The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert this week warning of ongoing Russian state-sponsored threats against critical infrastructure and providing guidance on how to reduce the risk.

But according to some industrial control system security experts, the CISA alert is too general to adequately protect critical infrastructure.

“It missed a critical point in the vulnerability and configuration management section,” wrote Eric Byres, founder and CTO at operational technology firm aDolus Technology, in an email.

“CISA says to update software and use a centralized patch management system, but they fail to mention the critical importance of validation or authentication before installing those patches,” he added. “There is no point updating a vulnerability with a malware-infested, counterfeit patch. Operators of critical infrastructure need to verify that the patch they’ve got in hand is safe to install and did indeed come from their vendor (and not a Russian agency).”
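Byres' point above, that a patch must be shown to be genuine before it is installed, comes down to two checks: is the manifest that lists the patch really from the vendor, and does the file in hand match what that manifest says. The following is an added example, not code from the article or from aDolus; the manifest layout, the pre-shared `VENDOR_KEY`, the patch bytes and the file name `plc-2.3.1.bin` are all constructed for the demo, and the HMAC stands in for the vendor's real code-signing or detached signature.

```python
"""Verify a vendor patch against an authenticated manifest before installing it.

Added example, not code from the article or from aDolus. The manifest format,
the pre-shared vendor key and the patch contents are constructed for this demo;
in production the manifest would carry the vendor's digital signature (code
signing or a detached PGP signature) rather than an HMAC with a shared key.
"""
import hashlib
import hmac
import json

# Constructed stand-in for a vendor key the operator obtained out of band.
VENDOR_KEY = b"constructed-demo-key-not-a-real-secret"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest(patches: dict) -> dict:
    """Build what the vendor would publish: filename -> digest, plus a MAC over it."""
    entries = {name: sha256_hex(blob) for name, blob in patches.items()}
    body = json.dumps(entries, sort_keys=True).encode()
    mac = hmac.new(VENDOR_KEY, body, hashlib.sha256).hexdigest()
    return {"entries": entries, "mac": mac}


def verify_patch(manifest: dict, name: str, blob: bytes) -> tuple:
    """Return (ok, reason). Refuse unless BOTH the manifest and the file check out."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected_mac = hmac.new(VENDOR_KEY, body, hashlib.sha256).hexdigest()
    # Constant-time compare so a forged manifest cannot be probed byte by byte.
    if not hmac.compare_digest(expected_mac, manifest.get("mac", "")):
        return False, "manifest authentication failed: not from the vendor"
    if name not in manifest["entries"]:
        return False, f"{name} is not listed in the vendor manifest"
    if not hmac.compare_digest(manifest["entries"][name], sha256_hex(blob)):
        return False, f"{name} digest mismatch: file altered or counterfeit"
    return True, "patch authenticated and intact; safe to stage for install"


# Constructed samples: one genuine patch, one tampered copy, one forged manifest
# that lists the tampered file's correct digest but has no valid vendor MAC.
GENUINE = b"PLC firmware 2.3.1 patch payload (constructed)"
TAMPERED = GENUINE + b"\x00extra"
MANIFEST = make_manifest({"plc-2.3.1.bin": GENUINE})
FORGED = {"entries": {"plc-2.3.1.bin": sha256_hex(TAMPERED)}, "mac": "0" * 64}

if __name__ == "__main__":
    for label, man, blob in [("genuine", MANIFEST, GENUINE),
                             ("tampered", MANIFEST, TAMPERED),
                             ("forged manifest", FORGED, TAMPERED)]:
        ok, reason = verify_patch(man, "plc-2.3.1.bin", blob)
        print(f"{label:16s} -> {'INSTALL' if ok else 'REJECT'}: {reason}")
```

The order of the checks matters: the manifest is authenticated first, so a counterfeit manifest that correctly lists a counterfeit file's digest still fails, which is exactly the case a file-hash check on its own would wave through.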

The joint security advisory by CISA, the FBI, and the NSA doesn’t highlight a time-sensitive risk to a specific sector or warn of a particular piece of malware being used or vulnerability being targeted by Russian state-sponsored actors.

However, Shift5 CEO Josh Lospinoso said there’s a reason CISA issued the alert this week. “This CISA alert is clearly prompted by the diplomatic talks between Biden and Putin,” he wrote in an email.

What Prompted CISA’s Alert?

“CISA’s strategy with this alert is to prepare critical organizations for anticipated Russian cyber activity and hopefully mitigate potential fallout, which will likely take the form of espionage or cyber-physical attacks,” Lospinoso said. “Russian threat groups, in particular, are known for persistence and stealth as opposed to other geopolitical cyber adversaries like Iran, China and North Korea.”

In addition to co-founding the OT security company, Lospinoso is a former U.S. Cyber Command officer who pioneered red-team operations there and studied Russian methods for more than a decade. For part of that time he worked under CISA Director Jen Easterly.

Easterly “intimately understands the tactics, techniques and procedures (TTPs) of nation-state actors,” Lospinoso said, adding “that is informing this CISA alert. The callout of NSA and FBI as co-authors leads me to wonder what TTPs and CVEs have been omitted, whether that omission is due to the United States’ own TTPs or a desire not to tip our hand about our own intelligence gathering activities against Russian APTs.”

Russian state-sponsored advanced persistent threat (APT) actors use “common but effective” tactics including spearphishing, brute force, and exploiting known vulnerabilities to gain access to target networks, the alert says.

The attackers also have been known to specifically target OT and industrial control system networks with destructive malware, it adds.

“The alert recaps much of what has been publicly available in one central spot. For example, the HAVEX malware dates back 8 years,” Dragos VP Ben Miller wrote in response to questions. “So while it’s not detailing new attacks, it is a strong reminder that OT/ICS attacks are only increasing, and we don’t need to panic but do need to prioritize maturing our OT/ICS security programs.”

Intelligent Vulnerability Response, Better Visibility

To detect malicious activity in an enterprise or cloud environment, the alert encourages critical infrastructure organizations to implement robust log collection and retention and look for behavioral evidence and host-based artifacts from known Russian state-sponsored tactics, techniques, and procedures that are listed in the alert.

It also highlights best practices for identity and access management, protective controls and architecture, and vulnerability and configuration management. This includes updating software and firmware “in a timely manner,” and prioritizing patching of known exploited vulnerabilities — especially ones identified in the advisory.

To help prioritize patches, “asset owners should be using resources like SBOMs and VEX documents,” wrote Ron Brash, VP of technical research at aDolus. He’s referring to software bills of materials (SBOMs) and the Vulnerability Exploitability eXchange (VEX), which NTIA describes as a “companion artifact” to an SBOM.

VEX “is the idea that product manufacturers and software suppliers can discover (using tools like FACT) vulnerabilities within third-party dependencies of their products and preemptively assess the exploitability of these vulnerabilities,” according to an aDolus blog. “This is important because not all vulnerabilities merit panic.”

aDolus worked with ICS vendors to produce VEX documents in response to the Log4j vulnerability, Brash added. “This kind of effort highlights the advantage of intelligent vulnerability response versus blanket knee-jerk patch everything statements.”
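The "intelligent vulnerability response" Brash describes is a join between three inputs: the SBOM (what is actually in the product), a vulnerability feed (what is known to be broken, and whether it is known to be exploited), and the vendor's VEX statements (whether the vulnerability is reachable in this product). The following is an added example, not code from the article, aDolus, NTIA or any VEX tooling; the SBOM, feed and VEX statements are constructed, the CVE ids are placeholders, and the status vocabulary (`affected`, `not_affected`, `fixed`, `under_investigation`) is a simplified form of what real VEX formats carry.

```python
"""Prioritize patching from an SBOM plus VEX statements.

Added example, not code from the article, aDolus, NTIA or any VEX tool. All data
below is constructed; CVE ids are placeholders; the status vocabulary is a
simplified form of real VEX statuses.
"""

# Constructed SBOM: the components an operator's product is built from.
SBOM = [
    {"name": "log-lib", "version": "2.14.0"},
    {"name": "web-framework", "version": "5.1.2"},
    {"name": "json-parser", "version": "1.0.9"},
    {"name": "tls-stack", "version": "3.0.1"},
]

# Constructed vulnerability feed: which (component, version) each entry applies
# to, and whether it appears on a known-exploited list.
VULN_FEED = [
    {"id": "CVE-PLACEHOLDER-1", "component": "log-lib", "version": "2.14.0", "known_exploited": True},
    {"id": "CVE-PLACEHOLDER-2", "component": "web-framework", "version": "5.1.2", "known_exploited": False},
    {"id": "CVE-PLACEHOLDER-3", "component": "json-parser", "version": "1.0.9", "known_exploited": True},
    {"id": "CVE-PLACEHOLDER-4", "component": "tls-stack", "version": "3.0.1", "known_exploited": False},
    {"id": "CVE-PLACEHOLDER-5", "component": "old-lib", "version": "0.1", "known_exploited": True},
]

# Constructed VEX statements from the product vendor. No statement exists for
# CVE-PLACEHOLDER-4: the vendor has not assessed it yet.
VEX = [
    {"id": "CVE-PLACEHOLDER-1", "component": "log-lib", "status": "affected"},
    {"id": "CVE-PLACEHOLDER-2", "component": "web-framework", "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path"},
    {"id": "CVE-PLACEHOLDER-3", "component": "json-parser", "status": "fixed"},
]

PRIORITY_ORDER = ["patch_now", "patch_scheduled", "investigate", "no_action"]


def match_sbom(sbom, feed):
    """Keep only feed entries that hit a (component, version) actually in the SBOM."""
    present = {(c["name"], c["version"]) for c in sbom}
    return [v for v in feed if (v["component"], v["version"]) in present]


def triage(sbom, feed, vex):
    """Combine SBOM matches with VEX status into a priority bucket per vulnerability."""
    statements = {(s["id"], s["component"]): s for s in vex}
    result = {}
    for v in match_sbom(sbom, feed):
        stmt = statements.get((v["id"], v["component"]))
        # Missing statement: treat as unassessed rather than silently ignoring it.
        status = stmt["status"] if stmt else "under_investigation"
        if status in ("not_affected", "fixed"):
            bucket = "no_action"      # vendor says unreachable or already fixed in this version
        elif status == "affected":
            bucket = "patch_now" if v["known_exploited"] else "patch_scheduled"
        else:
            bucket = "investigate"    # no vendor assessment yet: chase it, don't panic-patch
        result[v["id"]] = {
            "bucket": bucket,
            "status": status,
            "component": v["component"],
            "justification": (stmt or {}).get("justification"),
        }
    return result


def ordered(result):
    """Return (id, record) pairs, most urgent first."""
    return sorted(result.items(), key=lambda kv: PRIORITY_ORDER.index(kv[1]["bucket"]))


if __name__ == "__main__":
    for vuln_id, rec in ordered(triage(SBOM, VULN_FEED, VEX)):
        print(f"{rec['bucket']:16s} {vuln_id}  {rec['component']}  ({rec['status']})")
```

Note what the join does to the "patch everything" instinct: one known-exploited entry (CVE-PLACEHOLDER-3) drops to no action because the vendor's VEX says this version is already fixed, while the entry with no VEX statement at all lands in an investigate bucket instead of being forgotten, and a feed entry for a component not in the SBOM never appears.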

It also highlights the need for better visibility across OT environments, Miller said.

“CISA’s recommendations are exhaustive, which isn’t necessarily wrong but certainly not easy to digest,” he said. “Breaking it down, it largely maps to what Dragos regularly finds in customer environments: The need for stronger visibility and logging within the OT environments and response playbooks specifically for OT equipment and facilities. We need to gain visibility in our most critical areas in order to defend them.”