The National Security Agency (NSA), along with the Cybersecurity and Infrastructure Security Agency (CISA), has issued an alert advising government agencies to take immediate actions to secure their operational technology (OT) assets.
The alert cites increased capabilities and activity on the part of adversaries as the reason for additional urgency. The agencies note legacy OT assets that have minimal security, combined with readily available information that identifies OT assets, are creating a “perfect storm.”
OT security issues that IT teams are advised to address include easy access to unsecured assets; use of common, open-source information about devices; and the extensive list of exploits deployable via common exploit frameworks. The report notes that while the attacks being launched may not be technically advanced, the attacks should be taken seriously because of the high-value nature of the OT assets being targeted.
The agencies are advising IT teams to make sure they have a comprehensive OT security plan that provides for:
- Being able to immediately disconnect systems from the internet
- Ensuring compensating controls are in a place where connectivity cannot be removed
- Planning for continued manual process operations should an industrial control system (ICS) become unavailable or need to be deactivated due to hostile takeover
- Removing additional functionality that could increase risk and attack surface area
- Identifying system and operational dependencies
- Restoring OT devices and services in a timely manner
- Backing up “gold copy” resources, such as firmware, software, ladder logic, service contracts, product licenses, product keys, and configuration information
- Testing and validating data backups and processes
Other recommended actions include testing incident response plans; hardening networks using firewalls; creating network maps; evaluating risks to inventory; and implementing a continuous monitoring system. The agencies also advise IT teams to map attack vectors to the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) for ICS framework to better prepare for responding to an attack.
Implications for IoT security
Most of the OT systems that are the focus of the alert have been running in production environments for years. As more organizations start to build Internet of Things (IoT) applications, these same cybersecurity issues will raise their head more broadly. A survey of 170 IoT industry leaders conducted by Omdia in collaboration with the host of the Internet of Worlds Conference finds 85 percent cite security concerns as a major barrier to IoT adoption. Just under two-thirds of respondents (64%) cited end-to-end IoT security as their top short-term priority.
The survey notes the most common methods currently employed to ensure security are end-to-end data encryption (60%), regular firmware and software update policies (54%), and checking on the physical security of devices (44%).
Most OT and IoT systems are deployed by either a line of business or government agency. OT systems as a general rule are managed independently from the application environments managed by centralized IT organizations. However, many organizations are now trying to define a set of cybersecurity policies and best practices that could be applied consistently across an extended enterprise.
Getting IT and OT teams to play nice with one another is not always all that simple. These teams usually have diverse cultures. The challenge and the opportunity are to bring the best of these two cultures together in a way where the whole far exceeds the sum of the parts.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.