The National Security Agency (NSA) is recommending that National Security System (NSS), Defense Department (DoD), and Defense Industrial Base (DIB) network owners perform a detailed risk analysis before creating cross-domain connections, and for all operational technology (OT) that is already connected.
In a Cybersecurity Advisory released by NSA, the agency detailed how recent high-profile cyber intrusions of networks through exploitation of IT management software and supply chains are shifting how OT should be viewed, evaluated, and secured within the United States.
“This paradigm shift applies to the stagnant OT assets and control systems installed and used throughout the [U.S. government] and DIB, many of which are past end-of-life and operated without sufficient resources,” said NSA. “To evaluate and improve the cybersecurity of connected OT and control systems, NSA recommends that NSS, DoD, and DIB network owners perform a detailed risk analysis prior to creating cross-domain connections (e.g., IT-to-OT, Internet-to-OT) and for all currently connected OT.”
NSA outlined steps for OT owners and administrators to evaluate cyber risks and to “guide network changes with current resources to realistically monitor and detect malicious activity.”
To take immediate steps toward improving OT cybersecurity, NSA suggests holistically evaluating the value vs. risk vs. cost for enterprise IT-to-OT connectivity through the following steps:
- Acknowledge that standalone, unconnected OT systems are safer from outside threats than ones connected to an enterprise IT system with external connectivity;
- Determine the value to the enterprise of connecting IT systems to OT networks or control system environments;
- Determine the risk to the enterprise of connecting IT systems to OT environments;
- Quantify increased costs associated with mitigating additional risks from connecting the existing OT networks and devices to enterprise IT systems; and
- Present leadership with the findings so it can weigh the value, risks, expenses, and resources involved.
Further, NSA provided steps for improving cybersecurity for connected enterprise IT-to-OT networks, including:
- Fully manage all IT-to-OT connections: encrypt and authenticate them, and “apply an allowlist or a dial-back approach to all access vectors”;
- Where remote access is permitted, add sensors and monitor all cross-domain connections. NSA recommends that “all remote access connections be disconnected until such time that active monitoring is in place”;
- Create a known OT network map and device settings baseline, and validate all equipment on the network by using topographical and physical network mapping and inventorying;
- Create a known OT network communication baseline;
- Assess and prioritize OT network cybersecurity needs to identify required mitigations and define short-, medium-, and long-term cyber-hardening outcomes; and
- Create an exemplar “gold copy” baseline to enable OT networks and devices to be repaired and/or re-instantiated.
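The network map, communication baseline, and allowlisted cross-domain connections in the list above are the raw material for the active monitoring NSA asks for. The script below is an added example, not code from NSA or the advisory: it builds a communication baseline from flow records captured during a known-good period, then checks later flow records against it, flagging new cross-domain (IT-to-OT, OT-to-external) flows that are not on the allowlist as high severity and new flows inside the OT zone as medium. The subnet layout, addresses and flow records are constructed for illustration.

```python
"""Build an OT communication baseline from flow records and flag deviations.

Added example for this article, not NSA code. Zone layout, addresses and
flow records below are constructed (assumed) for illustration.
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass

# Assumed zone layout (constructed): OT control network vs. enterprise IT.
OT_SUBNETS = [ipaddress.ip_network("10.10.0.0/16")]
IT_SUBNETS = [ipaddress.ip_network("10.20.0.0/16")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

    @property
    def key(self) -> tuple[str, str, str, int]:
        return (self.src, self.dst, self.proto, self.dport)


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info"
    reason: str
    flow: Flow


def zone(addr: str) -> str:
    """Classify an address as OT, IT or EXTERNAL using the constructed subnets."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in OT_SUBNETS):
        return "OT"
    if any(ip in net for net in IT_SUBNETS):
        return "IT"
    return "EXTERNAL"


def parse_flows(records: str) -> list[Flow]:
    """Parse 'src dst proto dport' lines; blank lines and '#' comments are skipped."""
    flows = []
    for line in records.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport = line.split()
        flows.append(Flow(src, dst, proto.lower(), int(dport)))
    return flows


def build_baseline(flows: list[Flow]) -> set[tuple[str, str, str, int]]:
    """The communication baseline: every (src, dst, proto, dport) seen in a known-good period."""
    return {f.key for f in flows}


def check_against_baseline(flows, baseline, allowlist) -> list[Finding]:
    """Report every observed flow that is absent from the baseline."""
    findings = []
    for f in flows:
        if f.key in baseline:
            continue
        src_zone, dst_zone = zone(f.src), zone(f.dst)
        if src_zone != dst_zone:  # cross-domain: only allowlisted vectors may exist
            if f.key in allowlist:
                findings.append(Finding("info", f"allowlisted {src_zone}->{dst_zone} flow not in baseline", f))
            else:
                findings.append(Finding("high", f"unapproved cross-domain flow {src_zone}->{dst_zone}", f))
        else:
            findings.append(Finding("medium", f"new flow inside {src_zone} zone", f))
    return findings


def severity_counts(findings: list[Finding]) -> Counter:
    return Counter(fi.severity for fi in findings)


# Constructed known-good capture: HMI polling two PLCs over Modbus/TCP and an
# engineering workstation programming a PLC over S7comm (port 102).
BASELINE_RECORDS = """
10.10.1.20 10.10.1.10 tcp 502
10.10.1.20 10.10.1.11 tcp 502
10.10.1.30 10.10.1.10 tcp 102
"""

# Constructed allowlist: the one sanctioned IT-to-OT vector (jump host -> HMI, RDP).
ALLOWED_CROSS_DOMAIN = {("10.20.5.5", "10.10.1.20", "tcp", 3389)}

# Constructed later capture to check against the baseline.
OBSERVED_RECORDS = """
10.10.1.20 10.10.1.10 tcp 502
10.20.5.5 10.10.1.20 tcp 3389
10.20.7.42 10.10.1.10 tcp 502
10.10.1.20 10.10.1.10 tcp 44818
10.10.1.11 203.0.113.9 tcp 443
"""

if __name__ == "__main__":
    baseline = build_baseline(parse_flows(BASELINE_RECORDS))
    for fi in check_against_baseline(parse_flows(OBSERVED_RECORDS), baseline, ALLOWED_CROSS_DOMAIN):
        print(f"[{fi.severity:6}] {fi.reason}: {fi.flow.src} -> {fi.flow.dst} {fi.flow.proto}/{fi.flow.dport}")
```

Run against the constructed data, the script reports the jump-host RDP session as informational, the IT workstation talking Modbus directly to a PLC and the PLC reaching an external address as high, and the new EtherNet/IP (44818) flow between two OT hosts as medium. In practice the baseline would be built from a sensor on each cross-domain link and the allowlist kept in step with the firewall rules that enforce it.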
“At a high level, existing resources and freely-available OT tools should be applied to better secure enterprise IT-connected OT systems,” said NSA. “Additionally, while not as critical, these same recommendations can be applied to ‘islanded’ and to intermittently connected OT networks and systems to improve cyber resiliency and ensure mission readiness.”