Breaking Down CISA/NSA’s Warning to Industrial Control System (ICS) Operators

ics and ot security

At the beginning of 2020, we predicted that strengthening America’s critical infrastructure would become a renewed focus of cybersecurity for federal agencies and contractors. In spite of everything else that has happened since then, this prediction is coming true more rapidly than we would have guessed.

At the end of last month, the Cybersecurity and Infrastructure Security Agency (CISA) posted an alert (AA20-205A) warning government agencies of an increased threat to the Industrial Control Systems (ICS) and operational technology (OT) that power the country’s National Security Systems (NSS), Defense Industrial Base (DIB) and other critical infrastructure.

In the alert, CISA urges “immediate action” to strengthen the security of vulnerable OT, outlining key risks and remediation strategies. Should your organization be concerned, and if so, how should you respond? In this article, we’ll break down CISA’s warning and comment on its recommendations.

What happened?

CISA contextualized its bulletin in general terms – apparently the agency has noticed a heightened level of activity from malicious cyber-actors targeting critical systems on protected federal networks. These attacks generally target OT through Internet-accessible programmable logic controllers (PLCs) and SCADA devices. While these incidents have increased in recent years, this is the first time an advisory has been released in response. Whether a particular actor or group of actors are involved has not been disclosed.

Why is this happening?

According to CISA, the rise in malicious activity is explained by multiple factors that closely map to our list of predictions for ICS risks in 2020. They include:

  • Increased Internet connectivity and Internet-connected assets within industrial environments, alongside and exacerbated by the growth of Industrial Internet of Things (IIoT).
  • Deprecated or legacy systems that are expensive to replace, and have not been protected against modern threats
  • Search engines that cull the IP addresses of public facing ICS systems – like Shodan and Kamerka – enable hackers to target them easily. For organizations with an inaccurate or outdated inventory, critical assets can go online without the knowledge of operators, and sometimes authentication will not even be required to interface with them.
  • Increased availability of exploit frameworks (Metasploit, Core Impact, etc.) that come pre-loaded with attack vectors and vulnerabilities that affect ICS systems

Ultimately, a rise in cyber-actors targeting ICS is not surprising. Because the OT/IT convergence is such a recent phenomenon, many organizations and federal agencies have not prioritized cybersecurity for OT, and threats have advanced much faster than infrastructure has developed in those organizations.

What tactics should I be worried about?

CISA lists several “Tactics, Techniques, and Procedures” (TTPs) that cyber-actors are using to exploit ICS-systems. Some are expected, including ransomware that encrypts data until the organization pays a fee to malicious actors, while others – in particular spearphishing attacks – are less commonly associated with OT-security, and show that insider threats (in this case, poorly trained personnel) remain a primary attack vector across multiple domains.

What Does CISA/NSA Recommend?

A week after the initial alert, CISA and the NSA provided a lengthy list of recommendations, urging “immediate action” to resolve vulnerabilities and strengthen the security position of critical infrastructure.

In abridged form, the recommended actions fall into three strategy groups:

  1. Develop an OT resilience plan – operators should ensure that their systems will maintain critical functionality even if components must be deactivated after a hostile takeover. They should isolate critical systems from further sabotage by disconnecting them from the Internet wherever possible and educate staff on processes for manual control in case ICS-functionality ever ceases.
  2. Develop and exercise an incident response strategy – in the past, we have written about the importance of responding quickly during a breach or threat event. CISA agrees and urges organizations to rehearse their strategy through “tabletop exercises”. All personnel who are involved in the strategy should know their roles, especially key decision makers, and third-parties should be consulted for further support.
  3. Harden your network – crucially, organizations should maintain an accurate inventory of all network-accessible equipment. Without this, it is impossible to guarantee their protection. CISA recommends the use of tools like Shodan to discover which assets are publicly accessible, and continuously monitor network activity to catch malicious behavior as soon as it begins.

The full list of recommendations – available on CISA’s website – is a great resource that OT operators should both read and retain for future reference. In particular, the actions recommended under “harden your network” fall under perimeter security, and protecting ICS assets on the perimeter is the most effective way to prevent them from falling into the wrong hands.

Know Your Infrastructure

The actions recommended by CISA and NSA are geared towards providing OT operators with a way to strengthen their security position in the short term. But in the long-term, defending against threats requires systemic improvement of an organization’s culture, alongside strategic replacement of deprecated software and physical systems.

Every organization that depends on industrial technology should aim to improve its infrastructure over time, but it’s not possible to do that without first assessing its current position, unique vulnerabilities and gaps. Download our free eBook: Industrial Cybersecurity in 2020: How to Conduct An OT/ICS Gap Analysis and learn:

  • OT/ICS security standards for proactive risk prevention
  • ICS-specific security gaps
  • Organization culture gaps
  • The dangers of complacency

Moving forward, ignoring ICS security risk is not an option. As cyber-actors advance, your organization is a target. With years of ICS expertise trusted by the U.S security community – including DoD, DHS and the U.S Cyber Command – Securicon can harden you against today’s risks and prepare you for tomorrows threats. Contact us to learn more!