OT Security Guidance in Wake of SolarWinds Attack

Agency Warns Attackers Could Use IT Exploits to Pivot to OT Systems

The U.S. National Security Agency is offering operational technology security guidance for the Defense Department as well as third-party military contractors and firms in the wake of the attack that targeted SolarWinds in 2020.


In the warning issued this week, the NSA notes that a standalone, unconnected (“islanded”) OT system is safer from outside threats than one connected to an enterprise IT system(s) with external connectivity. Each connection between an information technology system and a traditionally isolated OT system increases the attack surface, so administrators should ensure only the most imperative IT-OT connections are allowed, and that these are hardened to the greatest extent possible to prevent a possible attack.


The NSA also notes that unpatched or exploitable vulnerabilities in IT systems can allow attackers to pivot to OT systems, increasing the risk of an attack that could affect industrial control systems or supervisory control and data acquisition systems that support critical infrastructure networks.


“An example of this type of threat includes recent adversarial exploitation of IT management software and its supply chain in the SolarWinds compromise with publicly documented impacts to OT, including U.S. critical infrastructure,” the NSA notes.


NSA Recommendations

The NSA advises that administrators should holistically evaluate the value versus risk versus cost for enterprise IT-to-OT connectivity. It provides guidance for a pragmatic evaluation methodology to assess how to best improve OT and control system cybersecurity, recommending several steps that organizations can take to enhance OT security. These include:

  • Cryptographically protecting all access vectors and logging all access attempts from vendors or any outsourced OT asset support, remote connections, internal access, especially via open, unmanaged networks, and direct physical access.
  • Disconnecting all remote access connections until there is active monitoring in place.
  • Creating an OT network map and device settings baseline, and validating all equipment on the network.
  • Assessing and prioritizing OT network cybersecurity needs to identify required mitigations and then deploying cyber-hardening strategies.
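One way to act on the network-map and device-baseline recommendation above: compare a passively gathered device inventory against the approved baseline and report unknown devices, configuration drift, unexpected services and missing equipment. This is an added example, not part of the NSA guidance or this article; the MAC addresses, IPs, firmware versions and port numbers are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    """One entry in the OT network map / device settings baseline."""
    mac: str
    ip: str
    firmware: str
    services: frozenset  # TCP ports the device is expected to expose

# Constructed baseline: what the approved OT network map says should exist.
BASELINE = {
    "00:1d:9c:aa:00:01": Device("00:1d:9c:aa:00:01", "10.20.0.10", "2.4.1", frozenset({502})),
    "00:1d:9c:aa:00:02": Device("00:1d:9c:aa:00:02", "10.20.0.11", "2.4.1", frozenset({502})),
    "00:80:f4:bb:00:03": Device("00:80:f4:bb:00:03", "10.20.0.20", "7.1.0", frozenset({44818})),
}

# Constructed observed inventory, e.g. gathered by passive monitoring.
OBSERVED = [
    Device("00:1d:9c:aa:00:01", "10.20.0.10", "2.4.1", frozenset({502})),
    Device("00:1d:9c:aa:00:02", "10.20.0.11", "2.3.9", frozenset({502, 80})),  # firmware changed, extra service
    Device("00:50:56:cc:00:04", "10.20.0.99", "unknown", frozenset({22})),     # not in the baseline
]

def validate(baseline, observed):
    """Return (mac, issue, detail) findings; an empty list means the network matches the baseline."""
    findings = []
    seen = set()
    for dev in observed:
        seen.add(dev.mac)
        ref = baseline.get(dev.mac)
        if ref is None:
            findings.append((dev.mac, "unknown-device", f"{dev.ip} not in OT network map"))
            continue
        if dev.ip != ref.ip:
            findings.append((dev.mac, "ip-changed", f"{ref.ip} -> {dev.ip}"))
        if dev.firmware != ref.firmware:
            findings.append((dev.mac, "firmware-drift", f"{ref.firmware} -> {dev.firmware}"))
        extra = dev.services - ref.services
        if extra:
            findings.append((dev.mac, "unexpected-service", ",".join(map(str, sorted(extra)))))
    for mac in sorted(baseline.keys() - seen):
        findings.append((mac, "missing-device", "baselined device not observed"))
    return findings

if __name__ == "__main__":
    for finding in validate(BASELINE, OBSERVED):
        print(*finding)
```

Each finding maps to one of the guidance points: unknown or missing devices break the network map, while firmware drift and unexpected services indicate a deviation from the settings baseline that should be investigated before trusting the device.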


SolarWinds Hack


While the NSA report did not list specific attack scenarios, the agency notes the supply chain attack that affected SolarWinds and its customers, including nine federal agencies and 100 private sector firms, should serve as an example of the risk when connecting IT and OT systems.


In April, the Biden administration formally accused Russia’s Foreign Intelligence Service, or SVR, of conducting the attack on SolarWinds. In addition to the White House announcing sanctions, the NSA, along with the FBI and the Cybersecurity and Infrastructure Security Agency, published a list of tools and techniques that the Russian spy agency uses to target governments and other organizations (see: US Pulls Back Curtain on Russian Cyber Operations).

Later, CISA and the FBI warned that the SVR will likely continue to target vulnerable networks and that attackers have changed their tactics in recent years to target more cloud resources to access email and other valuable resources (see: FBI, CISA Warn of Ongoing Russian Cyberthreats).


This week, CISA and the National Institute of Standards and Technology released a report providing insights on how to enhance supply chain security in the wake of the SolarWinds attack (see: Tips on Enhancing Supply Chain Security).
