How the Ukrainian conflict will make energy value chains the new battlefield for cybersecurity
Mar 10, 2022 by Energy Connects
What’s significant about the Russian conflict in Ukraine is that it will be a driver for hyper-accelerating and adapting industrial cyber warfare.
Conflict drives change. From social, to economic, to political, war is a time where old rules are put to the test, and new innovations drive change. This is no more evident than with technology. ABS Group looks at the chain reactions from the Russian conflict in Ukraine.
Consider three key drivers that are emerging from the present conflict:
- Warfare is now a multiplayer game. The Russian attack on Ukraine has the world’s attention. However, unlike previous major conflicts the world is not standing idly by. While politicians are discussing sanctions, the cyber world has kicked into action. For example, the notorious hacktivist group Anonymous has declared their own cyber war on Russia. Many nations are also considering deploying tools from their cyber-war chest. Anyone with an interest in this conflict can come to the digital table and play. This includes nation states, independent organisations or any players with the requisite skill sets that want to run false flag operations to advance their own interests. This has the potential to reshape everything from global strategic alliances to power dynamics.
- In the connected world, conflict will be borderless. Attacks against Russian assets are happening world-wide, from yachts and villas owned by Russian oligarchs to banks, businesses and critical infrastructure. Everything, everywhere is fair game.
- Energy value chains are a natural target – The energy sector is at the heart of global economies. Everything from manufacturing, to shipping, to daily operations depends on the development and transport of energy. The energy sector has been under attack for years. For example, the Colonial Pipeline attack demonstrated how to conduct cyber attacks to affect operational technology and derail supply chains and economies. In the current conflict, Russia is focused on energy targets as part of its core invasion strategy. This has become a critical part of wartime strategy. Cyber attackers know that hitting the energy value chain is a way to cripple an economy and destabilise national security.
Put these drivers together, and you have the potential for this conflict to spill into a global, digital war waged in networks and systems that make up our energy value chains. These can be attacks on direct suppliers and participants of the conflict, or retaliatory attacks on any supply chain. Attacks and warnings have already been executed in critical infrastructure such as energy, shipping, and manufacturing. These kinds of attacks have been a core part of the Russian invasion strategy and have since spilled into countries across the globe. As more countries and organizations join the digital fight, the cyber battlefield looks to be chaotic, limitless and active.
The more efficient our supply chains are, the more exposed they become
From manufacturing to distribution, energy companies are using digital technology to streamline and manage their operations and supply chains. As supply chains grow more interconnected, the link between operational technology (OT) and information technology (IT) becomes tighter. Anything that impacts IT can similarly affect OT. Unfortunately, OT is commonly more exposed and more reliant on outdated security measures, which makes it ripe for an attack.
In the recent SANS Survey on Threat-Informed Operational Technology Defense, 45 percent of participants believe that there is a high risk of threats to their control systems. Additionally, security teams are commonly resource-challenged in IT, but even more so in industrial control systems (ICS), where additional security and engineering knowledge is required to perform effective ICS active cyber defense. Forty-seven percent of ICS organisations do not have dedicated, internal, 24/7 ICS security response resources to manage OT/ICS incidents.
Attackers are aware of these vulnerabilities and have seen the benefits of these highly integrated and interdependent supply chain systems. They understand that taking down the energy supply chain could have broad impacts on economies, politics, and national security. Cyber attacks in the energy sector are becoming the equivalent of weapons of mass destruction. A single point of access can allow an attacker to disrupt critical operations nation-wide, causing massive interferences, delays and outages, resulting in crippling effects to civilians. One important tool available to prevent this is to build a robust cybersecurity system that accounts for gaps that may have otherwise been overlooked.
A Dual Cyber Threat for the Energy Value Chain
Attacks on supply chains can take two forms:
Attacks on the value chain target a specific supplier or company critical to the supply chain. They are designed to disrupt operations and delay the flow of goods to market. Much like a traffic jam, when there are impacts, resources are restricted and delivery is delayed. If an energy company’s operations are attacked, they become a transmissible weak link, causing a ripple effect on the entire economic sector.
Attacks through the supply chains occur when an attacker compromises a component that is then delivered, integrated, and passed on to the next link. For example, an exploited chip is delivered to a company that uses it to manufacture a piece of equipment that they then deliver. While most companies inspect the component to ensure it works properly, they don’t always check for malware that may have been inserted along the way. Neglecting to check for cyber exposure means that a business is accepting all that risk and putting its company name on it. For the energy sector, this means that companies need to pay very close attention to their own suppliers.
One of the most famous examples of this is Stuxnet, where attackers were able to upload malware into centrifuges at the manufacturing stage. When put into use, the centrifuges uploaded damage-inducing instructions to their new networks, destroying equipment and disrupting the operations of an Iranian nuclear facility.
How to Manage Value Chain Cyber Risk
If the new battlegrounds are the networks and systems of our supply chains, what can companies do to better protect themselves? Value chain cybersecurity management is complex, but there are some basic steps businesses can take to start managing risk.
View the supply chain through a cyber lens:
- Cyber map the value chain – Identify key suppliers, components, and connections that comprise the supply chain. Don’t stop at the first level of the supplier; look at the supplier of their suppliers. The better overview a business has of its cyber dependencies, the more it can see the key vulnerabilities and risks in its operations.
- Prioritise cyber risks – Rate the criticality of the components, connections and suppliers that impact the business’s supply chain to reveal where to invest resources.
- Compare supply chain resiliency plan to the cyber resiliency plan – Match cyber resiliency with overall supply chain resiliency. This might influence the suppliers and risk measures the business implements.
Hold your suppliers accountable for cyber hygiene:
- Know the sub-components – Most manufacturing companies do not know where the sub-components are made. Organisations should know the suppliers of their suppliers.
- Cyber acceptance testing – Many companies do acceptance testing and yet almost none list cyber as a component. Organisations must ensure cybersecurity is added to acceptance testing of any component.
- Write cyber into contracts – Cybersecurity is usually a part of most contracts with suppliers. However, the language is often too vague and unenforceable to be useful. Contracts should reflect the ability to validate good cyber hygiene, promote collaboration before and after a potential incident and spell out cyber responsibilities.
- Map and monitor connectivity – Take a good look at connections to suppliers. Too often there are legacy or unmonitored connections, which can have open or shared access. These are prime avenues for cyber attackers to access networks.
- Practice together – Work together to develop an effective monitoring and response plan with suppliers and then practice it.
Make sure you are not the weak link:
- Cyber by design – Since cybersecurity starts in the design phase, organisations must account for cybersecurity at the design phase of manufacturing, operations and distribution processes.
- Implement a clean build – Operations can introduce vulnerabilities into the supply chain. Organizations can combat these vulnerabilities by putting the people, processes and technologies in place to reduce the risk to operations as much as possible.
- Pay attention to delivery – Your organisation is responsible for securing any gaps in the supply chain until the product is safely delivered. This is a common weak point for most supply chains and everything from logistics to provenance needs to be considered from a cyber perspective.
- Account for ongoing maintenance of products and their end-of-life – Supply chains span a full product lifecycle. Everything, from fraudulent replacement parts to protecting unsettled products, carries cyber risk.
It Comes Down to Visibility and Control
Cybersecurity comes down to visibility and control. Although production flows down a value chain, risk management needs to flow up the value chain. This means that every link in a supply chain needs to hold its suppliers accountable for cybersecurity and to have insight into the potential risks which arise from each and every one of their partners.