NSA and CISA: What To Do When Hackers Target Critical Systems
NSA and CISA Give Advice to Critical Infrastructure Operators.
The National Security Agency (NSA), together with the Cybersecurity and Infrastructure Security Agency (CISA), has issued an advisory that outlines how operators of critical infrastructure should deal with cyberattacks on operational technology and industrial control system assets.
The advisory comes in the light of recent cyberattacks on Ukraine’s energy grid and the ransomware attack against a fuel distribution pipeline. Russia’s invasion of Ukraine and the associated cyberattacks have raised concerns that Russian actors could target Western critical infrastructure. CISA warned earlier this year that hackers had created specialized tools to take control of ICS and SCADA systems made by well-known manufacturers.
Control System Defense: Know the Opponent
According to the advisory from the two agencies, titled “Control System Defense: Know the Opponent”, state-sponsored and criminal advanced persistent threat (APT) groups target operational technology/industrial control systems (OT/ICS) for illicit purposes, financial gain, or other harmful outcomes. These devices and designs are readily accessible, frequently incorporate vulnerable information technology (IT) components, and include remote access and external connections that broaden their attack surfaces.
Loss of life, property damage, and the failure of vital national functions are the most severe possible effects of these attacks, but a great deal of disruption and mayhem can occur before those worst-case scenarios.
Owners and operators of these systems need to fully understand the threats coming from state-sponsored actors and cybercriminals to best defend against them… We’re exposing the malicious actors’ playbook so that we can harden our systems and prevent their next attempt.
What Operators Should Expect
The advisory describes the attackers’ playbook for intruding into OT/ICS in detail: how they pick a target, how they gather information about it, how they develop the tools and techniques needed to navigate and manipulate the systems, and how they gain access and execute their malware.
According to ZDNET, NSA wants operators to be more aware of the risks they bring to their systems when deciding what information to make publicly available. The agencies also offer simple mitigation strategies that operators can follow if they are experiencing “choice paralysis”. Limiting public exposure of system hardware, firmware, software, and information emitted by the system is one of these tactics. Operators should also prioritize a dynamic rather than static network environment, an inventory of remote access points that is itself kept secure, restriction of network and control-system scripts and tools to authorized users performing legitimate tasks, and regular security audits.
While it may be unrealistic for the administrators of many OT/ICS environments to make regular non-critical changes, owner/operators should consider periodically making manageable network changes. A small change can go a long way toward disrupting access a malicious actor has previously obtained.
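Three of the mitigations above (keep an inventory of remote access points, restrict scripts and tools to authorized users and tasks, and audit regularly) are the kind of thing an operator can check mechanically. The following is an added example, not code from the NSA/CISA advisory or from ZDNET: it runs a constructed remote-session log against a constructed access-point inventory and tool allowlist, and reports sessions from access points that are not in the inventory, tool use by users not on the allowlist, and inventory entries whose last audit is older than the review interval. All names (`vpn-eng`, `vendor-jump-01`, `plc-push.py`, the user names and dates) are hypothetical.

```python
"""Audit remote access points and control-system tool use against an approved
inventory. Added example; inventory, allowlist and log lines are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed inventory of remote access points: owner and last review date.
REMOTE_ACCESS_POINTS = {
    "vpn-eng": {"owner": "ot-network-team", "last_audit": date(2022, 9, 1)},
    "vendor-jump-01": {"owner": "integrator-x", "last_audit": date(2022, 3, 15)},
}

# Constructed allowlist: which users may run which control-system tools.
AUTHORIZED_TOOL_USERS = {
    "plc-push.py": {"ot-admin"},
    "hmi-config": {"ot-admin", "integrator-x"},
}

# How often an inventory entry must be re-reviewed (hypothetical policy value).
AUDIT_INTERVAL = timedelta(days=90)

# Constructed log lines: "<ISO date> <access_point> <user> <tool>".
SAMPLE_LOG = """\
2022-09-20 vpn-eng ot-admin plc-push.py
2022-09-21 vendor-jump-01 integrator-x hmi-config
2022-09-21 cell-modem-7 contractor plc-push.py
2022-09-22 vpn-eng helpdesk hmi-config
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # unknown_access_point | unauthorized_tool_use | stale_audit
    detail: str


def parse_log(text):
    """Turn the whitespace-separated sample log into (date, ap, user, tool) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, access_point, user, tool = line.split()
        events.append((date.fromisoformat(day), access_point, user, tool))
    return events


def audit(events, inventory, allowlist, today, interval=AUDIT_INTERVAL):
    """Check sessions against the inventory and allowlist, then check the
    inventory itself for entries that are overdue for review."""
    findings = []
    for day, ap, user, tool in events:
        if ap not in inventory:
            findings.append(Finding("unknown_access_point",
                                    f"{ap} used by {user} on {day}"))
        if tool in allowlist and user not in allowlist[tool]:
            findings.append(Finding("unauthorized_tool_use",
                                    f"{user} ran {tool} via {ap} on {day}"))
    for ap, meta in inventory.items():
        if today - meta["last_audit"] > interval:
            findings.append(Finding("stale_audit",
                                    f"{ap} last audited {meta['last_audit']}"))
    return findings


def run_sample():
    """Run the audit over the constructed data with a fixed 'today' so the
    result is reproducible."""
    return audit(parse_log(SAMPLE_LOG), REMOTE_ACCESS_POINTS,
                 AUTHORIZED_TOOL_USERS, today=date(2022, 9, 23))


if __name__ == "__main__":
    for finding in run_sample():
        print(f"{finding.kind}: {finding.detail}")
```

On the constructed data this flags the session from the unlisted `cell-modem-7`, the two tool invocations by users outside the allowlist, and the `vendor-jump-01` entry whose last review is past the 90-day interval. In a real environment the inventory and allowlist would come from the operator's asset register and access-control records, and the log from the remote-access gateway, but the shape of the check is the same.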