In a recent announcement, the Ukrainian government revealed that it is once again preparing for “massive cyberattacks” that it fears Russian hackers will carry out on critical infrastructure facilities. They also shared their concern for institutions located in allied countries, including Poland and the Baltic States. The target at the top of the list is likely the energy sector considering past breaches of such systems in 2015 and 2016.
NSA and CISA Address Building ICS Cybersecurity Risk
The building anticipation of this threat has organizations like CISA issuing guides on topics such as “indicators of compromise,” according to Security Week. Alongside NSA, CISA has also detailed the 5-step approach that malicious actors typically take when looking to take control of ICS systems, which CSO outlines. The list includes establishing a target that best suits intent, collecting intelligence, putting together the proper techniques, gaining access and, ultimately, carrying out the method of attack.
Additionally, the joint advisory published measures that security professionals can implement in order to avoid having operations compromised. With recommendations provided for each stage of the process described above, the best practices mentioned consist of actions like limiting system information exposure, locating and shielding points of remote access, restricting tools and scripts, conducting security audits and implementing a dynamic network environment. Importantly, Bleeping Computer points out that these procedures take into account the fact that not all operators have access to advanced cybersecurity resources.
ICS Cybersecurity Challenges
Beyond access, however, such cybersecurity guides should also consider another challenge when addressing OT/ICS – the age of many of these systems. As Michael Hill writes at CSO “While OT/ICS assets operate, control, and monitor industrial processes throughout US critical infrastructure, traditional assets are difficult to secure due to their design…Their use of decades-old systems often lack recent security updates, too.”
On top of not always having cybersecurity embedded in their design, static networks give cyber actors the opportunity to collect bits of intelligence about a system over time. In turn, this lets them establish long-term access into the system.
Adopting Manageable Security Recommendations
While it may be unrealistic for the administrators of many OT/ICS environments to make regular non-critical changes, owners and operators should consider periodically making manageable network changes. Manageable moves that have been suggested include deploying additional firewalls and routers from different vendors. Agreeing with this, Dynics CTO Jeff Smith explains, “even as a firewall / perimeter security provider, I don’t recommend using the same solution from a firewall perspective at every level of the stack.” However, other suggestions like modifying IP address pools are far more difficult in the realm of OT and ICS. According to Smith, this is not an option in the OT space without huge cost in time and resources as well as lost production and risk.
While the best paths forward are sorted out, the fact that agencies are taking the initiative to assist ICS cybersecurity is still significant. “I applaud the intent, and anything we can do to “mix it up” and make it harder for an adversary to compromise an OT system is not to be discarded out of hand,” says Smith.
- “Ukraine Says Russia Planning ‘Massive Cyberattacks’ on Critical Infrastructure” – Ryan Naraine, Security Week
- “US CISA/NSA release new OT/ICS security guidance, reveal 5 steps threat actors take to compromise assets” – Michael Hill, CSO
- “NSA shares guidance to help secure OT/ICS critical infrastructure” – Sergiu Gatlan, Bleeping Computer