July 24, 2020 (updated 27 Jul 2020 8:49am)

National Security Agency: Assume Your OT Control System Will Get Turned Against You

Ensure resilience "should a time of crisis emerge in the near term"

By CBR Staff Writer

The US National Security Agency (NSA) this week warned that a “perfect storm” is brewing for businesses running Operational Technology (OT) assets, including Critical National Infrastructure (CNI) providers across 16 sectors — from dams to chemicals, financial services to food, nuclear to defense.

Organisations should develop resilience plans that assume “a control system that is actively acting contrary to the safe and reliable operation of the process”, the agency said in a joint alert published on Thursday with the Cybersecurity and Infrastructure Security Agency (CISA). In short: organisations should assume their control systems will get compromised and turned against them.

The agencies urged a wide range of “immediate steps” to ensure infrastructure resilience “should a time of crisis emerge in the near term”.

These include making sure that a “gold copy” of crucial firmware, software, ladder logic, service contracts, product licenses, product keys, and configuration information is kept off-network, with at least one copy in a locked, tamper-proof environment such as a safe. (The alert also tells operators to prohibit the use of default passwords on all devices and to use multi-factor authentication for remote access.)


Vulnerabilities are worsening as companies “increase remote operations and monitoring, accommodate a decentralised workforce, and expand outsourcing of key skill areas such as instrumentation and control, OT asset management/maintenance, and in some cases, process operations and maintenance” the NSA said.

It blamed a proliferation of networked OT assets, easily available open-source information about devices, and powerful attacks deployable via common exploit frameworks like Metasploit, Core Impact, and Immunity Canvas for making life easier for attackers. (Defenders can — and should — also use publicly available tools like Shodan, to discover their internet-accessible OT devices, the advisory noted).
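The advisory's suggestion to use Shodan against your own address space only helps if the results are triaged quickly. The script below is an added example (not code from the NSA/CISA alert or from Shodan) that groups Shodan-style banner records per host and ranks hosts so that anything speaking an industrial protocol straight to the internet comes first, followed by exposed remote-access services. The sample records are constructed to mimic the field names of Shodan's JSON banners (`ip_str`, `port`, `transport`, `product`, `org`); the port table and the priority labels are the author's assumptions, and `load_shodan_json` assumes a JSON-lines file such as a decompressed `shodan download` output.

```python
"""Triage of internet-exposed OT services from Shodan-style banner records.

Added example, not from the NSA/CISA advisory. SAMPLE_MATCHES is CONSTRUCTED
to resemble Shodan banner objects; no real host was queried. In practice
you would feed triage() the banners returned for your own netblocks.
"""
import ipaddress
import json

# Default ports of common industrial protocols (assumed table, extend as needed).
OT_PORTS = {
    102: "Siemens S7comm (ISO-TSAP)",
    502: "Modbus/TCP",
    1911: "Tridium Niagara Fox",
    2404: "IEC 60870-5-104",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP (CIP)",
    47808: "BACnet/IP",
}

# Remote-access and management services that the "disconnect if not needed for
# safe and reliable operations" guidance also targets (assumed table).
REMOTE_ACCESS_PORTS = {22: "SSH", 23: "Telnet", 80: "HTTP", 443: "HTTPS",
                       3389: "RDP", 5900: "VNC"}

# Constructed sample in the shape of Shodan banner records.
SAMPLE_MATCHES = [
    {"ip_str": "203.0.113.10", "port": 502, "transport": "tcp", "product": "Modbus", "org": "Example Water Utility"},
    {"ip_str": "203.0.113.10", "port": 80, "transport": "tcp", "product": "lighttpd", "org": "Example Water Utility"},
    {"ip_str": "203.0.113.25", "port": 44818, "transport": "tcp", "product": "Rockwell Automation", "org": "Example Water Utility"},
    {"ip_str": "203.0.113.40", "port": 5900, "transport": "tcp", "product": "VNC", "org": "Example Water Utility"},
    {"ip_str": "203.0.113.40", "port": 443, "transport": "tcp", "product": "nginx", "org": "Example Water Utility"},
    {"ip_str": "198.51.100.7", "port": 8080, "transport": "tcp", "product": "Apache httpd", "org": "Example Water Utility"},
]


def load_shodan_json(path):
    """Parse a JSON-lines banner file (one banner object per line)."""
    with open(path) as fh:
        return [json.loads(line) for line in fh if line.strip()]


def triage(matches, my_ranges):
    """Group banners per host and rank hosts, most urgent first.

    P1: an industrial protocol is reachable from the internet.
    P2: only remote-access/management services are exposed (the usual pivot).
    P3: anything else, for inventory follow-up.
    Hosts outside my_ranges are dropped, since net: filters can over-match.
    """
    nets = [ipaddress.ip_network(r) for r in my_ranges]
    hosts = {}
    for m in matches:
        ip = ipaddress.ip_address(m["ip_str"])
        if not any(ip in n for n in nets):
            continue
        entry = hosts.setdefault(m["ip_str"],
                                 {"ip": m["ip_str"], "ot": [], "remote": [], "other": []})
        port = m["port"]
        if port in OT_PORTS:
            entry["ot"].append((port, OT_PORTS[port]))
        elif port in REMOTE_ACCESS_PORTS:
            entry["remote"].append((port, REMOTE_ACCESS_PORTS[port]))
        else:
            entry["other"].append((port, m.get("product", "")))
    for e in hosts.values():
        if e["ot"]:
            e["priority"] = "P1-disconnect-or-isolate"
        elif e["remote"]:
            e["priority"] = "P2-review-remote-access"
        else:
            e["priority"] = "P3-inventory"
    order = {"P1-disconnect-or-isolate": 0, "P2-review-remote-access": 1, "P3-inventory": 2}
    return sorted(hosts.values(), key=lambda e: (order[e["priority"]], e["ip"]))


if __name__ == "__main__":
    for h in triage(SAMPLE_MATCHES, ["203.0.113.0/24"]):
        print(h["priority"], h["ip"], h["ot"], h["remote"], h["other"])
```

With the constructed sample, the two hosts exposing Modbus/TCP and EtherNet/IP are ranked P1 ahead of the host that only exposes VNC and HTTPS, and the host outside the declared range is ignored.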

Organisations need an OT resilience plan that allows them to:

  • “Immediately disconnect systems from the Internet that do not need internet connectivity for safe and reliable operations.”
  • “Plan for continued manual process operations should the ICS become unavailable or need to be deactivated due to hostile takeover.”
  • “Remove additional functionality that could induce risk and attack surface area.”
  • “Identify system and operational dependencies.”
  • “Restore OT devices and services in a timely manner. Assign roles and responsibilities for OT network and device restoration.”
  • “Backup ‘gold copy’ resources, such as firmware, software, ladder logic, service contracts, product licenses, product keys, and configuration information.”
  • “Verify that all ‘gold copy’ resources are stored off-network and store at least one copy in a locked tamperproof environment (e.g., locked safe).”
  • “Test and validate data backups and processes in the event of data loss due to malicious cyber activity.”
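A gold copy is only useful if, at restoration time, you can tell that the firmware image or PLC project you are about to load is the one you put in the safe. The script below is an added example (not part of the advisory) of the "verify" and "test and validate" items above: it writes a SHA-256 manifest next to the gold-copy files and later re-hashes the medium, reporting modified, missing and unexpected files. The directory layout, file names and contents are constructed in a temporary directory so the block runs stand-alone; the single `manifest_sha256` value is meant to be written on the paper record kept with the safe, so the check does not depend solely on the medium it protects.

```python
"""Build and verify an integrity manifest for "gold copy" OT resources.

Added example, not from the NSA/CISA advisory. Files under the gold-copy
root are CONSTRUCTED by demo(); the layout is an assumption.
"""
import hashlib
import json
import os
import tempfile

MANIFEST_NAME = "GOLDCOPY.MANIFEST.json"


def _sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(files):
    # Stable encoding of the file table so its hash can be recorded off-medium.
    return json.dumps(files, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(root):
    """Hash every file under root (except the manifest) and write the manifest."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(names):
            if name == MANIFEST_NAME:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            files[rel] = {"sha256": _sha256_file(full), "size": os.path.getsize(full)}
    manifest = {"files": files, "manifest_sha256": hashlib.sha256(_canonical(files)).hexdigest()}
    with open(os.path.join(root, MANIFEST_NAME), "w") as fh:
        json.dump(manifest, fh, indent=1, sort_keys=True)
    return manifest


def verify_gold_copy(root, expected_manifest_sha256=None):
    """Re-hash root against its manifest.

    Returns (ok, problems); problems are strings prefixed with
    'manifest:', 'modified:', 'missing:' or 'unexpected:'.
    """
    problems = []
    with open(os.path.join(root, MANIFEST_NAME)) as fh:
        manifest = json.load(fh)
    files = manifest["files"]
    actual = hashlib.sha256(_canonical(files)).hexdigest()
    if actual != manifest["manifest_sha256"]:
        problems.append("manifest: file table does not match its recorded hash")
    if expected_manifest_sha256 and actual != expected_manifest_sha256:
        problems.append("manifest: hash differs from the value recorded off-medium")
    seen = set()
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name == MANIFEST_NAME:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            seen.add(rel)
            if rel not in files:
                problems.append("unexpected: " + rel)
            elif _sha256_file(full) != files[rel]["sha256"]:
                problems.append("modified: " + rel)
    for rel in files:
        if rel not in seen:
            problems.append("missing: " + rel)
    return (not problems, sorted(problems))


def demo():
    """Constructed gold copy: write files, build manifest, tamper, verify again."""
    root = tempfile.mkdtemp(prefix="goldcopy_")
    os.makedirs(os.path.join(root, "plc1"))
    with open(os.path.join(root, "plc1", "firmware.bin"), "wb") as fh:
        fh.write(b"\x7fELF-constructed-firmware-image\x00" * 64)
    with open(os.path.join(root, "plc1", "ladder.L5X"), "wb") as fh:
        fh.write(b"<RSLogix5000Content>constructed</RSLogix5000Content>")
    with open(os.path.join(root, "licenses.txt"), "w") as fh:
        fh.write("product key: CONSTRUCTED-PLACEHOLDER\n")
    m = build_manifest(root)
    clean = verify_gold_copy(root, m["manifest_sha256"])
    # Simulate a tampered firmware image and a lost license record.
    with open(os.path.join(root, "plc1", "firmware.bin"), "ab") as fh:
        fh.write(b"\x90")
    os.remove(os.path.join(root, "licenses.txt"))
    tampered = verify_gold_copy(root, m["manifest_sha256"])
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

Run the build step when the medium is written, keep the manifest hash with the paper inventory, and run the verify step both as a periodic restore drill and immediately before any real restoration.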

Poorly resourced organisations can tap publicly available tools, such as Wireshark, NetworkMiner, and the NSA’s own GRASSMARLIN for help in documenting and validating an accurate “as-operated” OT network map, the NSA noted, pointing defenders towards best practice like network segmentation, VPNs secured with MFA, secure network architectures utilising demilitarised zones, firewalls, jump servers, and/or one-way communication diodes, and — yes — regular patching.
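Once you have captured traffic with Wireshark or NetworkMiner, the useful artefact is a summary of which zone talks to which over which protocol, compared against the segmentation you think you have. The script below is an added example (not from the advisory or from GRASSMARLIN) that builds such an "as-operated" map from flow records and lists every flow crossing a zone boundary that is not on an allow-list. The flow records and the zone layout (enterprise, DMZ, control, field) are constructed assumptions for a small plant network.

```python
"""Derive an "as-operated" OT conversation map from flow records and flag
cross-zone traffic that the intended architecture does not permit.

Added example, not from the NSA/CISA advisory. FLOWS and ZONES are CONSTRUCTED;
real input would come from a conversation export of a packet capture.
"""
import ipaddress
from collections import defaultdict

# Assumed zones for a small plant; adjust to the real architecture.
ZONES = {
    "enterprise": ipaddress.ip_network("10.1.0.0/16"),
    "dmz": ipaddress.ip_network("10.2.0.0/24"),
    "control": ipaddress.ip_network("10.10.0.0/24"),
    "field": ipaddress.ip_network("10.10.1.0/24"),
}

OT_PORTS = {102: "S7comm", 502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}

# Conversations allowed to cross a zone boundary: (src zone, dst zone, dst port).
ALLOWED_CROSSINGS = {
    ("enterprise", "dmz", 443),   # users reach the historian web UI in the DMZ
    ("dmz", "control", 44818),    # DMZ historian polls the control zone
    ("control", "field", 502),    # SCADA server polls field PLCs
    ("control", "field", 44818),
}

# Constructed flow records: (src, dst, dst_port, proto, bytes).
FLOWS = [
    ("10.10.0.5", "10.10.1.11", 502, "tcp", 120000),
    ("10.10.0.5", "10.10.1.12", 44818, "tcp", 84000),
    ("10.2.0.3", "10.10.0.5", 44818, "tcp", 30000),
    ("10.1.4.22", "10.2.0.3", 443, "tcp", 9000),
    ("10.1.4.22", "10.10.1.11", 502, "tcp", 400),     # workstation talking Modbus to a PLC
    ("10.10.1.12", "203.0.113.9", 443, "tcp", 2000),  # field-zone host reaching the internet
    ("10.10.0.5", "10.10.0.7", 3389, "tcp", 500),     # RDP within the control zone
]


def zone_of(ip):
    """Name of the zone containing ip, or 'external' if it is in none of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def as_operated_map(flows):
    """{(src_zone, dst_zone, protocol_label): total_bytes} summarising who talks to whom."""
    summary = defaultdict(int)
    for src, dst, dport, proto, nbytes in flows:
        label = OT_PORTS.get(dport, f"{proto}/{dport}")
        summary[(zone_of(src), zone_of(dst), label)] += nbytes
    return dict(summary)


def segmentation_violations(flows):
    """Flows crossing a zone boundary without an ALLOWED_CROSSINGS entry."""
    out = []
    for src, dst, dport, proto, nbytes in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz or (sz, dz, dport) in ALLOWED_CROSSINGS:
            continue
        out.append({"src": src, "dst": dst, "dport": dport,
                    "path": f"{sz}->{dz}", "ot_protocol": OT_PORTS.get(dport)})
    return out


if __name__ == "__main__":
    for key, total in sorted(as_operated_map(FLOWS).items()):
        print(key, total)
    for v in segmentation_violations(FLOWS):
        print("VIOLATION", v)
```

On the constructed data the map shows the expected control-to-field polling, and the violation list contains exactly the two things the advisory is worried about: an enterprise workstation speaking Modbus directly to a PLC, and a host in the field zone talking to the internet.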

“Over recent months, cyber actors have demonstrated their continued willingness to conduct malicious cyber activity against critical infrastructure, by exploiting internet-accessible OT assets”, the NSA warning noted, pointing to media reports about an attack on Israeli water facilities. “Due to the increase in adversary capabilities and activity, the criticality to U.S. national security and way of life, and the vulnerability of OT systems, civilian infrastructure makes attractive targets for foreign powers attempting to do harm to U.S. interests or retaliate for perceived U.S. aggression.”

The full NSA/CISA advisory is here

See also: Should Infosec Leaders Talk Less, Listen More to OT Specialists?

