May 30 2023

The essence of OT security: A proactive guide to achieving CISA’s Cybersecurity Performance Goals

Category: CISA,OT/ICS,Security ToolsDISC @ 9:27 am

The widespread adoption of remote and hybrid working practices in recent years has brought numerous benefits to various industries, but has also introduced new cyber threats, particularly in the critical infrastructure sector.

These threats extend not only to IT networks but also to operational technology (OT) and cyber-physical systems, which can directly influence crucial physical processes.

In response to these risks, the US government reinforced critical infrastructure security by introducing Cross-Sector Cybersecurity Performance Goals (CPGs) mandated by the US Cybersecurity Infrastructure & Security Agency (CISA).

Recently, CISA updated the CPGs to align with NIST’s standard cybersecurity framework, establishing each of the five goals as a prioritized subset of IT and OT cybersecurity practices.

In this article, we will look in more detail at CISA’s revamped CPGs and discuss the potential solutions available to help organizations achieve these critical goals.

CPG 1.0 Identify: Scoping out the vulnerabilities in the OT environment

CISA’s first CPG is “Identify”, which includes identifying the vulnerabilities in the IT and OT assets inventory, establishing supply chain incident reporting and vulnerability disclosure program, validating the effectiveness of third-party security controls across your IT and OT networks, establishing OT security leadership, and mitigating known vulnerabilities. Critical infrastructure organizations must address all these sub-categories exclusively to achieve the first CPG.

Addressing these responsibilities requires a dynamic effort. Firstly, organizations must strengthen their IT and OT relationship by fostering more effective collaboration between the security teams of both departments. But, most importantly, IT and OT teams must come together to understand the potential cyber threats and risks of each environment and how it affects the other. To achieve the first CPG, it is critical that these departments are not kept in isolation but rather collaborate and communicate frequently.

At the same time, organizations must establish OT leadership by clearly identifying a single leader who will be responsible and accountable for OT-specific cybersecurity. From there, organizations must create an asset inventory or glossary that clearly identifies and tracks all OT and IT assets across the entire ecosystem. These assets should be regularly audited based on their vulnerability management program. It’s also highly critical to have an open, public, and easily accessible communication channel where vendors, third parties, or employees can disclose any potential vulnerability in relation to the OT and IT assets.

CPG 2.0 Protect: Safeguarding privileged access to OT assets

CISA’s second CPG is “Protect”, which emphasizes the account security aspects of OT assets. To achieve this goal, critical infrastructure organizations are required to strengthen their password policies, change default credentials across OT remote access systems, apply network segmentation to segregate OT and IT networks, and separate general user and privileged accounts.

Addressing all these aspects of account security can be a chore for most organizations, but they can turn to unified secure remote access (SRA) solutions that can extend multiple account-level security controls to OT remote users via enforcement of multi-factor authentication (MFA), least privilege policies, and role-based access. Such solutions can also support advanced credential policies to further reduce the risk of unauthorized access and denial of service attacks.

It’s also important that organizations only leverage SRA solutions that are based on zero trust policies. This will help organizations establish effective network segmentation that eliminates direct, unfettered remote connectivity to OT assets, and to continuously monitor personnel activity during all remote OT connections.

CPG 3.0 Detect: Awareness of critical threats and potential attack vectors across your OT environment

CISA’s third CPG emphasizes the detection of relevant threats and knowledge of potential attack vectors and TTPs (tactics, techniques, and procedures) that can compromise OT security and potentially disrupt critical services.

Detecting relevant threats and TTPs across OT assets and networks requires a proactive approach that combines advanced monitoring and analysis. Real-time monitoring solution should be complemented with comprehensive network visibility, allowing for the swift detection of anomalies and unusual patterns.

A critical aspect of threat detection in OT environments — and meeting the CPG mandate — is the sharing of information and collaboration between various stakeholders. Threat intelligence platforms play an essential role in gathering and disseminating information about current and emerging threats. By leveraging this valuable data, organizations can stay ahead of potential risks, fine-tune their defenses, and ensure the safety and security of their OT assets. Additionally, conducting regular security assessments, penetration testing, and vulnerability scanning will help uncover any weaknesses in the infrastructure, allowing for timely remediation and improved resilience against cyberattacks.

CPG 4.0 and 5.0: Respond and Recover

The final two CISA’s CPGs stress the importance of incident reporting and planning. Regardless of how robust your OT security practices are, cyber threats are almost inevitable in today’s interconnected and increasingly remote networking era. So, while proactive security solutions are necessary, attacks still are unavoidable, especially in a highly targeted sector like critical infrastructure.

Therefore, CISA stresses that organizations must have a comprehensive plan and process outlined for reporting security incidents and effectively recovering their affected systems or services upon a breach.

