Breaking Down CISA/NSA’s Warning to Industrial Control System (ICS) Operators

ics and ot security
ics and ot security

At the beginning of 2020, we predicted that strengthening America’s critical infrastructure would become a renewed focus of cybersecurity for federal agencies and contractors. In spite of everything else that has happened since then, this prediction is coming true more rapidly than we would have guessed.

At the end of last month, the Cybersecurity and Infrastructure Security Agency (CISA) posted an alert (AA20-205A) warning government agencies of an increased threat to the Industrial Control Systems (ICS) and operational technology (OT) that power the country’s National Security Systems (NSS), Defense Industrial Base (DIB) and other critical infrastructure.

In the alert, CISA urges “immediate action” to strengthen the security of vulnerable OT, outlining key risks and remediation strategies. Should your organization be concerned, and if so, how should you respond? In this article, we’ll break down CISA’s warning and comment on its recommendations.

What happened?

CISA contextualized its bulletin in general terms – apparently the agency has noticed a heightened level of activity from malicious cyber-actors targeting critical systems on protected federal networks. These attacks generally target OT through Internet-accessible programmable logic controllers (PLCs) and SCADA devices. While these incidents have increased in recent years, this is the first time an advisory has been released in response. Whether a particular actor or group of actors are involved has not been disclosed.

Why is this happening?

According to CISA, the rise in malicious activity is explained by multiple factors that closely map to our list of predictions for ICS risks in 2020. They include:

  • Increased Internet connectivity and Internet-connected assets within industrial environments, alongside and exacerbated by the growth of Industrial Internet of Things (IIoT).
  • Deprecated or legacy systems that are expensive to replace, and have not been protected against modern threats
  • Search engines that cull the IP addresses of public facing ICS systems – like Shodan and Kamerka – enable hackers to target them easily. For organizations with an inaccurate or outdated inventory, critical assets can go online without the knowledge of operators, and sometimes authentication will not even be required to interface with them.
  • Increased availability of exploit frameworks (Metasploit, Core Impact, etc.) that come pre-loaded with attack vectors and vulnerabilities that affect ICS systems

Ultimately, a rise in cyber-actors targeting ICS is not surprising. Because the OT/IT convergence is such a recent phenomenon, many organizations and federal agencies have not prioritized cybersecurity for OT, and threats have advanced much faster than infrastructure has developed in those organizations.

What tactics should I be worried about?

CISA lists several “Tactics, Techniques, and Procedures” (TTPs) that cyber-actors are using to exploit ICS-systems. Some are expected, including ransomware that encrypts data until the organization pays a fee to malicious actors, while others – in particular spearphishing attacks – are less commonly associated with OT-security, and show that insider threats (in this case, poorly trained personnel) remain a primary attack vector across multiple domains.

What Does CISA/NSA Recommend?

A week after the initial alert, CISA and the NSA provided a lengthy list of recommendations, urging “immediate action” to resolve vulnerabilities and strengthen the security position of critical infrastructure.

In abridged form, the recommended actions fall into three strategy groups:

  1. Develop an OT resilience plan – operators should ensure that their systems will maintain critical functionality even if components must be deactivated after a hostile takeover. They should isolate critical systems from further sabotage by disconnecting them from the Internet wherever possible and educate staff on processes for manual control in case ICS-functionality ever ceases.
  2. Develop and exercise an incident response strategy – in the past, we have written about the importance of responding quickly during a breach or threat event. CISA agrees and urges organizations to rehearse their strategy through “tabletop exercises”. All personnel who are involved in the strategy should know their roles, especially key decision makers, and third-parties should be consulted for further support.
  3. Harden your network – crucially, organizations should maintain an accurate inventory of all network-accessible equipment. Without this, it is impossible to guarantee their protection. CISA recommends the use of tools like Shodan to discover which assets are publicly accessible, and continuously monitor network activity to catch malicious behavior as soon as it begins.

The full list of recommendations – available on CISA’s website – is a great resource that OT operators should both read and retain for future reference. In particular, the actions recommended under “harden your network” fall under perimeter security, and protecting ICS assets on the perimeter is the most effective way to prevent them from falling into the wrong hands.

