Key Management Practices for Critical Infrastructure in Ukraine
Cryptographic keys are the most sensitive assets in any security architecture—if an attacker obtains encryption keys, all the mathematical security of the encryption algorithm is irrelevant. Effective key management encompasses key generation, distribution, storage, rotation, revocation, and destruction across the entire cryptographic key lifecycle. For Ukrainian government agencies and critical infrastructure operators under sustained targeting by sophisticated state-sponsored adversaries, key management practices directly determine whether encryption provides real security or merely the appearance of security.
Hardware Security Modules
Hardware Security Modules (HSMs) are purpose-built devices for secure key generation and management. An HSM stores private keys in tamper-resistant hardware—if an attacker attempts physical tampering, the device destroys its key material rather than allowing extraction. HSMs perform cryptographic operations (signing, decryption) inside the hardware boundary, such that private keys never leave the HSM in plaintext—they are used within the device and only the results of cryptographic operations are exported.
Ukrainian government certificate authorities, central banking systems, and high-security government signing systems have deployed FIPS 140-2 Level 3 or higher certified HSMs for root and intermediate CA key protection. The deployment of HSMs for critical key protection has been a priority element of international cybersecurity assistance programs, recognizing that compromise of a root CA key would undermine the entire government PKI hierarchy. SSSCIP has issued guidance specifying HSM requirements for systems handling government classified data and national identity document infrastructure.
Key Ceremony Procedures
A key ceremony is the formal procedure through which a cryptographic key is generated, with multiple authorized personnel witnessing the process, a strict script of verified steps, auditable records, and physical security controls to ensure no single individual has unilateral access to sensitive key material. Key ceremonies for root CA keys, code signing certificates, and other high-value keys follow a multi-person integrity requirement: the ceremony cannot proceed without a quorum of authorized key custodians, each holding a separate piece of the procedure (share of the private key or separate authentication credential).
Ukraine's national CA key ceremonies are conducted under procedures aligned with WebTrust/ETSI audit standards, with independent auditors witnessing and certifying the ceremony. Given the wartime context, contingency procedures for key ceremonies under emergency conditions—including dispersed personnel access requirements—have been developed and tested to ensure that key rotation and incident response can proceed even when normal quorum assembly is impractical.
Key Management Lifecycle Controls
| Key Type | Generation Method | Storage | Rotation Policy | Revocation Mechanism |
|---|---|---|---|---|
| Root CA | HSM ceremony, quorum | Offline HSM vault | 10-20 years | CRL / OCSP Responder |
| Intermediate CA | HSM, signed by root | Online HSM | 3-5 years | CRL / OCSP |
| TLS site certificates | Server-side CSR | Software or HSM | 1-2 years (→90 days) | OCSP / CRL |
| Code signing | HSM | Dedicated signing HSM | Annual | Immediate CRL update |
| Database encryption | KMS/HSM | Key management service | Annual or on-demand | Key rotation in KMS |
Key Escrow Risks in Ukrainian Context
Key escrow—providing copies of encryption keys to a trusted third party for recovery purposes—creates security risks that warrant careful policy consideration. Any key escrow arrangement creates an additional target that, if compromised, provides access to all data protected by escrowed keys. In the Ukrainian context, key escrow arrangements with any entity connected to Russia or operating under Russian jurisdiction are explicitly prohibited for government systems—a policy that may seem obvious but that requires careful supply chain and contractual review given the pre-2022 integration of Russian technology in Ukrainian systems.
Even escrow with trusted Western partners requires careful security architecture: escrow should use split-key schemes where multiple parties each hold key shares that are individually useless, requiring all parties to cooperate to reconstruct the full key. This prevents a single compromised escrow holder from providing an adversary with key access.
Quantum-Safe Key Exchange Deployment
Post-quantum key exchange (using ML-KEM/Kyber as discussed in the post-quantum migration article) is beginning early deployment in Ukrainian government pilot programs for the highest-sensitivity communications. Hybrid key exchange—combining ECDH and ML-KEM in a single handshake—provides both quantum safety and classical security assurance. TLS 1.3 hybrid key exchange implementations are available in current versions of OpenSSL, BoringSSL (Google), and other major TLS libraries, enabling pilot deployment without waiting for full protocol standardization.
