www.cisa.gov
Open in
urlscan Pro
2a02:26f0:6c00:297::447a
Public Scan
Submitted URL: https://us-cert.cisa.gov/ncas/alerts/aa20-205a
Effective URL: https://www.cisa.gov/uscert/ncas/alerts/aa20-205a
Submission: On December 28 via api from US — Scanned from DE
Effective URL: https://www.cisa.gov/uscert/ncas/alerts/aa20-205a
Submission: On December 28 via api from US — Scanned from DE
Form analysis 3 forms found in the DOM
GET https://search.us-cert.gov/search
<form accept-charset="UTF-8" action="https://search.us-cert.gov/search" class="hidden-xs searchbox" method="get"><input name="utf8" type="hidden" value="✓"><input id="affiliate-desktop" name="affiliate" type="hidden" value="us-cert">
<div class="form-group"><label class="sr-only" for="query-desktop">Enter Search Terms(s):</label>
<div class="input-group"><input autocomplete="off" class="form-control form-control-custom input-lg" id="query-desktop" name="query" placeholder="Search" type="text">
<div class="input-group-addon input-group-addon-custom"><button class="submit input-lg"><img alt="search icon" data-entity-type="" data-entity-uuid="" src="/sites/default/files/cert/search-icon.png" title="search icon"></button></div>
</div>
</div>
</form>GET https://search.us-cert.gov/search
<form accept-charset="UTF-8" action="https://search.us-cert.gov/search" class="hidden-lg hidden-md searchbox" method="get"><input name="utf8" type="hidden" value="✓"><input id="affiliate-mobile" name="affiliate" type="hidden" value="us-cert">
<div class="form-group"><label class="sr-only" for="query-mobile">Enter Search Terms(s):</label>
<div class="input-group"><input autocomplete="off" class="form-control form-control-custom input-lg" id="query-mobile" name="query" placeholder="Search" type="text">
<div class="input-group-addon input-group-addon-custom"><button class="submit input-lg"><img alt="search icon" data-entity-type="" data-entity-uuid="" src="/sites/default/files/cert/search-icon.png" title="search icon"></button></div>
</div>
</div>
</form>https://public.govdelivery.com/accounts/USDHSCISA/subscribers/qualify
<form action="https://public.govdelivery.com/accounts/USDHSCISA/subscribers/qualify"><label class="visually-hidden" for="email-address-field">Enter your email address</label> <input class="signup-form" id="email-address-field" name="email"
placeholder=" Enter your email address" title="Enter your email address" type="text"><br><input class="btn btn-primary" name="submit" title="Sign up for alerts" type="submit" value="Sign Up"> </form>Text Content
Skip to main content
An official website of the United States government Here's how you know
Official websites use .gov
A .gov website belongs to an official government organization in the United
States.
Secure .gov websites use HTTPS A lock () or https:// means you've safely
connected to the .gov website. Share sensitive information only on official,
secure websites.
Enter Search Terms(s):
CISA.gov Services Report
--------------------------------------------------------------------------------
Toggle navigation
Enter Search Terms(s):
CISA.gov
Services
Report
CERTMAIN MENU
* Alerts and Tips
* Resources
* Industrial Control Systems
* Report
--------------------------------------------------------------------------------
TLP:WHITE
TLP:WHITE
1. National Cyber Awareness System >
2. Alerts >
3. NSA and CISA Recommend Immediate Actions to Reduce Exposure Across
Operational Technologies and Control Systems
More Alerts
ALERT (AA20-205A)
NSA AND CISA RECOMMEND IMMEDIATE ACTIONS TO REDUCE EXPOSURE ACROSS OPERATIONAL
TECHNOLOGIES AND CONTROL SYSTEMS
Original release date: July 23, 2020 | Last revised: October 24, 2020
SUMMARY
Note: This Activity Alert uses the MITRE Adversarial Tactics, Techniques, and
Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise and ATT&CK
for Industrial Control Systems frameworks for all referenced threat actor
techniques and mitigations.
