28 Jul 2020 NSA/CISA AA20-205A Alert Analysis
The NSA & CISA have jointly issued a (long) alert with advice for securing OT equipment in critical infrastructures (CI). The focus of the alert is OT equipment that’s directly accessible from the Internet, with a secondary emphasis on indirectly-accessible equipment, which includes just about everything else. By section, the alert says, very roughly:
- We’re in trouble,
- Have a plan to keep operating when hacked,
- Run “oh no we are hacked” practice scenarios,
- Lock everything down – especially stuff on the Internet,
- Do an inventory – to find out what’s on the Internet,
- Patch what you can, and
The surprises are in the details. Half the alert is focused on critical infrastructure equipment that is right out on the Internet, meaning the main audience for the alert is CI providers who are “starting from zero.” The advice to these providers is “you will be hacked” and “put a plan together to keep the lights on & clean water in the pipes when you are hacked.” How? Plan to operate the infrastructure manually. This buys time to erase everything that was hacked and rebuild computerized operations. Noteworthy: this is the first time I have seen this advice in documentation from U.S. authorities.
The advice also says to carry out at least a management-level, table-top “we are hacked” exercise. Such an exercise helps enormously to get started on the basics of a security program. The exercise helps answer questions like “who makes which decisions?” and “who can we call on to help?” This differs from most incident response advice, which is very technical.
Keeping with the “starting from zero” approach, the alert advises us to carry out an as-operated asset inventory. It sounds boring, but think about it – we have no hope of locking down Internet-exposed gear if we have no idea where that gear is or how it’s connected. So, inventory everything. It is dangerous to have our attackers know our networks better than we do, not to mention embarrassing.
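As an added example (not from the alert or from this post), here is a first pass over an as-operated inventory that sorts each asset into directly Internet-reachable, indirectly reachable, or unknown. The CSV column names, the `forwarded_from` field and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress

# Address space treated as internal: RFC 1918, loopback, link-local, IPv6 ULA.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "::1/128", "fe80::/10")]

# Constructed sample inventory. 203.0.113.0/24 (a documentation range) stands
# in for public addresses; the column names are assumptions of this example.
SAMPLE_INVENTORY = """asset,ip,forwarded_from,role
plc-pump-01,203.0.113.10,,PLC
hmi-plant-02,10.20.1.15,203.0.113.44,HMI
rtu-valve-07,10.20.3.8,,RTU
historian-01,,,Historian
eng-ws-03,not-recorded,,Engineering workstation
"""

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def classify(row):
    """Return (exposure, reason) for one inventory row."""
    raw = (row.get("ip") or "").strip()
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        # A missing or garbled address is an inventory gap, not a safe asset.
        return "unknown", f"no usable address recorded ({raw!r})"
    if not is_internal(addr):
        return "direct", f"{addr} is outside internal address space"
    fwd = (row.get("forwarded_from") or "").strip()
    if fwd:
        return "direct", f"internal {addr} is published via {fwd}"
    return "indirect", f"{addr} is internal only"

def review(csv_text):
    """Group assets by exposure; 'direct' and 'unknown' need attention first."""
    findings = {"direct": [], "unknown": [], "indirect": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        exposure, reason = classify(row)
        findings[exposure].append((row["asset"], reason))
    return findings

if __name__ == "__main__":
    for exposure, items in review(SAMPLE_INVENTORY).items():
        for asset, reason in items:
            print(f"{exposure:8} {asset:14} {reason}")
```

Rows that land in `unknown` are the places where the inventory itself still has to be completed before anything can be locked down.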
What was missing from the alert? The alert mentions unidirectional communications as a way to protect OT networks, but a stronger recommendation would have been nice. When an organization is starting from zero, unidirectional gateways are a great way to “jump to the head of the queue” cyber-wise. The gateways are the strongest practical protection from network & Internet-based attacks on OT targets. Unidirectional technology is used by all the world’s most secure industrial & infrastructure sites.
Product recommendations generally were missing, but that’s expected in government publications. Waterfall’s BlackBox, for example, is a tamper-proof repository for gold images and forensic data. The NSA/CISA alert uses a locked safe as an example of a tamper-proof repository, but that’s a very manual method for managing “gold image” backups. A Waterfall BlackBox stores these backups & other files automatically. The backups are locked behind unidirectional gateway technology that renders the stored files inaccessible to attackers. The files are inaccessible until an incident responder with a physical key grabs a copy of the gold to use when re-imaging an entire network while the infrastructure is operated manually.
Bottom line: the NSA/CISA alert is a very useful resource. Infrastructure providers with equipment out on the Internet – and there are a lot of them – should use the advice to take simple first steps in a cybersecurity program. Providers with more mature programs should use the alert as a checklist to compare to their own programs. In particular, “manual operation” and “gold images in a tamper-proof repository” are new advice that likely needs to be incorporated into mature programs.
Click here to read the original Alert (AA20-205A).
And a free book – for insights into a robust security program that echoes a lot of the NSA/CISA AA20-205A advice, please request a copy of this author’s latest book Secure Operations Technology, provided free of charge, courtesy of Waterfall Security Solutions, the OT security company.