US Federal Agencies Issue Warning on Basic Cyber Threats to Operational Technology


A recent surge in cyber incidents targeting operational technology (OT) and industrial control systems (ICS) within critical infrastructure sectors in the United States has prompted federal agencies to issue an urgent advisory. The Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the FBI, the Department of Energy (DOE), and the Environmental Protection Agency (EPA), is advising infrastructure operators to enhance their cybersecurity measures immediately.

This advisory emphasizes the alarming rise in attempts by less sophisticated cyber actors to compromise OT systems exposed to the public internet. These systems, prevalent in sectors such as energy and transportation, frequently lack contemporary security measures, rendering them susceptible to elementary intrusion tactics.

Despite the simplicity of these attacks, they have been linked to significant consequences, including unauthorized configuration changes, operational disruptions, and, in some instances, physical damage. Thomas Richards, director of infrastructure security practice at Black Duck, emphasizes that the intent of the malicious actor is beside the point: if an organization's critical systems are reachable from the internet without adequate security, they are at risk of a breach.

The advisory identifies common cyber hygiene deficiencies that enable these intrusions, such as the use of default passwords, misconfigured systems, and unsecured remote access points. Richards notes that while many OT systems require internet access for remote vendor support, such access must be strictly managed with proper authentication controls to limit the security risk.

To mitigate exposure and bolster defenses, asset owners and operators are encouraged to implement the following best practices:

– Disconnect OT systems from the public internet to eliminate potential attack vectors.
– Replace default credentials with strong, unique passwords.
– Secure remote access with Virtual Private Networks (VPNs), private IP connections, and phishing-resistant multi-factor authentication (MFA).
– Segment IT and OT networks to isolate critical systems effectively.
– Maintain the capability for manual operation of OT systems in the event of an incident.

Richards further comments on the broader implications of these vulnerabilities, indicating that organizations lacking proper cybersecurity governance or oversight expose themselves to significant risk. He advocates for industries to adopt established frameworks for cybersecurity controls and to implement a rigorous review process to strengthen their security posture continually.