NSA and CISA Alert Highlights Urgency for OT Security

Submitted by: Bengt Gregory-Brown (CS)²AI Co-Founder


ByGalina Antovaon August 18, 2020

In the last few years, we’ve seen ample evidence of how cyberattacks on critical infrastructure can be leveraged by nation-states and other powerful adversaries as weapons in geopolitical conflicts. The attacks on the Ukraine power grid and several other incidents demonstrated a show of power and how a country’s infrastructure can be disrupted. The indiscriminate use of destructive exploits in NotPetya (which caused widespread, collateral damage to operational technology (OT) networks and halted operations) revealed to security professionals just how poor the cyber risk posture of their OT networks is and prompted swift actions in many of the largest companies. 

For years now, the government has been warning openly and clearly that: “Since at least March 2016, Russian government cyber actors—hereafter referred to as ‘threat actors’—targeted government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.” A new alert, issued by the U.S. National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA), couldn’t be more clear: “We are in a state of heightened tensions and additional risk and exposure.” 

Government agency alerts about previous threats typically describe how the attacks are executed and provide some tactical steps to specific sectors to enhance their ability to reduce exposure. However, this recent alert stands out for its tone, language, and content. Framed from a strategic perspective, it includes broad warnings of an imminent and serious threat across all 16 critical infrastructure sectors, and lengthy, detailed sets of recommendations for how to protect OT environments that, together, encourage a holistic approach to risk mitigation.

If you think like an attacker, the timing of this jump in critical infrastructure attacks isn’t surprising. Nation-state actors have habitually targeted organizations in industries including high-tech manufacturing, pharmaceuticals, biotech, and healthcare to steal intellectual property and research. Now, it is being widely reported that nation-state actors believed to be linked to China and Russia are targeting attacks against organizations involved in the research and production of COVID-19 vaccines – a clear use of cyber weapons to advance their geopolitical agendas.

With many U.S. critical infrastructure organizations involved in these pursuits, the stakes are extraordinarily high. Adversaries are extremely motivated, and such threats are particularly concerning. As advances are made and we get closer to a vaccine, attacks will likely intensify. And this is just one example of how the other critical infrastructure industries could be targeted. Hence the urgency conveyed in the NSA and CISA alert to protect vulnerable networks. 

Why is the potential impact to critical assets so high? The alert describes a perfect storm situation, similar to what I have described before: a combination of legacy OT devices, many of which are internet-facing (something for which they were never designed) and thus expand the attack surface, and opportunistic adversaries with access to tools that provide information about these assets and ways to exploit them. The pervasiveness and gravity of the situation, and the relative ease with which these exploits can be executed, calls for immediate actions to reduce exposure across OT networks and control systems. Among an extensive list of specific recommendations, NSA and CISA urge the deployment of threat monitoring technology. 

We’ve talked about the need for asset visibility and threat monitoring in OT environments for years, because one of the biggest challenges in securing these environments is zero telemetry and thus, no visibility into OT networks. One of the roadblocks is that organizations have been constrained by preconceived notions of how to proceed based on trusted IT cybersecurity best practices that dictate a “crawl, walk, run” approach. What’s more, many of the IT security tools and approaches introduce unnecessary complexity and, worse, aren’t effective in OT environments. Clearly, based on the tone of the NSA and CISA alert, we need to move straight to “run” and focus on what we can execute immediately to reduce risk the most. That’s where threat monitoring comes in. 

OT networks communicate and share much more information than is typically available from IT components – the software version they are running, firmware, serial numbers, and more. OT network traffic provides all the security information required to monitor for threats. With a single, agentless solution for asset visibility and continuous threat monitoring, that can be implemented quickly and integrated into IT systems and workflows, organizations can move fast to detect and mitigate risk. Translating the obscurity of OT networks for IT security operations center (SOC) analysts, such a solution allows IT and OT teams to work together and bring the full power of the organization’s resources to bear. They can start to identify deviations from established behavioral baselines, unauthorized connections, and the presence of adversary techniques, such as those in the new MITRE ATT&CK for ICSframework, to implement mitigation recommendations rapidly. 

We cannot defend ourselves on this latest battlefield without the right security capabilities. Let’s learn from the previous examples of economic warfare and use the detailed observations and recommendations from NSA and CISA to our advantage. The stakes have never been higher. Fortunately, our capabilities to secure our OT environments are up to the challenge.