Dragos hosted our annual Year in Review webinar discussing research, trends, and vulnerabilities in industrial control system (ICS) cybersecurity in 2019. The findings came from three reports: one providing an overview of the ICS threat landscape and activity groups targeting this space, a vulnerability report that included assessed data from over 400 vulnerabilities affecting ICS, and findings from Dragos’ incident response and penetration testing team that worked with industrial infrastructure companies around the world to respond to and prevent cybersecurity events.
Dragos Vice President of Professional Services and R&D Ben Miller, Senior Vulnerability Analyst Kate Vajda, and Cyber Threat Intelligence Analyst Selena Larson joined Dragos Vice President of Threat Intelligence Sergio Caltagirone in conversation about key findings from each report.
The discussion covered attack trends and adversary behaviors Dragos observed in threat hunting and incident response, including the proliferation of threats that now target multiple industrial sectors. Additionally, panelists discussed key behaviors observed in victim environments, including the 66% of incident response cases involving adversaries accessing ICS networks directly from the Internet.
Dragos panelists received a number of questions from the audience, many of which we were unable to answer live during the webinar. However, we collected them all and they are answered below.
Q: One of the interesting findings in the report is the fact that 0% of the incidents had aggregated logs for you to look at. Would you go so far as to say that simply gathering and looking at logs would help detect adversaries or reduce dwell time in OT networks? Similar question about EDR – do you expect EDR tools to be useful in OT environments? Or would that add too much surface area of attack, and we’d be better off continuing to use EDR in IT only? Does aggregated logging become more important than other controls? (I’m very glad you called it out in the reports.)
A: Yes – there are so many native tools that are not being leveraged. Defenders can live off the land, too! That means you can take the native capabilities that already exist on Windows, networking gear, or other software to your advantage. The challenge is that most OT specific tools haven’t enabled that, but the Dragos Platform does. -Ben
Q: What guidance do you offer to protect against supply chain attacks on software patches?
A: Here are a few best practices: Always have a central location to get patches from a vendor, and get a hash with the proper software so you know that it hasn’t been modified. Additionally, make sure the communication from where the patches are stored is encrypted in transit and at rest (and make sure the vendors have a similar security policy or process for creating and storing patches). -Ben
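The hash check in the answer above, worked through as an added example (not code from Dragos or the webinar): a vendor publishes a SHA256SUMS-style manifest, the downloaded patch files are hashed locally, and installation is only allowed when every file matches. The manifest format, file names and file contents are constructed for the example; the point a practitioner should take from it is that the manifest has to come over a channel separate from the patch files themselves, and that a malformed manifest is rejected rather than skipped.

```python
import hashlib
import hmac
import re

HEX_SHA256 = re.compile(r"^[0-9a-f]{64}$")


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string (the value a vendor would publish)."""
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse a 'SHA256SUMS'-style manifest: one '<hex>  <filename>' per line.
    A malformed digest raises instead of being silently skipped, so a
    corrupted or truncated manifest cannot quietly reduce coverage."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or not HEX_SHA256.match(parts[0].lower()):
            raise ValueError(f"manifest line {lineno} is malformed: {line!r}")
        entries[parts[1].strip()] = parts[0].lower()
    return entries


def verify_patches(files: dict, manifest: dict) -> dict:
    """Compare each downloaded file (name -> bytes) against the manifest.
    Returns a per-file verdict: 'ok', 'mismatch' or 'missing'."""
    verdicts = {}
    for name, expected in manifest.items():
        if name not in files:
            verdicts[name] = "missing"
            continue
        actual = sha256_hex(files[name])
        # compare_digest keeps the comparison constant-time
        verdicts[name] = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
    return verdicts


def all_verified(verdicts: dict) -> bool:
    """Install gate: every manifest entry present and matching."""
    return bool(verdicts) and all(v == "ok" for v in verdicts.values())


# Constructed sample data: the vendor's manifest plus the files as they arrived.
# The manifest is built from the known-good bytes, standing in for the copy
# that would be fetched from the vendor's portal over a separate channel.
GOOD_FIRMWARE = b"\x7fELF-constructed-firmware-image-v1.2"
GOOD_HMI = b"MZ-constructed-hmi-update"
VENDOR_MANIFEST = (
    "# constructed manifest\n"
    f"{sha256_hex(GOOD_FIRMWARE)}  firmware_1_2.bin\n"
    f"{sha256_hex(GOOD_HMI)}  hmi_update.exe\n"
    f"{sha256_hex(b'constructed-driver')}  driver.sys\n"
)
DOWNLOADED = {
    "firmware_1_2.bin": GOOD_FIRMWARE,
    "hmi_update.exe": GOOD_HMI + b"\x00tampered",  # modified in transit
    # driver.sys never arrived
}

if __name__ == "__main__":
    verdicts = verify_patches(DOWNLOADED, parse_manifest(VENDOR_MANIFEST))
    for name, verdict in verdicts.items():
        print(f"{name}: {verdict}")
    print("install allowed:", all_verified(verdicts))
```

Running it reports firmware_1_2.bin as ok, hmi_update.exe as a mismatch and driver.sys as missing, so the install gate stays closed. A hash only proves the file matches what the vendor published; it says nothing about whether the vendor's own build was clean, which is why the answer also asks about the vendor's process.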
Q: What are the datapoints that you use to determine probability or likelihood of a threat occurring?
A: We focus more on the consequence component; we’ve found that teams largely don’t understand what a medium or high consequence threat looks like so it becomes an educational effort. We have a whitepaper on this called ‘Improving OT Defense and Response with Consequence-Driven ICS Cybersecurity Scoping’ on dragos.com. -Selena
Q: In reviewing your ICS Vulnerabilities report, I see you have Loss of View and Loss of Control impact types. But you are missing the Loss of Protection impact type. Had TRISIS been ‘successful’ it would have been a Loss of Protection incident?
A: When we consider a hard loss, it includes both loss of control and loss of protection. We recognize that there are differences, but we do lump them together in these numbers. -Ben
Q: As IT security reaches into the OT environment for management of security, how do we talk traditional IT security folks out of the mindset that constant software/firmware patching will solve inherent risks of the ICS environment due to the ‘insecure by design’ reality of ICS infrastructure? I find that there is a severe disconnect between experienced ICS/OT folks and IT folks on this subject.
A: Unfortunately it’s never a straightforward answer because it involves people. It’s SUPER important that everyone works together. I think in a lot of cases the vision has to be there from management that everyone will play nicely, while also still providing them the truth (not FUD) about the risks within the environments. IT is often a well-oiled machine when handling IT-security related issues, but trying to slam those techniques into OT is only going to break relationships (and possibly the process) instead of building them.
I think it’s very important that you have your security team open their hearts and minds and put themselves into ‘learning mode’ when entering a plant and meeting OT personnel. No OT person likes to be told that their system is broken; they’ve been caring for and feeding it for possibly decades, and they deserve to be respected, regardless of how bad their plant may look from an IT perspective. Trust has to be earned as well. It’s more important that trust is built between the teams so that IT security is called when a potential cyber-related incident takes place, instead of working around whatever the issue is (as most people in that space are willing to do). To be secure in OT, you have to make the secure option the easiest option. That means not causing a big commotion when basic IT security controls aren’t met, but instead understanding and training on the easy/right way to proceed.
Patching in OT is something that IT people like, mostly because it’s easy to measure and show improvement (or not). But the ROI on patching these devices just might not be there. Let’s say a Modicon controller has a vulnerability that allows you to configure the device remotely and a patch comes out that fixes the web certificate of the device. Fixing the certificate is generally to stop man-in-the-middle attacks, where the attacker is already on the same network as the controller. If you haven’t mitigated the first vulnerability, mitigating the second one doesn’t mean anything. And in some cases, the ‘bugs’ that were identified are part of the “feature” set in OT and are needed for the functionality of the device.
Some patching is good, especially if vendors have approved it, etc., but focusing solely on patching, when you could be documenting what protocols are in use and monitoring for abnormalities, is a mistake: those practices can protect you against the forever-days that the devices are vulnerable to. -Ben
Q: As Dragos has grown over the last year and increased its customer base, have there been any surprises in how ICS networks are set up around the world? Non-intuitive commonalities or differences by geographic region or sector?
A: I still am surprised at default deployment guides and the latest software revisions and their state of security. Some areas have inched forward, but the maturity around service accounts, passwords, and PKI material is still largely not very good. -Ben
Q: What is the best way to discover if ICS activity groups have launched a campaign in my network?
A: At Dragos, we use a number of resources to hunt for and identify threats to ICS. From a threat intelligence perspective, it’s important to move beyond indicators of compromise (IOCs) and leverage threat behavior detection to observe the tactics, techniques, and procedures that adversaries are using. We identify activity groups based off the Diamond Model of Intrusion Analysis; that is, finding adversary infrastructure, capabilities, victimology, and details about the group like any previous activity or links to known groups. All of these variables help create a framework around which defensive plans can be built. From a hunting and detection perspective, you can use behaviors to identify malicious activity within your environment and whether it maps to known activity. Unlike IOCs which can be easily changed, threat behaviors generally have a long shelf life — adversaries, like any human, like to stick to known patterns of activity. Also, we highly recommend using an ICS-specific threat detection and response platform to gain visibility into your environment and be alerted to potential threats. -Selena
Q: You mentioned monitoring as best practice. What tools can organizations deploy for proactive monitoring?
A: It all depends on your infrastructure, but logging at the switch level and the host level, sending to a SIEM, is a great first step. -Ben
Q: Is OT awareness training different from IT in these days?
A: Cybersecurity training for OT teams should be different than IT. Although there are some similarities between the two environments, and having an IT security background can be useful for OT operators, the way that OT defenders identify, respond to, manage, and mitigate risks and threats will be different. Dragos hosts an ICS security training class that often has a number of IT security folks in attendance; it contains many hands-on labs and activities to reinforce the concepts learned. Additionally, it is very beneficial for OT security folks to undergo IT security training. This can also help improve collaboration and communication between those two teams. -Selena
Q: Have you seen any OT Ransomware attack that actually threatened to control an end device directly… i.e. shut a control valve… shut down a pump?
A: Most of the ransomware activity we have seen impacting OT is due to incidental infections in which the ransomware is able to bridge the IT/OT gap and impact devices like Windows HMIs and other related items. However, we did recently observe EKANS ransomware that contains ICS-specific characteristics. In this case, the attackers appeared to develop a specific interest and capability to target, and potentially disrupt, ICS functionality. It suggests ransomware authors are becoming more familiar with industrial processes, which could potentially cause operationally disruptive effects. With EKANS, like a lot of other ransomware strains, propagation is achieved via large-scale compromise of an enterprise network and distributed via mechanisms like Active Directory. However, it does have the capability to “kill” certain ICS processes. Targeting historian and data gathering processes at the client and server level imposes significant costs on an organization that could induce a loss of view condition within the plant environment. More information on that is available here: https://www.dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/ -Selena
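The two answers above make a related point: the threat-hunting answer argues for detecting behaviours rather than indicators, and the EKANS answer describes one such behaviour, a wave of ICS process terminations on a historian or HMI host that produces a loss of view. The following is an added example (not Dragos code, and not taken from any EKANS analysis) of a behavioural rule over host process-exit events: it alerts when several distinct watch-listed processes end on one host inside a short window, regardless of which binary did the killing or what its hash is. The log format, host names, process names and the watch-list are all constructed placeholders; a real deployment would populate the watch-list from the plant's own documented process inventory and feed it from the host logs the monitoring answer recommends sending to a SIEM.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed watch-list of processes a plant expects to stay running.
# The names are placeholders, not a list from any real malware or vendor.
WATCHLIST = {"historian_svc.exe", "hmi_runtime.exe", "opc_server.exe", "alarm_mgr.exe"}
THRESHOLD = 3                    # distinct watched processes ending...
WINDOW = timedelta(seconds=60)   # ...within this window on a single host


@dataclass(frozen=True)
class ProcessEnd:
    ts: datetime
    host: str
    image: str


def parse_line(line: str):
    """Parse one constructed 'key=value' endpoint log line.
    Returns None for anything that is not a process-end event."""
    fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
    if fields.get("event") != "process_end":
        return None
    return ProcessEnd(datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                      fields["host"], fields["image"].lower())


def detect_mass_kill(lines):
    """Behavioural rule: alert when >= THRESHOLD distinct watch-listed
    processes end on the same host within WINDOW. A routine single-service
    restart never trips it; a burst of terminations does."""
    per_host = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev.image in WATCHLIST:
            per_host[ev.host].append(ev)

    alerts = []
    for host, events in per_host.items():
        events.sort(key=lambda e: e.ts)
        for i, start in enumerate(events):
            in_window = [e for e in events[i:] if e.ts - start.ts <= WINDOW]
            images = {e.image for e in in_window}
            if len(images) >= THRESHOLD:
                alerts.append({"host": host, "start": start.ts, "images": sorted(images)})
                break  # one alert per host is enough for triage
    return alerts


# Constructed sample log: a burst on HIST01, routine scattered restarts on HMI02.
SAMPLE_LOG = [
    "ts=2020-02-03T10:00:01Z host=HIST01 event=process_end image=notepad.exe",
    "ts=2020-02-03T10:00:05Z host=HIST01 event=process_end image=historian_svc.exe",
    "ts=2020-02-03T10:00:06Z host=HIST01 event=process_end image=opc_server.exe",
    "ts=2020-02-03T10:00:07Z host=HIST01 event=process_start image=opc_server.exe",
    "ts=2020-02-03T10:00:09Z host=HIST01 event=process_end image=alarm_mgr.exe",
    "ts=2020-02-03T10:00:10Z host=HIST01 event=process_end image=hmi_runtime.exe",
    "ts=2020-02-03T08:00:00Z host=HMI02 event=process_end image=hmi_runtime.exe",
    "ts=2020-02-03T14:30:00Z host=HMI02 event=process_end image=alarm_mgr.exe",
    "ts=2020-02-03T20:45:00Z host=HMI02 event=process_end image=opc_server.exe",
]

if __name__ == "__main__":
    for alert in detect_mass_kill(SAMPLE_LOG):
        print(f"{alert['host']} at {alert['start']}: {', '.join(alert['images'])}")
```

On the sample input the rule raises one alert for HIST01 and none for HMI02, which saw the same three processes end but hours apart. The rule keys on the watch-list and the timing, not on any attribute of the process doing the killing, which is the property that gives behavioural detections their longer shelf life.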
Q: Have you seen any entry into the OT environment from the supply chain… like a compromised control valve? And, what about the new wave of cheaper IIoT devices, are those a point of a concern?
A: I am not aware of hardware supply chain threats enabling initial access to operations environments. There have been cases of software supply chain compromises that enable attackers to backdoor machines, including the ASUS compromise in 2019. (link: https://www.vice.com/en_us/article/pan9wn/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers) Additionally, in 2018, Schneider Electric alerted customers that some USB media shipped with two Conext products may have been infected with unidentified malware during manufacturing by a supplier. No customers publicly reported incidents of infection in this case. (link: https://www.zdnet.com/article/schneider-electric-shipped-usb-drives-infested-with-malware/) -Selena
If you’d like to read the 2019 Year In Review reports or watch the recorded webinar, you can find them here.