Cyber Threats to Critical Infrastructure
Part one of our three-part cybersecurity series focuses on cyber threats to critical infrastructure, risk mitigation and how the Russia-Ukraine conflict may also increase the threat of cyber-attacks to both the government and private sectors.
Below is a transcription of the discussion between AmeriVet Vice President and U.S. Marine Corps veteran Jason Pandak and our newest advisory board member, Colonel Brian Denman, who retired from the U.S. Air Force in 2019, after a distinguished 25-year career in communications and cyberspace warfare.
You can also listen to their full conversation.
AmeriVet Securities: My name is Jason Pandak, Senior Vice President at AmeriVet and I’m here with Colonel Brian Denman, U.S. Air Force, retired, who joined our Advisory Board last year. Thank you for joining me today, Colonel Denman.
Colonel Denman: Thanks Jason, I’m happy to be here with you today.
AmeriVet Securities: Colonel Denman, before we jump into today’s topics, can you share some additional information on your background and time in the military?
Colonel Denman: Sure. I may date myself here, but I was certainly blessed to serve our nation for quite a long time in the military, and equally blessed to have served when I did. My career paralleled the growth of the modern internet in many ways. When I graduated from high school, the internet had all of 20,000 computers networked together. The first web browser was created the year I was commissioned as a Lieutenant. The roles I served in during the last decade of my career didn’t exist when I first entered the service. I spent just as much of my time in the military’s version of “startup companies” as I did in mature organizations while in the Air Force.
My perspective comes from more than just my direct experiences in the Air Force. Within the military, I was privileged to work with and lead “Joint,” or multi-service teams. I’ve also been fortunate to work with interagency partners within the government, including law enforcement and the intelligence communities, allied governments and international partners, and amazing people in the private sector.
Over the past decade, it has been a privilege to serve in a wide range of roles; from very large-scale enterprise IT operations to advanced cybersecurity and cyber warfare training, to national-level cyber strategy and policy formulation, to leadership of elements of U.S. Cyber Command’s action arm – the Cyber Mission Force.
During my last tour in the Air Force, my team and I organized, trained, equipped and deployed some of U.S. Cyber Command’s initial “Hunt Forward” cyber teams and were able to see them achieve some of their first successes as they bolstered the cyber-resilience of partners around the world. Those teams are now a cornerstone of U.S. Cyber Command’s “Persistent Engagement” strategy.
AmeriVet Securities: That’s helpful, sir, and I appreciate you sharing your background with us. I think it will be helpful for those listening to know that you continue to work in cybersecurity today and are able to provide a current perspective on this topic. Let’s go ahead and get into our discussion for today.
The Colonial Pipeline ransomware attack in May 2021 was one of the largest and highly publicized cyber-attacks, sparking concerns across the U.S. As one of the largest fuel pipelines, moving gas, diesel and jet fuel from Texas to New York, Colonial Pipeline immediately halted operations in order to contain the attack. The company paid a ransom of $5million to a Russian-based hacker group, a process which was overseen by the FBI.
Now, with the invasion of Ukraine, many believe the risk of cyber-attacks are greater than ever. Can you provide a little more background on what’s going on right now in cyber – do you believe there have been any massive shifts in cyber defense since the war began or is it business as usual for those who work in the space?
Colonel Denman: I wouldn’t characterize what we are seeing as a massive shift in cyber defense, nor would I call it business-as-usual in any sense of the term. I would characterize the current state of affairs as a significant heightening of concern over cyber-attacks that have grown steadily in scale and impact for the last three decades.
In the immediate term, our focus is on Russia, an already highly capable threat actor whose willingness to act in cyberspace has likely increased in conjunction with its invasion of Ukraine. There has been a steady drumbeat of Russia-attributed attacks against the Ukraine and others for years, particularly since the conflicts in Crimea and the Donbas turned hot in 2014. Some of those attacks spilled out of the conflict, with global impact.
Since shortly before the Russian invasion of the Ukraine in February, what we have seen is significant intensification of cyber defense activity at the government, industry and even individual levels. Few of the actions that are being taken are unprecedented, but their urgency and speed are different. It’s much faster, even when you look at a historical baseline of cybersecurity activity that is generally quite active on a regular basis.