Over recent months, cyber actors have demonstrated their continued willingness
to conduct malicious cyber activity against critical infrastructure (CI) by
exploiting internet-accessible operational technology (OT) assets.[1(link is
external)] Due to the increase in adversary capabilities and activity, the
criticality to U.S. national security and way of life, and the vulnerability of
OT systems, civilian infrastructure makes attractive targets for foreign powers
attempting to do harm to U.S. interests or retaliate for perceived U.S.
aggression. OT assets are critical to the Department of Defense (DoD) mission
and underpin essential National Security Systems (NSS) and services, as well as
the Defense Industrial Base (DIB) and other critical infrastructure. At this
time of heightened tensions, it is critical that asset owners and operators of
critical infrastructure take the following immediate steps to ensure resilience
and safety of U.S. systems should a time of crisis emerge in the near term. The
National Security Agency (NSA) along with the Cybersecurity and Infrastructure
Security Agency (CISA) recommend that all DoD, NSS, DIB, and U.S. critical
infrastructure facilities take immediate actions to secure their OT assets.
Internet-accessible OT assets are becoming more prevalent across the 16 U.S. CI
sectors as companies increase remote operations and monitoring, accommodate a
decentralized workforce, and expand outsourcing of key skill areas such as
instrumentation and control, OT asset management/maintenance, and in some cases,
process operations and maintenance. Legacy OT assets that were not designed to
defend against malicious cyber activities, combined with readily available
information that identifies OT assets connected via the internet (e.g.,
Shodan,[2(link is external)] Kamerka [3(link is external)]), are creating a
“perfect storm” of 1) easy access to unsecured assets, 2) use of common,
open-source information about devices, and 3) an extensive list of exploits
deployable via common exploit frameworks [4(link is external)] (e.g.,
Metasploit,[5(link is external)] Core Impact,[6(link is external)] and Immunity
Canvas [7(link is external)]). Observed cyber threat activities can be mapped to
the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) for
Industrial Controls Systems (ICS) framework.[8] It is important to note that
while the behavior may not be technically advanced, it is still a serious threat
because the potential impact to critical assets is so high.
Click here for a PDF version of this report.
TECHNICAL DETAILS
RECENTLY OBSERVED TACTICS, TECHNIQUES, AND PROCEDURES
* Spearphishing [T1192] to obtain initial access to the organization’s
information technology (IT) network before pivoting to the OT network.
* Deployment of commodity ransomware to Encrypt Data for Impact [T1486] on both
networks.
* Connecting to Internet Accessible PLCs [T883] requiring no authentication for
initial access.
* Utilizing Commonly Used Ports [T885] and Standard Application Layer Protocols
[T869], to communicate with controllers and download modified control logic.
* Use of vendor engineering software and Program Downloads [T843].
* Modifying Control Logic [T833] and Parameters [T836] on PLCs.
IMPACTS
* Impacting a Loss of Availability [T826] on the OT network.
* Partial Loss of View [T829] for human operators.
* Resulting in Loss of Productivity and Revenue [T828].
* Adversary Manipulation of Control [T831] and disruption to physical
processes.
MITIGATIONS
HAVE A RESILIENCE PLAN FOR OT
Since the Ukraine cyberattack of 2015 organizations must assume in their
planning of not only a malfunctioning or inoperative control system, but a
control system that is actively acting contrary to the safe and reliable
operation of the process. Organizations need an OT resilience plan that allows
them to:
* Immediately disconnect systems from the Internet that do not need internet
connectivity for safe and reliable operations. Ensure that compensating
controls are in place where connectivity cannot be removed.
* Plan for continued manual process operations should the ICS become
unavailable or need to be deactivated due to hostile takeover.
* Remove additional functionality that could induce risk and attack surface
area.
* Identify system and operational dependencies.
* Restore OT devices and services in a timely manner. Assign roles and
responsibilities for OT network and device restoration.
* Backup “gold copy” resources, such as firmware, software, ladder logic,
service contracts, product licenses, product keys, and configuration
information. Verify that all “gold copy” resources are stored off-network and
store at least one copy in a locked tamperproof environment (e.g., locked
safe).
* Test and validate data backups and processes in the event of data loss due to
malicious cyber activity.
EXERCISE YOUR INCIDENT RESPONSE PLAN
In a state of heightened tensions and additional risk and exposure, it is
critical to have a well-exercised incident response plan that is developed
before an incident.
* Conduct a tabletop exercise, including executive personnel, to test your
existing incident response plan.
* Be sure to include your public affairs and legal teams in your exercise in
addition to your IT, OT, and executive management.
* Discuss key decisions points in the response plan and identify who has the
authority to make key decisions under what circumstances.
