U.S. President Joe Biden is urging American providers of critical infrastructure, such as banks and energy companies, to be alert because of “evolving intelligence” that the Russian government is “exploring options for potential cyberattacks.”
“If you have not already done so, I urge our private sector partners to harden your cyber defenses immediately by implementing the best practices we have developed together over the last year,” he said in a statement.
“You have the power, the capacity, and the responsibility to strengthen the cybersecurity and resilience of the critical services and technologies on which Americans rely. We need everyone to do their part to meet one of the defining threats of our time — your vigilance and urgency today can prevent or mitigate attacks tomorrow.”
He also released a list of things firms should do now, including mandating the use of multi-factor authentication on IT systems.
In response to questions from ITWorldCanada, a spokesperson for the Canadian Centre for Cyber Security, which advises the private sector, said it isn’t aware of any current specific threats to Canadian organizations in relation to events in and around Ukraine.
However, the spokesperson added, “there has been an historical pattern of cyber attacks on Ukraine having international consequences, such as the malware known as NotPetya in 2017. This is why we have issued unclassified threat bulletins reminding Canadian critical infrastructure operators and defenders to be aware of the risks and take mitigations against known Russian-backed cyber threat activity.
“Now is the time to take defensive action and be proactive in network monitoring and applying appropriate mitigations.”
The spokesperson said the Centre has been in touch with critical infrastructure partners “over the past several weeks to provide briefings on the Canadian cyber threat environment.”
In a press briefing Monday, U.S. deputy national security advisor for cyber Anne Neuberger said the President’s public warning follows classified briefings held last week with 100 select companies on “preparatory” work for cyber attacks that the government has recently seen. She wouldn’t detail what that evidence was.
She did say the classified meetings were with companies Washington thinks might be affected, and included sharing resources and threat intelligence to help them harden defences. The offer included hands-on support from the FBI.
This is part of an effort including classified and unclassified briefings with firms that started last fall, she added, as well as cybersecurity orders directly given by federal agencies to companies. For example, she said, the Transportation Safety Agencies gave certain orders to pipeline companies after the ransomware attack last year on Colonial Pipeline. There have been what she called significant improvements.
“Notwithstanding these repeated warnings, we continue to see adversaries compromising systems that use known vulnerabilities for which there are patches. This is deeply troubling. So we’re urging today companies to take the steps within their control to act immediately to protect the services millions of Americans rely on and to use the resources the federal government makes available.”
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has a regularly updated list of known vulnerabilities that hackers commonly use, most of which have patches available.
Failing to patch makes it easier for hackers, she said. “Lock your digital doors,” she urged companies. “Make it harder for attackers.”
“Preparatory activity” could include scanning websites or looking for IT vulnerabilities, she said. “We’ve given a number of threat warnings over the last number of weeks that Russia could consider conducting cyber attacks in response to the significant economic costs the U.S. and partners have put on Russia” for invading Ukraine. The latest intelligence “speaks to evolving threat intention and a potential shift in intention to do so.”
“To be clear,” Neuberger added, “there is no certainty there will be an incident on critical infrastructure.” But because of evidence of preparations the government has seen, it wants to urge critical infrastructure providers to pick up the pace of their work. “This is a call to action and a call to responsibility for all of us,” she said.
The U.S. and Canada largely have the same list of industries that fit into the definition of critical infrastructure. In Canada the list appears shorter because industries are folded into one heading (for example, energy producers). On the U.S. side the list separately enumerates dams, chemical producers, communications providers, emergency services providers, the financial sector, governments at all levels, IT producers, transportation firms, nuclear reactors, water producers, the healthcare sector, food providers, critical manufacturers, the defence sector and commercial facilities (such as malls and hotels).
There are four implications of the new Ukraine-Russia advisory from the White House, said Karthik Kannan, CEO of Anvilogic:
- firms should act immediately on tactical low-hanging fruit initiatives such as multi-factor authentication, disaster recovery/backup practices, regular patching for vulnerabilities;
- firms should make continuous investment in threat detection;
- application developers must, if they haven’t done so already, start thinking security in their daily development processes to make stronger and more resilient applications that are harder to breach;
- companies must collaborate with their peers and with government agencies to learn more about threats as well as share best detection/response/mitigation practices.