
CISA and NSA guidelines attempt to narrow alternatives for securing industrial control systems


Federal agencies have released guidance that they hope will help streamline and ease the decision-making process for owners of critical infrastructure to begin protecting industrial control systems from an increasing likelihood of cyberattacks.

“The variety of security solutions available can also be daunting, leading to choice paralysis,” reads guidance the Cybersecurity and Infrastructure Security Agency released Thursday with the National Security Agency. “In the midst of so many options, owner/operators may be unable to integrate simple security and administration strategies that could mitigate many of the common and realistic threats. Fortunately, owners/operators can apply some simple ICS security best practices to counter the adversary [tactics, techniques and procedures].”

The guide notes the emergence of new malware for targeting specific programmable logic controllers and Open Platform Communications Unified Architecture. It cautions about robust reconnaissance by adversaries who could use these and other tools to cause large-scale physical and psychological consequences for society.

“They could open or close circuit breakers, choke valves, overfill reservoirs, overspeed turbines, or place factories in unsafe operating conditions,” the agencies wrote of the malicious cyber actors. “Additionally, cyber actors could manipulate the control environment, clouding operator consciousness, and hindering recovery, by locking down interfaces and setting monitors to show normal conditions. Actors can even suspend alarm functionality, allowing the system to operate in hazardous conditions without alerting the operator.”

CISA is expected to publish performance goals for critical infrastructure involving industrial control systems soon. Meeting the goals is voluntary under the national security memo calling on CISA to produce them. But trade associations representing some of the biggest companies in the economy are wary of how the goals could be used in potential regulations. In a September 16 letter to Senate leaders responsible for crafting the National Defense Authorization Act, they argue that companies should be allowed to voluntarily implement security controls “based on their own risk assessments.”

NSA and CISA guidelines have emphasized the need for owners and operators to be aware of all devices in their systems, with particular attention to those accessed remotely, including by device vendors. The NSA and CISA note that vendors “sometimes require remote access for warranty compliance, service obligations, and financial/billing functionality.”

“Establish a firewall and a demilitarized zone (DMZ) between the control system and the vendor’s access points and devices,” they say at the top of their list of recommended mitigations. “Do not allow direct access to the system; use an intermediary service to share only necessary data and only when necessary.”

CISA included a related metric in a list of “common baseline” checks it offered to serve as the performance goals that the national security memo instructed the agency to establish.

“All owners/operators should implement segmentation between [information technology] and [operational technology] networks to prevent initial access by threat actors,” according to a draft of CISA's common baseline controls referenced by the trade associations opposing the proposal. “Organizations should verify that devices on either side of segmentation lines/security zones should not connect to the opposite side with minimal exceptions and only through a properly configured firewall or comparable alternative.”

Comments were prepared by CTIA—The Wireless Association, NCTA—The Internet and Television Association, and USTelecom—The Broadband Association.

“This draft control is overly prescriptive and oversimplifies segmentation tradeoffs for various networks,” the associations wrote, noting a lack of flexibility to facilitate alternative approaches. “Segmentation can be costly and can impede access to business or critical applications. Too rigid an expectation for default segmentation would rob organizations of the ability to manage their systems and networks. Therefore, at a minimum, CISA should remove terms such as ‘shall.’”

CISA is expected to release final performance goals in October to mark Cybersecurity Awareness Month.