US CISA/NSA release new OT/ICS security guidance, reveal 5 steps threat actors take to compromise assets

The US Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have published a new Cybersecurity Advisory (CSA) for protecting operational technology (OT) and industrial control systems (ICS). The CSA outlines the Tactics, Techniques and Procedures (TTPs) malicious actors use to compromise OT/ICS assets and recommends security mitigations that owners and operators should implement to defend systems. The new advisory builds on previous NSA/CISA guidance on stopping malicious ICS activity and reducing OT exposure, and comes as the cybersecurity risks surrounding OT and ICS continue to threaten to safety of data and critical systems.

Securing OT/ICS assets a significant challenge for organizations

While OT/ICS assets operate, control, and monitor industrial processes throughout US critical infrastructure, traditional assets are difficult to secure due to their design for maximum availability and safety, the CISA/NSA noted in Alert (AA22-265A). Their use of decades-old systems often lack recent security updates, too.

“Newer ICS assets may be able to be configured more securely but often have an increased attack surface due to incorporating internet or IT network connectivity to facilitate remote control and operations. The net effect of the convergence of IT and OT platforms has increased the risk of cyber exploitation of control systems,” CISA/NSA wrote.

This has led to increased malicious cyber activity against OT/ICS systems, with actors ranging from nation state APT attackers to independent hackers targeting OT/ICS assets for political gains, economic advantages, and potentially destructive effects. “More recently, APT actors have also developed tools for scanning, compromising, and controlling targeted OT devices,” the advisory added.

A report commissioned by cloud security company Barracuda discovered an increase in major attacks on industrial IoT/OT systems in the last year with security efforts to protect these systems continuing to lag behind. The report found that 93% of 800 senior IT and security officers surveyed admitted that their organization had failed in their IIoT/OT security projects, with a lack of skills and tools often blamed.

Bob Kolasky, senior VP for Exiger and former Assistant Director at CISA, tells CSO that the ubiquity of these assets coupled with the reality that reliance on ICS/OT industrial control is not always well understood is a big security challenge. “Perhaps an even bigger challenge is the lifecycle of use for OT which makes ensuring that effective security practices are in place and maintained difficult for products that were designed without security in mind and which may be in use for decades. Retrofitting security and prioritizing in future buy cycles should be a priority but doing so takes concerted effort and investment,” he adds.

5 steps to compromise critical infrastructure control systems

CISA/NSA stated that malicious actors typically take a five-step approach to planning and executing critical infrastructure control system compromise:

1. Establishing intended effect and selecting a target: For example, cybercriminals are financially motivated and target OT/ICS assets for financial gain, whereas state-sponsored APT actors target critical infrastructure for political or military objectives, such as destabilizing political or economic landscapes or causing psychological or social impacts on a population. The cyber actor selects the target and the intended effect – to disrupt, disable, deny, deceive, or destroy – based on these objectives.
2. Collecting intelligence about the target system: Once the intent and target are established, the actor collects intelligence on the targeted control system. The actor may collect data from multiple sources, including open-source research, insider threats, and enterprise networks. In addition to OT-specific intelligence, information about IT technologies used in control systems is widely available.
3. Developing techniques and tools to navigate and manipulate the system: Using the intelligence collected about a control system’s design, a cyber actor may procure systems that are similar to the target and configure them as mock-up versions for practice purposes. Access to a mock-up of the target system enables an actor to determine the most effective tools and techniques. Actors may also develop custom ICS-focused malware based on their knowledge of the control systems. For example, TRITON malware was designed to target certain versions of Triconex Tricon programmable logic controllers (PLCs) by modifying in-memory firmware to add additional programming. APT actors have also developed tools to scan for, compromise and control certain Schneider Electric PLCs, OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture (OPC UA) servers. With TTPs in place, a cyber actor is prepared to do virtually anything that a normal system operator can and potentially much more.
4. Gaining initial access to the system: To leverage the techniques and tools that they developed and practiced, cyber actors must first gain access to a targeted system. Poor security practices around remote access allow cyber actors to leverage these access points as vectors to covertly gain access, exfiltrate data and launch other activities before an operator realizes there is a problem. Malicious actors can use web-based search platforms, such as Shodan, to identify these exposed access points. This access to an ostensibly closed control system can be used to exploit the network and components.
5. Executing techniques and tools to create the intended effects: Once an actor gains initial access to a targeted OT/ICS system, they will execute techniques, tools, and malware to achieve the intended effects on the target system. To disrupt, disable, deny, deceive, and/or destroy the system, the malicious actor often performs, in any order or in combination, the following activities:
   • Degrading the operator’s ability to monitor the targeted system or degrading the operator’s confidence in the control system’s ability to operate, control and monitor the targeted system.
   • Operating the targeted control system, including the ability to modify analogue and digital values internal to the system or changing output control points.
   • Impairing the system’s ability to report data, accomplished by degrading or disrupting communications with external communications circuits, remote terminal units (RTUs) or programmable logic controllers (PLCs), connected business or corporate networks, HMI subnetworks, other remote I/O, and any connected Historian/bulk data storage.
   • Denying the operator’s ability to control the targeted system, including the ability to stop, abort or corrupt the system’s operating system or the supervisory control and data acquisition (SCADA) system’s software functionality.
   • Enabling remote or local reconnaissance on the control system.

