US-CERT released the alert, Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors, on Thursday, March 15th, 2018. The technical alert includes indicators of compromise (IOCs), technical details on the tactics, techniques, and procedures (TTPs) used by the actors, and security best practices relevant to the campaign. DHS and FBI published this alert with the express goal of empowering defenders to reduce their exposure to malicious activity.
Though the Systems Affected section of the alert explicitly identifies Domain Controllers, File Servers, and Email Servers as in scope, many of the defensive measures are relevant to the PI System as well. The goal of this post is to highlight the measures in the General Best Practices Applicable to this Campaign section of the alert that are relevant to the PI System and point to resources that may assist with defensive efforts.
“Prevent external communication of all versions of SMB and related protocols at the network boundary by blocking TCP ports 139 and 445 with related UDP port 137. See the NCCIC/US-CERT publication on SMB Security Best Practices for more information.”
- PI System core functionality does NOT require SMB; however, SMB is a default feature of Windows and may be enabled on your system. For guidance on SMB and the PI System, see AL00318, WannaCry Ransomware Attack FAQ.
“Segment any critical networks or control systems from business systems and networks according to industry best practices.”
- The PI System supports segmented network architectures. Network ports used by PI System services are outlined in KB01162. Industry Standard Reference Architectures are available here on PI Square.
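Host-level Windows Firewall rules are a useful complement to the boundary and segmentation controls in the two items above, because they still hold when a host is moved or a perimeter rule is loosened. The script below is an added example and is not from the original post, KB01162, or OSIsoft; it assumes the PI Data Archive listens on TCP 5450 (confirm against KB01162), that PI clients and interfaces sit in 10.10.20.0/24, and that administration comes only from a jump host at 10.10.99.5. All addresses are placeholders.

```powershell
# Added example (not OSIsoft code): host firewall rules on a PI Data Archive server.
# Assumptions: PINet on TCP 5450 (verify in KB01162), PI clients/interfaces in
# 10.10.20.0/24, management traffic only from the jump host 10.10.99.5.
#Requires -RunAsAdministrator

$PIClientSubnet = '10.10.20.0/24'
$MgmtHost       = '10.10.99.5'

# 1. Block SMB and NetBIOS leaving the host (alert: TCP 139/445, UDP 137; UDP 138 is
#    the NetBIOS datagram service and is added here too). Windows evaluates explicit
#    Block rules before Allow rules, so these win regardless of order.
#    If PI Backup writes to a UNC share, scope these with -RemoteAddress instead.
New-NetFirewallRule -DisplayName 'PI - Block outbound SMB' -Direction Outbound `
    -Protocol TCP -RemotePort 139,445 -Action Block -Profile Any
New-NetFirewallRule -DisplayName 'PI - Block outbound NetBIOS' -Direction Outbound `
    -Protocol UDP -RemotePort 137,138 -Action Block -Profile Any

# 2. Accept PINet only from the subnet where PI clients and interfaces live, so a
#    compromised business-network host cannot reach the archive directly.
New-NetFirewallRule -DisplayName 'PI - Allow PINet from PI clients' -Direction Inbound `
    -Protocol TCP -LocalPort 5450 -RemoteAddress $PIClientSubnet -Action Allow

# 3. Limit WinRM (PowerShell remoting) to the jump host. Scope the built-in rule
#    group as well, otherwise it still allows port 5985 from anywhere.
New-NetFirewallRule -DisplayName 'PI - Allow WinRM HTTPS from jump host' -Direction Inbound `
    -Protocol TCP -LocalPort 5986 -RemoteAddress $MgmtHost -Action Allow
Set-NetFirewallRule -DisplayGroup 'Windows Remote Management' -RemoteAddress $MgmtHost

# 4. Inbound default deny is what makes the Allow rules above meaningful.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# Verify: one row per rule created above, with the ports and remote scope it applies to.
Get-NetFirewallRule -DisplayName 'PI - *' | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule       = $_.DisplayName
        Direction  = $_.Direction
        Action     = $_.Action
        LocalPort  = $port.LocalPort -join ','
        RemotePort = $port.RemotePort -join ','
        Remote     = $addr.RemoteAddress -join ','
    }
} | Format-Table -AutoSize
```

The verification table is worth exporting alongside the rest of the host configuration; a rule whose RemoteAddress has quietly become "Any" is exactly the kind of drift that reviews of the segmentation design tend to miss.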
“Ensure the use of PowerShell version 5, with enhanced logging enabled. Older versions of PowerShell do not provide adequate logging of the PowerShell commands an attacker may have executed. Enable PowerShell module logging, script block logging, and transcription. Send the associated logs to a centralized log repository for monitoring and analysis. See the FireEye blog post Greater Visibility through PowerShell Logging for more information.”
- Most PI System administration tasks for the PI Data Archive and PI AF Server can be performed remotely with the PI System Management Tools, PowerShell Tools for the PI System, or PI System Explorer over PINet. For remote administration of the OS, the MSDN blog post PowerShell Security at Enterprise Customers is a comprehensive overview of the security features that make PowerShell the preferred choice. Given the manageability and security benefits, we recommend installing the PI Server on the latest release of Windows Server Core and performing remote administration via PowerShell.
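The alert's three PowerShell logging features (module logging, script block logging, transcription) are Group Policy settings, but on a stand-alone or Server Core host they can be set through the same registry values the policy writes, and checked over PowerShell remoting from the jump host. The following is an added example, not from the original post or OSIsoft; it assumes a PI host named PI-DA01, a transcript directory at D:\PSTranscripts whose ACL you lock down separately, and a log collector that reads the Microsoft-Windows-PowerShell/Operational channel.

```powershell
# Added example (not OSIsoft code): enable and verify the PowerShell logging the
# alert calls for. Assumptions: host PI-DA01, transcripts in D:\PSTranscripts,
# WinRM enabled between the jump host and PI-DA01.
#Requires -RunAsAdministrator

function Enable-PSLogging {
    param([string]$TranscriptDir = 'D:\PSTranscripts')
    $Policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

    # Older PowerShell cannot produce the 4103/4104 events that make this worthwhile.
    if ($PSVersionTable.PSVersion.Major -lt 5) {
        throw "PowerShell $($PSVersionTable.PSVersion) found; install WMF 5.1 first."
    }

    # Module logging: pipeline execution details (event 4103) for every module.
    New-Item -Path "$Policy\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty "$Policy\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
    Set-ItemProperty "$Policy\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type String

    # Script block logging: event 4104 carries the de-obfuscated code that actually ran.
    New-Item -Path "$Policy\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty "$Policy\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

    # Transcription: full session transcripts, one invocation header per command.
    New-Item -Path "$Policy\Transcription" -Force | Out-Null
    New-Item -Path $TranscriptDir -ItemType Directory -Force | Out-Null
    Set-ItemProperty "$Policy\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
    Set-ItemProperty "$Policy\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
    Set-ItemProperty "$Policy\Transcription" -Name OutputDirectory -Value $TranscriptDir -Type String
}

function Test-PSLogging {
    # One row per setting, so the result can be exported or compared across hosts.
    $Policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $checks = [ordered]@{
        ModuleLogging      = "$Policy\ModuleLogging|EnableModuleLogging"
        ScriptBlockLogging = "$Policy\ScriptBlockLogging|EnableScriptBlockLogging"
        Transcription      = "$Policy\Transcription|EnableTranscripting"
    }
    foreach ($name in $checks.Keys) {
        $path, $value = $checks[$name] -split '\|'
        $enabled = (Get-ItemProperty -Path $path -Name $value -ErrorAction SilentlyContinue).$value -eq 1
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; Setting = $name; Enabled = $enabled }
    }
}

# Run locally on the PI host...
Enable-PSLogging
Test-PSLogging

# ...or send the same check to a Server Core host over WinRM from the jump host.
Invoke-Command -ComputerName PI-DA01 -ScriptBlock ${function:Test-PSLogging}

# Prove script block logging works: the remote block itself should show up as a 4104 event.
Invoke-Command -ComputerName PI-DA01 -ScriptBlock {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 3 |
        Select-Object TimeCreated, @{ n = 'Script'; e = { $_.Message.Substring(0, [Math]::Min(80, $_.Message.Length)) } }
}
```

Transcripts and the Operational channel both end up containing command arguments, which can include secrets; point the transcript directory at a share the collector reads and administrators cannot modify, and treat the collector's copy as the one of record.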
“Implement the prevention, detection, and mitigation strategies outlined in the NCCIC/US-CERT Alert TA15-314A – Compromised Web Servers and Web Shells – Threat Awareness and Guidance.”
- We recommend installing PI Vision on the latest version of Windows Server Core for its reduced attack surface. Additionally, guidance for web security in PI Vision is covered in KB01631.
“Implement application directory whitelisting. System administrators may implement application or application directory whitelisting through Microsoft Software Restriction Policy, AppLocker, or similar software. Safe defaults allow applications to run from PROGRAMFILES, PROGRAMFILES(X86), SYSTEM32, and any ICS software folders. All other locations should be disallowed unless an exception is granted.”
- Guidance for configuring application whitelisting on systems with PI applications using AppLocker is provided in KB00994.
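The "safe defaults" in the quoted item map directly onto AppLocker path rules, and the policy can be generated and tested from PowerShell before it is enforced. The script below is an added example, not from the original post or KB00994 (follow that KB for OSIsoft's supported configuration); it assumes PI components under the default locations %PROGRAMFILES%\PI and %PROGRAMFILES%\PIPC and that pigetmsg.exe exists on the host. In AppLocker's path syntax %PROGRAMFILES% matches both Program Files and Program Files (x86), and %SYSTEM32% matches both System32 and SysWOW64, so the alert's four locations need only two variables.

```powershell
# Added example (not OSIsoft code): generate an AppLocker policy for the alert's safe
# defaults plus the PI folders, test it, apply it in audit mode, and review audit hits.
# Assumptions: default PI install paths; S-1-1-0 is Everyone, S-1-5-32-544 is Administrators.
#Requires -RunAsAdministrator

function New-PIAppLockerPolicyXml {
    param(
        [string[]]$IcsFolders = @('%PROGRAMFILES%\PI\*', '%PROGRAMFILES%\PIPC\*'),
        [string]$Mode = 'AuditOnly'    # change to 'Enabled' once the audit period is clean
    )
    $allowPaths = @('%PROGRAMFILES%\*', '%SYSTEM32%\*') + $IcsFolders
    $rule = '    <FilePathRule Id="{0}" Name="{1}" Description="" UserOrGroupSid="{2}" Action="Allow"><Conditions><FilePathCondition Path="{3}" /></Conditions></FilePathRule>'

    '<AppLockerPolicy Version="1">'
    foreach ($type in 'Exe', 'Dll', 'Script') {
        '  <RuleCollection Type="{0}" EnforcementMode="{1}">' -f $type, $Mode
        foreach ($p in $allowPaths) {
            $rule -f [guid]::NewGuid(), "Allow $p ($type)", 'S-1-1-0', $p
        }
        # Administrators keep the ability to run anything, so patching and PI upgrades still work.
        $rule -f [guid]::NewGuid(), "Allow Administrators ($type)", 'S-1-5-32-544', '*'
        '  </RuleCollection>'
    }
    '</AppLockerPolicy>'
}

$xmlPath = Join-Path $env:TEMP 'pi-applocker.xml'
New-PIAppLockerPolicyXml | Set-Content -Path $xmlPath -Encoding UTF8

# AppLocker evaluates nothing unless the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Dry run against real files: a PI utility, a system binary, and a binary dropped into a
# user-writable folder (simulated by copying notepad). Expect Allowed, Allowed, Denied.
$dropped = Join-Path $env:PUBLIC 'Downloads\notepad-copy.exe'
Copy-Item "$env:SystemRoot\System32\notepad.exe" $dropped -Force
Test-AppLockerPolicy -XmlPolicy $xmlPath -User Everyone -Path @(
    (Join-Path $env:ProgramFiles 'PI\adm\pigetmsg.exe'),
    "$env:SystemRoot\System32\notepad.exe",
    $dropped
) | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item $dropped -Force

# Apply locally; -Merge keeps rules that already exist. Use a GPO for fleet-wide rollout.
Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge

# After a soak period, review what enforcement would have blocked (event 8003 = audit-only hit).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-Table -Wrap
```

Stay in AuditOnly until the 8003 events have been clean through at least one interface restart, a PI Buffer Subsystem failover, and a patch cycle; those are the moments when a legitimate binary outside the allowed paths tends to surface.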
“Block RDP connections originating from untrusted external addresses unless an exception exists; routinely review exceptions on a regular basis for validity.”
- We recommend performing remote system administration via PowerShell instead of RDP. Note that the CredSSP vulnerability CVE-2018-0886, addressed in this month's Patch Tuesday release (see the Microsoft support KB CredSSP updates for CVE-2018-0886), is exposed through RDP. Furthermore, the abstract of the Black Hat Asia presentation Server Tailgating - A Chosen-Plaintext Attack on RDP indicates that vulnerability details will be made public next week.
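Where RDP cannot be retired, the quoted recommendation has two halves: scope the listener to trusted addresses, and keep the exceptions somewhere they can actually be reviewed. The script below is an added example, not from the original post or OSIsoft; it assumes a management subnet of 10.10.99.0/24 and an exception list at C:\Admin\rdp-exceptions.csv with the columns Address, Owner, Expires. The CredSSP setting at the end is the AllowEncryptionOracle value documented in the Microsoft KB for CVE-2018-0886; the numeric meanings are taken from that KB.

```powershell
# Added example (not OSIsoft code): scope the built-in Remote Desktop firewall rules to
# a management subnet plus reviewed exceptions, require NLA, and apply the CredSSP
# "force updated clients" setting for CVE-2018-0886.
# Assumptions: management subnet 10.10.99.0/24; exceptions in C:\Admin\rdp-exceptions.csv.
#Requires -RunAsAdministrator

$MgmtSubnet    = '10.10.99.0/24'
$ExceptionFile = 'C:\Admin\rdp-exceptions.csv'   # columns: Address,Owner,Expires

function Get-ValidRdpExceptions {
    # Honour only unexpired exceptions; report expired ones so the list gets cleaned up.
    if (-not (Test-Path $ExceptionFile)) { return @() }
    $rows = Import-Csv $ExceptionFile
    foreach ($e in $rows) {
        if ([datetime]$e.Expires -lt (Get-Date)) {
            Write-Warning "RDP exception for $($e.Address) (owner: $($e.Owner)) expired $($e.Expires); dropping it"
        }
    }
    @($rows | Where-Object { [datetime]$_.Expires -ge (Get-Date) } | ForEach-Object Address)
}

$allowed = @($MgmtSubnet) + (Get-ValidRdpExceptions)

# Narrow the remote scope of Windows' own "Remote Desktop" rule group (TCP/UDP 3389)
# rather than adding new rules, so the CSV stays the single source of truth.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $allowed -Enabled True

# Network Level Authentication: unauthenticated clients never reach the logon screen.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord

# CVE-2018-0886: after the March 2018 CredSSP update, AllowEncryptionOracle selects
#   0 = Force Updated Clients (refuse unpatched peers), 1 = Mitigated, 2 = Vulnerable.
# 0 on a server means clients that have not taken the update can no longer connect.
$credssp = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
New-Item -Path $credssp -Force | Out-Null
Set-ItemProperty -Path $credssp -Name AllowEncryptionOracle -Value 0 -Type DWord

# Review output: who can reach RDP now, and is NLA on?
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | ForEach-Object {
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Enabled       = $_.Enabled
        RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
    }
} | Format-Table -AutoSize
(Get-ItemProperty -Path $rdpTcp).UserAuthentication
```

Run it on a schedule: the expiry check only helps if the script is re-applied after the exception lapses, and re-applying it also reverts any scope that was widened by hand in the meantime.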
“Ensure applications are configured to log the proper level of detail for an incident response investigation.”
- The default configuration already provides significant information. See PI Data Archive monitoring in the LiveLibrary for details on all PI Data Archive monitoring capabilities through PI Message Logs, connection history, and Windows performance counters. PI System administrators can opt into PI Auditing, which records the data that is added, edited, or removed from database files, as well as other events or changes to configuration that occur in the PI Data Archive, to satisfy FDA Title 21 CFR Part 11 auditing requirements. See Auditing the PI Data Archive in the LiveLibrary for more information. Enabling PI Audit is not recommended unless the default monitoring is insufficient. PI AF Server client connectivity logging is covered in KB00412. PI AF Audit Trail is described in the Audit Trail implementation section of the LiveLibrary.
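The default PI Message Log is only useful for incident response if it is read regularly and a copy leaves the host. As an added example, not from the original post or OSIsoft, the script below pulls a day of messages with PowerShell Tools for the PI System, flags the entries a responder would look at first, and writes everything to a CSV a log-collector agent can pick up. It assumes the OSIsoft.PowerShell module is installed, that the caller's PI Identity can read the message log, and that the archive name, export path and text patterns are placeholders; the cmdlet and property names used are the ones the author recalls from that module and should be confirmed with Get-Help and Get-Member before relying on this.

```powershell
# Added example (not OSIsoft code): export and triage the PI Data Archive message log.
# Assumptions: OSIsoft.PowerShell module installed; archive PI-DA01; export to D:\PILogExport;
# cmdlet/property names (Connect-PIDataArchive, Get-PIMessage, Timestamp, Severity,
# ProgramName, Source, Message) as recalled from the module; verify with Get-Member.
Import-Module OSIsoft.PowerShell

function Export-PIMessageReport {
    param(
        [string]$PIDataArchive = 'PI-DA01',
        [int]$Hours = 24,
        [string]$OutDir = 'D:\PILogExport'
    )
    $con   = Connect-PIDataArchive -PIDataArchiveMachineName $PIDataArchive
    $end   = Get-Date
    $start = $end.AddHours(-$Hours)

    # Warning and above for the window; Information-level noise stays in the archive.
    $msgs = @(Get-PIMessage -Connection $con -StartTime $start -EndTime $end -Severity Warning)

    # Example text patterns for a first look (constructed for this example; tune to your site).
    $pattern = 'Unsuccessful login|Connection refused|access denied|Deleting connection|Failed to'
    $flagged = @($msgs | Where-Object { $_.Message -match $pattern })

    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $file = Join-Path $OutDir ('pimsg-{0}-{1:yyyyMMdd-HHmm}.csv' -f $PIDataArchive, $end)
    $msgs | Select-Object Timestamp, Severity, ProgramName, Source, Message |
        Export-Csv -Path $file -NoTypeInformation

    # Summary row: counts plus the programs generating the most flagged entries.
    [pscustomobject]@{
        Archive    = $PIDataArchive
        Window     = '{0:u} to {1:u}' -f $start, $end
        Messages   = $msgs.Count
        Flagged    = $flagged.Count
        TopSources = ($flagged | Group-Object ProgramName | Sort-Object Count -Descending |
                      Select-Object -First 5 | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join '; '
        ExportFile = $file
    }
}

Export-PIMessageReport -PIDataArchive 'PI-DA01' -Hours 24 -OutDir 'D:\PILogExport'
```

A scheduled run of this every few hours gives the central repository a continuous copy of the message log without enabling PI Audit, which is consistent with the guidance above to leave auditing off unless the default monitoring proves insufficient.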
“Consider implementing HIPS or other controls to prevent unauthorized code execution.”
- There are no known compatibility issues between Host Intrusion Prevention Systems and the PI System. Guidance for antivirus and antimalware solutions and the PI System is provided in KB01062.
“Establish least-privilege controls.”
- The Permissions required for tasks topic in the LiveLibrary describes the permissions required for common administration tasks. A practical role-based access implementation for Windows Integrated Security in the PI System is described in the PI Data Archive Field Service Technical Standard in KB01702.
“Based on the suspected level of compromise, reset all user, administrator, and service account credentials across all local and domain systems.”
- Because the PI System authenticates through Windows Integrated Security (PI Mappings to Windows principals), resetting or recreating those principals, in particular the service accounts under which PI System services, interfaces, and scheduled tasks run, will affect PI System components. If this course of action needs to be taken, please contact tech support so that important aspects of recovery relevant to the PI System are not overlooked.
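A credential reset usually fails not on the domain controller but on the host where a service or scheduled task still holds the old password. The script below is an added example, not from the original post or OSIsoft, that inventories those dependencies across the PI hosts before the reset so each one can be re-pointed deliberately (or moved to a group Managed Service Account) rather than found when it fails to start. It assumes placeholder host names and WinRM between the jump host and each PI server.

```powershell
# Added example (not OSIsoft code): inventory services and scheduled tasks on the PI
# hosts that run under accounts with stored passwords, grouped by account.
# Assumptions: host names are placeholders; WinRM is enabled to each host.
$PIHosts = 'PI-DA01', 'PI-AF01', 'PI-VISION01'

function Get-CredentialDependentAccounts {
    # Virtual accounts have no password to reset; anything else does.
    $builtin = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService',
                 'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE')

    Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -and $builtin -notcontains $_.StartName -and $_.StartName -notlike 'NT SERVICE\*' } |
        ForEach-Object {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME; Type = 'Service'
                Name = $_.Name; Account = $_.StartName; State = $_.State
            }
        }

    # LogonType 'Password' means the task stores credentials; S4U and Interactive do not.
    Get-ScheduledTask | Where-Object { $_.Principal.LogonType -eq 'Password' } |
        ForEach-Object {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME; Type = 'ScheduledTask'
                Name = $_.TaskName; Account = $_.Principal.UserId; State = $_.State
            }
        }
}

$inventory = Invoke-Command -ComputerName $PIHosts -ScriptBlock ${function:Get-CredentialDependentAccounts}

# Each row is one more place the new password has to be entered.
$inventory | Sort-Object Account, Computer | Format-Table Account, Computer, Type, Name, State -AutoSize

# Accounts used on more than one host are the ones most likely to be missed during the reset.
$inventory | Group-Object Account | Where-Object Count -gt 1 |
    Select-Object Name, Count, @{ n = 'Hosts'; e = { ($_.Group.Computer | Sort-Object -Unique) -join ',' } }

# Keep the list with the incident record so the post-reset verification has something to check against.
$inventory | Export-Csv -Path (Join-Path $env:TEMP 'pi-credential-dependencies.csv') -NoTypeInformation
```

Interfaces that authenticate to the PI Data Archive with their own Windows account, and any PI-to-PI or buffered connections, show up here as the services that run them; the list is the starting point for the conversation with tech support, not a substitute for it.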
“Create and participate in information sharing programs.”
- In accordance with our Ethical Disclosure Policy, we publish disclosure bulletins. You can subscribe to our alerts by following the procedure in KB01199. Our alerts are relayed a month later as ICS-CERT Advisories.
Hopefully the resources in this post help make the best practices relevant to this campaign more actionable for your PI System deployments.