Know Your Infrastructure

The actions recommended by CISA and NSA are geared towards providing OT operators with a way to strengthen their security position in the short term. But in the long-term, defending against threats requires systemic improvement of an organization’s culture, alongside strategic replacement of deprecated software and physical systems.

Every organization that depends on industrial technology should aim to improve its infrastructure over time, but it’s not possible to do that without first assessing its current position, unique vulnerabilities and gaps. Download our free eBook: Industrial Cybersecurity in 2020: How to Conduct An OT/ICS Gap Analysis and learn:

  • OT/ICS security standards for proactive risk prevention
  • ICS-specific security gaps
  • Organization culture gaps
  • The dangers of complacency

Moving forward, ignoring ICS security risk is not an option. As cyber-actors advance, your organization is a target. With years of ICS expertise trusted by the U.S security community – including DoD, DHS and the U.S Cyber Command – Securicon can harden you against today’s risks and prepare you for tomorrows threats. Contact us to learn more!

OT Security Risks Are Worse Than Ever: Here’s How You Fight Them

security risks,
security risks,

The convergence of IT and OT has come so far that – in a recent blog post – the SANS Institute recommended dropping the “IT/OT” nomenclature entirely. Judging by the state of OT today, it’s a reasonable suggestion: over 65% of industrial control systems (ICS) are linked to enterprise or third-party networks, shrinking the “air gap” which has historically defended them.

This connectivity hasn’t come without a cost – on the contrary, OT systems have never been more vulnerable than they are now. According to SANS, the percentage of control systems that experienced three or more incidents increased from 35.3% in 2017 to 57.7% in 2019. We’ve written about quite a few of them, from the BlackEnergy malware which took down swaths of the Ukrainian power grid in 2015 to the Triton attack which hit industrial facilities in 2019.

By now, everyone knows that organizations with OT infrastructure are at risk. In our last blog post, we talked about the top ICS risks that organizations should watch out for in 2020. In this post, we’re zooming out to explain the nature of OT risks more generally and strategies for beating them.

The Threat-Sources Behind OT Attacks

From the perspective of technology, it’s easy to understand why OT is more vulnerable than ever: integration with IT generally means more attack vectors. But just who is targeting OT systems, and what’s enabling them? There are three primary threat sources:

  • Insider threats – insider threats come in one of three shades: the careless insider compromises an organization through lack of digital hygiene, the unwitting insider is manipulated through social engineering, and the malicious insider deliberately sabotages their own organization for spite or profit. A significant percentage  of OT security incidents involve insiders.
  • Targeted attacks – thanks to the dark web and the increased availability of advanced hacking tools, the number of hackers with the chops to successfully target an organization has risen. According to SANS, growth in OT attacks is largely attributable to foreign actors who are motivated by destruction or disruption.
  • Malware – since Stuxnet hit Iranian uranium enrichment processing in 2010, malware targeting OT systems has become alarmingly effective. It is often – but not always – connected with a targeted attack. Triton malware is stealthy and manages to bypass multiple security controls; strains of ransomware capable of infecting ICS have also been discovered.

The Risks of An OT Attack

Attacks on control systems can accomplish many things, none of them good. Limiting the scope of risk to those that directly impact an organization, they include:

  • Data theft – exposing operationally significant data to intruders and leaking proprietary information like intellectual property.
  • Disrupt operations – leading infrastructure to function improperly or even shut down. This may cause significant risk to human life and safety within operating facilities.
  • Financial loss – with the rise of ICS ransomware, an OT attack can directly rob an organization. Beyond that, the cost to remediate any incident may be high, and extended periods of disruption can cause a loss in revenue.

Beyond an organization’s people and bottom line, it goes without saying that OT systems control a nation’s infrastructure meaning that any security incident can potentially affect millions of people.

Dealing with OT Risks: Three Steps

The principles behind OT risk management are not difficult to understand. They share many things in common with – and overlap – the risk management strategies used in IT for decades. Risks to OT permeate through an organization and must be addressed at every level of the enterprise.

1. Implement Perimeter Security

Malware targeting OT – wherever it originates – must spread through the IT chain connected with control systems. Beginning with the devices closest to OT, secure these networks using traditional methods and work towards routers and other peripherals at the edge of your organization.

