Your Guide to the NSA/CISA Alert AA20-205A
On July 23rd, the NSA and CISA issued an alert urging immediate action be taken by organizations with critical infrastructure.
What caused the alert?
The alert comes in response to two trends: malicious actors are increasingly attacking online OT assets, and more OT assets are increasingly being put online.
Even the NSA/CISA calls it “the perfect storm” — legacy OT infrastructure were not designed to defend against cyberattacks, and they have incredible potential to disrupt civilian life. Once put online, these vulnerable assets make attractive targets for malicious cyber activities.
The report covers recently observed attack tactics, their impact, and a list of recommendations to secure online OT networks against further attack.
What are the attacks and their impact?
The NSA/CISA alert states that “while the behavior may not be technically advanced, it is still a serious threat because the potential impact to critical assets is so high.” The observed activities are mapped to the MITRE ATT&CK for ICS framework and listed below:
• Spearphishing to obtain initial access to the organization’s information technology (IT) network before pivoting to the OT network.
• Deployment of commodity ransomware to Encrypt Data for Impact on both networks.
• Connecting to Internet Accessible PLCs requiring no authentication for initial access.
• Utilizing Commonly Used Ports and Standard Application Layer Protocols, to communicate with controllers and download modified control logic.
• Use of vendor engineering software and Program Downloads.
• Modifying Control Logic and Parameters on PLCs.
These attacks can bring an OT network offline, which would prevent human operators from viewing the control systems they need and ultimately cost organizations productivity and revenue.
Furthermore, these attacks can provide adversaries with active command-and-control over the OT assets and infrastructure, allowing malicious actors to manipulate and damage physical processes.
Does this mean I must take all my OT assets offline?
No. The NSA/CISA alert acknowledges that putting OT assets online is sometimes critical to business productivity, and recognizes that the industry trend points towards more online OT assets, not less.
However, the alert is urging organizations to ensure that remotely accessible OT assets are protected from malicious attacks, whether through self-constructing a security stack or sourcing vendor products to protect your OT remote access.
What actions are recommended now?
The mitigation techniques are divided up into six main categories. They are listed and summarized below, but the original version is worth reading.
Have a Resilience Plan for OT: Beyond planning for malfunctioning or inoperable control systems, organizations must assume that malicious attacks will render OT systems “actively acting contrary to the safe and reliable operation of the process.”
Exercise your Incident Response Plan: Conduct active exercises with management, public affairs, and legal teams to preemptively test your incident response plan.
Harden Your Network: Perform network security controls and best practices to secure your Internet-accessible OT endpoints.
Create an Accurate “As-operated” OT Network Map Immediately: Take inventory of your OT network communication: know what OT assets are connected to the Internet, what protocols they use for communication, and where external connections exist.
Understand and Evaluate Cyber-risk on “As-operated” OT Assets: Refer to cybersecurity vulnerability resources and frameworks to help you evaluate the risk to your OT networks.
Implement a Continuous and Vigilant System Monitoring Program: Ensure that you have processes to log, review, and control all traffic and changes made to your OT network.
For more details on the mitigations recommended in these 6 categories, we recommend reading the full alert here.
Dispel provides secure remote access designed for OT networks. Built on Moving Target Defense architecture, Dispel helps organizations enable OT remote access while staying aligned to regulatory frameworks and compliance standards. If you are looking to securely bring an OT network online, or harden existing Internet-accessible OT assets, schedule a demo at https://dispel.io