State-backed foreign hackers are lining up to target U.S. critical infrastructure, intending to deliver hard cyber shots at vulnerable operational technology (OT) underpinning the nation’s defenses, federal cyber security agencies said in a joint alert.
In an advisory issued late last week, the Department of Homeland Security’s (DHS) cyber security unit and the National Security Agency (NSA) strongly recommended that operators of critical systems take “immediate steps to ensure resilience and safety of US systems should a time of crisis emerge in the near term.”
The Cybersecurity and Infrastructure Security Agency’s (CISA) and NSA's alert was specifically directed at the Department of Defense, National Security Systems (NSS), Defense Industrial Base (DIB) and U.S. critical infrastructure facilities. Foreign powers are ready not only to harm U.S. interests but also to retaliate for “perceived” U.S. aggression, the joint dispatch reads.
“Internet-accessible OT assets are becoming more prevalent across the 16 US CI Sectors as companies increase remote operations and monitoring, accommodate a decentralized workforce, and expand outsourcing of key skill areas such as Instrumentation & Control, OT asset management/maintenance, and in some cases, process operations and maintenance,” DHS and CISA said. Among the critical infrastructure sectors at risk are communications, energy, financial services, healthcare and information technology.
A “perfect storm” of legacy OT assets not designed to defend against malicious cyber activities combined with readily available information that identifies OT assets connected via the Internet have given hackers easy access to unsecured assets, enabled use of common, open-source information about devices, and produced an extensive list of exploits deployable via common exploit frameworks, CISA and the NSA said.
Playing with that card deck, the agencies have laid out a set of recommendations for critical infrastructure operators to safeguard against cyber bad actors. Here is an abridged list:
Have a Resilience Plan for OT
Organizations need an OT resilience plan that allows them to immediately disconnect systems from the Internet that do not need connectivity for safe and reliable operations.
Exercise your Incident Response Plan
Conduct a tabletop exercise including IT and OT executive management, public affairs and legal teams to test your existing incident response plan.
Harden Your Network
Remove access from networks, such as non-US IP addresses if applicable, that do not have legitimate business reasons to communicate with the system.
Create an Accurate “As-operated” OT Network Map Immediately
Document and validate an accurate “as-operated” OT network map. Use vendor-provided tools and procedures to identify OT assets.
Understand and Evaluate Cyber-risk on “As-operated” OT Assets
Use the validated asset inventory to investigate and determine specific risk(s) associated with existing OT devices and OT system software.
Implement a Continuous and Vigilant System Monitoring Program
Log and review all authorized external access connections for misuse or unusual activity.
Federal cybersecurity officials have stepped up the pace and specificity of warnings concerning potential attacks delivered by the nation’s adversaries on systems vital to commercial and civilian interests. Of late, much of it has concerned the coronavirus (COVID-19) pandemic.
For example, two months ago DHS and the Federal Bureau of Investigation (FBI) issued an advisory accusing China of intellectual property espionage related to the COVID-19 vaccine development. That followed a joint warning by DHS, CISA and the U.S. State Department warning that North Korea is an escalating cyber threat to the international community, network defenders and the public.
