On the heels of a few high-profile cybersecurity breaches in the civilian sector comes a pointed operational technology/industrial control systems advisory published jointly by CISA and the NSA. In contrast to the bland title, “Control System Defense: Know the Opponent,” the advisory gives the sense that CISA has grown tired of ringing the control system cybersecurity bell, something it has been doing since at least 2009. According to Tom Temin of the Federal News Network, though, protecting the software we rely upon has been on politicians’ minds since the ’90s.
OT/ICS assets that control critical infrastructure, from nuclear power plants to water processing to the air conditioning in government facilities, have always been targets. With the merging of IT and OT/ICS over at least the past decade and a half, the attack surfaces of these critical systems have increased exponentially.
It’s also critical that these systems keep running “despite the fact that many systems are decades old and use insecure protocols and architectures,” which requires nonstandard interface and protocol support, while the vendors that made the equipment may no longer exist.
It isn’t any secret that much of the United States’ critical-for-society-to-function infrastructure is out of date. Nor is it a secret that well-funded malicious actors are more than capable when it comes to disrupting critical sectors. We’ve seen the Russian attack on Ukraine’s electric grid and the 2017 NotPetya attack on Maersk that resulted in Los Angeles’ busiest port shutting down for two weeks.
Furthermore, design and device information is publicly available or easily obtained through job listings and interviews that specify certifications and equipment knowledge. Open-source intelligence (OSINT) also makes it simple to track down emails, names, software in use, or remote access points. Shodan is a fun tool.
Thankfully, CISA’s advisory doesn’t just point at the problem and say “hey, doesn’t that look terrible?” It also lays out the tactics, techniques, and procedures that many cyber actors use, along with mitigations. For anyone who remembers David Bianco’s Pyramid of Pain, it explains that one of the most effective ways to thwart attackers is to disrupt their game plan: make their tools and information useless so they’re back to square one.
But what’s the use of an advisory if the strategies it recommends aren’t enforced? Well, according to a Federal News Network article, Eric Goldstein, the Executive Assistant Director for Cybersecurity for CISA, stated that CISA has plans to “release performance goals starting in October that will address individual risks of the various sectors.” It seems that there might be some muscle to back up the advisory.