If there has been any massive shift recently, it is the increased attention being paid the risks posed by malicious activity in cyberspace. It might be useful to discuss what is going on right now in terms of threats, risks, and ongoing mitigation activities.
The Colonial Pipeline ransomware attack was a very visible example of the sort of threats that keep cyber defenders on high alert, as global tensions increase. It was an eye-opener for some Americans, particularly those on the U.S. East Coast, of the very real potential impacts that could result from a cyber-attack on critical infrastructure. This type of threat had often been talked about, but rarely felt so publicly.
Among cybersecurity and industry experts, the incident was also eye-opening in terms of the psychological and societal effects that stemmed from it. While the incident itself did create a temporary reduction in the availability of petroleum products in the region, the second order effects, such as public runs on gas at local gas stations, magnified the supply-and-demand imbalance and threatened to turn crisis into calamity.
That said, while some pundits are saying the cyber threat has been “over-hyped,” there is not much hyperbole in concerns over cyber-attacks associated with the Russian invasion of the Ukraine. There’s precedent; these things have happened before and most of the concerns are based on recent history.
One such recent historical example is illustrative; the most economically damaging cyber-attack in history occurred just five years ago and also has roots in Russia’s ongoing conflict with the Ukraine. The attack occurred in 2017 and it was not a singular cyberattack, like the Colonial Pipeline, nor was it ransomware.
Instead, it was a self-replicating and destructive malware that posed as ransomware to keep cyber defenders on their heels. The malware had an odd name: “NotPetya,” that was coined because it was designed to look like a different family of cryptomalware, which is malware that relies on encrypting files.
Like ransomware, it encrypted data and files on victim systems, rendering them just as inoperable as if the data and files had been destroyed, then displayed a ransom message offering a decryption key and further exploited trusted connections with other computers to spread through networks and organizations.
The difference with NotPetya is that the decryption key would never be forthcoming – whether the victim tried to pay a ransom or not.
Initial disruptions were felt across Ukrainian government ministries, banks, transportation systems and a host of other critical and non-critical infrastructure – and it didn’t stop there. it rapidly spread through trusted connections or relationships to corporate networks spanning across companies, subsidiaries and other business partnerships outside the Ukraine.
Forensic analysis by multiple respected cybersecurity firms uncovered that threat actors had initially implanted NotPetya in a Ukrainian accounting software package as part of a “supply chain attack” or an attack designed to impact customers downstream from a product provider. This meant the malware was not tightly targeted – it propagated in a worm-like fashion.
The full scope of the damage from NotPetya may never be fully captured because it happened to different industries around different timeframes. Still, the impacts we do know of were significant and measured to be worth about $10 billion in total.
These impacts that we do know about included major companies and some critical infrastructure, such as:
- Maersk, a provider of 20% of the worlds shipping volume, who experienced a 10-day global shutdown affecting operations at nearly 80 ports and on more than 800 ships.
- FedEx, who experienced $300 million in distribution and business degradations that rippled company-wide for over five months.
- Food production company Mondelez International (formerly known as Kraft Foods — the people who put Oreo cookies, Cadbury chocolates, and other snack foods into your cupboard), who saw supply and distribution disruptions valued at $100 million.
- Pharmaceutical giant, Merck, had disruptions to its formulation, production, packaging and other business operations had insurance claims valued at over $1.4 billion in damages.
It’s useful to also have a conversation about cyber insurance, an area where the NotPetya attack also had a significant impact.
The damage claims for Merck and Mondelez were initially rebuffed by insurers who cited “acts of war” as an exclusion for non-coverage. This finding by the respective insurers was likely a second-order effect from the attribution of the attacks to the Russian government operatives and is not yet “settled law.”
This is one of several scenarios that causes concern today; NotPetya was a cyber-attack on Ukrainian targets that had massive collateral damage outside the Ukraine. Concerns about a cyber-attack originating in Ukraine and affecting others across the globe are not unfounded.
Since January 2022, there has been a spike in the number of cyber-attacks occurring in the Ukraine and, unlike NotPetya, most dispense with the fake ransomware façade.
Prior to the invasion of Ukraine, we saw “WhisperGate,” which impacted a range of Ukrainian systems. This was followed by another destructive attack called “HermeticWiper,” which occurred in concert with the invasion.
