May 2, 2025

NSA targets OT cyber risks with new smart controller security standards for national security systems

The National Security Agency (NSA) published findings from a recent study addressing the increasing cybersecurity risks to OT (operational technology) systems due to their growing dependence on IT and integrated communications. These risks are critical for National Security Systems (NSS), where OT disruptions could endanger missions, public safety, and cause major financial losses. The study focused on strengthening smart controllers, advanced embedded OT devices, with rigorous technical security requirements. Using qualitative research, data mapping, and comparative analysis, the NSA identified security gaps between NIST controls and ISA standards and proposed enhanced requirements to close these gaps.

The report titled ‘Operational Technology Assurance Partnership: Smart Controller Security within National Security Systems’ includes a cybersecurity technical report detailing security objectives, findings, and new component-level requirements for NSS smart controllers; and support for the Operational Technology Assurance Partnership (OTAP), a pilot conformance testing program. It also includes contributions to updates for ISA/IEC 62443-4-2, improving OT component security standards.

While tailored to NSS, these advancements also offer valuable cybersecurity improvements for public and private sector infrastructure owners and operators who adopt the enhanced smart controller requirements.

Last April, the NSA director issued Binding Operational Directive (BOD) 2024-001: Operational Technology Security Implementation, Reporting, and Inventory Requirements, which sets a minimum moderate-moderate-moderate (M-M-M) impact baseline—based on NIST standards—for OT systems classified as National Security Systems (NSS).

To support this directive, the NSA employed qualitative research methods, data mapping, and comparative analysis. The process began by mapping the M-M-M NIST security countermeasures to relevant ISA/IEC 62443-4-2 standards, including Component Requirements (CRs), Requirement Enhancements (REs), Embedded Device Requirements (EDRs), and Network Device Requirements (NDRs), applicable to embedded devices up to Security Level (SL) 3.

Following the mapping, the NSA conducted a detailed comparative analysis to assess the alignment between the NIST countermeasures and the corresponding ISA-62443-4-2 CR, RE, EDR, and NDR language, validating the extent to which the ISA requirements conform to the NIST baseline.
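The two steps just described, mapping a control baseline onto component requirements and then checking which baseline controls no requirement covers, amount to a coverage analysis. The following Python script, added here as an illustration and not taken from the NSA report or the ISA standard, reproduces that workflow on a constructed data set: the baseline slice, the security levels and the NIST-to-ISA mappings are placeholders (the requirement IDs merely follow the ISA numbering format), and the "NSS CR 1 (placeholder)" entry stands in for the kind of new requirement the report proposes. It also shows the conformance view the OTAP pilot would need: given the set of requirements a device actually passed, which baseline controls remain unmet.

```python
"""Gap analysis between a NIST SP 800-53 control baseline and ISA/IEC 62443-4-2
component requirements, then a conformance check against a device's test results.

All data below is CONSTRUCTED for illustration. The control IDs are real NIST
identifiers, but the baseline selection, the security levels assigned to each
ISA requirement and the NIST-to-ISA mappings are placeholders, not the
standard's or the NSA's actual content.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IsaRequirement:
    req_id: str               # "CR 1.1" (component requirement), "CR 1.1 RE 1" (enhancement), ...
    kind: str                 # "CR", "RE", "EDR" or "NDR"
    security_level: int       # lowest SL at which the requirement applies (1..4)
    nist_controls: frozenset  # NIST control IDs this requirement is mapped to (constructed)


# Constructed slice of an M-M-M style baseline (illustrative selection only).
BASELINE = frozenset({"AC-2", "AC-3", "AU-2", "AU-9", "IA-2", "IA-5",
                      "SC-8", "SC-13", "SI-7", "CM-7"})

# Constructed mapping of ISA-style requirements to baseline controls.
ISA_REQUIREMENTS = [
    IsaRequirement("CR 1.1", "CR", 1, frozenset({"IA-2"})),
    IsaRequirement("CR 1.1 RE 1", "RE", 2, frozenset({"IA-2"})),
    IsaRequirement("CR 1.5", "CR", 1, frozenset({"IA-5"})),
    IsaRequirement("CR 2.1", "CR", 1, frozenset({"AC-3"})),
    IsaRequirement("CR 2.8", "CR", 1, frozenset({"AU-2"})),
    IsaRequirement("CR 3.1", "CR", 1, frozenset({"SC-8"})),
    IsaRequirement("CR 3.4", "CR", 1, frozenset({"SI-7"})),
    IsaRequirement("CR 4.3", "CR", 1, frozenset({"SC-13"})),
    IsaRequirement("CR 7.7", "CR", 1, frozenset({"CM-7"})),
    # Placed at SL-4 on purpose: an SL-1..SL-3 analysis must ignore it.
    IsaRequirement("CR 3.9", "CR", 4, frozenset({"AU-9"})),
]

# Placeholder for a new NSS-specific requirement written to close the gaps found below.
NEW_NSS_REQUIREMENTS = [
    IsaRequirement("NSS CR 1 (placeholder)", "CR", 1, frozenset({"AC-2", "AU-9"})),
]


def in_scope(req: IsaRequirement, max_sl: int = 3) -> bool:
    """Only requirements at or below the target security level count."""
    return req.security_level <= max_sl


def map_baseline(baseline, requirements, max_sl: int = 3) -> dict:
    """Step 1: for every baseline control, list the in-scope requirements mapped to it."""
    mapping = {control: [] for control in baseline}
    for req in requirements:
        if not in_scope(req, max_sl):
            continue
        for control in req.nist_controls & baseline:
            mapping[control].append(req.req_id)
    return mapping


def relevant_requirements(baseline, requirements, max_sl: int = 3) -> list:
    """In-scope requirements that address at least one baseline control."""
    return sorted(r.req_id for r in requirements
                  if in_scope(r, max_sl) and r.nist_controls & baseline)


def gaps(baseline, requirements, max_sl: int = 3) -> list:
    """Step 2: baseline controls that no in-scope requirement covers."""
    coverage = map_baseline(baseline, requirements, max_sl)
    return sorted(control for control, reqs in coverage.items() if not reqs)


def close_gaps(baseline, requirements, new_requirements, max_sl: int = 3) -> list:
    """Step 3: re-run the gap analysis with the proposed new requirements added."""
    return gaps(baseline, list(requirements) + list(new_requirements), max_sl)


def unmet_controls(baseline, requirements, satisfied_ids, max_sl: int = 3) -> list:
    """Conformance view: baseline controls with no *passed* in-scope requirement behind them."""
    satisfied = [r for r in requirements if r.req_id in satisfied_ids]
    return gaps(baseline, satisfied, max_sl)


if __name__ == "__main__":
    all_reqs = ISA_REQUIREMENTS + NEW_NSS_REQUIREMENTS
    print("relevant ISA requirements:", relevant_requirements(BASELINE, ISA_REQUIREMENTS))
    print("baseline gaps (ISA only):  ", gaps(BASELINE, ISA_REQUIREMENTS))
    print("gaps after NSS additions:  ", close_gaps(BASELINE, ISA_REQUIREMENTS, NEW_NSS_REQUIREMENTS))
    # Constructed test outcome: the device passed everything except CR 3.1.
    passed = {r.req_id for r in all_reqs} - {"CR 3.1"}
    print("unmet after testing:       ", unmet_controls(BASELINE, all_reqs, passed))
```

On the constructed data the ISA-only pass leaves AC-2 and AU-9 uncovered (AU-9 because its only mapped requirement sits at SL-4), the placeholder NSS requirement closes both, and a device that fails CR 3.1 is reported as not meeting SC-8. Keeping the mapping as explicit data rather than hard-coding conclusions is what makes the analysis repeatable for the other component categories the report says will follow.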

The aim of the latest NSA study is to develop a set of requirements that align with the M-M-M NIST countermeasures for NSS OT smart controllers. These requirements will help shape the development of the Operational Technology Assurance Partnership (OTAP), a pilot NSS OT cybersecurity conformance testing program, and will support the updating of the International Society of Automation (ISA) 62443-4-2 standard to improve OT component security standards.

NSA determined that 74 ISA-62443-4-2 SL-1 through SL-3 requirements were relevant to the NSS OT smart controller M-M-M NIST countermeasures baseline, and that 13 M-M-M NIST countermeasures were not adequately addressed in the ISA-62443-4-2 requirements. NSA resolved the gaps by developing one new CR and five new REs, in line with the threat analysis, the security objectives defined in Section 3 of the report, and the NIST countermeasure requirements, as well as by researching existing industry component security capabilities and practices.

The new requirements are written to align with the verbiage and format of existing ISA requirements. NSA is using the results to inform the development of a formalized NSS OT component cybersecurity testing process. Additionally, NSA will submit the newly identified CR and REs to the ISA standards committees for consideration and potential inclusion in future ISA-62443-4-2 updates. While NSA focused exclusively on smart controllers, future iterations will use the same process to explore other OT component categories.

The NSA study identified that the convergence and connectivity of IT and OT have introduced significant cybersecurity challenges for OT environments. Traditionally isolated from external networks, OT systems are increasingly connected to IT networks, exposing them to cyber threats. While beneficial for operational efficiency and data analytics, the integration has expanded the attack surface and increased the risk of cyber incidents that could disrupt critical missions, endanger public safety, and cause significant financial loss.

“The increased risk is of particular concern to NSS OT systems, which are potentially high-value targets for hacking groups and nation-state adversaries,” it added. “Improving the overall security posture of NSS OT systems requires robust security policies and procedures at an organizational level and implementing technical security features at the system and component levels, including embedded OT devices, specifically smart controllers. Understanding the threats and vulnerabilities facing OT systems and devices is critical when designing policies, procedures, and technical security features.”

The MITRE ATT&CK Framework for Industrial Control Systems (ICS) outlines 94 adversary techniques across 12 tactic categories, highlighting common methods used by attackers in OT/ICS environments, including supply chain compromises and hardcoded credential exploitation. The framework is grounded in real-world cyber incidents, including those involving Advanced Persistent Threats (APTs).

One notable example is Stuxnet, which used techniques like zero-day exploits, rootkits, and network propagation, and went undetected for nearly two years after its deployment in 2008.

In addition, the MITRE EMB3D Framework identifies 79 specific threats, organized into four categories – hardware (e.g., side-channel, firmware, and memory attacks); system software; application software; and networking. Together, these frameworks provide a comprehensive view of the threat landscape targeting OT/ICS systems.

The NSA document identified that in the National Information Assurance Partnership’s (NIAP) community, security objectives are established for specific IT devices, commonly referred to as Targets of Evaluation (TOEs), that are to be tested and certified through the NIAP evaluation process. “NIAP defines a TOE as an IT product or group of IT products configured as an IT System and associated documentation subject to a security evaluation under the Common Criteria (CC). Similarly, the study used parts of the NIAP process to evaluate the security of NSS OT smart controllers. As such, the TOE for the study, for which security objectives are being established, is an NSS OT smart controller,” it added.

The study noted that the NIST SP 800-53 Rev. 5 defines the complete list of cybersecurity countermeasures, while NIST 800-82 Rev. 3 and CNSSI 1253 identify the 470 countermeasures required for the M-M-M baseline. When considering the overall security of OT systems designated as NSS, each component of these systems must be able to perform a certain level of security functions.

ISA established a set of cybersecurity technical requirements for these OT elements in ISA-62443-4-2. Relevant requirements are identified as CRs, EDRs, NDRs, and underlying REs. NSA analyzed all requirements associated with SL-1 through SL-3. The analysis mapped the existing ISA-62443-4-2 requirements relevant to NSS OT smart controllers to the M-M-M countermeasure baseline, which led to identifying requirement gaps.

The NSA developed recommendations for new requirements to address these gaps and used the results of the analysis to recommend a set of designated ISA-62443-4-2 requirements and new NSS requirements as the baseline requirements for smart controllers within OT NSS.

The study also determined that NSS OT smart controllers must conform to 74 ISA-62443-4-2 SL-1 through SL-3 requirements and the 6 newly developed NSS smart controller requirements to meet the M-M-M NIST countermeasure baseline. The report lists all relevant ISA-62443-4-2 requirements together with their mapped M-M-M NIST countermeasures.

“Within the OT environment, the increasing use of wireless networking places OT implementations at greater risk from adversaries who are in relatively close physical proximity but do not have direct physical access to the equipment,” according to the NSA report. “Having wireless access to sensors and final elements allows for direct manipulation of the physical processes within the OT environment, which could potentially render the OT system inoperable.”

Examples of potential attacks include unauthorized client accesses, denial of service (DoS) attacks, man-in-the-middle attacks, side-channel attacks (through dual-homed connections), IP spoofing, and hijacking.

The study concluded that the design, development, and testing of OT smart controllers using the ISA-62443-4-2 SL-1 through SL-3 requirements alone would not sufficiently satisfy the CNSSI 1253 M-M-M baseline of NIST SP 800-53 Rev. 5 countermeasures. However, with the addition of one new NSS CR and five new NSS REs, focused on smart controllers and specifically tailored to address the identified countermeasures gaps, the cybersecurity conformance testing to the mandated M-M-M security baseline can be achieved.

Source: https://industrialcyber.co/industrial-cyber-attacks/nsa-targets-ot-cyber-risks-with-new-smart-controller-security-standards-for-national-security-systems/
