NSA Insights: Malicious Cyber Activity on Connected, IT Operational Tech

May 03, 2021 - On Thursday, the NSA unveiled guidance designed to support the defense of malicious cyber activity on targeted, connected operational tech (OT). Although aimed at federal agencies, private sector entities can leverage the insights to bolster their overall security posture.

The guidance joins other insights supporting the response and hopeful prevention of another SolarWinds Orion security incident. In the past few months, federal leaders released guides for defending against supply-chain attacks, advanced persistent threats, and vulnerability exploits.

Given that one IT exploit can allow an attacker to pivot into an exploit of operational tech, the latest NSA guide, provides system administrators with insights on evaluating systems risks and ways to improve the security of connections between OT and enterprise networks.

OT tech includes hardware and software that supports operations of infrastructure environments.According to the NSA, “carefully evaluating the risk of connectivity between IT and OT systems is necessary to ensure unique cybersecurity requirements are met.”

“Each IT-OT connection increases the potential attack surface,” officials explained. “To prevent dangerous results from OT exploitation, OT operators and IT system administrators should ensure only the most imperative IT-OT connections are allowed, and that these are hardened to the greatest extent possible.”

“An example of this type of threat includes recent adversarial exploitation of IT management software and its supply chain in the SolarWinds compromise with publicly documented impacts to OT, including U.S. critical infrastructure,” they added.

The insights provides administrators with pragmatic, evaluation methodology that assesses OT and control system cybersecurity to ensure the success of enterprise security. The guide also includes the necessary resources to accomplish these security goals.

Administrators are encouraged to evaluate IT and OT connectivity value against risk and costs. The review should determine what connections are truly needed, to determine if any can be disconnected to reduce the risk to OT systems and functions.

The NSA also recommended leaders take steps to improve overall cybersecurity for OT networks for when the IT-OT connectivity is deemed mission critical. Administrators should mitigate risks of IT-OT exploitation pathways, for connections that are deemed necessary.

Possible mitigations could include the complete management of all IT-OT connections, as well as limiting access, actively monitoring and logging all access attempts, and cryptographically protecting remote access vectors.

The guide breaks down evaluation steps to analyze and assess potential risks of connecting the IT system to the OT environment, including insights for quantifying the increased costs associated with additional risks posed by connecting existing OT networks and devices to the enterprise network.

Administrators will also find best practices for securing all access vectors, as well as insights into assessing and prioritizing OT network cybersecurity needs to identify required mitigations and define cyber-hardening outcomes over time.

For healthcare, with a vast number of connected devices and struggles with inventory and patch management, the insights can support administrators with tackling the critical, time-consuming process.

“Every IT-OT connection creates an additional vector for potential OT exploitation that could impact and compromise mission and/or production,” NSA officials concluded. “Performing a comprehensive risk analysis for all IT-OT interconnections and only allowing mission critical interconnections when they are properly protected will create an improved cybersecurity posture.”

“By employing an appropriate risk analysis strategy, leadership and system owners and operators can make informed decisions to better manage OT networks while reducing the threats from and impact of exploitation and destructive cyber effects,” they added.