* Ensure your plan takes into account a scenario inclusive of the TTPs above
and where the control system is actively operating counter to safe and
reliable operations.
* Partner with third parties for support. Review service contracts and
government services for emergency incident response and recovery support.
HARDEN YOUR NETWORK
* Remote connectivity to OT networks and devices provides a known path that can
be exploited by cyber actors. External exposure should be reduced as much as
possible.
* Remove access from networks, such as non-U.S. IP addresses, if applicable,
that do not have legitimate business reasons to communicate with the system.
* Use publicly available tools, such as Shodan, to discover internet-accessible
OT devices. Take corrective actions to eliminate or mitigate
internet-accessible connections immediately. Best practices include:
* Fully patch all Internet-accessible systems.
* Segment networks to protect PLCs and workstations from direct exposure to
the internet. Implement secure network architectures utilizing
demilitarized zones (DMZs), firewalls, jump servers, and/or one-way
communication diodes.
* Ensure all communications to remote devices use a virtual private network
(VPN) with strong encryption further secured with multifactor
authentication.
* Check and validate the legitimate business need for such access.
* Filter network traffic to only allow IP addresses that are known to need
access, and use geo-blocking where appropriate.
* Connect remote PLCs and workstations to network intrusion detection systems
where feasible.
* Capture and review access logs from these systems.
* Encrypt network traffic preferably using NIAP-validated VPN products and/or
CNSSP- or NIST-approved algorithms when supported by OT system components
to prevent sniffing and man-in-the-middle tactics. Available at:
https://niap-ccevs.org.
* Use the validated inventory to investigate which OT devices are
internet-accessible.
* Use the validated inventory to identify OT devices that connect to business,
telecommunications, or wireless networks.
* Secure all required and approved remote access and user accounts.
* Prohibit the use of default passwords on all devices, including controllers
and OT equipment.
* Remove, disable, or rename any default system accounts wherever possible,
especially those with elevated privileges or remote access.
* Enforce a strong password security policy (e.g., length, complexity).
* Require users to change passwords periodically, when possible.
* Enforce or plan to implement two-factor authentication for all remote
connections.
* Harden or disable unnecessary features and services (e.g., discovery
services, remote management services, remote desktop services, simulation,
training, etc.).
CREATE AN ACCURATE “AS-OPERATED” OT NETWORK MAP IMMEDIATELY
An accurate and detailed OT infrastructure map provides the foundation for
sustainable cyber-risk reduction.
* Document and validate an accurate “as-operated” OT network map.
* Use vendor-provided tools and procedures to identify OT assets.
* Use publicly available tools, such as Wireshark,[9] NetworkMiner,[10(link
is external)] GRASSMARLIN,[11(link is external)] and/or other passive
network mapping tools.
* Physically walk down to check and verify the OT infrastructure map.
* Create an asset inventory.
* Include OT devices assigned an IP address.
* Include software and firmware versions.
* Include process logic and OT programs.
* Include removable media.
* Include standby and spare equipment.
* Identify all communication protocols used across the OT networks.
* Use vendor-provided tools and procedures to identify OT communications.
* Use publicly available tools, such as Wireshark,[9] NetworkMiner,[10(link
is external)] GRASSMARLIN,[11(link is external)] and/or other passive
network mapping tools.
* Investigate all unauthorized OT communications.
* Catalog all external connections to and from the OT networks.
* Include all business, vendor, and other remote access connections.
* Review service contracts to identify all remote connections used for
third-party services.
UNDERSTAND AND EVALUATE CYBER-RISK ON “AS-OPERATED” OT ASSETS
Informed risk awareness can be developed using a variety of readily available
resources, many of which include specific guidance and mitigations.
* Use the validated asset inventory to investigate and determine specific
risk(s) associated with existing OT devices and OT system software.
* Vendor-specific cybersecurity and technical advisories.
* CISA Advisories [12].
* Department of Homeland Security – Cybersecurity and Infrastructure Security
Agency Cyber Security Evaluation Tool [13].
* MITRE Common Vulnerabilities and Exposures (CVE) for both Information
Technology and OT devices and system software [14]. Available at
https://cve.mitre.org.
* National Institute of Standards and Technology – National Vulnerability
Database [15]. Available at https://nvd.nist.gov.
* Implement mitigations for each relevant known vulnerability, whenever
possible (e.g., apply software patches, enable recommended security controls,
etc.).
