Dragos is an industrial cybersecurity company leveraging software, intelligence, and professional services to safeguard civilization. The SANS Institute empowers cybersecurity professionals with high quality training, certifications, degree programs, and more to help them make the world a safer place. Together, we have created a blog series about OT cybersecurity fundamentals, crafted for practitioners and executives alike to gain a better understanding of operational environments and their unique security requirements. This is the fourth blog in our series.
Cyber threat intelligence (CTI) involves collection, processing, analysis, dissemination, and integration of information about active or emerging cyber threats. The primary purpose of CTI is to uncover malicious cyber activities and adversaries and make this knowledge available to decision-making functions in the organization. Operational technology (OT) cyber threat intelligence addresses the unique challenges and requirements of OT environments. These systems are integral to critical infrastructure such as power plants, manufacturing facilities, gas pipelines, and water treatment plants.
This blog will examine the unique challenges and specific requirements for securing OT environments, highlighting the critical role of specialized cyber threat intelligence in safeguarding these systems.
The Domain of OT Cyber Threat Intelligence
OT cyber threat intelligence is critical to safeguarding the systems that control physical processes. It involves proactively identifying threats that could alter, degrade, or disrupt physical processes and mounting a defense against those threats before they lead to potentially dangerous outcomes. This is distinctly different from IT cyber threat intelligence, which focuses on identifying and subverting cyber threats that aim to steal, corrupt, or exploit information.
Threat Intelligence Cycle for OT Environments
In the context of OT-specific cyber threat intelligence, the intelligence cycle and the relationship between data, information, and intelligence are intricately connected. The intelligence cycle, consisting of Planning and Direction, Collection, Processing and Exploitation, Analysis and Production, and Dissemination and Integration, is designed to transform raw data from OT environments into actionable intelligence.
This process begins with collecting data from the operational environment, including signals specific to OT systems and OT network traffic. The raw data is then processed into meaningful information, which is analyzed through the lens of risk in the OT environment to produce intelligence. The intelligence cycle ensures that this intelligence is not only accurate and relevant but also effectively integrated into the organization’s security operations, providing actionable insights that inform decision-making and enhance the protection of critical infrastructure.
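The following is an added example (not code from Dragos, SANS, or any product mentioned here) that walks one intelligence requirement through the five stages named above. The key=value log format, the host addresses, and the "approved engineering workstation" list are all constructed for the example and do not reflect any vendor's real output.

```python
"""Added example: a minimal OT intelligence-cycle pipeline.

Stages mirror the cycle in the text: Planning and Direction, Collection,
Processing and Exploitation, Analysis and Production, Dissemination and
Integration. Log format, hosts and addresses are constructed for this
example; they are not any vendor's real output.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone

# Planning and Direction: an intelligence requirement phrased as a question,
# plus the context needed to answer it. Assumption: the asset owner knows which
# engineering workstations (EWS) are approved to push logic to PLCs.
REQUIREMENT = {
    "question": "Is control logic being written to PLCs from unapproved hosts?",
    "approved_ews": {"10.20.1.10"},
    "plcs": {"10.20.5.10", "10.20.5.11"},
}

# Collection: constructed raw records in the shape a passive OT network monitor
# might emit (one key=value event per line). Three are logic writes to PLCs.
RAW_RECORDS = """\
ts=2024-05-02T03:14:07Z proto=s7comm src=10.20.1.10 dst=10.20.5.10 func=program_download
ts=2024-05-02T03:14:09Z proto=modbus src=10.20.1.22 dst=10.20.5.11 func=read_holding_registers
ts=2024-05-02T03:16:41Z proto=s7comm src=10.20.1.55 dst=10.20.5.10 func=program_download
ts=2024-05-02T03:16:42Z proto=s7comm src=10.20.1.55 dst=10.20.5.11 func=program_download
ts=2024-05-02T03:20:00Z proto=dnp3 src=10.20.1.30 dst=10.20.5.11 func=read
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    proto: str
    src: str
    dst: str
    func: str


def process(raw: str) -> list:
    """Processing and Exploitation: turn raw text into typed, comparable records."""
    events = []
    for line in raw.splitlines():
        kv = dict(field.split("=", 1) for field in line.split())
        ts = datetime.strptime(kv["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, kv["proto"], kv["src"], kv["dst"], kv["func"]))
    return events


def analyze(events: list, requirement: dict) -> dict:
    """Analysis and Production: answer the requirement rather than list events."""
    writes = [e for e in events
              if e.func == "program_download" and e.dst in requirement["plcs"]]
    unapproved = [e for e in writes if e.src not in requirement["approved_ews"]]
    return {
        "question": requirement["question"],
        "answer": "yes" if unapproved else "no",
        "unapproved_sources": dict(Counter(e.src for e in unapproved)),
        "affected_plcs": sorted({e.dst for e in unapproved}),
        "first_seen": min(e.ts for e in unapproved).isoformat() if unapproved else None,
    }


def disseminate(finding: dict) -> dict:
    """Dissemination and Integration: a product the SOC and plant staff can act on."""
    if finding["answer"] == "no":
        return {"priority": "informational", "actions": ["no action required"], **finding}
    return {
        "priority": "high",
        "actions": [
            "confirm with plant engineering whether the logic download was authorized",
            "compare the running PLC project against the last known-good backup",
            "restrict engineering-protocol access to the approved EWS only",
        ],
        **finding,
    }


def run_cycle(raw: str = RAW_RECORDS, requirement: dict = REQUIREMENT) -> dict:
    """Run collection -> processing -> analysis -> dissemination end to end."""
    return disseminate(analyze(process(raw), requirement))


if __name__ == "__main__":
    import json
    print(json.dumps(run_cycle(), indent=2))
```

The point of the structure is that the requirement is fixed before any data is read: the same packet stream produces "information" (typed events) regardless of the question, but it only becomes "intelligence" once the analysis step answers what the plant actually asked.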
OT Cyber Threat Scenarios
Attacks on operational technology networks and industrial control systems (ICS) can impact essential services like electricity, oil and gas, manufacturing, and water. The following threat events and incidents illustrate the types of cyber activities and adversaries that impact industrial environments. These scenarios underscore the need for specialized OT cyber threat intelligence to protect against attacks with severe real-world consequences.
2015-2016 Ukraine Electric Grid Attacks | In 2015, an attack on a Ukrainian electric entity was delivered via email as a Word or PowerPoint attachment that lured victims into opening the seemingly legitimate file. BLACKENERGY3 was deployed to enable a distributed denial-of-service (DDoS) that disrupted electric services for several hours. In 2016, the CRASHOVERRIDE malware was deployed against a Ukrainian energy entity, targeting hundreds of systems. The malware aimed to disable control and SCADA systems and launch a denial-of-service (DoS) attack on protective relays to create hazardous conditions. This incident marks the first known use of malicious code designed to target electric substations. |
2017 TRISIS Attack on Petrochemical Safety Systems | The TRISIS malware was deployed against a safety instrumented system (SIS) at a petrochemical plant in Saudi Arabia. The attackers attempted to disable safety features; instead, the attack tripped the safety systems, which shut down the plant. It represents the first time that the safety features of a system were targeted and compromised directly. |
2022 Emergence of the Cross-Industry OT Toolkit PIPEDREAM | PIPEDREAM is a multi-tool malware. It targets specific Omron and Schneider Electric controllers, causing loss of view, control, and safety. It also manipulates OPC-UA connections and targets Windows systems, making it capable of an end-to-end attack. Unlike previous examples, which were designed to target a single OT environment, PIPEDREAM can be used in multiple industrial sectors and adapted for thousands of CODESYS devices. Fortunately, the malware was discovered before it was employed. It represents the first cross-industry OT attack toolkit. |
2023-2024 Hacktivist Attacks Impacting Water Utilities | Several self-proclaimed hacktivist groups successfully compromised water utilities throughout the United States, Europe, and Australia. Internet-exposed PLCs, easily discoverable through Shodan searches, were targeted and in some cases compromised using only the devices' default passwords. The other techniques used were relatively unsophisticated. The attacks led to material impacts and disruption in a few locations, underscoring the importance of basic security precautions. |
Cyber Adversaries Targeting OT Environments
The many adversaries targeting operational technology environments and industrial control systems are motivated by different factors. Industrial organizations might encounter:
- State actors motivated by state objectives, which receive direction and support based on that alignment. These groups seek a strategic advantage by collecting information or pre-positioning for a later attack.
- Hacktivist groups with many different social and political motivations. They generally seek to advance a specific agenda, but their actions are sometimes inconsistent and misleading.
- Financially motivated cybercriminals. Ransomware groups are prime examples. They want a payoff by whatever means.
Cyber adversaries targeting industrial organizations and control systems can be informally classified according to their intent, capabilities, familiarity with industrial processes, and impacts.
Adversaries that can cause DIRECT OT impact | These adversaries directly impact the operation of industrial control systems and have the potential to disrupt, degrade, or destroy operational technology systems. |
Adversaries that can FACILITATE direct OT impact | Some adversaries are interested in industrial organizations, industrial control systems, and operational technology networks for reconnaissance and initial access activities. |
Adversaries that can cause INDIRECT OT impact | Some adversaries targeting IT may disrupt operational technology environments without intending to, for example ransomware attacks that interrupt OT systems during preventative or precautionary shutdowns, or attacks that disrupt the availability of IT systems that OT processes depend on. |
While this is not an exhaustive categorization of adversaries, it is a helpful rubric for understanding the varied intentions and impacts encountered in OT cyber threat intelligence.
When securing operational technology networks, industrial organizations should focus on adversaries that conduct sustained operations against industrial targets and whose activity can realistically be defended against.
Vulnerabilities in OT Environments
Using an IT mindset when addressing OT vulnerabilities is wrong. Industrial infrastructure operates specialized machinery with longer lifecycles than IT equipment. It is heavily engineered to fulfill the core business functions—producing electricity, manufacturing products, distributing oil and gas, and treating water. However, most vulnerability disclosures are written with IT in mind and don’t correctly characterize the risks to OT. When prioritizing vulnerabilities in OT, it’s essential first to research and consider factors such as:
- Severity – What capabilities does this vulnerability provide adversaries?
- OT impact – What could happen in the OT environment?
- Network exploitability – Can it be reached from the network?
- Ease of exploitation – How skilled must an adversary be to use it?
- Events in the wild – Are adversaries already using it?
Knowing why and when to address vulnerabilities is the starting point. Then it is a matter of determining what to do. Patching is the standard recommendation, but it is often impractical in continuously running operations. To be effective, vulnerability management in industrial environments requires alternatives to patching and accurate risk information.
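As an added illustration (not Dragos or SANS code) of turning the five factors above into a repeatable prioritization, the script below scores constructed advisories, assigns a tier, and proposes compensating controls for cases where a patch cannot be applied. The point values, tier rules, tier names, and the VULN-A/B/C identifiers are all assumptions made for this example; they are not a published scoring scheme.

```python
"""Added example: prioritizing OT vulnerabilities on the five factors named in
the text (severity, OT impact, network exploitability, ease of exploitation,
events in the wild) and selecting alternatives to patching.

Weights, tiers, identifiers and sample advisories are constructed for
illustration and are not a published scoring scheme.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    vuln_id: str            # placeholder identifier, not a real CVE
    asset: str
    severity: str           # capability gained: "code_execution", "dos", "info_disclosure"
    ot_impact: str          # "loss_of_control", "loss_of_view", "none"
    network_exploitable: bool
    ease: str               # skill needed: "low" or "high"
    in_the_wild: bool       # adversaries already using it


SEVERITY_POINTS = {"code_execution": 3, "dos": 2, "info_disclosure": 1}
IMPACT_POINTS = {"loss_of_control": 3, "loss_of_view": 2, "none": 0}


def score(a: Advisory) -> int:
    """Additive score; active exploitation weighs most because it is a present threat."""
    s = SEVERITY_POINTS[a.severity] + IMPACT_POINTS[a.ot_impact]
    s += 2 if a.network_exploitable else 0
    s += 1 if a.ease == "low" else 0
    s += 3 if a.in_the_wild else 0
    return s


def tier(a: Advisory) -> str:
    """Coarse decision: does this justify action before the next outage window?"""
    if not a.network_exploitable and a.ot_impact == "none":
        return "track"
    if a.in_the_wild or (a.network_exploitable and a.ot_impact == "loss_of_control"):
        return "act-now"
    return "next-window"


def mitigations(a: Advisory) -> list:
    """Alternatives to patching, chosen from the factors that drive the risk."""
    m = []
    if a.network_exploitable:
        m.append("restrict reachability: firewall/ACL so only engineering hosts reach the asset")
        m.append("add a network monitoring rule for the affected protocol and port")
    if a.in_the_wild:
        m.append("hunt OT network captures for signs of exploitation")
    if a.ot_impact == "loss_of_control":
        m.append("confirm the process can be run manually and safety systems are independent")
    if not m:
        m.append("no compensating control needed now; patch at the next planned maintenance window")
    return m


def prioritize(advisories: list) -> list:
    """Return (id, score, tier, mitigations) tuples, highest score first."""
    ranked = sorted(advisories, key=score, reverse=True)
    return [(a.vuln_id, score(a), tier(a), mitigations(a)) for a in ranked]


# Constructed sample advisories.
SAMPLE = [
    Advisory("VULN-A", "PLC firmware", "code_execution", "loss_of_control", True, "low", False),
    Advisory("VULN-B", "HMI web server", "dos", "loss_of_view", True, "low", True),
    Advisory("VULN-C", "engineering software", "code_execution", "none", False, "high", False),
]

if __name__ == "__main__":
    for vuln_id, s, t, m in prioritize(SAMPLE):
        print(f"{vuln_id}: score={s} tier={t}")
        for action in m:
            print("   -", action)
```

Note how VULN-C, a code-execution flaw that would rank high on a CVSS-style IT scale, drops to "track" because it is neither network reachable nor capable of affecting the process, while the lower-severity HMI denial-of-service with observed exploitation rises to the top.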
Key Frameworks for OT Cybersecurity Threats
Understanding where an adversary is in their campaign, their capabilities, and the tactics, techniques, and procedures (TTPs) that form their attack enables defenders to make better-informed security and risk management decisions.
Frameworks such as the ICS Cyber Kill Chain and MITRE ATT&CK® for ICS are invaluable tools for OT cyber threat intelligence professionals. These OT-specific frameworks help organizations anticipate, detect, and mitigate threats effectively for the safety and continuity of their operations.
ICS Cyber Kill Chain | The ICS Cyber Kill Chain represents the entirety of the operation against an organization and its systems. Stage 1 of the ICS Cyber Kill Chain traditionally involves espionage operations, often to gain access to the information within networks and learn the system. Stage 2 consists of using the knowledge gained in Stage 1 to develop, test, and deploy a capability that can meaningfully attack OT. |
MITRE ATT&CK for ICS | MITRE ATT&CK® for ICS is a comprehensive knowledge base of cyber adversary tactics, techniques, and procedures (TTPs) explicitly targeting industrial control systems. MITRE ATT&CK® for ICS details the various stages, from initial access and execution to impact, mapping out the specific threats and attack vectors relevant to ICS environments. |
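To show how the two frameworks are used together, here is an added example (not from Dragos, SANS, or MITRE) that tags observed adversary actions with an ICS Cyber Kill Chain stage and an ATT&CK for ICS technique, then reports how far each campaign progressed. The observation lists restate the incidents described earlier in this post; the technique IDs reflect my reading of the ATT&CK for ICS matrix and should be verified against the current release, and the "manipulation of control" entry for the water utility incidents is an assumption drawn from the post's mention of "material impacts and disruption".

```python
"""Added example: mapping observed actions to ICS Cyber Kill Chain stages and
ATT&CK for ICS techniques, then summarizing campaign progression.

Technique IDs come from the author's reading of the ATT&CK for ICS matrix;
verify them against the current release. Scenario observations restate the
incidents described in the post; any item marked "assumed" is not stated there.
"""

# observation keyword -> (ATT&CK for ICS technique ID, technique name, kill-chain stage)
# Stage 1: intrusion and learning the system. Stage 2: developing and executing
# a capability that affects the process.
TECHNIQUES = {
    "spearphishing_attachment":  ("T0865", "Spearphishing Attachment", 1),
    "internet_accessible_device": ("T0883", "Internet Accessible Device", 1),
    "default_credentials":       ("T0812", "Default Credentials", 1),
    "program_download":          ("T0843", "Program Download", 2),
    "denial_of_service":         ("T0814", "Denial of Service", 2),
    "manipulation_of_control":   ("T0831", "Manipulation of Control", 2),
    "loss_of_view":              ("T0829", "Loss of View", 2),
    "loss_of_control":           ("T0827", "Loss of Control", 2),
    "loss_of_safety":            ("T0880", "Loss of Safety", 2),
}

# Constructed from the scenarios in the post. PIPEDREAM is a capability that was
# found before use, so its Stage 2 entries describe what it could do, not an event.
SCENARIOS = {
    "Ukraine 2015 (BLACKENERGY3)": ["spearphishing_attachment", "denial_of_service"],
    "Ukraine 2016 (CRASHOVERRIDE)": ["loss_of_control", "denial_of_service"],
    "Saudi petrochemical 2017 (TRISIS)": ["loss_of_safety"],
    "PIPEDREAM 2022 (capability, not deployed)": ["loss_of_view", "loss_of_control", "loss_of_safety"],
    "Water utilities 2023-2024 (hacktivists)": [
        "internet_accessible_device", "default_credentials",
        "manipulation_of_control",  # assumed from "material impacts and disruption"
    ],
}


def assess(campaign: str, observations: list) -> dict:
    """Group observations by kill-chain stage and report the deepest stage reached."""
    by_stage = {1: [], 2: []}
    unmapped = []
    for obs in observations:
        entry = TECHNIQUES.get(obs)
        if entry is None:
            unmapped.append(obs)
            continue
        tid, name, stage = entry
        by_stage[stage].append(f"{tid} {name}")
    reached = 2 if by_stage[2] else (1 if by_stage[1] else 0)
    return {
        "campaign": campaign,
        "stage_reached": reached,
        "stage1": by_stage[1],
        "stage2": by_stage[2],
        "unmapped": unmapped,
    }


def defender_focus(assessment: dict) -> str:
    """What the stage tells a defender to prioritize (assumed guidance for the example)."""
    if assessment["stage_reached"] == 2:
        return "validate process and safety integrity; review engineering changes; prepare manual operation"
    if assessment["stage_reached"] == 1:
        return "hunt for reconnaissance and access; close the observed entry path before a Stage 2 capability is developed"
    return "no mapped activity; confirm collection coverage"


def assess_all(scenarios: dict = SCENARIOS) -> list:
    return [assess(name, obs) for name, obs in scenarios.items()]


if __name__ == "__main__":
    for a in assess_all():
        print(f"{a['campaign']}: Stage {a['stage_reached']}")
        print("   focus:", defender_focus(a))
```

The practical value is the asymmetry between the stages: a campaign seen only at Stage 1 (the water utility cases) is still one that basic controls such as removing internet exposure and changing default passwords can stop, whereas anything mapped to Stage 2 means the adversary already holds a capability tailored to the process, and the response must include the process itself, not just the network.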
OT Cyber Threat Intelligence Data Sources
Industrial organizations rely on multiple data sources to form a comprehensive understanding of cyber threats:
- Internal IT Data: Can help identify potential threats before they affect OT environments but is not sufficient alone.
- OT-Native Network Monitoring: Essential for knowledge of threats within OT systems. Technologies like the Dragos Platform are critical for this task.
- Collaboration with Partners: Sharing first-party data through agreements and networks like Neighborhood Keeper enhances visibility and detection capabilities.
- External Sources: Commercial CTI providers like WorldView, ISACs, and regulatory agencies provide a broader context and sector-specific intelligence.
In Conclusion
Understanding and effectively managing cyber threats facing OT environments is essential. Unlike IT systems, OT environments are directly tied to the physical world, meaning that any disruption can lead to significant physical consequences such as production downtime, equipment damage, and even risks to human safety and the environment.
OT cyber threat intelligence involves understanding, identifying, and responding to distinct adversaries who often employ different threat behaviors and capabilities than those targeting IT systems. Moreover, OT vulnerabilities must be managed differently using tailored mitigations that reflect industrial systems’ business requirements and operational challenges.
Organizations can proactively protect their critical infrastructure by leveraging OT-specific threat intelligence, ensuring operational continuity, safety, and security.