Citing an “increase in adversary capabilities and activity,” the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) are warning critical infrastructure facilities in the U.S. to “take immediate actions” to secure operational technology (OT) assets against cyber threats.

In an alert issued last week, the agencies noted that OT assets capable of accessing the internet have become increasingly common across the 16 U.S. critical infrastructure sectors, including the energy industry. Because these systems interface with legacy OT assets that were not designed with malicious cyberactivity in mind, their spread — along with a decentralized workforce and outsourcing of instrumentation and control, OT asset management and maintenance and other key functions — has created a “perfect storm” of vulnerability that can be exploited by malicious actors, the agencies said.

Warning from Attack on Israel

While the alert did not mention any specific attacks against U.S. assets, it did link to a report from CyberScoop on a cyberattack against control systems at water facilities in Israel. That attack occurred in May and has been attributed to the government of Iran, though Israel’s government has not officially identified the culprits beyond stating that the crime did not appear to be motivated by profit.

According to NSA and CISA, attackers in recent incidents have commonly gained access to organizations’ information technology network through spearphishing attacks, then pivoted to accessing the OT network. Initial access may also be gained through internet-accessible control hardware that lack authentication requirements or through the use of exploits known to be common across hardware from the same vendors.

Once inside a utility’s systems, attackers usually deploy commodity ransomware to encrypt data on both networks. Impacts include loss of availability on the OT network and lockouts for human operators, leading to loss of productivity and revenue or even manipulation by the adversary that results in disruption to offline processes.

While utilities should aim to prevent attackers from entering sensitive systems in the first place, CISA and NSA also recommend developing a resilience plan to limit the damage done by actors who gain a foothold and turn control systems against their users. Elements of a successful resilience plan include:

• the ability to disconnect systems immediately from the internet if they can operate safely without being online;
• a plan for manual operation should industrial control systems (ICS) become unavailable;
• removing unnecessary functionality that increases the risk and attack surface area;
• maintaining secure, offsite backups for “gold copy” resources (firmware, software, ladder logic, service contracts and product information); and
• testing and validating procedures for data loss from malicious cyberactivity.

Entities are also encouraged to rehearse their incident response plans frequently through tabletop exercises that include executive, public affairs and legal teams.

Pandemic Highlights Cyber Concerns

Cyberattacks have become a serious concern for the electricity industry in recent months because of the sudden expansion of the remote workforce during the COVID-19 pandemic. (See Solarium Team Urges Long-term Cybersecurity Focus.) In a report earlier this year, NERC urged utilities to use the Electricity Information Sharing and Analysis Center and the Cybersecurity Risk Information Sharing Program to stay informed about the latest threats. (See PPE, Testing Top Coronavirus Concerns for NERC.)

National security officials also have been increasingly focused on cyber threats to the electric grid originating from foreign governments. In May, President Trump declared a national emergency regarding foreign threats to the bulk power system, which was followed earlier this month by information requests from NERC and the Department of Energy. (See NERC Issues Level 2 Supply Chain Alert.)

China and Russia are commonly seen as the biggest threats to the North American grid, though experts believe Iran has targeted the U.S. energy infrastructure as well. (See Iran Cyber Threat Increasing, Experts Say.) Cuba, North Korea and Venezuela are also considered potential threats.

In a press release, advocacy group Protect Our Power said NSA and CISA’s report “confirms the urgency” of the cyber threat against the BPS, along with the need for a coordinated response from all stakeholders.

“Addressing grid threats will require a combination of government funding and regulatory incentives encouraging utilities to invest in cybersecurity,” POP Executive Director Jim Cunningham said. “It is also critical that utilities and key government agencies continue to proactively share cybersecurity information so that all asset owners know about incoming attacks and effective best practices and resources to repel or mitigate those attacks. The grid is only as strong as its weakest link.”