"NSA Publishes ICS/OT Intrusion Detection Signatures and Analytics"

The National Security Agency (NSA) has published a repository of tools to help critical infrastructure entities hunt for malicious activity in ICS and other OT environments. The GitHub repository, named Elitewolf, contains ICS/SCADA/OT-focused intrusion detection signatures and analytics intended to let defense industrial base (DIB), national security systems (NSS) and services, and other critical infrastructure owners and operators implement continuous system monitoring. NSA said the capability was released in response to increased cyber activity targeting critical infrastructure and internet-facing OT systems, and to nation states' exploitation of vulnerable OT systems and civilian infrastructure. NSA cautioned that the newly released signatures and analytics are not necessarily associated with malicious activity: a hit requires follow-up analysis to determine whether the observed activity is in fact malicious. The provided Snort rules are alerting rules, not blocking rules, and NSA said each hit must be investigated for accuracy. NSA noted that the rules have been tested, but every system can be configured differently, so operators should confirm that each signature triggers as expected in their own environment and adjust it as needed for their sensors and network. Critical infrastructure owners and operators that rely on ICS/SCADA/OT systems are encouraged to use the new capability as part of their system monitoring program to detect and identify potentially malicious activity.
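To make the "alerting, not blocking, and tune it for your environment" caveat concrete, here is a hypothetical Snort 2 local rule written for this page. It is not one of the Elitewolf signatures and is not taken from the article; the subnet values, the two ipvar names, and the SID are assumptions chosen for illustration. It assumes the Snort Modbus preprocessor is enabled, since that preprocessor supplies the modbus_func rule option.

```snort
# Hypothetical local rule, written for this page; it is NOT an Elitewolf
# signature. Values below are assumed and must be replaced with the
# operator's own plant addressing before the rule means anything.

# assumed: subnet holding the PLCs
ipvar PLC_NET [10.10.20.0/24]
# assumed: engineering workstations permitted to write to controllers
ipvar ENG_WORKSTATIONS [10.10.10.5,10.10.10.6]

# Alert (do not drop) when any host outside the engineering set issues a
# Modbus "write single register" to a PLC. A firing is a policy
# deviation to investigate, not proof of an attack: a new maintenance
# laptop doing a legitimate setpoint change trips it too.
alert tcp !$ENG_WORKSTATIONS any -> $PLC_NET 502 ( \
    msg:"ICS Modbus write to PLC from outside engineering subnet"; \
    flow:to_server,established; \
    modbus_func:write_single_register; \
    classtype:policy-violation; \
    sid:1000001; rev:1; )
```

The rule uses the alert action deliberately: in an OT network a false drop can halt a process, so the signature only raises an event and leaves the decision to an analyst. Before relying on it, validate the configuration with `snort -c snort.conf -T`, then replay a lab capture of a known write with `snort -c snort.conf -r capture.pcap -A console` and confirm the alert appears; if it does not, the ipvars, the port, or the preprocessor settings do not match the sensor's view of the traffic and need adjusting, which is the per-environment tuning NSA describes.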


SecurityWeek reports: "NSA Publishes ICS/OT Intrusion Detection Signatures and Analytics"

Submitted by Adam Ekwall on