NSA unveils Elitewolf repository of intrusion detection signatures and analytics for OT environments

On Thursday, the U.S. National Security Agency (NSA) published a repository of intrusion detection signatures and analytics crafted for operational technology (OT) environments. The resource, known as ‘Elitewolf’, is intended to help defenders of critical infrastructure, the defense industrial base, and national security systems identify potentially malicious cyber activity in their OT environments.

Elitewolf is now available on the NSA’s GitHub page and is aimed at helping organizations strengthen monitoring and detection in the OT sector.

The release comes as adversaries have demonstrated a continued willingness to conduct malicious cyber activity against critical infrastructure by exploiting Internet-accessible and vulnerable OT assets, according to the repository’s description on the NSA’s ‘nsacyber’ GitHub page. Because of the increase in adversary capabilities and activity, the criticality of OT to U.S. national security and way of life, and the vulnerability of OT systems, civilian infrastructure makes an attractive target for foreign powers attempting to harm U.S. interests or to retaliate for perceived U.S. aggression.

The NSA also strongly recommends that owners and operators of ICS/SCADA/OT (industrial control system, supervisory control and data acquisition, and operational technology) critical infrastructure implement a continuous and vigilant system monitoring program.

The agency tied that recommendation directly to the new repository. “Because of the increase in adversary capabilities, the vulnerability of OT systems, and the potential scope of impact, NSA recommends that OT critical infrastructure owners and operators implement ELITEWOLF as part of a continuous and vigilant system monitoring program,” it added.

The Elitewolf repository contains various ICS/SCADA/OT-focused signatures and analytics, according to the GitHub page. “The end goal is to enable Critical Infrastructure Defenders, Intrusion Analysts, and others to implement continuous and vigilant system monitoring.”

The agency does warn that these “signatures/analytics aren’t necessarily malicious activity. They require follow on analysis to truly determine if this activity is malicious or not.”
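To make that caveat concrete, here is an added example, written for this article and not code from the Elitewolf repository (which ships its signatures as network IDS rules), of a two-stage Modbus/TCP analytic in Python. The first stage flags write requests and device-identification queries the way a signature would, with no judgement attached; the second stage consults site context before deciding whether a hit is expected or needs investigation. The Modbus/TCP framing (MBAP header plus function code) follows the public protocol specification; the IP addresses, the allowlist of engineering workstations and the sample frames are all constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

MODBUS_PORT = 502
# Modbus function codes that change PLC state (write coils/registers, mask write, read/write)
MODBUS_WRITE_CODES = {5, 6, 15, 16, 22, 23}
FC_ENCAPSULATED_INTERFACE = 43   # MEI transport; MEI type 0x0E is Read Device Identification
MEI_READ_DEVICE_ID = 0x0E

# Hypothetical site context for follow-on analysis: hosts that are expected to write to PLCs.
ENGINEERING_WORKSTATIONS = {"10.10.1.5"}

# Constructed sample flows (src_ip, dst_ip, dst_port, payload). These are not real captures.
SAMPLE_FLOWS = [
    # Engineering workstation writes a single holding register (FC 6) to the PLC
    ("10.10.1.5", "10.10.2.20", 502, b"\x00\x01\x00\x00\x00\x06\x01\x06\x00\x01\x00\xff"),
    # An unknown host issues the same write
    ("192.0.2.77", "10.10.2.20", 502, b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x01\x00\xff"),
    # The same unknown host asks the PLC to identify itself (FC 43, MEI type 0x0E)
    ("192.0.2.77", "10.10.2.20", 502, b"\x00\x03\x00\x00\x00\x05\x01\x2b\x0e\x01\x00"),
    # Routine read of ten holding registers (FC 3) by the workstation: no rule fires
    ("10.10.1.5", "10.10.2.20", 502, b"\x00\x04\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    # Frame with a non-zero MBAP protocol id: not valid Modbus/TCP
    ("10.10.1.5", "10.10.2.20", 502, b"\x00\x05\x00\x01\x00\x06\x01\x03\x00\x00\x00\x0a"),
]


@dataclass
class Alert:
    rule: str
    src: str
    dst: str
    function_code: Optional[int]
    triage: str


def parse_mbap(payload: bytes) -> Optional[Tuple[int, int, bytes]]:
    """Parse a Modbus/TCP frame. Returns (unit_id, function_code, data) or None if malformed."""
    if len(payload) < 8:
        return None
    _tid, proto_id, length, unit_id = struct.unpack("!HHHB", payload[:7])
    # Protocol id must be 0; the length field counts unit id + PDU (everything after byte 6)
    if proto_id != 0 or length != len(payload) - 6:
        return None
    return unit_id, payload[7], payload[8:]


def match_rules(src: str, dst: str, dport: int, payload: bytes) -> List[Tuple[str, Optional[int]]]:
    """Signature stage: return (rule_name, function_code) hits for one flow, with no judgement."""
    hits: List[Tuple[str, Optional[int]]] = []
    if dport != MODBUS_PORT:
        return hits
    parsed = parse_mbap(payload)
    if parsed is None:
        hits.append(("modbus_malformed_frame", None))
        return hits
    _unit, fc, data = parsed
    if fc in MODBUS_WRITE_CODES:
        hits.append(("modbus_write_request", fc))
    if fc == FC_ENCAPSULATED_INTERFACE and data[:1] == bytes([MEI_READ_DEVICE_ID]):
        hits.append(("modbus_read_device_identification", fc))
    return hits


def triage(rule: str, src: str) -> str:
    """Follow-on analysis stage: a hit is only 'expected' when site context explains it."""
    if rule == "modbus_write_request" and src in ENGINEERING_WORKSTATIONS:
        return "expected"
    return "investigate"


def analyse(flows) -> List[Alert]:
    """Run every flow through the signature stage, then triage each hit."""
    alerts: List[Alert] = []
    for src, dst, dport, payload in flows:
        for rule, fc in match_rules(src, dst, dport, payload):
            alerts.append(Alert(rule, src, dst, fc, triage(rule, src)))
    return alerts


if __name__ == "__main__":
    for a in analyse(SAMPLE_FLOWS):
        print(f"{a.triage:11} {a.rule:34} {a.src} -> {a.dst} fc={a.function_code}")
```

The same write request produces the same signature hit from both hosts; only the triage stage separates a scheduled engineering change from something that needs a closer look, which is the follow-on analysis the NSA says its signatures require. In a real deployment the allowlist would come from the site’s asset inventory and change-management records rather than a hard-coded set, and a malformed frame on port 502 is worth a look regardless of source.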

According to the NSA, the Elitewolf release is a direct response to a July 2020 advisory jointly issued by the Cybersecurity and Infrastructure Security Agency (CISA) and the NSA. That advisory underscored the growing prevalence of Internet-accessible OT assets across the 16 critical infrastructure sectors, attributing the increase to the adoption of remote operations and monitoring, the need to support a decentralized workforce, and the expanding outsourcing of key skill areas, OT asset management and maintenance, and, in some cases, process operations and maintenance.

The advisory further noted that legacy OT assets, designed without robust defenses against malicious cyber activity, compound the problem, and that readily available information identifying Internet-connected OT assets, through tools such as Shodan and Kamerka, creates what it likened to a ‘perfect storm.’

That convergence combines easy access to unsecured assets, commonly available open-source device information, and an extensive arsenal of exploits deployable through widely used frameworks such as Metasploit, Core Impact, and Immunity Canvas.

The advisory also mapped the observed threat activity to the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) for Industrial Control Systems (ICS) framework. “It is important to note that while the behavior may not be technically advanced, it is still a serious threat because the potential impact to critical assets is so high,” it added.

Earlier this week, CISA, the Federal Bureau of Investigation (FBI), the NSA, and the U.S. Department of the Treasury released new guidance for senior leadership and operations personnel at OT vendors and critical infrastructure facilities. The fact sheet is intended to help them better manage the risk from open source software (OSS) used in OT products and to increase resilience using available resources.
