April 14, 2022 Update: A new advisory from the Department of Energy, the Cybersecurity and Infrastructure Security Agency, the National Security Agency, and the Federal Bureau of Investigation warns of potential attacks on critical infrastructure following the discovery that advanced persistent threat (APT) actors have exhibited the capability to gain full system access to multiple industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices. VMware encourages all critical infrastructure operators to review this advisory, as well as the guidance below, for hardening their ICS/SCADA devices and preventing cyber attacks.
Since the Colonial Pipeline attack last year, we have known that additional cyberattacks targeting the energy sector were likely. Against the backdrop of today’s geopolitical crisis, however, VMware believes that all critical infrastructure providers should operate under the assumption that targeted attacks using destructive malware are imminent. Securing internet-facing systems and testing incident response readiness should be top priorities.
Given the massive global pushback on the Russian government – from sanctions and corporate exits to a U.S. ban on Russian energy imports – threat actors who stand to benefit from supporting Russian government interests may be emboldened to focus their attacks on critical sectors such as energy, utilities and other infrastructure. And while Russian-affiliated actors have deployed destructive malware mostly against Ukrainian infrastructure thus far, we believe the threat is not contained to that region. At a White House briefing on Monday, Deputy National Security Adviser for Cyber and Emerging Technology Anne Neuberger stated that Russia “is exploring options for potential cyberattacks on critical infrastructure in the United States.” The Biden administration also published a statement urging businesses to take added precautions.
15 Necessary Actions for Preventing Cyber Attacks
The WhisperGate and HermeticWiper attacks in January and February are examples of why organizations in critical infrastructure sectors should immediately focus on mitigations that prioritize remote access vulnerabilities and outdated systems and software, as well as readiness for response at all levels, including operational response.
Below are the immediate actions recommended to bolster critical infrastructure defenses against cyberattacks, including remote access and network mitigations. A defense-in-depth approach is essential in targeted attack scenarios.
- Require multi-factor authentication for all remote access to the OT network, including from the IT network and external networks.
- Limit remote access to users with a verified need.
- Audit networks for systems using remote access services. Close unneeded network ports associated with remote access services.
- Enable logging for all remote access technologies and audit the logs regularly to identify any instances of unauthorized access.
- Reduce the time remote access services are running by using manual start and stop features in place of always-activated unattended access.
- When configuring access control for a host, utilize custom settings to limit the access a remote party can attempt to acquire.
- Deploy application control in high enforcement.
- Expand threat hunting with a specific focus on the TTPs associated with Sandworm, APT28, APT29 and Turla.
- Apply just-in-time administration.
- Implement and ensure robust network segmentation between IT and OT networks to limit the ability of malicious cyber actors to pivot to the OT network after compromising the IT network. Consider demilitarized zones (DMZs), firewalls, jump servers, and other methods to prevent unregulated communication between the IT and OT networks.
- Develop/update network maps to ensure a full accounting of all equipment connected to the network. Any equipment that is not required to conduct operations should be removed from networks to reduce the exploitable attack surface.
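The audit and logging recommendations above (inventory remote access listeners, close unneeded ports, review remote access logs for unauthorized use) can be turned into a repeatable check. The following script is an added example written for this post, not VMware tooling or anything from the cited advisories. It assumes `ss -Hltn`-style listener output and OpenSSH `sshd` auth log lines; the sample data, hostnames, addresses, the `opsadmin`/`vendor1` accounts, the jump-host network `10.10.5.0/24` and the 07:00-19:00 maintenance window are all constructed for illustration. It flags remote access services listening on non-loopback addresses that are not on an approved list, and successful SSH logins by unknown users, from sources that bypass the jump-host network, or outside the maintenance window.

```python
import ipaddress
import re

# Constructed sample shaped like `ss -Hltn` output (not captured from a real host).
SAMPLE_LISTENERS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:3389 0.0.0.0:*
LISTEN 0 5 0.0.0.0:5900 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 0.0.0.0:502 0.0.0.0:*
"""

# Constructed sshd auth log lines (hostname, users and addresses are made up).
SAMPLE_AUTH_LOG = """\
Mar  8 02:13:44 hmi01 sshd[2201]: Accepted password for vendor1 from 203.0.113.7 port 51012 ssh2
Mar  8 09:02:10 hmi01 sshd[2310]: Accepted publickey for opsadmin from 10.10.5.4 port 40222 ssh2
Mar  8 09:05:31 hmi01 sshd[2320]: Failed password for root from 198.51.100.23 port 44311 ssh2
Mar  8 03:40:02 hmi01 sshd[2401]: Accepted publickey for opsadmin from 10.10.5.4 port 40310 ssh2
"""

# Ports commonly used by remote access services; extend to match your estate.
REMOTE_ACCESS_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp", 5900: "vnc", 5800: "vnc-http"}
LOOPBACK = {"127.0.0.1", "[::1]", "::1"}


def find_remote_access_listeners(ss_output, allowed_ports=frozenset()):
    """Return (address, port, service) for remote access services that listen on a
    non-loopback address and are not on the approved list."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        addr, _, port = fields[3].rpartition(":")
        port = int(port)
        if addr in LOOPBACK or port not in REMOTE_ACCESS_PORTS or port in allowed_ports:
            continue
        findings.append((addr, port, REMOTE_ACCESS_PORTS[port]))
    return findings


# Matches both "Accepted publickey for user" and "Failed password for invalid user x".
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) \w+ for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def audit_ssh_log(log_text, authorized_users, jump_networks, window=(7, 19)):
    """Flag successful logins that violate policy: user not on the authorized list,
    source address not inside a jump-host network, or login outside the
    maintenance window (start hour inclusive, end hour exclusive)."""
    nets = [ipaddress.ip_network(n) for n in jump_networks]
    findings = []
    for line in log_text.splitlines():
        m = SSHD_RE.search(line)
        if not m or m.group(1) != "Accepted":
            continue  # failed attempts are worth counting too, but are not "access"
        user, src = m.group(2), m.group(3)
        hour = int(line.split()[2].split(":")[0])  # syslog timestamp "HH:MM:SS"
        reasons = []
        if user not in authorized_users:
            reasons.append("user not authorized")
        if not any(ipaddress.ip_address(src) in n for n in nets):
            reasons.append("source outside jump-host network")
        if not window[0] <= hour < window[1]:
            reasons.append("outside maintenance window")
        if reasons:
            findings.append({"user": user, "src": src, "hour": hour, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Only SSH is approved here; RDP and VNC listening on all interfaces get reported.
    for f in find_remote_access_listeners(SAMPLE_LISTENERS, allowed_ports={22}):
        print("unapproved listener:", f)
    for f in audit_ssh_log(SAMPLE_AUTH_LOG, {"opsadmin"}, ["10.10.5.0/24"]):
        print("suspicious login:", f)
```

Run it against real `ss` output and `/var/log/auth.log` (or journald output) on each host that exposes remote access; the Modbus listener on port 502 in the sample is deliberately not reported, since the script audits remote access services rather than OT protocols.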
Readiness and incident response
- Test the viability of your backups.
- Ensure the organization’s emergency response plan considers the full range of potential impacts that cyberattacks pose to operations, including loss or manipulation of view, loss or manipulation of control, and threats to safety.
- Account for third parties with legitimate need for OT network access, including engineers and vendors.
- Review, test, and update the emergency response plan annually.
- Exercise the ability to fail over to alternate control systems, including manual operation while assuming degraded electronic communications.
- Execute tabletop exercises that incorporate loss of visibility and control scenarios so employees gain decision-making experience in likely scenarios.
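"Test the viability of your backups" means more than confirming that an archive exists: restore it somewhere disposable and check that every file comes back intact. The script below is an added example for this post, not VMware code or part of any referenced advisory. It assumes a simple tar.gz backup with a SHA-256 manifest written at backup time; the source tree (`hmi/config.ini`, `historian/tags.csv`) and the three scenarios in `run_demo()` are constructed. Beyond the single healthy case, it shows two failure modes a restore test should catch: an archive whose contents drifted from the manifest, and an archive truncated on disk.

```python
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    """Streamed SHA-256 of a file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source_dir, archive_path, manifest_path=None):
    """Archive source_dir as tar.gz; if manifest_path is given, record the
    SHA-256 of every file at backup time so a restore can be verified later."""
    src = Path(source_dir)
    manifest = {}
    with tarfile.open(str(archive_path), "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                manifest[rel] = sha256_of(p)
                tar.add(str(p), arcname=rel)
    if manifest_path is not None:
        Path(manifest_path).write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_test(archive_path, manifest_path):
    """Restore into a scratch directory and compare every manifest entry.
    Returns a report; 'ok' is True only when all files restore with the recorded hash."""
    manifest = json.loads(Path(manifest_path).read_text())
    report = {"verified": 0, "missing": [], "mismatched": [], "ok": False}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(str(archive_path), "r:gz") as tar:
                try:
                    tar.extractall(scratch, filter="data")  # safe extraction on newer Pythons
                except TypeError:
                    tar.extractall(scratch)  # older Python without the filter argument
        except Exception as exc:  # any unreadable archive means the backup is not viable
            report["error"] = f"{type(exc).__name__}: {exc}"
            return report
        for rel, expected in manifest.items():
            target = Path(scratch) / rel
            if not target.is_file():
                report["missing"].append(rel)
            elif sha256_of(target) != expected:
                report["mismatched"].append(rel)
            else:
                report["verified"] += 1
    report["ok"] = not report["missing"] and not report["mismatched"]
    return report


def run_demo():
    """Constructed end-to-end check: healthy backup, content drift, truncated archive."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "plant"
        (src / "hmi").mkdir(parents=True)
        (src / "hmi" / "config.ini").write_text("[hmi]\nserver=scada01\n")
        (src / "historian").mkdir()
        (src / "historian" / "tags.csv").write_bytes(os.urandom(4096))
        archive = Path(work) / "plant.tar.gz"
        manifest = Path(work) / "plant.manifest.json"

        create_backup(src, archive, manifest)
        healthy = restore_test(archive, manifest)

        # Drift: a file changes and the archive is rebuilt, but the manifest is stale.
        (src / "hmi" / "config.ini").write_text("[hmi]\nserver=scada02\n")
        create_backup(src, archive)
        drifted = restore_test(archive, manifest)

        # Truncation: the archive is cut in half on disk (e.g. interrupted copy).
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])
        truncated = restore_test(archive, manifest)
    return healthy, drifted, truncated


if __name__ == "__main__":
    for name, rep in zip(("healthy", "drifted", "truncated"), run_demo()):
        print(name, rep)
```

In practice the manifest should be stored separately from the archive (a backup that carries its only integrity record with it cannot detect its own tampering), and the restore target should be an isolated system so a tainted backup cannot reach production while it is being tested.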
As we’ve noted in our annual security outlook reports, the energy/utilities and government sectors become more susceptible to attacks, including ransomware, as geopolitical tensions rise. When destruction, and not just monetary gain, is the objective, however, it’s important to understand that the most damage is often done post-infection, not in the initial phases of a ransomware attack. Learn the four best practices recommended by VMware’s Threat Analysis Unit for protecting against ransomware and visit VMware’s Ransomware Resource Center for additional guidance. Finally, as geopolitical tension continues to manifest in cyberspace, review the best practices and planning strategies for preventing cyber attacks included in CISA’s unprecedented warning regarding imminent destructive cyberattacks from Russia.