Tensions in the Baltic States and other areas around the world present opportunities for threat actors that include nation states, organized cybercriminals, domestic violent extremists, and general “hacktivists” and “script kiddies”.
Current events in this region are a red flag for business and operations leaders to assess their risk posture, mitigate unacceptable risks and increase resilience to plausible disruptions.
For cybersecurity professionals, this is a “deja vu” moment. Cyber warfare (the use of digital attacks against a target, such as an enemy state) has increasingly become an established form of asymmetric pressure, even without military action.
In 2007, a wave of distributed denial of service (DDoS) attacks disrupted banks, media and government services in Estonia during a dispute with Russia. Russia launched cyber attacks on Georgia (2008) and Crimea (2014) both before and during its military operations, and in both cases financial institutions were among the primary targets. A later attack on Ukraine's power grid, in December 2015, cut power to over 230,000 customers. It was the first publicly acknowledged successful cyberattack on a power grid: the attackers remotely opened breakers at distribution substations and then disabled or destroyed components of the operators' IT infrastructure to slow recovery.
The effectiveness of these measures caused military organizations around the world to reconsider the importance of network security for modern military doctrine and for cyber as an additional “battlefield”.
The financial services and energy markets are particularly at risk in the current environment. Both underpin the stability of society: banking enables trade and economic trust, and the energy market provides light, heat and transportation.
We have already seen consequences for the banks. The current government has stated directly that its sanctions plan targets Russian banks. UniCredit, one of several European banks with significant exposure to Russia, withdrew from a potential bid for a Russian bank amid tensions in Ukraine. In addition, DDoS attacks are costly for financial institutions: the cost of a single DDoS attack on a financial services company has been reported to reach $1.8 million.
From an energy point of view, Europe depends on Russia for around 35% of its natural gas. Europe is experiencing a much colder winter than expected, and its dependence on Russian gas has contributed to a 600% rise in gas prices over the past year.
Additionally, supply chain attacks are expected as an extension of offensive disruption operations and are already used by advanced adversaries. These attackers often combine multiple techniques and introduce new tooling that existing detections do not recognize. A supply chain attack also expands the scope well beyond a typical intrusion: compromising one software vendor or managed service provider gives the attacker a path into every one of that vendor's customers at once.
The recent crisis in Ukraine bears similarities to the crises that preceded those earlier attacks, so preparation is warranted. To ensure protection and resilience, prudent business and security leaders who support and manage the infrastructure of these markets should consider the following measures:
- Validate and strengthen the security of your perimeter protection, maintain inventories of key assets (people, applications, data, vendors, etc.) and critical failure points, and review your maximum allowable downtime estimates so that risk is managed against a known tolerance. Most importantly, ensure that operational technology (OT) is separated from your information technology (IT) networks, and that mission-critical IT systems and data assets are segmented from the rest of the organization.
- Run scenario-based simulation tests to prepare and identify gaps in your security and resilience plans.
- Review and improve your incident response and crisis management skills, recovery and communication plans and contact lists. Open clear escalation channels to high-risk areas to build rapid response capability.
- Review and confirm agreements for your third-party incident response support by asking questions such as: Is your organization guaranteed priority support when an incident affects many of the provider's clients at the same time? Is this documented in your service level agreements? Do you have a backup or alternative provider?
- Implement security best practices and guidance from established security frameworks such as NIST SP 800-53 and SP 800-171.
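The first measure above (OT separated from IT, and downtime estimates reviewed against what the recovery plan can actually deliver) can be turned into a repeatable check. The following script is an added example written for this page, not code from the original article or from any vendor. It reads a constructed asset inventory and a constructed set of network flow records (for instance, an export from a firewall or NetFlow collector) and reports two kinds of finding: flows that cross into the OT address range outside a small allow-list, and assets whose recovery time objective (RTO) exceeds the maximum allowable downtime (MAD) agreed with the business. All zone ranges, hostnames, addresses, ports and the allow-list are assumptions for illustration.

```python
"""Added example (not from the original article): an offline check of two of the
measures above, using a constructed asset inventory and constructed flow records.

1. Segmentation: every observed flow into the OT zone must come from an
   allow-listed source on an allow-listed port; anything else is a finding.
2. Resilience: every asset whose recovery time objective (RTO) exceeds its
   maximum allowable downtime (MAD) is a finding.

All zones, hostnames, addresses and numbers below are made up for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str          # "ot", "it-critical" or "it-general"
    mad_minutes: int   # maximum allowable downtime agreed with the business
    rto_minutes: int   # recovery time the current plan can actually deliver


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


# Constructed sample inventory (not real systems).
INVENTORY = [
    Asset("scada-hmi-01", "ot", mad_minutes=30, rto_minutes=20),
    Asset("plc-substation-07", "ot", mad_minutes=15, rto_minutes=60),
    Asset("core-banking-db", "it-critical", mad_minutes=60, rto_minutes=45),
    Asset("hr-portal", "it-general", mad_minutes=1440, rto_minutes=480),
]

# Assumed address plan: one range per zone.
ZONES = {
    "ot": ip_network("10.50.0.0/16"),
    "it-critical": ip_network("10.20.0.0/16"),
    "it-general": ip_network("10.10.0.0/16"),
}

# The only sanctioned path into OT: a hardened jump host over SSH (assumption).
OT_ALLOWLIST = {(ip_address("10.20.1.5"), 22)}


def zone_of(addr):
    """Map an address to its zone name, or 'unknown' if it is in no zone."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def segmentation_findings(flows):
    """Return flows that enter the OT zone from outside it, off the allow-list."""
    findings = []
    for f in flows:
        if zone_of(f.dst) != "ot":
            continue                      # not OT-bound: not this check's concern
        if zone_of(f.src) == "ot":
            continue                      # intra-OT traffic is out of scope here
        if (ip_address(f.src), f.dport) in OT_ALLOWLIST:
            continue                      # sanctioned source and port
        findings.append(f)
    return findings


def downtime_findings(inventory):
    """Return assets whose planned recovery time exceeds the allowed downtime."""
    return [a for a in inventory if a.rto_minutes > a.mad_minutes]


# Constructed flow records, as a firewall or NetFlow export might provide them.
SAMPLE_FLOWS = [
    Flow("10.20.1.5", "10.50.3.10", 22),     # jump host -> OT over SSH: allowed
    Flow("10.10.7.22", "10.50.3.10", 502),   # general IT -> PLC (Modbus): finding
    Flow("10.50.3.11", "10.50.3.10", 502),   # PLC -> PLC: intra-OT, ignored
    Flow("10.20.1.5", "10.50.3.12", 3389),   # jump host but RDP, not SSH: finding
    Flow("10.10.7.22", "10.20.4.4", 443),    # IT -> IT: not this check's concern
]

if __name__ == "__main__":
    for f in segmentation_findings(SAMPLE_FLOWS):
        print(f"SEGMENTATION: {f.src} -> {f.dst}:{f.dport} crosses into OT")
    for a in downtime_findings(INVENTORY):
        print(f"RESILIENCE: {a.name} RTO {a.rto_minutes}m exceeds MAD {a.mad_minutes}m")
```

On the constructed data the script reports the Modbus connection from a general IT workstation and the RDP session from the jump host as segmentation findings, and flags the substation PLC whose 60-minute recovery plan cannot meet its 15-minute downtime tolerance. Run against real flow exports, the allow-list is the place where the organization's actual IT-to-OT exceptions must be recorded; anything that shows up as a finding is either an undocumented path to close or an exception to document.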
Experience has taught the world that the speed of cyberattacks prohibits a “we’ll find out when it happens” approach to managing this risk. “Failure to plan” in today’s cyber world is not “planning to fail”; “Failure to plan” causes failure.