New CISA, CCCS et al Alert | Advice on Pro-Russian Hacktivists Targeting

Andrew Ginter

The most recent CISA, CCCS et al alert / advice on pro-Russian hacktivists targeting critical infrastructures is a lot of good work, with one or two exceptions. The alert documents poorly resourced hacktivists connecting to ICS gear over the Internet and hacking it. That gear tends to control the smallest, poorest and weakest of critical infrastructure installations, the infrastructures most in need of simple, clear advice.

To its credit, the guide documents threats and tactics, and provides advice to both owners / operators and device manufacturers. However, the guide misses the mark in the section “OT Device Manufacturers.” I find this language very misleading:

“Although critical infrastructure organizations can take steps to mitigate risks, it is ultimately the responsibility of OT device manufacturers to build products that are secure by design.”

And,

“By using secure by design tactics, software manufacturers can make their product lines secure “out of the box” without requiring customers to spend additional resources making configuration changes, purchasing tiered security software and logs, monitoring, and making routine updates.”

When I read these words, the message I get is “If device manufacturers would only do their job better, then critical infrastructure owners and operators could ignore security and go forth to connect as much of their control systems as they wish to the Internet.”

This is of course nonsense.

We can configure “secure” products into hopelessly insecure systems, just as we routinely (with a bit of care) configure “insecure” ICS products into “secure” systems. That manufacturers should “take ownership of security outcomes” does not mean they can or should ever take sole ownership of such outcomes. A sentence or two to this effect would help readers better understand the relative responsibilities of manufacturers vs. owners & operators.

By analogy, automobile manufacturers can build all the seat belts, turn signals and rear-view mirrors they want into their vehicles; drivers still need to be taught to use these features to improve their driving safety. More specifically, owners and operators of the smallest, poorest and most vulnerable critical infrastructures need to hear that it is never reasonable for them to deploy safety-critical or reliability-critical HMIs on the Internet, no matter what "secure by design" features have been built into these products.

And again, while I commend these organizations for doing the work of putting out the alert / guidance, a second piece of feedback is that their advice to owners and operators missed the mark. It is not that the advice is wrong; it is addressed to the wrong audience. The advice is appropriate for larger, "medium-sized" infrastructures with a larger workforce, some of whom are knowledgeable in basic computer and cybersecurity concepts. The hacktivist attacks we're talking about are targeting the smallest, poorest and least well-defended critical infrastructures globally. These are organizations that uniformly suffer from STP Syndrome: Same Three People.

There is nobody on staff in these organizations who will understand the carefully phrased, completely general and abstract language of the guide's 8 major recommendations and 17 sub-recommendations. These smallest organizations need the simplest advice possible. For example:

  • Don’t connect any of your OT systems to the Internet. Ever.
  • Don’t enable remote access into any of your OT systems. Ever.
  • Auto-update all of your ICS firewalls, and religiously replace these devices every 3 years, because let’s face it, some time after that the manufacturer is going to stop providing updates, and when they do, you’re not going to notice, are you?
  • Lock the doors to rooms containing your OT gear, and change the locks annually to control who has access to the space, because again, let’s face it, you’re going to lose track of who has those keys, aren’t you?
  • Make sure you have backups and spare equipment to restore those backups into when your main equipment breaks, or when that gear is hacked irrecoverably.
  • Buy insurance from a reliable provider who can send someone who knows what they’re doing to your site when you have an emergency, to clean up the mess and restore your systems.

Again – I commend these organizations for making the effort. Securing the smallest, least-capable critical infrastructures is a hard problem to solve. This document is much better than nothing but would benefit from clearer and stronger guidance targeting owners and operators of the smallest critical infrastructure control systems, not just manufacturers of the control devices in those systems.

About the author

Andrew Ginter

Andrew Ginter is the most widely-read author in the industrial security space, with over 23,000 copies of his three books in print. He is a trusted advisor to the world's most secure industrial enterprises, and contributes regularly to industrial cybersecurity standards and guidance.