NSA and CISA Urge Action to Reduce Operational Technology Risk

September 9, 2020 Kevin Orr

The critical infrastructure that underpins our modern way of life continues to be under attack. The 2015 hack of Ukraine’s power grid brought this sobering reality into focus, and since then, threats have continued to grow in number and sophistication. In recent months, attackers doubled down on energy companies, water facilities, and more, often exploiting internet-connected operational technologies (OT) to reach into industrial control systems.

As a result, the U.S. National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) recently issued an alert recommending actions to reduce exposure across operational technologies and industrial control systems (ICS). It includes guidance on securing privileged credentials, which threat actors consistently target as part of critical infrastructure attacks.

By compromising privileged credentials (or stealing user identities with access that can become privileged) and gaining admin-level access to connected OT assets, attackers can disrupt critical services, corrupt OT and IT systems, wipe out endpoints and servers, and ultimately, put human lives in danger.

OT-IT Convergence and a Growing Attack Surface

So how is OT different than IT? OT comprises the hardware and software systems that monitor and control physical equipment and processes. These are highly specialized environments, complete with proprietary technology that is unfamiliar to most people beyond the operators and engineers working with them. OT systems are often “air-gapped” or segmented from outside networks for security and availability purposes. But as companies increase remote operations and outsource numerous tasks including equipment servicing and maintenance, connectivity becomes critical, and OT and IT technologies continue to converge.

This convergence can present numerous challenges, the first being that OT systems (many of which are decades old) were simply not designed to withstand today’s highly targeted attacks. As these systems become increasingly connected, the attack surface has expanded dramatically. The potential for nation-states or malicious insiders to steal or abuse privileged credentials to gain access to critical industrial control systems is a critical concern. Moreover, publicly available open source tools like Shodan and Kamerka can be used by attackers to conduct reconnaissance, pinpoint connected OT assets and map out their mission.

Privileged Access Risk: Spotlight on the Energy Sector

Privileged accounts, and the access they provide, represent one of the most significant security vulnerabilities critical infrastructure companies face today. While this is true for all 16 critical infrastructure sectors (as defined by the U.S. Department of Homeland Security), let’s explore some specific examples of privileged access risk in the energy sector. More specifically, in substations, the physical stations that transform voltage and either transmit or distribute power to designated areas of a region:

Remote Access to Substations

Substations are widely distributed around a region and are typically unattended. They rely on supervisory control and data acquisition (SCADA) for remote access, supervision and control. This requires connectivity. In the case of the Ukraine attack, threat actors opened breakers at 30 distribution substations. They did this by capturing privileged accounts from infected workstations, moving laterally through the IT environment, escalating privileges and setting up back doors to ensure persistence. Then, they used this elevated access to VPN from the IT environment into the OT environment, which was not properly air gapped.

Having a privileged access management (PAM) program in place to help protect against this type of risk is paramount. PAM is also an important security control to help ensure remote workers have only the necessary levels of access to OT machines and sensitive information to do their jobs — and nothing more — while enabling continuous visibility of all privileged activity and rapid response to anomalous behavior. (You can learn more about this in our recent blog post “Security for the Modern IT Environment.”)

Insecure Substation OT Devices

The OT equipment found in substations — including switchyards, switches, circuit breakers and transformers — are all created with a default security password, known as a standard PIN. This equipment is used for years, and often, the factory-issued standard PIN is never changed. Making matters worse, these PINs are easy to find through a quick Google search. Attackers know all of this. If they can gain access to a connected substation, they can easily abuse these hardcoded passwords to disable or corrupt critical OT devices and systems.

Five Steps for Protecting Privileged Access in OT Environments

While there is no silver bullet for OT cybersecurity, fundamental privileged access management controls can help protect against threats and dramatically reduce the impact of an attack.

The NSA and CISA offer guidance on securing identities and privileged credentials in OT environments. As part of a detailed mitigation strategy, they recommend critical infrastructure facilities “secure all required and approved remote access and user accounts” by following five steps:

1. Prohibit the use of default passwords on all devices, including controllers and OT equipment.

Our take: This should be the first thing you do after onboarding a new OT device in the environment. Same goes for the connected IoT devices in your home such as routers or printers — especially if you are working remotely.

2. Remove, disable or rename any default system accounts wherever possible, especially those with elevated privileges or remote access.

Our take: After you do this, identify the users that require privileged and/or remote access — or users that could become privileged under certain conditions — and implement strong controls that keep these users productive, but also secure.

3. Enforce a strong password security policy (e.g., length, complexity).

Our take: A significant part of effective enforcement is a strong and consistent approach to educating employees about cybersecurity risks and the fundamental importance of protecting passwords.

4. Require users to change passwords periodically, when possible.

Our take: Even better, take the onus off of the user by storing all privileged account passwords and credentials in an encrypted repository. Then automatically rotate these credentials based on policy to streamline admin and user workflows.

5. Enforce or plan to implement two-factor authentication for all remote connections.

Our take: Recently highlighted in our Twitter attack deconstruction, an account is more than 99.9% less likely to be compromised if MFA is in place. Mandating MFA should be table stakes.

The NSA and CISA also urge critical infrastructure facilities to “implement a continuous and vigilant system monitoring program” that enables anomaly detection. This can help organizations identify malicious cyber tactics like “living off the land,” where attackers abuse privileged access to gain network persistence, pose as authorized users and then utilize native tools or features existing in the OT environment to accomplish their mission.

As OT and IT systems become increasingly intertwined, critical infrastructure companies must make privileged access management a priority to combat highly organized, well-funded attackers. For more information on CyberArk’s approach to securing privileged access across OT environments, visit here.

Previous Article
Early Learning Coalition provides secure and agile access to its workforce with CyberArk Identity
Early Learning Coalition provides secure and agile access to its workforce with CyberArk Identity

ELC leverages CyberArk Identity for Single Sign-on, Multi-factor Authentication and Enterprise Mobility Man...

Next Article
CyberArk Blueprint for the Federal Government
CyberArk Blueprint for the Federal Government

Follow the CyberArk Blueprint frame to design and effective Identity Security implementation roadmap that c...