
Government warns OT assets still in danger of attack over internet

An aerial view of the US Cyber Command joint operations center on the NSA campus. The NSA and CISA have issued a joint alert warning that operational technologies and industrial control systems are at risk to attackers over the internet.

Security professionals responsible for protecting critical infrastructure strive to isolate and segregate their most mission-critical systems, but there are still too many operational technology (OT) assets that are accessible to attackers over the internet, according to a new government alert.

When searchable and accessible via the internet, OT systems – just like conventional IT systems – can potentially be scanned and identified using search tools like Shodan, and ultimately exploited by cybercriminals.

“In fact, in a simple search on Shodan I found more than 20,000 potentially vulnerable ICS systems,” said Bill Swearingen, cyber strategist at IronNet, who noted that although this particular alert didn’t report any newly discovered indicators of compromise or mention any specific nation-state actors, it does highlight an increasingly dangerous threat that needs addressing.

In light of the threat, public- and private-sector entities featuring OT and industrial control systems must take steps to reduce risk and bolster resilience by mapping their assets, limiting their attack surface, hardening their networks and improving incident response.

Among the most key recommendations: OT operators must “immediately disconnect systems from the internet that do not need internet connectivity for safe and reliable operations,” the alert states. The challenge, however, is that internet-accessible OT assets are “becoming more prevalent across the 16 U.S. [critical infrastructure sectors] as companies increase remote operations and monitoring, accommodate a decentralized workforce and expand outsourcing of key skill areas such as instrumentation and control, OT asset management/maintenance, and in some cases, process operations and maintenance.”

The alert, jointly released last week by the National Security Agency (NSA) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), referred specifically to Department of Defense, National Security Strategy, Defense Industrial Base, and U.S. critical infrastructure facilities. “[B]ut they are valid warnings for any organization that has internet-facing systems,” said Nilesh Dherange, CTO at Gurucul.

The two agencies “offer solid advice that applies to any size of operation and reiterates recommendations the information security community has been giving for years,” Dherange continued. “In a nutshell: Have resiliency, business continuity and response plans in place and exercise them. Understand and document your environment, your likely adversaries, and how they will probably attack so you can harden appropriately. Make sure personnel are trained and equipped to resist the expected attack vectors and mitigate them after a breach.”

The alert also warns that organizations must anticipate an attack that might not only disrupt operations, but also present an actual safety hazard. When such a scenario occurs and automated ICS systems are impacted or hijacked, OT and critical infrastructure operators must be able to quickly implement manual contingencies and ensure continuity of process, restore OT devices and services in a timely fashion, and rely on backup data and resources that are stored off-site.

The two agencies also recommend creating an accurate “as-operated OT network map” – then evaluating the cyber risk of assets on this map and implementing a “continuous and vigilant system monitoring program.”
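One way to turn an as-operated network map into the "disconnect what does not need internet connectivity" check the alert calls for, as an added illustration that is not part of the alert or of this article: the asset inventory format, the list of non-routable ranges, and the small ICS port table are all assumptions, and the sample assets use documentation (TEST-NET) addresses as constructed stand-ins for public IPs.

```python
import ipaddress

# Assumed subset of well-known ICS/OT protocol ports used to prioritize findings.
ICS_PORTS = {
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP",
    102: "Siemens S7 (ISO-TSAP)",
    4840: "OPC UA",
    47808: "BACnet",
}

# Address ranges treated as not reachable from the internet (RFC 1918, loopback,
# link-local, CGNAT). Anything outside these is considered routable for this check.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]

# Constructed sample "as-operated" asset map. TEST-NET addresses stand in for public IPs.
SAMPLE_ASSETS = [
    {"name": "plc-boiler-01", "ip": "203.0.113.10", "ports": [502, 80], "internet_required": False},
    {"name": "hmi-control-room", "ip": "10.20.1.5", "ports": [3389, 502], "internet_required": False},
    {"name": "remote-telemetry-gw", "ip": "198.51.100.7", "ports": [443], "internet_required": True},
    {"name": "rtu-substation-03", "ip": "198.51.100.40", "ports": [20000, 22], "internet_required": False},
    {"name": "eng-workstation-vpn", "ip": "203.0.113.22", "ports": [3389], "internet_required": False},
]


def is_publicly_routable(ip):
    """True if the address falls outside the assumed non-routable ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_ROUTABLE)


def find_exposed_ot_assets(assets):
    """Return assets on routable addresses that have no documented need for
    internet connectivity. Assets exposing an ICS protocol are listed first,
    then alphabetically by name, so the riskiest disconnections come first."""
    findings = []
    for asset in assets:
        if not is_publicly_routable(asset["ip"]) or asset.get("internet_required"):
            continue
        ics = [ICS_PORTS[p] for p in asset["ports"] if p in ICS_PORTS]
        findings.append({"name": asset["name"], "ip": asset["ip"],
                         "ics_protocols": ics, "action": "disconnect or isolate"})
    findings.sort(key=lambda f: (len(f["ics_protocols"]) == 0, f["name"]))
    return findings


if __name__ == "__main__":
    for f in find_exposed_ot_assets(SAMPLE_ASSETS):
        print(f"{f['name']:22} {f['ip']:16} ICS={f['ics_protocols'] or '-'}  -> {f['action']}")
```

Re-running the check on each refreshed inventory is one concrete form of the "continuous and vigilant system monitoring" the alert describes, since any newly routable OT asset without a recorded justification surfaces immediately.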

“My biggest takeaway is that proper network segmentation, network behavior analysis, and security incident preparation are needed to protect these critical environments,” concluded Swearingen. “Operators cannot simply rely on anti-virus and firewall systems to solve the OT problem at hand. You instead need to consider improved behavioral analytics and a threat intelligence team either within the walls of your organization or one for hire. Over the past week, we’ve seen confirmed cases of hackers for hire being used by nation-states, so why are we so hesitant to hire threat hunters to defend against them?”

Last February, CISA similarly warned critical infrastructure operators to redouble their security efforts after a natural gas compression facility was hit and shut down by a ransomware attack.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
