CISA, NSA reveal that OT/ICS owners, operators cannot prevent malicious hacker attacks, but must work on mitigation actions

U.S. cybersecurity agencies published a joint cybersecurity advisory on Thursday covering control system defense for operational technology (OT) and industrial control systems (ICS). The guidance gives critical infrastructure owners and operators an understanding of malicious cyber attackers’ tactics, techniques, and procedures (TTPs). It also revealed that asset owners and operators cannot prevent malicious hacker attacks from targeting their systems, but they can prioritize mitigation actions.

In the advisory titled ‘Control System Defense: Know the Opponent,’ the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) addressed owners and operators of OT/ICS assets. These organizations operate, control, and monitor day-to-day critical infrastructure and industrial processes, making them “an attractive target for malicious cyber actors. These cyber actors, including advanced persistent threat (APT) groups, target OT/ICS assets to achieve political gains, economic advantages, or destructive effects.” 

The advisory said that system owners and operators cannot prevent malicious hackers from targeting their systems. “Understanding that being targeted is not an ‘if’ but a ‘when’ is essential context for making ICS security decisions. By assuming that the system is being targeted and predicting the effects that a malicious actor would intend to cause, owner/operators can employ and prioritize mitigation actions,” it added.

The CISA-NSA advisory builds upon previous NSA and CISA guidance to stop malicious ICS activity and reduce OT exposure and describes the TTPs that malicious hackers use to compromise OT/ICS assets. In addition, the CISA-NSA advisory highlighted that traditional approaches to securing OT/ICS do not adequately address current threats to those systems. However, owners and operators who understand cyber hackers’ TTPs can use that knowledge when prioritizing hardening actions for their OT/ICS systems.

“Because OT/ICS systems manage physical, operational processes, cyber actors’ operations could result in physical consequences, including loss of life, property damage, and disruption of National Critical Functions,” the advisory adds. Last June, the CISA started a systematized registry that documents bad cybersecurity practices that are exceptionally risky for any organization and are especially dangerous for those supporting designated critical infrastructure or National Critical Functions.

Balancing the complexities of network security with performance, features, ease of use, and availability can overwhelm critical infrastructure owners and operators. This tension is especially acute where system tools and scripts enable ease of use and increase the availability or functionality of the control network, and where equipment vendors require remote access for warranty compliance, service obligations, and financial/billing functionality. 

However, with the increase in targeting of OT/ICS by hackers, owners/operators should be more conscious of the risks when making these balancing decisions. Additionally, owners/operators should also carefully consider what information about their systems needs to be publicly available and determine if each external connection is truly needed. 

OT/ICS devices and designs are publicly available, often incorporate vulnerable information technology (IT) components, and include external connections and remote access that increase attack surfaces. In addition, many tools are readily available to exploit IT and OT systems. As a result of these factors, malicious hackers present an increasing risk to ICS networks.

“OT/ICS assets operate, control, and monitor industrial processes throughout U.S. critical infrastructure. Traditional ICS assets are difficult to secure due to their design for maximum availability and safety, coupled with their use of decades-old systems that often lack any recent security updates,” the advisory said. “Newer ICS assets may be able to be configured more securely but often have an increased attack surface due to incorporating Internet or IT network connectivity to facilitate remote control and operations. The net effect of the convergence of IT and OT platforms has increased the risk of cyber exploitation of control systems.”

The advisory also pointed to the prevailing threat landscape filled with well-funded malicious cyber hackers financed by nation-states, less sophisticated groups, independent hackers, and insider threats. In addition, various malicious hackers have targeted control systems in recent years to achieve political gains, economic advantages, and possibly destructive effects. It added that, more recently, APT hackers have also developed tools for scanning, compromising, and controlling targeted OT devices.

The CISA-NSA advisory provided a detailed map of how the hackers plan and execute compromises against critical infrastructure control systems. They begin by establishing the intended effect and selecting a target, then move on to collect intelligence about the target system and work towards developing techniques and tools to navigate and manipulate the system. The hackers then gain initial access to the system and execute techniques and tools to create the intended effect.

“Leveraging specific expertise and network knowledge, malicious actors such as nation-state actors can conduct these steps in a coordinated manner, sometimes concurrently and repeatedly, as illustrated by real-world cyber activity,” the advisory added.

Hackers, from cyber criminals to state-sponsored APT hackers, target critical infrastructure to achieve various objectives. Cybercriminals are financially motivated and target OT/ICS assets for financial gain using data extortion or ransomware operations. State-sponsored APT hackers target critical infrastructure for political and/or military objectives, such as destabilizing political or economic landscapes or causing psychological or social impacts on a population. Based on these objectives, the hacker can select the target and the intended effect—to disrupt, disable, deny, deceive, and/or destroy. 

The advisory said that once the intent and target are established, the hacker works on collecting intelligence on the targeted control system. Cyber attackers may collect data from multiple sources, including open source research, insider threats, and enterprise networks. 

Besides OT-specific intelligence, information about IT technologies used in control systems is widely available. The knowledge that was once limited to control system engineers and OT operators has become readily available as IT technologies move into more of the control system environment, the CISA-NSA advisory said. 

“Control system vendors, in conjunction with the owner/operator community, have continually optimized and reduced the cost of engineering, operating, and maintaining control systems by incorporating more commodity IT components and technologies in some parts of OT environments,” the advisory said. “These advancements sometimes can make information about some systems easily available, thereby increasing the risk of cyber exploitation,” it added.

Using the intelligence collected about the control system’s design, a hacker may procure systems similar to the target and configure them as mock-up versions for practice purposes. The advisory said, “nation-state actors can easily obtain most control system equipment. Groups with limited means can still often acquire control systems through willing vendors and secondhand resellers. Access to a mock-up of the target system enables an actor to determine the most effective tools and techniques. A cyber actor can leverage resident system utilities, available exploitation tools; or, if necessary, develop or purchase custom tools to affect the control system,” it added. 

Utilities that are already on the system can be used to reconfigure settings and may have powerful troubleshooting capabilities, the CISA-NSA advisory revealed. “As the control system community has incorporated commodity IT and modernized OT, the community has simplified the tools, techniques, scripts, and software packages used in control systems. As a result, a multitude of convenient tools are readily available to exploit IT and OT systems,” it added.

The advisory said that hackers must first gain access to the targeted system to leverage the techniques and tools they developed and practiced. “Most modern control systems maintain remote access capabilities allowing vendors, integrators, service providers, owners, and operators access to the system. Remote access enables these parties to perform remote monitoring services, diagnose problems remotely, and verify warranty agreements,” it added.

“However, these access points often have poor security practices, such as using default and maintenance passwords,” the advisory said. “Malicious cyber actors can leverage these access points as vectors to covertly gain access to the system, exfiltrate data, and launch other cyber activities before an operator realizes there is a problem. Malicious actors can use web-based search platforms, such as Shodan, to identify these exposed access points,” it added.

After the hacker gains initial access to the targeted OT/ICS system, the hacker will execute techniques, tools, and malware to achieve the intended effects on the target system. To disrupt, disable, deny, deceive, and/or destroy the system, the malicious hacker often performs several such techniques, in any order or in combination, the advisory said. 

“Using these techniques, cyber actors could cause various physical consequences. They could open or close breakers, throttle valves, overfill tanks, set turbines to over-speed, or place plants in unsafe operating conditions,” the advisory said. “Additionally, cyber actors could manipulate the control environment, obscuring operator awareness and obstructing recovery, by locking interfaces and setting monitors to show normal conditions. Actors can even suspend alarm functionality, allowing the system to operate under unsafe conditions without alerting the operator,” it added.

The advisory pointed out that the host of available security solutions can also be intimidating, resulting in choice paralysis. With so many options, owners/operators may be unable to incorporate simple security and administrative strategies that could mitigate many common and realistic threats. Fortunately, owners/operators can apply a few straightforward ICS security best practices to counter adversary TTPs.

“Operational and system information and configuration data is a key element of critical infrastructure operations. The importance of keeping such data confidential cannot be overstated,” the advisory said. “To the extent possible, avoid disclosing information about system hardware, firmware, and software in any public forum. Incorporate information protection education into training for personnel. Limit information that is sent out from the system. Eliminate all other data destinations. Share only the data necessary to comply with applicable legal requirements, such as those contractually required by vendors—nothing more,” it added. 

The CISA-NSA advisory called for owners and operators to maintain detailed knowledge of all installed systems, including which remote access points are—or could be—operating in the control system network. The guidance said that creating a full ‘connectivity inventory’ is a critical step in securing access to the system. “Many vendor-provided devices maintain these access capabilities as an auxiliary function and may have services that will automatically ‘phone home’ in an attempt to register and update software or firmware. A vendor may also have multiple access points to cover different tasks,” it added.
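As an added illustration (not code from the advisory or from the article), the following Python script builds such a connectivity inventory from constructed flow records and flags outbound connections from OT hosts to destinations that are not on an approved remote-access list. The subnets, addresses, ports, and vendor names are hypothetical.

```python
# Added example: build an OT connectivity inventory from flow records and flag
# external "phone home" destinations that have no documented business need.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical address plan: the OT subnet plus the site IT/DMZ subnet.
OT_SUBNET = ip_network("10.20.0.0/16")
INTERNAL_NETS = [OT_SUBNET, ip_network("10.30.0.0/16")]

# Hypothetical approved external access points (destination, port) -> reason.
APPROVED_REMOTE = {
    ("203.0.113.10", 443): "vendor-A remote support (contractually required)",
}

# Constructed NetFlow-style records: (src, dst, dst_port, bytes_out).
SAMPLE_FLOWS = [
    ("10.20.1.5", "10.20.1.1", 502, 1200),       # PLC to local HMI (Modbus)
    ("10.20.1.7", "203.0.113.10", 443, 9000),    # vendor-A support (approved)
    ("10.20.1.7", "198.51.100.25", 443, 15000),  # undocumented vendor telemetry
    ("10.20.2.3", "192.0.2.44", 8883, 400),      # unknown MQTT-over-TLS phone home
    ("10.20.1.5", "10.20.1.1", 502, 900),
]


def build_inventory(flows):
    """Split flows originating in the OT subnet into internal control traffic
    and external connections, keyed by the OT source host.  Byte counts are
    summed so a persistent low-volume beacon is still visible in the totals."""
    external = defaultdict(lambda: defaultdict(int))
    internal = defaultdict(int)
    for src, dst, port, nbytes in flows:
        s, d = ip_address(src), ip_address(dst)
        if s not in OT_SUBNET:
            continue  # only connections that originate inside OT are inventoried
        if any(d in net for net in INTERNAL_NETS):
            internal[(src, dst, port)] += nbytes
        else:
            external[src][(dst, port)] += nbytes
    return external, internal


def unapproved_connections(external):
    """Return (src, dst, port, bytes) for each external destination that is not
    on the approved list: candidates for removal or for a documented exception."""
    findings = []
    for src, dests in external.items():
        for (dst, port), nbytes in dests.items():
            if (dst, port) not in APPROVED_REMOTE:
                findings.append((src, dst, port, nbytes))
    return sorted(findings)
```

Feeding the script real exported flow or firewall logs instead of the constructed records turns the unapproved list into the starting point for the audit of vendor access points the advisory recommends.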

Furthermore, critical infrastructure owners and operators must limit access to network and control system application tools and scripts to legitimate users performing legitimate tasks on the control system. Removing the tools and scripts entirely, and patching embedded control system components for exploitable vulnerabilities, is often not feasible. Thus, owners and operators should carefully apply access and use limitations to particularly vulnerable processes and components to limit the threat. 

Additionally, the “owner/operator of the control system should consider performing an independent security audit of the system, especially of third-party vendor access points and systems. The owner/operator cannot solely depend on the views, options, and guidance of the vendor/integrator that designed, developed, or sold the system,” the advisory said. The goal of such an audit is to identify and document system vulnerabilities, practices, and procedures that should be eliminated to improve the cyber defensive posture and ultimately prevent malicious cyber hackers from being able to cause their intended effects, it added.

The advisory also addressed static network environments that provide malicious hackers with persistent system knowledge. “A static network can provide cyber actors the opportunity to collect bits of intelligence about the system over time, establish long-term accesses into the system, and develop the tools and TTPs to affect the control system as intended. While it may be unrealistic for the administrators of many OT/ICS environments to make regular non-critical changes, owner/operators should consider periodically making manageable network changes,” it added.

The CISA-NSA advisory said that combining integrated, simplified tools and remote access creates an environment ripe for malicious hackers to target control systems networks. “New IT-enabled accesses provide cyber actors with a larger attack surface into cyber-physical environments. It is vital for OT/ICS defenders to anticipate the TTPs of cyber actors combining IT expertise with engineering know-how. Defenders can employ the mitigations listed in this advisory to limit unauthorized access, lock down tools and data flows, and deny malicious actors from achieving their desired effects,” it added.
