Parsing the NSA’s Recent OT Advisory

The US National Security Agency (NSA) issued a Cybersecurity Advisory on April 29 titled Stop Malicious Cyber Activity Against Connected Operational Technology. The Advisory dealt with vulnerabilities in Operational Technology (OT) across the U.S. Government (USG) and the Defense Industrial Base (DIB). In particular, the Advisory stated, “As OT components continue being connected to information technology (IT), IT exploitation increasingly can serve as a pivot to OT destructive effects.”

In other words, OT, comprising the systems that control industrial operations and critical infrastructure, is vulnerable to attack by malicious actors who take over connected IT systems. The NSA is concerned that, for example, a foreign hacker might shut down or damage a defense plant by hacking into its accounting system and then moving laterally over the network to “brick” the SCADA system that runs the factory itself. The Advisory lays out a number of recommendations for mitigating OT/IT risks.

“Industrial enterprises dealing with IT/OT security face a variety of interlocking constraints that make remediation a lot harder than it first looks.” – Mark Carrigan, Chief Operating Officer of PAS

It’s good that that NSA is taking these threats seriously, but this is not exactly a new issue. OT risk exposure has been the subject of serious discussion in cybersecurity circles for years. Surely, the NSA was aware of this. (And sorry, I can’t resist… they were probably aware of it, and stop calling me “Shirley.”) One gets the sense that there is some strategic a$$ covering going on—that the NSA wants to go on record as being worried about this issue and offer guidance on remediating IT/OT vulnerabilities before they lead to serious problems.

Certainly, the NSA’s timing seems either prescient or inauspicious, depending on your point of view. A week later after the Advisory came out, a criminal gang most likely associated with the Russian government shut down the Colonial gas pipeline. Though Colonial has stated that its OT systems were not compromised by the ransomware attack, which crippled their business systems. They evidently shut down the pipeline as a precaution.

“If you’re running a refinery that produces $50 million worth of gas a day, how are you going to explain to your CEO that you need to shut it down for a month to repair a few OT applications?” – Mark Carrigan

Mark Carrigan, Chief Operating Officer of PAS, part of Hexagon

It’s hard to know exactly what this means, or if it’s even true. Was the pipeline’s operation endangered by the shutdown of the business systems, or was it simply a matter of not being able to invoice for gasoline and jet fuel they might have delivered? Indeed, Colonial itself may not know whether their OT systems were compromised by the ransomware attack. The actual answer might be that the company simply needed time to check the OT systems carefully to see if they, too, had been implanted with malware.

The NSA Advisory and the Colonial attack serve as helpful prompts for industrial companies to take a harder look at their risk exposure in these areas. Not that solving the problem will be easy, as industry experts well understand. “Industrial enterprises dealing with IT/OT security face a variety of interlocking constraints that make remediation a lot harder than it first looks,” explained Mark Carrigan, Chief Operating Officer of PAS, part of Hexagon, a company that delivers software solutions that prevent, detect and remediate cyber threats in OT environments.

As Carrigan revealed, “Most OT managers are now recognizing that ‘air gaps,’ which are recommended by the NSA, don’t work very well. There can be unknown Internet-connected devices on the OT network, for instance. At the same time, there simply isn’t time to shut down facilities long enough to fix the problem, even if you could.” According to Carrigan, some OT solutions are so old that they simply cannot be patched at all. Patches need to be tested carefully before deployment, in any event. With petroleum facilities, for example, the risks of a mis-handled software update include costly outages and even life-threatening malfunctions.

“If you’re running a refinery that produces $50 million worth of gas a day, how are you going to explain to your CEO that you need to shut it down for a month to repair a few OT applications? They’re not going to let you do it—and, in all honesty, if you really wanted to address every OT security issue, you’d need to shut the facility down for at least a year. No one is doing that.”

So, what can be done? There are solutions. PAS advises its clients to build a demilitarized zone (DMZ) around OT assets. “You have to isolate OT,” Carrigan said. “Once you’ve segmented OT away from IT using a DMZ, you can filter and monitor data going between the IT and OT environments. This approach reduces risk significantly, without requiring a facility shutdown.”