With growing concern and an ever-evolving ecosystem of cyber security threats, CISA and NSA have recommended asset owners (but not specifically limited to critical infrastructure) immediately reduce their attack surface and minimize exposed assets.
Verve Industrial, like others such as Dale Peterson, isn't particularly fond of the alert: it is vague, whether deliberately because of the nature of the information or simply as a reminder to the industry, and we have not publicly seen an increase in cyber attacks or threats. It's likely urgent (as in this is occurring), but how urgent, or how widespread? We can't say, but we don't want asset owners to become desensitized to alerts.
If anything, the CISA alert is a reaffirmation that your organization should continue with cyber security basics. More fundamental activities are needed, but if you are a mature organization, here's a pat on the back. Don't stop now.
There has likely been a variety of reported cyber incidents or situational reports behind this advisory; what is stated publicly is a noted increase in adversary activity and a continued "willingness to conduct activities against critical infrastructure".
However, from another angle, why and where did this sudden advisory release come from? The scarcely documented attacks in Israel that went over remote access, moved laterally, or even into water sanitization processes (apparently)? Or was it something more grand where the details are hidden behind closed doors?
We regularly find surprises such as unauthorized devices, multi-homed workstations bypassing ACLs, risky software, and even PLCs with poor network protection, so this is not bewildering. But on that note, when stormy conditions arise such as recessions, layoffs, strikes or protests, there are always insider or hacktivism threats that predictably arise; it is not just from X foreign adversary.
Due to the ease of exploiting a system directly attached to the Internet, readily available documentation on OT devices, current COVID-19 cyber security challenges, heightened political tensions, and having a decentralized workforce (due to increased remote access and work from home), attention must be drawn towards ensuring your organization is not unnecessarily at risk.
Figure 1: Freely available tools - great for defenders, free for attackers
In the above example, we have two cyber security search engine tools: Shodan and Spyse. Obviously, there are a “metric ton” of others that can be used to assist white hats, defenders, and red-teams with minimal investment, but for attackers, that same information is also available to them. There is no filter for the bad guys.
Defensive strategies such as scanning and monitoring publicly assigned IPs should be a common blue team activity for mature organizations, but unfortunately, attackers are leveraging those same publicly available tools out of convenience and effort reduction – including out of the box extensions via common exploit frameworks (e.g., Metasploit).
This also allows an attacker to potentially skip a step or two in the cyber kill chain and have the reconnaissance and exploitation phases completed for nearly zero effort on their part. Time is money, money is time, and a lot of attackers are lazy.
Figure 2: Lockheed Martin cyber kill chain and how the CISA alert hints to the availability of free recon & commodity cyber "weapons"
It's not a particularly "advanced" adversarial strategy (e.g., use free tools and already-made exploits), but it emphasizes the point that industrial organizations should manage and remediate "older" vulnerabilities, and have a comprehensive cyber security program that focuses on: asset visibility and inventorying, vulnerability management, endpoint management, system hardening, and ensuring network-level protections.
If we look backwards a bit towards some of the potential inspirations for this alert, we might take another view. After all, maybe NSA and CISA have more information than they are willing to share, or they are attempting to ensure that asset owners in the energy industry are on guard. However….
Figure 3: Example timelines of publicly noted attackers on energy
Perhaps there is truth in the matter, and various countries are all targeting each other's vital spots. But CISA also noted a few tactics, techniques and procedures (TTPs) and their impacts. While I think they are being conservative, I'll list theirs, and a few of mine (but not limited to):
- Deployment of commodity ransomware to "encrypt data for impact" on both networks
- Connecting to Internet Accessible PLCs (and PCs)
- Use of vendor engineering software and program downloads
- Modifying the control logic and parameters on the PLCs
Regardless, ransomware can have a massive impact on organizations. But what CISA is also trying to tell us in the alert is that a number of operational systems are active and directly connected to the Internet. They could have disastrous effects on safety, visibility, control, revenue, and realities for operators (e.g., a Windows box could be used to make a PLC or relay do something it shouldn't, or a PLC's logic could be modified so an operator thinks it is within normal logic constraints).
This isn't a "kid who cried wolf" scenario, but it's a well acknowledged fact that these are the consequences when you allow a malicious entity unfettered access to them. Should you panic? Well, if you find your assets on the Internet, yes. But if you are applying proper best practices to protect your OT assets, then congrats, you are doing the "right thing (trademark)".
There are decades of widely accepted OT/ICS cyber security best practices, and even modern ones such as the ISA-62443 series. It should be a reasonable and feasible process to secure systems at the perimeter and outer OT network levels; however, ensure (at a minimum):
- Network perimeters are adequately protected by firewalls and access control lists (ACLs)
- Remote access mechanisms (and systems using or providing them) are secure
- Systems are patched appropriately and securely configured based on their impact and likelihood of being compromised
- Misconfigurations and architecture exceptions are looked for, and remediated or eliminated
- Vendor software execution (or indicators of its usage) is monitored
- Direct access to OT devices from the Internet is denied
- External network access from internal systems (e.g., to the Internet) is prevented unless on specific and adequately protected systems
- Adequate training for phishing and email-related controls is in place
- Up-to-date and secure backups are available and frequently validated (including offline archives)
- Default passwords are changed, re-use is prevented and there is some diversity
- Processes, policies, and incident handling procedures are tested to ensure their accuracy, completeness, and readiness (e.g., end-to-end cyber fire drills)
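Three of the items above (deny Internet access to OT devices, prevent outbound access except from protected systems, look for architecture exceptions) can be checked mechanically against a firewall policy. The following is an added example, not Verve's or CISA's code: it audits a constructed, zone-based ruleset with first-match semantics and flags effective rules that expose OT to the Internet. The rule format, the zone names ("internet", "dmz", "ot") and the "exception" tag are assumptions for illustration; the port numbers are the well-known defaults for the named OT protocols.

```python
"""Audit a zone-based firewall ruleset for Internet <-> OT exposure.

Added example (not Verve's or CISA's code). The rule dictionaries, the
zone names and the "exception" tag are assumptions for illustration.
"""
OT_PORTS = {502: "Modbus/TCP", 102: "S7comm", 44818: "EtherNet/IP",
            20000: "DNP3", 47808: "BACnet/IP"}

# Constructed ruleset, evaluated first-match like most firewalls.
# Rules 2 and 4 are the deliberate misconfigurations the audit should flag;
# rule 5 is a documented architecture exception and rule 6 is dead (shadowed
# by the deny in rule 3), so neither should be reported.
SAMPLE_RULES = [
    {"id": 1, "action": "allow", "src": "dmz", "dst": "ot", "port": 502},
    {"id": 2, "action": "allow", "src": "internet", "dst": "ot", "port": 502},
    {"id": 3, "action": "deny", "src": "internet", "dst": "ot", "port": "any"},
    {"id": 4, "action": "allow", "src": "ot", "dst": "internet", "port": "any"},
    {"id": 5, "action": "allow", "src": "ot", "dst": "internet", "port": 443,
     "exception": "patch proxy, change ticket on file"},
    {"id": 6, "action": "allow", "src": "internet", "dst": "ot", "port": 102},
]

def _covers(earlier, later):
    """True if 'earlier' matches every packet that 'later' would match."""
    return (earlier["src"] == later["src"] and earlier["dst"] == later["dst"]
            and (earlier["port"] == "any" or earlier["port"] == later["port"]))

def audit_rules(rules):
    """Return (rule id, category, message) for each risky effective allow rule."""
    findings = []
    for i, rule in enumerate(rules):
        if rule["action"] != "allow":
            continue
        if any(e["action"] == "deny" and _covers(e, rule) for e in rules[:i]):
            continue  # shadowed by an earlier deny, so never reached
        port = rule["port"]
        label = "any port" if port == "any" else OT_PORTS.get(port, f"port {port}")
        if rule["src"] == "internet" and rule["dst"] == "ot":
            findings.append((rule["id"], "inbound",
                             f"Internet -> OT allowed on {label}"))
        elif rule["src"] == "ot" and rule["dst"] == "internet" and not rule.get("exception"):
            findings.append((rule["id"], "outbound",
                             f"OT -> Internet allowed on {label} without a documented exception"))
    return findings

if __name__ == "__main__":
    for rule_id, category, msg in audit_rules(SAMPLE_RULES):
        print(f"rule {rule_id} [{category}]: {msg}")
```

Note that the ordering check matters: a "deny Internet to OT" rule at the bottom of the policy does nothing for an allow placed above it, which is exactly the kind of architecture exception that ends up as an Internet-accessible PLC.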
Therefore, if you have engaged in active cyber security program measures representative of the risk and maturity of your organization, great – but don’t stop. Otherwise, this should all be common process and risk management.
CISA’s alert is not novel or even “newsworthy” by itself, but rather a rehash of a couple of decades of community advice. Security is ultimately in your hands (and unlikely insured), but do not be afraid to work with your established and trusted vendors to manage your concerns.
Truthfully, the reason for the alert is insignificant because this is almost business as usual from a risk perspective. While it is always important to take sufficient steps to keep the lights on, water flowing, economies moving, and ensure human and environmental safety (HSE), there will always be thieves, criminals and warfare.
It makes sense that CISA would create an alert, and the DHS enumerates its critical infrastructure verticals (or "DHS-16"), which have a fundamental role in securing several sectors including energy, defense, transportation, water, chemical, and more.
From Verve’s perspective, we encourage asset owners to work with us, their vendors and partners, and their country's agencies (e.g., not limited to the United States of America) to take a stance of strong ownership of their cyber security program. It’s not an internal blame game, but one of continued success and feasibility.