NSA Calls For Review Of Op Tech Security « Breaking Defense
“A significant shift in how [OT] are viewed, evaluated, and secured within the US is needed to prevent malicious cyber actors from executing successful, and potentially damaging, cyber effects,” the guidance says.
OT include hardware and software that enable infrastructure physical components to function, such as circuit breakers, motors and valves. OT are prevalent throughout critical infrastructure environments, from power grids and telecommunications networks to manufacturing plants, transportation systems and energy pipelines.
Cyberattacks against critical infrastructure usually entail targeting industrial control systems (ICS), which monitor, regulate, and automate OT. Supervisory control and data acquisition (SCADA) systems and distributed control systems are well-known types of ICS. Compromised ICS/OT can allow attackers, in some cases, to cause physical damage to systems and even widespread outages.
The threats and risks to OT are not new, which raises questions about the timing of this advisory’s release. Given the nature of the guidance, it’s possible that recent news of attackers exploiting vulnerabilities in Pulse Connect Secure virtual private network (VPN), attackers use of web shells in recent cyber campaigns, and/or a February cyber incident at a Florida water treatment plant prompted the advisory. It’s also possible the advisory is based on classified cyber threat intelligence. It could have been long planned, with no specific threat intelligence or incident in mind. After all, NSA’s guidance was not released jointly with CISA as an activity alert or emergency directive, the main way the government notifies industry and agencies to active attacks.
In 2007, DHS conducted a controlled demonstration at Idaho National Laboratory dubbed the Aurora Generator Test, which showed how cyberattacks can cause physical damage by compromising ICS and OT.
Notable cyberattacks against ICS/OT environments since then include the 2015 and 2016 hacks of Ukraine’s power grid and Stuxnet, which targeted Iran’s nuclear enrichment technology.
The NSA provides step-by-step guidance for using a risk-based framework to evaluate OT environments and make changes to inhibit and detect malicious cyber activities. “Without direct action to harden OT networks and control systems against vulnerabilities… OT system owners and operators will remain at indefensible levels of risk,” NSA notes.
The NSA guidance addresses two particularly dangerous threat vectors for remote cyberattacks against OT: The first is OT-IT connected systems, and the second is OT-Internet connected systems.
If OT are connected to traditional IT systems without proper safeguards, then attackers can gain access to ICS/OT after compromising IT systems. For example, Stuxnet exploited four zero-day vulnerabilities in the Microsoft Windows operating system in order to gain access to Iran’s Natanz nuclear facility ICS/OT for enriching uranium. The ICS was used to stop the flow of data from centrifuge OT to the control room so that operations looked normal to engineers and then sent unexpected commands to centrifuge OT (specifically, programmable logic controllers) via ICS, in turn physically destroying the centrifuges.
In its guidance, NSA notes, “IT exploitation can serve as a pivot point for OT exploitation. …Each IT-OT connection increases the potential attack surface.” The ability to “pivot,” or move laterally across a network, can be enabled by insecure network architectures with inadequate cybersecurity measures. This is one reason why NSA urged the defense sector to adopt zero-trust security architectures earlier this year.
NSA notes, “While there are very real needs for connectivity and automating processes, [OT] and [ICS] are inherently at risk when connected to enterprise IT systems. …While OT systems rarely require outside connectivity to properly function, they are frequently connected for convenience without proper consideration of the true risk and potential adverse business and mission consequences.”
When OT systems are connected directly to the Internet, attackers can use a search engine, such as Shodan, to scan for them — to include those running unpatched software versions — and then launch direct cyberattacks remotely.
So, the NSA urges owners to eliminate or significantly minimize OT-IT and OT-Internet connections. This can be done by “islanding” — or air-gapping — OT from IT systems and the Internet, as well as removing or greatly limiting remote access, both of which the NSA guidance suggests. (Zero-trust architectures, by default, limit access.)
These threats are exacerbated by the state of much OT across the US and the difficulty of patching such systems. NSA notes, “This paradigm shift applies to the stagnant OT assets and control systems installed and used throughout the US and [defense industrial base], many of which are past end-of-life and operated without sufficient resources.”
This CISA site provides regularly updated information on ICS/OT cyber vulnerabilities and available security patches.