If you were a CISO five and a half years ago you might already have a playbook for increasing your security team’s vigilance in the wake of recent events between the US, Iran, and Israel. Why? This is not the first time the threat level – including cyber threats – from Iran has escalated.
In January 2020, a US drone strike killed Iranian Major General Qassem Soleimani, a powerful figure in Iran. Following his death, Iranian leaders vowed revenge, the US Department of Homeland Security warned of potential cyber attacks from Iran in retaliation, and the Cybersecurity and Infrastructure Security Agency (CISA) issued alerts to US businesses and government agencies to be vigilant for potential cyber intrusions and disruptions.
As CISO of Rockwell Automation at that time, I took this alert very seriously and my team worked together to brainstorm a playbook for this increased threat. This blog has two parts. First, I have some important thoughts about cybersecurity in OT based on my experience in 2020. Second, I provide my thoughts on actions all CISOs should consider in light of current geopolitical events.
Could Your OT Cybersecurity Withstand a Geopolitically Driven Cyber Attack?
As CISO I took comfort in the fact that our EDR solution relied strongly on the company’s threat intelligence team and threat hunting, and they knew exactly what threats from Iran looked like. But I realized that we not only had to evaluate and raise our defenses in IT, but that our OT environment at Rockwell could also be a target due to our role in critical infrastructure. Therefore, I decided to reach out to a few leaders in the OT security space to assess whether we were adequately protected in OT. In fact, that was the first time I personally talked to Dragos CEO Rob Lee.
First, I reached out to another OT security platform provider, and asked how their platform was tailored to handle threats from Iran, and whether they were doing anything specific in response to the escalated threat environment. The answer was alarming and unsatisfying: they relied on anomaly detection and did not look for specific threats – they were doing nothing special in response to the heightened threat from Iran and warnings from DHS/CISA.
Then I reached out to Rob Lee and asked the same question about Dragos. I was impressed with the answer – so impressed that two years later I chose to come to Dragos after retiring from Rockwell. Rob explained that the Dragos Intelligence team is constantly seeking, tracking, and assessing cyber threats from specific adversary groups. They integrate the detailed tactics, techniques, and procedures (TTPs) employed by each threat group into behavioral analytics in the Dragos Platform on an ongoing basis, and their OT Watch threat hunters actively hunt for them in customer environments. This is what I wanted to hear. And I can tell you based on personal experience that the Dragos Intelligence Team has absolutely been focused on adversary groups tied to Iran in recent weeks and months. The speed with which they convey new intelligence, run threat hunts, and integrate new TTPs and indicators of compromise (IOCs) into our Platform is impressive to witness from inside the company.
For example, one day last week:
- At approximately 2 pm US Central Time (CT), the Dragos Intelligence Team passed some emerging threat intelligence on new BAUXITE capabilities to Dragos OT Watch threat hunters.
- By 2:30 pm CT, a Dragos WorldView product was drafted and prepped for review and coordination.
- By 3:00 pm CT, the WorldView product draft was in peer-review and the appropriate partner coordination had been completed.
- By 4:00 pm CT, Dragos OT Watch had executed an IOC sweep, derived from coordinated intelligence, for all OT Watch customers.
- By 4:30 pm CT, OT Watch had developed a query-based threat hunt to action across all OT Watch customers daily and the Intel Team released the report to WorldView subscribers.
An Action Plan for CISOs
This is not meant as a sales pitch for Dragos. I am not a salesperson. I am a former CISO who understands the pressures and challenges faced by CISOs and security teams around the world in the face of geopolitical events such as the ones we are experiencing right now, which might be tied to specific regions but impact cybersecurity globally. But I can honestly say that when we started our manufacturing cybersecurity program at Rockwell Automation in 2017 we prioritized a security platform for visibility and monitoring in OT. We realized that we had a high risk of already being compromised, and with the cyber threat environment at that time – which was nothing compared to now – we felt it was imperative that we had visibility and monitoring in our plants – the same priority we used in our IT security strategy.
I advise all CISOs to try to obtain the resources needed for an OT security platform if you do not have one. But you should be doing more than that, so if that is not an option or will take time, DO NOT WAIT. I am offering this advice in light of current geopolitical events:
- Increase your security team’s vigilance. We all know major cyber attacks usually occur off hours – including weekends. Ensure your security team is ready to jump into action at any time.
- Remember your OT environment. I am concerned about the number of organizations – especially in manufacturing – that have strong IT security programs but are only starting to think about OT security. CISOs: If your manufacturing environment is disrupted by a cyber attack the company’s revenue is also disrupted. Use this threat environment to request special funding for OT cybersecurity.
- Build an IT and OT playbook for specific geopolitical threats such as the one we are currently facing. Iran is likely not the only state actor that will be escalating their threats in the coming weeks, months, and years. Every adversary group employs different TTPs – focus on Iran right now but then consider additional adversaries as the geopolitical climate is changing rapidly.
- Include active threat intelligence in the playbooks. It’s crucial to ensure that you are receiving, prioritizing, and implementing specific TTPs and IOCs in your security platforms, and actively hunt for them – in both IT and OT.
- Consider your supply chain and the rest of your ecosystem. Iranian-linked hacktivists (see Dragos information regarding the BAUXITE threat group) have targeted small water utilities and other sectors. Reach out to your key suppliers and partners and ensure that they are aware of the threat and of the Dragos free resources they can use (see below).
- Start with the SANS ICS 5 Critical Controls now. Even if you are just beginning your OT cybersecurity journey or evaluating how to grow maturity, use SANS guidance to streamline the complexity that can accompany OT cybersecurity. Evaluate the controls you DO have and make sure they are being implemented correctly.
- If you are a small electric, water, or natural gas utility, you play a crucial role in collective defense. It can feel overwhelming, so take advantage of resources that are available to build your knowledge and make OT cybersecurity accessible and achievable. Your ISACs are a resource, and other organizations are there to support you. For example, Dragos OT-CERT provides free resources for the ICS/OT community around the world, providing information and materials to help build an OT cybersecurity program, improve security posture, and reduce OT risks. The Dragos Community Defense program provides small electric, water, and natural gas utilities in the US and Canada – those under $100 million USD in annual revenue – with the Dragos Platform, threat hunting, online training, and collective defense – all for free.
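To make the "implement specific TTPs and IOCs in your security platforms, and actively hunt for them – in both IT and OT" advice concrete, here is a minimal IOC sweep written for this post as an added example. It is not Dragos code and not the Dragos Platform's logic. Every indicator value and log line below is a constructed placeholder (documentation address ranges, a dummy hash), the priority field and the log formats are assumptions, and the detection is simple string and network matching with no anomaly detection.

```python
"""Minimal IOC sweep over IT and OT log lines (constructed example, not vendor code)."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    kind: str       # "ip" (single address or CIDR), "domain", or "sha256"
    value: str
    priority: int   # assumed scheme: 1 = sweep now and alert, 2 = daily hunt, 3 = informational
    source: str     # where the indicator came from, kept so the analyst can trace it


# Constructed indicator feed: placeholder values, NOT real indicators of any threat group.
INDICATORS = [
    Indicator("ip", "203.0.113.45", 1, "constructed vendor report"),
    Indicator("ip", "198.51.100.0/24", 2, "constructed vendor report"),
    Indicator("domain", "update-check.example.net", 1, "constructed vendor report"),
    Indicator("sha256", "a" * 64, 1, "constructed vendor report"),
]

# Constructed log lines: a web proxy, an EDR agent, a firewall, and an OT network monitor.
# OT logs typically expose only addresses and protocol fields, so only IP indicators apply there.
LOG_LINES = [
    "proxy 2025-06-20T03:12:44Z user=svc_backup dst=update-check.example.net status=200",
    "edr 2025-06-20T03:13:02Z host=eng-ws-07 file=loader.exe sha256=" + "a" * 64,
    "fw 2025-06-20T03:15:10Z src=10.10.5.22 dst=8.8.8.8 action=allow",
    "ot-monitor 2025-06-21T02:41:09Z src=198.51.100.77 dst=10.20.1.15 proto=modbus fc=16",
    "ot-monitor 2025-06-21T02:41:30Z src=10.20.1.15 dst=10.20.1.20 proto=modbus fc=3",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
# Loose on purpose: it also picks up tokens like "loader.exe", which simply never match a feed entry.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def extract_observables(line):
    """Pull candidate IPs, hashes and domains out of one log line, normalised for lookup."""
    ips = set()
    for tok in IPV4_RE.findall(line):
        try:
            ips.add(ipaddress.ip_address(tok))
        except ValueError:  # e.g. 999.1.1.1 passes the regex but is not an address
            pass
    hashes = {h.lower() for h in SHA256_RE.findall(line)}
    domains = {d.lower() for d in DOMAIN_RE.findall(line)}
    return ips, hashes, domains


def compile_indicators(indicators):
    """Turn the feed into lookup structures; IP indicators become networks so CIDRs work too."""
    nets, hashes, domains = [], {}, {}
    for ind in indicators:
        if ind.kind == "ip":
            nets.append((ipaddress.ip_network(ind.value, strict=False), ind))
        elif ind.kind == "sha256":
            hashes[ind.value.lower()] = ind
        elif ind.kind == "domain":
            domains[ind.value.lower()] = ind
        else:
            raise ValueError(f"unsupported indicator kind: {ind.kind}")
    return nets, hashes, domains


def sweep(lines, indicators):
    """Return (line_number, indicator, line) hits, highest priority first, then by line order."""
    nets, hashes, domains = compile_indicators(indicators)
    hits = []
    for n, line in enumerate(lines, start=1):
        ips, hs, ds = extract_observables(line)
        for ip in ips:
            for net, ind in nets:
                if ip in net:
                    hits.append((n, ind, line))
        for h in hs:
            if h in hashes:
                hits.append((n, hashes[h], line))
        for d in ds:
            if d in domains:
                hits.append((n, domains[d], line))
    hits.sort(key=lambda hit: (hit[1].priority, hit[0]))
    return hits


if __name__ == "__main__":
    for n, ind, line in sweep(LOG_LINES, INDICATORS):
        print(f"P{ind.priority} line {n}: {ind.kind}={ind.value} ({ind.source})\n    {line}")
```

Re-running `sweep` against each day's exported logs with the current indicator set is the shape of the daily query-based hunt described in the timeline above; the priority field is what lets a team sweep the urgent indicators immediately and fold the rest into the daily hunt. The OT line in the sample only fires on an address, which is the practical reality that hash and domain indicators mostly do not apply inside the plant network.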
In closing, no matter what the state of your cybersecurity program, let’s all take this opportunity to audit our defenses, tighten our controls, and close our gaps. We’ve all seen this escalation coming, and our organizations, our customers, and civilization are counting on us to keep them safe. It’s a daunting responsibility, but isn’t this why we chose this profession in the first place?