Attacks and Vulnerabilities
CISA
Critical infrastructure
IT/OT Collaboration
News

NSA issues new guidelines to enhance security of operational technology, control systems cybersecurity

April 30, 2021
NSA issues new guidelines to enhance security of operational technology, control systems cybersecurity

The National Security Agency (NSA) has released guidelines and an evaluation methodology, to improve operational technologies (OT) and control systems cybersecurity. The advisory, described as a “significant shift,” includes understanding how the OT systems are viewed, evaluated, and secured within the U.S., in order to prevent malicious cyber actors (MCA) from executing successful, and potentially damaging, cyber effects. 

Titled, “Stop Malicious Cyber Activity Against Connected Operational Technology” developed for the National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) OT owners and operators, the advisory provides details on how to evaluate risks to systems and improve the security of connections between OT and enterprise networks. IT exploitation can serve as a pivot point for OT exploitation, so carefully evaluating the risk of connectivity between IT and OT systems is necessary to ensure unique cybersecurity requirements are met.

Reacting to recent adversarial exploitation of IT management software and its supply chain in publicly documented impacts across government agencies and the DIB, the change in approach applies to the often stagnant OT assets and control systems installed and used across the U.S. Government (USG) and the DIB, according to the advisory. Several of these assets are past end-of-life and operated without sufficient resources, enabling malicious cyber activities to target OT environments and threaten these networks. 

The guidance offers a pragmatic evaluation methodology that evaluates how to best improve OT and control system cybersecurity for mission success, and include understanding necessary resources for secure systems, the NSA advisory said. Without direct action to harden OT networks and control systems cybersecurity against vulnerabilities introduced through IT and business network intrusions, the OT system owners and operators will remain at indefensible levels of risk.

NSA encourages NSS, DoD, and DIB system owners, operators, and administrators to evaluate the value against risk and costs of enterprise IT to OT connectivity. While the safest OT system is one that is not connected to an IT network, mission critical connectivity may be required at times to review the connections and disconnect those that are not truly needed to reduce the risk to OT systems and functions, it said.

The NSA also recommends taking steps to improve cybersecurity for OT networks when IT-OT connectivity is mission-critical, as appropriate to their unique needs, the NSA advisory said. For IT-OT connections deemed necessary, steps should be taken to mitigate risks of IT-OT exploitation pathways. These mitigations include fully managing all IT-OT connections, limiting access, actively monitoring and logging all access attempts, and cryptographically protecting remote access vectors.

Every IT-OT connection creates an additional vector for potential OT exploitation that could impact and compromise the mission and/or production, the advisory highlighted. Performing a comprehensive risk analysis for all IT-OT interconnections and only allowing mission critical interconnections when they are properly protected will create an improved cybersecurity posture. 

While there are very real needs for connectivity and automating processes, OT and control systems cybersecurity environments are inherently at risk when connected to enterprise IT systems. Seriously consider the risk, benefits, and cost before connecting (or continuing to connect) enterprise IT and OT networks. By employing an appropriate risk analysis strategy, leadership and system owners and operators can make informed decisions to better manage OT networks, while reducing the threats from and impact of exploitation and destructive cyber effects.

Users must carefully prioritize and evaluate the risks before allowing enterprise IT-to-OT connections. While OT systems rarely require outside connectivity to properly function, they are frequently connected for convenience without proper consideration of the true risk and potential adverse business and mission consequences. Taking action now can help improve cybersecurity and ensure mission readiness, the advisory concluded.

This week, U.S. intelligence agencies said that Russian SVR cyber hackers used a range of initial exploitation techniques varying in sophistication, coupled with ‘stealthy intrusion tradecraft within compromised networks.’ The Russian Foreign Intelligence Service (SVR) cyber hackers have primarily targeted government networks, think tanks and policy analysis organizations, and information technology companies. 

The advisory complements an earlier one issued by the agencies alleging ongoing Russian SVR exploitation of five publicly known vulnerabilities, which was released alongside the government’s formal attribution of the SolarWinds supply chain compromise and related cyber-espionage campaign.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

CISA, FBI, Europol, and NCSC-NL issue joint cybersecurity advisory on Akira ransomware threats
CISA, FBI, Europol, and NCSC-NL issue joint cybersecurity advisory on Akira ransomware threats
Mandiant exposes APT44, Russia's Sandworm cyber sabotage unit, targeting global critical infrastructure
Mandiant exposes APT44, Russia’s Sandworm cyber sabotage unit, targeting global critical infrastructure
Hexagon and Dragos announce technical alliance to boost industrial cybersecurity, reduce overall OT cyber risk
Hexagon and Dragos announce technical alliance to boost industrial cybersecurity, reduce overall OT cyber risk
Armis
Armis acquires Silk Security for $150 million to enhance AI-driven cybersecurity capabilities
Nozomi discovers five vulnerabilities in AMI MegaRAC SP-X BMC, exposing OT, IOT devices to RCE attacks
Nozomi secures US$1.25 million US Air Force contract to boost DoD critical infrastructure security
Industrial Cybersecurity Buyers’ Guide 2024 navigates complex industrial landscape
Industrial Cybersecurity Buyers’ Guide 2024 navigates complex industrial landscape
House Energy and Commerce Committee members seek answers from UnitedHealth on Change healthcare cyberattack
House Energy and Commerce Committee members seek answers from UnitedHealth on Change healthcare cyberattack
CISA announces Cyber Storm IX cybersecurity exercise to strengthen national cyber readiness
CISA announces Cyber Storm IX cybersecurity exercise to strengthen national cyber readiness
New NSA guidance identifies need to update AI systems to address changing risks, bolster security
New NSA guidance identifies need to update AI systems to address changing risks, bolster security
Claroty’s Team82 details cyber attack by Blackjack hackers on Moscow's emergency detection systems
Claroty’s Team82 details cyber attack by Blackjack hackers on Moscow’s emergency detection systems