US CISA/NSA Releases New OT/ICS Security Guidelines, Reveals 5 Steps Threat Actors Take to Compromise Assets
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA) have issued a new Cybersecurity Advisory (CSA) for the protection of Operational Technology (OT) and Industrial Control Systems (ICS) . The CSA outlines the tactics, techniques, and procedures (TTPs) used by malicious actors to compromise OT/ICS assets and recommends security mitigations that owners and operators should implement to defend the systems. The new advisory builds on previous NSA/CISA guidance on stopping malicious ICS activity and reducing exposure to OT, and comes as cybersecurity risks surrounding OT and ICS continue to threaten the security of critical data and systems.
Securing OT/ICS assets are a significant challenge for organizations
While OT/ICS assets operate, control, and monitor industrial processes across critical infrastructure in the United States, traditional assets are difficult to secure due to their design for maximum availability and security, a noted CISA/NSA in Alert (AA22-265A). Their use of decades-old systems also often lack recent security updates.
“New ICS assets can be configured more securely, but often have an increased attack surface due to the integration of internet or computer network connectivity to facilitate remote control and operations. The net effect of the convergence of computing and OT platforms has increased the risk of cyber exploitation of control systems,” CISA/NSA wrote.
This has led to an increase in malicious cyber activity against OT/ICS systems, with actors ranging from nation-state APT attackers to independent hackers targeting OT/ICS assets for political gain, economic benefit and potentially destructive effects. . “More recently, APT actors have also developed tools to scan, compromise and control targeted OT devices,” the advisory adds.
A report commissioned by cloud security firm Barracuda has found an increase in major attacks against industrial IoT/OT systems over the past year as security efforts to protect these systems continue to lag. The report found that 93% of 800 IT and security leaders surveyed admitted that their organization had failed in their IIoT/OT security projects, with a lack of skills and tools often blamed.
5 Steps to Compromising Critical Infrastructure Control Systems
CISA/NSA said malicious actors typically take a five-step approach to planning and executing a critical infrastructure control system compromise:
- Establish the desired effect and select a target: For example, cybercriminals are financially motivated and target OT/ICS assets for financial gain, while state-sponsored APT actors target critical infrastructure for political or military purposes, such as destabilizing political or economic landscapes. or the psychological or social impact on a population. The cyber actor selects the target and the desired effect – to disrupt, disable, deny, deceive or destroy – based on these objectives.
- Collecting information about the target system: Once the intent and the target have been established, the actor gathers information about the targeted control system. The actor may collect data from multiple sources, including open source research, insider threats, and corporate networks. In addition to OT-specific intelligence, information on computer technologies used in control systems is widely available.
- Develop techniques and tools to navigate and manipulate the system: Using intelligence gathered about a control system design, a cyber actor can procure similar systems to the target and configure them as mock-up versions for practice purposes. Access to a model of the target system allows an actor to determine the most effective tools and techniques. Actors can also develop custom ICS-focused malware based on their knowledge of control systems. For example, the TRITON malware was designed to target certain versions of Triconex Tricon Programmable Logic Controllers (PLCs) by modifying in-memory firmware to add additional programming.
APT actors have also developed tools to find, compromise and control certain Schneider Electric, OMRON Sysmac NEX PLCs and OPC UA (Open Platform Communications Unified Architecture) servers. With the TTPs in place, a cyber actor is ready to do almost anything a normal system operator can do and potentially much more.
- Initial access to the system: To take advantage of the techniques and tools they have developed and practiced, cyber actors must first have access to a targeted system. Poor security practices around remote access allow cyber actors to exploit these hotspots as vectors to covertly gain access, exfiltrate data, and initiate other activities before an operator realizes they are there is a problem. Malicious actors can use web search platforms, such as Shodan, to identify these exposed access points. This access to a seemingly closed control system can be used to exploit the network and components.
- Execute techniques and tools to create the desired effects: Once an actor gains initial access to a targeted OT/ICS system, they will execute techniques, tools, and malware to achieve their intended effects on the target system. To disrupt, disable, deny, deceive and/or destroy the system, the malicious actor often performs, in any order or combination, the following activities:
- Degrade the operator’s ability to monitor the targeted system or degrade the operator’s confidence in the control system’s ability to operate, control, and monitor the targeted system.
- Operate the targeted control system, including the ability to change system-internal analog and digital values or change output control points.
- Impairment of the system’s ability to report data, by degrading or disrupting communications with external communications circuits, remote terminal units (RTUs) or programmable logic controllers (PLCs), connected enterprise or corporate networks , HMI subnets, other remote I/O, and any connected Historian/mass data storage.
- Denying the operator’s ability to control the targeted system, including the ability to shut down, interrupt, or corrupt the system’s operating system or supervisory control and data acquisition system software functionality (SCADA).
- Activation of remote or local recognition on the control system.
“By leveraging specific expertise and knowledge of the network, malicious actors such as state actors can carry out these steps in a coordinated manner, sometimes simultaneously and repeatedly, as illustrated by real-world cyber activity. “, reads the notice.
ICS/OT Systems Cybersecurity Threat Mitigation
System owners and operators cannot prevent a malicious actor from targeting their systems, but assuming the system is targeted and predicting the effects a malicious actor might intend to cause, they can use and prioritize mitigation measures, the notice states. Owners/operators can apply several ICS security best practices to counter adversarial TTPs.
The first is to limit the exposure of system information, with particular emphasis on system hardware, firmware and software information in any public forum, incorporating information protection education into training Staff. The notice said: “Document answers to the following questions:
- From where and to where does the data flow?
- How are communication channels documented and how is data secured/encrypted?
- How is the data used and secured when it arrives at its destination?
- What are the security standards of the network at the destination of the data, be it a provider/regulator or an administrator/financial institution?
- Can the data be further shared once at destination? Who has the power to share this data? »
Eliminate all other data destinations, only share data necessary to comply with applicable legal requirements, do not allow other uses of data and other system access without strict administrative policies, ensure agreements are in place with external systems/vendors as appropriate to sharing, access and use, have robust policies for data destruction and auditing policies/procedures to verify compliance and secure data once once they arrive at their destination, he added.
Owners/operators must also maintain a detailed knowledge of all installed systems, including remote access points that are working (or could be working) in the control system network. Creating a comprehensive “connectivity inventory” is an essential step in securing system access, the ASC said. Once all remote access points have been identified, here are some of the best practices suggested by CISA/NSA to improve their security posture:
- Reduce the attack surface by proactively limiting and hardening assets exposed to the Internet.
- Establish a firewall and a demilitarized zone (DMZ) between control systems and vendor access points and devices.
- Strictly enforce remote access policies and procedures.
- Use junction boxes to isolate and monitor access to systems.
- Change all system-wide default passwords and update all products with hard-coded passwords.
- Patch known exploited vulnerabilities whenever possible.
- Continuously monitor remote access logs for suspicious access.
Restricting access to network and control system application tools/scripts to legitimate users is another important area covered by the advisory, along with performing independent security audits of systems and implementation of a “dynamic network environment”.
Copyright © 2022 IDG Communications, Inc.