Cybersecurity Advisory


NSA and CISA Recommend Immediate Actions to Reduce Exposure Across all Operational Technologies and Control Systems

Over recent months, cyber actors have demonstrated their continued willingness to conduct malicious cyber activity
against Critical Infrastructure (CI) by exploiting Internet-accessible Operational Technology (OT) assets [1]. Due to the
increase in adversary capabilities and activity, the criticality of these systems to U.S. national security and way of life, and the vulnerability
of OT systems, civilian infrastructure is an attractive target for foreign powers attempting to harm U.S. interests or
retaliate for perceived U.S. aggression. OT assets are critical to the Department of Defense (DoD) mission and underpin
essential National Security Systems (NSS) and services, as well as the Defense Industrial Base (DIB) and other critical
infrastructure. At this time of heightened tensions, it is critical that asset owners and operators of critical infrastructure take
the following immediate steps to ensure the resilience and safety of U.S. systems should a time of crisis emerge in the near
term. The National Security Agency (NSA), along with the Cybersecurity and Infrastructure Security Agency (CISA), recommends that all
DoD, NSS, DIB, and U.S. Critical Infrastructure facilities take immediate action to secure their OT assets.

Internet-accessible OT assets are becoming more prevalent across the 16 U.S. CI Sectors as companies increase remote
operations and monitoring, accommodate a decentralized workforce, and expand outsourcing of key skill areas such as
Instrumentation & Control, OT asset management/maintenance, and in some cases, process operations and
maintenance. Legacy OT assets that were not designed to defend against malicious cyber activities, combined with
readily available information that identifies OT assets connected via the Internet (e.g., Shodan [2], Kamerka [3]), are
creating a "perfect storm" of 1) easy access to unsecured assets, 2) use of common, open-source information about
devices, and 3) an extensive list of exploits deployable via common exploit frameworks [4] (e.g., Metasploit [5], Core
Impact [6], and Immunity Canvas [7]). Observed cyber threat activities can be mapped to the MITRE Adversarial
Tactics, Techniques, and Common Knowledge (ATT&CK) for Industrial Control Systems (ICS) framework [8]. It is
important to note that while the behavior may not be technically advanced, it is still a serious threat because the potential
impact to critical assets is so high.
