For those of us working every day to protect our nation’s critical infrastructure and that of our global client base, it comes as no surprise that the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have recently released an urgent advisory, Alert AA20-205A, calling for immediate action to reduce the exposure of Operational Technology (OT) systems. There’s no question that we are in unparalleled times with high tensions and an increasingly high level of targeted attacks. If you’ve ever used Shodan, then you know just how exposed many organizations really are. And what’s worse is that they may not even be aware of their exposure.
It is easy to see the reason for the urgency behind this advisory. Potentially vulnerable assets such as IoT devices and Industrial IoT (IIoT) devices are connecting to enterprise networks in huge numbers. And when you add in the unprecedented changes that COVID-19 has brought about, including a wildly expanded remote workforce (not to mention risks associated with countless “dirty” home networks and unsecured VPN connections!), you get a highly volatile mix with exposure for businesses at an all-time high. In fact, many organizations don’t realize just how many unknown assets are connected to their networks, and it’s not unusual for their estimates to be off by an order of magnitude.
Any good security professional will tell you that a real-time asset inventory is the foundation of a good cybersecurity program; however, that’s just a start. Visibility is important, too, but it must be able to quickly tie to mitigation or another desired action. Otherwise, it’s of little value alone. After all, it is the mitigation that reduces risk and exposure. The NSA/CISA advisory outlines specific mitigation recommendations for immediate action built upon a complete asset inventory and real-time visibility capabilities to reduce exposure and risk.
Without appropriate due diligence, organizations often find that they can check all the boxes when it comes to visibility but are completely unprepared to deal with what they see, such as malware breaches or other nefarious activities. Clearly, asset visibility isn’t enough! Although many cyberattacks are more sophisticated today, even simplistic ones that take advantage of old vulnerabilities can have success in OT environments due to the lack of patching and other common mitigation activities as well as poor segmentation.
Many of these cyberattacks on OT systems involve some form of “living off the land” or, basically, just using PowerShell or other native tools on a system to achieve an underhanded objective. Because these tools are native, without proper monitoring in place, they can also be much more difficult to detect. Similarly, attackers may use common ports leveraged by OT systems, as these ports may already be open through the firewall, as noted in the advisory’s example. Network monitoring solutions must do more than simple port recognition to properly identify protocols; they must be able to perform deep packet and protocol inspection to provide the accuracy and contextual information that is necessary to maintain a secure cyber environment. Ideally, they should go beyond establishing security and provide operational value by identifying operational activities, such as the download of a PLC configuration. While downloading PLC configurations may be a somewhat common activity for OT environments, it is also a vector that attackers may use. Thus, organizations should be made aware of when this happens. As noted in the advisory, the referenced examples follow the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) and the ATT&CK for Industrial Control Systems (ICS) frameworks, which are great tools for enhancing an organization’s response capabilities.
But again, we’re talking about generating more data, which is useless unless you can respond – preferably by taking the immediate actions advised by the NSA and CISA. This means that it is more important than ever to have the ability to automate responses and work toward a proactive cybersecurity program to actively defend today’s “Enterprise of Things.” While some are hesitant to automate mitigations on the OT network due to safety and availability reasons, which is understandable, this can be done relatively easily in phases. For example, mitigations can be implemented in Purdue Levels 3 and 3.5 (DMZ), where it makes sense and is feasible to implement safely and without impacting operations. Many of our customers are doing this, and, with Forescout’s “cloud to controller” capabilities, they are readily taking action in accordance with Alert AA20-205A. You can see how our capabilities map to the advisory’s recommendations here.
As you work through addressing each of these recommendations for reducing risk in your OT environment, consider what may be needed to do these proactively while taking advantage of existing investments. That way, the next time an urgent advisory is released, you can rest assured that you’ve already been there and got that t-shirt!