The latest joint advisory from NSA and CISA builds on the previous joint guidance the two agencies released to stop malicious ICS activity and reduce OT exposure.
The latest advisory describes the TTPs that bad actors could use to compromise critical OT assets. It also examines in depth the measures ICS and OT operators can deploy to prevent cyberattacks while building cyber resilience.
Here are the 10 major recommendations cited in the latest OT/ICS advisory from NSA and CISA:
1. Newly observed TTPs in cyberattacks
Partial loss of view, connections to internet-accessible PLCs, spear phishing, modification of control logic, and deployment of commodity ransomware are among the recently observed TTPs.
2. Increasing risk to ICS
Malicious cyber actors present an increasing risk to ICS networks.
3. Know thy enemy
Knowing your adversary and the tactics and methods they may use to create a breach is essential for deriving countermeasures.
4. OT resilience plan
- Retain the ability to disconnect from the internet any systems that do not need internet access.
- Reduce additional functionality that could expand the attack surface and introduce new vulnerabilities.
- Plan for continued manual operations in case the ICS becomes unavailable or is deactivated.
- Test and validate processes and backups.
5. Set up and run your incident response plan
- Run a tabletop exercise, including executive personnel, to test the functioning and effectiveness of the existing incident response plan.
- Expand participation in the plan by including public affairs and legal teams in addition to IT, OT and executive management.
- Clearly identify decision-making authority and map it to key decisions.
- Weave in the TTPs listed in the advisory to cover situations where the control system is actively operating counter to safe and reliable operations.
6. Harden networks
- Remove all non-essential assets from networks.
- Discover internet-accessible OT devices and eliminate or mitigate their connections immediately. Fully patch all systems that connect to the internet.
- Segment networks to protect PLCs and workstations from direct exposure to the internet. Implement secure network architectures using demilitarized zones (DMZs), firewalls, jump servers, and/or one-way communication diodes, as applicable.
- Use a virtual private network (VPN) with strong encryption, further secured with multifactor authentication, for any remote access to devices.
- Continually evaluate the connectivity needs of each device (check whether its access to a given network or connectivity method is justified).
- Use network intrusion detection systems to detect and address intrusions.
- Secure all required and approved remote access paths and user accounts.
7. Understand and Evaluate Cyber-risk on “As-operated” OT Assets
- Move towards an informed risk-awareness posture, developed from the variety of readily available resources that include specific guidance and mitigations.
- Use a validated asset inventory to investigate and determine the specific risk(s) associated with your existing OT devices and OT system software, including vendor-specific cybersecurity and technical advisories.
- Follow vendor-specific cybersecurity and technical advisories.
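The two recommendations above (a validated asset inventory checked against vendor advisories) and the "discover internet-accessible OT devices" item under network hardening share the same starting point: a structured inventory. The following is an added example, not code from the advisory or from any vendor, showing how a defender can cross-reference such an inventory with advisory data and surface the exposed devices. The asset records, vendor names, product names, firmware versions and advisory identifiers are all constructed placeholders; the version-comparison rule (numeric dot-separated components compared left to right) is an assumption that real vendors may not follow.

```python
"""Cross-reference a validated OT asset inventory with vendor advisories (added example).

Every inventory row and advisory below is a constructed placeholder. In practice the
rows come from your asset inventory and the advisories from the vendor's own
published cybersecurity and technical advisories.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    asset_id: str
    vendor: str
    product: str
    firmware: str
    zone: str              # network zone from the site segmentation model
    internet_exposed: bool  # result of the exposure discovery step


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    vendor: str
    product: str
    fixed_in: str          # first firmware version that contains the fix


def parse_version(version: str) -> tuple:
    """Turn '2.10.3' into a comparable tuple; numeric parts sort before text parts."""
    parts = []
    for part in version.split("."):
        parts.append((0, int(part)) if part.isdigit() else (1, part))
    return tuple(parts)


def affected_assets(inventory: list, advisories: list) -> list:
    """Return sorted (asset_id, advisory_id) pairs where the asset runs firmware
    older than the advisory's fixed version."""
    findings = []
    for asset in inventory:
        for adv in advisories:
            if (asset.vendor, asset.product) != (adv.vendor, adv.product):
                continue
            if parse_version(asset.firmware) < parse_version(adv.fixed_in):
                findings.append((asset.asset_id, adv.advisory_id))
    return sorted(findings)


def prioritise(findings: list, inventory: list) -> list:
    """Order findings so internet-exposed assets come first, then by zone, then by id."""
    by_id = {a.asset_id: a for a in inventory}
    return sorted(findings,
                  key=lambda f: (not by_id[f[0]].internet_exposed, by_id[f[0]].zone, f))


def internet_exposed_devices(inventory: list) -> list:
    """List every OT device the discovery step marked as reachable from the internet."""
    return sorted(a.asset_id for a in inventory if a.internet_exposed)


# Constructed sample inventory and advisories (placeholders, not real products or IDs)
INVENTORY = [
    Asset("PLC-01", "VendorA", "CtrlModel", "2.9.5", "process", False),
    Asset("PLC-02", "VendorA", "CtrlModel", "2.10.0", "process", False),
    Asset("RTU-07", "VendorB", "RemoteUnit", "1.4", "field", True),
    Asset("HMI-01", "VendorC", "Panel", "5.0", "supervisory", False),
]
ADVISORIES = [
    Advisory("VENDORA-ADV-PLACEHOLDER-1", "VendorA", "CtrlModel", "2.10.0"),
    Advisory("VENDORB-ADV-PLACEHOLDER-2", "VendorB", "RemoteUnit", "1.5"),
]


def risk_report() -> dict:
    """Bundle the three checks so the result can be reviewed or asserted on."""
    findings = affected_assets(INVENTORY, ADVISORIES)
    return {
        "affected": findings,
        "prioritised": prioritise(findings, INVENTORY),
        "internet_exposed": internet_exposed_devices(INVENTORY),
    }


if __name__ == "__main__":
    for key, value in risk_report().items():
        print(f"{key}: {value}")
```

The report puts the internet-exposed RTU ahead of the internal PLC because, per the advisory, exposed devices are the first connections to eliminate or mitigate; the PLC already on the fixed firmware drops out of the list entirely.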
8. Implement a persistent and continuous monitoring program
- A vigilant and continuous monitoring program enables the detection of anomalies, including those related to malicious cyber tactics such as "living off the land" techniques within OT systems.
- Always log and review all authorized external access connections for misuse or anomalous activity.
- Monitor all systems for unauthorized attempts to modify controllers.
- Implement integrity checks of controller process logic against a documented "good" baseline.
- Ensure process controllers do not remain in remote program mode for extended periods while in operation.
- Reduce set points in control processes to limit and contain the consequences of unauthorized controller access.
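Two of the monitoring items above, integrity checks of controller logic against a documented baseline and the watch for controllers left in remote program mode, can be automated from data most sites already collect (exported logic files and controller mode/status events). The block below is an added example written for this summary; it is not code from the advisory or from any PLC vendor. The controller names, logic bytes, mode strings and timestamps are constructed, and reading the logic and mode from a real controller is assumed to be done by whatever vendor tooling the site uses.

```python
"""Baseline integrity and remote-program-mode checks for PLCs (added example).

Check 1 hashes each controller's exported logic and compares it with a documented
known-good baseline. Check 2 flags controllers that have sat in REMOTE PROGRAM mode
longer than a site-defined limit. All controller data below is constructed.
"""
import hashlib
from datetime import datetime, timedelta


def logic_digest(logic: bytes) -> str:
    """SHA-256 of an exported logic/program file; this is what the baseline stores."""
    return hashlib.sha256(logic).hexdigest()


def check_logic_integrity(baseline: dict, current: dict) -> list:
    """Compare the logic read from each controller against the documented baseline.

    baseline: {controller_id: expected sha256 hex digest}
    current:  {controller_id: logic bytes read from the controller}
    Returns sorted (controller_id, finding) tuples; an empty list means clean.
    """
    findings = []
    for ctrl, expected in baseline.items():
        if ctrl not in current:
            findings.append((ctrl, "no logic read: controller unreachable"))
            continue
        if logic_digest(current[ctrl]) != expected:
            findings.append((ctrl, "logic digest mismatch"))
    for ctrl in current:
        if ctrl not in baseline:
            findings.append((ctrl, "controller not in baseline inventory"))
    return sorted(findings)


def remote_program_overruns(events: list, now: datetime, limit: timedelta) -> list:
    """Return controllers whose latest mode is REMOTE PROGRAM for longer than limit.

    events: (timestamp, controller_id, mode) tuples in any order; the most recent
    event per controller decides its current mode.
    """
    latest = {}
    for ts, ctrl, mode in sorted(events):
        latest[ctrl] = (ts, mode)
    return sorted(ctrl for ctrl, (ts, mode) in latest.items()
                  if mode == "REMOTE PROGRAM" and now - ts > limit)


# Constructed sample data: a known-good logic archive, a fresh read, and mode events
GOOD_LOGIC = {
    "PLC-01": b"ladder:pump_start->pump_run",
    "PLC-02": b"st:level_ctrl_v3",
}
BASELINE = {ctrl: logic_digest(logic) for ctrl, logic in GOOD_LOGIC.items()}
CURRENT_READ = {
    "PLC-01": GOOD_LOGIC["PLC-01"],
    "PLC-02": b"st:level_ctrl_v3; setpoint_override",  # constructed: logic was changed
    "PLC-03": b"ladder:unknown",                         # constructed: not in baseline
}
MODE_EVENTS = [
    (datetime(2023, 1, 1, 8, 0), "PLC-01", "REMOTE PROGRAM"),
    (datetime(2023, 1, 1, 8, 20), "PLC-01", "REMOTE RUN"),   # returned to run mode
    (datetime(2023, 1, 1, 6, 0), "PLC-02", "REMOTE PROGRAM"),  # still in program mode
]
NOW = datetime(2023, 1, 1, 9, 0)
MODE_LIMIT = timedelta(minutes=30)


def run_checks() -> tuple:
    """Run both checks on the constructed data and return (integrity, overruns)."""
    return (check_logic_integrity(BASELINE, CURRENT_READ),
            remote_program_overruns(MODE_EVENTS, NOW, MODE_LIMIT))


if __name__ == "__main__":
    integrity, overruns = run_checks()
    for ctrl, finding in integrity:
        print(f"integrity {ctrl}: {finding}")
    for ctrl in overruns:
        print(f"mode {ctrl}: in REMOTE PROGRAM longer than {MODE_LIMIT}")
```

Run on the constructed data, the integrity check reports the modified logic on PLC-02 and the unknown PLC-03, and the mode check reports only PLC-02, since PLC-01 returned to run mode within the limit. In practice the baseline digests belong in the same change-controlled record as the documented good logic, so that a re-baseline is itself an auditable event.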
9. Understanding the malicious actor’s gameplan
Threat actors often follow these steps in their strategy to breach critical infrastructure control systems:
- Establish the intended effect and choose a target: cybercriminals are often financially motivated and target OT/ICS assets primarily for financial gain.
- Collect intelligence about the target system: the data could be collected from multiple sources, including insiders.
- Develop techniques and tools to navigate and manipulate the system.
- Gain initial access to the system.
- Execute techniques and tools to create the intended effect.
10. Mitigation
- Limit exposure of system information
- Identify and secure remote access points
- Restrict tools and scripts
- Conduct regular cybersecurity audits
- Keep the network environment dynamic
Key Takeaways from the most recent OT/ICS advisory by NSA and CISA