This blog was updated March 5, 2020.
The U.S. Department of Homeland Security (DHS) has issued a National Terrorism Advisory bulletin warning of a potential cyberattack by Iran in the wake of a U.S. drone attack that killed a senior Iranian military commander.
The advisory notes that there is currently no information about a specific, credible threat to the U.S.; however, DHS warns that Iran maintains a robust cyber program and “is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States.”
It’s Time to Perform a Cyber Security Health Check
The DHS Advisory urges proactive preparations including “basic cyber hygiene”.
We couldn’t agree more. Based on many years of helping critical infrastructure increase its cyber resiliency, we know that a few simple steps can make all the difference in protecting an organization against operational disruptions.
We discussed the potential threat today with Nozomi Networks Advisor and former Under Secretary for the National Protection and Programs Directorate (NPPD) at the U.S. Department of Homeland Security (DHS), Suzanne Spaulding.
“Iran has already demonstrated intent and capability to attack inside the U.S. as well as a high tolerance for escalating risk, specifically during the 2011 plot to assassinate the Saudi Ambassador to the U.S. Therefore, current risk of escalatory action by Iran is particularly high, given that ‘red lines’ are not clearly defined in cyberspace and the Iranian government will be under intense internal pressure to take strong action.”
Suzanne Spaulding, Nozomi Networks Advisor
At this time, critical infrastructure organizations including energy, transportation, water, manufacturing, communications, and other services that support everyday life, should be particularly vigilant with respect to their standard cyber security practices for operational assets.
We suggest performing a cybersecurity health check, following best practices, such as:
- Ensure that your assets are running vendor-supported software/firmware versions with current security patches applied. In OT environments, validate patches in a test environment before deploying them to production systems.
- Apply a health-check on your network infrastructure. Ensure that correct network segregation and firewall policies are in place: OT networks separated from IT and the Internet, and firewall rules permitting only the traffic that operations actually require.
- Apply a health-check on your SIEM solution and complementary systems (Anti-Virus, IDS, etc.). Ensure that all the nodes are monitored and that there are no anomalies in the network traffic.
- Sanitize access and authorization. Verify that proper authentication schemes and policies are used (2FA, strong passwords), that stale accounts and credentials are removed, and that unused or expired digital certificates are revoked and replaced.
- Remain vigilant against suspicious emails or external devices that are allowed in your environment (USB, mobile phones, etc.).
- Maintain a robust security awareness program for the employees of the organization. Establish periodic training sessions and ensure that employees at every level of the organization are participating.
- Revisit your business continuity plan. Confirm that, in case of a successful cyber-attack, proper backup schemes and recovery policies are in place, and that backups have actually been tested by restoring from them.
We also suggest leveraging security tools that provide broad operational visibility, continual network monitoring, and detection of system anomalies. The current situation demands renewed scrutiny around unusual activity, and immediate investigation of possible incidents.
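The "no anomalies in the network traffic" check in the list above, and the continual monitoring recommended here, both rest on the same idea: learn what normal OT traffic looks like, then flag conversations that deviate from it. The script below is an added example written for this page, not Nozomi Networks code and not how the Guardian product works internally. The hosts, addresses, ports and byte counts are constructed; the 10.1.0.0/24 "internal" prefix and the 5x volume threshold are assumptions for illustration.

```python
"""Baseline-and-deviation check over OT network flow records.

Added example, not Nozomi Networks code. All flow records below are
constructed for illustration; hosts, ports and byte counts are hypothetical.
"""
from collections import defaultdict
from statistics import mean

# Constructed learning-period flows: (src, dst, dst_port, proto, bytes).
# Roles are assumed: .10 HMI, .20 historian, .30 engineering workstation,
# .50/.51 PLCs (Modbus/TCP on 502, DNP3 on 20000).
BASELINE_FLOWS = [
    ("10.1.0.10", "10.1.0.50", 502, "tcp", 1200),    # HMI -> PLC (Modbus/TCP)
    ("10.1.0.10", "10.1.0.50", 502, "tcp", 1100),
    ("10.1.0.10", "10.1.0.51", 502, "tcp", 1300),
    ("10.1.0.20", "10.1.0.50", 20000, "tcp", 800),   # historian -> PLC (DNP3)
    ("10.1.0.20", "10.1.0.51", 20000, "tcp", 900),
    ("10.1.0.30", "10.1.0.10", 3389, "tcp", 5000),   # eng. workstation -> HMI (RDP)
]

# Constructed observation-period flows to check against the baseline.
OBSERVED_FLOWS = [
    ("10.1.0.10", "10.1.0.50", 502, "tcp", 1150),     # normal
    ("10.1.0.20", "10.1.0.50", 20000, "tcp", 9000),   # volume spike on a known conversation
    ("10.1.0.99", "10.1.0.50", 502, "tcp", 400),      # never-seen host talking Modbus to a PLC
    ("10.1.0.10", "10.1.0.50", 22, "tcp", 300),       # known hosts, new service (SSH)
    ("10.1.0.10", "203.0.113.7", 443, "tcp", 2000),   # HMI talking to an outside address
]

OT_PREFIX = "10.1.0."  # assumed OT subnet; anything else is treated as external


def learn_baseline(flows):
    """Return (known_hosts, conversation -> mean bytes) from learning-period flows."""
    hosts = set()
    volume = defaultdict(list)
    for src, dst, port, proto, nbytes in flows:
        hosts.update((src, dst))
        volume[(src, dst, port, proto)].append(nbytes)
    return hosts, {conv: mean(v) for conv, v in volume.items()}


def is_internal(ip, prefix=OT_PREFIX):
    """Crude subnet test; a real deployment would use ipaddress.ip_network."""
    return ip.startswith(prefix)


def find_anomalies(observed, hosts, conv_mean, spike_factor=5.0):
    """Flag flows that deviate from the learned baseline.

    Checks are ordered most- to least-specific so each flow gets one reason:
    egress to outside the OT subnet, an unknown host, a new conversation
    between known hosts, then a byte-count spike on a known conversation.
    Returns a list of (reason, flow) tuples in observed order.
    """
    findings = []
    for flow in observed:
        src, dst, port, proto, nbytes = flow
        conv = (src, dst, port, proto)
        if not is_internal(dst):
            findings.append(("egress to external network", flow))
        elif src not in hosts or dst not in hosts:
            findings.append(("new host on OT network", flow))
        elif conv not in conv_mean:
            findings.append(("new conversation between known hosts", flow))
        elif nbytes > spike_factor * conv_mean[conv]:
            findings.append(("volume spike on known conversation", flow))
    return findings


if __name__ == "__main__":
    known_hosts, baseline = learn_baseline(BASELINE_FLOWS)
    for reason, flow in find_anomalies(OBSERVED_FLOWS, known_hosts, baseline):
        print(f"{reason:40s} {flow}")
```

The check order matters: the external-destination test runs first, otherwise an outbound connection from an HMI would be reported only as "new host" and the more important fact, that an operational asset is reaching outside the OT network, would be lost. Run against the constructed data, the normal Modbus poll passes and the other four flows are each reported once. In practice the baseline should be learned over a long enough window to cover maintenance and shift cycles, and every finding should be triaged as a possible incident rather than auto-suppressed.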
Nozomi Networks Labs: Defending Critical Infrastructure Against Cyber Risks
The Nozomi Networks Labs team works with a broad range of security experts and leading institutions to find new and better ways to improve industrial cybersecurity.
Similar to our recommendations for all critical infrastructure organizations, Nozomi Networks Labs is continually monitoring for emerging threats. For example, our Threat Intelligence service, which is produced and curated by the Labs team, delivers up-to-date threat intelligence to the Nozomi Networks Guardian solution, making it easy to detect threats and vulnerabilities within OT and IoT environments.
“A critical part of neutralizing threats before they can migrate to operational systems, or between IT and OT networks, involves early warning. We can’t stress enough the importance of continuous monitoring, not just when these kinds of advisories are raised. Otherwise it may be too late to contain the enemy already in your network.”
Moreno Carullo, Co-founder and Chief Technical Officer
Nozomi Networks is committed to keeping our customers informed should new information on the potential cyberattack become available. The Nozomi Networks Labs team and field support staff are also on standby should clients need assistance.