What Impact Will the Ukraine Crisis Have on U.S. Critical Infrastructure?
I had the privilege last year, through a connection with Purdue University CERIAS and CRDF Global to train Ukrainian cyber operators in red teaming (network/web penetration testing and assessment) and blue teaming (security operations). This training was part of the U.S. State Department’s cybersecurity assistance mission to Ukraine. We had students from the Ukraine State Center for Cybersecurity, the Intelligence Directorate of the Ministry of Defense, the State Border Guard Service, the National Bank of Ukraine, and other agencies.
A 2018 Global Cybersecurity Index (GCI) published by the International Telecommunication Union (ITU) had Ukraine ranked 54th globally in terms of “…implementation of cybercrime legislation, national cybersecurity strategies (NCS), computer emergency response teams (CERTs), awareness and capacity to spread out the strategies, and capabilities and programs in the field of cybersecurity.”
However, the good news is that, from my experience, we encountered many knowledgeable and capable Ukrainian cyber analysts. So, I believe there is the capacity for adequate cyber-defense there, given they have sufficient tools and funding.
The question I have been asked several times is: “Will the Ukraine situation spill over into the U.S.?”
I believe the answer to that is an unequivocal “yes” – and we have already seen as much with recent Russian attacks on our critical infrastructure. If the U.S. begins imposing heavy sanctions against Russia or even supports a kinetic response, we are sure to see those cyber-attacks stepped up.
In a Jan. 3 opinion piece in the Washington Post, Mark Montgomery, senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies, and Samantha F. Ravich, commissioner on the Cyberspace Solarium Commission, wrote the following:
“It’s rare that four government agencies issue a joint advisory on a potential threat to the basic health and welfare of the entire U.S. population. But that’s what happened in October when the FBI, National Security Agency, Cybersecurity and Infrastructure Security Agency (CISA), and Environmental Protection Agency warned that U.S. water and wastewater systems are being targeted by ‘known and unknown’ malicious actors.”
During Super Bowl weekend last year in Tampa Bay, hackers breached the water treatment system in Oldsmar, Florida and attempted to raise the level of sodium hydroxide (lye) in the water 100-fold. In other words, they tried to poison the water supply. We have previously written about lessons learned from this attack. While attribution to a specific Advanced Persistent Threat (APT) group has not been publicly confirmed by law enforcement, there’s a good chance it was Russian threat actors. Furthermore, Russian hackers were most likely behind the attacks on FireEye and SolarWinds in 2020 and on the Colonial Pipeline in 2021.
Montgomery and Ravich note that the U.S. has “…approximately 52,000 drinking water and 16,000 wastewater systems, many of which service small communities of fewer than 10,000 residents.”
We know from the Oldsmar attack that many of the water systems have very limited budgets and are likely using some local mom & pop I.T. shop for infrastructure support with no dedicated cybersecurity budget or staff.
Although politicians recognize that protecting our water supply is a matter of national security, little has been done to date. In fact, in the massive, multi-billion-dollar infrastructure bill passed recently, far more attention was paid to cybersecurity for the energy and transportation sectors than for our water supply.
On Jan. 27, the White House and Environmental Protection Agency (EPA) announced a new “action plan” called “The Industrial Control Systems Cybersecurity Initiative – Water and Wastewater Sector Action Plan” to secure U.S. water systems from cyber-attacks, part of a broader effort to defend elements of domestic critical infrastructure from digital threats.
The plan calls for the following:
- Establishing a task force of water sector leaders.
- Implementing pilot projects to demonstrate and accelerate adoption of incident monitoring.
- Improving information sharing and data analysis.
- Providing technical support to water systems.
However, it’s unclear how effective this plan will be, given that water utilities’ participation in the pilot program, adoption of ICS monitoring tools, and information sharing with the federal government are all voluntary. When asked why the Biden administration is not mandating such activities for the water sector, a senior administration official said that the EPA “has far more limited authorities for the water sector” than, say, the Transportation Security Administration (TSA) has for air travel security.
And let’s take a closer look at those initiatives. In my eyes, we have the following:
- A committee. Those are always effective…
- ICS monitoring. Sounds promising, but I would need more details to know if it’s an effective approach.
- Improved information sharing. Well, we’ve already had the Water ISAC for 20 years; what enhancements are being proposed?
- Providing technical support. Sounds good, but what about a mandated cybersecurity framework, such as the DoD is imposing with CMMC on the Defense Industrial Base (DIB)?
In all, this action plan looks a little like putting one of those tiny, round Band-Aids on a huge, gaping sore. What about ensuring ICS are air-gapped both from office systems and the Internet to prevent takeover using a standard remote desktop connection? What about enforcing mandatory 24/7 monitoring utilizing both eXtensible Detection and Response (XDR) and machine learning (ML) for anomalous behavior? What about incident response plans and exercises, multifactor authentication, cyber awareness training, and so forth?
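As an added illustration of the kind of anomalous-behavior monitoring called for above (this is example code written for this page, not code from the original post or from Abacode), here is a small Python check over a constructed HMI setpoint audit log that would have flagged a change like the Oldsmar lye setpoint jump. The log format, tag names, safe ranges, and the remote/local session field are all assumptions.

```python
import re

# Constructed sample HMI audit log (not from any real utility).
# Assumed format: timestamp operator session(local|remote) tag old_value new_value
SAMPLE_LOG = """\
2021-02-05T08:00:12 op1 local  NaOH_SETPOINT_PPM 100 110
2021-02-05T09:15:40 op1 local  CL2_SETPOINT_PPM 1.2 1.3
2021-02-05T13:22:05 op1 remote NaOH_SETPOINT_PPM 110 11100
2021-02-05T13:25:30 op1 local  NaOH_SETPOINT_PPM 11100 110
"""

# Hypothetical engineering limits per tag; a real plant would use its own.
SAFE_RANGE = {"NaOH_SETPOINT_PPM": (50.0, 200.0), "CL2_SETPOINT_PPM": (0.5, 4.0)}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(local|remote)\s+(\S+)\s+([\d.]+)\s+([\d.]+)$")


def parse_line(line):
    """Parse one audit line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, op, session, tag, old, new = m.groups()
    return {"ts": ts, "operator": op, "session": session, "tag": tag,
            "old": float(old), "new": float(new)}


def detect_anomalies(log_text, max_ratio=5.0):
    """Return (timestamp, tag, new_value, reasons) for every setpoint change that
    leaves the safe range, moves by more than max_ratio x, or arrives over a
    remote session. A large corrective change is reported too, by design."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable lines are skipped, not silently trusted
        reasons = []
        lo, hi = SAFE_RANGE.get(ev["tag"], (float("-inf"), float("inf")))
        if not lo <= ev["new"] <= hi:
            reasons.append("out_of_range")
        if ev["old"] > 0 and ev["new"] > 0 and \
                max(ev["new"] / ev["old"], ev["old"] / ev["new"]) > max_ratio:
            reasons.append("large_ratio")
        if ev["session"] == "remote":
            reasons.append("remote_session")
        if reasons:
            alerts.append((ev["ts"], ev["tag"], ev["new"], reasons))
    return alerts
```

Run against the sample log, the 100-fold remote change is flagged on all three counts, and the operator's later revert is flagged for its size alone, which is the intended behavior for a plant where any order-of-magnitude chemical dosing change should be reviewed.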
Perhaps it will be up to the states to take action. Currently, the Florida state legislature is considering Senate Bill 828, which has cybersecurity provisions for critical infrastructure protection. But unless we get serious and require specific, mandatory controls (and provide budget for them), our critical infrastructure – and water supply in particular – will remain at risk.
Abacode currently provides cybersecurity support to municipal water agencies in terms of compliance against a best practices framework, assessments, penetration testing, 24/7 continuous monitoring and incident response, training, and other services. If you are involved with critical infrastructure security, please contact us today for help.
In closing, Russia has shown it will take what it wants, and with Putin having met with Xi Jinping recently in a show of unity, we can only surmise that China may soon take similar action with Taiwan. The latter puts much of the world’s computer chip-making supply at risk. Then, we may be looking not only at attacks on critical infrastructure but at an existential threat to the global supply chain, telecommunications, business, etc.
I commend the brave people of Ukraine and pray for a quick end to this violence, but the U.S. should start preparing now for the worst possible global outcome.