The Dragos Blog

10.17.23 | 5 min read

The Critical Role of Cyber Threat Intelligence in Today’s ICS/OT Threat Landscape

The threat of predation imposes pressure on organisms to develop instincts that help identify threats, employ effective strategies to prevent predators from attacking, and engage in tactics that will increase chances of surviving an attack if it does occur. In nature, species develop these capabilities over time through a selective evolutionary process. Industrial organizations face the same pressure, but the evolution of industrial control systems (ICS) and operational technology (OT) cybersecurity is measured in weeks, months, and years, not millennia. Instead of operating on instinct, industrial organizations rely on cyber threat intelligence to identify threats on the horizon, deploy effective countermeasures, and be ready to respond if an attack occurs – with no OT company left behind.

Operational technology (OT) is the backbone of many industries, driving critical processes and systems. The convergence of OT and IT systems and the rapidly evolving threat landscape have pushed the importance of ICS/OT threat intelligence to the forefront. Here's what cyber threat intelligence means, how to use it in your converged OT and IT cybersecurity operations, and the indispensable role of Dragos Threat Intelligence in today's evolving industrial threat landscape.

Behind the Buzzword: What Is Cyber Threat Intelligence?

Threat intelligence is not a catch-all term, but it’s increasingly used that way. True cyber threat intelligence casts a wide net. It aggregates data from a myriad of external sources, including open-source and dark web research, telemetry, industry reports, and information shared across the global cybersecurity community. On its own, this information does not qualify as intelligence – it’s just data until analysis is applied.

Ultimately, threat intelligence involves finished tactical, operational, and strategic products destined for use across several different settings and audiences. This holistic approach provides a richer, more predictive understanding of the cyber threat landscape, enabling whole organizations to anticipate, prepare for, and counteract not just known threats, but also emerging and potential ones.

Real-World Applications: ICS/OT Threat Intelligence at Work

Dragos leads the industrial threat intelligence market using knowledge and skills gained from hunting adversaries, deconstructing malware, analyzing vulnerabilities, and engineering threat detections, all with a focus on ICS/OT.

Here’s how to utilize Dragos Threat Intelligence across four key areas of your cybersecurity operations.

Integrating OT IOCs in Your OT SOC

OT adversaries compromise IT networks in industrial infrastructure to enable a pivot to OT, but IT cybersecurity personnel often lack the ICS/OT knowledge and data to spot the activity.

  • Understanding the Context: IT Security Operation Centers (SOCs) can use OT-specific Indicators of Compromise (IOCs) to identify threats contextualized for OT environments. IOCs are used to set up tailored alerts in your SIEM (Security Information and Event Management), TIP (Threat Intelligence Platform), or SOAR (Security Orchestration, Automation, and Response) tools. This aids in differentiating between noise, generic threats, and those specifically targeting OT.
  • Block Phishing Lures: Employ these IOCs to identify and block potential phishing lures that might exploit vulnerabilities in your systems, bolstering your defense against targeted phishing campaigns.
  • Enhance Collaboration: Empower your IT SOC team with specialized OT knowledge. This bridges the gap between IT and OT teams and supports a coordinated response to threats in both realms.

Dragos WorldView Indicators ensure that threats to OT that start in IT systems won’t go unnoticed. When combined with other data in an existing SIEM/TIP, IOCs provide an early warning of possible risks to industrial operations, even without a lot of ICS/OT knowledge.

The Dragos Threat Intelligence team collects, analyzes, and delivers a maintained feed of IOCs relevant to industrial organizations. They are contextualized so IT-focused teams can identify industrial threats before they gain access to OT networks.
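As an added illustration of the SIEM/TIP use case above (this is example code written for this page, not Dragos code, and the indicator set and log lines are constructed rather than real feed data or telemetry), the script below runs proxy and mail-gateway events against a small indicator set. Each indicator carries the analyst context it was delivered with and a flag for whether it is tied to OT-targeting activity; a hit on an OT-relevant indicator is escalated, while a hit on commodity infrastructure is ticketed. Domain indicators match subdomains, hashes match case-insensitively, and the key=value log format is an assumption standing in for whatever your SIEM ingests.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Ioc:
    kind: str          # "domain", "ipv4" or "sha256"
    value: str
    context: str       # analyst context shipped with the indicator
    ot_relevant: bool  # True when the feed ties it to OT-targeting activity


# Constructed indicators standing in for an OT-focused feed (not real Dragos data).
IOCS = [
    Ioc("domain", "firmware-update.example-bad.test",
        "lure site impersonating a PLC vendor download portal", True),
    Ioc("ipv4", "203.0.113.45",
        "command-and-control address used in intrusions against utilities", True),
    Ioc("sha256", "ab12" * 16,
        "ICS-themed phishing attachment (constructed hash)", True),
    Ioc("domain", "cdn.generic-adware.test",
        "commodity adware distribution, no OT targeting observed", False),
]


def _parse_kv(line):
    """Parse 'k=v k2=v2' log lines (the constructed log format used here)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def _domain_matches(observed, indicator):
    """Exact match or any subdomain of the indicator, case-insensitive."""
    observed = observed.lower().rstrip(".")
    return observed == indicator or observed.endswith("." + indicator)


def match_event(event):
    """Return the IOCs a single parsed event hits."""
    hits = []
    for ioc in IOCS:
        if ioc.kind == "domain":
            for field in ("dst_host", "sender_domain", "url_host"):
                if field in event and _domain_matches(event[field], ioc.value):
                    hits.append(ioc)
                    break
        elif ioc.kind == "ipv4":
            if event.get("dst_ip") == ioc.value:
                hits.append(ioc)
        elif ioc.kind == "sha256":
            if event.get("sha256", "").lower() == ioc.value:
                hits.append(ioc)
    return hits


def triage(lines):
    """Run every log line against the indicator set and emit contextualized alerts."""
    alerts = []
    for line in lines:
        event = _parse_kv(line)
        for ioc in match_event(event):
            alerts.append({
                "ts": event.get("ts"),
                "src": event.get("src") or event.get("recipient"),
                "indicator": ioc.value,
                "severity": "high" if ioc.ot_relevant else "medium",
                "action": "block_and_escalate" if ioc.ot_relevant else "ticket",
                "context": ioc.context,
            })
    return alerts


# Constructed proxy and mail-gateway events, not real telemetry.
SAMPLE_LOGS = [
    "ts=2023-10-12T08:14:02Z src=10.20.1.15 dst_host=www.firmware-update.example-bad.test dst_ip=198.51.100.7 action=allowed",
    "ts=2023-10-12T08:15:40Z src=10.20.1.15 dst_host=telemetry.vendor.test dst_ip=203.0.113.45 action=allowed",
    "ts=2023-10-12T08:20:11Z src=10.20.3.8 dst_host=cdn.generic-adware.test dst_ip=192.0.2.9 action=allowed",
    "ts=2023-10-12T09:02:55Z recipient=ops-engineer@plant.example sender_domain=mail.example.test "
    "sha256=" + "AB12" * 16 + " action=delivered",
    "ts=2023-10-12T09:10:00Z src=10.20.4.2 dst_host=intranet.plant.example dst_ip=10.0.0.5 action=allowed",
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOGS):
        print(alert)
```

The first, second and fourth events each hit an OT-relevant indicator (a subdomain of the lure site, the C2 address behind an innocuous-looking hostname, and the attachment hash despite its uppercase hex) and are escalated; the adware hit is ticketed; the intranet request produces nothing. The same pattern maps directly onto a SIEM correlation rule or a TIP enrichment: the indicator's context string is what lets an IT analyst without ICS background tell an OT-targeting hit from noise.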

Using Corrected CVE Scores & Alternatives to Patching for OT

A steady stream of vulnerabilities creates a major challenge for OT defenders, especially when working off CVSS scores and mitigation advice ill-suited for ICS/OT environments.

  • Assessing Real-World Impact: Traditional Common Vulnerability Scoring System (CVSS) scores might not capture the nuances of OT systems. Using corrected, accurate scores can provide a clearer picture of the risk in an OT context.
  • Alternatives to Patching: Given that OT systems can’t always be patched immediately, due to operational requirements, consider alternatives. This includes network segmentation, deploying detection systems, or implementing multi-factor authentication (MFA).
  • Prioritizing Patching: When patching is feasible, use corrected CVE scores to prioritize which vulnerabilities to address first, ensuring the most critical OT vulnerabilities are handled promptly.

The Dragos Threat Intelligence team tests all ICS vulnerabilities on physical devices to provide correct and enriched information in the context of ICS/OT environments. This information is delivered in full through Dragos WorldView and codified in the Dragos Platform for vulnerability detection in facilities where sensors are in place. OT defenders can focus on what is most impactful and address first the vulnerabilities that are easy to exploit or already being exploited.

When it comes time to respond, alternative mitigations are included for all ICS/OT vulnerabilities to sidestep the hassle of patching in OT environments where devices performing critical functions simply cannot go offline.

Cybersecurity Planning & Risk Management

Keeping track of ICS/OT threats takes considerable time and specialized knowledge; it requires collection and analysis of large amounts of data. This can represent a burden and may be out of reach for many industrial organizations.

  • Informed Risk Assessment: Utilize OT threat intelligence to assess and understand the specific threats and vulnerabilities related to your OT environment. This offers a clearer picture of your risk posture.
  • Strategic Planning: Incorporate OT-specific threats and vulnerabilities into your cybersecurity strategy. This ensures you're not just focusing on IT threats but also addressing OT-specific risks.
  • Stakeholder Engagement: By demonstrating an understanding of OT-specific risks, OT cybersecurity teams can engage more effectively with IT teams and executives, fostering collaboration to secure today and thrive tomorrow.

Dragos WorldView is more than a threat intelligence feed. Every piece of information is contextualized by the Dragos Threat Intelligence team and then packaged according to the needs and actions of the specific audiences responsible for safeguarding industrial infrastructure. This includes a wide range of regularly scheduled strategic reports as well as unscheduled advisories.

Proactive Measures: Threat Hunts & Incident Response Planning

The typical ICS/OT adversary can take many months, and even years, to achieve their goals. Given that 80 percent of industrial organizations have limited or no visibility of their ICS/OT environments, unless defenders know what to look for, adversaries can stay hidden for quite a long time.

  • Intel-Driven Threat Hunting: With OT threat intelligence, your threat hunting initiatives can be more focused. Look for patterns and TTPs (Tactics, Techniques, and Procedures) and Indicators of Compromise (IOCs) specific to OT adversaries.
  • Incident Response Playbooks: Design incident response playbooks tailored to OT scenarios. This ensures that if an incident occurs, the response is swift, coordinated, and aligned with the unique requirements for OT systems.
  • Training and Drills: Use OT threat intelligence to simulate real-world attack scenarios during training exercises. This prepares your teams for actual incidents, ensuring they have the skills and knowledge to respond effectively.

Dragos WorldView delivers detailed technical reports on adversary TTPs, OT Indicators of Compromise (IOCs), ICS-specific malware capabilities, and vulnerabilities used to compromise industrial infrastructure.

Drawing on the diverse skill sets of threat discovery teams that hunt adversaries, vulnerability researchers, and malware analysts, the Dragos Threat Intelligence team provides the technical detail needed to understand how threats behave in OT environments, where to find them, and what to do if a compromise is found.

Navigate the Cyber Threat Landscape with Dragos WorldView Threat Intelligence

The increasing convergence of IT and OT makes the role of OT threat intelligence vital. By understanding OT-specific insights across these use cases, organizations can bolster their security posture, ensuring the availability of critical systems. As industrial cybersecurity threats continue to evolve, a proactive, informed approach will be key to staying one step ahead in an increasingly vulnerable world.

Dragos WorldView is an annual subscription service that delivers actionable analyst-driven cyber research and reports on adversary threats, malware, and vulnerabilities impacting industrial sectors. With a primary focus on adversary activity and capabilities used in operational technology networks and industrial control systems environments, Dragos WorldView also provides threat intelligence on early-stage adversary activities to help bridge the visibility gap between OT and IT teams. The outcome – finished threat intelligence that is packaged and delivered for use across multiple settings and audiences. Dragos Threat Intelligence indicators, vulnerabilities, and detections are codified for operational technology facilities leveraging the Dragos Platform.

Get free sample reports of Dragos WorldView to see the types of intelligence we provide.
