
NSA Publishes ICS/OT Intrusion Detection Signatures and Analytics

NSA has released Elitewolf, a repository of intrusion detection signatures and analytics for OT environments.

The National Security Agency has published a repository of tools to help critical infrastructure entities hunt for malicious activity in ICS and other OT environments.

Named Elitewolf, the GitHub repository contains ICS/SCADA/OT-focused intrusion detection signatures and analytics that should enable defense industrial base (DIB), national security systems (NSS) and services, and other critical infrastructure owners and operators to implement continuous system monitoring.

The capability was released in response to increased cyber activity targeting critical infrastructure and internet-facing OT systems, and nation states’ exploitation of vulnerable OT systems and civilian infrastructure.

Three years ago, together with the US cybersecurity agency CISA, the NSA warned of increased targeting of critical infrastructure, urging all involved entities to take the necessary steps to improve the security and resilience of their systems.

“At this time of heightened tensions, it is critical that asset owners and operators of critical infrastructure take immediate steps to ensure resilience and safety of US systems should a time of crisis emerge in the near term,” the two agencies said in a July 2020 advisory.

Since then, the two agencies have released multiple resources to help organizations improve the security of their networks and eliminate weaknesses from their environments, including a guide on the five typical steps that threat actors rely on when planning and executing a cyberattack.

“Due to the increase in adversary capabilities and activity, the criticality to US national security and way of life, and the vulnerability of OT systems, civilian infrastructure makes attractive targets for foreign powers attempting to do harm to US interests or retaliate for perceived US aggression,” the NSA notes.

The newly released signatures and analytics, the agency says, are not necessarily associated with malicious activity and require follow-up analysis to determine whether the activity is indeed malicious.


“The provided SNORT rules are alerting rules. Investigation for accuracy is required for hits. The rules have been tested, but every system can be configured differently, so ensure that the signature is triggered properly or is adjusted as needed based on the sensors and the environment,” the NSA notes.

Critical infrastructure owners and operators that rely on ICS/SCADA/OT systems are encouraged to use the new capability as part of their system monitoring program, to detect and identify potential malicious activity.
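Because the NSA describes its rules as alerting rules whose hits need investigation and per-environment tuning, a practical first step is a triage pass over the sensor's alert output: group hits by signature, separate sources that are known to legitimately generate them (engineering workstations, for instance) from sources that are not, and only then tune. The following Python script is an added example written for this article, not code from the NSA repository; the sample alerts, SIDs, messages, addresses and the "expected sources" allowlist are constructed placeholders, and the parser assumes Snort's IPv4 "fast" alert format with ports present.

```python
"""Triage Snort fast-format alerts: group hits by signature and separate hits
from known, expected hosts from hits that need analyst follow-up."""
import re
from collections import defaultdict

# Constructed sample alerts in Snort's "fast" output format. SIDs, messages
# and addresses are placeholders made up for this example; they are not
# rules or data from the NSA repository.
SAMPLE_ALERTS = """\
10/17-09:15:02.123456  [**] [1:9000001:1] EXAMPLE ICS Modbus write single register [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.1.50:50234 -> 10.1.2.10:502
10/17-09:15:03.223456  [**] [1:9000001:1] EXAMPLE ICS Modbus write single register [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.1.50:50235 -> 10.1.2.10:502
10/17-09:16:10.000001  [**] [1:9000002:1] EXAMPLE ICS DNP3 cold restart request [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.77:41000 -> 10.1.2.11:20000
10/17-09:20:44.555555  [**] [1:9000001:1] EXAMPLE ICS Modbus write single register [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.1.51:50300 -> 10.1.2.10:502
"""

# One Snort "fast" alert line: timestamp, [gid:sid:rev], message, optional
# classification and priority, protocol, then IPv4 src:port -> dst:port.
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)"
    r"\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)\s*$"
)


def parse_fast_alert(line):
    """Return a dict of alert fields, or None if the line is not a fast alert."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "sport", "dport"):
        alert[key] = int(alert[key])
    alert["prio"] = int(alert["prio"]) if alert["prio"] else None
    return alert


def parse_alert_log(text):
    """Parse every recognisable alert line in a fast-format log."""
    return [a for a in (parse_fast_alert(l) for l in text.splitlines()) if a]


def triage(alerts, expected_sources):
    """Group hits by SID. expected_sources maps sid -> set of source IPs that
    are known to trigger that rule legitimately (a constructed allowlist here).
    Any other source is flagged for investigation rather than dismissed."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a["gid"], a["sid"])].append(a)
    summary = {}
    for (gid, sid), hits in groups.items():
        sources = {h["src"] for h in hits}
        unexpected = sorted(sources - expected_sources.get(sid, set()))
        summary[sid] = {
            "gid": gid,
            "msg": hits[0]["msg"],
            "hits": len(hits),
            "sources": sorted(sources),
            "targets": sorted({h["dst"] for h in hits}),
            "unexpected_sources": unexpected,
            "needs_investigation": bool(unexpected),
        }
    return summary


def suppress_lines(summary, expected_sources):
    """Candidate Snort 2.x threshold.conf 'suppress' entries for sources an
    analyst has confirmed as legitimate; the rule keeps alerting for everyone else."""
    out = []
    for sid, s in sorted(summary.items()):
        for ip in sorted(expected_sources.get(sid, set()) & set(s["sources"])):
            out.append(f"suppress gen_id {s['gid']}, sig_id {sid}, track by_src, ip {ip}")
    return out


if __name__ == "__main__":
    alerts = parse_alert_log(SAMPLE_ALERTS)
    expected = {9000001: {"10.1.1.50"}}  # constructed: one known engineering host
    summary = triage(alerts, expected)
    for sid, s in sorted(summary.items()):
        flag = "INVESTIGATE" if s["needs_investigation"] else "expected"
        print(f"sid {sid} ({s['msg']}): {s['hits']} hits, "
              f"unexpected sources {s['unexpected_sources']} -> {flag}")
    for line in suppress_lines(summary, expected):
        print(line)
```

The suppression step is deliberately narrow (one confirmed source per signature, `track by_src`) so that tuning removes only the hits an analyst has already explained, which keeps the rule's coverage for every other host on the network; anything in `unexpected_sources` is left alerting until it has been investigated.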

Related: US Government Releases Security Guidance for Open Source Software in OT, ICS

Related: Organizations Warned of Top 10 Cybersecurity Misconfigurations Seen by CISA, NSA

Related: CISA, NSA Share Guidance on Securing CI/CD Environments

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
