Bringing the NSA & CISA’s OT Security Recommendations to Action
By The Claroty Team
July 29, 2020
Last week, the U.S. National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) issued an alert recommending that critical infrastructure owners and operators take “immediate actions to reduce exposure across operational technologies and control systems” in response to cyber threat actors’ continued interest in targeting critical infrastructure by “exploiting internet-accessible operational technology (OT) assets.”
The alert notes an increase in recent months in adversary capabilities and activity, particularly with respect to certain tactics, techniques, and procedures (TTPs) and impacts referenced in the MITRE ATT&CK for ICS framework. These include:
Connecting to internet-accessible PLCs
Utilizing commonly used ports and standard application layer protocols
Modifying control logic and parameters
Loss of availability
Partial loss of view for human operators
Loss of productivity and revenue
Adversary manipulation of physical processes
Reflecting the criticality of these impacts, the immediate actions the NSA and CISA recommend for all critical infrastructure owners and operators — as well as how Claroty can support those actions for our customers — are as follows:
Create an accurate, “as operated” OT network map immediately.
The foundation for sustainable cyber-risk reduction is an accurate and comprehensive map of your OT infrastructure. Such a map requires:
A detailed inventory of all assets, including each asset’s key IP address, vendor, software and firmware versions, and process logic, among other pieces of key information
All communication protocols in use across the OT network
All external connections to and from the OT network, including those used for third-party services
The ability to obtain this information is at the center of The Claroty Platform, which combines safe and non-disruptive Passive, Active, and AppDB scanning with the broadest protocol support in the industry to provide full asset, network, and process visibility for OT networks — all the way down to the I/O level. This caliber of visibility underpins our customers’ security posture and is unique to Claroty.
Understand and evaluate cyber-risk on “as-operated” OT assets.
To achieve informed OT cyber-risk awareness, you must be able to identify the specific risk(s) associated with the assets and system software present within your OT environment. This entails keeping an accurate and detailed inventory of that environment, conducting frequent and thorough audits of security and risk posture, and continually identifying and actioning timely and relevant knowledge from industry leaders and reputable open and proprietary sources.
Here are a few ways we equip our customers here at Claroty to better understand and evaluate risks facing their OT assets:
The Claroty Platform includes the latest OT-specific threat intelligence — including proprietary signatures from Claroty researchers — and common vulnerabilities and exposures (CVE) data updates from the National Vulnerabilities Database (NVD), all of which is updated in real-time via The Claroty Cloud.
As the foundation of our platform, Claroty Continuous Threat Detection (CTD) can immediately identify, correlate, and assess the risk of all TTPs included in the MITRE ATT&CK for ICS framework, among others, thereby helping our customers understand and address gaps in their network where known avenues of attack exist.
Attack Vector Mapping, which is also part of The Claroty Platform, pinpoints the most at-risk assets and zones in our customers’ networks and simulates the various means through which an attacker could penetrate that network. This enables customers to understand which entry points are most exposed and which assets face the greatest risk of compromise.
In cases where critical vulnerabilities are present but cannot be patched immediately — as is common in OT networks with infrequent patching windows — Attack Vector Mapping empowers customers to understand the risk at hand and what compensating controls are needed to minimize that risk until patching can occur.
In terms of auditing, Claroty Secure Remote Access (SRA) grants customers the ability to record and review all remote sessions on the network, helping to ensure compliance with remote access policies and streamlining investigations.
Risk and Hygiene Scores based on the unique composition, presence of vulnerabilities, potentially malicious events, and other characteristics of our customers’ OT networks are central to The Claroty Platform. These scores exist at the asset, zone, and network levels, as well as for the overall OT environment across all sites in which a customer has deployed our platform, enabling efficient and effective assessment and mitigation of risk.
Implement a continuous and vigilant system monitoring program.
In addition to having a detailed inventory of your OT environment and a thorough evaluation of the cyber risks it may face, your team also needs a vigilant monitoring system that enables you to quickly identify potentially malicious events.
Such a system must log and review all authorized internal and external access connections for misuse or unusual activity, while maintaining the ability to detect threats, such as unauthorized controller change attempts, deviations from established behavioral baselines, or remote access sessions that venture away from their stated purpose.
The Claroty Platform provides the entirety of these capabilities by utilizing five detection engines to monitor OT networks for both known and unknown or zero-day threats. It also includes live monitoring and full recording of all remote access sessions, as well as contextualized triage and mitigation recommendations that equip security teams to take action rapidly and effectively when potentially malicious events surface.
Harden your network.
Remote connectivity to OT networks and devices is a tried-and-true path for exploitation by threat actors, but external exposure can be reduced by using remote access methods that are secure-by-design and suitable for OT. Even seemingly basic and straightforward measures — such as prohibiting default passwords for devices and accounts — can make it considerably more difficult and time consuming for an adversary to wage an attack against your environment.
Mapping your network, as The Claroty Platform does, is the first step towards hardening it. Network segmentation, such as our platform’s Virtual Zones feature, also helps by creating secure network policies that maintain the integrity of firewall systems and other types of security infrastructure.
And in order to further minimize the risks introduced specifically by remote connectivity to OT networks, Claroty SRA, which is secure-by-design, provides:
A simple, secure interface through which all remote users connect
Built-in functionality that splits all data in transit between two encrypted tunnels, thereby removing direct connectivity between remote users and assets on the OT network and thus breaking the attack surface
Password vaulting and encryption of all asset and session data
Granular role- and policy-based administrative controls that support Zero Trust and Least Privilege principles
Full monitoring and auditing capabilities
Support for emergency access and “break the glass” approval workflows with the ability to immediate disconnect risky sessions
Architecture that preserves the Purdue Model
Have a resilience plan for OT.
Following the infamous 2015 Ukraine cyber attack, OT resiliency has been embraced with heightened importance. Achieving this requires a resilience plan that ensures safety and reliability in the event of a disruption.
The plan should allow for the immediate cutoff of all non-essential internet connections, as well as compensating controls for areas where this is not possible. OT personnel must also be able to continue operations manually, quickly reduce OT attack surface, and have well-tested backup and recovery capabilities.
The Claroty Platform helps support the development and implementation of OT resilience plans for our customers by equipping them with:
A complete network map detailing asset communication patterns, processes, dependencies, and vulnerabilities
The ability to immediately disconnect remote connections deemed risky via Claroty
The ability to customize threat detection alerts for their unique operational security needs
Real-time insight into exploitable attack vectors and simulation of entry paths to vulnerable assets
Detailed backups of asset configuration files that can be accessed to support recovery efforts
Exercise your incident response plan.
In addition to being able to assure resilience in the event of a disruption, OT security teams must also have a predefined plan for responding to the incident itself. Stakeholders should discuss key decision points, assign roles and responsibilities, and conduct tabletop tabletop exercises to test your incident response plan under various simulated circumstances.
It is also crucial to ensure your plan takes into account scenarios inclusive of the adversary TTPs mentioned above, as well as where control systems are actively operating counter to safe and reliable operations. The Claroty Platform arms our customers with this information by — as noted previously — delivering full-spectrum asset discovery, segmentation, threat detection, risk and vulnerability management, and triage and mitigation controls for their OT networks.
To learn more about how Claroty can help your organization gain visibility and minimize exposure across your OT ecosystem, request a demo.