Cossack Labs is a British company, founded in 2014, with an R&D office and a major part of its engineering team born in Ukraine. Our long-standing commitment to supporting Ukraine has only deepened in 2022, after the fully-fledged russian invasion, forcing us to focus more on the security of CNI operations and mission-critical systems where cybersecurity and cyber resilience are needed the most.
On the Day of Independence, it makes sense to look back and reflect on things done, and look into the future.
Security support for Ukrainian companies #
When the full-scale invasion began, we immediately started helping Ukrainian companies with application security, data-centric security solutions, secure communications solutions, security operations, and organisational security.
Our aim was to secure the sensitive data and personal information of Ukrainian people in the hands of Ukrainian companies against nation-state actors and ensure their infrastructure couldn’t be used to cause disruptions or chaos in Ukraine. But, of course, this was only the beginning.
Enhancing the resilience of critical national infrastructure #
Heightened security threats to Ukrainian critical infrastructure in the last decade have led to novel security problems that require novel ways to address them, which aligns with our expertise. Since 2019, our team has been delivering solutions that enhance the security and operational resilience of Ukraine’s critical national infrastructure.
Having delivered substantial improvements to the security and reliability of core dispatch systems before February 2022, it was logical for Ukrainian power grid operators to turn to us for assistance when the full-scale invasion began. While not all our work can be disclosed, there are some notable achievements we could discuss.
At the beginning of the fully-fledged invasion, the risk exposure and associated threats for the Ukrainian power grid changed dramatically, necessitating new defence strategies.
As a part of a larger initiative involving security teams across CNI operators in Ukraine, we formed a task force comprising different teams, from application/product security consultants to infrastructure engineers. Our goal was to quickly re-assess, re-design, and migrate critical dispatch systems we had previously worked on. This allowed Ukrainian grid operators to focus on more urgent problems, such as quickly integrating into the European power grid and establishing necessary redundancies, while we addressed internal security operational risks.
Since then, we have only increased our efforts to keep the lights on every day.
The rocket attacks in late 2022 made it clear that “theoretical”, and “potentially disruptive” events like temporarily converting the country-wide grid into island-mode micro-grids, required a critical reassessment of industry best practices. Lessons were quickly learned: we designed, delivered, and operationalised hardware and software solutions that enhance national power grid security within NPC “Ukrenergo” and resilience against targeted cyberattacks and physical threats.
Keeping the lights on needs moment-to-moment tuning of the power network. If the enemy gets to destroy a part of the network, trustworthy, adaptive secure control data aggregation solutions are essential to adapt and provide resilient supply.
Recognising the challenges of complex migrations and integrations during wartime, we had to deliver not only unique desired functionality but also shape it in a way that seamlessly integrated into the existing legacy SCADA/ICS systems, mitigating risks without disrupting operations.
This project was made possible through support provided by the USAID Cybersecurity for Critical Infrastructure in Ukraine Activity.
Photo by NPC Ukrenergo
Innovative security for mission-critical systems #
In the cybersecurity world, terms like “military-grade security” and “military-grade encryption” have been overused by marketing specialists, often equating to snake oil or even fraud in commercial contexts. The technical security community sees military security standards as rigid and outdated, work unexciting and limiting, with heavy reliance on operational security and proper compartmentalisation rather than technical innovation.
However, for those who have dedicated their lives to serving their country, building and securing these systems at the forefront of national defence is their daily responsibility, regardless of how outdated, unexciting or lacking these systems might seem.
Given our commitment to helping Ukraine stay in the fight and win, assisting in cyberspace became a high priority for us.
On the front line, our troops need to know who and what is where and when. Secure and reliable battlefield information exchange in large distributed systems and products is critical to personnel safety and mission success.
Over the past 2 years, we’ve focused on helping defenders do the right thing by improving the security of the existing systems, building new ones, and shaping the force to address the current and emerging challenges ahead. Some of these projects may have already been mentioned.
Improving operational capabilities of unmanned robotic systems #
Our experience with massive telemetry gathering systems, hardware and IoT security and distributed data exchanges, made some of the defenders’ challenges seem familiar. However, upon closer inspection, we realised that a multitude of details made almost everything significantly different.
UAVs and other autonomous systems are one of the key asymmetric advantages in the current conflict. Improving their resilience, synchronisation, and efficiency are the key efforts to maximise this advantage on the battlefield. In civilian context, safely controlling unmanned flights across critical national infrastructure, identifying owners and origin of UAVs across vast Ukrainian fields and areas distant from the front-line is equally important.
This requires massive secure identification and data collection infrastructure, which UA DroneID aims to be part of.
What started as a short-term consulting contribution on multi-party cryptographic signing protocols a while ago gradually evolved as we addressed more and more problems. This collaboration expanded into a partnership between Cossack Labs, the Ministry of Digital Transformation of Ukraine, the Ministry of Defence of Ukraine, and Aerorozvidka NGO on UA DroneID technology development.
UA DroneID technology
Besides UA DroneID, we have devoted considerable time to improving specific technical capabilities and devices used on the battlefield, working with dozens of Ukrainian companies in the hardware and robotics field.
Solving a wide array of problems—from firmware security to sophisticated tamper detection—we stay committed to improving the capabilities of Ukrainian defenders where we can.
Building security for mission-critical applications #
Many mission-critical systems have been developing under the pressures of active conflict. These include situational awareness systems, command and control information systems (C2IS), intelligence and data analytics systems, battlefield management systems, and many more. These systems are vital components in real-world operations.
Our team has had the unique opportunity to design and build robust security controls, help developers build efficient product security processes and provide actionable feedback on unique security challenges for a number of these systems, ensuring their resilience in demanding environments.
In March 2024, we participated in the NATO TIDE Sprint 42 event in Dresden, Germany. This event provided an opportunity to share our experience in developing defence-in-depth security controls and product security for the leading C2IS/C5ISR system. We shared the results of our ongoing work in product security engineering and the secure software development life cycle (SSDLC), demonstrating how these processes are essential in ensuring platform security and maintaining proactive measures.
Cossack Labs Head of Security Engineering Anastasiia Voitova talks about building security in a mission-critical application at NATO TIDE Sprint 2024.
Strong data privacy and security layer for govtech solutions #
As russian missiles targeted data centres, the Ukrainian government encountered new security hazards, necessitating the migration of critical data to private and/or public cloud infrastructure. We worked with several govtech products that operate on vast amounts of personally identifiable information (PII). Our team provided guidance and helped system owners with data security, application security, and cryptography, ensuring that personal information is not exposed in plaintext.
These efforts underscore the importance of public-private partnerships in national security in the face of evolving cyber threats.
Empowering Ukrainian cybersecurity community to stay in the fight #
It never stops with “just doing the work”. After a long delay caused by COVID-19, we started talking at conferences again with a very different goal: sharing experience, inspiring others and supporting local industry became a significant direction of effort for us.
We actively contribute to engineering and security conferences in Ukraine and worldwide, both online and in person, and lately, the topics are obvious: lessons learnt from this war. Outside the usual conference routine, we support local hackathons, development challenges and round table discussions, all aimed at enhancing cybersecurity and cyber resilience of Ukrainian CNI and defence.
Only together, can we strengthen Ukraine’s cyber resilience.
While we have dedicated considerable effort to protecting Ukrainian organisations, we also continue to offer data security solutions to commercial companies across various sectors, including finance, logistics, robotics, automotive, AI/ML, and other industries with high security risks. Now, with a wider perspective on what works with highly motivated and resourceful adversaries. For more information, please see our contact details.