
NSA Publishes ICS/OT Intrusion Detection Signatures and Analytics

NSA has released Elitewolf, a repository of intrusion detection signatures and analytics for OT environments.

The National Security Agency has published a repository of tools to help critical infrastructure entities hunt for malicious activity in ICS and other OT environments.

Named Elitewolf, the GitHub repository contains ICS/SCADA/OT-focused intrusion detection signatures and analytics that should enable defense industrial base (DIB), national security systems (NSS) and services, and other critical infrastructure owners and operators to implement continuous system monitoring.

The capability was released in response to increased cyber activity targeting critical infrastructure and internet-facing OT systems, and nation states’ exploitation of vulnerable OT systems and civilian infrastructure.

Three years ago, together with the US cybersecurity agency CISA, the NSA warned of increased targeting of critical infrastructure, urging all involved entities to take the necessary steps to improve the security and resilience of their systems.

“At this time of heightened tensions, it is critical that asset owners and operators of critical infrastructure take immediate steps to ensure resilience and safety of US systems should a time of crisis emerge in the near term,” the two agencies said in a July 2020 advisory.

Since then, the two agencies have released multiple resources to help organizations improve the security of their networks and eliminate weaknesses from their environments, including a guide on the five typical steps that threat actors rely on when planning and executing a cyberattack.

“Due to the increase in adversary capabilities and activity, the criticality to US national security and way of life, and the vulnerability of OT systems, civilian infrastructure makes attractive targets for foreign powers attempting to do harm to US interests or retaliate for perceived US aggression,” the NSA notes.

The agency cautions that a hit on the newly released signatures and analytics does not by itself indicate malicious activity; each alert requires follow-up analysis to determine whether the observed behavior is indeed malicious.


“The provided SNORT rules are alerting rules. Investigation for accuracy is required for hits. The rules have been tested, but every system can be configured differently, so ensure that the signature is triggered properly or is adjusted as needed based on the sensors and the environment,” the NSA notes.

Critical infrastructure owners and operators that rely on ICS/SCADA/OT systems are encouraged to use the new capability as part of their system monitoring program, to detect and identify potential malicious activity.
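To make the "alerting rules need follow-up and environment-specific tuning" point concrete, here is an added example that is not code from the Elitewolf repository and uses no Elitewolf rule. It parses a single hypothetical Snort-style rule (constructed for this illustration) that alerts on a Modbus/TCP Write Single Register request toward a PLC network, runs it over constructed sample flows, and then applies a triage step driven by an assumed asset inventory of hosts allowed to write to PLCs. The Modbus/TCP framing (MBAP header, function code at byte offset 7) is the real layout; the rule text, network ranges, host roles and traffic are all assumptions. A real deployment runs the published rules in Snort or Suricata against live sensor traffic; this harness only shows why raw hits include expected operations and must be investigated rather than treated as confirmed intrusions.

```python
"""Triage harness for a Snort-style OT alerting rule (added example, not Elitewolf code)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


# Hypothetical rule, constructed for illustration (NOT from Elitewolf):
# alert on Modbus/TCP function code 0x06 (Write Single Register) sent to
# the PLC network on TCP/502. Byte 2-3 of the MBAP header is the protocol
# id (0 = Modbus); byte 7 is the function code.
HYPOTHETICAL_RULE = (
    'alert tcp any any -> $PLC_NET 502 '
    '(msg:"Modbus write single register to PLC"; '
    'content:"|00 00|"; offset:2; depth:2; '
    'content:"|06|"; offset:7; depth:1; '
    'sid:1000001; rev:1;)'
)

PLC_NET = ipaddress.ip_network("10.0.20.0/24")          # assumed $PLC_NET
AUTHORIZED_WRITERS = {"10.0.10.5", "10.0.10.9"}         # assumed HMI + engineering workstation


def _content_bytes(spec: str) -> bytes:
    """Convert a Snort content string with |hex| sections into raw bytes."""
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        out += bytes.fromhex(chunk.replace(" ", "")) if i % 2 else chunk.encode()
    return bytes(out)


def parse_rule(rule: str) -> dict:
    """Parse the header and the content/offset/depth/msg/sid options we need."""
    header, _, body = rule.partition("(")
    action, proto, src, sport, _, dst, dport = header.split()
    parsed = {"action": action, "proto": proto, "dst": dst,
              "dport": None if dport == "any" else int(dport),
              "msg": None, "sid": None, "contents": []}
    for opt in body.rstrip(")").split(";"):
        key, _, val = opt.strip().partition(":")
        val = val.strip().strip('"')
        if key == "content":
            parsed["contents"].append({"bytes": _content_bytes(val), "offset": 0, "depth": None})
        elif key in ("offset", "depth"):
            parsed["contents"][-1][key] = int(val)   # modifier applies to the last content
        elif key == "msg":
            parsed["msg"] = val
        elif key == "sid":
            parsed["sid"] = int(val)
    return parsed


def rule_matches(rule: dict, pkt: Packet, plc_net: ipaddress.IPv4Network) -> bool:
    """Snort-like semantics: offset = where the search starts, depth = how far it looks."""
    if rule["dport"] is not None and pkt.dport != rule["dport"]:
        return False
    if ipaddress.ip_address(pkt.dst) not in plc_net:
        return False
    for c in rule["contents"]:
        end = None if c["depth"] is None else c["offset"] + c["depth"]
        if c["bytes"] not in pkt.payload[c["offset"]:end]:
            return False
    return True


def run_rule(rule: dict, packets: list, plc_net: ipaddress.IPv4Network) -> list:
    """Return one hit record per packet the rule fires on."""
    return [{"sid": rule["sid"], "msg": rule["msg"], "src": p.src, "dst": p.dst}
            for p in packets if rule_matches(rule, p, plc_net)]


def triage(hits: list, authorized: set) -> dict:
    """Environment tuning: nothing is discarded, but hits from hosts the asset
    inventory permits to write are labelled 'expected'; the rest 'investigate'."""
    out = {"expected": [], "investigate": []}
    for h in hits:
        out["expected" if h["src"] in authorized else "investigate"].append(h)
    return out


def modbus_frame(tx_id: int, unit: int, func: int, data: bytes) -> bytes:
    """Build a Modbus/TCP frame: MBAP header (tx id, proto 0, length, unit) + PDU."""
    body = bytes([unit, func]) + data
    return tx_id.to_bytes(2, "big") + b"\x00\x00" + len(body).to_bytes(2, "big") + body


# Constructed sample traffic (not captured data).
SAMPLE_TRAFFIC = [
    Packet("10.0.10.5", 50211, "10.0.20.7", 502, modbus_frame(1, 1, 0x06, b"\x00\x10\x00\x01")),  # HMI setpoint write
    Packet("10.0.10.9", 50212, "10.0.20.7", 502, modbus_frame(2, 1, 0x06, b"\x00\x11\x01\xf4")),  # engineering WS write
    Packet("10.0.30.44", 40001, "10.0.20.7", 502, modbus_frame(3, 1, 0x06, b"\x00\x10\x00\x00")), # unknown host write
    Packet("10.0.10.5", 50213, "10.0.20.7", 502, modbus_frame(4, 1, 0x03, b"\x00\x00\x00\x0a")),  # HMI read, no alert
    Packet("10.0.10.5", 50214, "10.0.20.7", 8080, b"GET / HTTP/1.1\r\n"),                         # not Modbus port
    Packet("10.0.30.44", 40002, "10.0.99.3", 502, modbus_frame(5, 1, 0x06, b"\x00\x01\x00\x01")), # dst outside $PLC_NET
]

if __name__ == "__main__":
    rule = parse_rule(HYPOTHETICAL_RULE)
    hits = run_rule(rule, SAMPLE_TRAFFIC, PLC_NET)
    for bucket, items in triage(hits, AUTHORIZED_WRITERS).items():
        for h in items:
            print(f"[{bucket}] sid={h['sid']} {h['src']} -> {h['dst']}: {h['msg']}")
```

Run as written, the rule fires three times: two writes from hosts the inventory expects to issue them and one from an unknown host. The "expected" hits are still alerts, since an attacker who compromises the HMI would write from the same address, which is exactly why the agency's guidance is to investigate hits rather than suppress them; the triage labels only prioritise the queue for the analyst.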

Related: US Government Releases Security Guidance for Open Source Software in OT, ICS

Related: Organizations Warned of Top 10 Cybersecurity Misconfigurations Seen by CISA, NSA

Related: CISA, NSA Share Guidance on Securing CI/CD Environments

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
