NSA and CISA Recommend Immediate Actions to Reduce Exposure Across OT and ICS (AA20-205A)

Raluca Saceanu

Just as MITRE are updating their framework for Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) to include ICS and OT Systems, the NSA and CISA have recently issued the AA20-205A alert recommending immediate actions to reduce exposure across operational technologies and control systems.

CISA and NSA advised that there has been an increase in activity by cyber actors targeting critical infrastructure by exploiting OT assets. The alert does not cite any specific recent incident, but it notes that attackers, including nation-state actors, are increasingly changing their tactics to target OT systems and critical infrastructure. This includes greater use of spear-phishing emails to gain a foothold in the IT network before pivoting to OT, deploying ransomware, connecting to internet-accessible programmable logic controllers (PLCs) that require no authentication, and taking advantage of software flaws.

Technical Details:

Recently Observed Tactics, Techniques, and Procedures

  • Spearphishing [T1192] to obtain initial access to the organisation’s information technology (IT) network before pivoting to the OT network.
  • Deployment of commodity ransomware to Encrypt Data for Impact [T1486] on both networks.
  • Connecting to Internet Accessible PLCs [T883] requiring no authentication for initial access.
  • Utilising Commonly Used Ports [T885] and Standard Application Layer Protocols [T869] to communicate with controllers and download modified control logic.
  • Use of vendor engineering software and Program Downloads [T843].
  • Modifying Control Logic [T833] and Parameters [T836] on PLCs.

Impacts

  • Impacting a Loss of Availability [T826] on the OT network.
  • Partial Loss of View [T829] for human operators.
  • Resulting in Loss of Productivity and Revenue [T828].
  • Adversary Manipulation of Control [T831] and disruption to physical processes.

Mitigations:

1. Have a resilience plan

  • Immediately disconnect systems from the Internet that do not need internet connectivity for safe and reliable operations. Ensure that compensating controls are in place where connectivity cannot be removed.
  • Plan for continued manual process operations should the ICS become unavailable or need to be deactivated due to hostile takeover.
  • Remove additional functionality that adds risk and attack surface without serving the process.
  • Identify system and operational dependencies.
  • Restore OT devices and services in a timely manner. Assign roles and responsibilities for OT network and device restoration.
  • Backup “gold copy” resources, such as firmware, software, ladder logic, service contracts, product licenses, product keys, and configuration information. Verify that all “gold copy” resources are stored off-network and store at least one copy in a locked tamperproof environment (e.g., locked safe).
  • Test and validate data backups and processes in the event of data loss due to malicious cyber activity.

2. Test your incident response plan

  • Conduct a tabletop exercise, including executive personnel, to test your existing incident response plan.
  • Be sure to include your public affairs and legal teams in your exercise in addition to your IT, OT, and executive management.
  • Discuss key decision points in the response plan and identify who has the authority to make key decisions under what circumstances.
  • Ensure your plan takes into account a scenario inclusive of the TTPs above and where the control system is actively operating counter to safe and reliable operations.
  • Partner with third parties for support. Review service contracts and government services for emergency incident response and recovery support.

3. Harden Your Network

  • Remote connectivity to OT networks and devices provides a known path that can be exploited by cyber actors. External exposure should be reduced as much as possible.
  • Remove access from networks that have no legitimate business reason to communicate with the system (the advisory gives non-U.S. IP addresses as an example, where applicable).
  • Use publicly available tools, such as Shodan, to discover internet-accessible OT devices. Take corrective actions to eliminate or mitigate internet-accessible connections immediately. Best practices include:
    • Fully patch all Internet-accessible systems.
    • Segment networks to protect PLCs and workstations from direct exposure to the internet. Implement secure network architectures utilising demilitarised zones (DMZs), firewalls, jump servers, and/or one-way communication diodes.
    • Ensure all communications to remote devices use a virtual private network (VPN) with strong encryption further secured with multifactor authentication.
    • Check and validate the legitimate business need for such access.
    • Filter network traffic to only allow IP addresses that are known to need access, and use geo-blocking where appropriate.
    • Connect remote PLCs and workstations to network intrusion detection systems where feasible.
    • Capture and review access logs from these systems.
    • Encrypt network traffic preferably using NIAP-validated VPN products and/or CNSSP- or NIST-approved algorithms when supported by OT system components to prevent sniffing and man-in-the-middle tactics. Available at: https://niap-ccevs.org.
  • Use the validated inventory to investigate which OT devices are internet-accessible.
  • Use the validated inventory to identify OT devices that connect to business, telecommunications, or wireless networks.
  • Secure all required and approved remote access and user accounts.
    • Prohibit the use of default passwords on all devices, including controllers and OT equipment.
    • Remove, disable, or rename any default system accounts wherever possible, especially those with elevated privileges or remote access.
    • Enforce a strong password security policy (e.g., length, complexity).
    • Require users to change passwords periodically, when possible.
    • Enforce or plan to implement two-factor authentication for all remote connections.
  • Harden or disable unnecessary features and services (e.g., discovery services, remote management services, remote desktop services, simulation, training, etc.).

4. Create an Accurate “As-operated” OT Network Map Immediately

An accurate and detailed OT infrastructure map provides the foundation for sustainable cyber-risk reduction.

  • Document and validate an accurate “as-operated” OT network map.
    • Use vendor-provided tools and procedures to identify OT assets.
    • Use publicly available tools, such as Wireshark,[9] NetworkMiner,[10] GRASSMARLIN,[11] and/or other passive network mapping tools.
    • Physically walk down to check and verify the OT infrastructure map.
  • Create an asset inventory.
    • Include OT devices assigned an IP address.
    • Include software and firmware versions.
    • Include process logic and OT programs.
    • Include removable media.
    • Include standby and spare equipment.
  • Identify all communication protocols used across the OT networks.
    • Use vendor-provided tools and procedures to identify OT communications.
    • Use publicly available tools, such as Wireshark,[9] NetworkMiner,[10] GRASSMARLIN,[11] and/or other passive network mapping tools.
  • Investigate all unauthorized OT communications.
  • Catalog all external connections to and from the OT networks.
    • Include all business, vendor, and other remote access connections.
    • Review service contracts to identify all remote connections used for third-party services.

5. Understand and Evaluate Cyber-risk on “As-operated” OT Assets

Informed risk awareness can be developed using a variety of readily available resources, many of which include specific guidance and mitigations.

  • Use the validated asset inventory to investigate and determine specific risk(s) associated with existing OT devices and OT system software.
    • Vendor-specific cybersecurity and technical advisories.
    • CISA Advisories [12].
    • Department of Homeland Security – Cybersecurity and Infrastructure Security Agency Cyber Security Evaluation Tool (CSET) [13].
    • MITRE Common Vulnerabilities and Exposures (CVE) for both Information Technology and OT devices and system software [14]. Available at https://cve.mitre.org.
    • National Institute of Standards and Technology – National Vulnerability Database [15]. Available at https://nvd.nist.gov.
  • Implement mitigations for each relevant known vulnerability, whenever possible (e.g., apply software patches, enable recommended security controls, etc.).
  • Audit and identify all OT network services (e.g., system discovery, alerts, reports, timings, synchronization, command, and control) that are being used.
    • Use vendor provided programming and/or diagnostic tools and procedures.

6. Implement a Continuous and Vigilant System Monitoring Program

A vigilant monitoring program enables system anomaly detection, including many malicious cyber tactics like “living off the land” techniques within OT systems.

  • Log and review all authorized external access connections for misuse or unusual activity.
  • Monitor for unauthorized controller change attempts.
    • Implement integrity checks of controller process logic against a known good baseline.
    • Where possible, ensure process controllers are prevented from remaining in remote program mode while in operation.
    • Lock or limit set points in control processes to reduce the consequences of unauthorized controller access.
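An integrity check of controller logic against a known-good baseline needs two things the advisory mentions separately: the "gold copy" of the project from the resilience plan, and a way to tell that the baseline itself has not been rewritten along with the logic. The block below is an added example, not code from the advisory or from Smarttech247: it assumes the control logic is kept as exported files under one directory (here a constructed Structured Text source and a set-point table in a temporary directory), hashes each file with SHA-256, and authenticates the manifest with an HMAC whose key is assumed to be stored with the off-network gold copy rather than on the engineering workstation. The demo shows a clean check, then a modified set point, a deleted logic file and a dropped extra file, and finally a manifest regenerated by someone without the key.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Placeholder (assumption): the real key is kept with the off-network gold copy.
MANIFEST_KEY = b"replace-with-key-kept-with-the-gold-copy"


def file_digest(path, chunk_size=1 << 16):
    """SHA-256 of one file, streamed so large project archives are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def _entries(root):
    """Map of relative path -> digest for every file below root."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = file_digest(full)
    return entries


def _tag(entries, key):
    """HMAC over a canonical JSON encoding of the entries."""
    body = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(root, key=MANIFEST_KEY):
    """Snapshot the known-good logic directory into a keyed manifest."""
    entries = _entries(root)
    return {"entries": entries, "hmac": _tag(entries, key)}


def verify_manifest(root, manifest, key=MANIFEST_KEY):
    """Compare the live directory with the baseline.

    'authentic' is False when the manifest was altered or regenerated without
    the key; treat the other fields as untrusted in that case."""
    authentic = hmac.compare_digest(_tag(manifest["entries"], key), manifest["hmac"])
    baseline, current = manifest["entries"], _entries(root)
    return {
        "authentic": authentic,
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)


def demo():
    """Constructed scenario: baseline, then an unauthorised logic change."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "pump_station/main.st",
               "IF Level > HighLevel THEN Pump := TRUE; END_IF;\n")
        _write(root, "pump_station/setpoints.csv", "HighLevel,80\nLowLevel,20\n")
        baseline = build_manifest(root)
        clean = verify_manifest(root, baseline)

        # Adversary raises the high-level set point, drops a file, deletes logic
        _write(root, "pump_station/setpoints.csv", "HighLevel,99\nLowLevel,20\n")
        _write(root, "pump_station/debug.bin", "not part of the project")
        os.remove(os.path.join(root, "pump_station", "main.st"))
        tampered = verify_manifest(root, baseline)

        # Adversary also regenerates the manifest, but without the real key
        forged = build_manifest(root, key=b"guessed-key")
        forged_check = verify_manifest(root, forged)
    return clean, tampered, forged_check


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "forged manifest"), demo()):
        print(label, result)
```

Run this against an export taken from the controller (not only the engineering workstation's copy) so that a program download that bypassed the workstation is also caught, and alert on any result whose "authentic" flag is false before reading the file lists.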

At Smarttech247 we have a dedicated OT security solutions department and we have partnered with Tenable.ot to help organisations reduce their OT cyber risk. If you have any concerns about the above guidelines, please contact us today to set up a free OT security consultation.
