Security professionals responsible for protecting critical infrastructure strive to isolate and segregate their most mission-critical systems, but there are still too many operational technology (OT) assets that are accessible to attackers over the internet, according to a new government alert.
When searchable and accessible via the internet, OT systems – just like conventional IT systems – can potentially be scanned and identified using search tools like Shodan, and ultimately exploited by cybercriminals.
“In fact, in a simple search on Shodan I found more than 20,000 potentially vulnerable ICS systems,” said Bill Swearingen, cyber strategist at IronNet, who noted that although this particular alert didn’t report any newly discovered indicators of compromise or mention any specific nation-state actors, it does highlight an increasingly dangerous threat that needs addressing.
In light of the threat, public- and private-sector entities featuring OT and industrial control systems must take steps to reduce risk and bolster resilience by mapping their assets, limiting their attack surface, hardening their networks and improving incident response.
Among the most key recommendations: OT operators must “immediately disconnect systems from the internet that do not need internet connectivity for safe and reliable operations,” the alert states. The challenge, however, is that internet-accessible OT assets are “becoming more prevalent across the 16 U.S. [critical infrastructure sectors] as companies increase remote operations and monitoring, accommodate a decentralized workforce and expand outsourcing of key skill areas such as instrumentation and control, OT asset management/maintenance, and in some cases, process operations and maintenance.”
The alert, jointly released last week by the National Security Agency (NSA) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), referred specifically to Department of Defense, National Security Strategy, Defense Industrial Base, and U.S. critical infrastructure facilities. “[B]ut they are valid warnings for any organization that has internet-facing systems,” said Nilesh Dherange, CTO at Gurucul.
The two agencies “offer solid advice that applies to any size of operation and reiterates recommendations the information security community has been giving for years,” Dherange continued. “In a nutshell: Have resiliency, business continuity and response plans in place and exercise them. Understand and document your environment, your likely adversaries, and how they will probably attack so you can harden appropriately. Make sure personnel are trained and equipped to resist the expected attack vectors and mitigate them after a breach.”
The alert also warns that organizations must anticipate an attack that might not only disrupt operations, but also present an actual safety hazard. When such a scenario occurs automated ICS systems are impacted or hijacked, OT and critical infrastructure operators must be able to quickly implement manual contingencies and ensure continuity of process, restore OT devices and services in timely fashion, and rely on backup data and resources that are stored off-site.
The two agencies also recommend creating an accurate “as-operated OT network map” – then evaluating the cyber risk of assets on this map and implementing a “continuous and vigilant system monitoring program.”
“My biggest takeaway is that proper network segmentation, network behavior analysis, and security incident preparation are needed to protect these critical environments,” concluded Swearingen. “Operators cannot simply rely on anti-virus and firewall systems to solve the OT problem at hand. You instead need to consider improved behavioral analytics and a threat intelligence team either within the walls of your organization or one for hire. Over the past week, we’ve seen confirmed cases of hackers for hire being used by nation-states, so why are we so hesitant to hire threat hunters to defend against them?”
Last February, CISA similarly warned critical infrastructure operators to redouble their security efforts after a natural gas compression facility was hit and shut down by a ransomware attack.