CISA red-teams critical infrastructure.
N2K, Mar 2, 2023

Red team was thwarted by multifactor authentication and time constraints.

The US Cybersecurity and Infrastructure Security Agency (CISA) has published the findings of a red team assessment the agency carried out against a large critical infrastructure organization last year.

Successful spearphishing attacks.

The operation, conducted at the request of the organization, lasted three months. The red team gained initial access to two workstations through spearphishing and then moved laterally within the network, but it was unable to reach the organization's sensitive business systems after running up against multifactor authentication and the exercise's time limit. CISA nonetheless assesses that, “by using Secure Shell (SSH) session socket files…they could have accessed any hosts available to the users whose workstations were compromised.”
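The SSH socket-file finding is the most reusable lesson in the report: an already-authenticated SSH session that is left multiplexable can be ridden by anyone who lands in that user's context, and MFA is never re-prompted. The audit below is an added example, not CISA's tooling or anything from the report. It assumes the "session socket files" are OpenSSH ControlMaster multiplexing sockets (the files created by `ControlPath`), parses an `ssh_config` for the options that create them, and lists live socket files that an attacker on the workstation could hand to `ssh -S`. The sample config, the user `alice`, the host `bastion`, and the temporary directory are all constructed for the demonstration.

```python
"""Audit a user's SSH directory for reusable ControlMaster sockets.

Added example (not CISA's code). Assumption: the "SSH session socket
files" in the report are OpenSSH ControlMaster multiplexing sockets.
Once a user has authenticated (MFA included) with ControlMaster on,
`ssh -S <socket> <host>` from the same workstation reuses that session
without re-authenticating, and ControlPersist keeps the socket alive
after the user's own shell exits.
"""
import os
import re
import socket
import stat
import tempfile

# Constructed sample config, modelled on a common ControlMaster setup.
SAMPLE_SSH_CONFIG = """\
Host *
    ControlMaster auto
    ControlPath ~/.ssh/cm-%r@%h:%p
    ControlPersist 8h
"""


def parse_control_settings(text):
    """Return {option_lowercase: value} for the ControlMaster family."""
    wanted = {"controlmaster", "controlpath", "controlpersist"}
    found = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) == 2 and parts[0].lower() in wanted:
            found.setdefault(parts[0].lower(), parts[1].strip())  # first match wins, as in ssh_config
    return found


def persist_risk(settings):
    """Explain how long a hijackable socket would exist under these settings."""
    master = settings.get("controlmaster", "no").lower()
    persist = settings.get("controlpersist", "no").lower()
    if master not in ("yes", "auto", "autoask", "ask"):
        return "ControlMaster off: no multiplexing sockets are created"
    if persist in ("no", "0"):
        return "ControlMaster on, ControlPersist off: socket lives only while the first session is open"
    # Mitigation: ControlPersist no (or a few minutes), ControlPath inside a mode-0700
    # directory, and `ssh -O exit <host>` when the user is done.
    return f"ControlMaster {master} with ControlPersist {persist}: socket can be reused until it expires"


def find_control_sockets(ssh_dir):
    """List unix-domain socket files in ssh_dir with their permission bits."""
    hits = []
    for name in sorted(os.listdir(ssh_dir)):
        path = os.path.join(ssh_dir, name)
        st = os.lstat(path)
        if stat.S_ISSOCK(st.st_mode):
            # Whoever can connect to this socket (the owner, or group/other if the
            # mode allows it) gets a new session on the already-authenticated host.
            hits.append((path, oct(stat.S_IMODE(st.st_mode))))
    return hits


def audit(ssh_dir, config_text):
    settings = parse_control_settings(config_text)
    return {
        "settings": settings,
        "risk": persist_risk(settings),
        "sockets": find_control_sockets(ssh_dir),
    }


def build_demo_ssh_dir():
    """Constructed fixture: a private ~/.ssh holding one live ControlMaster socket."""
    ssh_dir = tempfile.mkdtemp(prefix="sshaudit")
    os.chmod(ssh_dir, 0o700)
    sock_path = os.path.join(ssh_dir, "cm-alice@bastion:22")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)   # creates the socket inode, exactly as a ControlMaster would
    with open(os.path.join(ssh_dir, "known_hosts"), "w") as fh:
        fh.write("bastion ssh-ed25519 placeholder-key-for-demo\n")  # ordinary file, must not be flagged
    return ssh_dir, srv


if __name__ == "__main__":
    demo_dir, _keep = build_demo_ssh_dir()
    result = audit(demo_dir, SAMPLE_SSH_CONFIG)
    print(result["risk"])
    for path, mode in result["sockets"]:
        print(f"reusable session socket: {path} (mode {mode}); from this user context an "
              f"attacker could run: ssh -S {path} -O check bastion  (then ssh -S {path} bastion)")
```

On a real workstation, point `audit()` at the user's `~/.ssh` and the contents of `~/.ssh/config` (plus `/etc/ssh/ssh_config`, which can set `ControlMaster` system-wide). A reported socket is only dangerous while its master connection is alive; `ssh -S <path> -O check <host>` tells you whether it is, and `-O exit` tears it down.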

Industry comments on red-teaming critical infrastructure.

Jori VanAntwerp, CEO & Co-Founder at SynSaber, offered the following observations:

“Upon reading the report, my initial reaction is that OT networks and systems are not mentioned. While the IT system discussed could adversely affect the day-to-day business operations of an organization, there isn't any explicit mention or evidence of manipulation or interruption to process control or operation. While the simulated breach in this red team is concerning, and defenses should be bolstered, I'm not entirely sure that this would have affected the operations of a critical infrastructure environment.

“Critical infrastructure providers are more aware than ever of what needs to be done to secure their environments. The challenge now shifts to the implementation of best practices to mitigate risk, such as segmentation, visibility, detection, and monitoring. Exercises such as this provide defenders with the point of proof necessary to ensure that budget and resources are properly implemented to improve posture and overall defense of operations.

“These findings highlight some of the challenges OT is facing in terms of implementing cybersecurity best practices such as proper segmentation, network visibility, detection, access privileges, and more.”

Paul Scott, R&D, Solutions Engineer at Cado Security, commented:

“My view is that for critical infrastructure, I don't think their security posture or the advice that they should be following has changed. Threat actors continue to do what works, which at the moment still tends to be phishing of staff or abusing publicly known exploits in unpatched web-facing infrastructure. For critical infrastructure, the key difference from corporations is their industrial control systems, which are often never patched or not able to be patched, and are accessible remotely by support vendors with limited or no network segmentation or controls in place.

“To me, the key things that I've seen fail in industrial settings are:

  • “little or no network segmentation between industrial control devices
  • “little or no segmentation of domains and domain trusts
  • “little or no implementation of strict firewall rules between applications
  • “no logging or detections on access from 3rd party support providers
  • “no ability to detect anomalies on industrial systems (e.g., programmable logic controllers)
  • “overly permissive user account access allowing lateral movement after initial compromise”

(Added, 4:45 PM ET, March 2nd, 2023. Chris Grove, Cyber Security Strategist, Director at Nozomi Networks, sees some lessons in the exercise that can be applied to hardening critical infrastructure.

"The recent findings of the CISA Red Team assessment are, unfortunately, not surprising… but, fortunately, not as scary as they could be.

"Although the words ‘critical infrastructure’ are used, the attacks didn’t necessarily touch that infrastructure, nor pose any risk to the operations of that entity. Large IT enterprises are in a constant state of recovery; every single day there are multiple incidents being handled. This assessment simply provided a glimpse into the day-to-day operations of a typical SOC.

"However, among all of the infected laptops, hijacked browsers, and employees on malicious wifi, they are mostly contained to IT environments and will have multiple, hard-to-overcome obstacles before having an impact on the operations. For example, knowing how to hack a firewall or phish an employee is useless knowledge once you enter the OT domain, so the hacker will need help to understand what to do next. The protocols are new, engineering knowledge will be needed, and those who use products such as ours will easily detect their presence, and will have a hardened network that resists.

"There could also be an air-gap that prevents communications between the IT networks and the actual critical infrastructure, or it was deployed properly using ISA-62443, NERC-CIP, the Purdue model, or other best practices that are designed with infected IT networks in mind.

"That said, it shows that we have a long way to go to shore up our defenses within the critical infrastructure sectors. As in many other cases, the weak link is the humans that are being phished, or systems that are not maintained or configured according to best practices.")