* Audit and identify all OT network services (e.g., system discovery, alerts,
reports, timings, synchronization, command, and control) that are being used.
* Use vendor provided programming and/or diagnostic tools and procedures.
IMPLEMENT A CONTINUOUS AND VIGILANT SYSTEM MONITORING PROGRAM
A vigilant monitoring program enables system anomaly detection, including many
malicious cyber tactics like “living off the land” techniques within OT systems.
* Log and review all authorized external access connections for misuse or
unusual activity.
* Monitor for unauthorized controller change attempts.
* Implement integrity checks of controller process logic against a known good
baseline.
* Where possible, ensure process controllers are prevented from remaining in
remote program mode while in operation.
* Lock or limit set points in control processes to reduce the consequences of
unauthorized controller access.
CONTACT INFORMATION
CISA
CISA encourages recipients of this report to contribute any additional
information that they may have related to this threat. For any questions related
to this report, please contact CISA at
* 1-888-282-0870 (From outside the United States: +1-703-235-8832)
* CISAServiceDesk@cisa.dhs.gov(link sends email)
CISA(link sends email) encourages you to report any suspicious activity,
including cybersecurity incidents, possible malicious code, software
vulnerabilities, and phishing-related scams. Reporting forms can be found at
http://www.us-cert.gov/.
CISA strives to make this report a valuable tool for our partners and welcomes
feedback on how this publication could be improved. You can help by answering a
few short questions about this report at the following URL:
https://www.us-cert.gov/forms/feedback.
NSA CYBERSECURITY
Client Requirements / General Cybersecurity Inquiries: Cybersecurity
Requirements Center, 410-854-4200, Cybersecurity_Requests@nsa.gov(link sends
email)
Media inquiries / Press Desk: 443-634-0721, MediaRelations@nsa.gov(link sends
email)
REGISTERED TRADEMARKS
* Shodan is a registered trademark of Shodan Limited Liability Company.
* Metasploit is a registered trademark of Rapid7 Limited Liability Company.
* Core Impact is a registered trademark of Help/Systems, Limited Liability
Company.
* Canvas is a registered trademark of Immunity Products, Limited Liability
Company.
* MITRE is a registered trademark of The MITRE Corporation.
* ATT&CK is a registered trademark of The MITRE Corporation.
* Wireshark is a registered trademark of Wireshark Foundation, Inc.
DISCLAIMER OF ENDORSEMENT
The information and opinions contained in this document are provided "as is" and
without any warranties or guarantees. Reference herein to any specific
commercial product, process, or service by trade name, trademark, manufacturer,
or otherwise, does not constitute or imply its endorsement, recommendation, or
favoring by the United States Government, and this guidance shall not be used
for advertising or product endorsement purposes.
REFERENCES
[1] Lyngaas, S. Israeli official confirms attempted cyberattack on water
system…(link is external)
[2] Shodan(link is external)
[3] Kamerka(link is external)
[4] Fireeye (2020).Monitoring ICS Cyber Operation Tools and Software Exploit
Mo…(link is external)
[5] Metasploit(link is external)
[6] Core Impact(link is external)
[7] Immunity CANVAS(link is external)
[8] MITRE ATT&CK for Industrial Control Systems
[9] Wireshark
[10] NetworkMiner(link is external)
[11] GRASSMARLIN(link is external)
[12] CISA Advisories
[13] CISA Cyber Security Evaluation Tool
[14] MITRE Common Vulnerabilities and Exposures
[15] National Institute of Standards and Technology National Vulnerability Data…
REVISIONS
July 23, 2020: Initial Version
This product is provided subject to this Notification and this Privacy & Use
policy.
Please share your thoughts.
We recently updated our anonymous product survey; we'd welcome your feedback.
CONTACT US
(888)282-0870
Send us email(link sends email)
Download PGP/GPG keys
Submit website feedback
SUBSCRIBE TO ALERTS
Receive security alerts, tips, and other updates.
Enter your email address
HSIN
Report
--------------------------------------------------------------------------------
Home Site Map FAQ Contact Us Traffic Light Protocol PCII
Accountability Disclaimer Privacy Policy FOIA No Fear Act
AccessibilityPlain WritingPlug-ins Inspector General The White House
USA.gov
CISA is part of the Department of Homeland Security