Foreign rogue nation-state threat actors are targeting critical infrastructure in the U.S., according to the White House report involving the National Security Agency (NSA) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
The threat actors are targeting internet-connected operational technology (OT) in the United States defense systems. Cyber threats originating from state-sponsored actors were also targeting critical infrastructures such as electricity, water, and gas. Consequently, the NSA and CISA directed the owners and operators to take immediate action to secure the systems.
Ransomware cyber threat targeting the U.S. critical infrastructure
The agencies warned that “the increase in adversary capabilities and activity, the criticality to U.S. national security and the vulnerability of OT systems, civilian infrastructure makes attractive targets for foreign actors.”
The NSA and CISA noted that OT assets are present in the Department of Defense systems and also in the defense industrial base sector. Their use is prominent in most critical areas including in the national security systems. The agencies say the use of such systems is necessary because of the increased demand for a decentralized workforce. However, their use opens an attack landscape while increasing monitoring complexities because of the pervasive nature of the systems.
The DHS indicated there was strong evidence of a cyber threat involving the use of email spear phishing tactics to infiltrate critical infrastructure networks through OT assets. Additionally, there are persistent efforts to conduct ransomware attacks on critical infrastructure. A ransomware cyber threat is particularly concerning because of its disruptive nature and ability to leak sensitive information.
In February, CISA released a report describing a ransomware attack on a natural gas compression facility, which led to the shutdown of operations on the facility.
A similar cyber threat was blocked in May targeting critical infrastructure on an Israeli water system, according to CyberScoop. Authorities said the attack was highly organized and synchronized.
Nilesh Dherange, CTO of Gurucul, reiterated that the cyber threat was real.
“The most recent NSA and CISA alerts are directed at Government assets, but they are valid warnings for any organization that has internet-facing systems. They offer solid advice that applies to any size of the operation and reiterates recommendations the Information Security community has been giving for years.”
Mitigating threats on critical infrastructure
The NSA and CISA advised organizations to create a resilience plan for the OT assets. The plan involves the creation of a manual process to restart industrial control systems after an attack takes place. They also recommended having a system monitoring process in place to monitor the cybersecurity state of the critical infrastructure concerning cyber threats. Because of the increased risks facing essential services, the agencies advised organizations to remain ahead of the cyber threat operators by being proactive.
Organizations should also create an incident response plan to anticipate new methods that hackers may deploy. This should include collaboration between organizations and CISA in the creation of organizational cybersecurity plans.
Operators should also harden their networks by restricting access to OT networks, and to carry regular tests to discover vulnerable OT devices within their networks.
Dherange summed up the list of measures that the operators of critical infrastructure should adopt.
“In a nutshell: Have resiliency, business continuity, and response plans in place and exercise them. Understand and document your environment, your likely adversaries, and how they will probably attack so you can harden appropriately. Make sure personnel are trained and equipped to resist the expected attack vectors and mitigate them after a breach.
Evan Dornbush, CEO and Founder of Point3 Security, says the cyber threat was critical, and therefore, operators should heed the advice.
“If the NSA is coming out of the shadows to speak up in a joint alert with CISA, you want to listen and take action. What is most helpful is that the advisory shares a list of tools attackers are using to identify targets. Seeing what the attacker sees allows your cybersecurity team to prioritize your defensive actions. The Advisory goes further still, offering a robust set of recommendations for executing a response strategy.”