Risk Overview
Nation-state threats from China, Russia, and Iran are well funded, sophisticated, and capable of targeting North American critical infrastructure to achieve strategic and political objectives. By gaining access and then abusing the native administrative tools already present on critical infrastructure operating systems (living off the land), these threat actors can evade signature-based detection, persist quietly, and strike through a variety of methods at a time of their choosing, when maximum damage would be inflicted. Utilities need to enhance detection on critical operational control systems and develop business continuity plans to respond to and recover from the attack scenarios a nation-state-sponsored threat actor could carry out.
Key Drivers and Trends
- Heightened tensions with U.S. adversarial nations over global influence and conflicts.
- Companies in the region are still scoping their response to these high-capability threat actors.
- Nation-state threats are continuing to use digital and physical means to influence U.S. citizens. This trend highlights the sophisticated methods and long time horizons that these threat actors use to achieve their strategic objectives.
- China is focusing its attention on critical infrastructure assets that offer little espionage or intelligence value but whose disruption could affect military operations or health and human services.
Actions to Reduce Risk
- Determine where visibility into your networks and endpoints is lacking, and enhance detection there.
- Focus on data integrity controls, including anomaly-based detection on control system values (for example, values outside the engineering range, implausible rates of change, or deviation from a recent baseline).
- Seek input from key technical personnel to identify system vulnerabilities.
- Develop business continuity plans that address direct attacks on electricity infrastructure, and indirect attacks via infrastructure that the electricity sector depends on for operations.
- Follow NERC Project 2023-03, Internal Network Security Monitoring (INSM), which is developing a new CIP standard to improve detection of anomalous or unauthorized network activity.
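The following is an added illustration of the anomaly-based checks on control system values recommended above; it is example code written for this page, not code from NERC, any utility, or any product. It assumes historian-style samples (sequence number, value) for a single tag; the tag name, engineering limits, thresholds, and the sample stream are all constructed for illustration.

```python
"""Anomaly-based integrity checks on control-system process values.

Added example for this page, not the page's or any utility's code. It assumes
historian-style samples (sequence number, value) for one tag; the tag name,
engineering limits and the sample stream below are constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class TagLimits:
    low: float            # engineering lower bound the value can physically take
    high: float           # engineering upper bound
    max_step: float       # largest plausible change between consecutive samples
    window: int = 10      # samples in the rolling statistical baseline
    z_limit: float = 4.0  # standard deviations from baseline that trigger an alert


class TagMonitor:
    """Runs three independent checks on each new sample of one tag."""

    def __init__(self, tag: str, limits: TagLimits) -> None:
        self.tag = tag
        self.limits = limits
        self.history = deque(maxlen=limits.window)  # rolling baseline
        self.last = None                            # previous sample value

    def check(self, seq: int, value: float) -> list[str]:
        """Return the alert kinds raised by this sample: 'range', 'step', 'baseline'."""
        lim = self.limits
        alerts: list[str] = []
        # 1. Engineering range: a value the process cannot physically produce
        #    points to a spoofed or corrupted measurement, not to the process.
        if not lim.low <= value <= lim.high:
            alerts.append("range")
        # 2. Rate of change: a jump larger than the process can make in one
        #    sample interval, e.g. an injected value replacing the real one.
        if self.last is not None and abs(value - self.last) > lim.max_step:
            alerts.append("step")
        # 3. Rolling baseline: deviation from recent behaviour measured in
        #    standard deviations. Skipped while the window is still filling and
        #    when the baseline is perfectly flat (sigma == 0), since the range
        #    and step checks already cover that case.
        if len(self.history) == lim.window:
            mu, sigma = mean(self.history), pstdev(self.history)
            if sigma > 0 and abs(value - mu) / sigma > lim.z_limit:
                alerts.append("baseline")
        for kind in alerts:
            print(f"ALERT seq={seq} tag={self.tag} value={value} check={kind}")
        # The baseline is updated with every sample, flagged or not, so that a
        # legitimate setpoint change does not leave the monitor alerting forever.
        self.history.append(value)
        self.last = value
        return alerts


# Constructed sample stream for a hypothetical bus-frequency tag: ten baseline
# samples around 60 Hz, one normal sample, then three tampered values.
FREQ_LIMITS = TagLimits(low=59.5, high=60.5, max_step=0.05)
FREQ_SAMPLES = [
    60.00, 60.01, 59.99, 60.00, 60.02, 59.98, 60.01, 60.00, 59.99, 60.01,
    60.00,  # seq 10: normal
    59.80,  # seq 11: inside the range, but an implausible jump and far from baseline
    60.00,  # seq 12: the return jump is itself flagged as a step
    61.00,  # seq 13: outside the engineering range entirely
]


def run_monitor(samples: list[float], limits: TagLimits,
                tag: str = "BUS1.FREQ_HZ") -> dict[int, list[str]]:
    """Feed samples through a TagMonitor; return {seq: alert kinds} for flagged samples."""
    monitor = TagMonitor(tag, limits)
    flagged: dict[int, list[str]] = {}
    for seq, value in enumerate(samples):
        alerts = monitor.check(seq, value)
        if alerts:
            flagged[seq] = alerts
    return flagged


if __name__ == "__main__":
    run_monitor(FREQ_SAMPLES, FREQ_LIMITS)
```

The three checks are deliberately independent: the range check catches values the physical process cannot produce, the rate-of-change check catches substitutions that are individually plausible, and the rolling baseline catches sustained departures from recent behaviour. The caveat a practitioner should keep in mind is the one the page's own "long time horizons" point implies: an adversary who moves a value slowly, staying within the engineering range and under max_step on every sample, also drags the baseline along and will not be flagged by any of these checks. Corroborating a reported value against an independent source (a second sensor, a commanded setpoint, or a physics model of the process) is what closes that gap.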
Related Resources