We have seen ample evidence in recent years of how nation-states and other well-resourced adversaries use cyberattacks on critical infrastructure as weapons in geopolitical conflicts. The attacks on Ukraine’s power grid, among other incidents, were a demonstration of power and of how a country’s infrastructure can be disrupted. The indiscriminate spread of NotPetya, whose destructive payload caused widespread collateral damage to operational technology (OT) networks and halted production, showed security professionals how poor the cyber-risk posture of their OT networks was, and prompted swift action at many of the largest companies.
For years now, the U.S. government has been warning publicly and explicitly that: “Since at least March 2016, Russian government cyber actors—hereinafter referred to as ‘threat actors’—have threatened government agencies and several vital U.S. infrastructure sectors, including the oil, nuclear, industrial, water, aviation, and vital manufacturing sectors.” The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) could not be any clearer: “We’re in a state of increased tensions and increased risk and exposure.”
Public agency warnings about past threats usually explain how the attacks were carried out and give particular industries some practical measures for improving their risk management capability. This recent warning, however, is noteworthy for its tone, language, and content. Framed from a strategic perspective, it gives specific alerts of an imminent and severe threat to all 16 critical infrastructure sectors, together with a comprehensive set of guidelines for securing OT environments, which together promote a holistic approach to risk reduction.
The timing of this spike in critical infrastructure attacks is not surprising if you think like an intruder. Nation-state actors have typically targeted organizations in sectors such as high-tech manufacturing, pharmaceuticals, agriculture, and health care in order to steal intellectual property. Now it is widely reported that nation-state actors suspected of links to China and Russia are targeting organizations involved in COVID-19 vaccine research and development, a direct use of cyber resources to advance their geopolitical agendas.
The stakes are extraordinarily high for the many U.S. critical infrastructure organizations participating in that work. Adversaries are highly motivated and keenly interested in these efforts; as progress is made toward a vaccine, attacks are likely to escalate. And this is only one example of how the other critical infrastructure sectors can be targeted. Hence the urgency expressed in the NSA and CISA warning about the safety of vulnerable networks.
How can the risk to vital assets be so large? The warning describes a perfect storm, similar to what I mentioned earlier: a mix of legacy OT devices, many of which are now internet-facing (something they were never built for) and therefore expand the attack surface, and opportunistic adversaries with access to tools that reveal such assets and ways to manipulate them. The pervasiveness and seriousness of the situation, and the relative ease with which these attacks can be performed, demand immediate action to reduce exposure through OT networks and control systems. Among a comprehensive list of detailed recommendations, NSA and CISA recommend implementing threat detection technologies.
For years, we have been talking about the need for asset visibility and threat monitoring in OT environments, since one of the greatest obstacles in protecting them is the absence of telemetry, and thus of visibility, in OT networks. One roadblock is that organizations have been hampered by preconceived ideas, carried over from established IT cybersecurity best practices, that prescribe a “crawl, walk, run” approach. What’s more, many IT security tools and solutions add needless complexity and, worse still, simply do not work in OT environments. Given the tone of the NSA and CISA warning, we clearly need to move straight to “go” and concentrate on what we can do immediately to prevent the most harm. That is where threat monitoring comes in.
OT networks are chatty: devices exchange far more identifying information than IT components usually do, including the software version they are running, firmware, serial numbers, and more. OT network traffic therefore carries the information needed to monitor for threats. With a single agentless asset visibility and continuous threat monitoring solution, which can be deployed quickly and integrated into IT systems and workflows, enterprises can move fast to detect and mitigate risk. By translating the complexity of OT networks for IT Security Operations Center (SOC) analysts, such a solution lets IT and OT teams work together and bring the organization’s full resources to bear. They should start by detecting deviations from defined behavioral baselines, unauthorized connections, and the presence of adversary techniques, such as those catalogued in MITRE ATT&CK for ICS, so that mitigation recommendations can be enforced quickly.
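To make the passive-monitoring idea concrete, here is an added example (not code from the original article or from any vendor product it alludes to) in Python. It takes constructed Modbus/TCP flow summaries of the kind a passive sensor derives from a SPAN port, builds an agentless asset inventory from the vendor and firmware strings the devices themselves announce, learns a behavioral baseline of (source, destination, port, function code) tuples from a quiet window, and then flags two kinds of deviation: connections never seen during learning, and write commands from hosts that are not engineering workstations. The IP addresses, vendor name, firmware string, the record format, and the `ENGINEERING_HOSTS` set are all invented for illustration; the Modbus function codes and the ATT&CK for ICS technique reference are real.

```python
"""Passive OT asset inventory and behavioural-baseline detection.

Added example, not part of the original article. All flow records,
addresses, vendor and firmware strings below are constructed for
illustration; they are not real captures.
"""
from dataclasses import dataclass, field

# Modbus function codes that alter process state (coil/register writes).
# A write from an unexpected host maps to MITRE ATT&CK for ICS T0855,
# "Unauthorized Command Message".
MODBUS_WRITE_CODES = {5, 6, 15, 16, 23}

# Hosts permitted to issue writes (assumed engineering workstation).
ENGINEERING_HOSTS = {"192.168.100.20"}

# Constructed flow summaries: "<ts> <src> <dst> <dport> key=val ...".
# Vendor/firmware fields stand in for what a Modbus "Read Device
# Identification" reply (function code 43) reveals on the wire.
LEARNING_WINDOW = [
    "09:00:01 192.168.100.5 192.168.100.10 502 fc=3 vendor=AcmePLC fw=2.1.4",
    "09:00:02 192.168.100.5 192.168.100.11 502 fc=3 vendor=AcmePLC fw=2.1.4",
    "09:00:03 192.168.100.20 192.168.100.10 502 fc=16",  # engineering host writes
    "09:00:04 192.168.100.5 192.168.100.10 502 fc=3",
]
DETECTION_WINDOW = [
    "10:00:01 192.168.100.5 192.168.100.10 502 fc=3",    # normal HMI poll
    "10:00:02 10.10.5.23 192.168.100.10 502 fc=16",      # IT host writing registers
    "10:00:03 10.10.5.23 192.168.100.11 502 fc=43",      # IT host enumerating devices
]


@dataclass
class Asset:
    ip: str
    vendor: str = "unknown"
    firmware: str = "unknown"
    roles: set = field(default_factory=set)


def parse_record(line: str) -> dict:
    """Parse one flow summary into a dict; 'fc' becomes an int."""
    parts = line.split()
    rec = {"ts": parts[0], "src": parts[1], "dst": parts[2], "dport": int(parts[3])}
    for kv in parts[4:]:
        key, _, val = kv.partition("=")
        rec[key] = int(val) if key == "fc" else val
    return rec


def build_inventory(records) -> dict:
    """Derive the asset list from traffic alone: no agents, no active scan."""
    assets = {}
    for r in records:
        for ip in (r["src"], r["dst"]):
            assets.setdefault(ip, Asset(ip))
        server = assets[r["dst"]]
        if "vendor" in r:
            server.vendor = r["vendor"]
        if "fw" in r:
            server.firmware = r["fw"]
        if r["dport"] == 502:
            server.roles.add("modbus-server")
            assets[r["src"]].roles.add("modbus-client")
    return assets


def learn_baseline(records) -> set:
    """Baseline = every (src, dst, dport, fc) tuple seen in the quiet window."""
    return {(r["src"], r["dst"], r["dport"], r.get("fc")) for r in records}


def detect(records, baseline, engineering_hosts) -> list:
    """Return alerts for baseline deviations and unauthorized writes."""
    alerts = []
    for r in records:
        key = (r["src"], r["dst"], r["dport"], r.get("fc"))
        if key not in baseline:
            alerts.append(("new-connection",) + key)
        if r.get("fc") in MODBUS_WRITE_CODES and r["src"] not in engineering_hosts:
            alerts.append(("unauthorized-write",) + key)
    return alerts


def run_demo():
    """Inventory both windows, learn from the first, detect on the second."""
    learning = [parse_record(l) for l in LEARNING_WINDOW]
    detection = [parse_record(l) for l in DETECTION_WINDOW]
    assets = build_inventory(learning + detection)
    baseline = learn_baseline(learning)
    alerts = detect(detection, baseline, ENGINEERING_HOSTS)
    return assets, baseline, alerts


if __name__ == "__main__":
    assets, baseline, alerts = run_demo()
    for a in assets.values():
        print(f"{a.ip:16} vendor={a.vendor:8} fw={a.firmware:6} roles={sorted(a.roles)}")
    for alert in alerts:
        print("ALERT", alert)
```

Two design points matter in practice. First, the baseline is keyed on function code as well as endpoints, so a host that is allowed to read a PLC is still flagged the moment it starts writing to it; a baseline keyed on IP pairs alone would miss that. Second, the learning window has to be taken from traffic you trust to be clean; if the window already contains the adversary's traffic, their behaviour becomes part of "normal", which is why the detection above also carries an absolute rule (writes only from engineering hosts) that does not depend on the baseline at all.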
Without the right defensive tooling, we cannot protect ourselves on this new battlefield. Let’s learn from previous examples of economic warfare, and use the NSA and CISA’s extensive findings and advice to our advantage. The stakes have never been higher. Fortunately, the solution lies within our own capabilities to protect our OT environments.