The US National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint advisory specifically for OT/ICS networks. The advisory offers guidance on ways to reduce the likelihood of a cyber attack and reinforce protective security measures.
According to the advisory, “The combination of integrated, simplified tools and remote accesses creates an environment ripe for malicious actors to target control systems networks.”
ICS Networks are “An Attractive Target”
The advisory highlights several of the known challenges for securing ICS networks, including the expanding attack surface created by IT/OT convergence and the large number of legacy systems still in use that lack proper security protections.
As SCADAfence CTO Paul Smith said in a recent interview, “The old legacy stuff is hyper vulnerable. While it would be advisable for networks to replace the old equipment, that often doesn’t happen. It has become a major issue in industry where companies feel that if it is producing, don’t mess with it. The cost benefit analysis isn’t there for them to justify implementing new technologies yet.” (Read the complete interview)
The advisory also stresses the need for security personnel to understand how malicious actors target networks, and the tactics, techniques, and procedures (TTPs) used most often in planned attacks.
Threat actors follow a standard game plan when planning an attack. The advisory outlines five standard steps: selecting a target, collecting intelligence, developing techniques and tools to navigate through the targeted network, gaining an initial foothold in the system, and executing the attack.
State-sponsored threat actors will often carry out these steps repeatedly and with high levels of planning and coordination in order to execute an attack. SCADAfence has reported on several known OT cyber attacks that used these exact methods. Ukraine, which the advisory cites as an example, has been the victim of state-sponsored attacks by Russia as part of the ongoing conflict in the region. As we reported earlier this year, several Russia-based threat groups have targeted Ukraine’s critical infrastructure. In addition, we’ve also issued guidance about the malware framework Pipedream being used by state-sponsored groups to target ICS systems.
Mitigating the Potential Risk
Lowering the potential risk of an attack, according to the NSA and CISA, requires balancing network security with the need for performance, ease-of-use, and availability of the OT/ICS network. Among their suggestions is to limit the exposure of system information. The advisory suggests, “to the extent possible, avoid disclosing information about system hardware, firmware, and software in any public forum.”
Other guidance includes securing remote access points, conducting regular security audits, implementing a dynamic network environment and restricting tools and scripts.
With regards to this last suggestion, the advisory states, “Limit access to network and control system application tools and scripts to legitimate users performing legitimate tasks on the control system.” According to SCADAfence CTO Paul Smith, organizations should use extra care when removing access to tools as this can have unintended consequences for the organization. In certain cases, overly restrictive access controls can create roadblocks for engineers, data scientists and other team members who need to carry out important tasks.
Said Smith, “It's very paramount that you understand who is using what tools for what reason, be cognizant before you just start writing policies to lock everyone out of everything. Do your due diligence, understand the use case and really understand the impact of removing these tools from the environment.” You can watch a video of Smith discussing this issue here.
The most effective way to increase the security of your OT network starts with a complete, detailed asset inventory. Since you can’t protect what you can’t see, a robust, automated asset inventory is the first step toward increasing your OT security. Too many organizations still maintain OT asset inventory using Excel spreadsheets or other insecure, outdated methods.
Next, prioritize which patches are most important to implement in your network, and in what order. A proper CVE prioritization tool can help your OT security team stay focused on mitigating the highest potential risk.
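The two steps above (an asset inventory, then patch prioritization that is not driven by CVSS alone) can be combined into one simple ranking. The following is an added illustration, not code from the advisory or from SCADAfence: the asset names, the `CVE-0000-NNNN` identifiers, the CVSS values and the zone weights are all constructed placeholders, and the scoring formula (CVSS x asset criticality x network exposure, with a bump for vulnerabilities known to be exploited) is one reasonable choice, not a standard. The point it demonstrates is that a medium-severity flaw on an asset reachable from a remote access path can rank above a critical flaw on an isolated controller.

```python
"""Rank patches by combining an OT asset inventory with vulnerability records.

Added example, not from the NSA/CISA advisory or SCADAfence. All vendor,
product, asset and CVE values below are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    asset_id: str
    vendor: str
    product: str
    version: str
    zone: str          # where the asset sits: "remote-access", "dmz", "level1-control"
    criticality: int   # 1 (low) .. 5 (safety/production critical), set by the asset owner


@dataclass
class Vuln:
    cve: str
    vendor: str
    product: str
    affected_max_version: str   # versions <= this are affected (inclusive)
    cvss: float
    exploited_in_the_wild: bool = False


# Exposure multipliers (assumed values): assets reachable from remote access
# paths or the IT/OT boundary are weighted above isolated control-level devices.
ZONE_EXPOSURE = {"remote-access": 2.0, "dmz": 1.5, "level1-control": 1.0}
EXPLOITED_MULTIPLIER = 1.5


def version_tuple(version: str) -> tuple:
    """Turn '2.1.0' into (2, 1, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def is_affected(asset: Asset, vuln: Vuln) -> bool:
    """An asset is affected when vendor/product match and its version is in the affected range."""
    return (asset.vendor == vuln.vendor
            and asset.product == vuln.product
            and version_tuple(asset.version) <= version_tuple(vuln.affected_max_version))


def risk_score(asset: Asset, vuln: Vuln) -> float:
    """CVSS weighted by asset criticality and network exposure, bumped if exploited in the wild."""
    score = vuln.cvss * asset.criticality * ZONE_EXPOSURE.get(asset.zone, 1.0)
    if vuln.exploited_in_the_wild:
        score *= EXPLOITED_MULTIPLIER
    return score


def prioritize(inventory: list, vulns: list) -> list:
    """Return (score, asset_id, cve) triples, highest risk first."""
    findings = [
        (risk_score(asset, vuln), asset.asset_id, vuln.cve)
        for asset in inventory
        for vuln in vulns
        if is_affected(asset, vuln)
    ]
    # Sort by descending score; ties broken by asset and CVE id for stable output.
    findings.sort(key=lambda f: (-f[0], f[1], f[2]))
    return findings


# Constructed sample inventory (what an automated asset inventory would export).
INVENTORY = [
    Asset("PLC-01", "ExampleVendor", "ExamplePLC", "2.1.0", "level1-control", 5),
    Asset("PLC-02", "ExampleVendor", "ExamplePLC", "3.0.0", "level1-control", 5),
    Asset("HMI-01", "ExampleVendor", "ExampleHMI", "4.0.2", "dmz", 3),
    Asset("JUMP-01", "ExampleVendor", "ExampleGateway", "1.3.0", "remote-access", 4),
]

# Constructed vulnerability records; the CVE ids are placeholders, not real entries.
VULNS = [
    Vuln("CVE-0000-0001", "ExampleVendor", "ExamplePLC", "2.9.9", 9.8),
    Vuln("CVE-0000-0002", "ExampleVendor", "ExampleHMI", "4.1.0", 7.5, exploited_in_the_wild=True),
    Vuln("CVE-0000-0003", "ExampleVendor", "ExampleGateway", "1.5.0", 6.5),
]


if __name__ == "__main__":
    for score, asset_id, cve in prioritize(INVENTORY, VULNS):
        print(f"{score:6.1f}  {asset_id:8s}  {cve}")
```

With the sample data, the gateway on the remote access path (CVSS 6.5) ranks first, the exploited HMI flaw second, and the CVSS 9.8 PLC flaw third, while PLC-02 drops out entirely because its firmware is outside the affected range. The version comparison is deliberately numeric: comparing version strings lexically would wrongly treat "10.0" as older than "2.0", a common inventory mistake.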
Additionally, always stick to OT security best practices for protecting against malware and ransomware, such as using multifactor authentication, encrypting sensitive data, implementing remote access security, and educating staff about the risks and methods of ransomware attacks. For more information on how SCADAfence can keep your ICS/OT systems protected from threats, request a demo now.