“Leveraging specific expertise and network knowledge, malicious actors such as nation-state actors can conduct these steps in a coordinated manner, sometimes concurrently and repeatedly, as illustrated by real-world cyber activity,” the advisory stated.

Mitigating ICS/OT system cybersecurity threats

System owners and operators cannot prevent a malicious actor from targeting their systems, but by assuming that the system is being targeted and predicting the effects that a malicious actor might intend to cause, they can employ and prioritize mitigation actions, the advisory stated. Owners/operators can apply several ICS security best practices to counter adversary TTPs.

The first is limiting the exposure of system information, with a particular focus on information about system hardware, firmware, and software in any public forum, incorporating information protection education into training for personnel. The advisory read, “Document the answers to the following questions:

• From where and to where is data flowing?
• How are the communication pathways documented and how is the data secured/encrypted?
• How is the data used and secured when it arrives at its destination?
• What are the network security standards at the data destination, whether a vendor/regulator or administrator/financial institution?
• Can the data be shared further once at its destination? Who has the authority to share this data?”

Eliminate all other data destinations, share only the data necessary to comply with applicable legal requirements, do not allow other uses of the data and other accesses to the system without strict administrative policies, ensure agreements are in place with outside systems/vendors when it comes to sharing, access and use, have strong policies for the destruction of data, and audit policies/procedures to verify compliance and secure data once it gets to its destination, it added.

Owners/operators should also maintain detailed knowledge of all installed systems, including which remote access points are (or could be) operating in the control system network. Creating a full “connectivity inventory” is a critical step in securing access to the system, the CSA stated. Once all remote access points have been identified, the following are just some of the best practices suggested by CISA/NSA to improve their security posture:

• Reduce the attack surface by proactively limiting and hardening internet-exposed assets.
• Establish a firewall and a demilitarized zone (DMZ) between control systems and the vendor’s access points and devices.
• Enforce strict compliance with policies and procedures for remote access.
• Use jump boxes to isolate and monitor access to systems.
• Change all default passwords throughout the system and update any products with hard-coded passwords.
• Patch known exploited vulnerabilities whenever possible.
• Continually monitor remote access logs for suspicious accesses.

Restricting access to network and control system application tools/scripts to legitimate users is another important area covered in the advisory, along with the performing of independent security audits of systems and the implementation of a “dynamic network environment.”

Kolasky says CISA and the NSA have done a service by continuing to highlight the importance of protecting ICS and OT as a core element of building cyber resilience. “This risk is particularly acute for critical infrastructure providers who often operate highly industrialized systems and depend on digital management of those systems,” he adds. “Because of that, the impact of a breach to an ICS system can be severe – and can be felt broadly across critical infrastructure.” The new guidance is useful as it encourages cybersecurity professionals to think like the attacker and design defensive processes that are most useful to address common tactics used by attackers, Kolasky continues. “The guidance also encourages more effort for professionals to map and understand where their systems are most at risk and focus on building resilience to attacks in those areas. Using the guidance as a check against existing security programs should be helpful for critical infrastructure operators.”