Legacy OT assets that were not designed to defend against malicious cyber activities, combined with readily available information that identifies OT assets connected via the internet (e.g., Shodan, Kamerka), are creating a "perfect storm" of 1) easy access to unsecured assets, 2) use of common, open-source information about devices, and 3) an extensive list of exploits deployable via common exploit frameworks (e.g., Metasploit, Core Impact, and Immunity Canvas). In particular, CISA noted that malicious actors had taken to launching spearphishing attacks, deploying crypto-ransomware, and modifying control logic and parameters on PLCs, along with executing other techniques. Those and other tactics had resulted in the loss of productivity and revenue, reduced availability of assets on the OT network, and/or disruption to an organization's physical processes. Acknowledging those threats, CISA and NSA recommended that owners and operators of OT implement several security best practices. These include the following:
- Exercise an incident response plan: Additionally, organizations need to make sure they can respond to an incident in a timely manner. Towards that end, they need to have a plan that takes key roles and decision points into consideration. They can then test that plan by conducting tabletop incident response simulations.
- Monitor the OT network for potential threats: To provide an optimum level of security, organizations need to monitor the OT network for all instances of external access to the OT network. They should also monitor controllers for unauthorized change attempts.
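As an added illustration of the monitoring recommendation above (example code written for this page, not from the CISA/NSA advisory), the following script runs a simple detection pass over constructed OT flow records and flags the two conditions the text calls out: connections into the OT network from outside it, and Modbus write requests from hosts that are not authorized engineering workstations. The OT address range, the authorized-host list and the log format are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Assumptions constructed for this example: the OT network is 10.10.0.0/16,
# only the listed engineering workstation may write to PLCs, and each flow
# is logged as "timestamp src dst proto detail".
OT_NET = ipaddress.ip_network("10.10.0.0/16")
AUTHORIZED_ENGINEERING = {"10.10.5.20"}
# Modbus function codes that change coils/registers on the controller.
MODBUS_WRITE_CODES = {5, 6, 15, 16, 22, 23}

# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = """\
2020-07-23T09:00:01 10.10.5.20 10.10.1.7 modbus fc=16
2020-07-23T09:00:05 10.10.3.44 10.10.1.7 modbus fc=3
2020-07-23T09:01:10 203.0.113.9 10.10.1.7 modbus fc=6
2020-07-23T09:02:00 10.10.3.44 10.10.1.7 modbus fc=5
2020-07-23T09:03:00 198.51.100.4 10.10.1.9 tcp port=502
""".splitlines()


@dataclass
class Alert:
    when: str
    src: str
    dst: str
    reason: str


def analyze(lines):
    """Return alerts for external OT access and unauthorized PLC writes."""
    alerts = []
    for line in lines:
        when, src, dst, proto, detail = line.split()
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # 1) Any connection into the OT network from an address outside it.
        if dst_ip in OT_NET and src_ip not in OT_NET:
            alerts.append(Alert(when, src, dst, "external access to OT network"))
        # 2) Modbus carries no authentication, so the source host is the only
        #    basis for deciding whether a write is an authorized change.
        if proto == "modbus" and detail.startswith("fc="):
            fc = int(detail[3:])
            if fc in MODBUS_WRITE_CODES and src not in AUTHORIZED_ENGINEERING:
                alerts.append(Alert(when, src, dst,
                                    f"unauthorized write attempt (fc={fc})"))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_FLOWS):
        print(a)
```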