OT Security: Your Guide to the NSA/CISA Alert AA20-205A
On July 23rd, the NSA and CISA issued an alert urging immediate action be taken by organizations with critical infrastructure.
What caused the OT security alert?
The alert comes in response to two trends: malicious actors are increasingly attacking online OT security assets, and more OT assets are increasingly being put online.
Even the NSA/CISA calls it “the perfect storm” — legacy OT infrastructure was not designed to defend against cyberattacks, and they have incredible potential to disrupt civilian life. Once put online, these vulnerable assets make attractive targets for malicious cyber activities.
The report covers recently observed attack tactics, their impact, and a list of recommendations to secure online OT security networks against further attacks.
What are the attacks and their impact?
The NSA/CISA alert states that “while the behavior may not be technically advanced, it is still a serious threat because the potential impact to critical assets is so high.” The observed activities are mapped to the MITRE ATT&CK for the ICS framework and are listed below:
• Spearphishing to obtain initial access to the organization’s information technology (IT) network before pivoting to the OT network.
• Deployment of commodity ransomware to Encrypt Data for Impact on both networks.
• Connecting to Internet Accessible PLCs requiring no authentication for initial access.
• Utilizing Commonly Used Ports and Standard Application Layer Protocols, to communicate with controllers and download modified control logic.
• Use of vendor engineering software and Program Downloads.
• Modifying Control Logic and Parameters on PLCs.
These attacks can bring an OT security network offline, which would prevent human operators from viewing the control systems they need and ultimately cost organizations productivity and revenue.
Furthermore, these attacks can provide adversaries with active command-and-control over the OT assets and infrastructure, allowing malicious actors to manipulate and damage physical processes.
Should my OT assets be offline?
No. The NSA/CISA alert acknowledges that putting OT assets online is sometimes critical to business productivity, and recognizes that the industry trend points towards more online OT security for your assets, not less.
However, the alert is urging organizations to ensure that remotely accessible OT assets are protected from malicious attacks, whether through self-constructing a security stack or sourcing vendor products to protect your OT security remote access.
Recommended steps for OT security
The mitigation techniques are divided up into six main categories. They are listed and summarized below, but the original version is worth reading.
- Have a Resilience Plan for OT: Beyond planning for malfunctioning or inoperable control systems, organizations must assume that malicious attacks will render OT systems “actively acting contrary to the safe and reliable operation of the process.”
- Exercise your Incident Response Plan: Conduct active exercises with management, public affairs, and legal teams to preemptively test your incident response plan.
- Harden Your Network: Perform network security controls and best practices to secure your Internet-accessible OT endpoints.
- Create an Accurate OT Network Map: Take inventory of your OT network communication: know what OT assets are connected to the Internet, what protocols they use for communication, and where external connections exist.
- Evaluate Cyber-risk on “As-operated” OT Assets: Refer to cybersecurity vulnerability resources and frameworks to help you evaluate the risk to your OT networks.
- Implement a Vigilant System Monitoring Program: Ensure that you have processes to log, review, and control all traffic and changes made to your OT network.
Dispel provides secure remote access designed for OT security networks. Built on Moving Target Defense architecture, Dispel helps organizations enable OT remote access while aligning with regulatory frameworks and compliance standards. If you need an OT security network online or harden existing Internet-accessible OT assets, schedule a demo.