CISA, NSA Provide OT, ICS Defense Strategies to Critical Infrastructure

September 27, 2022 - Standard approaches to operational technology (OT) and industrial control system (ICS) security “do not adequately address current threats,” the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) stated in a joint cybersecurity advisory directed at critical infrastructure entities.

“OT/ICS devices and designs are publicly available, often incorporate vulnerable information technology (IT) components, and include external connections and remote access that increase their attack surfaces,” the advisory stated.

“In addition, a multitude of tools are readily available to exploit IT and OT systems. As a result of these factors, malicious cyber actors present an increasing risk to ICS networks.”

Building on previous CISA and NSA guidance, CISA issued the advisory to shed light on the tactics, techniques, and procedures (TTPs) used by threat actors, in order to help OT and ICS owners and operators better defend their assets.

The use of decades-old technology and the growing popularity of OT and IT convergence have expanded the attack surface when it comes to OT and ICS security, the advisory reasoned.

READ MORE: HC3 Details APT41 Cyberattack Tactics, Risks to Healthcare Cybersecurity

Organizations in the healthcare sector and elsewhere are increasingly leveraging cyber-physical systems that incorporate IT elements into OT devices and infrastructure. While this integration can promote more efficiency and efficacy, it also may open organizations up to additional security risks.

ICS and OT owners and operators must make careful and calculated security decisions to limit the exposure of sensitive data. While traditional IT-based cyberattacks are more of a commonplace threat, the CISA and the NSA stressed the importance of maintaining cyber awareness and ensuring the security of OT and ICS assets as well.

What Does an ICS/OT Cyberattack Look Like?

“Today’s cyber realm is filled with well-funded malicious cyber actors financed by nation-states, as well as less sophisticated groups, independent hackers, and insider threats,” the advisory continued.

“Control systems have been targeted by a variety of these malicious cyber actors in recent years to achieve political gains, economic advantages, and possibly destructive effects. More recently, APT actors have also developed tools for scanning, compromising, and controlling targeted OT devices.”

CISA and the NSA noted that threat actors typically follow the following steps to execute attacks against critical infrastructure control systems:

1. Establish intended effect and select a target.
2. Collect intelligence about the target system.
3. Develop techniques and tools to navigate and manipulate the system.
4. Gain initial access to the system.
5. Execute techniques and tools to create the intended effect.

READ MORE: 6 Healthcare Cybersecurity, Operational Strategies For Successful CISOs

“Leveraging specific expertise and network knowledge, malicious actors such as nation-state actors can conduct these steps in a coordinated manner, sometimes concurrently and repeatedly, as illustrated by real world cyber activity,” the advisory continued, citing an observed attack against Ukrainian critical infrastructure and multiple intrusion attempts by state-sponsored Russian cyber actors against the US energy sector.

The advisory also provided detailed explanations of each of the 5 steps.

Mitigation Tactics

“The complexity of balancing network security with performance, features, ease-of-use, and availability can be overwhelming for owner/operators. This is especially true where system tools and scripts enable ease-of-use and increase availability or functionality of the control network; and when equipment vendors require remote access for warranty compliance, service obligations, and financial/billing functionality,” the advisory explained.

“However, with the increase in targeting of OT/ICS by malicious actors, owner/operators should be more cognizant of the risks when making these balancing decisions. Owner/operators should also carefully consider what information about their systems needs to be publicly available and determine if each external connection is truly needed.”

The advisory also noted that the proliferation of available security solutions may be overwhelming for ICS and OT operators, “resulting in choice paralysis.”

READ MORE: HC3 Alerts Healthcare Sector of Monkeypox-Themed Phishing Scheme

CISA and the NSA recommended that organizations employ a few simple strategies to mitigate realistic threats. For example, organizations should focus on limiting the exposure of system information and avoid disclosing information about system hardware, firmware, or software whenever possible.

“Share only the data necessary to comply with applicable legal requirements, such as those contractually required by vendors—nothing more,” the advisory stressed.

In addition, owners and operators should identify and secure remote access points, limit access to control system and network application tools and scripts, and conduct regular security audits. Lastly, the advisory recommended that organizations implement a dynamic network environment by periodically making manageable network changes such as modifying IP address pools or upgrading operating systems.

However, the agencies acknowledged that it “may be unrealistic for many OT/ICS environments to make regular non-critical changes.” Even so, small periodic changes can go a long way.

“The combination of integrated, simplified tools and remote accesses creates an environment ripe for malicious actors to target control systems networks. New IT-enabled accesses provide cyber actors with a larger attack surface into cyber-physical environments,” the advisory concluded.

“It is vital for OT/ICS defenders to anticipate the TTPs of cyber actors combining IT expertise with engineering know-how. Defenders can employ the mitigations listed in this advisory to limit unauthorized access, lock down tools and data flows, and deny malicious actors from achieving their desired effects.”