Government issues alert about cyberattacks on critical infrastructure
The U.S. government has issued an alert warning that there is an increased danger of cyberattacks on civilian infrastructure. The alert comes from the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA).
Who is at risk?
The CISA and the NSA have warned that the 16 designated critical infrastructure (CI) sectors are all potentially at risk, including manufacturing and energy, emergency services and healthcare, as well as transportation, food, and water systems.
These sectors are considered critical because attacks on facilities in any one of them could cause widespread disruption and threaten national security.
Why is critical infrastructure undefended?
The security bulletin says that cyberattacks on CI facilities are likely to target internet-accessible, operational technology (OT) assets. The alert mentions several factors that explain the heightened vulnerability of these assets.
For one thing, there are simply more of these networked operational technology assets than ever before, increasing the attack surface available to threat actors. The surge in networked OT is due to the growing decentralization of many companies, which are allowing more employees to work remotely and are outsourcing key operational functions.
Secondly, infrastructure sites often rely on older technologies that were never intended to be connected to the Internet, and which were not designed to resist cyberattacks. These “legacy OT assets” can’t always be easily replaced, and thus pose a danger to the facilities where they are used.
Additionally, there is now a great deal of easily accessible information that can be used to attack OT assets — especially older ones. There are databases of common vulnerabilities, repositories containing ready-to-use exploits, and even IoT search engines that can locate exposed devices.
Finally, many critical infrastructure workers don’t realize that they face a serious and growing threat, perhaps because these types of cyberattacks were not very common in the past. However, as the CISA/NSA alert notes, threat actors are now targeting infrastructure with greater frequency, meaning that the time for complacency is over.
Who is behind the attacks?
The alert does not specify which particular threat actors are to blame, but mentions “foreign powers attempting to do harm to U.S. interests or retaliate for perceived U.S. aggression”.
This suggests that the government is worried about the militaries or intelligence agencies of nation states that have an adversarial relationship with the United States, as well as Advanced Persistent Threat (APT) groups sponsored by these states. Given the current tensions between the US and China, Iran, and North Korea, it’s not too difficult to surmise who the government may be thinking of. One recent Wired report calls out Russia’s GRU military intelligence agency in particular, implicating them in a 2019 attack on the U.S. energy sector.
What are the attack vectors
The threat summary in the CISA/NSA alert mentions several recently observed tactics used by attackers.
These include targeted phishing attacks aimed at gaining access to internal company networks, using commercially available, “off-the-shelf” ransomware to encrypt key files; and accessing exposed industrial control systems in order to disrupt operations.
How should CI facilities respond?
The CISA/NSA alert provides detailed recommendations for how CI facilities can mitigate their risks:
Create an OT resilience plan
Organizations should be prepared to respond to a cyberattack. This means being ready to disconnect networked assets quickly, and being able to switch to manual operation if industrial control systems are knocked offline. It also means having a mitigation plan in place, so that normal function can be restored quickly in the aftermath of an incident. To this end, CI facilities should create backups of important IT, industrial technology, and business resources.
Practice incident response
Organizations should create and practice their incident response plan. The government suggests doing this through a tabletop exercise involving executives, IT/OT managers, public relations officers, and legal teams. Such an exercise can help organizations identify key decisions that will need to be made, and the decision makers who will be authorized to make them, well in advance of an incident.
Harden networks against attack
The government recommends that CI facilities reduce the exposure of OT assets as much as possible, and restrict access to networks to only those individuals who have legitimate reasons to use them. In addition, organizations should rigorously enforce general cybersecurity best practices like software patching, use of VPNs and encryption, and good password security for all remote access and user accounts.
Create an OT map
Organizations should create a map of their OT infrastructure and then double-check the map to ensure its accuracy. This means mapping the OT network, identifying and making an inventory of OT assets, and understanding which communication protocols are used on the network.
Assess OT risks
Once an organization has mapped its network and inventoried its OT assets, it should perform a thorough risk assessment. Possible resources that can help with this include advisories from OT device vendors, government alerts and warnings, and public databases of known vulnerabilities. If vulnerabilities are found, organizations should make use of the available mitigations (for example, software patches or recommended secure settings).
Monitor systems for irregular activity
Lastly, critical infrastructure facilities should routinely monitor their systems for any signs of abnormal activity. This includes logging and reviewing external connections to the network, and watching for any unexpected or unauthorized changes to industrial control systems.
There is an increased risk to critical infrastructure sectors, but the good news is that public awareness of the problem is growing. If you know someone who works in one of the 16 critical industry sectors, please consider sharing the CISA/NSA alert (or this article) with them.