Amit Yoran, Chairman and CEO, Tenable
CIO News

Securing US critical infrastructure against Russian cyber threats

Knowing what the threat is, the impact it could have on your systems and how to respond is far more important than knowing where the threat is coming from. Understanding where the threat is coming from is useful from the perspective of national cyber strategy, defense and intelligence. It can also help determine how to prioritise remediations based on the motivations of threat actors.

Beyond that, knowing where a threat is coming from has little impact on how an organisation responds. For almost all organisations, cybersecurity risk management practices are the same regardless of whether the attack is coming from the Russians, other nation states, cyber criminals or other bad actors.

Ransomware is also a very flexible weapon, demonstrated by Russian-attributed malware BlackEnergy and CrashOverride

Ransomware against critical infrastructure providers is incredibly profitable for cybercriminals, as demonstrated by the Conti ransomware data leaks. The Conti group and its affiliates reportedly made use of over 30 known vulnerabilities, some of which were first disclosed in 2018. The Conti bitcoin wallet data showed more than $1 billion had been paid, creating a massive funding method for Russian actors.

Ransomware is also a very flexible weapon, as demonstrated by the Russian-attributed malware BlackEnergy and CrashOverride, both of which were used in attacks against the Ukrainian power grid and were very sophisticated and modular with payloads that could be delivered in near real-time to the victim. Two separate indictments from the Department of Justice were unsealed on March 25, charging four Russian nationals for extensive hacking campaigns against critical infrastructure providers worldwide.

Ransomware against critical infrastructure providers is incredibly profitable for cybercriminals

Last week, President Biden warned of the potential for Russian cyberattacks against the United States in response to the economic costs we have imposed following the invasion of Ukraine. He urged governors, private sector partners and critical infrastructure providers to harden their cyber defences immediately.

The White House also issued a Fact Sheet, Act Now to Protect Against Potential Cyberattacks, that called for companies to deploy multi-factor authentication, continuous monitoring and threat mitigation, to make sure systems are patched and protected against all known vulnerabilities, build security into products from the ground up, and use modern tools to check for known and potential vulnerabilities.

Critical infrastructure is not one thing, and most critical infrastructure industries vastly differ. The Cybersecurity and Infrastructure Security Agency, CISA has identified 16 critical infrastructure sectors in the US, including financial services, energy providers, water and wastewater treatment facilities, and transportation systems.

There is no singular defense paradigm that could effectively be applied across all the sectors. Some critical infrastructure providers have a high degree of cybersecurity preparedness, strong risk understanding and risk management practices, and very strong security programs. Others are woefully ill prepared.

The Cybersecurity and Infrastructure Security Agency, identified 16 critical infrastructure sectors in the US

All critical infrastructure sectors continue to undergo digital transformation, resulting in an expanding cyber attack surface. New technology investments represent great efficiency opportunities, like the move to smart factories and smart cities, but these shifts can introduce real gaps in security. Without enhancements to security and resiliency, critical infrastructure providers are left unprepared to address cyberthreats.

Just this week, a new report from the Center for Strategic and International Studies and Trellix, yet again, put this lack of preparedness in writing. The report, based on survey results from 800 IT decision-makers from several countries around the world, including the United States, found that 9% of critical infrastructure operators don’t even have a cybersecurity strategy in place, despite the fact that 85% of respondents believe they have been targeted by a nation-state cyberthreat.

While differences can be found in security readiness of individual banks, the sector is resilient as a critical infrastructure

Certain critical infrastructure sectors better understand strategic risk assessments and cyber risk management as a discipline. Generally speaking, the cybersecurity practices in these markets and industries have been more highly regulated than others.

For example, the financial services sector has long relied on IT and has built strong cyber risk management processes and practices. Most modern banks realise that, in many ways, they are technology companies. For decades, everything from bank accounts to transactions to data analytics have been digitised, resulting in a culture of strong security practices. These security practices have been encouraged through a high level of regulation and oversight.

There is no singular defense paradigm that could effectively be applied across all the sectors

While dramatic differences can be found in the security readiness of individual banks, the sector as a whole has strong security and is resilient as a critical infrastructure.

For years, the electric industry operated on voluntary compliance of reliability standards, but following the Northeast blackout of 2003, Congress authorised the mandatory development of reliability standards, which included cybersecurity Energy Policy Act of 2005.

Due, in part, to regulation by the Federal Energy Regulatory Commission FERC, which oversees the reliable operation of the bulk power system, the electric sector has improved cyber resiliency. FERC certified the North American Electric Reliability Corporation NERC to oversee electric reliability, and as part of its definition of resilience, included cybersecurity as critical. Today, cybersecurity standards in the energy sector continue to be developed and enforced by NERC resulting in improved security and reliability.

Healthcare and manufacturing, average twice as many critical vulnerabilities per device

As IT and operational technology OT systems become increasingly interconnected, even some well managed critical infrastructure sectors remain at risk. For example, some industries, such as mining, chemical plants and fuel pipelines, already have safety systems to prevent destruction of physical infrastructure and bodily harm or loss of life.

However, as organisations increasingly interconnect their IT and OT systems in the pursuit of improved efficiency, more control settings become digitised. As a result, the effectiveness of some of these safety measures may be brought into question.

Other critical infrastructure sectors have not prioritised cyber and are largely blindsided by cyber as a strategic risk. Some of these sectors have not historically thought of interconnectivity, access, complexity and digitisation as strategic cyber risk and haven’t been regulated in that way.

For example, many healthcare providers and hospitals have long viewed IT as a cost efficiency play for automation and sharing information when needed to provide better care, not necessarily a strategic asset. Consequently, attackers have caught many healthcare organisations off guard.

Financial services and energy sector, average about the same number of critical vulnerabilities per device

A closer look at the data reveals stark differences among critical infrastructure sectors. According to Tenable’s own vulnerability data, financial services organisations and organisations in the energy sector, which encompasses more than the electric sector, average about the same number of critical vulnerabilities per device, showing a relative approximation in the maturity of their cyber practices. Contrast that with healthcare and manufacturing, which average twice as many critical vulnerabilities per device.

The median time for financial services and energy sector organisations to remediate a critical vulnerability is approximately 12 days, while manufacturing and healthcare average 29 and 32 days, respectively. This gap provides adversaries ample opportunity and highlights the sample disparities in the cyber maturity of these sectors.

There are fundamental steps all providers must take, from knowing what’s on their network and how those systems are vulnerable to addressing those exposures, and from controlling user access and privileges to managing critical systems that are interconnected, that will make it harder for bad actors to compromise critical infrastructures.


All US critical infrastructure sectors continue to undergo digital transformation representing efficiency, but these shifts also introduce gaps in security.

Amit Yoran, Chairman and CEO, Tenable
Amit Yoran, Chairman and CEO, Tenable.