The NSA and CISA recently released a cybersecurity advisory noting increased capability and activity targeting operational technology (OT) and control systems, two trends that Dragos can confirm from its own visibility. It is heartening to see these agencies raising awareness of industrial cyber threats and, just as importantly, putting forward solid recommendations to address them.
According to the advisory, recently observed tactics include “Internet-accessible OT assets are becoming more prevalent across the 16 US CI Sectors as companies increase remote operations and monitoring…” Our own experience, as reported in our Year in Review report “Lessons Learned from the Frontlines of ICS Cybersecurity,” is that 100% of the organizations we assessed had routable network connections into their operational environments. When that connectivity is combined with poor firewall ruleset management, limited visibility into the environment, or outright weak architecture, accidental exposure to the Internet becomes possible: a route exists, and nothing in the ruleset or the design reliably blocks it.
To address the growing concern over industrial cyber threats, the advisory puts forward six recommendations. Each is presented below along with suggested resources and how Dragos can help support and implement it:
1. Have a Resilience Plan for OT
Given the increased threat activity since 2015, planners must assume that contingencies are needed not just for systems that malfunction but also for systems that have been made to act contrary to the safe and reliable operation of the process.
For help creating a resiliency plan, see the paper Dragos created with the 451 Group, “How to Build an Industrial Cybersecurity Program.” In addition to offering a technology platform to visualize, identify, and respond to industrial threats, Dragos offers a full range of services, including tabletop exercises to plan for and mitigate risks and to respond to incidents.
2. Exercise your Incident Response Plan
Incident response is top of mind for many OT cybersecurity professionals, and Dragos has several resources on best practices and recommendations. Our post “An Ounce of Prevention: The Power of Deliberate Planning” summarizes lessons learned from GridEx V, the North American Electric Reliability Corporation’s (NERC) fifth biennial electrical power grid and emergency response exercise. Incident response during the pandemic lockdown presents new challenges of its own; see our recommendations in “ICS/OT Incident Response in Times of Lockdown.”
During an incident, how do you operate or investigate if the data the system reports cannot be trusted? TRISIS demonstrated that even safety systems can be compromised by manipulating registers or altering firmware, so responders must plan for the case where the controller itself is the unreliable witness. See our blog and report “TRISIS: Analyzing Safety System Targeting Malware.”
Having a plan is one thing; exercising it before an incident is what makes an organization properly prepared. Dragos can help organizations prepare for, respond to, and recover from cyber incidents in their OT infrastructure. See the Dragos Incident Response Service.
3. Harden Your Network
During the COVID-19 crisis, reliance on remote access has grown significantly. The advisory recommends that external connections be limited; we would add that they often first need to be discovered and identified, because a connection that is not documented cannot be deliberately limited.
Jason Christopher, a Principal Risk Advisor at Dragos and a certified SANS instructor, covers this in his blog post “Guidance on Remote Access.” The Dragos Platform can also monitor communications between industrial assets and devices, including remote access sessions.
4. Create an Accurate “As-operated” OT Network Map Immediately
The advisory recommends, and we agree, that a comprehensive understanding of your OT assets is the foundation for cyber-risk reduction.
Dragos recommends using a collection management framework to go beyond an asset inventory and support the incident responders and security operations staff who must prepare for and conduct investigations into adversary activity in their environments. See our white paper “Collection Management Frameworks – Beyond Asset Inventories for Preparing for and Responding to Cyber Threats.” Another resource to consider is “Developing a Strategic ICS/OT Cybersecurity Roadmap Using Intelligence and Consequence Driven Analysis,” a recent webinar in which Dragos CEO Rob Lee and Deloitte ICS leader Ramsay Hajj explain the benefits of using intelligence (what adversaries have done) and consequence (what could go wrong) to bolster ICS cybersecurity. In addition, the Dragos Platform’s asset identification capability identifies what is on your network and how it changes over time.
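The two points above, discovering external connections before limiting them and building an “as-operated” map from what is actually observed rather than from documentation, can be illustrated with a small script. This is an added example, not Dragos code or Dragos Platform logic: the zone layout (OT in 10.20.0.0/16, IT in 10.10.0.0/16) and the flow records are constructed for illustration, and the port-to-service names are the well-known defaults.

```python
"""Build an "as-operated" picture of an OT network from observed flow records
and surface the connections that cross the OT boundary.  Added example; not
Dragos code.  Zone ranges and the flow records below are constructed."""
import ipaddress
from collections import defaultdict

# Assumed zone layout (hypothetical): OT lives in 10.20.0.0/16, corporate IT in
# 10.10.0.0/16.  Any other address is address space nobody has accounted for.
ZONES = {
    "ot": ipaddress.ip_network("10.20.0.0/16"),
    "it": ipaddress.ip_network("10.10.0.0/16"),
}

# Well-known port-to-service names, used only to label what was observed.
REMOTE_ACCESS = {22: "ssh", 23: "telnet", 3389: "rdp", 5900: "vnc"}
ICS_PROTOCOLS = {102: "s7comm", 502: "modbus", 20000: "dnp3", 44818: "enip"}

# Constructed flow records (src, dst, dst_port), in the shape a firewall log
# or a SPAN-port collector would export them.
FLOWS = [
    ("10.20.1.10", "10.20.5.20", 502),    # HMI -> PLC, Modbus/TCP
    ("10.20.1.11", "10.20.5.21", 102),    # engineering workstation -> PLC, S7comm
    ("10.10.7.5", "10.20.1.10", 3389),    # IT jump host -> HMI, RDP
    ("203.0.113.9", "10.20.1.11", 22),    # address in no known zone -> EWS, SSH
    ("10.20.1.10", "10.10.2.4", 443),     # HMI -> IT-side historian, HTTPS
]


def zone_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def service_of(port: int) -> str:
    return REMOTE_ACCESS.get(port) or ICS_PROTOCOLS.get(port) or f"tcp/{port}"


def classify(flow):
    """Label one flow by how it crosses (or does not cross) the OT boundary."""
    src, dst, port = flow
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == "ot" and dst_zone == "ot":
        direction = "internal"
    elif dst_zone == "ot":
        direction = "ingress"
    elif src_zone == "ot":
        direction = "egress"
    else:
        direction = "transit"  # neither end is OT; out of scope here
    far_end = src_zone if direction == "ingress" else dst_zone
    return {
        "src": src, "dst": dst, "port": port, "service": service_of(port),
        "direction": direction,
        "remote_access": port in REMOTE_ACCESS,
        # A far end in address space you cannot account for is the case the
        # text warns about: a connection you did not know you had.
        "unaccounted": direction in ("ingress", "egress") and far_end == "unknown",
    }


def build_map(flows):
    """As-operated map: for each OT asset, who it talks to and over what."""
    ot_map = defaultdict(lambda: {"peers": set(), "services": set()})
    for src, dst, port in flows:
        for asset, peer in ((src, dst), (dst, src)):
            if zone_of(asset) == "ot":
                ot_map[asset]["peers"].add(peer)
                ot_map[asset]["services"].add(service_of(port))
    return dict(ot_map)


def external_connections(flows):
    """Every flow crossing the OT boundary, most urgent first: unaccounted-for
    endpoints, then remote-access protocols, then everything else."""
    crossing = [c for c in map(classify, flows) if c["direction"] in ("ingress", "egress")]
    return sorted(crossing, key=lambda c: (not c["unaccounted"], not c["remote_access"]))


if __name__ == "__main__":
    for asset, info in sorted(build_map(FLOWS).items()):
        print(f"{asset}: peers={sorted(info['peers'])} services={sorted(info['services'])}")
    for c in external_connections(FLOWS):
        flag = "UNACCOUNTED " if c["unaccounted"] else ""
        print(f"{flag}{c['direction']:7} {c['src']} -> {c['dst']} {c['service']}")
```

Run against the constructed records, the script lists three boundary-crossing flows and puts the SSH session from an address outside every documented zone at the top of the list. That ordering is the point: the map built from observed traffic disagrees with the documented design, and the disagreement is where the undocumented external connection lives.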
5. Understand and Evaluate Cyber-risk on “As-operated” OT Assets
The advisory recommends knowing what assets are in your OT network and how they are behaving; we would go one step further, to determining whether you are already compromised and what to do about it. A core capability of the Dragos Platform is the ability to detect threats not only from anomalies but from threat behaviors, the tactics, techniques, and procedures (TTPs) adversaries use. Dragos was, and continues to be, a key contributor to the MITRE ATT&CK for ICS framework. The Dragos Platform is mapped to and informed by MITRE ATT&CK for ICS, providing deep context on threats that helps reduce threat discovery time, false positives, and alert fatigue.
6. Implement a Continuous and Vigilant System Monitoring Program
The advisory recommends implementing a vigilant monitoring program that enables system anomaly detection, including detection of malicious tactics such as “living off the land,” in which adversaries use the legitimate tools and protocols already present in OT systems. Dragos agrees that continuous and vigilant monitoring is a best practice and that anomaly detection should be a component of an effective cybersecurity program. However, while anomaly detection is necessary, we view it as insufficient on its own to identify threat behaviors: a deviation from baseline tells you that something is different, not that it is malicious, and an adversary issuing legitimate commands from a legitimate engineering workstation may not deviate from the baseline at all. We strongly recommend augmenting anomaly detection with the ability to identify and respond to threat behaviors as a more effective approach to cyber risk mitigation.
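To make the distinction concrete, the following script runs a baseline anomaly detector and a small set of behavior rules over the same constructed ICS event log. This is an added example, not Dragos code or Dragos Platform detection logic: the host addresses, the decoded protocol function names (“read”, “program_download”, “cpu_stop”), the authorized engineering workstation, and the maintenance window are all assumptions made for illustration.

```python
"""Baseline anomaly detection beside behaviour (TTP) detection over one
constructed ICS event log.  Added example; not Dragos code.  Hosts, function
names, the authorized workstation and the maintenance window are assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    dst: str
    proto: str
    func: str  # decoded protocol function, e.g. "read", "program_download", "cpu_stop"


def ev(t, src, dst, proto, func):
    return Event(datetime.fromisoformat(t), src, dst, proto, func)


EWS, HMI, PLC1, PLC2 = "10.20.1.11", "10.20.1.10", "10.20.5.20", "10.20.5.21"

# Constructed learning-period traffic: routine reads plus one scheduled program
# download from the engineering workstation during the day shift.
BASELINE_EVENTS = [
    ev("2020-07-01T09:00:00", HMI, PLC1, "modbus", "read"),
    ev("2020-07-01T10:30:00", EWS, PLC1, "s7comm", "read"),
    ev("2020-07-01T14:00:00", EWS, PLC1, "s7comm", "program_download"),
]

# Constructed live traffic.  The adversary is on the legitimate engineering
# workstation ("living off the land"): every command it sends is one that
# workstation is built to send.
LIVE_EVENTS = [
    ev("2020-07-08T03:12:00", EWS, PLC1, "s7comm", "program_download"),  # seen before, but at 03:12
    ev("2020-07-08T03:14:00", EWS, PLC1, "s7comm", "cpu_stop"),
    ev("2020-07-08T03:14:30", EWS, PLC2, "s7comm", "cpu_stop"),
    ev("2020-07-08T09:05:00", HMI, PLC2, "modbus", "read"),  # HMI re-pointed by an operator; benign
]

AUTHORIZED_EWS = {EWS}                 # assumed: the only host allowed to change controller logic
MAINTENANCE_HOURS = range(8, 18)       # assumed change window: 08:00-17:59
DISRUPTIVE_FUNCS = {"program_download", "cpu_stop", "firmware_update"}


def learn_baseline(events):
    """Anomaly model: the set of (src, dst, proto, func) tuples seen while learning."""
    return {(e.src, e.dst, e.proto, e.func) for e in events}


def anomaly_alerts(baseline, events):
    """Flag anything not seen before.  This says 'different', not 'malicious'."""
    return [f"new communication: {e.src}->{e.dst} {e.proto}/{e.func}"
            for e in events if (e.src, e.dst, e.proto, e.func) not in baseline]


def behaviour_alerts(events, stop_window=timedelta(minutes=5)):
    """Flag adversary behaviours whether or not the pairs involved are 'known'."""
    alerts = []
    for e in events:
        if e.func in DISRUPTIVE_FUNCS and e.src not in AUTHORIZED_EWS:
            alerts.append(f"{e.func} from unauthorized host {e.src} to {e.dst}")
        if e.func in DISRUPTIVE_FUNCS and e.ts.hour not in MAINTENANCE_HOURS:
            alerts.append(f"{e.func} to {e.dst} outside maintenance window at {e.ts:%H:%M}")
    # Several controllers stopped in a short span from one source is the kind of
    # coordinated, process-affecting action an adversary wants, not a routine change.
    stops = sorted((e for e in events if e.func == "cpu_stop"), key=lambda e: e.ts)
    for i, first in enumerate(stops):
        targets = {s.dst for s in stops[i:]
                   if s.src == first.src and s.ts - first.ts <= stop_window}
        if len(targets) >= 2:
            alerts.append(f"{first.src} stopped {len(targets)} controllers within {stop_window}")
            break
    return alerts


if __name__ == "__main__":
    baseline = learn_baseline(BASELINE_EVENTS)
    print("anomaly detector:")
    for a in anomaly_alerts(baseline, LIVE_EVENTS):
        print("  ", a)
    print("behaviour rules:")
    for a in behaviour_alerts(LIVE_EVENTS):
        print("  ", a)
```

On this log the anomaly detector raises three alerts, one of them for the benign HMI re-pointing, and stays silent on the 03:12 program download because that exact pair and function appeared in the learning window. The behavior rules catch the download anyway, because a logic change at 03:12 from any host is outside the change window, and they add the context the anomaly alerts lack: two controllers stopped by one source inside five minutes is a coordinated action, not two unrelated “new communications.”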
In summary, Dragos is happy to see, and embraces, the advisory and recommendations from the NSA and CISA. We have mapped what we do and how we can help against each of the recommendations. Contact us if we can help, and we look forward to working with the entire industrial community to safeguard our critical infrastructure.