Security and Resilience (Cyber and Physical)

Russian Cyber Threats: What You Need To Know

The Cybersecurity and Infrastructure Agency (CISA) is offering resources and guidance related to cyber threats from Russia, which launched a full-scale invasion of Ukraine on Feb. 24.

The Russian government “engages in malicious cyber activities to enable broad-scope cyber espionage, to suppress certain social and political activity, to steal intellectual property, and to harm regional and international adversaries,” CISA notes on its website.

Recent advisories published by CISA and other unclassified sources reveal that Russian state-sponsored threat actors are targeting a number of industries and organizations in the United States and other Western nations including energy, nuclear and water.

CISA notes that the same reporting associated Russian actors with a range of high-profile malicious cyber activity, including the 2020 compromise of the SolarWinds software supply chain, the 2020 targeting of U.S. companies developing COVID-19 vaccines, the 2018 targeting of U.S industrial control system infrastructure, and the 2017 NotPetya ransomware attack on organizations worldwide.

On Feb. 23, 2022, CISA, the United Kingdom's National Cyber Security Centre (NCSC), National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory identifying that the actor known as Sandworm or Voodoo Bear is using a new malware, referred to as Cyclops Blink.

The NCSC, CISA, and FBI have previously attributed the Sandworm actor to the Russian General Staff Main Intelligence Directorate’s Russian Main Centre for Special Technologies.

CISA’s website includes a Russian malicious cyber activity section that lists all CISA advisories, alerts, and malware analysis reports on Russian malicious cyber activities.

“SHIELDS UP” Guidance

CISA is also offering what it refers to as “SHIELDS UP” guidance related to cybersecurity.

“CISA recommends all organizations -- regardless of size -- adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets,” it said.

Recommended actions include:

  • Reducing the likelihood of a damaging cyber intrusion
  • Taking steps to quickly detect a potential intrusion
  • Ensuring that the organization is prepared to respond if an intrusion occurs
  • Maximizing the organization's resilience to a destructive cyber incident

“Russia’s unprovoked attack on Ukraine, which has been accompanied by cyber-attacks on Ukrainian government and critical infrastructure organizations, may have consequences for our own nation’s critical infrastructure, a potential we’ve been warning about for months,” CISA said.

“While there are no specific or credible cyber threats to the U.S. homeland at this time, we are mindful of the potential for Russia’s destabilizing actions to impact organizations both within and beyond the region, particularly in the wake of sanctions imposed by the United States and our Allies. Every organization -- large and small -- must be prepared to respond to disruptive cyber activity,” it noted.

CISA, along with its partners in the U.S. Intelligence Community, law enforcement, the military, and sector risk management agencies, is monitoring the threat environment 24/7 to discern whether those threats manifest themselves in risks to the U.S. homeland.

In the wake of continued denial of service and destructive malware attacks affecting Ukraine and other countries in the region, CISA is working closely with its Joint Cyber Defense Collaborative (JCDC) and international computer emergency readiness team (CERT) partners to understand and rapidly share information on these ongoing malicious cyber activities. 

“As the nation’s cyber defense agency, CISA stands ready to help organizations respond to cyber-attacks. When cyber incidents are reported quickly, we can use this information to render assistance and as warning to prevent other organizations and entities from falling victim to a similar attack,” it said.

The current environment “requires us all to be laser-focused on resilience. This must include a focus on ensuring preparedness and a rapid, coordinated response to mitigate the impact of such disruptions on our national security, economic prosperity, or public health and safety.”

CISA said it has been working closely with its critical infrastructure partners over the past several months to ensure awareness of potential threats, “part of a paradigm shift from being reactive to being proactive.”

As part of this effort, “we recognize that many critical infrastructure or state, local, tribal, and territorial governments find it challenging to identify resources for urgent security improvements.”

In response, CISA has established a catalog of free services from government partners, the open-source community, and JCDC companies to assist with this critical need.

President Biden Addresses Cybersecurity Threat In Remarks

On Feb. 24, President Biden said that if Russia “pursues cyberattacks against our companies, our critical infrastructure, we are prepared to respond.” He made his remarks in a speech at the White House.

“For months, we have been working closely...with the private sector to harden their cyber defenses, sharpen our ability to respond to Russian cyberattacks as well,” he said.

Last summer, the Department of Energy (DOE) reported that federal government agencies and the electricity industry had made significant strides in support of White House goals aimed at boosting the cybersecurity of critical infrastructure in the U.S.

In April 2021, the Biden Administration launched an Industrial Control Systems (ICS) Cybersecurity Initiative to meet its goal of strengthening the cybersecurity of the critical infrastructure across the country.

The initiative was kicked off with a 100-day action plan for the U.S. electricity subsector led by DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) in close coordination with CISA, and the Electricity Subsector Coordinating Council.

On July 28, 2021, President Biden further emphasized the importance of this initiative and broader cybersecurity efforts through his National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems.

APPA Offers Cybersecurity Resources

The American Public Power Association (APPA) offers a wide range of resources on cybersecurity for its members, including a Cybersecurity Defense Community.

Those resources include, among other things, the Public Power Cyber Incident Response Playbook, which walks through the steps and best practices a utility can follow in the event it experiences a cyber incident or attack. APPA is also working with the Department of Energy to help deploy Operational Technology, or OT, cybersecurity sensors at member utilities. 

Click here for additional information on APPA’s resources, or reach out to [email protected] to get involved.

Ditto Details Utility Sector’s Proactive Approach to Guard Against Cyberattacks

Among the many steps that the electricity sector takes to proactively guard against cyberattacks are tabletop exercises under which utility operators respond to a scenario and work through responses, said Joy Ditto, President and CEO of APPA, last October.

If such a scenario becomes a reality, “they have those lessons learned to apply,” Ditto said during a cyber summit held by the Aspen Institute.

Collaboration among the electric sector, government agencies and other industries plays a key role in the success of these exercises, Ditto pointed out.

FERC Moves To Close Gap In Reliability Standards For Electric Grid Cyber Systems

In January 2022, the Federal Energy Regulatory Commission (FERC) issued a notice of proposed rulemaking (NOPR) proposing to strengthen mandatory critical infrastructure protection (CIP) reliability standards by requiring internal network security monitoring for high- and medium-impact bulk electric system cyber systems.

The NOPR proposed to direct the North American Electric Reliability Corporation (NERC) to develop and submit new or modified reliability standards on internal network security monitoring to address what FERC regards as a gap in the current standards.