https://www.computerweekly.com/news/366623645/US-tells-CNI-orgs-to-stop-connecting-OT-kit-to-the-web
A growing number of ongoing cyber incidents affecting US operators of critical national infrastructure has prompted a cross-agency warning from the US authorities, with the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation, the Environmental Protection Agency, and the Department of Energy all weighing in.
In a jointly penned advisory, the organisations said they were “aware of cyber incidents” affecting the operational technology (OT) and industrial control systems (ICS) of CNI operators.
“The authoring organisations urge critical infrastructure entities to review and act now to improve their cyber security posture against cyber threat activities specifically and intentionally targeting internet connected OT and ICS,” said the advisory’s authors.
OT systems are incredibly easy targets for state-backed and financially motivated threat actors alike when connected to the internet, because they often lack up-to-date authentication and authorisation methods and can be found quickly by running searches for open ports on public IP ranges.
“Cyber threat actors use simple, repeatable and scalable toolsets available to anyone with an internet browser,” said CISA. “Critical infrastructure entities should identify their public-facing assets and remove unintentional exposure.”
Sean Tufts, managing partner for critical infrastructure and operational technology at Optiv, a security consultancy, said: “The industry has been working diligently on auditing N/S [North/South] traffic on the firewalls. We’ve seen great improvement in finding these connections and cutting them.
“What is currently left are mission-critical applications like SAP,” he added. “This is especially true in manufacturing, where workflow management has digitally transformed faster than security could keep up. Ensuring these connections are correctly configured and architected is a task measured in years, not days.”
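The North/South firewall audit Tufts describes, and the advisory's call to "identify public-facing assets and remove unintentional exposure", can be started from the firewall rule base itself. The following is an added example, not code from the advisory or from Optiv: it assumes a simplified rule format (name, action, source CIDR, destination CIDR, destination port), treats only RFC 1918 sources as internal, and uses a constructed rule list plus a hypothetical table of well-known OT/ICS protocol ports.

```python
import ipaddress
from dataclasses import dataclass

# Well-known OT/ICS protocol ports (selection for illustration; extend from your asset inventory).
OT_PORTS = {
    102: "Siemens S7 (ISO-TSAP)",
    502: "Modbus/TCP",
    2404: "IEC 60870-5-104",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}

# RFC 1918 ranges; anything not wholly inside these is treated as reachable from the internet.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Rule:
    name: str
    action: str   # "allow" or "deny"
    src: str      # source CIDR (IPv4 assumed)
    dst: str      # destination CIDR (OT host or subnet)
    dport: int    # destination TCP/UDP port

def is_internet_source(cidr: str) -> bool:
    """True unless the source network sits entirely within a private range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.subnet_of(p) for p in PRIVATE)

def find_exposed_ot(rules):
    """Return (rule name, protocol) for allow rules that let non-private sources reach an OT port."""
    findings = []
    for r in rules:
        if r.action != "allow" or r.dport not in OT_PORTS:
            continue
        if is_internet_source(r.src):
            findings.append((r.name, OT_PORTS[r.dport]))
    return findings

# Constructed sample rule base (not real infrastructure).
SAMPLE_RULES = [
    Rule("vpn-to-hmi", "allow", "10.20.0.0/16", "192.168.50.10/32", 502),        # internal only
    Rule("vendor-remote-plc", "allow", "0.0.0.0/0", "192.168.50.20/32", 102),    # open to the world
    Rule("scada-historian", "allow", "203.0.113.0/24", "192.168.50.30/32", 20000),  # public source
    Rule("block-all", "deny", "0.0.0.0/0", "192.168.50.0/24", 502),              # deny, not flagged
]

if __name__ == "__main__":
    for name, proto in find_exposed_ot(SAMPLE_RULES):
        print(f"EXPOSED: rule '{name}' permits internet access to {proto}")
```

Rules that permit "any" destination port, or that sit behind NAT forwarding, need a separate check; this pass only catches explicit port-level exposure.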
The full advisory – which can be downloaded here – contains additional guidelines on securing OT and ICS estates. These include:
Nic Adams, co-founder and CEO at 0rcus, a threat intelligence specialist, said: “Critical infrastructure systems are being targeted not because the attackers are sophisticated, but because the systems are defenceless.
“The threat is pure operational negligence,” he said. “If your control layer can be accessed without physical proximity, isolated network design and verified authentication, it is functionally compromised. Breaches now announce themselves with subtle logic changes, unauthorised sessions or misconfigurations missed during commissioning.
“Look past malware,” said Adams. “Treat every control asset as a live-fire target. If you haven’t tested under adversarial pressure, it won’t even come close to holding.”
He warned that CNI organisations that aren’t prepared to make the recommended changes risked “becoming the next headliner and laughing stock”.
08 May 2025