Experts at Singapore-based cybersecurity company Group-IB – Anton Fishman, head of system solutions, and Stanislav Fesenko, head of presales – spoke about potential cyber threats of national significance and how to guard against them.
What happened?
On June 15, The New York Times, citing US government officials, reported that the US was escalating cyber attacks against the Russian energy system. The new strategy is focused on planting malware in Russian power supply networks.
Shortly afterwards, US President Donald Trump accused the newspaper of lies and treason. The paper responded by saying that President Trump’s own national security officials were aware of the content of the article. Trump promptly demanded that The New York Times disclose its sources of information about cyber attacks on Russia.
Were there any attacks?
It’s not known for sure. Sergey Naryshkin, director of Russia’s Foreign Intelligence Service, said that his department was aware of US plans to carry out cyber attacks against Russia, according to TASS.
However, experts note that it is technically impossible to attack the entire Russian energy grid at once, for two reasons.
First, online attacks are only effective against automated stations, while in Russia most stations are manually controlled. In other words, if hackers were to remotely turn off the power in a particular city, an "IT SWAT team" would quickly show up to "flick a switch" and restore the supply. Any cyber attack would fall flat.
Second, all enterprises of potential interest to military hackers are very security-minded, and periodically test equipment with a view to cyber robustness.
So Russia can breathe easy?
Not entirely. The country does have some automated facilities that could be attacked. These are mainly located in and around Moscow and St Petersburg, as well as Sochi and Kaliningrad.
The most vulnerable to cyber attacks are large substations of a particular class. If several facilities at such stations are “attacked” simultaneously, it is possible for a whole region to suffer a blackout – and for a long time.
Additionally, the stations are fitted with all kinds of sensors and controllers for temperature, pressure, and other process variables, which are often located far from each other. To control all such devices, wireless channels via Wi-Fi or Bluetooth are used, which in turn connect to a single server hooked up to the Internet. Theoretically, hackers could attack both the server and the devices by connecting to the wireless link (although in the latter case they would need to be in the immediate vicinity of the target facility, which would be problematic for US-based military hackers).
How to protect against all this?
First, all critical infrastructure should use only domestic equipment. As such, Russia tries to avoid US equipment to alleviate the risk of remote-access backdoors.
There are in fact several companies in Russia that make automated equipment for substations, most of which are owned by Rostec State Corporation. Russian software is also homemade. That said, some components are procured in China or Taiwan, along with some rare purchases of electrical equipment from French company Schneider Electric and even rarer ones from Germany’s Siemens.
Second, a fairly common security method in use is segmentation of users by access rights. For example, each station has an office segment (ordinary office employees) and the main segment, where operators observe and manage the substations. The idea is that these two segments are not connected, so if a cyber attack hits the more numerous (and hence more prone to social engineering) office segment, the main control center will still be up and running.
Third, several years ago a class of security solutions against well-planned, targeted cyber attacks appeared on the market. These protect not only against individual hackers, but against government-backed and corporate ones, too.
Is that everything?
Not quite. There exists a special state system for the detection, prevention, and elimination of computer attacks on the information resources of the Russian Federation (Russian acronym: GosSOPKA). All information about incidents is first forwarded to dedicated units, and then to a single center run by the Federal Security Service (FSB).
Stations receive centralized damage-control assistance from this center in the event of a cyber attack.
So is Russia totally protected against cyber attacks?
Again, not entirely. In January 2019, Nikolay Murashov, deputy director of the National Computer Incident Coordination Center, an FSB structure, stated that Russia’s critical infrastructure was subjected to “sophisticated and targeted” cyber attacks from abroad. He did not specify which countries in particular.
Moreover, the power grid is not the only critical area. The oil-and-gas industry, for instance, has even more vulnerabilities, since it deploys a lot of automated equipment. And don’t rule out the transport system and large-scale industry (machine-building, metallurgy, etc.) as potential victims of military hacker attacks, either.