Sep 29, 2022

CISA Alert (AA22-265A): Control System Defenses: Know the Opponent. Know their steps.


“To know your enemy, you must become your enemy.” Sun Tzu, regarded as one of the greatest military strategists of all time, certainly did not live in the hyper-connected and cyberthreat-laden times of today, but we would all benefit from some of his more profound teachings. And it seems some of his teachings have made their way into CISA.

For those who do not know CISA, the Cybersecurity and Infrastructure Security Agency (CISA) is an agency of the United States Department of Homeland Security (DHS) that is responsible for strengthening cybersecurity and infrastructure protection across all levels of government, coordinating cybersecurity programs with U.S. states, and improving the government’s cybersecurity protections against private and nation-state hackers. On September 22, 2022, CISA laid out some fundamental facts within Alert (AA22-265A) that should form the foundation for protecting OT/ICS systems and components:

  • OT components continue being connected to information technology (IT) and the Internet.
  • IT exploitation increasingly serves as a pivot to OT, yielding destructive effects.
  • Many OT assets and control systems installed and used are past end-of-life and operated without sufficient resources.
  • A multitude of tools are readily available to exploit IT and OT systems.
  • As a result, a risk analysis of cross-domain connections (e.g., IT-to-OT, Internet-to-OT) and of all currently connected OT assets is recommended.

Without direct action to harden OT networks and control systems against vulnerabilities introduced through IT and business network intrusions, OT system owners and operators will remain at indefensible levels of risk.

Let’s start with Sun Tzu to understand our enemy’s 5 steps into our ICS and OT environments:

1. Effects and targets: APT actors, or state-sponsored actors, are looking to create chaos, sow discord, or destabilize leadership. To do so, they typically identify critical assets within critical infrastructure, such as controllers in marine ports, energy generation/distribution points, and highly visible targets where a disruption may cause harm, distrust, or psychological or social impact on a community. Conversely, cybercriminals are looking for a payoff and are more than happy to find high-value targets anywhere within an organization to extort their owners. While there may have been a wide gap in the past, the difference in skills, backing, and training between the two is narrowing.

WHAT TO DO: Define your critical protect-surfaces. Not all systems and components are created equal. Begin by identifying the most critical surfaces and grow to incorporate additional surfaces over time. Within OT, this may be a bank of Windows machines that allow for remote access into a PLC segment where third party lateral connections are established for maintenance and support. Within IT, this may be north-south assets that allow for pivoting from IT into OT, especially if IT connections to the Internet are present.

ARMIS CLIENTS: Group critical process devices and their dependencies into boundaries by leveraging features found within ‘Sites’ and ‘Boundaries’. Using both the ‘connections’ and ‘IP connections’ features, identify and track all connections in/out of these protect-surface boundaries to identify both authorized and unauthorized connections, and their users. Block unauthorized or unneeded connections and evaluate the value vs. risk vs. potential costs of these inter-boundary connections. Contact Armis for additional remediation tactics.

2. Intelligence collecting on the target system: Information about both OT systems and IT technologies is widely available. Publicly available documentation on IT and OT systems and components is not hidden, and that includes default admin credentials.

WHAT TO DO: Never allow for default admin credentials to reside on any asset and continually rotate passwords.

ARMIS CLIENTS: Monitor ‘Risk Factors’, ‘Alerts’, and ‘Activities’ for certificate status, expired passwords, invalid credentials, default credentials, password intercepts, and cleartext credentials; monitor lateral (east-west) movements for insider threats; search ‘Applications’ for unauthorized reconnaissance software such as Nmap or other disavowed applications. Proceed to ‘Vulnerabilities’ and review confirmed vulnerabilities with active exploits found in the wild. Patch if able, and if unable to patch, closely monitor the activities of all devices entering the OT segments. Contact Armis for additional remediation tactics.

3. Developing techniques and tools: Adversaries can be quite resourceful, especially with readily available tools on the dark web. Presuming devices are secure because they run proprietary protocols is a false comfort, as tools are readily available to exploit IT and OT systems. APT actors have also developed tools to scan for, compromise, and control certain Schneider Electric PLCs, OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture (OPC UA) servers.

WHAT TO DO: Acknowledge that standalone, islanded networks are few and far between. Do not presume a posture of security by obscurity. Monitor application usage and ICS traffic to include authorized user access and behavioral anomalies.

ARMIS CLIENTS: Proceed to ‘Applications’ and search for popular mapping tools such as Nmap, SolarWinds, and Spiceworks. Create a Policy to alert to the introduction of these common network mapping tools into the environment, or of their usage. Contact Armis for additional remediation tactics.

4. Gain initial access: Most modern control systems have remote access capabilities that allow third-party vendors and integrators into the systems, and the same holds for work-from-home users, other remote access, and the supply chain. Oftentimes, these points of access into the network are attack vectors for cyber actors. Matters get worse when we add wireless access points to the mix, which draw local actors into the fray.

WHAT TO DO: Audit all third-party access. Ensure there is no path to pivot to high-value targets. Take advantage of VLAN technologies to create safe holding pens for devices as they are introduced into your network, prior to introducing them into the production network. Look for devices with multiple NICs attached to differing networks, creating bridges from ‘A to B’.

ARMIS CLIENTS: Proceed to ‘Applications’ and search for popular mapping tools such as Nmap, SolarWinds, and Spiceworks. Create a Policy to alert to the introduction of these common network mapping tools into the environment, or of their usage. Create a Policy to alert when new devices connect to any wired or wireless network. Create Policies that alert on malicious IPs and domains, inclusive of Shodan. Create Policies that alert on Port Scans. Contact Armis for additional remediation tactics.
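The cross-domain risk analysis CISA recommends, tracking connections in and out of the protect-surface boundaries from step 1 and spotting the ‘A to B’ bridge devices from step 4, can be scripted against an exported asset inventory. The following Python is an added illustration, not code from Armis or CISA; the boundary ranges, the sanctioned RDP jump-host path, and the sample connections and devices are all constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Hypothetical boundaries; a real site would export these from its asset inventory.
BOUNDARIES = {"IT": ip_network("10.1.0.0/16"), "OT": ip_network("10.20.0.0/16")}
# Sanctioned cross-boundary paths as (src boundary, dst boundary, dst port);
# the RDP jump-host path below is a hypothetical example.
ALLOWED_PATHS = {("IT", "OT", 3389)}

def boundary_of(addr):
    """Map an address to its boundary; anything outside the listed ranges is EXTERNAL."""
    ip = ip_address(addr)
    for name, net in BOUNDARIES.items():
        if ip in net:
            return name
    return "EXTERNAL"

def audit_connections(connections):
    """Return cross-boundary connections that are not on the allowlist."""
    findings = []
    for c in connections:
        src_b, dst_b = boundary_of(c["src"]), boundary_of(c["dst"])
        if src_b != dst_b and (src_b, dst_b, c["dport"]) not in ALLOWED_PATHS:
            findings.append((f"{src_b}->{dst_b}", c["src"], c["dst"], c["dport"], c["user"]))
    return findings

def find_bridges(inventory):
    """Devices whose NICs sit in more than one boundary form an 'A to B' bridge."""
    return [(dev, sorted({boundary_of(a) for a in addrs}))
            for dev, addrs in inventory.items()
            if len({boundary_of(a) for a in addrs}) > 1]

# Constructed sample data (not real traffic or devices).
SAMPLE_CONNECTIONS = [
    {"src": "10.1.4.7", "dst": "10.20.5.10", "dport": 3389, "user": "vendor1"},  # sanctioned
    {"src": "10.1.4.7", "dst": "10.20.5.10", "dport": 502, "user": "vendor1"},   # Modbus from IT
    {"src": "10.20.5.10", "dst": "203.0.113.9", "dport": 443, "user": "-"},      # OT to external
    {"src": "10.20.5.10", "dst": "10.20.5.11", "dport": 502, "user": "-"},       # intra-OT, ignored
]
SAMPLE_INVENTORY = {
    "eng-ws-01": ["10.1.4.7"],
    "hmi-03": ["10.20.5.10", "10.1.9.22"],  # dual-homed across IT and OT
}

if __name__ == "__main__":
    for f in audit_connections(SAMPLE_CONNECTIONS):
        print("unsanctioned cross-boundary connection:", f)
    for dev, bounds in find_bridges(SAMPLE_INVENTORY):
        print("bridge device:", dev, bounds)
```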

5. Execution: The disruption, disabling, denying, and/or destruction of the system, to achieve intended results. This might include the degradation of the monitoring of a target system (Manipulation of View [T0832]), operation of the control system (Manipulation of Control [T0831]), SCADA impairment (Block Reporting Message [T0804], Denial of View [T0815]), denial of control (Denial of Control [T0813]), or theft of operational information (Theft of Operational Information [T0882]).

WHAT TO DO: Monitor industrial control commands and anomalous behaviors coming from unauthorized machines, unauthorized users, commands occurring outside of change control, and multiple reset, errors, and mode changes in critical infrastructure.

ARMIS CLIENTS: Proceed to ‘Activities’ and review ‘Activity Types’ such as restricted connections (set policies to identify these connections), application usage, credentials, PLC edits, Modbus connections, and industrial protocol activities and commands. Proceed to ‘Users’, group the authorized users that interface with OT devices into an ‘Allow Policy’, and alert on unauthorized users who attempt to attach to critical infrastructure. Enable the MITRE ATT&CK for ICS framework Policy library. Contact Armis for additional remediation tactics.
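As an added illustration of the monitoring that step 5 calls for (not code from Armis or CISA), the following Python runs over constructed control-activity log lines and flags writes from unauthorized host/user pairs, writes outside a change-control window, and bursts of mode changes or resets against a single controller. The log format, the allowlists, the maintenance window and the burst thresholds are all assumptions.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Hypothetical allowlists and maintenance window; a real site derives these
# from change-control records. Timestamps are UTC.
AUTHORIZED_WRITERS = {("eng-ws-01", "eng1")}            # (host, user) pairs
CHANGE_WINDOWS = [(datetime(2022, 9, 22, 8), datetime(2022, 9, 22, 10))]
WRITE_FUNCS = {"write_register", "write_coil", "set_mode", "reset"}
MODE_CHANGE_LIMIT, MODE_CHANGE_SPAN = 3, timedelta(minutes=5)

LINE_RE = re.compile(r"(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                     r"dst=(?P<dst>\S+) func=(?P<func>\S+)")

def parse(line):
    ev = LINE_RE.match(line).groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].rstrip("Z"))
    return ev

def audit_activity(lines):
    """Return (timestamp, reason, subject) for anomalous control commands."""
    findings, recent = [], {}   # recent: dst -> deque of mode-change times
    for ev in map(parse, lines):
        if ev["func"] not in WRITE_FUNCS:
            continue   # reads from HMIs and historians are expected
        if (ev["host"], ev["user"]) not in AUTHORIZED_WRITERS:
            findings.append((ev["ts"], "write from unauthorized host/user", ev["host"]))
        if not any(s <= ev["ts"] <= e for s, e in CHANGE_WINDOWS):
            findings.append((ev["ts"], "write outside change control", ev["host"]))
        if ev["func"] in {"set_mode", "reset"}:
            q = recent.setdefault(ev["dst"], deque())
            q.append(ev["ts"])
            while ev["ts"] - q[0] > MODE_CHANGE_SPAN:
                q.popleft()   # drop mode changes older than the sliding window
            if len(q) >= MODE_CHANGE_LIMIT:
                findings.append((ev["ts"], "repeated mode changes/resets", ev["dst"]))
    return findings

# Constructed sample activity log (not real traffic).
SAMPLE_LOG = [
    "2022-09-22T09:00:00Z host=hmi-03 user=op2 dst=plc-01 func=read_register",
    "2022-09-22T09:05:00Z host=eng-ws-01 user=eng1 dst=plc-01 func=write_register",
    "2022-09-22T11:30:00Z host=eng-ws-01 user=eng1 dst=plc-01 func=write_coil",
    "2022-09-22T11:31:00Z host=vendor-lt user=svc dst=plc-02 func=set_mode",
    "2022-09-22T11:32:00Z host=vendor-lt user=svc dst=plc-02 func=reset",
    "2022-09-22T11:33:00Z host=vendor-lt user=svc dst=plc-02 func=set_mode",
]
```

Calling audit_activity(SAMPLE_LOG) yields one finding for the authorized engineer writing outside the window and a cluster for the vendor laptop, ending with the repeated mode-change alert on plc-02.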

As system owners and operators, we cannot prevent a malicious actor from targeting our systems. Understanding that being targeted is not an “if” but a “when” is essential. By assuming that the system is being targeted and predicting the effects that a malicious actor would intend to cause we can employ and prioritize mitigation actions. It all starts with identifying the initial system and all its sub-components within a protect surface. Once we find success, repeating across the broader OT landscape gets easier each time.

Armis is Ready to Help.

Existing customers can follow the guidelines above or reach out to your existing Armis support teams for additional customization.

Additional mitigation details can be found within CISA Alert AA22-265A. Additional advisory details on Stopping Malicious Cyber Activity Against Connected Operational Technology can be found within the National Security Agency (NSA) Cybersecurity Advisory of that name.
