The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint advisory recommending Immediate Actions to Reduce Exposure Across all Operational Technologies and Control Systems. The advisory warns of foreign cyber threat actors potentially targeting US critical infrastructure and provides “immediate steps to ensure resilience and safety of US systems should a time of crisis emerge in the near term.” It notes that “Legacy OT assets that were not designed to defend against malicious cyber activities, combined with readily available information that identifies OT assets connected via the Internet (e.g., Shodan1 [2], Kamerka [3]), are creating a “perfect storm” of 1) easy access to unsecured assets, 2) use of common, open-source information about devices, and 3) an extensive list of exploits deployable via common exploit frameworks…”
The most recent NSA and CISA alerts are directed at Government assets, but they are valid warnings for any organization that has internet-facing systems. They offer solid advice that applies to any size of operation and reiterates recommendations the Information Security community has been giving for years.
In a nutshell: Have resiliency, business continuity, and response plans in place and exercise them. Understand and document your environment, your likely adversaries, and how they will probably attack so you can harden appropriately. Make sure personnel are trained and equipped to resist the expected attack vectors and mitigate them after a breach.
We, as a community need to do a better job using the available tools for assessing and analyzing risk, so we can respond more rapidly and effectively. The MITRE ATT&CK framework, for example, is an excellent resource for understanding cyberattack tactics and techniques, to respond to threats quickly and appropriately as they are discovered. We also need to improve user education at all levels. Our tools are getting much better at catching malicious actors once they are in the environment, but basic operational hygiene will help stop them from getting in in the first place.
If the NSA is coming out of the shadows to speak up in a joint alert with CISA, you want to listen and take action. What is most helpful is that the advisory (https://media.defense.gov/2020/Jul/23/2002462846/-1/-1/1/OT_ADVISORY-DUAL-OFFICIAL-20200722.PDF) shares a list of tools attackers are using to identify targets. Seeing what the attacker sees allows your cybersecurity team to prioritize your defensive actions. The Advisory goes further still, offering a robust set of recommendations for executing a response strategy.
This was a very thorough briefing, yet didn’t include any indicators of compromise which peaks my interest, but also outlines that this is a more wide-scale and trending problem rather than a specific threat. Attacks on OT systems aren’t something we want to mess around with because it could mean things like dams and electric systems going down, and all attackers need to do is use Shodan (a search engine) to find vulnerable targets and they can employ free software to compromise them. In fact, in a simple search on Shodan I found more than 20,000 potentially vulnerable ICS systems.
The recommendations from this tactical briefing are a significant shift, focusing more on TTPs and linking back to MITRE ATT&CK Framework as opposed to indicators of compromise like domains and IPs. The alert is also highlighting the importance of anomaly detection, as typically there is some sort of attribution to a nation-state, but this time Russia, North Korea and/or Iran weren’t named, nor were there any specific IOCs. This is a true threat intelligence briefing, and a good one, yet most people still won’t know what to do with it.
What needs to be taken from this for anyone with OT is a concept of assumed breach. Each night before you go to bed, you lock your doors, but consider how this nighttime regimen would change if you know someone was going to try to break into your house tonight. It puts you in a much different mindset, which is the goal of this briefing. If you are an ICS or have operational technology, you need to start assuming you’re going to be targeted and take some of the recommendations into consideration.
My biggest take away is that proper network segmentation, network behavior analysis, and security incident preparation are needed to protect these critical environments. Operators cannot simply rely on anti-virus and firewall systems to solve the OT problem at hand. You instead need to consider improved behavioral analytics and a threat intelligence team either within the “walls” of your organization or one for hire. Over the past week, we’ve seen confirmed cases of hackers for hire being used by nation-states, so why are we so hesitant to hire threat hunters to defend against them?