Our new Biannual ICS Risk & Vulnerability Report is the most up-to-date look at CVEs disclosed in OT devices.
Check it out!
CISA to Critical Infrastructure: See Something, Say Something
By Grant Geyer | March 23, 2022
The White House, FBI, and CISA are ramping up their respective messaging around what they’re calling preparatory activity by Russia against U.S.-based critical infrastructure sectors. So-called lifeline sectors—identified by CISA as communications, transportation, water, energy, and financial services—have been warned by the government that reconnaissance efforts by Russia, including vulnerability and network scanning, have intensified. These could be precursors to potentially disruptive and damaging attacks, CISA said during a three-hour call with critical infrastructure owners and operators yesterday, available below.
CBS News, meanwhile, reported Tuesday that five U.S. energy companies were the focus of much of this activity, and that the FBI has communicated to 23 companies that it has traced network scanning to 140 Russia-linked IP addresses.
Electricity providers in Ukraine have been compromised and disrupted twice before by Russia, causing interruptions to power distribution in the country. The U.S. government has asked providers here—many of which are privately owned—to increase their vigilance around network monitoring and information sharing. Providers should have a low threshold for reporting incidents, CISA Director Jen Easterly said. Even mundane scanning should be reported, she said, in order for CISA and the FBI to connect similar activity from other sources that might indicate a larger campaign.
“Every business and entity should consider themselves at risk,” Easterly said, adding that financial services organizations are also high-priority targets for Russia in the wake of extensive economic sanctions imposed against Russia by the U.S. and its allies.
Have A Low Threshold for Information Sharing
CISA’s Shields Up program, initiated shortly after Russia’s Feb. 24 invasion of Ukraine, contains a catalog of freely available resources and tools that organizations may leverage, in particular smaller, less-resourced utilities that make up the bulk of providers nationwide.
A joint CISA, NSA, and FBI advisory released in January outlines in depth tactics, techniques, and procedures associated with a number of Russian state actors. That advisory should be the centerpiece of your intelligence as you monitor internal networks in the coming days and weeks for suspected malicious activity.
CISA also spoke directly to operators of OT networks and industrial control systems, asking managers to take note of unexpected equipment behaviors such as unexplained reboots of control systems, hardware, and software.
Russian actors also covet credentials to gain an initial network foothold and maintain persistence. Credentials should be secured with multifactor authentication, in particular those credentials protecting domains and Active Directory, which can be abused or lateral network movement. Easterly also stressed resilience in the face of Russia’s activity so far. Organizations, she said, should review incident response plans, identify crisis response teams, ensure availability of key personnel, and test backups, which are vital to recovery in the face of ransomware attacks.
OT environments should also test manual controls to ensure the uptime of critical services and functionality in the event of an IT compromise rendering that environment untrustworthy.
“We cannot stress the importance of reporting activity, even if it’s mundane scanning,” said CISA Deputy Executive Assistant Director for Cybersecurity, Matt Hartman. “The key is to report quickly. Even a trivial anomaly could be a key indicator of an emerging campaign.”
Be Vigilant About Asset Visibility, Secure Remote Access
Claroty has been monitoring the conflict for attacks and disruptions to critical infrastructure sectors, including wiper malware attacks carried out against Ukrainian government agencies prior to Russia’s invasion. It’s important to note that previous Russian malware attacks, such as NotPetya, have spread beyond intended targets. NotPetya, for example, was disguised as ransomware attack but instead spread malware that compromised machines at the hardware level rendering them inoperable.
A separate wiper malware attack in January called WhisperGate was followed by a number of distributed denial-of-service (DDoS) attacks against agencies and financial institutions in Ukraine, disrupting services and business. Claroty reinforces the need for visibility into network activity, in particular where IT and OT networks converge and automation processes may be impacted by attacks against Windows-based engineering workstations, for example. These machines are used to program logic downloaded to industrial control systems such as PLCs.
We also stress the need to monitor and secure remote connections to internet-facing systems, especially human-machine interfaces (HMIs) that may be connected for support and maintenance reasons. These connections must be monitored, audited, and actively disconnected at the first sign of malicious activity.
It’s also important to include ICS project files among your backup procedures. Critical to recovery from any malware incident—ransomware in particular—backups should be regularly scheduled, and critical files stored offline and physically offsite.
Project files are crucial pieces of intellectual property. They usually take the form of archive file formats that contain OLE files, SQLite databases, proprietary binary formats, text files, and directories created within engineering workstations. These programs are used by engineers to monitor, configure, and communicate with programmable logic controllers (PLCs) and other control systems. The program logic contained in a project file governs ICS devices and oversees processes, and it also may include network configuration data and—at times—a complete OT network layout.