alexandrink1966 - stock.adobe.co
US tells CNI orgs to stop connecting OT kit to the web
US authorities have released guidance for owners of critical national infrastructure in the face of an undisclosed number of cyber incidents
A growing number of ongoing cyber incidents affecting US operators of critical national infrastructure has prompted a cross-agency warning from the US authorities, with the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation, the Environmental Protection Agency, and the Department of Energy all weighing in.
In a jointly penned advisory, the organisations said they were “aware of cyber incidents” affecting the operational technology (OT) and industrial control systems (ICS) of CNI operators.
“The authoring organisations urge critical infrastructure entities to review and act now to improve their cyber security posture against cyber threat activities specifically and intentionally targeting internet connected OT and ICS,” said the advisory’s authors.
OT systems are incredibly easy targets for state-backed and financially motivated threat actors alike when connected to the internet, because they often lack up-to-date authentication and authorisation methods and can be found quickly by running searches for open ports on public IP ranges.
“Cyber threat actors use simple, repeatable and scalable toolsets available to anyone with an internet browser,” said CISA. “Critical infrastructure entities should identify their public-facing assets and remove unintentional exposure.”
Sean Tufts, managing partner for critical infrastructure and operational technology at Optiv, a security consultancy, said: “The industry has been working diligently on auditing N/S [North/South] traffic on the firewalls. We’ve seen great improvement in finding these connections and cutting them.
“What is currently left are mission-critical applications like SAP,” he added. “This is especially true in manufacturing, where workflow management has digitally transformed faster than security could keep up. Ensuring these connections are correctly configured and architected is a task measured in years, not days.”
Detailed advice
The full advisory – which can be downloaded here – contains additional guidelines on security OT and ICS estates. These include:
- Changing default passwords where possible and using strong, unique passwords – current trends seem to suggest that targeted systems all use default or easily guessable passwords. This is particularly important to do on public-facing internet devices that can control OT systems or processes.
- Securing remote access to OT networks – many CNI bodies or their contractors seem to have been making risky trade-offs when implementing remote access, and it is now time to reevaluate those. If remote access is a must, private IP network connections and VPNs should be used, as well as phishing-resistant multi-factor authentication. CNI operators may also like to consider reassessing who truly needs access to what, and to clear out dormant or unused accounts.
- Segmenting the IT and OT networks – to keep critical systems apart with a so-called “demilitarised zone” to pass control data to enterprise logistics. This cuts down the potential impact of incidents and reduces the risk of disruption to OT operations should a hacker try to come in via the IT estate.
- Practicing and maintaining the ability to operate OT systems manually – so that operations can be stood up again quickly if there is an incident.
- Keeping channels of communication open to their managed service providers, system integrators and system manufacturers – they may be able to help provide system-specific guidance for more obscure assets or help address misconfigurations.
Your systems are defenceless
Nic Adams, co-founder and CEO at 0rcus, a threat intelligence specialist, said: “Critical infrastructure systems are being targeted not because the attackers are sophisticated, but because the systems are defenceless.
“The threat is pure operational negligence,” he said. “If your control layer can be accessed without physical proximity, isolated network design and verified authentication, it is functionally compromised. Breaches now announce themselves with subtle logic changes, unauthorised sessions or misconfigurations missed during commissioning.
“Look past malware,” said Adams. “Treat every control asset as a live-fire target. If you haven’t tested under adversarial pressure, it won’t even come close to holding.”
He warned that CNI organisations that aren’t prepared to make the recommended changes risked “becoming the next headliner and laughing stock”.
Read more about security for the CNI sector
- GCHQ’s National Cyber Security Centre warns that a growing ‘digital divide’ between organisations that can keep pace with AI-enabled threats and those that cannot is set to heighten the UK’s overall cyber risk.
- Elements of the Cyber Security and Resilience Bill are welcome but questions remain about how best to act in the face of persistent challenges like geopolitical chaos, threats to critical infrastructure, and technological advances.
- The NCSC, CISA and others have set out 12 cyber security considerations CNI organisations and other users of operational technology should incorporate into their buying processes to force their suppliers to do better.
Read more on Regulatory compliance and standard requirements
-
![]()
Revealed: How Russia’s Sandworm ramped up attacks on Ukraine’s critical infrastructure
By: Alex Scroxton
-
![]()
CISA, NSA Provide OT, ICS Defense Strategies to Critical Infrastructure
By: Jill McKeon
-
![]()
CNI leaders’ attitude to ransomware lackadaisical at best
By: Alex Scroxton
-
![]()
Operational Technology (OT) Security Risks, Best Practices in Healthcare
By: Jill McKeon
