The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued an advisory explaining how to thwart cyberattacks on operational technology (OT) and industrial control system (ICS) assets.
The new joint advisory outlines what critical infrastructure operators should know about their opponents, citing recent cyberattacks on Ukraine's energy grid and the ransomware attack against a fuel distribution pipeline.
NSA and CISA's document "Control System Defense: Know the Opponent" explains that advanced persistent threat groups, both criminal and state-sponsored, target OT/ICS for political gain, economic advantage, or destructive effect.
The most dire consequences of these attacks include loss of life, property damage, and a breakdown of national critical functions, but there's a whole lot of disruption and mayhem that can happen before those extreme scenarios.
"Owners and operators of these systems need to fully understand the threats coming from state-sponsored actors and cybercriminals to best defend against them," NSA control systems defense expert Michael Dransfield said Thursday. "We're exposing the malicious actors' playbook so that we can harden our systems and prevent their next attempt."
As the agencies note, designs for OT/ICS devices that include vulnerable IT components are publicly available.
"In addition, a multitude of tools are readily available to exploit IT and OT systems. As a result of these factors, malicious cyber actors present an increasing risk to ICS networks," NSA and CISA noted in the advisory.
They're also worried that newer ICS devices incorporate internet or network connectivity for remote control and operations, which increases their attack surface.
The advisory's description of the attackers' "game plan" for OT/ICS intrusions details how attackers pick a target, collect intelligence, develop tools and techniques to navigate and manipulate systems, gain initial access, and execute those tools and techniques against critical infrastructure targets.
When weighing mitigations, the NSA wants operators to be more aware of the risks when deciding, for example, what information about their systems needs to be publicly available. It also wants operators to assume their system is being targeted rather than simply that it could be. The NSA offers simple mitigation strategies operators can choose if they experience "choice paralysis" or become befuddled by the array of security solutions available.
These strategies include limiting public exposure of system hardware, firmware and software information, and information emitted from the system. Operators should create an inventory of remote access points and secure them, restrict scripts and tools to legitimate users and tasks, conduct regular security audits, and implement a dynamic rather than static network environment.
On the last point, the agencies note: "While it may be unrealistic for the administrators of many OT/ICS environments to make regular non-critical changes, owner/operators should consider periodically making manageable network changes. A little change can go a long way to disrupt previously obtained access by a malicious actor."
The new document builds on two earlier advisories: one the NSA released this year on stopping malicious attacks on OT, which was aimed at US government and defense organizations, and a joint NSA and CISA advisory on reducing exposure across all OT and ICS systems.