Earlier this month, the National Security Agency (NSA) and Cybersecurity & Infrastructure Security Agency (CISA) issued a joint advisory that recommended immediate actions to reduce exposure across all operational technologies and control systems. The two agencies warned that over recent months, cyber actors have demonstrated their continued willingness to conduct malicious cyber activity against Critical Infrastructure (CI) by exploiting Internet-accessible Operational Technology (OT) assets.
Pay attention and prioritize Cybersecurity Threats
“If the NSA is coming out of the shadows to speak up in a joint alert with CISA, you want to listen and take action,” said Evan Dornbush, CEO and founder of Point3 security, via an email to ClearanceJobs.
“What is most helpful is that the advisory shares a list of tools attackers are using to identify targets,” added Dornbush, who was formerly a computer network operator at the NSA. “Seeing what the attacker sees allows your cybersecurity team to prioritize your defensive actions. The advisory goes further still, offering a robust set of recommendations for executing a response strategy.”
Ransomware, data breaches, and phishing attacks – Top Threats
Among the recently observed tactics, techniques, and procedures, the NSA and CISA detected spear phishing. Cyber actors seek initial access to an organization’s information technology (IT) network. Once they get access, they will pivot to the operational technology (OT) network, and then deploy a commodity of ransomware to encrypt data for impact on both networks.
“This year continues to see similar threats that cybercriminals have been using over the last several years,” warned James McQuiggan, security awareness advocate at KnowBe4.
“Ransomware, data breaches, and phishing attacks continue to be the top three threats for 2020,” McQuiggan told ClearanceJobs. “Of these threats, social engineering emails are still a successful attack vector for cybercriminals. Adding to it is a majority of the workforce now working from home. Due to this new working environment, there has been a significant increase in social engineering email attacks. Verizon documented in their 2020 data breach investigations report that 80% of all incidents were due to phishing.”
The NSA and CISA also noted that cyber attacks are occurring via Internet accessible PLCs (programmable logic controllers). PLCs do not require authentication for initial access, and they utilize commonly used ports and standard application layer protocols. Such methods allow the cyber criminals to communicate with controllers and download modified control logic.
Create an Incident Response Plan for Cybersecurity threats
The agencies stated that we are in a state of heightened tensions and additional risk and exposure. It is now critical to have a well-exercised incident response plan in place before such an incident actually occurs. This is a sentiment echoed by those in the world of cybersecurity.
“Obviously, the first step is what you take before an incident – make the plan so you have something to follow after an incident,” Jim Purtilo, associate professor of computer science at the University of Maryland, told ClearanceJobs.
This should include a tabletop exercise with executive personnel to test the current plan. It should also include an organization’s public affairs and legal teams in the exercise in addition to the IT, OT, and executive management.
Make a Flow Chart for different Scenarios – Before an Attack
Key decision points should be discussed to identify who would have the authority to make key decisions under different circumstances and to consider scenarios inclusive of the standard tactics, techniques, and procedures (TTPs). Organizations should also be ready and willing to work with third-parties for support. However, it is crucial to review service contracts and governments services for emergency incident response and recovery support prior to an incident.
“The frenzy that ensues when an incident unfolds is a tough time to try to figure out all your corporate obligations, which is why we wrote them down in advance,” added Purtilo.
“You might have already contracted with teams who specialize in such things, so get them in motion as soon as possible,” he noted. “You need to take steps to protect assets, but what that statement means depends on the nature of your business and of the incident. Potentially, you will have a need to bring in media relations to help get ahead of the messaging before customers, stock holders, or competitors seize on early information and things get out of control. If law enforcement is to become involved, then sooner is better than later, and the same statement goes for insurance underwriters.”
Harden your Networks
The agencies suggested that the best way to address a cybersecurity threat is to have a recovery plan in place. Additionally, harden your networks to reduce the likelihood of attacks. A hardened network makes it more challenging for the bad actors to be successful when such an attack does occur.
Because remote connectivity to OT networks and devices provides a known path that can be exploited, such exposure should be reduced as much as possible. This includes removing access from the networks non-U.S. IP address if applicable; fully patch all Internet-accessible systems; segment networks to protect PLCs and workstations from direct exposure to the Internet. Protection can include implementation of secure network architectures that utilize so-called “demilitarization zones” (DMZs), which is a physical subnetwork that contains and exposes an organization’s external-facing services to the untrusted Internet. Reducing exposure also includes firewalls, jump servers, and/or one-way communication diodes.
In addition, all communications to remote devices should be conducted via a virtual private network (VPN). Secure the VPN with strong encryption and multi-factor authentication.
Stronger Passwords and Vigilant Monitoring
Other advice offered by the NSA and CISA included prohibiting the use of default passwords on devices, enforcing strong password security policy, removing/disabling/renaming any default system accounts when/wherever possible, and requiring users to change passwords periodically. The advisory noted that a vigilant monitoring program would also enable system anomaly detection, and help stop cyber attacks. While the best resources are needed in stopping attacks, it’s clear that the best resource – especially with ransomware and phishing attacks – is better staff training.
“A vulnerability scanning program provides additional support against ransomware attacks,” added KnowBe4’s McQuiggan. “Finally, and most importantly, organizations need to have systems to monitor and manage privileged accounts to limit access to those who require it.”
