As tensions rose between Ukraine and Russia, ultimately escalating to warfare, the West expected Russia to use its cyber-attacking capabilities to target western critical infrastructure (CI) in a SolarWinds-style incident, especially in retaliation for ongoing sanctions against Moscow.
However, such an attack has not come to fruition despite government organizations like the US’ Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC), among others, issuing statements and warnings to CI organizations to bolster their cyber security and expect increased Russian cyber-activity.
CS Hub spoke to cyber security experts about their theories as to why we have not seen a SolarWinds-style attack yet and whether the West’s CI is sufficiently prepared if one were to occur.
Russia has the capability
Firstly, Charles Denyer, a national security and cyber security expert, told CS Hub that Russia does indeed have the capability to weaponize its cyber capabilities and could hit the West in a way which would have a similar impact to that of the Colonial Pipeline attack of 2021.
One reason such an attack has not been perpetrated, Denyer supposes, is the idea of mutually assured destruction (MAD).
As with the MAD principle that provides the cornerstone of global nuclear policy, a significant cyber-attack committed by Russia against the West could see an equal level of retaliation, which Moscow and Putin can ill afford as they become bogged down in the campaign against Ukraine.
“Russia is definitely among the top four or five cyber entities, with the US being number one,” Denyer said. “But from my understanding based on the intelligence apparatus of the US, they are clearly aware that if they hit the US with any type of meaningful cyber-attack that would really damage our CI to the point that American society would stop functioning, [Russia] knows what is going to happen. US Cyber Command would hit them back with an offensive counterpunch that could do damage of the likes the world has not seen.”
Concurring with this, Yuval Wollman, President, CyberProof and Chief Cyber Officer, UST, said, “Russia has extensive cyber capabilities. However, it is not using them at present. It seems that Russia is deterred by the West.”
The former Director-General of the Israeli Intelligence Ministry added, “While Biden has made it clear that he is not interested in sending in American troops, Putin does not want to risk changing that situation by doing something that would force the West to declare war.”
While an attack has not occurred yet, the CISA states on its website that, “Evolving intelligence indicates that the Russian Government is exploring options for potential cyber-attacks.”
Critical infrastructure preparedness
Multiple warnings from the likes of the CISA and NCSC have been published advising organizations to bolster their defenses. One of the concerns is that an attack at the CI level would have a major impact on a nation’s national security.
The CISA has gone as far as launching its ‘Shields Up’ campaign which encourages organizations of all sizes to adopt a heightened posture when it comes to cyber security and protecting their most critical assets.
As Rob Demain, CEO & Founder at e2e-assure, pointed out, CI is particularly vulnerable because of the destructive aspect of any cyber-attack bringing down such an organization.
“The key difference between CI and other organizations is that safety and availability [of systems] is key. That makes it quite difficult to respond quickly to cyber-attacks which may be moving faster than the CI organizations are set up to respond to. Specifically with destructive malware and ransomware and disruptive attacks the goal is to break something which can ultimately harm safety.
“Recovering some of these things, for example something that controls power supply, from complete destruction is quite a serious challenge that may need quite niche skills and resources that are not necessarily available in the cyber domain,” he explained.
Demain said the challenge is detecting and responding to the problems described, especially if it is a ‘destroy it’ type of attack.
He added that in terms of preparedness there is always more that can be done but overall, the threats are taken seriously.
Wollman said that improving the level of protection of critical infrastructure requires better collaboration between the public and private sector on an ongoing basis, “to a degree that is not currently taking place”.
For the US, most of its CI is owned by private sector organizations.