The National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) have issued a warning explaining how to thwart cyber attacks on operational technology (OT) and industrial control system (ICS) assets.
The new joint warning outlines what critical infrastructure operators should know about their opponents, citing recent cyber attacks on the Ukrainian energy grid and the ransomware attack on a fuel pipeline.
Fears have increased that the Russian invasion of Ukraine and related cyber attacks against Ukraine could spread to Western critical infrastructure targets. CISA warned earlier this year that attackers had created custom tools to gain control of major manufacturers’ ICS and SCADA devices.
The NSA and CISA document “Control System Defense: Know the Opponent” explains that advanced persistent threat groups, both criminal and state-sponsored, target OT / ICS for political gain, economic gain, or destructive effects.
The most dire consequences of these attacks include loss of life, property damage and a disruption of critical national functions, but there is a lot of disruption and chaos that can occur before those extreme scenarios.
“The owners and operators of these systems must fully understand the threats from state-sponsored cybercriminals and actors in order to best defend themselves,” said Michael Dransfield, defense expert on control systems at the NSA.
“We are exposing the malicious actors’ playbook so we can harden our systems and prevent their next attempt.”
As the agencies note, designs for OT / ICS devices that include vulnerable IT components are publicly available.
“In addition, a multitude of tools are readily available to exploit IT and OT systems. As a result of these factors, malicious cyber actors present an increasing risk to ICS networks,” note NSA and CISA in the warning.
They are also concerned that the new ICS devices incorporate Internet or network connectivity for remote control and operations, which increases their attack surface.
The attackers’ game plan for OT / ICS intrusions is described in detail: how attackers choose a target, gather information, develop tools and techniques to navigate and manipulate systems, gain initial access, and execute those tools and techniques against their objectives within the critical infrastructure.
When assessing mitigations, the NSA wants operators to be more aware of the risks when deciding, for example, what information about their systems should be publicly available. It also wants operators to assume that their system is being targeted rather than simply that it could be. It offers simple mitigation strategies that operators can choose from if they experience “choice paralysis” or if they become confused by the range of security solutions available.
These strategies include limiting public exposure of system hardware, firmware and software information, and information emitted from the system. Operators should inventory and secure remote access points, restrict scripts and tools to legitimate users and activities, conduct regular security audits, and implement a dynamic rather than static network environment.
On the last point, the agencies note: “While it may be unrealistic for administrators of many OT / ICS environments to make regular non-critical changes, owners / operators should consider making manageable changes to the network periodically. One small change can go a long way toward breaking access previously obtained by an attacker.”
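The mitigations above can be checked against an asset inventory rather than left as a reading exercise. The following Python script is an added example, not part of the advisory or the article: it audits a constructed inventory (the asset names, addresses, banners and tool records are assumptions) for remote access points that were never inventoried or approved, remote access without MFA, service banners that hand out firmware and version details, and engineering-tool executions outside an allowlist of legitimate users and activities.

```python
import re
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    ip: str
    remote_access: bool   # reachable for remote control or operations
    mfa: bool             # remote access requires multi-factor authentication
    banner: str           # text the device's service emits to anyone who connects


# Constructed sample inventory: hypothetical names and addresses, not real devices.
INVENTORY = [
    Asset("plc-line-3", "10.20.1.7", remote_access=True, mfa=False,
          banner="PLC-X firmware v2.14.1"),
    Asset("eng-jump-01", "10.20.0.5", remote_access=True, mfa=True,
          banner="SSH-2.0-OpenSSH"),
    Asset("hmi-east", "10.20.1.20", remote_access=False, mfa=False,
          banner="HMI ready"),
]

# Remote access points the operator has deliberately inventoried and approved.
APPROVED_REMOTE = {"eng-jump-01"}

# Heuristic: a banner that names firmware/version next to a dotted number, or a
# bare "v1.2" token, is emitting the kind of detail the advisory says to withhold.
VERSION_LEAK = re.compile(
    r"(?i)\b(firmware|fw|version|ver)\b.*?\d+\.\d+|\bv\d+\.\d+"
)


def leaks_version(banner: str) -> bool:
    """True when the banner text appears to disclose firmware/version details."""
    return VERSION_LEAK.search(banner) is not None


def audit_inventory(inventory, approved_remote):
    """Return (asset, finding) pairs for exposure and remote-access gaps."""
    findings = []
    for a in inventory:
        if a.remote_access and a.name not in approved_remote:
            findings.append((a.name, "remote access point not in approved inventory"))
        if a.remote_access and not a.mfa:
            findings.append((a.name, "remote access without MFA"))
        if leaks_version(a.banner):
            findings.append((a.name, "banner exposes firmware/version details"))
    return findings


# Constructed tool-execution records as (asset, user, tool) tuples. Only the
# allowlisted combinations count as legitimate use of engineering tools.
TOOL_ALLOWLIST = {("plc-line-3", "eng_alice", "plc_program.exe")}
TOOL_RUNS = [
    ("plc-line-3", "eng_alice", "plc_program.exe"),
    ("plc-line-3", "svc_backup", "plc_program.exe"),
]


def unapproved_tool_runs(runs, allowlist):
    """Return executions of engineering tools that fall outside the allowlist."""
    return [r for r in runs if r not in allowlist]


if __name__ == "__main__":
    for asset, finding in audit_inventory(INVENTORY, APPROVED_REMOTE):
        print(f"{asset}: {finding}")
    for asset, user, tool in unapproved_tool_runs(TOOL_RUNS, TOOL_ALLOWLIST):
        print(f"{asset}: {user} ran {tool} outside the allowlist")
```

Run stand-alone, the script reports the PLC three times (unapproved remote access, no MFA, version-leaking banner) and flags the backup service account running the programming tool; the approved, MFA-protected jump host produces no findings. The banner check is a heuristic, so in practice the regular expression should be tuned to the banners the site's devices actually emit.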
The new warning builds on two recent ones. Earlier this year the NSA issued a warning about stopping malicious attacks on OT, but that was aimed at US government and defense networks; NSA and CISA have since issued a joint warning on reducing exposure across all OT and ICS systems.
The US government has issued multiple warnings about cyber attacks on critical infrastructure. In March, US President Joe Biden warned of possible cyber attacks from Russia, noting that most of the critical infrastructure is managed by the private sector. In April, national cybersecurity agencies warned of attacks on critical infrastructure. More recently, the NSA warned that the exploitation of IT systems connected to OT can “serve as a pivot to the destructive effects of OT.”