CISA and NSA Cybersecurity Advisory on Control System Defense

CISA and NSA Cybersecurity Advisory on Control System Defense

The Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA) released an advisory titled, “Control System Defense: Know the Opponent,” to help owners and operators better understand cyber actors’ commonly followed tactics, techniques, and procedures (TTPs) to compromise operational technology (OT) and industrial control systems (ICS). With this information, organizations can more effectively counter the adversary’s efforts to compromise their OT/ICS assets.

Cyber actors, including advanced persistent threat (ATP) groups, have targeted OT/ICS systems in recent years to achieve political gains, economic advantages, and possibly to execute destructive effects. Recently, they've developed tools for scanning, compromising, and controlling targeted OT devices.

Noting that traditional approaches to securing OT/ICS do not adequately address threats to these systems, NSA and CISA examine the TTPs cyber actors employ so that owners and operators can prioritize hardening actions for OT/ICS. Some of the actions CI owners and operators should apply include:

  • Limit exposure of system information including hardware, firmware, and software in any public forum.
  • Identify and secure remote access points through creating a connectivity inventory.
  • Restrict tools and scripts to legitimate users performing legitimate tasks on the control system.
  • Conduct regular and independent security audits of systems, especially of third-party vendor access points and systems.
  • Implement a dynamic network environment by making manageable network changes.

Defenders should review the advisory and employ the listed mitigations to limit unauthorized access, lock down tools and data flows, and deny malicious actors from achieving their desired effects. This advisory builds on NSA and CISA 2021 guidance provided to stop malicious ICS activity against connect OT, and 2020 guidance to reduce their OT exposure. For more information on CISA’s efforts to improve ICS cybersecurity, visit CISA’s role in industrial control systems webpage.

Your support to amplify this CSA through your communications and social media channels is appreciated. And as always, thank you for your continued collaboration.


Steve Lyddon
Protective Security Advisor, Region 5, Illinois
Cybersecurity and Infrastructure Security Agency
U.S. Department of Homeland Security
Cell:  217-299-3954 |