The National Security Agency (NSA) released the Cybersecurity Advisory (CSA) “Stop Malicious Cyber Activity Against Connected Operational Technology” for National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) operational technology (OT) owners and operators. The CSA details how to evaluate risks to systems and improve the security of connections between OT and enterprise networks. Because a compromise of information technology (IT) can serve as a pivot point into OT, the risk of each IT-OT connection must be evaluated carefully to ensure that the unique cybersecurity requirements of OT are met.

Each IT-OT connection increases the potential attack surface. To prevent the dangerous results of OT exploitation, OT operators and IT system administrators should ensure that only the most imperative IT-OT connections are allowed, and that those connections are hardened to the greatest extent possible. A recent example of this type of threat is the adversarial exploitation of IT management software and its supply chain in the SolarWinds compromise, which had publicly documented impacts on OT, including U.S. critical infrastructure.

The guidance provides a pragmatic evaluation methodology for assessing how best to improve OT and control system cybersecurity for mission success, including an understanding of the resources needed to secure those systems:

  • First, NSA encourages NSS, DoD, and DIB system owners, operators, and administrators to weigh the value of enterprise IT to OT connectivity against its risks and costs. While the safest OT system is one that is not connected to an IT network, mission critical connectivity may be required at times. Review every connection and disconnect those that are not truly needed, to reduce the risk to OT systems and functions.
  • Next, for the IT-OT connections deemed mission critical, NSA recommends taking steps, appropriate to each organization's unique needs, to mitigate the risk of IT-OT exploitation pathways. These mitigations include fully managing all IT-OT connections, limiting access, actively monitoring and logging all access attempts, and cryptographically protecting remote access vectors.
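One concrete way to act on the two steps above is to keep an explicit allow-list of every justified IT-OT connection and audit boundary firewall logs against it, so that unapproved flows, cleartext remote access, OT-initiated connections into IT, and repeated blocked attempts surface for review. The script below is an added example, not code from the NSA advisory; the network ranges, host addresses, approved-flow list, log format and sample records are all constructed assumptions for illustration.

```python
"""Audit IT-OT boundary firewall logs against an allow-list of approved flows.

Added example (not from the NSA advisory). The network ranges, host addresses,
log format and approved-flow list below are assumptions constructed for
illustration only.
"""
import ipaddress
import re
from collections import Counter

IT_NET = ipaddress.ip_network("10.10.0.0/16")        # assumed enterprise IT range
OT_NET = ipaddress.ip_network("192.168.100.0/24")    # assumed control-system range

# Every IT->OT flow must appear here with a mission justification; anything
# else is a candidate for disconnection or blocking. (Assumed entries.)
APPROVED_FLOWS = {
    ("10.10.5.20", "192.168.100.10", "tcp", 5432): "historian replication",
    ("10.10.7.4", "192.168.100.50", "tcp", 22): "vendor access via jump host (MFA, SSH)",
}

# Remote-access services that carry credentials or sessions in cleartext.
CLEARTEXT_REMOTE = {("tcp", 23): "telnet", ("tcp", 5900): "vnc", ("tcp", 80): "http"}

LOG_RE = re.compile(
    r"action=(?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)

# Constructed sample records in a key=value style typical of boundary firewalls.
SAMPLE_LOG = """\
2021-04-29T10:00:01Z fw01 action=allow src=10.10.5.20 dst=192.168.100.10 proto=tcp dport=5432
2021-04-29T10:00:05Z fw01 action=allow src=10.10.7.4 dst=192.168.100.50 proto=tcp dport=22
2021-04-29T10:01:12Z fw01 action=allow src=10.10.9.99 dst=192.168.100.20 proto=tcp dport=23
2021-04-29T10:02:30Z fw01 action=allow src=10.10.3.15 dst=192.168.100.30 proto=tcp dport=445
2021-04-29T10:03:00Z fw01 action=deny src=10.10.42.7 dst=192.168.100.10 proto=tcp dport=502
2021-04-29T10:03:01Z fw01 action=deny src=10.10.42.7 dst=192.168.100.11 proto=tcp dport=502
2021-04-29T10:03:02Z fw01 action=deny src=10.10.42.7 dst=192.168.100.12 proto=tcp dport=502
2021-04-29T10:05:00Z fw01 action=allow src=192.168.100.40 dst=10.10.8.8 proto=tcp dport=443
"""


def parse(line):
    """Extract the fields of one log record, or None if the line does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def classify(rec):
    """Label a record by what it means for the IT-OT boundary."""
    src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
    key = (rec["src"], rec["dst"], rec["proto"], rec["dport"])
    if src in IT_NET and dst in OT_NET:
        if rec["action"] != "allow":
            return "denied"                    # blocked attempt; still counted
        if key in APPROVED_FLOWS:
            return "approved"
        if (rec["proto"], rec["dport"]) in CLEARTEXT_REMOTE:
            return "cleartext-remote-access"   # remote access without cryptographic protection
        return "unapproved"                    # allowed through but not on the allow-list
    if src in OT_NET and dst in IT_NET:
        return "ot-initiated"                  # OT reaching into IT: review or block
    return "other"


def audit(log_text, deny_threshold=3):
    """Return (per-category counts, findings that need action)."""
    counts, denied_by_src, findings = Counter(), Counter(), []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        verdict = classify(rec)
        counts[verdict] += 1
        if verdict == "denied":
            denied_by_src[rec["src"]] += 1
        elif verdict not in ("approved", "other"):
            findings.append((verdict, rec["src"], rec["dst"], rec["proto"], rec["dport"]))
    # Repeated denied attempts from one IT host look like scanning of the OT range.
    for src, n in denied_by_src.items():
        if n >= deny_threshold:
            findings.append(("repeated-denied-attempts", src, None, None, n))
    return counts, findings


if __name__ == "__main__":
    counts, findings = audit(SAMPLE_LOG)
    print(dict(counts))
    for f in findings:
        print(f)
```

On the constructed sample the two allow-listed flows pass, while the telnet session, the SMB connection, the OT host calling out to IT, and the three denied Modbus probes from one IT host are each reported as a finding. In practice the allow-list would be the output of the value-versus-risk review, and each entry's justification is what an auditor asks for when deciding whether a connection stays.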

Operational technology includes hardware and software that drives the operations of a given infrastructure environment, from an engine control unit in a modern vehicle to nationwide train transportation networks.

Every IT-OT connection creates an additional vector for potential OT exploitation that could compromise mission and/or production. Performing a comprehensive risk analysis of all IT-OT interconnections, and allowing only mission critical interconnections that are properly protected, improves the cybersecurity posture. With an appropriate risk analysis strategy, leadership and system owners and operators can make informed decisions to better manage OT networks while reducing both the threat from, and the impact of, exploitation and destructive cyber effects.

Joseph Carson, chief security scientist and Advisory CISO at ThycoticCentrify, explains, "Attacks targeting critical national infrastructure (CNI) tend to be the work of advanced persistent threat (APT) groups working on behalf of nation states with specific goals. Such high-level adversaries are difficult to defend against as they have the time and resources required to repeatedly test security measures and find gaps, whereas more opportunist criminals in search of profits will opt for soft targets. In addition to facing particularly tenacious attackers, most areas of CNI must also contend with complex network infrastructure that is difficult to secure. Operational Technology (OT), the systems used for managing the heavy industrial equipment common across these sectors, often operates in a very different fashion to traditional IT. Systems have often been designed with a lifespan of decades in mind, and are a poor fit with the fast-moving world of modern IT networks."

Carson adds, "Gaining centralized visibility and management of such a complex environment can be extremely challenging. This limited view creates gaps that can be exploited by threat actors, enabling them to infiltrate the network and move between systems without being detected. The conflicting network architecture also means that standard security measures such as role-based access control (RBAC) and two-factor authentication (2FA) are close to impossible to implement without purpose-built tools. These issues elevate the potential threat of a nation state actor infiltrating the system and causing serious disruption."

Dirk Schrader, Global Vice President at New Net Technologies (NNT), says, "Operational Technology (OT) has long been seen as ‘this is not IT, why should I bother about it’ from cyber security folks. Neither did the ICS folks. The results are a dangerous mixture of differing languages and focus about what security is. Still, the essential security controls must be placed regardless of one’s perspective on IT and OT cyber security. Whether you prioritize availability (OT) or confidentiality (IT), you will need to manage your vulnerabilities and to control unwanted change in order to maintain both."

For more information, review the advisory or visit NSA.gov/cybersecurity-guidance.