Answering NSA / CISA Call for Action to Reduce Exposure Across OT and Control Systems


The National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) recently issued an Alert (AA20-205A). It urges all Department of Defense (DoD), National Security Systems (NSS), Defense Industrial Base (DIB), and U.S. critical infrastructure facilities to take immediate action to secure their operational technology (OT) assets.

According to the alert, internet-accessible OT assets are becoming more prevalent across the 16 U.S. critical infrastructure (CI) sectors, yet the security of legacy OT systems has failed to keep up. Combined with readily available information that helps threat actors quickly recognize internet-connected OT assets, you’ve got a “perfect storm” of:

  • easy access to unsecured assets
  • use of common, open-source information about devices, and
  • an extensive list of exploits deployable via common exploit frameworks

Exploiting OT Assets Via the Internet

It’s no surprise that IoT and internet-based access to OT networks are being adopted rapidly. Faced with the COVID-19 pandemic, critical infrastructure organizations have become heavily reliant on remote access to and monitoring of operations to accommodate a decentralized workforce and facilitate the outsourcing of key skills. At the same time, foreign adversaries are increasing their attack capabilities and activity; read more about rising threats in the Nozomi Networks OT/IoT Security Report.

According to the NSA/CISA Alert, cyber threat actors continue to demonstrate their willingness to exploit internet-accessible OT assets to conduct malicious activity against critical infrastructure.

The Alert notes half a dozen recently observed tactics, techniques and procedures that have the potential to cause loss of network visibility and availability, loss of productivity and revenue, and disruption of physical processes. The list of observed threat activities follows and is mapped to the MITRE Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) for Industrial Control Systems (ICS) framework:

  • Spearphishing [T1192] to obtain initial access to the organization’s information technology (IT) network before pivoting to the OT network
  • Deployment of commodity ransomware to Encrypt Data for Impact [T1486] on both networks
  • Connecting to Internet Accessible PLCs [T883] requiring no authentication for initial access
  • Utilizing Commonly Used Ports [T885] and Standard Application Layer Protocols [T869] to communicate with controllers and download modified control logic
  • Use of vendor engineering software and Program Downloads [T843]
  • Modifying Control Logic [T833] and Parameters [T836] on PLCs

Take Action Now to Secure Critical Infrastructure

The Alert immediately urges DoD, NSS, DIB, and U.S. critical infrastructure facilities to take action to secure their OT assets and mitigate risk, including:

  • Creating a resilience plan for OT
  • Exercising your incident response plan
  • Hardening your network
  • Immediately creating an accurate “as-operated” OT network map
  • Understanding and evaluating cyber risk on “as-operated” OT assets
  • Implementing a continuous and vigilant system monitoring program

While this Alert raises serious concerns about the growing threat to critical infrastructure, the good news is that many industry-leading critical infrastructure organizations are already aggressively defending their systems, having taken early steps to leverage innovative network visibility and security solutions for better protection. As an example, the Nozomi Networks OT/IoT solution supports over 3.6 million devices in over 2,400 installations across energy, manufacturing, mining, transportation, utilities, building automation, smart cities and critical infrastructure. Read the case studies here.

Our products span IT, OT and IoT to automate the hard work of inventorying, visualizing and monitoring industrial control networks. We can help you take immediate action to create and maintain an OT network map and understand any cyber risks related to “as-operated” OT assets. The solution continuously monitors your network assets for cyber threats and anomalies and identifies the tactics and techniques involved with reference to the MITRE ATT&CK for ICS framework.

Asset Discovery and Network Visualization functionalities create a dynamic, detailed OT infrastructure map that provides the foundation for understanding all the OT devices and potential cyber risks on your network. Passive monitoring identifies IP addresses, device types and roles, serial numbers, firmware versions and components for all devices communicating on the network.

Figure: Single Asset View with extensive information.

Network Visualization provides instant awareness of the activity on your OT network, including the protocols used, traffic throughput, TCP connections, and connections with external systems and remote access users.

Figure: Portion of the interactive Network Visualization Graph.
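The passive inventory and external-connection awareness described above can be illustrated with a small script. This is an added example, not Nozomi Networks code: it consumes constructed flow records (the kind a passive sensor would produce from a SPAN port), infers device roles from the industrial protocol ports each device serves, attaches identity fields that a protocol dissector would have extracted, and lists every connection between a non-plant address and a plant asset. The address ranges, port-to-protocol table and sample flows are all assumptions made for the example.

```python
"""Passive OT asset inventory from constructed flow records (added example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Well-known industrial protocol ports used to infer a device's role from
# the traffic it serves (server side = destination port of the flow).
OT_SERVER_PORTS = {
    502: "modbus-tcp",
    102: "s7comm",
    20000: "dnp3",
    44818: "ethernet-ip",
    4840: "opc-ua",
}
# Remote-access ports worth tracking separately on an OT network.
REMOTE_ACCESS_PORTS = {22: "ssh", 3389: "rdp", 5900: "vnc"}

# Plant address space assumed for this example (constructed).
INTERNAL_NETS = [ip_network("10.20.0.0/16")]

# Constructed flow records. vendor/model/firmware stand for fields a
# dissector would extract from a device-identification reply.
SAMPLE_FLOWS = [
    {"src": "10.20.1.50", "dst": "10.20.2.10", "dport": 502, "bytes": 1200,
     "vendor": "ExampleVendor", "model": "PLC-X", "firmware": "2.1.0"},
    {"src": "10.20.1.50", "dst": "10.20.2.11", "dport": 102, "bytes": 800,
     "vendor": "ExampleVendor", "model": "PLC-Y", "firmware": "4.0.2"},
    {"src": "10.20.1.51", "dst": "10.20.2.10", "dport": 502, "bytes": 300},
    {"src": "203.0.113.7", "dst": "10.20.1.50", "dport": 3389, "bytes": 5000},
    {"src": "10.20.2.10", "dst": "10.20.1.50", "dport": 49152, "bytes": 900},
]


def is_internal(ip):
    """True when the address falls inside the assumed plant ranges."""
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def build_inventory(flows):
    """Return {ip: asset}. Roles come from served ports; identity fields
    come from dissector output attached to the flow record."""
    inv = defaultdict(lambda: {"roles": set(), "talks_to": set(),
                               "vendor": None, "model": None,
                               "firmware": None, "internal": None})
    for f in flows:
        src, dst = f["src"], f["dst"]
        for ip in (src, dst):
            inv[ip]["internal"] = is_internal(ip)
        inv[src]["talks_to"].add(dst)
        inv[dst]["talks_to"].add(src)
        proto = OT_SERVER_PORTS.get(f["dport"])
        if proto:
            inv[dst]["roles"].add(f"{proto}-server")
            inv[src]["roles"].add(f"{proto}-client")
        remote = REMOTE_ACCESS_PORTS.get(f["dport"])
        if remote:
            inv[dst]["roles"].add(f"{remote}-target")
        for key in ("vendor", "model", "firmware"):
            if f.get(key):
                inv[dst][key] = f[key]
    return dict(inv)


def external_connections(inventory):
    """Sorted (external_ip, internal_ip) pairs where a non-plant address
    talks to a plant asset; these are the links to review first."""
    pairs = set()
    for ip, asset in inventory.items():
        if asset["internal"]:
            continue
        for peer in asset["talks_to"]:
            if inventory[peer]["internal"]:
                pairs.add((ip, peer))
    return sorted(pairs)


if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_FLOWS)
    for ip, asset in sorted(inventory.items()):
        print(ip, sorted(asset["roles"]), asset["model"], asset["firmware"])
    print("external connections:", external_connections(inventory))
```

Roles are derived only from the destination port, so a host that merely scans port 502 would also be labelled a Modbus client; in practice a sensor would confirm the role from a completed protocol exchange before recording it.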

Vulnerability Assessment and Risk Monitoring passively monitor your network and use continuously updated threat intelligence to prioritize security and reliability alerts, missing patches and vulnerabilities. They ensure you know the most significant threats facing your network and are aware of any activity that doesn’t comply with regulatory guidelines. The assessment uses the U.S. government’s National Vulnerability Database (NVD) for standardized naming, description and scoring of vulnerabilities, which allows efficient prioritization and fast integration with response and mitigation workflows.

Figure: List showing vulnerabilities for a facility’s assets.
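The matching step behind such a vulnerability list, as an added example that is not Nozomi Networks code: an inventory of identified devices is compared against advisory records shaped like NVD configuration entries (vendor, product, `versionStartIncluding`, `versionEndExcluding`, CVSS score), and the findings are ordered so that internet-exposed assets with the highest scores come first. The advisory identifiers, products, version ranges and scores are constructed placeholders, not real CVEs.

```python
"""Match an OT asset inventory against NVD-style advisory records (added example)."""
from dataclasses import dataclass


def parse_version(text):
    """'2.1.0' -> (2, 1, 0); tuples compare component by component."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class Advisory:
    adv_id: str               # placeholder identifier, not a real CVE number
    vendor: str               # lower-cased, as in a CPE vendor field
    product: str              # lower-cased, as in a CPE product field
    version_start_inc: str    # NVD versionStartIncluding
    version_end_exc: str      # NVD versionEndExcluding
    cvss: float
    summary: str


# Constructed advisories shaped like NVD configuration entries.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "examplevendor", "plc-x", "2.0.0", "2.3.0", 9.8,
             "unauthenticated logic download"),
    Advisory("ADV-EXAMPLE-002", "examplevendor", "plc-x", "1.0.0", "2.1.0", 5.3,
             "information disclosure"),
    Advisory("ADV-EXAMPLE-003", "examplevendor", "plc-y", "4.0.0", "4.0.1", 7.5,
             "denial of service"),
    Advisory("ADV-EXAMPLE-004", "examplevendor", "plc-y", "4.0.0", "5.0.0", 6.5,
             "weak session handling"),
]

# Constructed inventory, as passive identification would have produced it.
# "exposed" records whether the asset was seen talking to non-plant addresses.
INVENTORY = {
    "10.20.2.10": {"vendor": "ExampleVendor", "model": "PLC-X",
                   "firmware": "2.1.0", "exposed": True},
    "10.20.2.11": {"vendor": "ExampleVendor", "model": "PLC-Y",
                   "firmware": "4.0.2", "exposed": False},
}


def affected(adv, asset):
    """True when the asset's product and firmware fall inside the advisory range."""
    if adv.vendor != asset["vendor"].lower() or adv.product != asset["model"].lower():
        return False
    firmware = parse_version(asset["firmware"])
    return (parse_version(adv.version_start_inc) <= firmware
            < parse_version(adv.version_end_exc))


def assess(inventory, advisories):
    """Return findings ordered by priority: exposed assets first, then by CVSS."""
    findings = []
    for ip, asset in inventory.items():
        for adv in advisories:
            if affected(adv, asset):
                findings.append({"ip": ip, "adv": adv.adv_id, "cvss": adv.cvss,
                                 "exposed": asset["exposed"],
                                 "summary": adv.summary})
    findings.sort(key=lambda f: (not f["exposed"], -f["cvss"]))
    return findings


if __name__ == "__main__":
    for finding in assess(INVENTORY, ADVISORIES):
        print(finding)
```

The half-open range check mirrors how NVD expresses `versionEndExcluding`: a device running exactly the fixed version is not reported. Real firmware strings are not always dotted integers, so a production matcher needs a vendor-aware version parser rather than the simple split used here.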

MITRE ATT&CK for ICS Framework

To speed and simplify incident response, Nozomi Networks incorporates the MITRE ATT&CK for ICS framework terminology into its detection and alerting capabilities. This provides immediate context for any specific activity detected because it locates every behavior in the overall attack chain, reducing the need for additional research to understand the significance of the behavior.

Comprehensive alerts detected through continuous monitoring include MITRE ATT&CK links to all specific tactics and techniques used in malicious or suspicious activity, such as:

  • A “Firmware Change” alert that identifies the behavior as a Persistence tactic / System Firmware technique (T857), or as an Inhibit Response Function tactic / System Firmware technique (T857)
Figure: Example of a “Firmware Change” alert showing source and destination details, plus an attack analysis.

  • An “OT Device Stop Request” alert that identifies the behavior as an Execution tactic / Change Program State technique (T875), or as an Impair Process Control tactic / Change Program State technique (T875)
Figure: Example of an “OT Device Stop Request” suspicious-activity alert including details and attack analysis.
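How continuous monitoring turns a control operation into an alert carrying the ATT&CK for ICS context listed above, as an added example that is not Nozomi Networks code: a learning phase records which (source, destination, operation) combinations are normal, the monitoring phase flags any combination not seen before, and flagged operations are enriched with the tactic/technique pairs the post gives for the “Firmware Change” and “OT Device Stop Request” alerts. The event records, the operation names a dissector would emit, and the mapping from operation to alert type are constructed for the example.

```python
"""Baseline-and-deviation detection of control operations with
MITRE ATT&CK for ICS enrichment (added example)."""

# Tactic / technique context as listed in the post for the two alert types.
ATTACK_CONTEXT = {
    "Firmware Change": [
        ("Persistence", "System Firmware", "T857"),
        ("Inhibit Response Function", "System Firmware", "T857"),
    ],
    "OT Device Stop Request": [
        ("Execution", "Change Program State", "T875"),
        ("Impair Process Control", "Change Program State", "T875"),
    ],
}

# Tactics whose presence makes an alert high severity (constructed policy).
HIGH_SEVERITY_TACTICS = {"Inhibit Response Function", "Impair Process Control"}

# Which dissected operation produces which alert (constructed mapping).
OPERATION_TO_ALERT = {
    "firmware_write": "Firmware Change",
    "cpu_stop": "OT Device Stop Request",
}

# Constructed events: (phase, src, dst, operation). Learning-phase events
# define what is normal; monitoring-phase events are judged against it.
EVENTS = [
    ("learn", "10.20.1.50", "10.20.2.10", "read_holding_registers"),
    ("learn", "10.20.1.50", "10.20.2.10", "write_single_register"),
    ("learn", "10.20.1.50", "10.20.2.11", "read_szl"),
    ("monitor", "10.20.1.50", "10.20.2.10", "read_holding_registers"),
    ("monitor", "10.20.1.51", "10.20.2.10", "cpu_stop"),
    ("monitor", "10.20.1.50", "10.20.2.11", "firmware_write"),
    ("monitor", "10.20.1.52", "10.20.2.10", "read_holding_registers"),
]


def learn_baseline(events):
    """Set of (src, dst, operation) tuples observed during the learning phase."""
    return {(src, dst, op) for phase, src, dst, op in events if phase == "learn"}


def severity_for(attack_context):
    """High when any mapped tactic can inhibit response or impair control."""
    if any(tactic in HIGH_SEVERITY_TACTICS for tactic, _, _ in attack_context):
        return "high"
    return "medium" if attack_context else "low"


def detect(events, baseline):
    """Flag monitoring-phase tuples absent from the baseline and enrich
    each with its alert type, ATT&CK for ICS context and a severity."""
    alerts = []
    for phase, src, dst, op in events:
        if phase != "monitor" or (src, dst, op) in baseline:
            continue
        name = OPERATION_TO_ALERT.get(op, "New Communication")
        context = ATTACK_CONTEXT.get(name, [])
        alerts.append({"src": src, "dst": dst, "operation": op, "alert": name,
                       "attack": context, "severity": severity_for(context)})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, learn_baseline(EVENTS)):
        print(alert["severity"].upper(), alert["alert"], alert["src"], "->",
              alert["dst"], [t[2] for t in alert["attack"]])
```

The baseline is keyed on the operation as well as the endpoints, so an engineering workstation that normally reads registers is still flagged the first time it issues a stop request. The learning window must itself be trusted: an operation captured during learning becomes “normal”, which is why the post pairs monitoring with an accurate as-operated network map.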

Enabling Immediate Action

New security controls on your OT network can be up and running in a matter of days because Nozomi Networks offers a wide variety of virtual, cloud and on-premises deployment options along with asset and threat intelligence services. Our new subscription licensing gives critical infrastructure facilities the ability to deploy the cybersecurity solutions immediately. NSA/CISA has raised the alert; now is the time to protect your OT network and the critical operations that rely upon it.