This blog is an executive summary of Dragos Year in Review reports. Read the full reports at dragos.com/year-in-review-2019/
Throughout 2019, Dragos observed an increase of threats targeting industrial organizations. Adversaries continue to adapt and mature, gaining advanced capabilities to attack industrial control systems. These adversaries remain largely unchecked by industrial defenders, stemming from a combination of both a lack of visibility in industrial environments, as well as a lack of understanding and communication around the potential impacts of cybersecurity incidents on control systems environments.
Understanding today’s evolving cyber threat landscape–through a deep understanding of how adversaries behave and the potential operational, safety, and financial impacts they can cause–is vital for the industrial control systems (ICS) community to raise the bar in cybersecurity and secure the resources needed to effectively protect the processes civilization depends on daily.
Dragos’ Year in Review reports are a collection of our team’s first-hand experience hunting, analyzing, and combatting industrial adversaries that provide the asset owner and practitioner community actionable defensive recommendations to operationalize in their daily security roles in order to reduce the overall risks associated with protecting our critical infrastructure.
KEY FINDINGS FROM DRAGOS YEAR IN REVIEW
Industrial Controls System (ICS) Vulnerabilities: Year in Review
438 ICS vulnerabilities—reported by a variety of sources, including independent researchers, vendors, and ICS-CERT—were assessed by Dragos vulnerability analysts. This analysis concluded:
- 77% of assessed vulnerabilities were considered “deep within” a control systems network, requiring some existing access to a control systems network to exploit.
- 9% of advisories applied to products generally associated with systems bordering the enterprise, which could facilitate initial access into operations.
- 26% of advisories had no patch available when the initial advisory came out, presenting a challenge for users trying to take action on the published vulnerability.
- 30% of advisories published incorrect data preventing operators from accurately prioritizing patch management.
- 40% of advisories applied to engineering workstation and operator station software requiring user interaction, or internet connectivity, to exploit, which may be rare and difficult depending on the industry.
Industrial Control System (ICS) Threat Landscape and Activity Groups: Year in Review
In 2019, Dragos identified three new activity groups targeting ICS entities globally, increasing the total count to 11 activity groups. Threat proliferation contributed greatly to increased risk, as entities expanded targeting and capabilities specifically focused on ICS organizations.
- Third-party and supply chain threats are increasing, including threats to telecommunications, managed service providers, and backbone internet service providers.
- Ransomware and commodity malware, like Ryuk and Emotet, remain threats to industrial operations. This type of malware can potentially bridge the IT/OT gap to disrupt operations.
- Common tactics such as phishing, password spraying, and watering holes remain popular and effective as initial access vectors into industrial organizations.
- Adversaries are increasingly targeting remote connectivity such as virtual private networks (VPNs), vendor and business management integrations, remote desktop connections, and managed service providers.
- Escalating geopolitical tensions increase the chance that offensive cyber effects operations against ICS will be employed more regularly, putting critical infrastructure and human life at higher risk
- Dragos team helped MITRE establish the ATT&CK Framework for ICS, which helps defenders better understand threat behaviors affecting industrial environments and develop defensive strategies.
Lessons Learned from the Front Lines of ICS Cybersecurity: Year in Review
From the proactive and responsive professional services performed—including threat hunts, incident response engagements, vulnerability assessments, and more—Dragos found:
- 76% of organizations could not detect Dragos’ Red Team activities
- 0% of IR cases were facilitated by aggregated logging or visibility into the ICS networks. Every incident required manual retrieval of logs and distributed analysis
- 100% of organizations had routable network connections into their operational environments
- 71% of organizations assessed had poor security perimeters, allowing the Dragos Red Team to traverse and gain access into the ICS networks
- 66% of incident response (IR) cases involved adversaries directly accessing the ICS network from the Internet
From these key findings, Dragos’ Year in Review concludes that threats to industrial environments are continuing to rise, adversaries are becoming more sophisticated with their tactics, techniques, and procedures, and organizations continue to lack critical visibility of the impacts these adversaries can have on their operations.
But defense is doable; whether organizations have mature ICS cybersecurity strategies or are just getting started down the path of better ICS cybersecurity defense, there are strategies that can be operationalized and implemented in order to reduce risk and prevent attackers from causing significant—potentially life-threatening—impacts.
KEY RECOMMENDATIONS TO IMPROVE INDUSTRIAL CYBERSECURITY DEFENSES
- Operationalize threat intelligence
- Threat intelligence informs operations beyond cybersecurity. Knowledge about adversaries’ tactics, techniques, and procedures can inform business continuity and remediation plans in the event of a cyberattack.
- Understand your ICS/OT environment
- Gain critical visibility of your industrial assets and their communications. You cannot protect what you do not know, and deep visibility of your environment is the prerequisite to identifying and responding to potential threats.
- Deploy ICS-specific monitoring technology mappable to the MITRE ATT&CK Framework for ICS
- ICS environments provide unique assets, configurations, processes, data, protocols, and many other distinctive characteristics that significantly hamper traditional IT enterprise products from performing effectively. It is insufficient to use an “IT” approach to achieve ICS defensibility.
- Dragos and MITRE created a framework specifically for ICS to identify behaviors and methods targeting operations environments. Those behaviors and methods are mapped to detections in the Dragos Platform technology to ensure defenders have a holistic view of the threat landscape and the advanced capabilities to monitor and detect threats.
- Prioritize defense of your “Crown Jewels”
- An attacker looking to achieve specific objectives will target an organization’s crown jewels, or the highest-valued assets that, if compromised, could cause major impact to the organization.
- Implement a risk-based cybersecurity approach
- Understand the potential impacts a cybersecurity incident can have on your organization and operations. By understanding this, you can plan and invest according to the associated risks (e.g., accurately scoped ICS security controls, tailored threat hunting, regular security assessments, and services customized to your organization’s unique environment and needs).