CISA, NSA: Nation-State Cyber Attackers Home in on Critical OT/IC Systems -

The Cybersecurity and Infrastructure Security Agency (CISA) in concert with the National Security Agency (NSA) are alerting owners and operators of operational technology/industrial control systems (OT/ICS) that they are prime targets for nation-state hackers and other cyber criminals.

In a lengthy advisory, the two agencies are circulating a bulletin about control system defense of assets that operate, control and monitor day-to-day critical infrastructure and industrial processes. Control System Defense: Know the Opponent is intended to provide critical infrastructure owners and operators with an understanding of the tactics, techniques, and procedures (TTPs) used by malicious cyber actors.

The Bottom Line

Understanding that being targeted is not an “if” but a “when” is essential context for making ICS security decisions. By assuming that the system is being targeted and predicting the effects that a malicious actor would intend to cause, owner/operators can employ and prioritize mitigation actions.

This latest advisory builds on a prior NSA and CISA 2021 guide to stop malicious ICS activity against connect OT issued two years ago.

Per CISA and the NSA alert, cyber threat actors typically follow these steps to plan and execute compromises against critical infrastructure control systems:

Establish intended effect and select a target.

Collect intelligence about the target system.

Develop techniques and tools to navigate and manipulate the system.

Gain initial access to the system.

Execute techniques and tools to create the intended effect.

Defending the Attack Surface

Malicious actors can conduct these steps in a coordinated manner, sometimes concurrently and repeatedly. Some mitigations include:

Limit exposure of system information. To the extent possible, avoid disclosing information about system hardware, firmware and software in any public forum. Incorporate information protection education into training for personnel. Limit information that is sent out from the system.

Identify and secure remote access points. Creating a full “connectivity inventory” is a critical step in securing access to the system.

Restrict tools and scripts. Limit access to network and control system application tools and scripts to legitimate users performing legitimate tasks on the control system. Carefully apply access and use limitations to particularly vulnerable processes and components to limit the threat.

Conduct regular security audits. The owner/operator of the control system should consider performing an independent security audit of the system. This is advised especially for third-party vendor access points and systems to identify and document system vulnerabilities, practices and procedures that should be eliminated to improve the cyber defensive posture.

Implement a dynamic network environment. A static network can provide cyber actors the opportunity to collect bits of intelligence about the system over time, establish long-term accesses into the system, and develop the tools and TTPs to affect the control system as intended.

The combination of integrated, simplified tools and remote access creates an environment ripe for malicious actors to target control systems networks. New IT-enabled accesses provide cyber actors with a larger attack surface into cyber-physical environments. It is vital for OT/ICS defenders to anticipate the TTPs of cyber actors combining IT expertise with engineering know-how.