  • Use vulnerability analysis to find and prioritize areas of weakness. Validate those weaknesses using penetration tests and remediate according to the level of risk.
  • Take inventory of the IT chain, and – wherever possible – reduce the number of routes to OT by eliminating unnecessary connections or devices.
  • Invest in personnel training to raise awareness of cyber hygiene and prevent social engineering attacks.

In general, lack of collaboration between OT and IT drives the risk of IT/OT convergence: bringing these teams together can ensure that there is no conflict of interest between OT and the rest of an organization’s infrastructure.

2. Solidify OT Architecture

In an ideal world, organizations would build OT from the ground up following validated architecture plans reviewed and approved by security professionals and the appropriate regulatory authority. In reality, existing OT often predates modern security concerns and total redesign may be prohibitively expensive. Nevertheless, changes can be made to improve the security of OT architecture:

  • Move away from legacy or open-source protocols: legacy protocols may not receive patches when new vulnerabilities are discovered. Open-source protocols are well understood by attackers and make for easy targets.
  • Adopt a zero-trust policy towards IIoT, segmenting SCADA and ICS networks with perimeters to reduce the lateral mobility of attackers.
  • Adopt air gaps wherever possible: air-gapping is still the most reliable way to protect OT. If integration with IT is not necessary or mission critical, reverse it, or consider data diodes to limit bi-directional traffic.

3. Incident Response Strategy

In the event of a successful OT attack, organizations can mitigate harm significantly by developing a robust incident response strategy. In summary, the plan should include steps to:

  • If possible, isolate the affected systems to prevent further harm, identify the threat source and remove it.
  • Record and document an ongoing attack for later analysis and review.
  • Reduce harm by resetting affected systems’ passwords and user profiles.
  • Inform stakeholders and implement measures to prevent future incidents.

During an attack, every second counts and knowing what to do ahead of time can make a world of difference. For more detail, check out our recent blog post on disaster recovery and response.

The Need for Expertise

When it comes to preventing OT attacks, no method of security is more reliable than cyber threat hunting which allows organizations to discover and eliminate attack vectors before they are exploited.

Unfortunately, threat hunting requires expertise, and – with the scarcity of available ICS security expertise – that’s hard to come by. Fortunately, some of those experts are employed by Securicon. With years of education and experience in critical infrastructure, nobody is better equipped to discover vulnerabilities and maximize safety in modern OT systems. To learn more, contact us today

5 Big Risks for Industrial Control Systems (ICS) in 2020

manage the risks for Industrial Control Systems
manage the risks for Industrial Control Systems

2019 is coming to an end, and with it so is the decade when America started taking cybersecurity seriously. In the past decade, we have seen the rise of cloud-based infrastructure, government legislation like FedRAMP, and – most importantly – a dramatic increase in the number of cyber threats facing both commercial and governmental organizations.

Before 2010 when the Stuxnet attack crippled one-fifth of nuclear enrichment centrifuges in Iran, comprehensive cybersecurity programs for industrial systems and operational technology (OT) were practically non-existent. Since then, the IT/OT convergence has brought about a slew of malware attacks specifically targeting Industrial Control Systems (ICS) and programmable logic controllers (PLCs), from BlackEnergy in 2014 to Industroyer in 2016.

A Chance for Improvement

According to major players in the malware detection industry, over 40% of ICS systems across utilities and manufacturing were targeted or outright attacked during the first quarter of 2018. On the one hand, this is a scary moment in history: for the first time, terrorists can wage war on another country’s critical infrastructure. On the other hand, industry professionals are waking up to the need for robust security in the face of increased risk.

In the best-case scenario, America and other developed countries will emerge from the 2020s with stronger infrastructure and a renewed focus on cybersecurity. Along the way, they will have to take a critical look at the greatest risks for ICS systems today.

In this article, we’ll give you a head start: here’s our list of the top 5 threats that ICS professionals need to worry about during the new year.

Top 5 Risks to ICS in 2020

It’s commonly believed that OT security risks stem from developing technology. However, this is not entirely true: some ICS risks stem from systemic flaws in an organization’s structure, supply chain and talent pool. In this list, we’ll give equal priority to all of them.

