The Cybersecurity & Infrastructure Security Agency (CISA) and the National Security Agency (NSA) laid out a series of recommendations for critical infrastructure owners and operators to protect their operational technology (OT) assets. In an alert published on July 23, CISA published an alert in which it recognized malicious actors' growing willingness to target OT assets. The government body attributed these ongoing attacks to the increasing number of OT devices connected to the internet. As it explained in its bulletin:
Legacy OT assets that were not designed to defend against malicious cyber activities, combined with readily available information that identifies OT assets connected via the internet (e.g., Shodan,[2] Kamerka [3]), are creating a “perfect storm” of 1) easy access to unsecured assets, 2) use of common, open-source information about devices, and 3) an extensive list of exploits deployable via common exploit frameworks [4] (e.g., Metasploit,[5] Core Impact,[6] and Immunity Canvas [7]).
In particular, CISA noted that malicious actors had taken to launching spearphishing attacks, deploying crypto-ransomware, modifying control logic and parameters on PLCs along with executing other techniques. Those and other tactics had resulted in the loss of productivity and revenue, reduced availability of assets on the OT network and/or disruption to an organization's physical processes. Acknowledging those threats, CISA and NSA recommended that owners and operators of OT implement several best security practices. These should include the following
-
Develop an OT resilience plan: Organizations need to have a resilience plan in the event that they suffer a security incident. This plan should involve creating a plan to ensure the continued operations of industrial control systems (ICSes) if certain assets go down in an attack. It should also include developing a data backup strategy and testing it regularly.Image
- Exercise an incident response plan: Additionally, organizations need to make sure they can respond to an incident in a timely matter. Towards that end, they need to have a plan that takes key roles and decision points into consideration. They can then test that plan by conducting tabletop incident response simulations.
- Monitor the OT network for potential threats: To provide an optimum level of security, organizations need to monitor the OT network for all instances of external access to the OT network. They should also monitor controllers for unauthorized change attempts.
For additional guidance on building resilience and monitoring for threats in the OT network, click here.
