CISA Cybersecurity Alerts 9.22.22
Ep 32 | 9.22.22

CISA Alert AA22-265A – Control system defense: know the opponent.


This is a CISA Cybersecurity Alert. ID number Alpha Alpha Two Two tack Two Six Five Alpha.

Original release date: September Twenty Second, twenty twenty two.

This alert builds on previous NSA and CISA guidance to stop malicious ICS activity and reduce OT exposure. The alert documentation linked in the show notes describes TTPs that malicious actors use to compromise OT and ICS assets. It also recommends mitigations that owners and operators can use to defend their systems from each of the listed TTPs. NSA and CISA encourage OT and ICS owners and operators to apply the recommendations in this documentation.

Traditional approaches to securing OT and ICS do not adequately address current threats. Operators who understand cyber actors' TTPs can use this knowledge to prioritize hardening and mitigation actions.

Operational technology and industrial control system assets that operate, control, and monitor day-to-day critical infrastructure and industrial processes continue to be an attractive target for malicious cyber actors. These cyber actors target OT and ICS assets to achieve political gains, economic advantages, or destructive effects. Because OT and ICS systems manage physical processes, malicious cyber activity could result in physical consequences, including loss of life, property damage, and disruption of National Critical Functions.

Traditional ICS assets are difficult to secure because they were designed for maximum availability and safety, and because they run on decades-old systems that often lack any recent security updates. Newer assets often have a larger attack surface because they incorporate Internet or IT network connectivity to enable remote control and operations. The net effect of IT and OT convergence is an increased risk of cyber exploitation of control systems. APT actors have also developed tools for scanning, compromising, and controlling targeted OT devices.
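The last sentence above, about actor tooling that scans and compromises OT devices, is the part of this passage a detection engineer can act on directly: a single host touching control-protocol ports on many devices in a short window is not how an engineering workstation or HMI normally behaves. The following Python script is an added example written for this page, not code from CISA, NSA or the CyberWire. The port-to-protocol table, the flow record layout, the window and threshold values, and the sample flows are all assumptions constructed for illustration; a real deployment would read flow logs from the site's sensor and tune the thresholds to its own polling patterns.

```python
"""Flag hosts that sweep ICS/OT service ports across many devices.

Added example for this alert, not from CISA or the CyberWire. All data
below is constructed for illustration; it is not real capture data.
"""
from collections import defaultdict

# Assumed ICS/OT protocol ports (TCP unless noted). Adjust to the site's
# own protocol inventory; this table is an assumption, not a CISA list.
ICS_PORTS = {
    502: "modbus",
    102: "s7comm/iso-tsap",
    20000: "dnp3",
    44818: "ethernet/ip",
    2222: "ethernet/ip-implicit",
    47808: "bacnet (udp)",
    4840: "opc-ua",
}

# Constructed flow records, one per line:
# epoch_seconds src_ip src_port dst_ip dst_port proto
# 10.20.1.50 probes six different devices on four protocols in six seconds
# (sweep). 10.20.1.7 polls one PLC repeatedly (normal HMI behaviour).
# 10.20.1.99 talks HTTPS to a non-ICS port (ignored).
SAMPLE_FLOWS = """\
1663800000 10.20.1.50 51000 10.30.0.11 502 tcp
1663800001 10.20.1.50 51001 10.30.0.12 502 tcp
1663800002 10.20.1.50 51002 10.30.0.13 502 tcp
1663800003 10.20.1.50 51003 10.30.0.14 102 tcp
1663800004 10.20.1.50 51004 10.30.0.15 20000 tcp
1663800005 10.20.1.50 51005 10.30.0.16 44818 tcp
1663800006 10.20.1.7 40001 10.30.0.11 502 tcp
1663800030 10.20.1.7 40002 10.30.0.11 502 tcp
1663800060 10.20.1.7 40003 10.30.0.11 502 tcp
1663800100 10.20.1.99 33000 10.30.0.20 443 tcp
"""


def parse_flows(text):
    """Parse the constructed whitespace-separated flow format into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, _sport, dst, dport, proto = line.split()
        flows.append({"ts": int(ts), "src": src, "dst": dst,
                      "dport": int(dport), "proto": proto})
    return flows


def find_ics_sweeps(flows, window_s=300, min_targets=5):
    """Return {src: {"hosts": [...], "protocols": [...]}} for every source
    that touched ICS ports on at least min_targets distinct destination
    hosts within any window_s-second sliding window.

    Repeated polling of the same device never trips the threshold, so a
    normal HMI or historian is not flagged; a host walking the OT segment is.
    """
    by_src = defaultdict(list)
    for f in flows:
        if f["dport"] in ICS_PORTS:
            by_src[f["src"]].append(f)

    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        left = 0
        for right in range(len(events)):
            # Shrink the window from the left until it spans <= window_s.
            while events[right]["ts"] - events[left]["ts"] > window_s:
                left += 1
            window = events[left:right + 1]
            hosts = {e["dst"] for e in window}
            if len(hosts) < min_targets:
                continue
            # Keep the widest window seen for this source.
            if len(hosts) > len(alerts.get(src, {}).get("hosts", [])):
                alerts[src] = {
                    "hosts": sorted(hosts),
                    "protocols": sorted({ICS_PORTS[e["dport"]] for e in window}),
                }
    return alerts


if __name__ == "__main__":
    for src, detail in find_ics_sweeps(parse_flows(SAMPLE_FLOWS)).items():
        print(f"ICS sweep from {src}: {len(detail['hosts'])} devices, "
              f"protocols {', '.join(detail['protocols'])}")
```

The threshold of five distinct devices in five minutes is deliberately low for a flat OT segment where only a handful of hosts should ever speak these protocols; raise it, or add an allowlist of known scanners and asset-inventory tools, if the site runs legitimate OT discovery.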

For additional information regarding the TTPs that malicious cyber actors use to plan and execute compromises against critical infrastructure control systems, and for specific mitigation measures for each of these TTPs, visit the alert documentation linked in the show notes.

To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at, or call (888) 282-0870, or report incidents to your local FBI field office.

This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by the CyberWire as a public service. Please visit www dot cisa dot gov to read the full report which may include additional details, links, and illustrations. A link to this report can be found in the show notes.

This has been a CISA Cybersecurity Alert.