The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued an advisory explaining how to thwart cyberattacks on operational technology (OT) and industrial control system (ICS) assets.
The new joint advisory outlines what critical infrastructure operators should know about their opponents, citing recent cyber attacks on Ukraine’s energy grid and the ransomware attack against a fuel distribution pipeline.
There are heightened fears that the Russia’s invasion of Ukraine and related cyberattacks against Ukraine could spread to Western critical infrastructure targets. CISA earlier this year warned that attackers had built custom tools to gain control of ICS and SCADA devices from major manufacturers.
NSA’s and CISA’s document “Control System Defense: Know the Opponent” explains that advanced persistent threats groups, both criminal and state-sponsored, target OT/ICS for political gain, economic advantages, or destructive effects.
The most dire consequences of these attacks include loss of life, property damage, and a breakdown of national critical functions, but there’s a whole lot of disruption and mayhem that can happen before those extreme scenarios.
“Owners and operators of these systems need to fully understand the threats coming from state-sponsored actors and cybercriminals to best defend against them,” said Michael Dransfield, NSA Control Systems Defense Expert.
“We’re exposing the malicious actors’ playbook so that we can harden our systems and prevent their next attempt.”
As the agencies note, designs for OT/ICS devices that include vulnerable IT components are publicly available.
“In addition, a multitude of tools are readily available to exploit IT and OT systems. As a result of these factors, malicious cyber actors present an increasing risk to ICS networks,” NSA and CISA note in the advisory.
They’re also worried that newer ICS devices incorporate internet or network connectivity for remote control and operations, which increases their attack surface.
The attackers “game plan” for OT/ICS intrusions include detailed descriptions of how attackers pick a target, collect intelligence, develop tools and techniques to navigate and manipulate systems, gain initial access, and execute tools and techniques at critical infrastructure targets.
When weighing up mitigations, the NSA wants operators to be more aware of the risks when deciding, for example, what information about their systems need to be publicly available. It also wants operators to assume their system is being targeted rather than simply that is could be. It offers simple mitigation strategies operators can choose if they experience “choice paralysis” or become befuddled by the array of security solutions available.
These strategies include limiting public exposure of system hardware, firmware and software information and information emitted from the system. Operators should create an inventory of remote access points and secure them, restrict scripts and tools to legitimate users and tasks, conduct regular security audits, and implement a dynamic rather than static network environment.
On the last point, the agencies note: “While it may be unrealistic for the administrators of many OT/ICS environments to make regular non-critical changes, owner/operators should consider periodically making manageable network changes. A little change can go a long way to disrupt previously obtained access by a malicious actor.”
The advisory builds upon two recent advisories. The NSA released an advisory this year about stopping malicious attacks on OT, but this was aimed at the US government and defense. NSA and CISA released an advisory to reduce exposure across all OT and ICS systems.
The US government has issued multiple warnings about cyberattacks on critical infrastructure. In March, warning against possible cyberattacks from Russia, US President Joe Biden stressed that most critical infrastructure was operated by the private sector. In April, national cybersecurity agencies warned about attacks on critical infrastructure. More recently, NSA warned that exploitation of IT systems connected to OT can “serve as a pivot to OT destructive effects”.