The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued an advisory detailing how to thwart cyberattacks on operational technology (OT) and industrial control system (ICS) assets.
The new joint advisory describes what operators of critical infrastructure should know about their adversaries, citing the recent cyberattacks on Ukraine’s energy grid and the ransomware attack on a fuel distribution pipeline.
There are heightened fears that the Russian invasion of Ukraine and the related cyberattacks on Ukraine could spill over to Western critical infrastructure targets. CISA warned earlier this year that attackers had developed custom tools to take control of ICS and SCADA devices from major manufacturers.
The NSA/CISA document “Control System Defense: Know the Opponent” explains that both criminal and government-sponsored Advanced Persistent Threat groups target OT/ICS for political reasons, economic gain, or destructive effects.
The worst consequences of these attacks include loss of life, property damage, and the collapse of vital national functions, but considerable disruption and chaos can occur well before these extreme scenarios are reached.
“Owners and operators of these systems need to fully understand the threats posed by state-sponsored actors and cybercriminals in order to best defend against them,” said Michael Dransfield, NSA’s control systems defense expert.
“We’re unveiling the bad actors’ playbook so we can harden our systems and prevent their next attempt.”
As noted by the authorities, designs for OT/ICS devices containing vulnerable IT components are publicly available.
“In addition, a variety of tools are available to exploit IT and OT systems. Because of these factors, malicious cyber actors pose an increasing risk to ICS networks,” the NSA and CISA note in the advisory.
They are also concerned that newer ICS devices include internet or network connectivity for remote control and operation, increasing their attack surface.
The advisory’s description of the attackers’ “game plan” for OT/ICS intrusions details how attackers choose a target, gather intelligence about it, develop tools and techniques to navigate and manipulate its systems, gain initial access, and then apply those tools and techniques against critical infrastructure targets.
When considering mitigation measures, the NSA wants operators to be more aware of the risks when deciding, for example, what information about their systems needs to be publicly available. It also wants operators to assume that their systems are under attack, not merely that they might be. It provides simple mitigation strategies that operators can fall back on when experiencing “choice paralysis” or when confused by the multitude of security solutions available.
These strategies include limiting the public disclosure of system hardware, firmware, and software information, as well as information emitted by the system. Operators should inventory and secure remote access points, limit scripts and tools to legitimate users and tasks, conduct regular security audits, and implement a dynamic rather than static network environment.
On the last point, the authorities note: “While it may be unrealistic for the administrators of many OT/ICS environments to make non-critical changes on a regular basis, owner/operators should consider making manageable network changes on a regular basis. A small change can go a long way in breaking previously obtained access by a malicious actor.”
The advisory builds on two recently published advisories: one the NSA released earlier this year on how to stop malicious attacks on OT, which was aimed at US government and defense systems, and a joint NSA/CISA advisory on reducing exposure across all OT and ICS systems.
The US government has repeatedly warned of cyberattacks on critical infrastructure. US President Joe Biden stressed in March, when he warned of possible cyberattacks from Russia, that most critical infrastructure is run by the private sector. In April, national cybersecurity authorities warned of attacks on critical infrastructure. Recently, the NSA warned that the exploitation of IT systems connected to OT “may serve as a linchpin for OT’s destructive effects”.