The NSA and CISA recently released a cybersecurity advisory noting increased capability and activity targeting operational technology (OT) and control systems, two trends that Dragos can confirm. It's heartening to see these agencies raising awareness of industrial cyber threats and also putting forward solid recommendations to address them.
According to the advisory, "Internet-accessible OT assets are becoming more prevalent across the 16 US CI Sectors as companies increase remote operations and monitoring…" Our own experience, as reported in our Year in Review report "Lessons Learned from the Frontlines of ICS Cybersecurity", is that 100% of the organizations we assessed had routable network connections into their operational environments. When that connectivity is combined with poor firewall ruleset management, limited environmental visibility, and/or outright weak architecture, accidental exposure to the Internet is possible.
To address the growing concerns of industrial cyber threats, the advisory puts forth six recommendations which are presented below along with how Dragos can help support and implement them:
1. Have a Resilience plan for OT
Given the increase in threat activity since 2015, planners should assume that contingencies are needed not only for malfunctioning systems but for systems that act contrary to the safe and reliable operation of the process. In addition to a technology platform to visualize, identify, and respond to industrial threats, Dragos offers a full range of services, including tabletop exercises to plan for and mitigate risks and to respond to incidents.
2. Exercise your Incident Response Plan
Having a plan is one thing; exercising it before an incident is necessary to be properly prepared. Dragos can help organizations prepare for, respond to, and recover from cyber incidents in their OT infrastructure. See the Dragos Incident Response Service.
3. Harden Your Network
During the COVID-19 crisis, reliance on remote access has grown significantly. The advisory recommends that external connections be limited; we would add that they often first need to be discovered and identified, since a connection you do not know about cannot be limited. The Dragos Platform can monitor communications between industrial assets and devices, including remote access.
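Discovering external connections into OT before trying to limit them is a concrete, scriptable check. The following is an added example, not Dragos code or the Dragos Platform's logic: it takes a constructed set of flow records (as exported from a firewall, switch SPAN or NetFlow collector) and a constructed IT/OT boundary ruleset, classifies every flow that touches the OT zone, and flags both observed OT-to-outside traffic and allow rules whose source is not confined to the site's internal address plan. The address ranges, flows and rule names are assumptions for illustration; replace them with your own exports.

```python
"""Find OT exposure to outside addresses from flow records and firewall rules.

Added example, not Dragos code. The address plan, flow records and firewall
rules below are constructed for illustration.
"""
import ipaddress

# Hypothetical address plan: OT zones, and the whole internally routed space.
# Anything outside INTERNAL is treated as external (Internet-routable).
OT_ZONES = [ipaddress.ip_network(n) for n in ("10.50.0.0/16", "192.168.100.0/24")]
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: (timestamp, src, dst, dst_port, proto).
FLOWS = [
    ("2020-07-23T10:00:01Z", "10.50.1.20", "10.50.1.5", 502, "tcp"),     # HMI -> PLC
    ("2020-07-23T10:00:05Z", "203.0.113.17", "10.50.1.5", 502, "tcp"),   # outside -> PLC
    ("2020-07-23T10:00:09Z", "10.50.2.40", "198.51.100.8", 443, "tcp"),  # OT host -> outside
    ("2020-07-23T10:00:12Z", "10.10.0.9", "10.50.1.20", 3389, "tcp"),    # IT -> OT RDP
    ("2020-07-23T10:00:15Z", "10.50.1.20", "224.0.0.251", 5353, "udp"),  # mDNS inside OT
    ("2020-07-23T10:00:20Z", "10.10.0.9", "10.10.0.10", 445, "tcp"),     # IT only
]

# Constructed IT/OT boundary ruleset (first match wins).
FW_RULES = [
    {"name": "hist-replication", "src": "10.10.5.0/24", "dst": "10.50.3.10/32", "dport": 1433, "action": "allow"},
    {"name": "vendor-remote",    "src": "0.0.0.0/0",    "dst": "10.50.1.0/24",  "dport": 3389, "action": "allow"},
    {"name": "deny-all",         "src": "0.0.0.0/0",    "dst": "0.0.0.0/0",     "dport": None, "action": "deny"},
]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def is_ot(ip):
    return _in_any(ipaddress.ip_address(ip), OT_ZONES)


def is_external(ip):
    """True for unicast addresses outside the internal plan."""
    addr = ipaddress.ip_address(ip)
    if addr.is_multicast or addr.is_loopback or addr.is_link_local:
        return False
    return not _in_any(addr, INTERNAL)


def classify_flow(src, dst):
    """Label a flow by what it says about OT connectivity; None if OT is not involved."""
    s_ot, d_ot = is_ot(src), is_ot(dst)
    if not (s_ot or d_ot):
        return None
    if ipaddress.ip_address(dst).is_multicast:
        return "ot-multicast"            # local discovery chatter, not a boundary crossing
    if s_ot and d_ot:
        return "ot-internal"
    if s_ot and is_external(dst):
        return "ot-to-external"
    if d_ot and is_external(src):
        return "external-to-ot"
    return "it-to-ot" if d_ot else "ot-to-it"


def find_exposures(flows):
    """Flows that cross between the OT zone and addresses outside the internal plan."""
    hits = []
    for ts, src, dst, dport, proto in flows:
        label = classify_flow(src, dst)
        if label in ("external-to-ot", "ot-to-external"):
            hits.append((ts, label, src, dst, dport, proto))
    return hits


def permissive_ot_rules(rules):
    """Allow rules whose destination touches an OT zone but whose source is not
    confined to the internal plan (for example 0.0.0.0/0)."""
    flagged = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        src = ipaddress.ip_network(rule["src"], strict=False)
        dst = ipaddress.ip_network(rule["dst"], strict=False)
        touches_ot = any(dst.overlaps(zone) for zone in OT_ZONES)
        src_internal = any(src.subnet_of(net) for net in INTERNAL)
        if touches_ot and not src_internal:
            flagged.append(rule["name"])
    return flagged


if __name__ == "__main__":
    for hit in find_exposures(FLOWS):
        print("exposure:", hit)
    for name in permissive_ot_rules(FW_RULES):
        print("permissive rule into OT:", name)
```

Two points the output makes that the prose does not: the IT-to-OT RDP flow is not an "exposure" by this definition but is exactly the path a permissive rule like `vendor-remote` turns into one, so both lists should be read together; and treating "not in our internal plan" as external, rather than relying on a library's notion of public addresses, keeps documentation and partner ranges from being silently ignored.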
4. Create an Accurate “As-operated” OT Network Map Immediately
The advisory recommends, and we agree, that a comprehensive understanding of your OT assets is the foundation for cyber-risk reduction. The Dragos Platform’s asset identification capability will identify what’s on your network and how it’s changed over time.
5. Understand and Evaluate Cyber-risk on “As-operated” OT Assets
The advisory recommends knowing what assets are in your OT network and how they're behaving, but you need to go beyond that to determine whether you're compromised and what to do about it. A core capability of the Dragos Platform is the ability to detect threats, not only from anomalies, but based on threat behaviors: the tactics, techniques, and procedures (TTPs) used by adversaries. Dragos was, and continues to be, a key contributor to the MITRE ATT&CK for ICS framework. The Dragos Platform is mapped to and enabled by MITRE ATT&CK for ICS to provide deep context on threats, which helps reduce threat discovery time, false positives, and alert fatigue.
6. Implement a Continuous and Vigilant System Monitoring Program
The advisory recommends implementing a vigilant monitoring program that enables system anomaly detection, including detection of malicious tactics such as "living off the land" techniques within OT systems. Dragos agrees that continuous and vigilant monitoring is a best practice and that anomaly detection should be a component of an effective cybersecurity program. However, while anomaly detection is necessary, we view it as insufficient to effectively identify threat behaviors. We strongly recommend augmenting anomaly detection with the ability to identify and respond to threat behaviors as a more effective approach to cyber risk mitigation.
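The difference between baseline anomaly detection and behavior-based detection is easiest to see side by side. The following is an added example, not Dragos Platform logic: it learns a communications baseline from a constructed "known good" week of OT events, then runs two detectors over a constructed later day. The anomaly detector flags anything not in the baseline; the behavior detector flags actions that match adversary TTPs regardless of whether the pairing was seen before, using the site's change windows and known engineering workstation as context. The events, hosts, change window and rule thresholds are assumptions for illustration; the technique names and IDs are as I recall them from the ATT&CK for ICS matrix (Program Download, Unauthorized Command Message, Remote Services) and should be checked against the current matrix before use in a real mapping.

```python
"""Anomaly-only vs. behavior-based detection over constructed OT events.

Added example, not Dragos code. Events, change windows, host roles and the
ATT&CK for ICS technique labels are constructed/assumed for illustration.
"""
from datetime import datetime

# Constructed events: (utc timestamp, src, dst, protocol, action).
BASELINE = [  # a "known good" week used to learn normal communications
    ("2020-07-13T09:10:00Z", "10.50.1.20", "10.50.1.5", "modbus", "read_holding_registers"),
    ("2020-07-13T09:12:00Z", "10.50.1.30", "10.50.1.5", "s7comm", "program_download"),  # EWS push in change window
    ("2020-07-14T11:00:00Z", "10.50.1.30", "10.50.1.5", "rdp", "session"),             # remote session, no window
]
EVENTS = [  # a later day to be monitored
    ("2020-07-23T02:13:00Z", "10.50.1.30", "10.50.1.5", "s7comm", "program_download"),       # EWS, 02:13, no window
    ("2020-07-23T02:14:00Z", "10.50.1.30", "10.50.1.5", "modbus", "write_single_register"),  # EWS writing to PLC
    ("2020-07-23T10:00:00Z", "10.50.1.99", "10.50.1.5", "modbus", "read_holding_registers"), # new host, benign read
    ("2020-07-23T10:05:00Z", "10.50.1.20", "10.50.1.5", "modbus", "read_holding_registers"), # HMI as usual
]

# Site context assumed for the behavior rules.
CHANGE_WINDOWS = [("2020-07-13T08:00:00Z", "2020-07-13T12:00:00Z")]
ENGINEERING_WS = {"10.50.1.30"}   # only host allowed to download logic, and only in a window
OPERATOR_HMI = {"10.50.1.20"}     # only host expected to issue process writes


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def in_change_window(ts):
    t = parse_ts(ts)
    return any(parse_ts(a) <= t <= parse_ts(b) for a, b in CHANGE_WINDOWS)


def learn_baseline(events):
    """Baseline = set of (src, dst, proto, action) tuples ever seen in the learning period."""
    return {(src, dst, proto, action) for _, src, dst, proto, action in events}


def anomaly_alerts(events, baseline):
    """Flag every event whose tuple was not in the baseline; context is ignored."""
    return [ts for ts, src, dst, proto, action in events
            if (src, dst, proto, action) not in baseline]


def behavior_alerts(events):
    """Flag actions that match adversary TTPs, using site context rather than history.
    Technique labels assumed from ATT&CK for ICS; verify against the current matrix."""
    alerts = []
    for ts, src, dst, proto, action in events:
        if action == "program_download" and not (src in ENGINEERING_WS and in_change_window(ts)):
            alerts.append((ts, "T0843 Program Download"))
        elif action.startswith("write_") and src not in OPERATOR_HMI:
            alerts.append((ts, "T0855 Unauthorized Command Message"))
        elif proto == "rdp" and not in_change_window(ts):
            alerts.append((ts, "T0886 Remote Services"))
    return alerts


if __name__ == "__main__":
    base = learn_baseline(BASELINE)
    print("anomaly alerts: ", anomaly_alerts(EVENTS, base))
    print("behavior alerts:", behavior_alerts(EVENTS))
    print("behavior alerts hiding in the baseline:", behavior_alerts(BASELINE))
```

Running it shows the gap the text describes: the anomaly detector misses the 02:13 program download because the engineering workstation had pushed logic to that PLC during the learning week (a legitimate tool and path, used off-hours), and it raises a false positive on a new host that only reads registers. The behavior detector catches the download and the follow-on write from context alone, and applied to the "known good" week it also surfaces the remote session that baselining would otherwise have accepted as normal.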
In summary, Dragos is happy to see and embraces the advisory and recommendations from the NSA and CISA. We have mapped what we do and how we can help to each of the recommendations. Contact us if we can help, and we look forward to working with the entire industrial community to safeguard our critical infrastructure.