Key Management in OT Environments
Key management for operational technology environments faces constraints absent in IT environments: OT devices may have limited computational resources for key operations, may not support standard PKI or TLS key management protocols, may have 20-year operational lifetimes creating key rotation challenges, and may be physically inaccessible for regular key maintenance. Practical OT key management typically relies on centralized key management servers that provision keys to OT devices through secure automated protocols, with offline backup key material stored in HSMs accessible for recovery scenarios.
FAQ
- What is FIPS 140-2 Level 3 HSM certification?
- FIPS 140-2 is the US federal standard for cryptographic module security. Level 3 adds physical tamper protection requirements to Level 2's role-based authentication requirements—HSMs at Level 3 have physical tamper-evidence and tamper-response mechanisms that destroy sensitive key material if physical intrusion is attempted. Levels 1-4 represent increasing assurance levels; government CA key protection typically requires Level 3 minimum.
- Why should root CA keys be stored offline?
- Root CA keys sign everything in a PKI hierarchy—if a root CA key is compromised, an attacker can issue fraudulent certificates for any domain or any identity. Offline storage—keeping the root CA key in a hardware device never connected to any network—eliminates the possibility of remote compromise. Root CAs are typically used only to sign intermediate CA certificates (which are done infrequently in formal ceremonies), so offline storage is operationally practical.
- What happened to Ukrainian key management systems in early 2022?
- Russian cyber operations in February 2022 targeted Ukrainian government IT infrastructure broadly, with some agencies losing access to systems including PKI infrastructure. Emergency procedures developed after previous attacks (2015-2017) enabled faster recovery than otherwise possible. Some digital signature infrastructure required recovery from HSM backups and potentially re-issuance of certificates—a process contingency plans prepared for based on earlier incident experience.
- What is the recommended TLS certificate rotation frequency?
- The CA/Browser Forum has progressively reduced maximum TLS certificate validity. The current maximum is 398 days (~13 months). Google Chrome has proposed reducing maximum validity to 90 days, which would require much more frequent rotation—creating automation requirements for certificate management. Shorter validity periods reduce the exposure window when a certificate's private key is compromised. Automation through ACME protocol (Let's Encrypt) enables 90-day renewal workflows without manual intervention.
- What is a key custodian and what are their responsibilities?
- A key custodian is an individual formally designated to hold and control access to specific cryptographic key material or key shares. Custodian responsibilities include: secure physical storage of their key share, availability for authorized key ceremonies, verification of identity before participating in any key ceremony, immediate notification of key compromise or custodian credential loss, and compliance with separation of duty requirements that prevent any single custodian from having full key access alone.
Sources
- NIST — "SP 800-57 Part 1 Rev 5: Recommendation for Key Management," nist.gov
- CA/Browser Forum — "Baseline Requirements for TLS Server Certificates," cabforum.org
- Thales — "Hardware Security Module (HSM) Best Practices Guide," thalestct.com
- SSSCIP Ukraine — "Key Management Requirements for Government PKI," 2022-2023
- ETSI — "EN 319 401: Electronic Signatures and Infrastructures — General Policy Requirements for TSPs," etsi.org
Cyber Operations Analysis: Key Management Practices for Critical Infrastructure in Ukraine
The Russia-Ukraine conflict has generated the most comprehensively documented state-sponsored cyber operations in history, with Key Management Practices for Critical Infrastructure in Ukraine representing a significant dimension of this digital warfare environment. Cyber attacks have targeted Ukrainian government systems, critical infrastructure, financial institutions, and military communications since well before the physical invasion began in February 2022. Understanding the technical characteristics, attributable actors, and strategic effects of cyber operations related to Key Management Practices for Critical Infrastructure in Ukraine provides essential context for assessing both immediate operational impacts and broader implications for cyber conflict doctrine.
