The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) released a new cybersecurity advisory on September 22 to help owners and operators of critical infrastructure better protect operational technology (OT) and industrial control systems (ICS) assets as the likelihood of cyberattacks against those assets increases.
OT and ICS assets that operate, control, and monitor day-to-day critical infrastructure continue to be an attractive target for malicious cyber actors because they often incorporate vulnerable IT components and include external connections and remote access that increase their attack surfaces. Traditional approaches to securing OT and ICS do not adequately address current threats to those systems.
However, “owners and operators who understand cyber actors’ tactics, techniques, and procedures can use that knowledge when prioritizing hardening actions for OT and ICS,” the advisory reads.
According to CISA and the NSA, cyber actors typically follow a set of steps to plan and execute compromises against critical infrastructure control systems, including:
- Establishing an intended effect and selecting a target;
- Collecting intelligence about the target system;
- Developing techniques and tools to navigate and manipulate the system;
- Gaining initial access to the system; and
- Executing techniques and tools to create the intended effect.
“Leveraging specific expertise and network knowledge, malicious actors – especially state-sponsored ones – can conduct these steps in a coordinated manner, sometimes concurrently and repeatedly,” the advisory says.
The variety of security solutions available to operators can be intimidating, resulting in “choice paralysis,” the advisory notes.
“In the midst of so many options, owners and operators may be unable to incorporate simple security and administrative strategies that could mitigate many of the common and realistic threats,” CISA and NSA said.
The advisory recommends that owners and operators of critical infrastructure adopt a set of straightforward mitigation practices to defend their systems, such as limiting exposure of system information, identifying and securing remote access points, conducting regular security audits, restricting the tools and scripts available on the network, and implementing a dynamic network environment.
In addition, the advisory stresses that owners and operators of critical infrastructure must know every device in their systems, paying particular attention to those that can be accessed remotely, including by device vendors.
“Establish a firewall and a demilitarized zone between the control system and the vendor’s access points and devices… Do not allow direct access into the system; use an intermediary service to share only necessary data and only when required,” the advisory says.
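The segmentation the advisory describes above (vendor access terminates in a DMZ, and only an intermediary service crosses from the DMZ into the control network) is a policy that can be written down once and then checked mechanically against both the firewall configuration and the traffic actually observed. The Python below is an added example and is not code from the advisory or from CISA/NSA: the zone address ranges, the allowed ports, and the flow records it audits are all constructed for illustration, and the nftables rendering is one way to express such a policy rather than the advisory's own.

```python
"""
Added example (not from the CISA/NSA advisory): express a "no direct vendor
access to the control network" segmentation policy, render it as a firewall
ruleset, and audit constructed flow records against it.
All zone ranges, ports and flow records below are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed zone layout: vendor remote-access egress, the DMZ that hosts the
# intermediary service, and the control network (PLCs, HMIs, historian).
ZONES = {
    "vendor": ipaddress.ip_network("203.0.113.0/24"),
    "dmz": ipaddress.ip_network("10.10.0.0/24"),
    "control": ipaddress.ip_network("192.168.100.0/24"),
}

# Allowed flows as (src_zone, dst_zone, dst_port); everything else is denied.
# The vendor reaches only the DMZ intermediary; only the DMZ reaches control,
# and only on the protocols the intermediary actually relays (assumed ports).
ALLOWED = {
    ("vendor", "dmz", 443),    # vendor -> intermediary web/API front end
    ("dmz", "control", 502),   # intermediary -> PLCs over Modbus/TCP
    ("dmz", "control", 20000), # intermediary -> RTUs over DNP3
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def zone_of(addr: str) -> str:
    """Map an address to its zone name, or 'unknown' if it is in none of them."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason) for one flow under the segmentation policy."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == "vendor" and dst_zone == "control":
        return "DENY", "direct vendor-to-control access bypasses the DMZ intermediary"
    if (src_zone, dst_zone, flow.dport) in ALLOWED:
        return "ALLOW", f"{src_zone}->{dst_zone}:{flow.dport} is in policy"
    return "DENY", f"{src_zone}->{dst_zone}:{flow.dport} not in policy (default deny)"


def audit(log_text: str) -> list[tuple[Flow, str]]:
    """Return the policy violations found in 'timestamp src dst dport proto' records."""
    violations = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _ts, src, dst, dport, proto = line.split()
        flow = Flow(src, dst, int(dport), proto)
        verdict, reason = evaluate(flow)
        if verdict == "DENY":
            violations.append((flow, reason))
    return violations


def render_nftables() -> str:
    """Render the same policy as an nftables forward chain for the DMZ firewall."""
    lines = [
        "table inet ot_dmz {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for src_zone, dst_zone, port in sorted(ALLOWED):
        lines.append(
            f"    ip saddr {ZONES[src_zone]} ip daddr {ZONES[dst_zone]} tcp dport {port} accept"
        )
    lines += ["  }", "}"]
    return "\n".join(lines)


# Constructed flow records (not real traffic): the third is a vendor host
# reaching a PLC directly, the fourth is RDP to the DMZ that policy never allowed.
SAMPLE_FLOWS = """\
# timestamp            src            dst             dport proto
10:00:01Z 203.0.113.5 10.10.0.10 443 tcp
10:00:07Z 10.10.0.10 192.168.100.20 502 tcp
10:01:13Z 203.0.113.5 192.168.100.20 502 tcp
10:02:30Z 203.0.113.9 10.10.0.10 3389 tcp
"""

if __name__ == "__main__":
    print(render_nftables())
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"VIOLATION {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: {reason}")
```

Running the block prints the ruleset and two violations: the direct vendor-to-PLC Modbus session, which is exactly the path the advisory says to remove, and an RDP attempt into the DMZ that falls to the default deny. The same `ALLOWED` set drives both the rendered firewall rules and the audit, so a flow that the audit flags is one the firewall should already be dropping; if it appears in real flow records, either the firewall is misconfigured or a path exists around it.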