On Thursday, July 23rd the NSA and CISA issued an urgent joint cybersecurity advisory (Alert AA20-205A) to all critical infrastructure and services operations that rely upon OT systems to deliver core services. Jointly, two US government entities with the greatest visibility into system attack surfaces and exploitation in the wild have issued recommendations that corresponding operations act with urgency to rapidly assess and manage the holistic set of security exposures placing such environments at risk.
An Overview of “The Perfect Storm”
Their recommendations for immediate action are based on the following factors that contribute to what they describe as a “perfect storm”.
- Attacks are on the rise. Attacks executed by sophisticated actors, script kiddies, and everyone in between are on the rise. Though only a subset of such attacks have been publicized, the attacks and corresponding advisories brought to light in recent months highlight this escalation.
- July 2020 – Attack on Israel’s water facilities
- February 2020 – CISA advisory re: IT-based attack that pivoted into oil and gas OT infrastructure
- November 2019 – An attack against a Utah-based renewable energy provider that involved the exploitation of known vulnerabilities in Cisco network infrastructure.
- Exposures are public. The opportunity to identify Internet connected and exploitable OT systems is easier than ever, particularly through the use of publicly available solutions like Shodan and Kamerka.
- More Vulnerable Devices. The ever-growing number of disclosures regarding the vulnerable state of OT and IoT devices across industrial landscapes has clearly exposed a massive attack surface facing all industrial operations.
- This attack surface is inclusive of the IoT and IT devices that are often interconnected in support of digital transformation requirements, remote work and support needs, and in general, enabling informed business decisions by getting as close to relevant key indicators as possible.
- Exploiting OT systems is easier than ever. Common exploit frameworks such as Metasploit now offer an extensive list of exploits that can be rapidly executed against vulnerable devices through little more than “clicks”. This is not to mention the weaponized exploits available for sale and rent on the dark web, nor the sophisticated capabilities developed by the likes of the adversaries behind Triton, malware targeting safety systems in industrial environments.
- New Triton Alert. Speaking of Triton, on the same day (July 23rd), ICS-CERT announced a new set of vulnerabilities affecting the “Schneider Electric Triconex TriStation and Tricon Communication Module”. These flaws exist in the same safety systems targeted by Triton and it’s fair to assume that the adversaries behind this active and highly dangerous malware focused on disrupting production, or worse, loss of life outcomes are rapidly expanding their capabilities (or already have) to make their malware more effective.
- If combined with the exploitation of other known vulnerabilities (such as CDPwn, affecting most Cisco network devices and largely unpatched by most organizations), this could further increase the likelihood for a successful and destructive event.
- No signs of slowing. Adversaries are not only showing no signs of slowing down in light of the global pandemic but if anything, they are on the rise and with a greater potential for a material impact. This is not only because many organizations may be less equipped to effectively identify and respond to an attack remotely, which observing local, state, federal and company policy, but also because supply chain weaknesses have been highlighted for all to see.
NSA and CISA Recommendations
The joint entities have issued a number of detailed recommendations to help OT operations:
- Establish a baseline understanding of the environment and its current risks.
- Reduce existing risks to an acceptable level (replace devices, eliminate Internet connectivity, disable non-required services, securely configure misconfigured devices, patch where possible, etc.)
- Implement the controls required to continuously monitor the environment and identify changes in risk and to identify and enable the ability to understand and respond to active compromise with the potential to disrupt OT systems and related services.
- Continuously monitor for changes to the environment that grow risk beyond the acceptable level,
- and to ensure the ability to quickly detect and respond to attacks with the potential to impact critical OT operations.
Their specific recommendations are categorized as follows:
- Have a Resilience Plan for OT
- Exercise your Incident Response Plan
- Harden Your Network
- Create an Accurate “As-operated” OT Network Map Immediately
- Understand and Evaluate Cyber-risk on “As-operated” OT Assets
- Implement a Continuous and Vigilant System Monitoring Program
How Does Armis Help Our Customers Execute on These Recommendations?
First and foremost, we help our customers identify every single device in their OT and overall environment, whether it’s communicating over wire, wireless or over the air. This agentless, passive and continuous discovery capability ensures that our customers have a complete view of every device – OT, IT, and IoT.
Not only do we provide insights into every make, model, hostname and much more for every device in the environment, we also provide insights into how devices are communicating with other devices in the detail expected by IT and OT teams alike. This includes data flow maps and raw communication details for IT and Perdue model visualizations and overviews for OT.
Once all of the devices are identified and their behaviors normalized and compared against our Device Knowledgebase tracking over 280 million devices and corresponding behaviors, we provide visibility into known vulnerabilities and risks exposing the device and environment to potential exploitation. Our continuous and real-time yet passive visibility also enables our customers to rapidly detect and respond to active attacks, both manually or automatically. This includes being able to rapidly contain attacks by isolating compromised devices through integrations with network solutions such as NAC or even switches.
The sheer level of visibility offered to our customers and spanning IT, IoT, and OT also ensures that response, resiliency, and network hardening plans can be established and executed effectively and with the greatest impact in the shortest period of time. Without the level of visibility that solutions like Armis provide, any such plans will only be partially complete and may not align with executive expectations around truly understanding and managing this risk.
Lastly, delivering on the need for a “Continuous and Vigilant System Monitoring Program” cannot be accomplished using traditional security solutions and capabilities in an OT environment. Only modern security solutions built to continuously assess for, alert on, and enable a response to elevated risks, highly anomalous behavior, and active compromise based on the context around how all forms of devices operate in an environment will achieve this outcome.
Armis is here to help our customers achieve each of the recommendations outlined by the NSA and CISA, quickly.
The Risk of Doing Nothing
Beyond the fact that we rarely see broadly impacting advisories with the call for immediate action to avoid catastrophic events with the potential for loss of life outcomes, it’s important to consider this situation from another perspective as well.
Imagine for a moment that 12 months from now, an industrial operation and its OT systems are systematically compromised, leading to extensive outages, potential loss of life within one or more locations, a significant loss of current and future revenue, massive brand impacts and corresponding campaigns to improve this image, extensive response and recovery costs, as well as other related expenses and hits to revenue forecasts of at least 8 figures.
When filing a corresponding cyber insurance claim, the enterprise may face another challenge. If the enterprise failed to act upon the direct recommendations by the NSA and CISA to better understand and manage OT risks within their environment, what is the likelihood that the insurance provider will be willing to pay the claim? The likelihood of payment should be expected to reduce exponentially with every passing month before remediation plans are developed and efforts begin. In turn, enterprises should consider not only the immediate potential for costly impact to operations but also the inability to defer expenses in the event that operations are impacted by a bad actor.