Ben Is Helpful

How to Comply with the NSA/CISA Alert AA20-205A's Recommended Mitigations

Benjamin Burke
16 September 2020

In response to an increase in malicious actors attacking online OT assets, the NSA and CISA issued an alert on July 23rd urging critical infrastructure to take immediate action.

Following the NSA/CISA alert, we created two guides. The first guide focuses on the causes of the CISA alert, common attacks, and their implications. You can read the full article here.

This second guide summarizes how you can implement the CISA alert's recommended mitigations with Dispel's remote access and protect your remotely accessible OT assets from malicious cyberattacks.

What mitigations does the CISA alert recommend?

The CISA alert includes 6 categories of mitigations:

  • Have a Resilience Plan for OT: Beyond planning for malfunctioning or inoperable control systems, organizations must assume that malicious attacks will render OT systems “actively acting contrary to the safe and reliable operation of the process.”
  • Exercise your Incident Response Plan: Conduct active exercises with management, public affairs, and legal teams to preemptively test your incident response plan.
  • Harden Your Network: Perform network security controls and best practices to secure your Internet-accessible OT endpoints.
  • Create an Accurate “As-operated” OT Network Map Immediately: Take inventory of your OT network communication: know what OT assets connect to the Internet, what protocols they use for communication, and where external connections exist.
  • Understand and Evaluate Cyber-risk on “As-operated” OT Assets: Refer to cybersecurity vulnerability resources and frameworks to help you evaluate the risk to your OT networks.
  • Implement a Continuous and Vigilant System Monitoring Program: Ensure that you have processes to log, review, and control all traffic and changes made to your OT network.

Protect your remotely accessible OT assets from attacks and adhere to the alert's recommendations by implementing a compliant secure remote access solution. The CISA alert provides guidance and recommendations within the context of NIST standards and frameworks.

Below, we list the CISA alert's recommended mitigations in bold, alongside how Dispel helps you to comply with them.

Mitigations for Have a Resilience Plan for OT:

Recommended Mitigation: “Immediately disconnect systems from the Internet that do not need internet connectivity for safe and reliable operations. Ensure that compensating controls are in place where connectivity cannot be removed.”

How Dispel Helps: Dispel places a barrier between OT systems and the internet, and allows operators to disconnect plants altogether when no remote access is needed. By installing a Dispel component known as a Wicket ESI in each facility’s OT DMZ, individual OT network devices do not require direct internet access. Wicket ESIs sit on-premises and let your team connect to your industrial control systems (ICS) remotely without having to install software onto preexisting ICS equipment. Wicket ESIs (i) establish an encrypted connection to a Dispel Enclave, and (ii) enable connections to ICS devices as permitted by an internal whitelist.

Wicket ESIs and virtual desktops stop direct connections to OT network devices. Network traffic routes only to the Wicket ESI, and no split tunneling is allowed. Thus, when connecting, a user’s device becomes locally scoped to the target OT network and internet connection is dropped.

Additional compensating controls include:

Multi-factor Authentication: Customers can enforce MFA for all users. You can use TOTP authentication tools (QR code style) such as Google Authenticator, Microsoft Authenticator, 1Password, Authy, etc. If you prefer hardware tokens, Dispel also supports FIDO U2F hardware tokens such as Yubikeys, and RSA SecurID tokens, and integrates with Active Directory, LDAP, Okta, and native OS biometric authentication systems including Apple Touch ID and Windows Hello in apps.

Encryption: Dispel uses two layers of AES-256-GCM or -CBC encryption with independently generated 4096-bit RSA keys for the initial key exchange. SD-WANs uniquely key themselves and all connections are end-to-end encrypted.

Single-Tenant Deployment: Each SD-WAN is built on single-tenant infrastructure. Because customers never share cloud resources or virtual machines, deployments are fully segmented from one another. This segmentation prevents lateral movement and reconnaissance between customer environments. All infrastructure can deploy on on-prem hardware or in the cloud.

Recommended Mitigation: "Restore OT devices and services in a timely manner. Assign roles and responsibilities for OT network and device restoration."

How Dispel Helps: Remote access can accelerate system restoration during a cyberattack. Building independent pathways on-demand permits emergency work. Load-balanced redundancy or back-up hot-swappable networks are also available.

Pre-specifying roles and responsibilities by permission tier speeds up OT network and device restoration. Dispel allows user-based access control lists, enforced at the Wicket ESI level. Permissions may be set by what kind of protocol a user can use, and what IP addresses and ports they can access.

Mitigations for Harden Your Network:

Recommended Mitigation: “Fully patch all Internet-accessible systems.”

How Dispel Helps: Remote access infrastructure automatically patches and updates on build. By this process, components remain up-to-date at least daily because the network and virtual desktops cycle regularly (typically once every 24 hours).

Recommended Mitigation: “Segment networks to protect PLCs and workstations from direct exposure to the internet. Implement secure network architectures utilizing demilitarized zones (DMZs), firewalls, jump servers, and/or one-way communication diodes.”

How Dispel Helps: Dispel segments networks away from direct internet exposure.

A Wicket ESI sits in each facility's OT DMZ, to ensure individual OT network devices do not require direct internet access. The Wicket ESI prevents all inbound connection attempts; proactively reaches out to establish a connection with the relevant moving target defense SD-WAN; and employs whitelisting to give authorized users access to relevant connected ICS devices. No split tunneling is allowed. Additionally, when connecting, a user's device becomes locally scoped to the target OT network, and internet connection drops.

Recommended Mitigation: “Ensure all communications to remote devices use a virtual private network (VPN) with strong encryption further secured with multi-factor authentication.”

How Dispel Helps: Dispel utilizes VPNs, secured with two layers of AES-256-GCM or -CBC encryption with independently generated 4096-bit RSA keys for the initial key exchange. All connections are end-to-end encrypted from the user to the OT DMZ. Traffic is decrypted at the OT firewall, to allow for deep packet inspection.

Customers can also require MFA for all users, and continue to use their preferred TOTP authentication tool—such as Google Authenticator, Microsoft Authenticator, 1Password, Authy, etc. Dispel also supports FIDO U2F hardware tokens such as Yubikeys, and RSA SecurID tokens, and integrates with Active Directory, LDAP, Okta, and native OS biometric authentication systems including Apple Touch ID and Windows Hello in apps.

Additionally, customers benefit from protection that goes beyond using static encrypted VPNs by using moving target defense SD-WANs. A moving target defense SD-WAN consists of a shifting network of virtual machines that bridges two or more points. Originally invented to protect assets from targeted attacks, moving target defense networks are uniquely well-suited for providing stable connections to critical systems. Each SD-WAN is built from virtual machines that connect using two cascade ciphered AES-256 VPN tunnels.

Recommended Mitigation: “Connect remote PLCs and workstations to network intrusion detection systems where feasible.”

How Dispel Helps: Dispel integrates with several network intrusion detection systems.

If you have a centralized network intrusion detection system but many remote PLCs and workstations in different locations, Dispel securely connects those locations to your central server.

Recommended Mitigation: “Filter network traffic to only allow IP addresses that are known to need access, and use geo-blocking where appropriate.”

How Dispel Helps: Dispel enables connections to ICS devices as permitted by an internal whitelist. Blocking everything by default achieves geo-blocking.

Administrators can build virtual desktops for users based in any location they choose. All traffic not coming through the administrator's selected locations is dropped.
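The two mitigations above (user-based access control lists keyed by protocol, IP address and port, and a default-deny allowlist that drops traffic from anywhere other than the administrator's chosen locations) are easy to reason about as a small policy evaluator. The block below is an added example, not Dispel's code or configuration format: the rule layout, user names and address ranges are constructed for illustration. It shows the order of checks a practitioner would expect at the enforcement point: reject unapproved source locations first, then look for an explicit rule, and deny everything that matches nothing.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One allowlist entry: a user may speak one protocol to one network on given ports."""
    user: str
    protocol: str
    dest_network: str      # CIDR the rule covers, e.g. "10.10.5.0/24"
    dest_ports: frozenset  # destination ports permitted for this protocol


# Constructed sample policy (hypothetical values, not a real product's rule format).
RULES = (
    Rule("alice", "rdp", "10.10.5.0/24", frozenset({3389})),
    Rule("bob", "modbus", "10.10.7.10/32", frozenset({502})),
)

# Constructed egress ranges of the administrator-chosen virtual desktop locations.
# Traffic arriving from anywhere else is dropped before user rules are consulted.
APPROVED_SOURCES = ("192.0.2.0/24",)


def decide(user, protocol, src_ip, dest_ip, dest_port,
           rules=RULES, approved_sources=APPROVED_SOURCES):
    """Return (allowed, reason). Anything not explicitly permitted is denied."""
    src = ip_address(src_ip)
    dst = ip_address(dest_ip)

    # Check 1: geo/location allowlist. Only the selected desktop locations may reach the ESI.
    if not any(src in ip_network(net) for net in approved_sources):
        return False, "source %s is not an approved desktop location" % src_ip

    # Check 2: per-user rules by protocol, destination network and port.
    for rule in rules:
        if rule.user != user or rule.protocol != protocol:
            continue
        if dst in ip_network(rule.dest_network) and dest_port in rule.dest_ports:
            return True, "matched rule for %s: %s to %s port %d" % (
                user, protocol, rule.dest_network, dest_port)

    # Check 3: default deny. No matching rule means the connection is refused (and logged).
    return False, "no rule permits %s %s to %s:%d" % (user, protocol, dest_ip, dest_port)


if __name__ == "__main__":
    checks = [
        ("alice", "rdp", "192.0.2.10", "10.10.5.20", 3389),     # allowed
        ("alice", "ssh", "192.0.2.10", "10.10.5.20", 22),       # wrong protocol/port
        ("alice", "rdp", "198.51.100.5", "10.10.5.20", 3389),   # unapproved source
        ("bob", "modbus", "192.0.2.11", "10.10.7.10", 502),     # allowed
        ("bob", "modbus", "192.0.2.11", "10.10.7.11", 502),     # host outside rule
        ("carol", "rdp", "192.0.2.12", "10.10.5.20", 3389),     # no rules at all
    ]
    for check in checks:
        allowed, reason = decide(*check)
        print("ALLOW" if allowed else "DENY ", reason)
```

The reason string is returned alongside the decision so that every denial can be written to the same syslog stream the later mitigations ask you to review; a silent drop is much harder to audit than a logged one.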

Recommended Mitigation: “Capture and review access logs from these systems.”

How Dispel Helps: Dispel provides session recording of all RDP connections and customizable syslogging of all activities. You can store session recordings on-site on NAS hard drives or WORM LTO, configure logging, and view granular user activity, including keystrokes. Dispel also provides syslogs for Elasticsearch and Kibana (ELK), and Splunk.

Logs are also collected based on user access requests. Users request access through a built-in access request form, where they must specify why they need access, from when, and to what assets. Verified administrators receive the access requests, and can approve or reject them in part or in whole.

Recommended Mitigation: “Encrypt network traffic preferably using NIAP-validated VPN products and/or CNSSP- or NIST-approved algorithms when supported by OT system components to prevent sniffing and man-in-the-middle tactics.”

How Dispel Helps: Dispel encrypts network traffic using CNSSP- and NIST-approved algorithms.

Dispel uses two layers of AES-256-GCM or -CBC encryption on cascade ciphered VPN tunnels with independently generated 4096-bit RSA keys for the initial key exchange. Each SD-WAN has unique keys and all connections are end-to-end encrypted.

Recommended Mitigation: “Prohibit the use of default passwords on all devices, including controllers and OT equipment.”

How Dispel Helps: Remote access equipment does not come with default passwords. Users must set their own passwords at the beginning.

Recommended Mitigation: “Enforce a strong password security policy (e.g., length, complexity).”

How Dispel Helps: Strong passwords are required on all accounts. For those not using an Active Directory integration, passwords must have at least 8 characters, 1 number, 1 uppercase, and 1 special character. Users may not perform more than six unsuccessful login attempts.
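The password policy and lockout rule just stated translate directly into code. The block below is an added example, not Dispel's implementation: it enforces the four composition rules (at least 8 characters, a digit, an uppercase letter, a special character) at registration time, stores only a salted PBKDF2 digest, and refuses further login attempts once an account has accumulated six consecutive failures (reading "not more than six unsuccessful attempts" as a lock that takes effect after the sixth). The user names and passwords are constructed.

```python
import hashlib
import hmac
import os
import re

MIN_LENGTH = 8
MAX_FAILED_ATTEMPTS = 6   # after this many consecutive failures the account is locked


def password_violations(password):
    """Return the list of policy rules the password breaks (empty list means compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("fewer than %d characters" % MIN_LENGTH)
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest). Iteration count is illustrative."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


class AccountStore:
    """Minimal credential store with policy enforcement and a consecutive-failure lockout."""

    def __init__(self):
        self._creds = {}     # user -> (salt, digest)
        self._failures = {}  # user -> consecutive failed login attempts

    def register(self, user, password):
        problems = password_violations(password)
        if problems:
            raise ValueError("password rejected: " + ", ".join(problems))
        self._creds[user] = hash_password(password)
        self._failures[user] = 0

    def is_locked(self, user):
        return self._failures.get(user, 0) >= MAX_FAILED_ATTEMPTS

    def login(self, user, password):
        """Return 'ok', 'bad-credentials' or 'locked'."""
        if user not in self._creds:
            return "bad-credentials"
        if self.is_locked(user):
            # Locked accounts are refused before the password is even checked.
            return "locked"
        salt, expected = self._creds[user]
        _, actual = hash_password(password, salt)
        if hmac.compare_digest(expected, actual):
            self._failures[user] = 0   # a success resets the counter
            return "ok"
        self._failures[user] += 1
        return "bad-credentials"


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "Correct-Horse9")
    print(password_violations("password"))          # breaks three of the four rules
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(store.login("alice", "wrong-guess"))  # bad-credentials, six times
    print(store.login("alice", "Correct-Horse9"))   # locked: correct password no longer helps
```

Note that the lockout counts consecutive failures per account and is only cleared by a successful login; an operational deployment would also want an administrator unlock path and the lockout events themselves forwarded to the logging described later in the alert.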

Recommended Mitigation: “Enforce or plan to implement two-factor authentication for all remote connections.”

How Dispel Helps: Customers can require users to present valid credentials and multi-factor authentication before accessing any assets in the OT environment. Secure multi-factor authentication methods include Time-based One-Time Passwords (e.g. Google Authenticator, Authy) and U2F hardware tokens (e.g. YubiKeys).

Due to security issues related to SIM-swapping, Dispel does not support SMS/text-based multi-factor authentication.

Mitigations for Understand and Evaluate Cyber-risk on “As-operated” OT Assets:

Recommended Mitigation: “Audit and identify all OT network services (e.g., system discovery, alerts, reports, timings, synchronization, command, and control) that are being used.”

How Dispel Helps: Audit and identification becomes simpler when brokering all external OT network services through the Dispel SD-WAN. Beyond network and asset monitoring, Dispel logs access requests and generates reports through an access request form to aid in auditing processes. When users request access through the built-in request form, they must specify why they need access, from when, and to what assets. Verified administrators receive the requests, and can approve or reject them in part or in whole.

Mitigations for Implement a Continuous and Vigilant System Monitoring Program:

Recommended Mitigation: “Log and review all authorized external access connections for misuse or unusual activity.”

How Dispel Helps: To help you in the auditing process, session recording of all RDP connections and customizable syslogging of all activities are available. You can store session recordings on-site on NAS hard drives or WORM LTO, configure logging, and view granular user activity, including keystrokes. Dispel also provides syslogs for Elasticsearch and Kibana (ELK), and Splunk.

Additionally, Dispel provides live views of user activity for real-time behavior monitoring. Administrators can intervene, share a session with the user for support, and terminate a third-party’s access if needed.
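The access-request form described under the audit mitigation (who needs access, from when, and to which assets) and the log review asked for here fit together: every approved request is a statement of expected behaviour, and every session that no request covers is worth a reviewer's attention. The block below is an added example, not Dispel's reporting code: it parses a few constructed syslog-style session-start lines (the field layout is hypothetical) and flags sessions by users with no request on file, sessions to assets no request names, and sessions outside the approved window.

```python
import re
from datetime import datetime, timezone

# Constructed approved access requests, as an administrator would have approved them
# from the request form: who, which asset, the window requested, and why.
APPROVED_REQUESTS = [
    {"user": "alice", "asset": "10.10.5.20",
     "start": "2020-09-16T08:00:00Z", "end": "2020-09-16T12:00:00Z",
     "reason": "PLC firmware review"},
    {"user": "bob", "asset": "10.10.7.11",
     "start": "2020-09-16T09:00:00Z", "end": "2020-09-16T17:00:00Z",
     "reason": "historian maintenance"},
]

# Constructed session-start lines in a hypothetical syslog layout.
SAMPLE_LOG = """\
2020-09-16T09:15:02Z wicket-esi session=start user=alice proto=rdp dst=10.10.5.20 port=3389
2020-09-16T09:20:11Z wicket-esi session=start user=bob proto=ssh dst=10.10.7.10 port=22
2020-09-16T10:00:00Z wicket-esi session=start user=mallory proto=rdp dst=10.10.5.20 port=3389
2020-09-16T13:05:44Z wicket-esi session=start user=alice proto=rdp dst=10.10.5.20 port=3389
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ session=start user=(?P<user>\S+) proto=(?P<proto>\S+) "
    r"dst=(?P<dst>\S+) port=(?P<port>\d+)$"
)


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_sessions(log_text):
    """Extract session-start records; lines that do not match the layout are skipped."""
    sessions = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            rec = match.groupdict()
            rec["ts"] = parse_ts(rec["ts"])
            rec["port"] = int(rec["port"])
            sessions.append(rec)
    return sessions


def review_sessions(log_text, approved):
    """Return one finding per session that no approved access request covers."""
    findings = []
    for s in parse_sessions(log_text):
        finding = {"time": s["ts"].isoformat(), "user": s["user"], "asset": s["dst"]}
        user_reqs = [r for r in approved if r["user"] == s["user"]]
        if not user_reqs:
            finding["issue"] = "no access request on file for user"
            findings.append(finding)
            continue
        asset_reqs = [r for r in user_reqs if r["asset"] == s["dst"]]
        if not asset_reqs:
            finding["issue"] = "asset not named in any approved request"
            findings.append(finding)
            continue
        in_window = any(parse_ts(r["start"]) <= s["ts"] <= parse_ts(r["end"])
                        for r in asset_reqs)
        if not in_window:
            finding["issue"] = "session outside approved time window"
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in review_sessions(SAMPLE_LOG, APPROVED_REQUESTS):
        print("%(time)s %(user)s -> %(asset)s: %(issue)s" % f)
```

Run against the constructed data, the first alice session passes silently while the other three lines each produce a finding; in practice the same comparison runs on the exported syslog feed (the ELK or Splunk destinations mentioned above) so that a reviewer looks only at the sessions that deviate from what was approved rather than at every recording.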

Next Steps

CISA alerts are designed to inform industry about ongoing threats and how to tackle them. Following recommended guidelines brings organizations into line with industry standards. Responder reaction times are improved with standardization. When CISA alerts are issued, we recommend reviewing them within the first 5 business days of a release at a minimum.

For more details on the mitigations recommended in these 6 categories, we suggest reading the full NSA/CISA alert here.

If you'd like to read the previous guide explaining the alert, click here.


About Dispel

Dispel provides secure remote access designed for OT networks. Built on Moving Target Defense architecture, Dispel helps organizations enable OT remote access while staying aligned to regulatory frameworks and compliance standards. If you are looking to securely bring an OT network online, or harden existing Internet-accessible OT assets, schedule a demo at https://dispel.io