NSA Releases EliteWolf GitHub Repository for Securing OT Environments

The National Security Agency released a code repository in GitHub to make it easier for critical infrastructure organizations and similar entities to better identify and detect potentially malicious activities in their operational technology (OT) environments.

The agency announced this week that it released the repository for OT Intrusion Detection Signatures and Analytics to the NSA Cyber GitHub in an effort called EliteWolf.

The repository includes various signatures and analytics focused on industrial control systems (ICS), OT, and SCADA, with the goal being to “enable Critical Infrastructure Defenders, Intrusion Analysts, and others to implement continuous and vigilant system monitoring,” the NSA wrote on the EliteWolf GitHub site.

Activity matched by the signatures and analytics is not necessarily malicious; further analysis and investigation will be needed, using the SNORT rules the agency provides.

EliteWolf represents the latest step by the NSA and other federal agencies, such as the Cybersecurity and Infrastructure Security Agency (CISA), to bolster protections around critical infrastructure environments as cyberthreats aimed at espionage or disruption grow.


“Cyber actors have demonstrated their continued willingness to conduct malicious cyber activity against Critical Infrastructure … by exploiting Internet-accessible and vulnerable Operational Technology … assets,” the NSA wrote. “Due to the increase in adversary capabilities and activity, the criticality to U.S. national security and way of life, and the vulnerability of OT systems, civilian infrastructure makes attractive targets for foreign powers attempting to do harm to U.S. interests or retaliate for perceived U.S. aggression.”

An Ongoing Concern

Critical infrastructure and OT security has been a focus of federal agencies over the past several years, particularly in the wake of attacks on such firms as Colonial Pipeline. That May 2021 ransomware attack by the Russia-linked threat group DarkSide squeezed fuel supplies in some southern states; CISA Director Jen Easterly and Tom Fanning, chair and CEO of Southern Company and chair of CISA’s Cybersecurity Advisory Committee, called it “a watershed moment in the short but turbulent history of cybersecurity.”

“This was the moment when the vulnerability of our highly connected society became a nationwide reality and a kitchen table issue,” Easterly and Fanning wrote in a report in May.

That incident was followed soon after by a similar ransomware attack by the group REvil on global meat processor JBS Foods.

The Biden Administration as part of its ICS Cybersecurity Initiative launched in 2021 tasked CISA and other federal agencies to build up the cybersecurity of critical infrastructure in 16 sectors, including chemical, oil, electric, gas, and water.

NSA and CISA issued a joint advisory urging public and private organizations to bolster the security around their OT and control systems, saying that “Internet-accessible OT assets are becoming more prevalent across the 16 US CI Sectors as companies increase remote operations and monitoring, accommodate a decentralized workforce, and expand outsourcing of key skill areas such as Instrumentation & Control, OT asset management/maintenance, and in some cases, process operations and maintenance.”

They also noted legacy OT assets that weren’t designed to protect against cyberthreats and the ready availability of information identifying internet-connected OT assets, creating what they called a “perfect storm” of easy access to unsecured assets, common and open source information about devices, and a growing list of exploits that can be deployed through common exploit frameworks.

The Challenge of Open Source Software

More recently, the NSA and other agencies – the FBI, Treasury Department, and CISA – released earlier this week a nine-page report about securing OT and industrial control system environments that use open source software.

“In OT, both cybersecurity and safety concerns are heightened due to the potentially far-reaching impacts of incidents and associated life safety implications, specifically to connected infrastructure,” the agencies wrote. “Widely accepted cyber hygiene practices, such as updating software in IT systems when a patch for a vulnerability is available, may be challenging when an underlying OSS library needs to be updated.”

Updating the OT software may be even more difficult because of the “potential adverse effects on other (dependent) software and potential operational risks. Implementing ‘secure-by-design’ and ‘-default’ approaches can help decrease these cybersecurity and safety risks in OT,” they wrote.


Jeffrey Burt

Jeffrey Burt has been a journalist for more than three decades, writing about technology since 2000. He’s written for a variety of outlets, including eWEEK, The Next Platform, The Register, The New Stack, eSecurity Planet, and Channel Insider.
