Operational Technology

NSA's ELITEWOLF Signatures Detect Malicious Activity in OT Environments

George V. Hulme
Oct 19, 2023

Nation-state threat actors continue to show a heightened interest in compromising operational technology (OT) in critical infrastructure systems. And just as it sometimes takes fire to fight fire, it sometimes takes nation-state support to defend adequately against nation-state-caliber attacks. To this end, the National Security Agency (NSA) recently published a collection of intrusion detection signatures and analytics it calls ELITEWOLF, designed to help owners and operators of OT systems better defend their systems.

Experts say that support from the NSA is needed and that more government collaboration and support for the private sector is likely to come—but organizations also have to do their part so that they can put the threat intelligence to use.

"While the government posting such information is very critical and provides [information to help] small and mid-size organizations to be protected, it is still crucial to have a system in place to handle and parse the work by the threat intelligence shared,” said Itay Glick, VP of products at cybersecurity firm OPSWAT.

"I also believe that more governments would share more information in the future as a goal to protect allies, whether it is public or government to government," Glick says. "It is important to note that signatures have their limitations, and a good security approach should rely on A.I. and behavioral and contextual analytics to identify threats even without signatures," he advised.

ELITEWOLF Rules Flexible for OT Environments

According to the NSA's ELITEWOLF announcement, civilian infrastructure makes an attractive target for powers that wish to harm the U.S. or retaliate for what they see as U.S. aggression—something of heightened concern in recent weeks considering tensions in the Middle East. 

"It is highly recommended that ICS/SCADA/OT Critical Infrastructure owners and operators implement a continuous and vigilant system monitoring program," the NSA said in its announcement. 

The ELITEWOLF signatures complement the recently released NSA and CISA recommended actions for organizations to reduce their exposure across their OT/ICS devices. 

According to the NSA, the ELITEWOLF signatures and analytics can help critical infrastructure, defense industrial base, and national security systems identify and detect potentially malicious cyber activity in their OT environments. However, the rules require additional analysis to determine whether the suspected activity is malicious.

"The rules have been tested, but every system can be configured differently, so ensure that the signature is triggered properly or is adjusted as needed based on the sensors and the environment," the NSA said.

Detection Rules Critical to Lock Down OT

Experts agreed that the signatures and analytics are helpful, even necessary, for organizations' detection abilities, as the threats against these systems are substantial and attacks are challenging to detect. 

"Certainly, there are real threats targeting OT environments, and a lot of them are targeting vendors like Rockwell and Siemens. Additionally, there is a confirmed trend of nation-state attacks or conspired activities to exploit O.T. infrastructures via vendor vulnerabilities, offshore operations, and more," said Yiyi Miao, chief product officer at OPSWAT.

As Miao continued, detecting malicious activity within OT/ICS systems is challenging for two reasons. One is that these devices have been operational for decades. Another is the lack of resources within many OT operating organizations.

"To benchmark malicious activities, one must first establish a baseline of expected behavior between the assets," Miao said. He added that this is also a tall order for many organizations, as simply managing these devices is challenging enough, and "analyzing normal vs. abnormal activities daily and weekly requires huge amounts of resources and expertise asset owners and operators may not possess. Many won't necessarily understand how to interpret the results sent by many alert systems and correlate the data to lead to identifying the culprit."
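As an added illustration of the baselining Miao describes (example code written for this page, not from the NSA's ELITEWOLF release or from OPSWAT), the script below learns which asset pairs talk to each other, and with which Modbus function codes, during a learning window, then flags conversations in a later window that fall outside that baseline. The flow records, addresses, and record format are constructed for the example.

```python
from collections import defaultdict

# Constructed sample records (assumption: one line per observed OT conversation,
# "timestamp src dst proto function_code"); not data from the article.
LEARNING_WINDOW = """\
2023-10-01T08:00:01 10.1.1.10 10.1.2.20 modbus 3
2023-10-01T08:00:02 10.1.1.10 10.1.2.21 modbus 3
2023-10-01T08:00:03 10.1.1.10 10.1.2.20 modbus 16
2023-10-01T08:00:04 10.1.1.11 10.1.2.20 modbus 3
"""
DETECTION_WINDOW = """\
2023-10-02T08:00:01 10.1.1.10 10.1.2.20 modbus 3
2023-10-02T08:00:02 10.1.1.11 10.1.2.20 modbus 16
2023-10-02T08:00:03 10.1.3.50 10.1.2.21 modbus 6
"""

def parse_flows(text):
    """Turn whitespace-separated records into (src, dst, proto, fc) tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            _ts, src, dst, proto, fc = line.split()
            flows.append((src, dst, proto, int(fc)))
    return flows

def build_baseline(flows):
    """Map each (src, dst, proto) pair to the function codes seen during learning."""
    baseline = defaultdict(set)
    for src, dst, proto, fc in flows:
        baseline[(src, dst, proto)].add(fc)
    return dict(baseline)

def detect(baseline, flows):
    """Return one alert per flow that deviates from the baseline: a pair of assets
    that never talked during learning, or a known pair using a new function code
    (e.g. an HMI that only ever read registers now issuing a write)."""
    alerts = []
    for src, dst, proto, fc in flows:
        key = (src, dst, proto)
        if key not in baseline:
            alerts.append({"reason": "unknown_peer", "src": src, "dst": dst, "fc": fc})
        elif fc not in baseline[key]:
            alerts.append({"reason": "new_function_code", "src": src, "dst": dst, "fc": fc})
    return alerts

if __name__ == "__main__":
    base = build_baseline(parse_flows(LEARNING_WINDOW))
    for alert in detect(base, parse_flows(DETECTION_WINDOW)):
        print(alert)
```

Each alert still needs the analyst follow-up the NSA describes: a new peer may be a newly commissioned device rather than an intruder, which is exactly why the baseline must be maintained as the plant changes.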

While that is likely so, such organizations should strongly consider building those capabilities in-house or turning to a security services provider to deliver them, because there is much work they must do to secure their OT systems adequately. In recent guidance to OT and critical infrastructure operators, the NSA recommends that organizations keep up to date with recently observed tactics, techniques, and procedures; create a resilience plan for OT systems; practice their incident response plan; harden or disable unnecessary features and services, such as remote management services, discovery capabilities, and remote desktop access; and create an accurate "as operated" OT network map to use as the foundation for ongoing risk reduction.


George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.