Knowledge is Key – ICS Cyber Operation Counterintelligence

Author: Jennifer Walker

Created: Tuesday, March 24, 2020 - 18:45

Categories: Cybersecurity, General Security and Resilience

While most of the nation is working and learning remotely (hopefully at home) to stop the spread of COVID-19, it is up to critical infrastructure owners and operators to keep the water running, toilets flushing, heat and lights on, and the shelves stocked with critical supplies. While many utilities are finding the proper balance between social distancing and maintaining operations, cyber threat actors across all categories have stepped up their campaigns in hopes of capitalizing on the numerous distractions and our eagerness for greater situational awareness. It is especially important during this time that we do not waver in our resolve to keep our critical infrastructure facilities safe from more than just coronavirus. We must continue to understand the tactics, techniques, and procedures (TTPs) used by ICS-focused threat actors, including the reconnaissance activity, tools, and exploits used to compromise our critical facilities. It is important to know what the bad guys know about your facility, including publicly available information and the ICS products in use, and to remediate those vulnerabilities before they are exploited.

Industrial cybersecurity firm Dragos and cybersecurity firm FireEye have recently shared some resources to help owners and operators perform basic counterintelligence and keep our critical infrastructure resilient:

  • OSINT (open source intelligence) Primer (Dragos) – know what the bad guys know about your organization
  • Monitoring ICS Cyber Operation Tools and Software Exploit Modules to Anticipate Future Threats (FireEye) – a review of ICS-based attack tools that lower the barrier for cyber threat groups to attack OT infrastructure

Other important resources that provide more background on ICS-focused tools and threat actor groups:

  • MITRE ATT&CK for ICS Software List
  • Dragos’ Adversary Reports on Industrial Threat Activity Groups
