In the past few years, we’ve seen ample evidence of how cyberattacks on critical infrastructure can be leveraged by nation-states and other powerful adversaries as weapons in geopolitical conflicts. The attacks on the Ukraine power grid and several other incidents demonstrated a show of force and how a country’s infrastructure can be disrupted. The indiscriminate use of destructive exploits in NotPetya (which caused widespread collateral damage to operational technology (OT) networks and halted operations) revealed to security professionals just how poor the cyber risk posture of their OT networks is and prompted swift action in many of the largest companies.
For years now, the government has been warning openly and clearly that: “Since at least March 2016, Russian government cyber actors—hereafter referred to as ‘threat actors’—targeted government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.” A new alert, issued by the U.S. National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA), couldn’t be more clear: “We’re in a state of heightened tensions and additional risk and exposure.”
Government agency alerts about previous threats typically describe how the attacks are executed and provide some tactical steps to specific sectors to enhance their ability to reduce exposure. However, this recent alert stands out for its tone, language, and content. Framed from a strategic perspective, it includes broad warnings of an imminent and serious threat across all 16 critical infrastructure sectors, and extensive, detailed sets of recommendations for how to defend OT environments that, collectively, encourage a holistic approach to risk mitigation.
If you think like an attacker, the timing of this jump in critical infrastructure attacks isn’t surprising. Nation-state actors have habitually targeted organizations in industries including high-tech manufacturing, pharmaceuticals, biotech, and healthcare to steal intellectual property and research. Now, it’s being widely reported that nation-state actors believed to be linked to China and Russia are focusing attacks on organizations involved in the research and manufacturing of COVID-19 vaccines – a clear use of cyber weapons to advance their geopolitical agendas.
With many U.S. critical infrastructure organizations involved in these pursuits, the stakes are extraordinarily high. Adversaries are extremely motivated, and such threats are particularly concerning. As advances are made and we get closer to a vaccine, attacks will likely intensify. And this is only one example of how the other critical infrastructure industries could be targeted. Hence the urgency conveyed in the NSA and CISA alert to protect vulnerable networks.
Why is the potential impact on critical assets so high? The alert describes a perfect storm scenario, similar to what I’ve described before: a combination of legacy OT devices, many of which are internet-facing (something for which they were never designed) and thus expand the attack surface, and opportunistic adversaries with access to tools that provide information about these assets and ways to exploit them. The pervasiveness and gravity of the situation, and the relative ease with which these exploits can be executed, require immediate action to reduce exposure across OT networks and control systems. Among an extensive list of specific recommendations, NSA and CISA urge the deployment of threat monitoring technology.
We’ve talked about the need for asset visibility and threat monitoring in OT environments for years, because one of the biggest challenges in securing these environments is zero telemetry and thus no visibility into OT networks. One of the roadblocks is that organizations have been constrained by preconceived notions of how to proceed, based on trusted IT cybersecurity best practices that dictate a “crawl, walk, run” approach. What’s more, many of the IT security tools and approaches introduce unnecessary complexity and, worse, aren’t effective in OT environments. Clearly, based on the tone of the NSA and CISA alert, we need to move straight to “run” and focus on what we can execute immediately to reduce risk the most. That’s where threat monitoring comes in.
OT networks communicate and share far more information than is typically available from IT components – the software version they’re running, firmware, serial numbers, and more. OT network traffic provides all the security information required to monitor for threats. With a single, agentless solution for asset visibility and continuous threat monitoring, one that can be implemented quickly and integrated into IT systems and workflows, organizations can move fast to detect and mitigate risk. By translating the obscurity of OT networks for IT security operations center (SOC) analysts, such a solution enables IT and OT teams to work together and bring the full power of the organization’s resources to bear. They can start to identify deviations from established behavioral baselines, unauthorized connections, and the presence of adversary techniques, such as those in the new MITRE ATT&CK for ICS framework, to implement mitigation recommendations rapidly.
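The passive-monitoring approach described above, as an added illustration that is not part of the original article or any vendor's product: a baseline of normal flows is learned from observed OT traffic, then live flows are checked for a source outside the plant network (internet exposure), a never-seen connection pair (unauthorized connection), or a new protocol function from a known pair (behavioral deviation). The addresses, Modbus function codes and the 10.10.0.0/16 OT range are constructed sample data.

```python
import ipaddress
from collections import defaultdict

# Constructed OT flow records: (src, dst, dst_port, modbus_function_code_or_None).
# Function code 3 = read holding registers, 16 = write multiple registers.
BASELINE_FLOWS = [
    ("10.10.1.5", "10.10.2.10", 502, 3),     # HMI polls PLC registers (read only)
    ("10.10.1.5", "10.10.2.11", 502, 3),
    ("10.10.1.6", "10.10.2.10", 102, None),  # engineering workstation, S7comm
]

LIVE_FLOWS = [
    ("10.10.1.5", "10.10.2.10", 502, 3),      # matches baseline
    ("10.10.1.5", "10.10.2.10", 502, 16),     # known HMI now writes registers
    ("10.10.1.9", "10.10.2.11", 502, 3),      # host never seen before talks to PLC
    ("198.51.100.7", "10.10.2.10", 502, 3),   # public address reaches PLC directly
]

OT_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]  # constructed plant range


def build_baseline(flows):
    """Learn normal (src, dst, port) pairs and, per pair, the Modbus function codes seen."""
    pairs = set()
    funcs = defaultdict(set)
    for src, dst, port, fc in flows:
        pairs.add((src, dst, port))
        if fc is not None:
            funcs[(src, dst, port)].add(fc)
    return pairs, funcs


def in_ot(addr):
    """True if the address belongs to one of the known OT subnets."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in OT_NETWORKS)


def detect(flows, baseline):
    """Return (alert_type, details) for each flow that deviates from the baseline."""
    pairs, funcs = baseline
    alerts = []
    for src, dst, port, fc in flows:
        key = (src, dst, port)
        if not in_ot(src):
            alerts.append(("external_source", key))        # internet-facing exposure
        elif key not in pairs:
            alerts.append(("unauthorized_connection", key))
        elif fc is not None and fc not in funcs[key]:
            alerts.append(("new_function_code", key + (fc,)))  # e.g. read-only host writes
    return alerts
```

In practice the baseline window is learned over days of traffic and the alert tuples are forwarded to the SOC's SIEM, where the asset inventory (vendor, firmware, serial) extracted from the same traffic gives analysts the context to triage them.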
We can’t defend ourselves on this latest battlefield without the right security capabilities. Let’s learn from the previous examples of economic warfare and use the detailed observations and recommendations from NSA and CISA to our advantage. The stakes have never been higher. Fortunately, our capabilities to secure our OT environments are up to the challenge.
Related: Learn More About Assessing Risk in Industrial Environments at SecurityWeek’s 2020 ICS Cyber Security Conference