NSA and CISA Recommend Immediate Actions

Summary

On July 23, 2020, the National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) released Activity Alert AA20-205A , which highlights the recent offensive malicious cyber activity perpetrated against critical infrastructure (CI) by exploiting internet-accessible operational technology (OT) assets. Due to the increase in adversary capabilities and activity, the criticality to U.S. national security and way of life, and the vulnerability of OT systems, the NSA and CISA recommend that all Department of Defense (DoD), National Security Systems (NSS), Defense Industrial Base (DIB), and U.S. critical infrastructure facilities take immediate actions to secure their OT assets.

Recently observed Tactics, Techniques and Procedures (TTPs) targeting OT are:

• Spearphishing to obtain initial access to the organization’s information technology (IT) network before pivoting to the OT network.
• Deployment of commodity ransomware to encrypt data for impact on both networks.
• Connecting to internet accessible Programmable Logic Controllers (PLCs) requiring no authentication for initial access.
• Utilizing commonly used ports and standard application layer protocols to communicate with controllers and download modified control logic.
• User of vendor engineering software and program downloads
• Modifying control logic and parameters on PLCs.

Reporting

The NJCCIC encourages recipients who discover signs of malicious cyber activity to contact the NJCCIC via the cyber incident report form by clicking here.

Please do not hesitate to contact us at njccic@cyber.nj.gov with any questions.