Critical infrastructure threats raise new questions for state CISOs
State-government cybersecurity officials are used to receiving and heeding advisories about malicious activity from foreign governments that could disrupt crucial systems. But the ongoing conflict between Russia and Ukraine has added a new layer of concern, amid repeated warnings that the Kremlin may strike at U.S. critical infrastructure in retaliation for American support of Ukraine, several CISOs said Wednesday.
“This is the first conflict where there’s a viable cyber actor,” Virginia CISO Michael Watson said during an online event hosted by the government IT think tank ATARC. “No one’s 100% sure where the line’s going to be. We’re doing our best to make sure we’re prepared. But there’s a wait-and-see on how far this goes.”
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency — joined by several U.S. allies’ intelligence services — on Wednesday issued its fourth warning since the start of hostilities about Russia’s ability to disrupt digital and physical infrastructure.
Watson noted that most critical infrastructure, like power and water utilities, manufacturing and agriculture, is run by the private sector. But that doesn’t lessen concerns for state government. The war in Ukraine also isn’t the only reason to be mindful, he said.
“We’re doing our best making those connections and understanding what the impact is if electric gets impacted or any of our other critical infrastructure,” Watson said. “Those are real things we have to worry about with the way things are trending. That’s due to both the conflict between Ukraine and Russia, but also our future state.”
North Dakota CISO Michael Gregg said he holds monthly calls with officials at all levels of government in the state, including cities, counties, towns and school districts. He also plugged the new security operations center North Dakota recently opened in concert with five other states. The operation has been distributing reports modeled on Verizon’s annual Data Breach Investigations Report, one of the benchmark cybersecurity publications.
And Alex Jackson, CISO at the South Carolina Department of Revenue, said he’s increasingly concerned about attacks that go after software supply chains, like the 2020 SolarWinds breach.
“I think a lot about it with everyone going to the cloud,” Jackson said. “Microsoft 365 is a huge attack surface.”
The ATARC event’s speakers said the increased focus on recent issues like Ukraine and supply-chain compromises doesn’t reduce the urgency of more familiar threats, like ransomware.
“Ransomware, I know what they’re after,” Watson said. “I know what they’re trying to do. The conflict overseas is new and it doesn’t have defined things that are going to happen if [the Russians] turn their ire toward states or state services. I think we can handle whatever comes at the cyber level, but the ripple effects, I don’t think I have a great feel for.”
Gregg, the North Dakota CISO, put it more bluntly: “The unknowns are what keep me up at night. It’s always the unknown for which I want more knowledge and more threat intelligence.”
Correction: This story originally misstated the name of the South Carolina Department of Revenue CISO, Alex Jackson.