further, and Russia continues down the path of becoming a pariah state under Putin, there are other medium-term developments that we should be concerned about.
As many people in the tech industry are aware, Russia has a world-class, highly developed cohort of computer science and engineering professionals. Many of these people are software developers, whom Western countries have relied on for high-quality outsourced software development for many years. With an average developer salary of $65,000 a year, leveraging this talent pool has been a great approach to bringing products or projects to market fast at an attractive cost.
Recent events are impacting this business model dramatically, with many Western companies already cancelling contracts and laying off Russian employees. Unfortunately, this will leave a large group of very talented people without a way to make an honest living. Additionally, if the Russian economy experiences a severe recession, other companies will lay off even more engineering talent, adding to this pool. With the ruble in freefall, the buying power of that $65,000 just became significantly diminished if Russian consumers want to purchase foreign goods such as cell phones, cars, electronics, clothes, etc. In fact, Russia does not produce much that consumers want to buy other than food and energy.
A concerning possibility is that some percentage of this software talent may turn to one of Russia’s most successful exports – ransomware blackmail gangs – as there may be no other way for them to earn a living. If 10% of the developers (40,000) end up unemployed, this is a huge pool of talent that could join existing gangs, or spin up their own teams to extort ransoms from Western businesses. The Russian government, which has always turned a blind eye at best, will only encourage this escalation.
This may not manifest itself in the very near term (the attacks on critical infrastructure are more likely), but we could very well see a tsunami of ransomware attacks over the next 12-24 months. These attacks may be more indiscriminate and not just go after well-heeled or high-profile companies and institutions. Everyone will be at risk.
So, there are a few things to expect. One is that your cyber insurance company may come looking for proof that you are meeting a specific security standard, such as the CIS Controls, IEC, or NIST CSF. If you aren’t, then that policy will either be exorbitant, or not written at all. Second, the government is in the process of putting together regulations that will require critical infrastructure companies to report on ransomware attacks, and companies will need to have tools and processes in place to feed this information to their regulators. Third, boards will come looking for proof that your programs can be measured and will be looking to assess financial risk in the event of attack. Anyone who needs help estimating these costs can do so with our ransomware risk calculator.
In my recent discussion with a Gartner analyst, he felt that only 5% of the OT security programs he’s seen met a “mature” profile. Quite a bit of the market is still just starting its journey, or is in the middle of putting together a security program. We continue to see interest in executing on hardening OT systems, but there is still a fair amount of foot-dragging because of the cost and complexity of managing these programs. The time to accelerate these programs is now. If you’re concerned about mitigating and managing the geopolitical risk to your plants and operations, Industrial Defender has the people, services and technology to help. With the cost of a ransomware attack running from low seven figures to low eight figures and beyond, hardening your defenses with a platform from Industrial Defender is a low-cost investment.