Advanced SRA solutions can help organizations to achieve these goals through automated recording of user activities and asset-related data, as well as creating automated backups of critical data. More specifically, they can log all user sessions, encrypt all user- and asset-related data, and retain logs of OT remote user activity. These measures help to ensure that critical information is stored in accordance with all relevant regulatory requirements and backup and recovery needs.

Conclusion

Overall, the vulnerabilities of ageing OT assets and siloed OT and IT networks have created a significant threat to critical infrastructure entities, which has been further exacerbated by the prevalence of remote access.

CISA’s OT-specific goals and actions within the CPGs provide a much-needed set of guidelines for CNI organizations to strengthen their security posture and increase cyber resilience. By following CISA’s recommendations and employing innovative security technologies, organizations can minimize the risk of cyberattacks affecting the physical world and public safety.

InfoSec tools | InfoSec services | InfoSec books

Tags: CISA, Cybersecurity Performance Goals, ICS, Industrial Cybersecurity, OT


May 02 2023

CISA adds TP-Link, Apache, and Oracle bugs to its Known Exploited Vulnerabilities catalog

Category: CISA,Security vulnerabilitiesDISC @ 10:00 am

US Cybersecurity and Infrastructure Security Agency (CISA) added TP-Link, Apache, and Oracle vulnerabilities to its Known Exploited Vulnerabilities catalog.

U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the following three new issues to its Known Exploited Vulnerabilities Catalog:

CVE-2023-1389 (CVSS score: 8.8) – TP-Link Archer AX-21 Command Injection Vulnerability. The CVE-2023-1389 flaw is an unauthenticated command injection vulnerability that resides in the locale API of the web management interface of the TP-Link Archer AX21 router. The root cause of the problem is the lack of input sanitization in the locale API that manages the router’s language settings. A remote attacker can trigger the issue to inject commands that should be executed on the device.

The vulnerability was first reported to ZDI during the Pwn2Own Toronto 2022 event. Working exploits for LAN and WAN interface accesses were respectively reported by Team Viettel and Qrious Security. 

The Zero Day Initiative (ZDI) threat-hunting team recently reported that the Mirai botnet attempting to exploit the CVE-2023-1389 vulnerability (aka ZDI-CAN-19557/ZDI-23-451, CVSS v3: 8.8) in TP-Link Archer AX21 Wi-Fi routers.

Tags: US Cybersecurity and Infrastructure Security Agency


Aug 29 2022

CISA adds 10 new flaws to its Known Exploited Vulnerabilities Catalog

Category: CISA,cyber security,Information SecurityDISC @ 9:05 am

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added 10 new flaws to its Known Exploited Vulnerabilities Catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added 10 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, including a high-severity security flaw (

 CVSS score: 7.8) impacting Delta Electronics industrial automation software.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.

According to the US agency, Delta Electronics DOPSoft 2 lacks proper validation of user-supplied data when parsing specific project files (improper input validation). An attacker can trigger the flaw to cause an out-of-bounds write and achieve code execution.

It is important to highlight that there are no security patches to fix this issue and that the impacted product is end-of-life.

CISA also added to the catalog a Sanbox Bypass Vulnerability, tracked as CVE-2021-31010 (CVSS score: 7.5), in Apple iOS, macOS, and watchOS.

“In affected versions of Apple iOS, macOS, and watchOS, a sandboxed process may be able to circumvent sandbox restrictions.” reads the advisory.

The other vulnerabilities added to the catalog are:

  • CVE-2022-26352 – dotCMS Unrestricted Upload of File Vulnerability
  • CVE-2022-24706 – Apache CouchDB Insecure Default Initialization of Resource Vulnerability
  • CVE-2022-24112 – Apache APISIX Authentication Bypass Vulnerability
  • CVE-2022-22963 – VMware Tanzu Spring Cloud Function Remote Code Execution Vulnerability
  • CVE-2022-2294 – WebRTC Heap Buffer Overflow Vulnerability
  • CVE-2021-39226 – Grafana Authentication Bypass Vulnerability
  • CVE-2020-36193 – PEAR Archive_Tar Improper Link Resolution Vulnerability
  • CVE-2020-28949 – PEAR Archive_Tar Deserialization of Untrusted Data Vulnerability

CISA orders federal agencies to fix these vulnerabilities by September 15, 2022.

CISA Known Exploited Vulnerabilities Catalog

CISA Cybersecurity Alerts

CyberWire Inc. (Author)Flash cybersecurity advisories from the US Government. These alerts provide timely technical and operational information, indicators of compromise, and mitigations for current major security threats, vulnerabilities, and exploits. These alerts have been edited and adapted for audio by The CyberWire as a public service.

Free podcast:

CISA Cybersecurity Alerts

Tags: CISA, CISA Cybersecurity, CISA Cybersecurity Alerts