While most attacks have been constrained to Ukrainian targets, there has been some collateral damage from cyber-attacks outside the immediate area of conflict.
One example of this was an attack on Ka-band satellite ground terminal equipment, specifically satellite modems, which impacted public and private sectors in both the Ukraine and across Europe.
This attack degraded satellite communications in the region and seemed to be timed with the physical invasion. It was destructive in nature – in many cases, requiring replacement of affected satellite modems. While this attack has not been formally attributed at this point in time, all signs connect this attack to Russia.
Another threat scenario that causes concern is a deliberate cyberattack on the U.S, or other Western interests, in retaliation for sanctions and support to the Ukraine.
In mid-April, the Cybersecurity and Infrastructure Security Agency (CISA) director, Jen Easterly, reiterated this concern and that all intelligence points to the likelihood of an attack in the near future. Her concerns were deliberate attacks on either the energy sector or the financial sector.
There’s precedent for that behavior too – according to DoJ indictments at the time, from 2011 – 2013, Iranian threat actors carried out a series of cyber-attacks against banks and even attempted an attack on critical infrastructure – a very small dam in New York state — in response to sanctions that had been put on Iran at the time.
Threat Response and Risk Mitigation
Neither of the two are being done in a business-as-usual sense today.
Just as U.S. intelligence broke its business-as-usual norms through the remarkably open reporting of intelligence on the Russian military buildup prior to the invasion of Ukraine, the U.S. government has also opened the aperture on warnings and threat information to U.S. citizens, companies and other interests worldwide.
CISA has taken the unprecedented step of recommending that all organizations – large and small – “put their shields up” and prepare to respond to Russian cyberattacks. Other equivalent Western government organizations, like the National Cyber Security Centre in the U.K., have done the same.
Despite the surprising battlefield setbacks seen by the Russian military on the ground in the Ukraine, we do know that Russia retains a considerable and proven offensive cyber capability.
The broad concern is that Russia may choose to use that capability to weaken the resolve of Western democracies and impose costs on anyone who doesn’t support the Kremlin’s choices – particularly if Russian military setbacks continue, economic sanctions dig deeper, and Ukraine can’t be coerced into an agreement that favors Russia diplomatically.
Cyber warfare has a relatively low barrier to entry, meaning that nearly anyone with the funding to procure an internet connection and free software can get into the game.
This makes cyber warfare an appealing asymmetric capability against economies and societies that are heavily dependent on networked computers and the internet, as we are in the U.S.
While the most acute concern is focused on destructive or disruptive cyber-attacks, Russia and other threat actors still have interest in cyber espionage, as well as cyber-enabled financial and intellectual property theft, especially given prospect of impaired access to Western technologies.
There is also the continuation of cyber activities designed to both undermine public confidence and sow dissent amongst citizens. With all that focus on Russia, it is wise not to forget all the other, very well-known cyber villains who have credible capability – they are not backing off either.
AmeriVet Securities: Do you think Colonial Pipeline ransomware attack set a dangerous precedent or sent a message to hackers that these attacks work?
Colonel Denman: Paying a ransom in a ransomware attack is a risk-based decision whether you are an individual, an organization or a nation state, if it comes to that. There no one-size-fits-all answer; there’s an attack, there are consequences from the attack and then there are a range of options that are available afterward.
It was reported that Colonial Pipeline paid a $5 million ransom to Eastern European hackers. It’s been alleged that the payment went to a hacker group primarily located in Russia called DarkSide, who was the facilitator of the ransomware attack.
Paying a ransom may trade short-term relief for long-term pain. It also adds to the pain of others. There are multiple factors behind this:
- Your attacker will know you are willing to pay and how much you are willing to pay. It is an invite for them to find more ways to extort you and this also raises the stakes for your security team.
- Obviously, ransomware only works because people are willing to pay ransoms. It also works because people can pay using difficult-to-trace, but highly volatile, digital currencies (at least we thought they were untraceable – in the Colonial Pipeline case, the FBI seized a large amount of the cryptocurrency ransom).
- Ransomware is so profitable for criminals that it is offered as a “service” today, which is widely considered what happened to Colonial Pipeline. DarkSide, the ransomware “vendor” in the Colonial Pipeline case, offered their ransomware as a service to customers for a fee – or a cut of the ransom.