Russian state-sponsored threat actors including Sandworm (GRU Unit 74455), APT28/Fancy Bear (GRU Unit 26165), Cozy Bear/APT29 (SVR), and Turla (FSB) have conducted sustained campaigns against Ukrainian and allied targets with objectives spanning espionage, sabotage, and influence operations. Key Management Practices for Critical Infrastructure in Ukraine intersects with this threat actor ecosystem in specific ways, whether through the deployment of particular malware families, targeting of specific sectors, or employment of novel techniques that reveal evolving adversary capabilities and intentions.
Ukraine's cyber defense architecture, significantly strengthened with Western assistance through programs including the EU's Cyber Resilience for Ukraine project and bilateral cooperation with US Cyber Command, has demonstrated growing resilience against Russian operations. The Ukrainian Computer Emergency Response Team (CERT-UA) has published hundreds of threat intelligence advisories, contributing to global understanding of Russian cyber tactics, techniques, and procedures (TTPs). Key Management Practices for Critical Infrastructure in Ukraine informs this evolving defensive picture, highlighting areas where Ukrainian defenses have proven effective and where vulnerabilities remain.
The strategic calculation surrounding cyber operations related to Key Management Practices for Critical Infrastructure in Ukraine involves complex trade-offs between operational effect, attribution risk, and escalation management. Russia's decision to employ destructive wiper malware, distributed denial-of-service attacks, and infrastructure-targeting operations reflects a calibrated use of cyber as a coercive instrument alongside physical military operations. The international response—including intelligence sharing, cyber defense assistance, and potential offensive cyber operations by allied nations—shapes the cost-benefit calculations of Russian cyber strategists.
Lessons for Global Cybersecurity Policy
The cyber dimensions of the Russia-Ukraine conflict represented by Key Management Practices for Critical Infrastructure in Ukraine have generated critical lessons for national cybersecurity strategies worldwide. The importance of pre-positioning defensive measures before conflict onset, the value of international cyber defense cooperation frameworks, the role of private sector cybersecurity companies in supporting national defense, and the limitations of cyber operations as a strategic coercive tool have all been illuminated by Ukrainian experience. These lessons are reshaping cybersecurity investment priorities, information sharing architectures, and incident response frameworks across NATO and partner nations.
Frequently Asked Questions
What are the main Russian cyber attacks on Ukraine?
Russia has conducted sustained cyber operations against Ukraine since at least 2014, with a major escalation in February 2022. Key campaigns include the NotPetya attack (2017), attacks on energy infrastructure, the Viasat hack at war's start, and continuous operations against government, military, and civilian targets throughout the full-scale invasion.
How has Ukraine defended against Russian cyber attacks?
Ukraine's cyber defense has benefited from pre-invasion preparation, Microsoft and Western tech company assistance, CERT-UA operations, and the support of allied intelligence services. Ukraine developed significant cyber resilience by distributing government data to cloud infrastructure before the invasion.
What is the role of cyber warfare in the Ukraine conflict?
Cyber warfare in the Ukraine conflict operates alongside conventional military operations. Russia uses cyber attacks to disrupt infrastructure, spread disinformation, and support physical strikes, while Ukraine has developed offensive cyber capabilities to target Russian systems, including oil and gas infrastructure and military networks.
Who are the main cyber actors targeting Ukraine?
Russian state-affiliated cyber groups targeting Ukraine include Sandworm (GRU), APT28 (GRU), APT29 (SVR), Turla (FSB), and various GRU units. Ukrainian cyber forces, international volunteer hacker groups (IT Army of Ukraine), and allied intelligence cyber units operate on the Ukrainian side.
What can other countries learn from Ukraine's cyber defense?
Ukraine's cyber defense offers critical lessons: distributed cloud infrastructure reduces vulnerability to physical and cyber attacks, international information sharing accelerates threat response, pre-conflict preparation matters enormously, and the integration of civilian tech expertise with military cyber operations creates strategic advantages.