The National Security Agency has published a repository of tools to help critical infrastructure entities hunt for malicious activity in ICS and other OT environments.
Named Elitewolf, the GitHub repository contains ICS/SCADA/OT-focused intrusion detection signatures and analytics intended to help defense industrial base (DIB) organizations, owners and operators of national security systems (NSS), and other critical infrastructure owners and operators implement continuous monitoring of their systems.
The capability was released in response to increased cyber activity targeting critical infrastructure and internet-facing OT systems, and nation states’ exploitation of vulnerable OT systems and civilian infrastructure.
Three years ago, together with the US cybersecurity agency CISA, the NSA warned of increased targeting of critical infrastructure, urging all involved entities to take the necessary steps to improve the security and resilience of their systems.
“At this time of heightened tensions, it is critical that asset owners and operators of critical infrastructure take immediate steps to ensure resilience and safety of US systems should a time of crisis emerge in the near term,” the two agencies said in a July 2020 advisory.
Since then, the two agencies have released multiple resources to help organizations improve the security of their networks and eliminate weaknesses from their environments, including a guide on the five typical steps that threat actors rely on when planning and executing a cyberattack.
“Due to the increase in adversary capabilities and activity, the criticality to US national security and way of life, and the vulnerability of OT systems, civilian infrastructure makes attractive targets for foreign powers attempting to do harm to US interests or retaliate for perceived US aggression,” the NSA notes.
The agency stresses that a hit on the newly released signatures and analytics is not by itself evidence of malicious activity: every hit requires follow-up analysis to determine whether the underlying activity is indeed malicious.
“The provided SNORT rules are alerting rules. Investigation for accuracy is required for hits. The rules have been tested, but every system can be configured differently, so ensure that the signature is triggered properly or is adjusted as needed based on the sensors and the environment,” the NSA notes.
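The adjustment the NSA describes usually means scoping a generic signature to the sensor placement and the known-good hosts of a particular plant. The following is an added example written for this article, not a rule from the Elitewolf repository: a Snort 2 rule that alerts on a Modbus/TCP "Write Single Register" request (function code 0x06, found at byte 7 of the Modbus/TCP payload, after the 7-byte MBAP header), first as a vendor might ship it and then scoped to one site. The `PLC_NET` and `ENG_WS` addresses and the `sid` values are assumptions for illustration only.

```snort
# Constructed example, not an Elitewolf rule. Snort 2 syntax; under Snort 3 the
# ipvar/portvar lines move into snort.lua, the rule bodies stay the same.

# Site-specific variables (assumed values; set them for the real environment)
ipvar PLC_NET [10.20.0.0/24]            # assumed: PLC / RTU segment behind the sensor
ipvar ENG_WS  [10.20.1.10,10.20.1.11]   # assumed: authorized engineering workstations
portvar MODBUS_PORTS 502

# 1) As shipped: an alerting rule that fires on EVERY write to a PLC register,
#    including routine writes from the HMI and engineering hosts. On a busy
#    plant network this produces hits that all need investigation.
alert tcp any any -> $PLC_NET $MODBUS_PORTS ( \
    msg:"ICS Modbus Write Single Register (unscoped)"; \
    flow:to_server,established; \
    content:"|00 00|"; offset:2; depth:2; \
    content:"|06|"; offset:7; depth:1; \
    classtype:attempted-admin; sid:1000001; rev:1; )
# offset 2/depth 2 = MBAP Protocol Identifier, which is 0x0000 for Modbus;
# offset 7/depth 1 = the Modbus function code immediately after the MBAP header.

# 2) Adjusted for this environment: the same detection logic, but only for
#    writes that do NOT originate from the authorized engineering hosts.
#    It is still an alerting rule (no drop/reject): a hit means "investigate",
#    e.g. a new host, a compromised HMI, or a mis-filed engineering workstation.
alert tcp !$ENG_WS any -> $PLC_NET $MODBUS_PORTS ( \
    msg:"ICS Modbus Write Single Register from non-engineering host"; \
    flow:to_server,established; \
    content:"|00 00|"; offset:2; depth:2; \
    content:"|06|"; offset:7; depth:1; \
    classtype:attempted-admin; sid:1000002; rev:1; )
```

Two practical points when tuning rules of this kind: the raw `content`/`offset` match is used so the rule works on a sensor with the default configuration; if the Modbus preprocessor (Snort 2) or inspector (Snort 3) is enabled, the option `modbus_func:6;` expresses the same check more robustly. Second, confirm the sensor actually sees the traffic in question (a span port on the IT side of a firewall never sees the PLC segment) by replaying a capture of a known write through it before trusting that silence means absence of activity.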
Critical infrastructure owners and operators that rely on ICS/SCADA/OT systems are encouraged to use the new capability as part of their system monitoring program, to detect and identify potential malicious activity.