1. False Promises

Automation has long been the dream of cybersecurity, and in his talk at the ICS Cybersecurity Conference last month, Mark Carrigan pointed out that unscrupulous vendors have been promising a level of automation they just can’t deliver. Organizations who are looking for off-the-shelf solutions to OT security must beware: targeted attacks are masterminded by humans, and it takes human intelligence to identify and beat them.

More generally – as Steven Booth of FireEye maintains – bad vendors can be a liability to security, even when their products work as advertised: “we have seen a number of situations in the past few years where software components in automatic updates were corrupted or poisoned with malicious code,” said Booth.

This is a trend which security practitioners in every field need to be aware of. Next year, the Department of Defense (DoD) will require vendors to pass a certification program before working with government partners. Until then, organizations must stay vigilant in vetting their supply chain.

2. The Industrial Internet of Things (IIoT)

IIoT has been a mixed basket for organizations: on the one hand, it extends the functionality of networks and helps to generate data that drives operational efficiencies – consequently many operations managers love IIoT devices.

However, these devices can also create points of entry for attackers, especially because IIoT vendors are rushing their products to market, utilizing components from less-than-reputable sources, and skipping basic security controls along the way. Many products lack two-factor authentication (2FA) and secure update mechanisms— or in some cases, they don’t allow customers to change default accounts and passwords from default settings.

The National Institute of Standards and Technology (NIST) is currently working to develop mandatory standards for IIoT, in response to lax security in Distributed Energy Resources (DERs) which threaten the power grid. In the meantime, organizations should adopt a zero-trust policy towards IIoT, segmenting SCADA and ICS networks with perimeters to reduce the lateral mobility of attackers.

3. Insider Threats

In response to ICS risks, some organizations have rejected the IT/OT convergence altogether, isolating their OT from any contact with networks. While this so-called “air gap” method of defense kept OT on the periphery of cybersecurity for years, it is no defense against the biggest threat to ICS security of all: people.

Only 3% of attacks on critical infrastructure begin and end with technical exploits and vulnerabilities. Ninety-seven percent rely on social engineering techniques which trick an organization’s personnel into divulging passwords and access information. Insiders can also compromise a system through careless Internet activity and negligence of security protocol.

Going forward, organizations should invest more resources in training their personnel. Knowing cyber hygiene techniques, developing security situational awareness, and understanding the tactics of hackers can often prevent a major security breach.

4. Hackers Are Improving

According to Thomas Pope from Dragos, modern hackers have begun to converge on a common set of threats, techniques and procedures (TTPs). On the one hand, this is good news for security professionals, since it means attacks will be easier to detect. On the other hand, an over-reliance on commodity IT solutions and open design protocols put organizations at significant risk.

According to CyberX, 82% of industrial sites depended on remote management protocols like RDP and SSH in 2017. Not only are hackers familiar with these access protocols and their vulnerabilities, but they are even familiar with proprietary ICS systems.

Every year, attackers become stronger thanks to the resources available to them: increased digital literacy, the widespread availability of pentesting toolkits and darknet markets where SCADA/ICS protocols and exploits are sold cheap. Organizations should acknowledge this fact by designing industrial infrastructure with greater attention to segmentation and detection of indicators of compromise.

5. Talent Gap

When it comes to talent, the entire security industry is in a rough spot. According to some estimates, there will be 3.5 million unfilled security positions by 2021, thanks to the rise of cybercrime and a lack of educated professionals.

The situation is even worse for OT security: according to Robert M. Lee of Dragos, there are fewer than 1,000 ICS professionals in the entire world. In the coming decade, industrial organizations would do well to make sure their personnel have the education they need for success and promote the cybersecurity career path to inbound university students.

The Need for Expertise

With years of expertise trusted by the U.S. security community – including DoD, DHS and the U.S. Cyber Command – our people are equipped to find and eliminate modern OT threats with methodology including:

  • Vulnerability assessments and penetration tests
  • Red-team and blue-team services
  • Industrial Control System (ICS) assessments
  • Network engineering and security architecture design

Automated solutions just aren’t good enough: in 2020, partner with an organization that can see both the big picture and granular details of OT security today.

The 2020’s are an opportunity for renewed focus on cybersecurity. Securicon’s risk management solutions are based on industry standards for safety and professionalism. With years of experience in cybersecurity, we are here to help you manage the risks for Industrial Control Systems. Contact us for more information.