Agency Warns Attackers Could Use IT Exploits to Pivot to OT Systems
The U.S. National Security Agency is offering operational technology security guidance for the Defense Department as well as third-party military contractors and others in the wake of the SolarWinds supply chain attack.
In the warning, the NSA notes that a stand-alone, unconnected, or “islanded,” OT system is safer from outside threats than one connected to an enterprise IT system with external connectivity. Each connection between an IT system and an isolated OT system increases the attack surface, so administrators should ensure only the most imperative IT-OT connections are allowed and that these are hardened to the greatest extent possible to prevent a possible attack.
The NSA also notes that unpatched or exploitable vulnerabilities in IT systems can allow attackers to pivot to OT systems, increasing the risk of an attack that could affect industrial control systems or supervisory control and data acquisition systems that support critical infrastructure networks.
“An example of this type of threat includes recent adversarial exploitation of IT management software and its supply chain in the SolarWinds compromise with publicly documented impacts to OT, including U.S. critical infrastructure,” the NSA notes.
The NSA advises that administrators should holistically evaluate the value against risk and cost for enterprise IT-to-OT connectivity. It provides guidance for a pragmatic evaluation methodology to assess how to best improve OT and control system cybersecurity, recommending several steps that organizations can take to enhance OT security. These include:
- Cryptographically protecting all access vectors and logging all access attempts from vendors or any outsourced OT asset support, remote connections, internal access – especially via open, unmanaged networks – and direct physical access;
- Disconnecting all remote access connections until there is active monitoring in place;
- Creating an OT network map and device settings baseline and validating all equipment on the network;
- Assessing and prioritizing OT network cybersecurity needs to identify required mitigations and then deploying cyber-hardening strategies.
While the NSA report did not list specific attack scenarios, the agency notes the supply chain attack that affected SolarWinds and 18,000 customers, with follow-on attacks on nine federal agencies and 100 companies, should serve as an example of the risk when connecting IT and OT systems.
In April, the Biden administration formally accused Russia’s Foreign Intelligence Service, or SVR, of conducting the attack on SolarWinds. In addition to the White House announcing sanctions, the NSA, along with the FBI and the Cybersecurity and Infrastructure Security Agency, published a list of tools and techniques that the Russian spy agency uses to target governments and other organizations (see: US Pulls Back Curtain on Russian Cyber Operations).
Later, CISA and the FBI warned that the SVR will likely continue to target vulnerable networks and that attackers have changed their tactics in recent years to target more cloud resources to access email and other valuable resources (see: FBI, CISA Warn of Ongoing Russian Cyberthreats).
CISA and the National Institute of Standards and Technology recently released a report providing insights on how to enhance supply chain security in the wake of the SolarWinds attack (see:
Tips on Enhancing Supply Chain Security).