CISA, FBI and the DOE released a joint Cybersecurity Advisory (CSA) detailing state-sponsored Russian cyber actors from 2011 to 2018 that targeted U.S. and international Energy Sector organizations. The CSA highlights historical tactics, techniques, and procedures as well as mitigations Energy Sector organizations can take to protect their networks. They recommend a set of ICS Best Practices, as well as a list of 10 mitigations with specific actions intended to harden corporate enterprise networks:
- Privileged Account Management: Manage the creation of, modification of, use of—and permissions associated with—privileged accounts, including SYSTEM and root.
- Password Policies: Set and enforce secure password policies for accounts.
- Disable or Remove Features or Programs: Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.
- Audit: Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc., to identify potential weaknesses.
- Operating System Configuration: Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.
- Multifactor Authentication: Enforce multifactor authentication (MFA) by requiring users to provide two or more pieces of information (such as username and password plus a token, e.g., a physical smart card or token generator) to authenticate to a system.
- Filter Network Traffic: Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.
- Network Segmentation: Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a demilitarized zone (DMZ) to contain any internet-facing services that should not be exposed from the internal network.