On the heels of a few high-profile cybersecurity breaches in the civilian sector comes a pointed operational technology/industrial control systems (OT/ICS) advisory published jointly by CISA and the NSA. Despite the bland title, “Control System Defense: Know the Opponent,” you get the sense that CISA has grown tired of ringing the control system cybersecurity bell since at least 2009. According to Tom Temin of the Federal News Network, though, protecting the software we rely upon has been on politicians’ minds since the ’90s.
OT/ICS assets that control critical infrastructure, from nuclear power plants to water treatment to the air conditioning in government facilities, have always been targets. With the merging of IT and OT/ICS over at least the past decade and a half, the attack surface of these critical systems has grown enormously.
It’s also critical that these systems keep running “despite the fact that many systems are decades old and use insecure protocols and architectures,” which requires nonstandard interface and protocol support, often while the vendors that made the equipment no longer exist.
It isn’t any secret that much of the United States’ critical-for-society-to-function infrastructure is out of date. Nor is it a secret that well-funded malicious actors are more than capable when it comes to disrupting critical sectors. We’ve seen the Russian attack on Ukraine’s electric grid and the 2017 NotPetya attack on Maersk that resulted in Los Angeles’ busiest port shutting down for two weeks.
Furthermore, design and device information are publicly available or easily obtained through job listings and interviews that specify certifications and equipment knowledge. Open-source intelligence (OSINT) also makes it simple to track down emails, names, software in use, or remote access points. Shodan is a fun tool.
Thankfully, CISA’s advisory doesn’t just point at the problem and say “hey, doesn’t that look terrible?” It also lays out the tactics, techniques, and procedures that many cyber actors use, along with mitigations. For anyone who remembers David Bianco’s Pyramid of Pain: Bianco explains that one of the most effective ways to thwart attackers is to disrupt their game plan. Make their tools and information useless so they’re back to square one.
But what’s the use of an advisory if the strategies it recommends aren’t enforced? Well, according to a Federal News Network article, Eric Goldstein, the Executive Assistant Director for Cybersecurity at CISA, stated that CISA plans to “release performance goals starting in October that will address individual risks of the various sectors.” It seems there might be some muscle to back up the advisory.
#CISA #ICS