CISA Alert AA20-205A – Take it Very Seriously, but Don’t Panic

Created: Tuesday, July 28, 2020 - 14:12
Categories:
Cybersecurity, General Security and Resilience, Security Preparedness

When the longest-serving (former) Director of the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) speaks, people listen, or at least they should. The “joint alert from the NSA and CISA about malicious activity targeting operational technology (OT) and critical infrastructure should be taken very seriously. Don’t be fooled — this isn’t a warning about the possibility of attacks. This is a warning that attacks have occurred and are ongoing as we speak,” wrote Marty Edwards in a recent post at Tenable.

The Alert (AA20-205A), NSA and CISA Recommend Immediate Actions to Reduce Exposure Across Operational Technologies and Control Systems, published late Thursday, states that over recent months cyber actors have demonstrated their continued willingness to conduct malicious cyber activity against critical infrastructure (CI) by exploiting internet-accessible operational technology (OT) assets. Some of the more common attack methods highlighted in the alert include spearphishing, ransomware, and unauthorized changes to PLC logic, among others. For utilities that may not know where to focus, those three areas (spearphishing, ransomware, and unauthorized changes to PLC logic) are salient and immediately actionable points of emphasis for securing OT environments. Despite some criticism that the alert lacks indicators of compromise (IoCs) or victim identification, NSA and CISA notably identify tactics, techniques, and procedures (TTPs), impacts, and mitigation strategies. Furthermore, the alert maps specific activity and impacts to the MITRE ATT&CK Framework (for Enterprise and ICS) for a consistent understanding of each tactic and its underlying techniques. While larger utilities likely have a long-functioning strategy for mitigating the most common threats highlighted in the alert, small to medium utilities should not delay in addressing these threats.

Furthermore, NSA and CISA guidance does not stop with a list of best practices for utilities to navigate alone. CISA has a robust catalog of no-cost resources (also included in today’s Security & Resilience Update) to help all critical infrastructure partners manage this and other risks.

The Alert (AA20-205A), NSA and CISA Recommend Immediate Actions to Reduce Exposure Across Operational Technologies and Control Systems, was provided to WaterISAC members Friday morning and can be read on the portal. Read more from Marty Edwards at Tenable.