The National Security Agency (NSA) has released guidelines and an evaluation methodology to improve the cybersecurity of operational technology (OT) and control systems. The advisory, described as a “significant shift,” covers how OT systems are viewed, evaluated, and secured within the U.S., in order to prevent malicious cyber actors (MCA) from executing successful, and potentially damaging, cyber effects.
Titled “Stop Malicious Cyber Activity Against Connected Operational Technology” and developed for National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) OT owners and operators, the advisory provides details on how to evaluate risks to systems and improve the security of connections between OT and enterprise networks. IT exploitation can serve as a pivot point for OT exploitation, so carefully evaluating the risk of connectivity between IT and OT systems is necessary to ensure that OT's unique cybersecurity requirements are met.
The change in approach reacts to recent adversarial exploitation of IT management software and its supply chain, with publicly documented impacts across government agencies and the DIB, and applies to the often stagnant OT assets and control systems installed and used across the U.S. Government (USG) and the DIB, according to the advisory. Many of these assets are past end-of-life and operated without sufficient resources, enabling malicious cyber activity to target OT environments and threaten these networks.
The guidance offers a pragmatic evaluation methodology for deciding how best to improve OT and control system cybersecurity for mission success, which includes understanding the resources a secure system needs, the NSA advisory said. Without direct action to harden OT networks and control systems against vulnerabilities introduced through IT and business network intrusions, OT system owners and operators will remain at indefensible levels of risk.
NSA encourages NSS, DoD, and DIB system owners, operators, and administrators to weigh the value of enterprise IT-to-OT connectivity against its risks and costs. While the safest OT system is one that is not connected to an IT network, mission critical connectivity may be required at times; owners should review the connections and disconnect those that are not truly needed to reduce the risk to OT systems and functions, it said.
The NSA also recommends taking steps to improve cybersecurity for OT networks when IT-OT connectivity is mission-critical, as appropriate to each organization's unique needs, the advisory said. For IT-OT connections deemed necessary, steps should be taken to mitigate the risk of IT-OT exploitation pathways. These mitigations include fully managing all IT-OT connections, limiting access, actively monitoring and logging all access attempts, and cryptographically protecting remote access vectors.
Every IT-OT connection creates an additional vector for potential OT exploitation that could impact and compromise the mission and/or production, the advisory highlighted. Performing a comprehensive risk analysis for all IT-OT interconnections and only allowing mission critical interconnections when they are properly protected will create an improved cybersecurity posture.
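The two preceding paragraphs describe a procedure: inventory every IT-OT interconnection, keep only the mission-critical ones, and for those confirm they are managed, logged, and cryptographically protected, then watch the boundary for access attempts. The script below is an added example of that procedure in Python; it is not code from the NSA advisory or from any named product. The connection inventory, the host addresses, the port numbers, the log line format and the log lines themselves are all constructed for illustration, and the three-deny threshold is an assumed alerting rule.

```python
"""Audit constructed IT-OT boundary data against the advisory's mitigations.

Both the inventory and the log excerpt are made-up sample data (not from
any real network); the log format is a hypothetical boundary-firewall line.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Connection:
    name: str
    it_host: str            # enterprise-side endpoint
    ot_host: str            # control-system endpoint
    port: int
    mission_critical: bool  # does the mission actually need this link?
    encrypted: bool         # is the remote access vector cryptographically protected?
    logged: bool            # are access attempts actively logged?
    owner: Optional[str]    # responsible owner; None means the link is unmanaged


# Constructed inventory of IT-OT interconnections (placeholder names/addresses).
INVENTORY: List[Connection] = [
    Connection("historian-feed", "10.1.1.5", "192.168.50.10", 502, True, True, True, "ot-team"),
    Connection("vendor-remote-access", "10.1.1.9", "192.168.50.20", 3389, True, False, True, "vendor-mgmt"),
    Connection("dashboard-convenience", "10.1.1.7", "192.168.50.30", 102, False, False, False, None),
]


def evaluate_inventory(inventory: List[Connection]) -> Dict[str, List[str]]:
    """Apply the advisory's decision rule: links that are not mission critical
    should be disconnected; for the rest, report which mitigations are missing."""
    findings: Dict[str, List[str]] = {}
    for c in inventory:
        if not c.mission_critical:
            findings[c.name] = ["disconnect: not mission critical"]
            continue
        gaps = []
        if c.owner is None:
            gaps.append("unmanaged: no responsible owner")
        if not c.encrypted:
            gaps.append("unencrypted remote access vector")
        if not c.logged:
            gaps.append("access attempts not logged")
        findings[c.name] = gaps or ["compliant"]
    return findings


# Hypothetical boundary-firewall log format (constructed for this example).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) zone=IT->OT src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>ALLOW|DENY)$"
)

# Constructed sample log: one approved flow, one allowed-but-unapproved flow,
# and one source repeatedly denied at the boundary.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z zone=IT->OT src=10.1.1.5 dst=192.168.50.10 dport=502 action=ALLOW
2024-05-01T08:00:05Z zone=IT->OT src=10.1.1.42 dst=192.168.50.10 dport=502 action=ALLOW
2024-05-01T08:01:00Z zone=IT->OT src=10.1.1.77 dst=192.168.50.20 dport=3389 action=DENY
2024-05-01T08:01:02Z zone=IT->OT src=10.1.1.77 dst=192.168.50.20 dport=3389 action=DENY
2024-05-01T08:01:04Z zone=IT->OT src=10.1.1.77 dst=192.168.50.21 dport=3389 action=DENY
"""


def audit_boundary_log(log_text: str, inventory: List[Connection],
                       deny_threshold: int = 3) -> List[str]:
    """Flag permitted flows that match no approved (mission-critical) connection,
    and sources whose denied attempts reach the assumed alert threshold."""
    approved = {(c.it_host, c.ot_host, c.port) for c in inventory if c.mission_critical}
    alerts: List[str] = []
    denies: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            alerts.append(f"unparsed line: {line!r}")
            continue
        flow = (m["src"], m["dst"], int(m["dport"]))
        if m["action"] == "ALLOW" and flow not in approved:
            alerts.append(f"unapproved IT->OT flow allowed: {flow}")
        elif m["action"] == "DENY":
            denies[m["src"]] += 1
    for src, n in denies.items():
        if n >= deny_threshold:
            alerts.append(f"repeated denied access attempts from {src}: {n}")
    return alerts


if __name__ == "__main__":
    for name, result in evaluate_inventory(INVENTORY).items():
        print(f"{name}: {'; '.join(result)}")
    for alert in audit_boundary_log(SAMPLE_LOG, INVENTORY):
        print("ALERT", alert)
```

Run as-is, the inventory check recommends disconnecting the convenience dashboard link and reports the vendor remote-access link as mission critical but unencrypted, while the log audit raises one alert for an allowed flow that no approved connection explains and one for the source that was denied three times. In a real deployment the inventory would come from the organization's connection register and the log lines from the boundary device's own export format, so the regular expression would need to be adapted.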
While there are very real needs for connectivity and process automation, OT and control system environments are inherently at risk when connected to enterprise IT systems. The advisory urges owners to seriously consider the risks, benefits, and costs before connecting (or continuing to connect) enterprise IT and OT networks. By employing an appropriate risk analysis strategy, leadership and system owners and operators can make informed decisions to better manage OT networks while reducing the threat and impact of exploitation and destructive cyber effects.
Users must carefully prioritize and evaluate the risks before allowing enterprise IT-to-OT connections. While OT systems rarely require outside connectivity to properly function, they are frequently connected for convenience without proper consideration of the true risk and potential adverse business and mission consequences. Taking action now can help improve cybersecurity and ensure mission readiness, the advisory concluded.
This week, U.S. intelligence agencies said that Russian SVR cyber actors used a range of initial exploitation techniques varying in sophistication, coupled with ‘stealthy intrusion tradecraft within compromised networks.’ The Russian Foreign Intelligence Service (SVR) cyber actors have primarily targeted government networks, think tanks and policy analysis organizations, and information technology companies.
The advisory complements an earlier one issued by the agencies alleging ongoing Russian SVR exploitation of five publicly known vulnerabilities, which was released alongside the government’s formal attribution of the SolarWinds supply chain compromise and related cyber-espionage campaign.