Iran has already demonstrated intent and capability to attack inside the US as well as a high tolerance for escalating risk, specifically during the 2011 plot to assassinate the Saudi Ambassador to the US inside the US. Therefore current risk of escalatory action by Iran is particularly high, given that the “red lines” are not clearly defined in cyberspace and the Iranian government will be under intense internal pressure to take strong action.
In 2011-2012, Iran went after banks for implementing sanctions and we should now anticipate actions against the contractors involved in the development and deployment of drones. The US Government needs to lean very far forward in sharing with potential targets any info it has regarding Iranian capabilities, TTPs, and plans in a coordinated effort to minimise this risk and tighten up defences.
In the meantime, critical infrastructure organizations should be particularly vigilant in monitoring their operational systems for unusual activity in their industrial operation systems. At this stage, gaining OT visibility with the ability to detect issues and react quickly is paramount to national security.
Our position is that owners and operators should remain vigilant given the recent events. Heightened threat activity against ICS/OT networks often correlates with geopolitical volatility and it\’s certainly plausible that Iran would retaliate against critical infrastructure. At the same time, I\’d caution against speculative reports that place high levels of confidence in a retaliatory cyber attack. From a technical perspective, companies should be sure to monitor their ICS connections, particularly as it relates to third-parties and other remote connections based on historical publications of Iranian TTPs.
Given recent news, critical infrastructure organizations should be prepared for an increase in attempted cyberattacks. We recommend that security teams within critical infrastructure organizations lock down access to critical controls and sensitive data. Focus on securing and monitoring access points into the most critical OT environments, often provided via privileged access. The best way to mitigate the risk of a successful cyberattack is to isolate access to critical controls and keep it separate from any day-to-day usage or internet access.
I think in the near future we will not observe major cyber attacks triggered by the military operation in question. Enemies of the US have already silently breached what they could, stealing valuable information including intelligence data, intellectual property and trade secrets. The majority of sophisticated APTs have already happened. Regrettably, their complexity often makes them undetectable and uninvestigable.
Today the attackers are unlikely to expose their invisible presence in compromised and backdoored systems by inflicting highly destructive actions. Moreover, they probably have a crystal-clear comprehension that such hostile activities will almost inevitably cause unprecedented trouble both in a cyber or military nature. The western world has an immense capacity to ruin its adversaries in a cyber war, albeit not without collateral damage.
Obviously, a spiralling wave of unsophisticated attacks, including website defacements or primitive ransomware attacks, will probably target US citizens now. Most such attacks will, however, be undertaken by individuals unrelated to governmental structures. Therefore, American companies and individuals should be particularly vigilant in cyber space while this conflict goes on
Geopolitical concerns are nothing new for multi-national businesses, but for those who operate only within a given country or who are directly involved in creating new products, dealing with shifts in global priorities may be foreign. This lack of familiarity can be particularly problematic when you recognize that we live in a software and data driven world and that fundamentally all businesses are digital businesses at some level. As a result, any potential shift in geopolitical risk can pose a distinct risk to the digital and physical supply chains we all depend upon.
Given the reality that attackers define the rules of engagement, business and technical leaders should use the current increase in geopolitical tensions as an opportunity to review the cyber security risks present with their businesses. Critical questions to answer would include:
1. Precisely what is the composition of our supply chains, and what plans exist should any member of those chains become a target?
2. Should a member of our supply chain become a target, how would we proactively recognise that an attack was underway?
3. Knowing that our business is a link in our customers supply chains, what are we doing to ensure the continued success of our customers resulting from using our products or services?
4. Understanding that data can flow both to customers and from customers, what impact to our operations might exist should a customer become a target and the attacker seek to disrupt our business?
These questions are typically part of a cyber threat analysis but should be reassessed with changes in geopolitical risk. The answers from these questions form part of a cyber security response plan – a plan enacted at all levels of the business from core operations to product development through to service delivery.\”