The National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) recently issued an Alert (AA20-205A). It urges all Department of Defense (DoD), National Security Systems (NSS), Defense Industrial Base (DIB), and U.S. critical infrastructure facilities to take immediate action to secure their operational technology (OT) assets.
According to the alert, internet-accessible OT assets are becoming more prevalent across the 16 U.S. critical infrastructure (CI) sectors, yet the security of legacy OT systems has failed to keep up. Combined with readily available information that helps threat actors quickly recognize OT assets connected via the internet, you’ve got a “perfect storm” of:
- easy access to unsecured assets
- use of common, open-source information about devices, and
- an extensive list of exploits deployable via common exploit frameworks
Exploiting OT Assets Via the Internet
It’s no surprise that IoT and internet-based access to OT networks are experiencing rapid adoption. Faced with the COVID-19 pandemic, critical infrastructure organizations have become heavily reliant on remote access to, and monitoring of, operations to accommodate a decentralized workforce and to facilitate the outsourcing of key skills. At the same time, foreign adversaries are increasing their attack capabilities and activity – read more about rising threats in the Nozomi Networks OT/IoT Security Report.
According to the NSA/CISA Alert, cyber threat actors continue to demonstrate their willingness to exploit internet-accessible OT assets to conduct malicious activity against critical infrastructure.
The Alert notes half a dozen recently observed tactics, techniques and procedures that have the potential to cause loss of network visibility and availability, loss of productivity and revenue, and disruption of physical processes. The list of observed threat activities follows and is mapped to the MITRE Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) for Industrial Control Systems (ICS) framework:
- Spearphishing [T1192] to obtain initial access to the organization’s information technology (IT) network before pivoting to the OT network
- Deployment of commodity ransomware to Encrypt Data for Impact [T1486] on both networks
- Connecting to Internet Accessible PLCs [T883] requiring no authentication for initial access
- Utilizing Commonly Used Ports [T885] and Standard Application Layer Protocols [T869] to communicate with controllers and download modified control logic
- Use of vendor engineering software and Program Downloads [T843]
- Modifying Control Logic [T833] and Parameters [T836] on PLCs
Take Action Now to Secure Critical Infrastructure
The Alert immediately urges DoD, NSS, DIB, and U.S. critical infrastructure facilities to take action to secure their OT assets and mitigate risk, including:
- Creating a resilience plan for OT
- Exercising your incident response plan
- Hardening your network
- Immediately creating an accurate “as-operated” OT network map
- Understanding and evaluating cyber risk on “as-operated” OT assets
- Implementing a continuous and vigilant system monitoring program
While this Alert raises serious concerns about the growing threat to critical infrastructure, the good news is that many industry-leading critical infrastructure organizations are already aggressively defending their systems, having taken early steps to leverage innovative network visibility and security solutions for better protection. As an example, the Nozomi Networks OT/IoT solution supports over 3.6 million devices in over 2,400 installations across energy, manufacturing, mining, transportation, utilities, building automation, smart cities and critical infrastructure. Read the case studies here.
Our products span IT, OT and IoT to automate the hard work of inventorying, visualizing and monitoring industrial control networks. We can help you take immediate action to create and maintain an OT network map and understand any cyber risks related to “as-operated” OT assets. The solution continuously monitors your network assets for cyber threats and anomalies and identifies techniques and tactics referencing the MITRE ATT&CK for ICS framework.
Asset Discovery and Network Visualization functionalities create a dynamic, detailed OT infrastructure map that provides the foundation for understanding all the OT devices and potential cyber risks on your network. Passive monitoring identifies IP addresses, device types and roles, serial numbers, firmware versions and components for all devices communicating on the network.
Network Visualization provides instant awareness of the activity on your OT network, including the protocols used, traffic throughput, TCP connections, and connections with external systems and remote access users.
Vulnerability Assessment and Risk Monitoring passively monitor your network, using continuously updated threat intelligence to prioritize security and reliability alerts, missing patches and vulnerabilities. They ensure you know the most significant threats facing your network and are aware of any activity that doesn’t comply with regulatory guidelines. The assessment uses the U.S. government’s National Vulnerability Database (NVD) for standardized naming, description and scoring of vulnerabilities, which allows efficient prioritization and fast integration with response and mitigation workflows.
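The asset discovery, network visualization and vulnerability assessment steps described above, as an added example that is not Nozomi Networks code: it builds a per-device map from constructed flow records (what a passive sensor would summarize from a SPAN/TAP feed), records which internal devices have exchanged traffic with addresses outside the configured plant ranges, flags controllers reached from outside on an ICS port (the internet-accessible-PLC pattern the Alert maps to T883 and T885), and ranks constructed NVD-style records against the inventoried models and firmware by CVSS score with exposed devices first. The internal address ranges, the port-to-protocol table, the device models, firmware strings and the placeholder CVE ids are all assumptions made for the example.

```python
"""Passive OT asset inventory, exposure check and vulnerability prioritization.

Added example, not Nozomi Networks code. All flows, devices and CVE records
below are constructed; no real traffic, products or CVE ids are used.
"""
import ipaddress
from collections import defaultdict

# Assumption: the plant's internal address ranges are configured by the operator.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Assumption: protocol is inferred from the well-known listener port only;
# a real passive sensor dissects the payload instead.
ICS_PORTS = {502: "Modbus/TCP", 102: "S7comm", 44818: "EtherNet/IP", 20000: "DNP3"}

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes).
FLOWS = [
    ("10.1.0.10", "10.1.0.50", 502, 1200),     # HMI -> PLC, Modbus
    ("10.1.0.10", "10.1.0.51", 102, 800),      # HMI -> PLC, S7
    ("203.0.113.7", "10.1.0.50", 502, 300),    # outside host -> PLC (exposure)
    ("10.1.0.20", "198.51.100.9", 443, 5000),  # workstation -> outside HTTPS
    ("10.1.0.10", "10.1.0.50", 502, 900),
]

# Constructed identification data a sensor would learn from traffic (made up).
DEVICE_FACTS = {
    "10.1.0.50": {"model": "PLC-A", "firmware": "2.1"},
    "10.1.0.51": {"model": "PLC-B", "firmware": "3.0"},
}

# Constructed NVD-style records with placeholder ids (not real CVEs).
CVE_RECORDS = [
    {"id": "CVE-PLACEHOLDER-0001", "model": "PLC-A", "fixed_in": "2.2", "cvss": 9.8},
    {"id": "CVE-PLACEHOLDER-0002", "model": "PLC-B", "fixed_in": "2.0", "cvss": 7.5},
    {"id": "CVE-PLACEHOLDER-0003", "model": "PLC-B", "fixed_in": "3.1", "cvss": 5.3},
]


def is_external(ip):
    """True when the address lies outside every configured internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def build_inventory(flows):
    """Aggregate flows into the as-operated map: for each internal device its
    roles, ICS protocols, external peers and ICS ports reached from outside."""
    inv = defaultdict(lambda: {"roles": set(), "protocols": set(),
                               "external_peers": set(), "exposed_ports": set()})
    for src, dst, port, _ in flows:
        proto = ICS_PORTS.get(port)
        if not is_external(src):             # internal initiator
            e = inv[src]
            if proto:
                e["roles"].add("client")
                e["protocols"].add(proto)
            if is_external(dst):
                e["external_peers"].add(dst)
        if not is_external(dst):             # internal responder
            e = inv[dst]
            if proto:
                e["roles"].add("controller")
                e["protocols"].add(proto)
            if is_external(src):
                e["external_peers"].add(src)
                if proto:                    # ICS listener reached from outside
                    e["exposed_ports"].add(port)
    return dict(inv)


def exposure_findings(inv):
    """Controllers reached from outside on an ICS port: the pattern the Alert
    maps to T883 (Internet Accessible Device) and T885 (Commonly Used Port)."""
    return [{"device": ip, "ports": sorted(e["exposed_ports"]),
             "peers": sorted(e["external_peers"]), "techniques": ["T883", "T885"]}
            for ip, e in inv.items() if e["exposed_ports"]]


def version_tuple(v):
    """'2.10' -> (2, 10), so firmware versions compare numerically."""
    return tuple(int(x) for x in v.split("."))


def prioritize_vulns(inv, facts, records):
    """Match records to inventoried model/firmware and rank by CVSS score,
    listing externally reachable devices first."""
    hits = []
    for ip, f in facts.items():
        exposed = bool(inv.get(ip, {}).get("exposed_ports"))
        for r in records:
            if (r["model"] == f["model"]
                    and version_tuple(f["firmware"]) < version_tuple(r["fixed_in"])):
                hits.append({"device": ip, "cve": r["id"],
                             "cvss": r["cvss"], "exposed": exposed})
    return sorted(hits, key=lambda h: (h["exposed"], h["cvss"]), reverse=True)


if __name__ == "__main__":
    inventory = build_inventory(FLOWS)
    for ip, e in sorted(inventory.items()):
        print(ip, sorted(e["roles"]), sorted(e["protocols"]), sorted(e["external_peers"]))
    print("exposed controllers:", exposure_findings(inventory))
    print("prioritized vulns:", prioritize_vulns(inventory, DEVICE_FACTS, CVE_RECORDS))
```

Running the block lists the HMI as a Modbus/S7 client, both PLCs as controllers, the workstation's outbound HTTPS conversation as an external peer, and reports the one PLC reached from outside on port 502 as the exposed controller; that same PLC's outstanding record then sorts to the top of the vulnerability list ahead of a higher-numbered but unexposed device.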
MITRE ATT&CK for ICS Framework
To speed and simplify incident response, Nozomi Networks incorporates the MITRE ATT&CK for ICS framework terminology into its detection and alerting capabilities. This provides immediate context for any specific activity detected because it locates every behavior in the overall attack chain, reducing the need for additional research to understand the significance of the behavior.
Comprehensive alerts detected through continuous monitoring include MITRE ATT&CK links to all specific tactics and techniques used in malicious or suspicious activity, such as:
- A “Firmware Change” alert that identifies the behavior as a Persistence tactic / System Firmware technique (T857), or as an Inhibit Response Function tactic / System Firmware technique (T857)
- An “OT Device Stop Request” alert that identifies the behavior as an Execution tactic / Change Program State technique (T875), or as an Impair Process Control tactic / Change Program State technique (T875)
Enabling Immediate Action
New security controls on your OT network can be up and running in a matter of days because Nozomi Networks offers a wide variety of virtual, cloud and on-premises deployment options, along with asset and threat intelligence services. Our new subscription licensing gives critical infrastructure facilities the ability to deploy the cybersecurity solutions immediately. NSA/CISA has raised the alert; now is the time to protect your OT network and the critical operations that rely upon it.