Note: This Activity Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise and ATT&CK for Industrial Control Systems frameworks for all referenced threat actor techniques and mitigations.
Over recent months, cyber actors have demonstrated their continued willingness to conduct malicious cyber activity against critical infrastructure (CI) by exploiting internet-accessible operational technology (OT) assets.[1] Due to the increase in adversary capabilities and activity, the criticality to U.S. national security and way of life, and the vulnerability of OT systems, civilian infrastructure makes an attractive target for foreign powers attempting to do harm to U.S. interests or retaliate for perceived U.S. aggression. OT assets are critical to the Department of Defense (DoD) mission and underpin essential National Security Systems (NSS) and services, as well as the Defense Industrial Base (DIB) and other critical infrastructure. At this time of heightened tensions, it is critical that asset owners and operators of critical infrastructure take the following immediate steps to ensure the resilience and safety of U.S. systems should a time of crisis emerge in the near term. The National Security Agency (NSA), along with the Cybersecurity and Infrastructure Security Agency (CISA), recommends that all DoD, NSS, DIB, and U.S. critical infrastructure facilities take immediate actions to secure their OT assets.
Internet-accessible OT assets are becoming more prevalent across the 16 U.S. CI sectors as companies increase remote operations and monitoring, accommodate a decentralized workforce, and expand outsourcing of key skill areas such as instrumentation and control, OT asset management/maintenance, and in some cases, process operations and maintenance. Legacy OT assets that were not designed to defend against malicious cyber activities, combined with readily available information that identifies OT assets connected via the internet (e.g., Shodan,[2] Kamerka [3]), are creating a “perfect storm” of 1) easy access to unsecured assets, 2) use of common, open-source information about devices, and 3) an extensive list of exploits deployable via common exploit frameworks [4] (e.g., Metasploit,[5] Core Impact,[6] and Immunity Canvas [7]). Observed cyber threat activities can be mapped to the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) for Industrial Control Systems (ICS) framework.[8] It is important to note that while the behavior may not be technically advanced, it is still a serious threat because the potential impact to critical assets is so high.
Since the 2015 cyberattack on Ukraine, organizations must plan not only for a malfunctioning or inoperative control system, but for a control system that is actively working against the safe and reliable operation of the process. Organizations need an OT resilience plan that allows them to:
In a state of heightened tensions and additional risk and exposure, it is critical to have a well-exercised incident response plan that is developed before an incident.
An accurate and detailed OT infrastructure map provides the foundation for sustainable cyber-risk reduction.
Informed risk awareness can be developed using a variety of readily available resources, many of which include specific guidance and mitigations.
A vigilant monitoring program enables system anomaly detection, including many malicious cyber tactics like “living off the land” techniques within OT systems.
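As an added illustration of the "as-operated" OT infrastructure map and the vigilant monitoring program described above (example code written for this edit, not part of the NSA/CISA advisory), the following Python builds a passive asset map from constructed flow records and flags ICS traffic that either comes from outside the OT address space, the internet-accessible exposure the advisory is concerned with, or falls outside a vetted baseline of conversations. The flow records, addresses, baseline and port list are all assumed.

```python
import ipaddress
from collections import defaultdict
# Constructed NetFlow-style records from an OT boundary sensor, as
# (src, dst, dst_port, protocol). Not real traffic; 203.0.113.7 is a
# documentation address standing in for an internet-sourced client.
SAMPLE_FLOWS = [
    ("10.20.1.10", "10.20.1.50", 502, "modbus"),
    ("10.20.1.10", "10.20.1.51", 502, "modbus"),
    ("10.20.1.11", "10.20.1.50", 44818, "enip"),
    ("10.20.1.10", "10.20.1.50", 502, "modbus"),
    ("203.0.113.7", "10.20.1.50", 502, "modbus"),  # internet-reachable PLC
    ("10.20.1.99", "10.20.1.51", 502, "modbus"),   # talker absent from baseline
]
# Assumed "as-operated" baseline of vetted (src, dst, port) conversations,
# normally learned from a reviewed capture window; constructed here.
BASELINE = {("10.20.1.10", "10.20.1.50", 502),
            ("10.20.1.10", "10.20.1.51", 502),
            ("10.20.1.11", "10.20.1.50", 44818)}
# Common ICS service ports (Modbus/TCP, EtherNet/IP, DNP3, S7comm).
ICS_PORTS = {502: "modbus", 44818: "enip", 20000: "dnp3", 102: "s7comm"}
# Address space the OT network is expected to use (RFC 1918, listed
# explicitly because ipaddress.is_private also covers documentation ranges).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def asset_map(flows):
    """Passive OT asset map: each ICS server with the clients and protocols
    observed talking to it, built without probing the devices."""
    seen = defaultdict(lambda: {"clients": set(), "protocols": set()})
    for src, dst, port, proto in flows:
        if port in ICS_PORTS:
            seen[dst]["clients"].add(src)
            seen[dst]["protocols"].add(proto)
    return dict(seen)

def find_anomalies(flows, baseline):
    """Flag ICS traffic from outside the OT address space (an internet-exposed
    asset) and conversations absent from the as-operated baseline."""
    findings = []
    for src, dst, port, proto in flows:
        if port not in ICS_PORTS:
            continue
        if not is_internal(src):
            findings.append(("external-source-ics", (src, dst, port, proto)))
        elif (src, dst, port) not in baseline:
            findings.append(("new-conversation", (src, dst, port, proto)))
    return findings
```

In practice the flow records would come from a boundary sensor or passive capture tool, and the baseline would be refreshed after each reviewed change window so that legitimate new conversations do not keep raising findings.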
CISA encourages recipients of this report to contribute any additional information that they may have related to this threat. For any questions related to this report, please contact CISA at
CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found at <http://www.us-cert.gov/>.
CISA strives to make this report a valuable tool for our partners and welcomes feedback on how this publication could be improved. You can help by answering a few short questions about this report at the following URL: <https://www.us-cert.gov/forms/feedback>.
Client Requirements / General Cybersecurity Inquiries: Cybersecurity Requirements Center, 410-854-4200, [email protected]
Media inquiries / Press Desk: 443-634-0721, [email protected]
The information and opinions contained in this document are provided “as is” and without any warranties or guarantees. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.
[8] MITRE ATT&CK for Industrial Control Systems
[13] CISA Cyber Security Evaluation Tool
[14] MITRE Common Vulnerabilities and Exposures
[15] National Institute of Standards and Technology National Vulnerability Database
July 23, 2020: Initial Version