On July 23rd, the NSA and CISA issued an alert urging immediate action be taken by organizations with critical infrastructure.
The alert comes in response to two trends: malicious actors are increasingly attacking Internet-accessible OT assets, and more OT assets are being put online.
Even the NSA and CISA call it “the perfect storm” — legacy OT infrastructure was not designed to defend against cyberattacks, and it has enormous potential to disrupt civilian life. Once put online, these vulnerable assets make attractive targets for malicious cyber activity.
The report covers recently observed attack tactics, their impact, and a list of recommendations to secure online OT security networks against further attacks.
The NSA/CISA alert states that “while the behavior may not be technically advanced, it is still a serious threat because the potential impact to critical assets is so high.” The observed activities are mapped to the MITRE ATT&CK for ICS framework and are listed below:
• Spearphishing to obtain initial access to the organization’s information technology (IT) network before pivoting to the OT network.
• Deployment of commodity ransomware to Encrypt Data for Impact on both networks.
• Connecting to Internet Accessible PLCs requiring no authentication for initial access.
• Utilizing Commonly Used Ports and Standard Application Layer Protocols to communicate with controllers and download modified control logic.
• Use of vendor engineering software and Program Downloads.
• Modifying Control Logic and Parameters on PLCs.
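Several of the listed tactics leave the same footprint on the wire: a session to a controller's protocol port that did not come from an approved engineering workstation. The script below is an added example (not code from the NSA/CISA alert or from Dispel) that reviews a constructed connection log and labels each such session by where it originated: from outside the organization (an Internet-accessible PLC), from the IT network (the pivot that follows a successful spearphish), or from an unapproved host inside OT (a possible unauthorized program download). The log format, the address ranges and the port-to-protocol table are assumptions that a site would replace with its own.

```python
"""Review connection logs for the OT-access patterns the alert describes.

Added example; it is not code from the NSA/CISA alert or from Dispel. The log
format, the address ranges and the port-to-protocol table are all assumptions
a site would replace with its own.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed: TCP ports of the ICS protocols in use on this OT network.
ICS_PORTS = {
    502: "Modbus/TCP",
    102: "S7comm (ISO-TSAP)",
    44818: "EtherNet/IP",
    20000: "DNP3",
}

# Assumed address plan: the OT network, the corporate IT network and the
# engineering workstations approved to talk to controllers.
OT_NETWORKS = [ip_network("10.20.0.0/16")]
IT_NETWORKS = [ip_network("10.10.0.0/16")]
APPROVED_ENGINEERING_HOSTS = {ip_address("10.20.1.10")}


@dataclass
class Finding:
    line_no: int
    src: str
    dst: str
    protocol: str
    reason: str  # internet_exposure | it_to_ot_pivot | unapproved_ot_host


def parse_flow(line):
    """Assumed log format: '<timestamp> <src_ip> <dst_ip> <dst_port> <proto>'."""
    ts, src, dst, port, proto = line.split()
    return ts, ip_address(src), ip_address(dst), int(port), proto.upper()


def member_of(addr, networks):
    return any(addr in net for net in networks)


def classify(src):
    """Label where a session to a controller came from; None means approved."""
    if member_of(src, OT_NETWORKS):
        return None if src in APPROVED_ENGINEERING_HOSTS else "unapproved_ot_host"
    if member_of(src, IT_NETWORKS):
        return "it_to_ot_pivot"
    return "internet_exposure"


def review_flows(lines):
    """Return one Finding per TCP session to an ICS protocol port on an OT host
    that did not originate from an approved engineering workstation."""
    findings = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _, src, dst, port, proto = parse_flow(line)
        if proto != "TCP" or port not in ICS_PORTS or not member_of(dst, OT_NETWORKS):
            continue
        reason = classify(src)
        if reason:
            findings.append(Finding(n, str(src), str(dst), ICS_PORTS[port], reason))
    return findings


# Constructed sample log: five sessions, three of which should be flagged.
SAMPLE_FLOWS = """\
# timestamp            src            dst        port  proto
2020-07-23T10:00:00Z   10.20.1.10     10.20.5.7  502   TCP
2020-07-23T10:00:05Z   198.51.100.23  10.20.5.7  502   TCP
2020-07-23T10:00:09Z   10.20.3.44     10.20.5.8  44818 TCP
2020-07-23T10:00:12Z   10.10.7.3      10.20.5.7  502   TCP
2020-07-23T10:00:15Z   10.20.1.10     10.20.5.7  443   TCP
"""

if __name__ == "__main__":
    for f in review_flows(SAMPLE_FLOWS.splitlines()):
        print(f"line {f.line_no}: {f.src} -> {f.dst} ({f.protocol}): {f.reason}")
```

Run against the constructed log, the approved workstation's Modbus session and the HTTPS session pass silently, while the external address, the unapproved OT host and the IT-network host are each reported with the reason that matches one of the tactics above. The same three-way split is what the alert's recommendations aim at: no controller reachable from the Internet, a controlled boundary between IT and OT, and only known engineering hosts allowed to speak the controller protocols.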
These attacks can take an OT network offline, which would prevent human operators from viewing the control systems they need and ultimately cost organizations productivity and revenue.
Furthermore, these attacks can provide adversaries with active command-and-control over the OT assets and infrastructure, allowing malicious actors to manipulate and damage physical processes.
No. The NSA/CISA alert acknowledges that putting OT assets online is sometimes critical to business productivity, and recognizes that the industry trend points towards more OT assets being put online, not fewer.
However, the alert urges organizations to ensure that remotely accessible OT assets are protected from malicious attacks, whether by building a security stack in-house or by sourcing vendor products to protect remote access to OT.
The mitigation techniques are divided into six main categories. They are listed and summarized below, but the original alert is worth reading in full.
Dispel provides secure remote access designed for OT networks. Built on Moving Target Defense architecture, Dispel helps organizations enable OT remote access while aligning with regulatory frameworks and compliance standards. If you need to put an OT network online or to harden existing Internet-accessible OT assets, schedule a demo.