The Cybersecurity and Infrastructure Security Agency (CISA), along with the FBI, Department of Energy (DoE), and Environmental Protection Agency (EPA), has warned organizations of cyberattacks targeting Operational Technology (OT) and Industrial Control Systems (ICS) in the US oil and natural gas sector.
According to the government agencies, the attackers usually rely on basic and elementary intrusion techniques against such infrastructure, but poor cyber hygiene and exposed assets can still lead to severe impact, including operational disruptions and physical damage.
Gabrielle Hempel, security operations strategist and threat intelligence researcher for the Exabeam TEN18 Team, echoed the advisory’s concerns. “There’s definitely some systemic negligence in addressing known vulnerabilities,” Hempel said. “The energy sector (and a lot of critical infrastructure) often relies on legacy systems, either not having the means or the knowledge to properly lock down their landscape.”
The convergence of IT and OT systems in these environments greatly expands the attack surface and makes traditional mitigation measures insufficient, she added.
To support organizations in the sector, CISA included detailed mitigation guidance to help them stay ahead of emerging threats.
Disconnect from the public and remote access
Because internet-connected OT devices tend to be overexposed, and because they often lack authentication and authorization methods that hold up against modern threats such as scans for open ports across public IP ranges, CISA recommended removing OT connections from the public internet.
“The motivation of the malicious actors is irrelevant; if an organization’s exposed sensitive systems are exposed to the internet with no security hardening, they are at risk of a compromise,” said Thomas Richards, infrastructure security practice director at Black Duck. “Many times, these systems are provided with internet access for remote connectivity from support teams and vendors, but this creates a major security risk without restricting who can access it and adding proper authentication controls.”
On the subject of remote access to OT networks, CISA recommended that where remote access is essential, organizations either upgrade to a private IP network connection, removing the OT assets from the public internet, or use a virtual private network (VPN) protected by strong, phishing-resistant multi-factor authentication (MFA).
Additionally, organizations must document and configure remote access solutions to apply principles of least privilege. “The recommendations to secure these environments aren’t advanced security measures, they’re foundational practices that should already be in place,” Hempel noted.
Stronger passwords, segmentation, and manual operations are advised
CISA cited past analysis showing that the targeted systems used default or easily guessable passwords (guessable with open-source tools). Replacing default passwords with strong, unique ones is especially important for internet-facing devices capable of controlling OT systems or processes, the advisory added.
Segmenting IT and OT networks was also advised. “As OT becomes more integrated with IT systems, it presents more opportunities for attackers,” Nathaniel Jones, vice president of Threat Research at Darktrace, told CSO in a comment. “OT security is strongest when supported by robust IT security, requiring coordination between IT and OT teams to defend the entire network.”
Additionally, CISA highlighted that the capability for organizations to revert to manual controls to quickly restore operations is vital in the immediate aftermath of an incident.
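The mitigations above (no public internet exposure, remote access only through a VPN with phishing-resistant MFA, changed default passwords, IT/OT segmentation, and a documented manual fallback) can be turned into a repeatable audit of an OT asset inventory. The following script is an added example written for this article, not code from CISA or from any of the vendors quoted; the inventory records, device names, the 203.0.113.10 documentation-range address, the field names and the set of MFA methods treated as phishing-resistant are all assumptions made for the example.

```python
"""Audit a constructed OT asset inventory against the hygiene points in the
advisory: internet exposure, remote access without phishing-resistant MFA,
unchanged vendor default passwords, OT assets on IT segments, and missing
manual-fallback documentation. Example code; not from the advisory itself."""
import ipaddress
from collections import Counter

# Address space the organization treats as internal (RFC 1918). An OT asset
# whose address falls outside these ranges is treated as internet-reachable.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# MFA methods counted as phishing-resistant for this audit (an assumption made
# for the example, not a list taken from the advisory).
PHISHING_RESISTANT_MFA = {"fido2", "webauthn", "piv"}

# Constructed sample inventory. Names, addresses and settings are hypothetical
# and chosen so that each check fires on at least one record.
SAMPLE_INVENTORY = [
    {"name": "plc-compressor-01", "ip": "203.0.113.10", "zone": "OT",
     "remote_access": "direct", "mfa": "none",
     "default_password_changed": False, "manual_fallback_documented": False},
    {"name": "hmi-pipeline-02", "ip": "10.20.30.5", "zone": "OT",
     "remote_access": "vpn", "mfa": "fido2",
     "default_password_changed": True, "manual_fallback_documented": True},
    {"name": "rtu-wellhead-07", "ip": "10.20.30.9", "zone": "IT",
     "remote_access": "vpn", "mfa": "sms",
     "default_password_changed": True, "manual_fallback_documented": True},
    {"name": "scada-hist-01", "ip": "192.168.50.2", "zone": "OT",
     "remote_access": "none", "mfa": "none",
     "default_password_changed": False, "manual_fallback_documented": True},
]


def is_internal(ip_text):
    """True if the address lies inside the organization's internal ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETWORKS)


def audit_asset(asset):
    """Return the list of hygiene findings for one inventory record."""
    findings = []
    if not is_internal(asset["ip"]):
        findings.append("public-internet-exposure")
    access = asset["remote_access"]
    if access == "direct":
        # Remote access that does not go through a VPN or private circuit.
        findings.append("direct-remote-access")
    if access != "none" and asset["mfa"] not in PHISHING_RESISTANT_MFA:
        # Any remote path must sit behind phishing-resistant MFA.
        findings.append("mfa-not-phishing-resistant")
    if not asset["default_password_changed"]:
        findings.append("vendor-default-password")
    if asset["zone"] != "OT":
        # OT equipment living on an IT segment defeats segmentation.
        findings.append("ot-asset-on-it-segment")
    if not asset["manual_fallback_documented"]:
        findings.append("no-manual-fallback")
    return findings


def audit_inventory(inventory):
    """Map each asset name to its findings."""
    return {asset["name"]: audit_asset(asset) for asset in inventory}


def rank_assets(report):
    """Order assets for remediation: internet-exposed first, then by finding count."""
    def key(item):
        name, findings = item
        return ("public-internet-exposure" not in findings, -len(findings), name)
    return [name for name, _ in sorted(report.items(), key=key)]


def finding_totals(report):
    """Count how many assets carry each kind of finding."""
    return Counter(f for findings in report.values() for f in findings)


if __name__ == "__main__":
    report = audit_inventory(SAMPLE_INVENTORY)
    for name in rank_assets(report):
        print(f"{name}: {', '.join(report[name]) or 'no findings'}")
    print(dict(finding_totals(report)))
```

Run as-is, the script prints the worst asset first (the hypothetical internet-exposed PLC with direct remote access and an unchanged default password) and a tally of findings across the inventory; in practice the inventory would be loaded from the organization's own asset register rather than the embedded sample.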
The advisory is particularly noteworthy as CISA generally doesn’t sound the alarm on elementary hacks of this scale. “The fact that CISA has a need to report on the activities of an unsophisticated threat activity is noteworthy,” said Trey Ford, chief information security officer at Bugcrowd. “Their issuing an intelligence product focusing on hygienic cybersecurity foundations like this is a reminder–all security programs are on a journey, and failure in these seemingly obvious controls leads to certain failure and compromise.” Earlier this year, the US security watchdog warned of critical, high-risk flaws in ICS products from four leading industrial vendors.
Original article: CISA warns of cyberattacks targeting the US oil and gas infrastructure | CSO Online