
US tells CNI orgs to stop connecting OT kit to the web
The US authorities have released new guidance for owners of critical national infrastructure in the face of an undisclosed number of cyber incidents.
A growing number of ongoing cyber incidents affecting American operators of critical national infrastructure has prompted a new cross-agency warning from the US authorities, with the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Environmental Protection Agency (EPA) and Department of Energy (DOE) all weighing in.
In a jointly-penned advisory, the organisations said that they were “aware of cyber incidents” affecting the operational technology (OT) and industrial control systems (ICS) of CNI operators.
“The authoring organisations urge critical infrastructure entities to review and act now to improve their cyber security posture against cyber threat activities specifically and intentionally targeting internet connected OT and ICS,” said the advisory’s authors.
OT systems are incredibly easy targets for state-backed and financially-motivated threat actors alike when connected to the internet because they often lack up-to-date authentication and authorisation methods and can be found quickly by running searches for open ports on public IP ranges.
“Cyber threat actors use simple, repeatable, and scalable toolsets available to anyone with an internet browser,” said CISA.
“Critical infrastructure entities should identify their public-facing assets and remove unintentional exposure.”
Sean Tufts, managing partner for critical infrastructure and operational technology at Optiv, a security consultancy, said: “The industry has been working diligently on auditing N/S [North/South] traffic on the firewalls. We’ve seen great improvement in finding these connections and cutting them.
“What is currently left are mission-critical applications like SAP. This is especially true in manufacturing, where workflow management has digitally transformed faster than security could keep up. Ensuring these connections are correctly configured and architected is a task measured in years, not days,” he added.
Detailed advice
The full advisory contains additional guidelines on securing OT and ICS estates. These include:
- Changing default passwords where possible and using strong, unique passwords. Current trends suggest that the targeted systems all use default or easily guessable passwords, so this is particularly important on internet-facing devices that can control OT systems or processes.
- Securing remote access to OT networks. Many CNI bodies or their contractors appear to have made risky trade-offs when implementing remote access, and it is now time to re-evaluate those. If remote access is a must, private IP network connections and VPNs should be used, together with phishing-resistant multifactor authentication (MFA). CNI operators should also reassess who truly needs access to what, and clear out dormant or unused accounts.
- Segmenting the IT and OT networks, keeping critical systems apart with a so-called ‘demilitarised zone’ (DMZ) between them through which control data is passed to enterprise logistics systems. This limits the potential impact of an incident and reduces the risk of disruption to OT operations should an attacker try to come in via the IT estate.
- Practising and maintaining the ability to operate OT systems manually, so that operations can be stood up again quickly if there is an incident.
- Keeping channels of communication open with managed service providers, system integrators and system manufacturers, who may be able to provide system-specific guidance for more obscure assets or help address misconfigurations.
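The advisory's first three items (remove unintentional exposure, replace default passwords, and put remote access behind a VPN with phishing-resistant MFA and a DMZ between IT and OT) can be checked against an asset inventory. The script below is an added illustration written for this article, not code from CISA or the advisory; the inventory records, the field names, the default-password list and the RFC 1918 "internal" ranges are all assumptions constructed for the example.

```python
import ipaddress

# RFC 1918 ranges; for this audit anything outside them is treated as internet-reachable
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed list of default-style passwords, illustrative only
DEFAULT_PASSWORDS = {"admin", "password", "1234", "12345", "default", ""}

# Constructed sample inventory (not real assets). "inbound_from" lists the zones whose
# traffic the firewall lets reach the device; "mfa" means phishing-resistant MFA is in
# place. 203.0.113.x is a documentation range used as a stand-in for a public address.
SAMPLE_INVENTORY = [
    {"name": "plc-01", "ip": "203.0.113.10", "zone": "ot", "password": "admin",
     "inbound_from": ["internet"], "remote_access": {"enabled": True, "vpn": False, "mfa": False}},
    {"name": "hmi-02", "ip": "10.20.1.5", "zone": "ot", "password": "Xk9!vLp2#qRtWz",
     "inbound_from": ["dmz"], "remote_access": {"enabled": True, "vpn": True, "mfa": True}},
    {"name": "hist-03", "ip": "10.20.5.7", "zone": "ot", "password": "1234",
     "inbound_from": ["it"], "remote_access": {"enabled": False, "vpn": False, "mfa": False}},
]

def outside_internal_ranges(ip):
    """True when the address is not in any RFC 1918 range, i.e. findable by internet-wide scans."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def weak_password(pw):
    """Flag default-style or short passwords, which the advisory links to the current incidents."""
    return pw.lower() in DEFAULT_PASSWORDS or len(pw) < 12

def audit_asset(asset):
    """Return short tags for each advisory item the asset fails (empty list means no findings)."""
    findings = []
    if outside_internal_ranges(asset["ip"]) or "internet" in asset["inbound_from"]:
        findings.append("public-facing")
    if weak_password(asset["password"]):
        findings.append("default-or-weak-password")
    ra = asset["remote_access"]
    if ra["enabled"] and not ra["vpn"]:
        findings.append("remote-access-without-vpn")
    if ra["enabled"] and not ra["mfa"]:
        findings.append("remote-access-without-phishing-resistant-mfa")
    if asset["zone"] == "ot" and "it" in asset["inbound_from"]:
        findings.append("it-to-ot-without-dmz")  # IT traffic should transit a DMZ, not hit OT directly
    return findings

def audit_inventory(inventory):
    return {a["name"]: audit_asset(a) for a in inventory}

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {', '.join(findings) if findings else 'no findings'}")
```

A real inventory export would replace SAMPLE_INVENTORY; the tags map one-to-one onto the advisory items, so each finding points at the remediation to apply.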
Your systems are defenceless
“Critical infrastructure systems are being targeted not because the attackers are sophisticated, but because the systems are defenceless,” said Nic Adams, co-founder and CEO at 0rcus, a threat intelligence specialist.
“The threat is pure operational negligence. If your control layer can be accessed without physical proximity, isolated network design, and verified authentication, it is functionally compromised. Breaches now announce themselves with subtle logic changes, unauthorised sessions, or misconfigurations missed during commissioning. Look past malware. Treat every control asset as a live-fire target. If you haven’t tested under adversarial pressure, it won’t even come close to holding.”
Adams warned that CNI organisations that aren’t prepared to make the recommended changes risked “becoming the next headliner and laughing stock”.