May 17, 2025

CISA, FBI, EPA, DOE issue joint alert on rising cyber threats to critical infrastructure OT systems

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Environmental Protection Agency (EPA), and Department of Energy (DOE) have identified cyber incidents targeting operational technology (OT) and industrial control systems (ICS) within U.S. critical infrastructure. They urge these entities to review and act immediately to improve their cybersecurity posture against cyber threat activities specifically and intentionally targeting internet-connected OT and ICS.

These agencies strongly urge critical infrastructure asset owners and operators to review this fact sheet for detailed guidance on reducing the risk of potential intrusions. Although these activities often include elementary intrusion techniques, the presence of poor cyber hygiene and exposed assets can escalate these threats, leading to significant consequences such as defacement, configuration changes, operational disruptions, and in severe cases, physical damage.

Organizations are advised to remove OT connections from the public internet. OT devices are particularly vulnerable when exposed online, as they often lack modern authentication and authorization mechanisms. These devices can be easily discovered by scanning public IP ranges for open ports using widely available search engine tools. Once identified, threat actors can target them using simple, repeatable, and scalable tool sets accessible to anyone with an internet browser. To mitigate this risk, critical infrastructure entities must identify all public-facing assets and eliminate any unintentional exposure.

Additionally, default passwords on OT systems should be changed immediately and replaced with strong, unique credentials. Recent analyses of related cyber activity have revealed that many targeted systems were still using default or easily guessable passwords, often identified through open-source tools. This practice is especially dangerous for internet-facing devices that have the ability to control OT systems or processes.
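The two preceding recommendations (find every public-facing asset and eliminate unintentional exposure; retire default credentials, especially on internet-facing devices that can control a process) come down to an inventory audit. The script below is an added example written for this page, not code from the fact sheet, the article, or any of the authoring agencies. The inventory record layout, the declared private address ranges, the table of OT protocol ports, the severity scheme and the sample assets are all assumptions; `default_credentials` is a boolean produced by a separate credential review, so no secrets are stored in the inventory.

```python
"""Audit an OT asset inventory for unintended exposure and default credentials.

Added example; not code from the CISA/FBI/EPA/DOE fact sheet. All record
layouts, ranges, ports and sample data are assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Assumption: address space the organization treats as internal. Anything
# outside it is considered reachable from the public internet.
DECLARED_PRIVATE_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Well-known OT/ICS protocol ports (assumption: extend with what your fleet uses).
OT_PROTOCOL_PORTS = {
    102: "Siemens S7comm",
    502: "Modbus/TCP",
    2404: "IEC 60870-5-104",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}


@dataclass
class Asset:
    name: str
    address: str
    listening_ports: tuple = ()
    approved_public: bool = False      # exposure reviewed and accepted (e.g. a hardened VPN gateway)
    default_credentials: bool = False  # outcome of the credential review, not a stored secret


def is_internal(address: str) -> bool:
    """True when the address falls inside the declared private ranges."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in DECLARED_PRIVATE_NETWORKS)


def audit_assets(assets):
    """Return one finding per asset that needs action, highest severity first."""
    findings = []
    for asset in assets:
        exposed = not is_internal(asset.address) and not asset.approved_public
        ot_ports = sorted(p for p in asset.listening_ports if p in OT_PROTOCOL_PORTS)
        issues = []
        if exposed:
            issues.append("reachable from outside declared private ranges")
            if ot_ports:
                issues.append("OT protocols listening: "
                              + ", ".join(f"{p}/{OT_PROTOCOL_PORTS[p]}" for p in ot_ports))
        if asset.default_credentials:
            issues.append("default or vendor credentials still in use")
        if not issues:
            continue
        # Severity (assumption): any unapproved exposure is at least high; exposure
        # combined with a control protocol or default credentials is critical.
        if exposed and (ot_ports or asset.default_credentials):
            severity = "critical"
        elif exposed:
            severity = "high"
        else:
            severity = "medium"
        findings.append({"asset": asset.name, "severity": severity, "issues": issues})
    order = {"critical": 0, "high": 1, "medium": 2}
    findings.sort(key=lambda f: order[f["severity"]])
    return findings


# Constructed sample inventory (not real assets; 203.0.113.0/24 is a documentation range).
SAMPLE_INVENTORY = [
    Asset("plc-pumphouse-1", "203.0.113.25", (502, 80), default_credentials=True),
    Asset("hmi-plant-a", "203.0.113.40", (443, 5900)),
    Asset("rtu-substation-3", "10.20.30.7", (20000,)),
    Asset("vpn-gw-ot", "203.0.113.2", (443,), approved_public=True),
    Asset("eng-workstation", "10.20.30.50", (3389,), default_credentials=True),
]

if __name__ == "__main__":
    for f in audit_assets(SAMPLE_INVENTORY):
        print(f"[{f['severity'].upper():8}] {f['asset']}: " + "; ".join(f["issues"]))
```

On the sample data the PLC that is both reachable and still on vendor credentials comes out critical, the exposed HMI high, and the internal workstation with default credentials medium; the approved VPN gateway and the internal RTU produce no findings. Running this against a real inventory only finds what the inventory knows about, which is why the agencies stress identifying all public-facing assets first.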

Critical infrastructure entities must secure remote access to OT networks. Many organizations, or contractors working on their behalf, make risk-based tradeoffs when implementing remote access to OT assets, but these decisions require careful reevaluation. If remote access is necessary, organizations should transition to private IP network connections to eliminate public internet exposure. Remote access should also be protected using virtual private network (VPN) technology, combined with strong passwords and phishing-resistant multi-factor authentication (MFA) to ensure secure user access.

All remote access solutions should be documented and configured to apply the principle of least privilege, tailored to the specific asset, user role, or scope of work. Additionally, any dormant accounts should be identified and disabled to reduce potential attack surfaces.
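The remote-access guidance in the two paragraphs above (phishing-resistant MFA, least privilege scoped to the asset, role or scope of work, and disabling dormant accounts) can be checked mechanically against an export of the remote-access accounts. The following is an added example for this page, not code from the fact sheet or the article. The account record layout, the set of MFA methods counted as phishing-resistant, the role-to-scope policy, the 90-day dormancy threshold and the sample accounts are assumptions.

```python
"""Review OT remote-access accounts for MFA strength, least privilege and dormancy.

Added example; not code from the CISA/FBI/EPA/DOE fact sheet. Policy values
and sample accounts are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumption: MFA methods accepted as phishing-resistant (origin-bound, public-key based).
PHISHING_RESISTANT_MFA = {"fido2", "piv"}

# Assumption: the widest scope each role may hold (least privilege by role).
ROLE_MAX_SCOPE = {"vendor": "single_asset", "integrator": "site", "ot_admin": "site"}
SCOPE_RANK = {"single_asset": 0, "site": 1, "all_sites": 2}

DORMANT_AFTER = timedelta(days=90)  # assumption: no login in 90 days means dormant


@dataclass
class RemoteAccount:
    user: str
    role: str
    scope: str
    mfa_method: str            # e.g. "fido2", "piv", "totp", "sms", "none"
    last_login: Optional[date]  # None when the account has never been used
    enabled: bool = True


def review_account(acct: RemoteAccount, today: date):
    """Return the list of policy violations for one account (empty means compliant)."""
    problems = []
    if not acct.enabled:
        return problems  # already disabled; nothing further to do
    if acct.mfa_method not in PHISHING_RESISTANT_MFA:
        problems.append(f"MFA method '{acct.mfa_method}' is not phishing-resistant")
    allowed = ROLE_MAX_SCOPE.get(acct.role)
    if allowed is None:
        problems.append(f"unknown role '{acct.role}': no least-privilege scope defined")
    elif SCOPE_RANK.get(acct.scope, 99) > SCOPE_RANK[allowed]:
        problems.append(f"scope '{acct.scope}' exceeds '{allowed}' permitted for role '{acct.role}'")
    if acct.last_login is None or today - acct.last_login > DORMANT_AFTER:
        problems.append("dormant (no login within 90 days): disable the account")
    return problems


def review_all(accounts, today: date):
    """Map each non-compliant user to its list of problems."""
    report = {}
    for acct in accounts:
        problems = review_account(acct, today)
        if problems:
            report[acct.user] = problems
    return report


# Constructed sample export; the reference date matches the article's date.
TODAY = date(2025, 5, 17)
SAMPLE_ACCOUNTS = [
    RemoteAccount("vendor-acme", "vendor", "single_asset", "fido2", date(2025, 5, 10)),
    RemoteAccount("integrator-jane", "integrator", "all_sites", "totp", date(2025, 4, 30)),
    RemoteAccount("old-contractor", "vendor", "single_asset", "fido2", date(2024, 12, 1)),
    RemoteAccount("svc-legacy", "ot_admin", "site", "none", None),
    RemoteAccount("former-employee", "ot_admin", "site", "sms", None, enabled=False),
]

if __name__ == "__main__":
    for user, problems in review_all(SAMPLE_ACCOUNTS, TODAY).items():
        print(user)
        for p in problems:
            print("  -", p)
```

The integrator account fails on both MFA strength and scope, the contractor account is flagged purely for dormancy even though its MFA and scope are correct, and the service account with no MFA and no login history fails twice. Already-disabled accounts are skipped so the report stays actionable.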

Segmentation between IT and OT networks is equally important. Implementing strict separation between these environments, and introducing a demilitarized zone (DMZ) for securely passing control data to enterprise logistics, can significantly reduce the impact of cyber threats and help ensure the continuity of essential OT operations.
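The segmentation model described above (strict IT/OT separation with a DMZ in between for passing control data to the enterprise) can be enforced as a policy check over the firewall rule set. Below is an added example for this page, not code from the fact sheet or the article. The zone names, the rule record format, the policy itself (no direct IT-to-OT or internet-to-OT flows in either direction, only an explicit allow-list of services may enter OT from the DMZ, no wildcard zones in allow rules, an explicit default deny must exist) and the sample rules are assumptions.

```python
"""Check a firewall rule set for IT/OT segmentation through a DMZ.

Added example; not code from the CISA/FBI/EPA/DOE fact sheet. Zones, rule
format, policy and sample rules are assumptions.
"""
from dataclasses import dataclass
from typing import Union

ZONES = {"internet", "it", "dmz", "ot"}

# Assumption: the only flows permitted to enter OT (e.g. a DMZ jump host
# reaching a Modbus/TCP data concentrator, or SSH to an OT management box).
ALLOWED_INTO_OT = {("dmz", 502), ("dmz", 22)}

# Zone pairs that must never be connected directly; traffic has to cross the DMZ.
DIRECT_PAIRS = {("it", "ot"), ("ot", "it"), ("internet", "ot"), ("ot", "internet")}


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    dst_port: Union[int, str]  # port number or "any"
    action: str                # "allow" or "deny"


def check_segmentation(rules):
    """Return (rule name, reason) pairs for every rule that breaks the policy."""
    violations = []
    for r in rules:
        for zone in (r.src_zone, r.dst_zone):
            if zone != "any" and zone not in ZONES:
                violations.append((r.name, f"unknown zone '{zone}'"))
        if r.action != "allow":
            continue  # deny rules can never widen access
        if (r.src_zone, r.dst_zone) in DIRECT_PAIRS:
            violations.append((r.name, f"direct {r.src_zone}->{r.dst_zone} flow bypasses the DMZ"))
        elif r.dst_zone == "ot" and (r.src_zone, r.dst_port) not in ALLOWED_INTO_OT:
            violations.append((r.name, f"{r.src_zone}->ot port {r.dst_port} is not on the OT ingress allow-list"))
        elif r.src_zone == "any" or r.dst_zone == "any":
            violations.append((r.name, "wildcard zone in an allow rule"))
    # Segmentation only holds if everything not explicitly allowed is dropped.
    if not any(r.action == "deny" and r.src_zone == "any" and r.dst_zone == "any" for r in rules):
        violations.append(("<policy>", "no explicit default deny rule"))
    return violations


# Constructed sample rule set, in evaluation order.
SAMPLE_RULES = [
    Rule("r1", "it", "dmz", 443, "allow"),       # enterprise reads historian data in the DMZ
    Rule("r2", "dmz", "ot", 502, "allow"),       # DMZ data broker polls the OT concentrator
    Rule("r3", "it", "ot", 3389, "allow"),       # RDP straight from IT into OT: bypasses the DMZ
    Rule("r4", "dmz", "ot", "any", "allow"),     # open DMZ-to-OT: not allow-listed
    Rule("r5", "ot", "internet", 443, "allow"),  # OT reaching the internet directly
    Rule("r6", "ot", "dmz", 8443, "allow"),      # OT pushes data outward into the DMZ only
    Rule("r7", "any", "any", "any", "deny"),     # explicit default deny
]

if __name__ == "__main__":
    for name, reason in check_segmentation(SAMPLE_RULES):
        print(f"{name}: {reason}")
```

Rules r1, r2 and r6 describe the intended pattern (IT talks to the DMZ, the DMZ talks to OT over allow-listed services, OT pushes data outward into the DMZ), while r3, r4 and r5 are the kinds of exceptions that accumulate over time and quietly undo the segmentation. Dropping r7 from the input adds a policy-level finding for the missing default deny.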

Finally, organizations must maintain and routinely test their ability to operate OT systems manually. In the event of a cyber incident, the ability to quickly transition to manual controls is vital for restoring operations. This includes developing and testing business continuity and disaster recovery plans, maintaining fail-safe mechanisms, establishing islanding capabilities, ensuring regular software backups, and keeping standby systems operational to support manual processes when needed.

The authoring organizations recommend that critical infrastructure organizations maintain regular communication with their third-party managed service providers, system integrators, and system manufacturers. These external partners can offer system-specific configuration guidance that is essential for securing OT environments.

Misconfigurations may be introduced during routine operations, by system integrators, managed service providers, or even through default product settings established by system manufacturers. Proactively working with these stakeholders to identify and address such issues can help prevent the introduction of unintentional vulnerabilities and enhance the overall security posture of OT systems.

Last month, U.S. cybersecurity agencies hosted Louisiana State University (LSU) alongside several energy sector and critical infrastructure partners for a hands-on training exercise simulating high-impact cyberattacks on OT and traditional IT systems. The training took place at CISA’s Control Environment Laboratory Resource (CELR) in Idaho Falls, Idaho.

This joint initiative, led by CISA, the Department of Homeland Security (DHS) Science and Technology Directorate (S&T), and Idaho National Laboratory (INL), marked a significant milestone, with LSU becoming the first U.S. university invited to participate in a CELR exercise. The engagement is part of broader efforts by CISA and INL to advance cyber talent development and strengthen research partnerships that support national cybersecurity resilience.

Source: https://industrialcyber.co/cisa/cisa-fbi-epa-doe-issue-joint-alert-on-rising-cyber-threats-to-critical-infrastructure-ot-systems/