- The cost imposition balance will continue to be out of your favor. Ransomware attacks can be trivial to execute at scale, but the victim faces at least three cost “categories” that result from an attack: the cost of the ransom payment (if paid), the cost for business recovery post-attack and the cost to pay for improved security to prevent recurrence. The amount of the cost in the latter two categories is driven by the idea of “restoral of trust” in your infrastructure – but it is important to note that paying a ransom does not automatically buy back that restoral of trust in your data and environments.
Paying a ransom may be useless. Recall our NotPetya example. Fake ransomware can be as common as ransomware. Your ransom payment may be accompanied by silence, that will be drowned out by the chaos of your own company or organization being fully offline, from an IT perspective.
Paying a ransom may be illegal. If an individual, organization or country has been formally sanctioned by the U.S. government, then it is typically illegal to transact with them financially. This may be true for both the payer of the ransom and anyone who facilitates ransoms on the victim’s behalf – meaning cyber insurers, digital forensics and incident response firms and financial institutions may also be at risk of potential sanctions violations.
According to the Department of the Treasury’s Office of Foreign Assets Control, civil penalties for sanctions violations (for ransomware or other reasons) are based on strict liability, meaning that a payer, or facilitator, of ransoms might be held civilly liable even if they were unaware that a transaction was with a sanctioned entity.
If a firm were to pay a ransom to someone who is on the sanctioned list, but it wasn’t found out until after the ransom was paid that they had actually paid a terrorist, there is still a liability concern, which is important to consider.
Paying a ransom may become a harmful public statement, especially if the beneficiary of the ransom is an attacker whose aim is to harm the security of your customers, constituents or other stakeholders.
It also may also be perceived as a concrete statement regarding the preparedness of an organization for risks that, today, should be commonly considered – paying a ransom is often considered a last-ditch effort because an organization has no other practical option and has failed in every other way.
How do you regain the trust from your stakeholders afterward? There’s a lot to consider.
AmeriVet Securities: What, if any, are the risks involved for the everyday American, as cyberattacks on infrastructure and the energy sector continue?
Colonel Denman: Before diving into any discussion on risk, some perspective is in order. Hollywood has done an impressive job portraying hackers as all-powerful beings conveniently able to bend any complex to their will in a few short keystrokes. Reality can be very different; cyber-attacks, even by well-resourced and highly skilled nation-state actors, can be difficult to successfully carry out.
A significant number of cyber-attacks are simply opportunistic, where the hacker has an exploit in their toolkit and simply searches for those who might be vulnerable; I would say there is a good chance that the Colonial Pipeline fit that mold. Many ransomware attacks fall into this category.
Focused cyber-attacks on well-defended targets, on the other hand, can be very difficult, no matter who you are. They are often very lengthy efforts, that can sometimes be thwarted by a single configuration change or software patch. An attacker can put a lot of time and energy into trying to attack a target with only modest return on that investment. Focused effort put towards defense can go a long way against all but the most sophisticated actors.
Attacking a well-defended and technologically bespoke critical infrastructure system can be particularly challenging for the attacker – if it weren’t, we would likely see even more attacks that we already do today.
So, when we talk about risk, it is best to discuss in terms of the probability of the risk event and the consequence if it does happen.
For the average American, an attack of any kind on critical infrastructure potentially represents a high consequence event – almost by definition – but not necessarily a high probability one. Our concern is that the probability of a high consequence cyber-attack on critical infrastructure has grown, as that infrastructure has become more automated and interconnected – and therefore more vulnerable. Threat actors have become more skilled and motivated to do harm in this way.
What does this risk feel like in real terms – why all the angst?
Recently, the U.S. experienced an event that illustrates what a high consequence risk to critical infrastructure both looks and feels like: the Texas power grid failure in February 2021.
You may recall that Texas suffered a broad failure of its (separate) electrical grid due to a rare, but not entirely unexpected, series of winter storms.
This was a natural disaster, not a cyber-attack, that power grid operators had failed to foresee, despite a clear trend of increasingly extreme weather and numerous warnings in the preceding decade.
The power outages from that failure affected almost the entire state and persisted for days; for some, over two weeks. It’s worth noting that we have seen cyber-related power grid attacks in the Ukraine which had smaller scope, but similar, impacts.
