If You’re Reading This, You’re at War

March 11, 2022

If you’re reading this, you’re probably in the ICS security community. We’ve all seen the warning signs of a coming cyber war going back 5, 10, 15 years, but in the past month or so, the idea of a coming geo-political cyber war has morphed from concept to reality. Critical infrastructure is, unfortunately, in the crosshairs of the enemy, and we must act now to protect our underlying power, water, energy (including wind and solar), and food supply.

Our civilized world operates atop systems that are extremely good at what they do, and designed to keep doing it. What they’re not good at is change. We’ve been trying to bolt security, vulnerability management, and defense-in-depth solutions onto these systems for years, usually under the pretense of security advancement, hygiene, compliance, corporate goals, or risk reduction; pick your poison for the justification to get the budget.

The one justification that isn’t getting enough discussion in open forums is the one that’s staring us straight in the face. There are so many proof points that critical infrastructure IS the front line for cyber warfare. And you, reader, are one of the soldiers for our defense. You are in a poignant position to do something bold, to do something now. If not now, how long can we wait before it’s too late and another critical infrastructure company becomes the next headline?

It’s been said that ICS systems are sacred ground. Nation-states are in a cold war, and the first to attack people’s electricity or water via cyberattack opens the door to destruction of these systems for their own people. Until now, the adversaries have promised to be on their best behavior, and morally agreed not to attack the vulnerable core systems that keep the lights on, the water running, and the food on the table.

But what happens when they change their mind?

If an outside force caused you and your family extreme financial hardship, limited consumer freedom, and crippled your currency, all by way of limiting access to a computerized messaging system (SWIFT), to your bank account, or even to foreign goods, might you consider crossing that threshold and taking a swing at targets that were previously sacrosanct? These recent sanctions against Russia border on, and potentially cross, that line. We all expected nuclear saber rattling, but we’re seeing for the first time material state-sanctioned cyberthreats against Western critical infrastructure.

The DHS has said Russia has a "range of offensive cyber tools that it could employ against US networks," and that the attacks could range from a low-level denial of service attack to "destructive" attacks targeting critical infrastructure. It added: "We assess that Russia's threshold for conducting disruptive or destructive cyberattacks in the Homeland probably remains very high."

How many proof points do we need to finally come to terms with the fact that we’re talking about defending all the progress we’ve made as humans? We’re defending civilized society. At our doorstep we have advanced persistent threats, zero days, nation-state actors, script kiddies, piles of CVEs, and… a few thousand thought leaders who understand how bad the problem is: you. You are officially on the front lines of the cyber war for our civilization. It’s this sense of extreme urgency that I’m just not seeing reflected in the ICS professionals I deal with daily. Maybe next year? Maybe our vulnerability management program will get off the ground soon. Maybe if we can convince so-and-so to move on the project. Maybe, maybe, maybe.

Get real, readers. The adversaries are here, right now. If you sometimes leave a meeting and wonder why everyone isn’t feeling the same urgency that you are, you are not alone, and it’s time to speak up.

In the past month, we have seen two attacks on rail systems, dozens of breaches at US LNG companies, a mysterious power outage affecting millions, two data breaches within government facilities (east and west), and practically every country in the world issue statements elevating their cyber threat levels. We will continue to see proof positive that this threat is real, that it missed your organization today, and that you have exactly until next time to prepare for the threat.

That preparation, I would argue, needs to be nothing short of comprehensive. But the issue with comprehensive is that people don’t know where to start. Start anywhere, pick a project, and start shoring up that aspect of your system today. Tomorrow, pick another one. Please don’t get stuck in analysis paralysis. The adversary really doesn’t care that you need more time. They’re still coming. Be in the news, but for the right reasons. We want headlines like “Power outage hack thwarted due to robust vulnerability management program”, “Critical infrastructure knows they’re being targeted, and they have stepped up their game”, “You’ve got zero days? I’ve got disaster recovery! Bring it!” Ok, maybe not that last one. Let’s not pick a fight.

Those top foundational security controls that we all learned decades ago are a solid place to start doing something about your risks. Know your assets, know your software, manage your vulnerabilities, monitor for changes, log EVERYTHING. Too much focus has been put lately on flashy fixes and silver bullets, but cybersecurity is a lot like a diet: you have to do the work, and there’s no secret weapon. Eat your vegetables and move around often.

Do we need to wait for another event that impacts us all to make a difference?

Today. I’m challenging you, today, to do something to meet the threat at the door and make it think twice about attacking you.

We’re not soft targets. We’re just the most valuable ones. And we’re in this together.