CISA-NSA guidance pushes OT/ICS environments to bolster cybersecurity posture as adversaries get nearer

With the exponential growth of digitization initiatives across IT and OT (operational technology) environments, critical infrastructure asset owners and operators must work on the premise that their traditional approaches to securing OT/ICS environments are inadequate to address current cybersecurity threats. For example, a recent CISA-NSA guidance urges organizations to base their ICS security decisions on the fact that cybersecurity attacks are imminent and their systems are being targeted to achieve political gains, economic advantages, or destructive effects. It also called upon these organizations to predict the effects cyber attackers would cause and subsequently employ and prioritize mitigation actions.

The CISA-NSA guidance said that system owners and operators are no longer in a position to prevent a malicious actor from targeting their systems. These agencies want the critical infrastructure sector and OT/ICS environments to understand that ‘being targeted’ is not an ‘if’ but a ‘when,’ and this premise provides the essential context for making ICS (industrial control system) security decisions. By assuming that the system is being targeted and predicting the effects that a malicious actor would intend to cause, owners/operators can employ and prioritize mitigation actions.

As these OT/ICS systems manage physical and operational processes, any exploitation by cyber attackers could have physical consequences, including loss of life, property damage, and disruption of national critical functions. In addition, the effects of targeting control systems are apparent and often widespread, potentially leading to operational downtime and disruption in critical services.

The CISA-NSA guidance points out that asset owners and operators must work towards defending against the most urgent threats while finding and defeating adversaries before they cause harm. They must also work on equipping critical infrastructure owners, operators, and cyber defenders with the technologies and tools required to raise adversary time, costs, and technical barriers. Additionally, they must build processes to sustain operational resilience by addressing systemic weaknesses to enable control systems to withstand cyber incidents with minimal impact on critical infrastructure.

Clearly, the time has come for government and industry to deploy appropriate technologies and practices to safeguard and bolster critical infrastructure and OT/ICS environments from potential adversarial threats and attacks while building innovative capabilities to defend against emerging threats on the horizon. Additionally, with the ICS risk landscape evolving, there is a greater need to align the axis of cybersecurity on ICS security best practices to counter adversary tactics, techniques, and procedures (TTPs) and work through collective action to defend cyberspace better.

Industrial Cyber reached out to OT/ICS cybersecurity experts to weigh their opinion on the outcome of the CISA-NSA guidance and its possible ramifications across the critical infrastructure and OT environments.

Robert (Rob) Dyson, Partner, IBM Global Security Services, Global OT-IoT Security Services Business Leader

Robert (Rob) Dyson, partner – global OT/IoT Security Services business leader at IBM Global Security Services, told Industrial Cyber that this statement could not be contested as cyber-attacks can be broadcast and targeted. “The typical broadcast attack is just looking for vulnerabilities to exploit, and when the attack is successful, the attacker starts to focus. Then there is the insider threat that is very high because the typical industrial environment includes not only employees but lots of third parties such as contractors and vendors.” 

Dyson also said that the risk of cyber-attacks is growing exponentially due to ‘Industry 4.0’ digitization initiatives. “Although the industrial environment stakeholders cannot prevent a malicious actor from targeting their systems, they can implement controls to mitigate the impact of any malicious activity,” he added. 

Ben Miller, vice president of services at Dragos

“It’s important to acknowledge that threats surrounding OT systems are increasing, and they are growing more diverse,” Ben Miller, vice president of services at Dragos, told Industrial Cyber. “Customized guidance being released by CISA/NSA is important as it recognizes that OT is different from IT and that we can’t just duplicate our security programs; this is important for critical infrastructure and any manufacturer to understand.”

Joe Weiss, an expert on instrumentation, controls, and control system cybersecurity, expressed his opinion from an engineering perspective. He focuses on the underlying fact that the IT and OT networking organizations are trying to force the square peg of network security into the round hole of engineering systems, which cannot implement many of the network security technologies for technical reasons. He adds that adversaries have been aware of this situation for some time.

Weiss has pointed out that IT and OT cybersecurity focuses on the Internet Protocol networks that fall under the purview of the CISO. On the other hand, control system field devices like process sensors require an understanding of how the systems and components work. “Control system cyber security focuses on the field devices such as process sensors and their associated lower-level networks, which are often serial. These field devices have no cyber security and are under the purview of engineering. Therefore, protecting these field devices is different from protecting IT or OT networks and requires different technologies and training,” he added.

Joe Weiss, Managing Partner at Applied Control Solutions

Weiss said that ICS include OT networks with cybersecurity and forensic capabilities but also control system field devices with no cyber security, authentication, or cyber forensics. “I expect those organizations that have taken OT network cyber security seriously will continue to do so.” 

“My concern is that the Sun Tzu quote ‘Know your opponent’ only extends to IT and OT networks, not control system devices,” Weiss told Industrial Cyber. “In 2016, a Russian cyber security researcher did a webcast from Moscow to the ICS Cyber Security Conference demonstrating hacking process sensors and sensor networks. In 2017, Iran publicly acknowledged being aware of the lack of cyber security in process sensors.” 

“Unfortunately, the agencies’ statement does not address this gap,” Weiss pointed out. 

Referencing Moody’s recently issued Cyber Heat Map, where all electric and water utilities are identified at very high risk (the NERC CIPs don’t ameliorate this assessment), Weiss said that “one wonders what effect Moody’s Heat Map will have on the boards.”

The CISA-NSA guidance acknowledges that traditional approaches to securing OT/ICS environments are inadequate to address current cyber threats. Additionally, the variety of available security solutions can be intimidating, resulting in choice paralysis. Therefore, it is appropriate to assess the effect of the directive on smaller critical infrastructure asset owners/operators, as they usually work with traditional ICS assets, using systems that are difficult to secure due to their design for maximum availability and safety. These organizations also function with limited budgets and lack the expertise of appropriate cybersecurity personnel. 

“As the discipline of OT security has matured, so have the techniques available to bring visibility and security control over all levels and types of OT environments,” Dyson said. “The ‘airgap’ or ‘can’t patch’ excuse is no longer valid. I would advise all companies to develop an OT security program (people, process, technology) that is aligned to their specific cyber security risks immediately.”

Dyson recommended that all companies start by assigning OT security responsibility to one person covering all their industrial environments. “The trend is to assign this responsibility to the CISO or VP of security. Then each person working in the industrial environment needs to understand their role and responsibility to ensure cyber security policies and processes are followed,” he added. 

Miller said that guidance could only be actioned if it is heard. “Smaller asset owners often don’t have the resources to track and implement (or even be aware) of defensible architecture guidelines like what was issued. This is a hard problem, and I’m glad to see the government issuing guidance. These challenges should be a community effort, frankly,” he added. 

“I do not believe being small or large is the issue, as small and large end-users use the same cyber vulnerable control system equipment,” Weiss said. He added that Moody’s Cyber Heat Map covers all small and large asset owners.

The CISA-NSA guidance calls upon asset owners and operators to understand cyber actors’ TTPs and use that knowledge when prioritizing hardening actions for OT/ICS. These requirements therefore depend on the ability of critical infrastructure owners and operators to decipher adversarial TTPs and harden their cybersecurity posture promptly.

Dyson said that everyone must start somewhere, and the time is now. “Most asset owners and operators do not have good visibility of their OT devices and systems beyond their immediate environments. Although concepts of preventative maintenance may be commonplace, cyber security hardening is not.” 

“Cyber security training must be increased in these environments just like safety training has advanced over the years,” according to Dyson. “Every safety class should include a section for cyber security. For example, changing default IDs and passwords is considered mandatory system hardening in the corporate IT enterprise, while in the typical industrial environment, you will find asset owners and operators that will tell you that these cannot or should not be changed. That is just one of many examples, which would include system backup, firmware updates, patching, etc.,” he added.

Miller said that an intelligence-informed OT program helps asset owners understand the specific scenarios they can detect and be prepared to respond to. “The threats are increasingly developing their own playbooks against OT using new and novel techniques; asset owners should be having leveled discussions between different teams to understand how to prepare.”

“TTPs were implemented by the defense intelligence community,” Weiss said. “Although TTPs were designed to be used for more than just OT network attacks, their focus has been primarily network-centric. Understanding how systems work and identifying their weak spots that an adversary could exploit is the concern. However, that requires the engineering organization to be involved and that hasn’t happened often.”

“Protecting these field devices is different from protecting IT or OT networks and requires different technologies and training,” Weiss said. “When control systems are impacted, the results are obvious – trains or planes crash, pipelines rupture, power is lost. Because of the lack of control system cyber forensics and training, these incidents are generally not identified as being cyber-related,” he added.

The CISA-NSA guidance urges owners/operators to incorporate simple security and administrative strategies that mitigate common and realistic threats to counter adversary TTPs. This makes it essential to examine how many critical infrastructure owners and operators can immediately carry out the measures, and how far these initiatives will go toward preventing adversarial threats and attacks.

“The discipline of cyber security is too complex to expect that an asset owner or operator can figure this out on their own,” Dyson said. “Companies need to budget to seek help from leading professional security services organizations that specialize in OT cyber security solutions. By partnering with the right cyber security services provider, the company will achieve their OT cyber security risk management objectives quicker and more cost-effectively.” 

However, Dyson added that everyone should set their expectations correctly and realize that achieving these objectives is a journey that will be accomplished over time. 

Weiss said that hardening the OT networks and doing good cyber hygiene can help, and it should have been done years ago, regardless of the organization’s size. “However, that only addresses the OT networks. Unfortunately, there is very little cyber forensics at the control system device layer and minimal cyber security training for the engineers, which means there is a significant gap in preventing or even identifying control system cyberattacks.”

“I believe the inherent vulnerabilities in control system devices and the importance of these systems to our economy will continue to make these systems targets,” according to Weiss. “SolarWinds demonstrated that a sophisticated nation-state attacker can get around even the latest Internet Network Protocol cyber mitigations (IT or OT). Consequently, there is a need to monitor the physics of the process sensors, which can’t be cyber-compromised, to know if the processes (boilers, pipelines, transformers, etc.) have been compromised as the OT networks may not be available or trusted as demonstrated by the Stuxnet and Triton ‘man-in-the-middle’ attacks,” he concluded.
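Weiss’s point about monitoring the physics of the process, rather than trusting only what the OT network reports, can be made concrete. The following Python example is added here and is not from the article, from Weiss or from any vendor. It assumes a hypothetical tank instrumented with a level transmitter and inlet/outlet flow meters, an assumed cross-sectional area, a constructed sample feed and a tolerance chosen for illustration. It integrates the mass balance (inflow minus outflow) to predict what the level should be and flags intervals where the reported level departs from that prediction, which is the kind of discrepancy a frozen or replayed readout would produce even when every network-layer check passes.

```python
"""Physics-consistency check for a process sensor feed.

Added example (not from the article). The process is a hypothetical tank:
the level change over each interval must equal (inflow - outflow) * dt / area.
A reported level that drifts from the physics-predicted level beyond a
tolerance is flagged for engineering review. All values are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    t: float        # seconds since start of window
    inflow: float   # m^3/s, from the inlet flow meter
    outflow: float  # m^3/s, from the outlet flow meter
    level: float    # metres, as reported by the level transmitter


# Assumed cross-sectional area of the hypothetical tank (m^2).
TANK_AREA_M2 = 10.0

# Constructed feed: net inflow of 0.2 m^3/s should raise the level 0.2 m
# every 10 s. The first three samples are consistent (small sensor noise);
# from t=30 the reported level is frozen at 1.4 m while flow continues.
SAMPLES = [
    Sample(t=0.0,  inflow=0.5, outflow=0.3, level=1.00),
    Sample(t=10.0, inflow=0.5, outflow=0.3, level=1.21),
    Sample(t=20.0, inflow=0.5, outflow=0.3, level=1.39),
    Sample(t=30.0, inflow=0.5, outflow=0.3, level=1.40),
    Sample(t=40.0, inflow=0.5, outflow=0.3, level=1.40),
]


def predicted_levels(samples, area=TANK_AREA_M2):
    """Integrate the mass balance forward from the first reported level.

    Only the flow meters and the initial level are trusted here; later
    reported levels are what we check, not what we integrate from.
    """
    levels = [samples[0].level]
    for prev, cur in zip(samples, samples[1:]):
        dt = cur.t - prev.t
        net_flow = prev.inflow - prev.outflow          # m^3/s
        levels.append(levels[-1] + net_flow * dt / area)
    return levels


def find_inconsistencies(samples, tolerance_m=0.05, area=TANK_AREA_M2):
    """Return (t, reported_level, predicted_level) for every sample whose
    reported level departs from the physics prediction by more than
    tolerance_m. An empty list means the feed is self-consistent."""
    preds = predicted_levels(samples, area)
    return [
        (s.t, s.level, round(p, 4))
        for s, p in zip(samples, preds)
        if abs(s.level - p) > tolerance_m
    ]


if __name__ == "__main__":
    for t, reported, predicted in find_inconsistencies(SAMPLES):
        print(f"t={t:5.0f}s reported={reported:.2f} m "
              f"predicted={predicted:.2f} m  <- physics mismatch")
```

The same balance check generalizes to any conserved quantity the plant measures independently (flow in versus flow out of a pipeline segment, energy into versus out of a transformer), and it deliberately runs on raw transmitter values so that it remains useful when the OT network or its historian is unavailable or untrusted. A mismatch is a prompt for engineering investigation, not a cyber verdict on its own, since a failed flow meter produces the same signature as a falsified level.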
