Click, Click…Boom

March 7, 2022
The new phase of cyber warfare began in Ukraine long before the bombs began to fall

Well before the bombs started falling in Ukraine, hackers were quietly invading its cyberspace. Systems were infiltrated, malware was developed, and attack plans filled whiteboards in dark offices in Moscow. DDoS attacks began disabling Ukrainian official websites days before a single soldier set foot across the border. Once the attack began, they unleashed data-wiping malware (called HermeticWiper) that is designed to instantly delete anything it infects. Think of it as ransomware, without the ransom.

Cyber warfare is not new. You can date attacks on Ukraine back to 2015, when a non-state threat actor named Sandworm devastated its power grid. Globally, it’s become part of every nation’s military operation, with billions each year spent on defensive and offensive weaponization of cyber. Whether countries are disrupting nuclear power plants, as with Stuxnet in 2010, or much more recently manipulating GPS systems onboard ships, countries have used cyberattacks to further their political and economic interests.

What’s significant about the Ukrainian conflict is that it will be a driver for hyper-acceleration and adaptation in industrial cyber warfare. Technologies advance the fastest during wartime. This is as true for atom bombs as it is for cyber attacks. Ukraine will be both a battleground and a testing ground for new techniques, methods and technologies. What comes out of that will have much wider and larger implications than this current conflict.

The Reshaping of Cyberwarfare Has Already Started

Ukraine has often been a favored target of Russian cyber-attacks. The proximity, political dynamics and infrastructure made it an ideal testing ground for new cyber threats, technologies and methodologies. However, embedding cyber-attacks as an integral part of a full-scale conventional invasion brings this to a whole new level.

You can already see drivers and dynamics emerging that will change and accelerate how cyber warfare is conducted. Consider what we’ve already seen in the short time of this conflict:

  • The fog of digital war – Nation-states have favored cyber-attacks because of the difficulty in attributing an attack to a particular threat actor or country. Put simply, it’s close to impossible to definitively prove that a specific country is behind an attack. This proves politically invaluable when you want to send a message. Now, in Ukraine, you have a massive volley of cyber-attacks that are clouded by the confusion of conventional warfare. There is simply too much confusion and activity to run the kinds of forensics you need to identify who, much less from where and how attacks are forming. The digital fog is simply too thick. In that fog, a lot can happen. Criminals can carry out their own cyber activity. Other nations can run false flag cyber-attacks. Threats in other countries can use this as a giant distraction to advance their own causes. When things get murky, cyber exploitations thrive.
  • No timetable for cyber – The cyber part of this war has been waged for years, whether as quiet intrusions known as advanced persistent threats or as earlier warning shots. Cyber simply needs no timeframe. Thus, there is no beginning or end to a cyber campaign. There are simply times of higher, more visible activity and impacts.
  • No boundaries, no borders, no rules – There are no internationally recognized rules of cyberwarfare. No Geneva convention. There are a few agreements, but since attribution is hard, those are not very enforceable. So, there is no limit to what could be done. Shutting down a government website is one thing, shutting off the power grid is something entirely different. Critical infrastructure will be the new battleground for industrial cyber attacks.
  • This is now a multiplayer game – The Ukrainian attack has the world’s attention. However, unlike previous major conflicts, the world is not standing by. While politicians are discussing sanctions, the cyber world has kicked into action. For example, the notorious hacktivist group Anonymous has declared its own cyberwar on Russia. The U.S. is considering its own cyber retaliation options. Anyone with an interest in this conflict can come to the digital table and play. That will reshape everything from alliances to power dynamics.

Wait Until You See What’s Next – What to Expect Moving Forward

For all the advanced cyber technology and techniques, we haven’t seen anything yet. In cyber terms, this conflict thankfully started too early. While traditional IT attacks are well developed, attacks on operational technology and industrial systems that make up our critical infrastructure are still in their youth. Attackers are still learning how to infiltrate industrial networks and companies are just beginning to understand how to protect them.

However, the motivation is there. Attacks such as the one on the Colonial Pipeline last year show the potential of impacting operations. That attack was primarily a traditional IT attack, but the company was forced to shut down operations. That sent a warning bell to the industry and a dinner bell to cyber attackers.

The reality is that operational networks and industrial cybersecurity are far less protected and much less mature than IT networks. The rush for digital transformation, data management, remote operations and automation is pushing this risk of attack even higher. The term “cyber-physical” is becoming much more known in board rooms as they have begun to realize that cyber is a clear and present risk to their operations and safety.

The Ukrainian conflict will accelerate this risk. This is no longer just about extorting money or gaining a competitive advantage. This will be central to national security and our economic stability. The new battlefield will be in the networks and equipment that make our countries run.

Lessons We Better Learn Now

We can learn a lot already from the Ukrainian conflict. We can see that cyber will be an ever-increasing part of warfare. We can expect that this will hyper-accelerate the spending on cyber, the sophistication of attacks, and the importance it has to international politics. We can even see how it is reshaping who is involved in a conflict.

What we need to learn, however, is the most basic lesson. We need to take industrial cybersecurity seriously. This isn’t a far-off conflict, it’s a persistent war on our infrastructure and operations. The target and the battlegrounds are our networks and companies.

To address this risk, we need to begin by doing the basics. Industrial cybersecurity, at its core, comes down to visibility and control. That means putting in the OT cybersecurity operations that provide asset management (shows you what to protect), vulnerability management (shows you the exposures in your network) and network monitoring (shows you if you are being attacked). For years, companies have been delaying putting in fundamental OT cyber operations, saying that an attack is unlikely or the controls are too expensive. We can no longer afford that type of thinking. The Ukrainian conflict is part demonstration and part warning. The question is whether we will learn the lesson.

About the author: Ian Bramson is the Global Head of Industrial Cybersecurity at ABS Group. Bramson is a recognized leader in the emerging threat landscape of attacks on industrial operations and critical infrastructure. With more than 20 years of experience in cybersecurity and technology, Ian works directly with executives in the energy, industrial and maritime sectors to help minimize their cybersecurity risks.