Industrial sector needs diversity of tactics to battle non-state threat actors

Nation state actors are a threat to the industrial sector—but at least they play by the rules.

Those rules aren’t hard and fast, but in general, nation state leaders tend to discourage direct involvement in causing chaos and instead prioritize behind-the-scenes activity like supporting criminal groups operating in the country. That’s in contrast to cybercriminals and hacktivists; while the danger presented by nation states shouldn’t be underestimated, it’s important to understand the difference in tactics.

“These guys don’t play by the same rules; they’re motivated by different things, they want to be noticed for different reasons,” Dragos SVP of Intelligence and Services Kurt Gaudette told IT Brew. “And that changes things in a big way.”

Fighting back requires a diversity of tactics. But first you need to understand the scope of the threat.

Eyes open. Attackers acting on the world stage without the tempering influence of nation states present a unique threat, as IT Brew reported last year. Often, these threat actors are motivated by ideology, which isn’t as easy as criminal activity for state actors to manage. And the aging digital infrastructure in the industrial space makes for a prime target.

When it comes to attacks from nation states, there are avenues for dealing with the problem, Gaudette said. Those can include political or diplomatic pressure, sanctions, and other soft power weapons. But criminal groups operate in a more “Wild West” environment, making addressing the threats more complicated.

Adding further complication is how some nation states allow groups like this to operate. It’s sometimes turning a blind eye, or, in some cases, outright endorsing the behavior, said Kerri Shafer-Page, VP of digital forensics incident response at Arctic Wolf.

“We see both of them acting independently, but I do think there’s a level of collaboration that potentially is happening,” Shafer-Page said. “The hacktivists are out in the media, taking the responsibility for whatever they’ve done, and it still accomplishes what the nation state actor hoped would happen.”

Money down. One challenge for companies dealing with these types of attacks is how they invest in preventing the threat in the first place. Some organizations and firms have difficulty with proactive investment due to the intricacies of running a business and deciding what to put money into.

“You get those companies that maybe are ignorant and or just immature—they want to do the right thing, but they don’t know how to do it,” Gaudette said. “And then you got companies that I think manage their risk differently and are just going, ‘Does it affect our bottom line?’”

One thing that’s essential, Shafer-Page said, is having an incident response plan. That will allow for clear communication with insurance and other interested parties as you get back on your feet. That includes law enforcement, who, at the federal level, will be keenly aware of the threat actor in question.

“If it’s a newer threat actor on the scene, you can leverage the information that a federal government agency might already have as it relates to that threat actor to figure out, is there something, from a defense standpoint, that a customer can do more quickly so there’s real benefit to them?” Shafer-Page said.

Knowledge is the key. That works in favor of the next victim as well; more information is key to pushing back against attackers. Luckily there’s a lot of information out there to consult. Threat actors of all kinds—not just hacktivists and criminals—rely on poor security hygiene and ignorance. Knowing those weaknesses can help organizations defend themselves.

“You can invest in your people, process, and tools, it’s really the trifecta of improving your security posture,” Shafer-Page said, adding, “even if you have a very small budget, making sure that you invest wisely, and again, you’re constantly checking it almost like you change the batteries in your smoke detector.”