The scale of the outages during a time of severe weather made conversations about continuing business operations moot. As much as we talk about continuity plans to preserve businesses, most citizens – and most employees of an organization – had more fundamental needs: heat, food and water.
The second, third and fourth order effects of this on society were remarkable and maybe even unappreciated until they actually occurred.
Consider one such cascading chain: fighting fires. During the grid failure, many citizens turned to alternate heating sources, such as fire – often without being equipped to safely do so.
The result was an increase in fire incidents, which were more difficult to handle due to the lack of water distribution and fuel availability – both water pumps and gas pumps require power. Even backup generators require refueling for extended operations. This is the nature of critical infrastructure.
How does this relate to a hypothetical cyber-attack? There are parallels between this natural disaster and a successful cyber-attack, as the latter could yield similar consequences, perhaps at a different scale. The greatest fear is that a successful attack could have extended consequences – for weeks or months.
This fear is not unfounded either, as the Texas grid almost experienced that sort of extended outage during the 2021 winter storm event.
Why? In order to function without overload or damage, power grids must maintain a balance between energy supply and demand, to keep power generation and distribution machinery physically operating within safe limits.
During the crisis, power grid operators could not maintain this balance. As power production resources went offline, demand simultaneously spiked due to increases in electricity use for heating and other cold weather needs.
To avoid even more catastrophic damage, the Texas grid operator was forced to shut the distribution system down completely. In essence, this requirement for balance in distribution systems meant that a loss of “only” 40 – 50% of power production resulted in a 100% loss of power for consumers, for an extended period. As bad as the power outages were, the shutdown prevented a greater catastrophe than it caused.
For example, replacing an extra-high-voltage transformer in a power substation is a very expensive and logistically complex action, involving an asset that often must be custom built with exceptionally long manufacturing lead times.
At scale, as might be required in the aftermath of a major disaster or cyber-attack, replacement time frames for some key assets might extend into months or years, and that assumes the manufacturers and their supply chains not also been affected by the power outage.
The idea of a cyber-attack causing physical damage to energy resources is not hypothetical — it has been proven. As early as 2007, U.S. government researchers successfully tested the concept, using cyber means to destroy a 27-ton power generator by corrupting safety controls – specifically a remote-controlled protective relay.
Russia has conducted similar attacks in the Ukraine and has turned the conflict into a proving ground for energy-related cyber-attacks. We have seen those type of attacks continue, the latest occurring in just the last month, which is why there is increased concern about high-consequence attacks happening here in the U.S.
Companies in the energy sector are on full alert and are more informed than ever about risks and threats. The big question is whether they have the wherewithal to harden their infrastructure sufficiently and build resilience against those threats. Against a skilled, capable and now increasingly motivated threat actor, the cyber risk to the energy sector – indeed, all sectors – remains elevated.
The time to be ready is now.
About Brian Denman
Colonel Brian Denman retired from active duty in 2019, after a distinguished 25-year career in the U.S. Air Force as a communications and cyberspace warfare operations officer.
During his military service, he led Cyber Protection Teams for U.S. Cyber Command, the U.S. Air Force’s advanced cyber warfare and information operations schoolhouse, an enterprise network operations unit responsible for the global operation of the U.S. Air Force’s networks and an intelligence support unit.
Additionally, Colonel Denman served as a strategic planner and resource advocate on the Joint Staff, where he focused on Russia and emerging cyber threats. In this role, he also supported the creation and employment of the nation’s Cyber Mission Force, U.S. Cyber Command’s action arm to execute cyberspace operations in defense of the nation’s interests.
A native of Spokane, Washington, Colonel Denman earned his commission as a Second Lieutenant in the Air Force and his bachelor’s degree in business administration, with a focus on management information systems, from Washington State University in 1994.
He earned a master’s degree in management from Troy University and a master’s degree, with distinction, in national security and strategic studies from the U.S. Naval War College. In addition, he is a Certified Information Systems Security Professional and holds multiple cybersecurity industry certifications.
Following his military career, Colonel Denman and his wife, Amy, returned home to Spokane, where they own and manage a cybersecurity consulting and training firm, Sentient Forge, LLC.
He is devoted to educating our next generation of cyber professionals and helping organizations find success in today’s challenging security environment.