It's rare that an intelligence agency provides risk-management guidance to an entire sector, but last week—for the second time in less than a year—the National Security Agency (NSA) did just that for operational technology (OT).
Recognizing the rapidly increasing connectivity of OT and IT systems, the NSA published a cybersecurity advisory describing how organizations can evaluate the risk of connecting industrial networks to IT, while also listing out a half-dozen ways to improve the resilience of the resulting connected networks.
Last July was the first such advisory from NSA, which partnered with the Cybersecurity and Infrastructure Security Agency (CISA) on a joint advisory in response to a growing number of attacks targeting industrial networks. That advisory laid out adversary tactics, impacts of attacks, and mitigation strategies that included the need for resilience, incident response, and hardening networks against remote attacks, among other advice.
While last week's NSA advisory was crafted with government agencies and the defense industrial base in mind, its advice applies across industries. The agency singled out "stagnant" OT assets and control systems that are prevalent on connected networks, many of which are no longer supported with security and feature updates.
"Without direct action to harden OT networks and control systems against vulnerabilities introduced through IT and business network intrusions, OT system owners and operators will remain at indefensible levels of risk," the advisory says.
Evaluating Connectivity Risks vs. Rewards
As ransomware and supply-chain attacks continue to pose significant risk to disrupt enterprise networks, IT/OT connectivity threatens to expand that risk to industrial devices and processes. Attackers who are successful in attacking Windows-based machines that manage the industrial control systems (ICS) that oversee field devices and higher levels on the Purdue Model can drastically impact shop floor operations or the delivery of critical infrastructure services.
A successful compromise of a Windows-based engineering workstation, for example, could enable a threat actor to change or halt process logic, send malicious commands that result in code execution, or cause denial-of-service conditions. Engineering workstations are designed to allow engineers and operators to configure and manage control-system applications and equipment. These are reliable, powerful machines that store documentation essential to plant operations, known as project files. The ability of an EWS to directly connect to and communicate with programmable logic controllers (PLCs), intelligent electronic devices (IEDs) in utilities, and safety-instrumented systems (SIS), for example, also make EWS a ground zero for ransomware and extortion attacks.
The NSA's most recent guidance includes what it calls a "pragmatic evaluation methodology" to evaluate the risk of connecting IT and OT networks, which are quickly becoming the status quo over traditional air-gapped machines. Primarily, the NSA asks decision makers and OT operators to evaluate the value of IT/OT connectivity against the risks.
The value of convergence is largely understood, with efficiencies such as the use of existing IT expertise and tools for system monitoring and centralized updates primarily among them. Those potential benefits, NSA says, must be weighed against potential loss of process control and the risk to human life if safety systems fail. Loss of revenue from downtime must also be a consideration.
There are also technology-investment considerations that must be taken into account in order to properly and securely segment networks, additional licensing costs, system and hardware upgrades if necessary, and any additional workforce that may be needed.
The NSA guidance also includes a number of cybersecurity-specific recommendations, many of which are considered basic blocking-and-tackling techniques that are well implemented in IT security. Extending those to connected IT/OT networks are just as vital moving forward.
The recommendations start with authentication and access control, two critical security controls that can help stem a number of threats, including unauthorized access to networks and systems, and preventing lateral network movement. NSA recommends they also be extended to the supply chain, with logging for all third-party vendor connections, for example, and providing alerting for any anomalies.
Secure remote access to OT networks is also an imperative, NSA says, as are tools that provide visibility into networked OT assets. Topographical and physical network mapping and inventorying are specifically called out by NSA. NSA also urges organizations to create a gold-copy of all OT networks and devices to ensure business continuity in the event of a catastrophic failure, for example, from a ransomware attack.
"While OT systems rarely require outside connectivity to properly function, they are frequently connected for convenience without proper consideration of the true risk and potential adverse business and mission consequences," NSA said in its advisory. "Taking action now can help improve cybersecurity and ensure mission readiness."
Recommendations
NSA's guidance acknowledges that threat actors may be able to influence production on industrial networks by, for example, compromising the Windows-based machines managing industrial control systems. A successful exploit of a vulnerable server or endpoint could disrupt industrial processes or crash critical systems, regardless of industry.
As more IT and OT networks are integrated, security must be a top-line consideration. As NSA points out, visibility into network activity, including unpatched CVEs, is a mandate. Organizations must understand what assets are running on their industrial networks, and be able to assess their risk posture. Doing so centrally from a converged SOC, for example, is a massive advantage as analysts would be able to enrich industrial networks with information and intelligence about current threats.
Visibility into remote connections is also crucial, in particular as remote workforces appear to be the norm for the immediate future. Secure remote access must include logging and auditing of connections, and the ability to sever those remote connections if malicious activity is detected.
In the meantime, basic security hygiene remains job No. 1. Enterprises would do well to adhere to guidance that requires authentication, encrypted connections to assets, and secure management of the supply chain. A current and available offline backup is also a must in an environment where extortion attacks such as ransomware don't seem to be abating.
